IDM 7.2.0

Social user claim stage

Social authentication is deprecated and will be removed in a future release of IDM. For more information, see Deprecation.

This stage enables an existing managed user to claim a social identity. The stage obtains a CLIENT_TOKEN from some social identity provider. That token includes the following data:

  • OAuth token

  • Identity provider name

  • Renewal token

  • Expiration date

Using the CLIENT_TOKEN, the stage retrieves the user profile from the social identity provider and normalizes the profile into a user object (using the regular normalization mapping for social identity providers). For more information on this mapping, see Many social identity providers, one schema.

If the stage is unable to retrieve the user profile, or unable to normalize it using the mapping, it exits with an exception. It does not return any missing requirements.

When the user profile has been normalized, the stage attempts to identify any existing managed users that match the profile. If there are no matches, it simply advances to the next stage in the process. If it finds a match, it extracts the existing managed object and returns that as a new set of requirements.

The new requirement is that the user must provide their password, either their managed/user password, or the password to another social identity provider, if they registered through a separate identity provider.

The stage then does the following:

  • Verifies the login

  • Creates a managed/idp object for the user

  • Establishes a relationship between the managed object and the idp object

  • Puts OAUTH_LOGIN:true into state

  • Puts a claimedProfile containing the URL of the managed object that was claimed into successAdditions

    Example configuration
    {
        "name" : "socialUserClaim",
        "identityServiceUrl" : "managed/user",
        "claimQueryFilter" : "/mail eq \"{{mail}}\""
    },
    Dependencies

    This stage has no dependencies on previous or subsequent stages and can occur anywhere in a process.

    Required Parameters
  • identityServiceUrl - the managed object type against which the stage verifies the profile.

  • claimQueryFilter - the query filter that is used to locate the managed object from the social identity provider profile.

    Notice the double-brace notation in preceding example "claimQueryFilter" : "/mail eq \"{{mail}}\"". This notation indicates that the named property from the user object in state is substituted for the double-braced value. In this example, {{mail}} would become the value of the mail property of the user in state, such as bjensen@example.com, if that was in the user in state. You can use this notation with any user property.

Copyright © 2010-2022 ForgeRock, all rights reserved.