This article describes how to configure Identity Cloud to use Amazon as a social provider for authentication and/or registration. Identity Cloud provides a standards-based solution for Amazon social sign-on based on OIDC standards. Once configured, users can log in to applications protected by Identity Cloud using their existing Amazon account.
- You have a working Identity Cloud tenant.
- You have an Amazon account.
ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.
- Go to the Login with Amazon console.
- Register for an Amazon developer account if you do not already have one.
- Create a new security profile (if you do not already have one). You'll need the following information:
- Security Profile Name (the name of your app)
- Security Profile Description
- Consent Privacy Notice URL
When you save the security profile, Login with Amazon automatically generates a Client ID and Client Secret. You'll need this information when you configure the Amazon social identity provider in Identity Cloud.
- Under Web Settings, enter the redirect URI for your app in Allowed Return URLs. This is the URL to go to once access has been granted, for example https://<tenant-name>.forgeblocks.com/login. The URL must match the redirect URI that you will provide when configuring the Amazon social provider in Identity Cloud.
- In the Identity Cloud Admin UI, navigate to Native Consoles > Access Management > Services > Social Identity Provider Service.
- Choose Secondary Configurations, click Add a Secondary Configuration, and select Client configuration for Amazon.
- Complete the following configuration:
- Name: Enter a name for the social identity provider, for example, Amazon.
- Client ID: Enter the Client ID of your Login with Amazon app.
- Redirect URL: Enter the URL to go to once access has been granted. This must match the Allowed Return URLs you configured in your Login with Amazon app, for example,
- Scope Delimiter: Enter the scope delimiter, which is usually an empty space.
- Click Create.
The full configuration for the new Amazon social identity provider is displayed.
- Enter the Client Secret for your Login with Amazon app in the Client Secret field.
- Check the rest of the default settings are correct. In particular, check the following fields:
- Enabled: Ensure the configuration is enabled.
- Transform Script: Ensure that Amazon Profile Normalization is entered. This script transforms Amazon credential data into a normalized form.
- Click Save Changes.
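The Redirect URL entered in Identity Cloud and the Allowed Return URLs registered in the Login with Amazon security profile are compared by exact string match at the provider; a trailing slash, an http scheme, or a stray query string is enough to make the sign-in flow fail at the redirect step. The following added example (not part of this article and not ForgeRock or Amazon code) is a small pre-flight check you can run before saving the configuration: it applies only the syntax-based normalization that RFC 3986 permits (lower-casing scheme and host, dropping a default port), reports whether an exact match exists, and names the most common near misses. The tenant hostname and the URL values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Default ports that RFC 3986 section 6.2.3 allows us to drop during comparison.
DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize(uri: str) -> str:
    """Syntax-based normalization only: lower-case scheme and host and remove a
    default port. Path, query and fragment are kept byte-for-byte because the
    provider compares them literally, and so should we."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; raises ValueError on a malformed port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    rebuilt = f"{scheme}://{netloc}{parts.path}"
    if parts.query:
        rebuilt += "?" + parts.query
    if parts.fragment:
        rebuilt += "#" + parts.fragment
    return rebuilt


def check_redirect(configured: str, allowed_return_urls: list[str]) -> dict:
    """Compare the Identity Cloud Redirect URL against the Login with Amazon
    Allowed Return URLs and explain any mismatch.

    Returns {"match": bool, "problems": [...], "near_misses": [...]}.
    """
    norm = normalize(configured)
    parts = urlsplit(configured)

    # Properties the redirect URL should have regardless of what is registered.
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("redirect URL does not use https")
    if parts.fragment:
        problems.append("redirect URL contains a fragment, which RFC 6749 section 3.1.2 forbids")

    matched = any(normalize(a) == norm for a in allowed_return_urls)

    # When nothing matches exactly, point at the registered value that is closest.
    near_misses = []
    if not matched:
        for allowed in allowed_return_urls:
            na = normalize(allowed)
            if na.rstrip("/") == norm.rstrip("/"):
                near_misses.append(f"{allowed}: differs only by a trailing slash")
            elif na.split("://", 1)[-1] == norm.split("://", 1)[-1]:
                near_misses.append(f"{allowed}: differs only by scheme")
            elif na.split("?", 1)[0] == norm.split("?", 1)[0]:
                near_misses.append(f"{allowed}: differs only by query string")

    return {"match": matched, "problems": problems, "near_misses": near_misses}


if __name__ == "__main__":
    # Constructed sample values; replace with the URLs from your own console.
    allowed = ["https://example-tenant.forgeblocks.com/login"]
    for candidate in (
        "https://example-tenant.forgeblocks.com/login",
        "https://example-tenant.forgeblocks.com/login/",
        "http://example-tenant.forgeblocks.com/login",
    ):
        print(candidate, "->", check_redirect(candidate, allowed))
```

Run the check with the exact strings you intend to paste into the Redirect URL field and into Allowed Return URLs; a result with `"match": False` and a non-empty `near_misses` list usually identifies the single character that needs to change.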
You can create custom end user journeys for social registration and sign in. These journeys will include all your enabled social identity providers, so you won't need to create different journeys for different providers.
See How do I create end user journeys for social registration and login in Identity Cloud? for information on how to create end user journeys for SSO with social providers.
- In the Identity Cloud Admin UI, navigate to Journeys.
- Click the journey that you want to test.
- Copy the Preview URL.
- Paste the preview URL into a browser using Incognito or Private Browsing mode.
- Follow the sign in and/or registration steps to test your journey.
For example, if Amazon is configured as a social identity provider for social login, end users are asked if they want to authenticate with Amazon, similar to the screenshot below.