This page gives a short overview on COmanage enrollment flows and how to configure the most used cases: invitation and self-signup. More detailed (technical) information on enrollment flows can be found at the COmanage application documentation:

Basic Idea

An enrollment flow allows a user (in COmanage also known as a COPerson) to enroll into a CO or COU they were not a member of yet. Enrollment flows are not meant to administer group membership; group administrators (group owners) can do that directly through the Group interface of COmanage. Group membership does not infer any special rights to members, whereas CO and COU membership allows access to specific services.

During the enrollment flow, the system makes a distinction between the petitioner and the enrollee. The petitioner is the person that started the enrollment flow and the enrollee is the subject of the flow. For self-signup enrollment flows, petitioners and enrollees are the same. For invitation flows, the petitioner is the person creating the invitation.

The basic steps of an enrollment flow are:

Some of these steps are optional depending on the configuration of the enrollment flow.


Enrollment flows reside under the 'Configuration' form of a CO. Only CO administrators can configure these options, other users do not have this link.

New COs do not have any enrollment flows yet, but you can easily add or restore the default templates, which serve as a starting point for further configuration. Before configuring a new enrollment flow, you can duplicate a relevant template.

After this, the enrollment flow can be given a name and configured, which requires three steps:

These steps are described in more detail below.

Main Configuration Form

A typical enrollment flow configuration form has the following options selected:

Important fields here are:

The other fields are either less relevant or very obvious and allow administrators to further personalize the enrollment experience.

Enrollment Attributes

Enrollment attributes determine the attributes gathered of, from or by the enrollee during the enrollment flow:

A typical list of attributes looks as follows:

This list determines which attributes are gathered and to which destination object the attributes are copied (note: not from which source). Administrators can determine which values are required, which fields are visible and which attributes can be further modified by the user:

Note: the following 3 attributes are REQUIRED for any invitation flow:

COmanage will happily accept a flow without those attributes, but will then fail to submit the enrollment form with incomprehensible error messages like "Please check the highlighted field", while not of the fields are highlighted.

A typical attribute configuration form looks like this:

Important fields on this form:

OrgIdentity Sources

An OrgIdentity Source (OIS) is a data store that can supply relevant OrgIdentity attributes based on some common identifier. COmanage typically uses email address as common identifier, which makes storing the right email address more of an issue.

COmanage has a default OIS called 'EnvSource', which allows reading 'environment variables' of the webserver to scan for relevant authentication attributes introduced by back-end authentication systems like Shibboleth, auth_mod_mellon, etc. Because these variables are hidden from basic CO administrators and can differ based on the original IdP against which is authenticated, use of this specific OIS is not supported by SCZ.

Instead, SCZ supplies the SamlSource OIS. This OIS reads all relevant SAML attributes from the SCZ flow and creates a related, non-modifiable OrgIdentity record. To enable this OIS, you need to configure it under the CO configurations (Configuration→Organizational Identity Sources). The form looks as follows:

Important fields here:

After completing this form, the SamlSource plugin can be setup:

With at least one OIS configured, a new option appears with the enrollment flow configuration screen:

You can add several OIS-es, but the general case is to have only the SamlSource OIS:

Depending on the type of flow, you will need to set the 'Org Identity Mode':