Developer Programs

Learn

Docs

New User Enrollment

Unified Identity Service > Integration Tips > New User Enrollment

Each product is responsible for determining and enforcing its own requirements for eligibility, before users are sent to UIS to establish a new (or connect to an existing) Identity.

For example, Banno has two different supported flows:

Self-enrollment (Retail users)

  • User must enter tax id (TIN), account number, and phone number; those values are matched to core data (by Banno, not by UIS).
  • If a matching core record is found, the user must retrieve a one-time passcode sent to the phone number on the core record. This step helps Banno to confirm the user should be allowed to proceed with gaining access to accounts connected to a particular CIF. This happens within Banno, before the user is directed to UIS.
  • If the one-time code is verified, the user is redirected to UIS enrollment so they can create (or link an existing) identity.
  • Once the identity is established, the user is redirected back to Banno. Banno stores the unique ID for the identity from UIS, and associates it with Banno’s own unique ID for the user.

Email invitation (Business users, some retail users)

  • An FI employee OR a Banno Business online banking user with the required permissions creates a new user in Banno, and assigns them any needed Banno permissions.
  • The FI employee or Banno Business admin user emails the new user an invitation link.
  • The new user clicks the link and is redirected to UIS enrollment so they can create (or link an existing) identity.

With both of these flows, Banno collects and passes user profile details to UIS through the API a/uis/api/v0/institutions/{institutionId}/enrollment/start.

Example Flow

Here’s an example showing the business user creation step within Banno, in which an admin user creates a new user and supplies their basic profile details.

Banno create user

Banno sends the supplied user information to the Unified Identity Service via the enrollment/start API

{
  "clientId": "1234f43a1-2a7a-48b1-96a4-538210507890",
  "productUserId": "string", (unique id within Your Product)
  "email": "test@jackhenry.com",
  "firstName": "Rachel",
  "lastName": "Demo",
  "requiredSecurityLevel": "enhanced"
}

Once the user gets to the Unified Identity Service enrollment screens, they’ll see editable profile fields that were pre-filled with the data provided in the enrollment/start API request.

UIS Enrollment Step 1
Magic Links and Enrollment Expiration
UIS enrollments expire in 1 hour. For products that send email invitations, the link within the email may need to be valid for longer than 1 hour. Your product must handle generation of a link with your desired expiration time period, so that the UIS enrollment/start request can be made (and the 1 hour UIS expiration clock started) after the user has clicked the link contained in your email invitation.
  1. Your Product will use a Client Credentials Flow to authenticate with the enrollment/start UIS API, for providing the initial user details and obtaining an enrollmentId. The scope https://jackhenry.com/uis/uis.enrollment is required.

  2. Your Product will initiate an OAuth Authorization Code flow:

  • Generate code_verifier and code_challenge (if using Proof Key for Code Exchange).
  • Redirect to the /oidc/auth endpoint [add link].
    • Include scope parameter openid so an Identity Token can be obtained in addition to an access token.
    • Include prompt parameter enroll so that your productUserId is returned as a claim in the Identity Token.
    • Include the enrollmentId parameter with the value obtained from the UIS enrollment/start response.
  1. Unified Identity Service will authenticate the user, and redirect the user back to Your Product’s URL with an authorization code and other parameters.
  2. Your Product will finish the enrollment process and store the unique identifer for the UIS identity that the user chose to create or link.
  • Your Product triggers the /oidc/token request (including the previously generated code_verifier, if applicable).
  • The resulting Identity Token will include claims for both the unique identifier for the UIS identity (sub) and for the productUserId you supplied in the enrollment/start UIS request.
  • Your Product may wish to update the user’s status within your product, such as updating the user from a “Pending” status to “Enrolled” or “Active”.

Have a Question?

Did this page help you?

Last updated Thu Mar 12 2026