Setting Up Amazon as an IDM Social Identity Provider

As suggested in the introduction to this chapter, you'll need to take the following basic steps to configure Amazon as a social identity provider for IDM:


Amazon as a social identity provider requires access over secure HTTP (HTTPS).

Setting Up Amazon

To set up Amazon as a social identity provider, first Register for Login With Amazon. You will need an Amazon account.

Then, create a security profile. You will need the following information:

  • Security Profile Name (The name of your app)

  • Security Profile Description

  • Consent Privacy Notice URL

  • Consent Logo Image (optional)

When complete and saved, you should see a list of security profiles with OAuth2 credentials. You should be able to find the Client ID and Client Secret from this screen.

You still need to configure the web settings for your new Security Profile. From the Amazon Developer Console dashboard, select Apps and Services > Login with Amazon, then select Manage > Web Settings.

In the Web Settings for your app, you'll need to set either of the following properties:

  • Allowed Origins, which should match the URL for your registration page, such as

  • Allowed Return URLs, which should match the redirect URIs described in "Configuring an Amazon Social Identity Provider". You may see URIs such as

Configuring an Amazon Social Identity Provider

  1. To configure an Amazon social identity provider, log in to the Admin UI and navigate to Configure > Social ID Providers.

  2. Enable the Amazon social identity provider.

    In the Amazon Provider pop-up that appears, the values for Redirect URI should match the values that you've entered for Allowed Return URLs in "Setting Up Amazon".

  3. Include the values that Amazon created for Client ID and Client Secret, as described in "Setting Up Amazon".

  4. Under regular and Advanced Options, include the options shown in the following appendix: "Amazon Social Identity Provider Configuration Details".

When you enable an Amazon social identity provider in the Admin UI, IDM generates a conf/identityProvider-amazon.json file.

When you review that file, you should see information beyond what you see in the Admin UI. The first part of the file includes the name of the provider, endpoints, as well as the values for clientId and clientSecret.

   "provider" : "amazon",
   "authorizationEndpoint" : "",
   "tokenEndpoint" : "",
   "userInfoEndpoint" : ""
   "enabled" : true,
   "clientId" : "<someUUID>",
   "clientSecret" : {
       "$crypto" : {
           "type" : "x-simple-encryption",
           "value" : {
               "cipher" : "AES/CBC/PKCS5Padding",
               "stableId" : "openidm-sym-default",
               "salt" : "<hashValue>",
               "data" : "<encryptedValue>",
               "keySize" : 16,
               "purpose" : "idm.config.encryption",
               "iv" : "<encryptedValue>",
               "mac" : "<hashValue>"
   "scope" : [

You should also see UI settings related to the social identity provider icon (badge) and the sign-in button, described in "Social Identity Provider Button and Badge Properties".

You'll see links related to the authenticationIdKey, redirectUri, and configClass; the location may vary.

The file includes schema information, which includes properties for each social identity account, as collected by IDM, as well as the order in which it appears in the Admin UI. When you've registered a user with an Amazon social identity, you can verify this by selecting Manage > Amazon, and then selecting a user.

Another part of the file includes a propertyMap, which maps user information entries between the source (social identity provider) and the target (IDM).

If you need more information about the properties in this file, refer to the following appendix: "Amazon Social Identity Provider Configuration Details".

Configuring User Registration to Link to Amazon

Once you've configured the Amazon social identity provider, you can activate it through User Registration. To do so in the Admin UI, select Configure > User Registration, and activate that feature. Under the Social tab that appears, enable Social Registration. For more information on IDM user self-service features, see Admin UI.

When you enable Social Registration, you're allowing users to register on IDM through all active social identity providers.

Read a different version of :