About IU Guest 2.0

Overview

IU Guest accounts provide account-based services to applications at Indiana University for those without a University account. Each account consists of a first name, last name, email address, and unique 10-digit identifier (UID), as well as a means of authentication. IU Guest 2.0 adds new functionality that allows social authentication and supports multiple authentication methods for the same account. However, these 2.0 features only work with IU applications that have migrated to IU Login 2.0. IU Guest account creation and management is hosted by Identity Management Systems (IMS) and supported by Tier 2 Support and IMS Tier 3.

User experience

Account creation

Each application that integrates with IU Guest 2.0 may support the email login account type, the social login account type, or both. Support is determined by the authentication protocol. When creating IU Guest 2.0 accounts, users choose from the login types supported by the application where they began account creation: either an email (credential-based) login or a social login from Facebook, Google, or Microsoft.

Important:
IU Guest 2.0 for social login accounts uses services from Cirrus Identity, a vendor, for account creation. Because Cirrus Identity's services run on Amazon Web Services, users in countries with web traffic restrictions may not be able to log in successfully with social accounts.

Email login

To know which protocols support email login, review IU Guest email login support in the authentication protocols table.

  1. Users will be prompted to provide their first name, last name, and email address, and create a password (with the same requirements as passphrases; they must be between 15 and 127 characters).
  2. Once a user has requested an account, IU Guest will prompt the user to look for an email verification message, which will include a link to confirm ownership of the account.

    Note:
    The unique link expires after 30 days.

    IU Guest will also check the provided email address against existing accounts (both email and social logins). If a match is found, the account will be linked to the pre-existing Guest account via its UID. This means that a user may end up with a Guest account with both social and email login options.

  3. Once the user confirms the account, the user will see an account creation confirmation with a summary of the user's account details and a button to log into the application where the user began the process.
    • IU Guest 2.0 uses cookies to ensure that the user is presented with the IU Login Guest tab when returning to the sponsor application.
    • If the account has been linked to a previous account, IU Guest will present the user with that information.
  4. Once the account is created, an email confirmation will be sent to the address on record, including the name, email address, and login type provided for the account, as well as links to documentation and the account management application. Sponsors can also choose to provide additional information (see Collect IU Guest integration data in Integrate with IU Guest 2.0).

Social login

Similar to many social login offerings across the internet, instead of creating an account with an email address, a user may create an account by logging in with a social provider and sharing select personal data to provision the account.

To know which protocols support social login, review IU Guest social login support in the authentication protocols table.

  1. IU Guest 2.0 will prompt users to log into their social provider; users may need to grant permissions to IU Guest to continue. The social provider will pass the user's first name, last name, and email address back to IU Guest for account provisioning.
    • If the social provider does not provide a first name, last name, or email address, the user will be prompted to provide these details. If a user needs to provide an email address, IU Guest will prompt the user to check for an email verification message that includes a link to confirm ownership.
      Note:
      The unique link expires after 30 days.
    • IU Guest will check the email provided by the social provider against existing accounts (both email and social logins). If a match is found, the account will be linked to the pre-existing Guest account via its UID. This means that a user may end up with a Guest account with both social and email login options. Technically, a user may have an account that is connected to all three social providers.
  2. Once a user has provided all required information, the user will see an account creation confirmation with a summary of the user's account details, along with a button to log into the application where the user began the process.
    • IU Guest 2.0 uses cookies to ensure that users are presented with the IU Login Guest tab when returning to the sponsor application.
    • If a user's account has been linked to a previous account, IU Guest will present the user with that information.
  3. Once the account is created, an email confirmation will be sent to the address on record. It will include the name, email address, and login type for the account, as well as links to documentation and the account management application. Sponsors can also elect to provide additional information (see Collect IU Guest integration data in Integrate with IU Guest 2.0).

Account invitations

Application sponsors may wish to send out invitations to specific users, inviting them to create an IU Guest account. The External Accounts API supports this functionality, as well as an account lookup to see if an IU Guest account already exists for an email address. For details, see the External Accounts API Documentation.

Account linking

A user can repeat the account creation processes above to link either a social or email login to an existing account, as long as the associated email address matches. For example, an account with a social login can add an email login as long as the email login address matches the social login address; or, an account with a Facebook login can have a Google login linked to it. However, an account can only have one email login.
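The matching rules above, together with the email-change restriction listed under Account management, can be modeled in a few lines. This is an added example, not IU Guest's own code: the class and method names, the sequential UIDs, and the case-insensitive address comparison are assumptions, and email ownership verification is assumed to have already completed.

```python
from dataclasses import dataclass, field
from itertools import count

SOCIAL_PROVIDERS = {"facebook", "google", "microsoft"}  # providers named on this page


@dataclass
class GuestAccount:
    uid: str                                   # unique 10-digit identifier
    email: str
    logins: set = field(default_factory=set)   # "email" and/or provider names


class GuestDirectory:
    """Toy in-memory model of the linking rules; not IU Guest's implementation."""

    def __init__(self):
        self._by_email = {}
        self._seq = count(1)                   # assumption: sequential UIDs for the demo

    @staticmethod
    def _key(email):
        return email.strip().lower()           # assumption: case-insensitive matching

    def register(self, email, login_type):
        """Return (account, linked): linked is True when an existing UID was reused."""
        if login_type != "email" and login_type not in SOCIAL_PROVIDERS:
            raise ValueError(f"unsupported login type: {login_type}")
        key = self._key(email)
        account = self._by_email.get(key)
        linked = account is not None
        if account is None:
            account = GuestAccount(uid=f"{next(self._seq):010d}", email=key)
            self._by_email[key] = account
        elif login_type in account.logins:
            # Covers "an account can only have one email login".
            raise ValueError(f"{login_type} login already linked to {account.uid}")
        account.logins.add(login_type)
        return account, linked

    def change_email(self, account, new_email):
        """Reject a change to an address already tied to an existing account."""
        key = self._key(new_email)
        if key in self._by_email:
            raise ValueError("address already tied to an existing account")
        del self._by_email[account.email]
        account.email = key
        self._by_email[key] = account
```

Because the email address is the only join key between login methods, every address must be confirmed (by the verification link or by the social provider) before `register` is reached.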

Account authentication

Process (SAML integrations)

Important:
IU Guest 2.0 with social logins uses services from Cirrus Identity, a vendor, for account creation. Because Cirrus Identity's services run on Amazon Web Services, users in countries with web traffic restrictions may not be able to log in successfully with social accounts.

IU Login will only display the University and Guest tabs shown below if the sponsor application is integrated with the SAML protocol:

[Image: IU Login with both University and Guest tabs]

  • On the Guest tab, only the login type(s) available for the sponsor application will appear. If the sponsor only accepts email logins, IU Guest will send users to the email account creation process; if the sponsor only accepts social logins, users will only see the social options.
  • When a user without an account attempts to log in with a social provider, IU Guest will provision the user with a new Guest account.

Note:
IU Login relies on persistent cookies to remember a user's last login attempt.

Process (CAS integrations)

If the sponsor application uses the CAS protocol, the user will enter their credentials (email address and password) in the "Username" and "Passphrase" fields.

Account management

All Guest accounts should be managed with IU Guest 2.0. Current functionality includes the ability to:

  • Change first and last name
  • Change email address
    Note:
    An email address cannot be changed to an address that is already tied to an existing account.
  • Change password (email login only)
  • Reset password (email login only)

Integrate with IU Guest 2.0

To set up and sponsor an application to use IU Guest accounts, see Integrate with IU Guest 2.0.

This is document bgmf in the Knowledge Base.
Last modified on 2021-12-09 09:37:09.