
Facebook SSO integration with Identity Cloud for social authentication/registration

Last updated Jan 17, 2023

The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Facebook® as a social provider using OpenID Connect (OIDC) for Single Sign-On (SSO).


Overview

This article describes how to configure Identity Cloud to use Facebook as a social provider for authentication and/or registration. Identity Cloud provides a standards-based solution for Facebook social sign-on based on OIDC standards. Once configured, users can log in to applications protected by Identity Cloud using their Facebook credentials. 

Steps involved:

  1. Configure Facebook 
  2. Configure the Social Identity Provider in Identity Cloud
  3. Create the end-user journey
  4. Test the end-user experience

Note

This article covers social login to websites protected by Identity Cloud. For information on setting up social login for ForgeRock SDKs, see the ForgeRock SDK documentation.

Prerequisites

  • You have a working Identity Cloud tenant.
  • You are registered as a Facebook Developer.
  • Existing users must have matching attributes in Identity Cloud and Facebook.

Configuring Facebook

Disclaimer

ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.

Create a Facebook app for Identity Cloud

Refer to the Facebook Developer documentation for guidance on creating a Facebook app.

  1. Navigate to the Apps page to create a new Facebook app.
  2. Select Consumer as the app type, and enter a display name and contact email for the app.
  3. Once the app has been created, navigate to Settings > Basic and complete the following configuration:
    • App Domains: Enter the domain of the site users are redirected to after they have authenticated with Facebook, for example, <tenant-env-fqdn>, where <tenant-env-fqdn> is your Identity Cloud tenant name.
    • Privacy Policy URL: Enter the URL that contains your privacy policy.
    • User Data Deletion: Enter either the URL to inform people how to delete their data from your website or the URL for a data deletion request callback.
  4. Copy the App ID and App Secret to a secure place. You'll need this information when you configure the Facebook social identity provider in Identity Cloud.

Add Facebook Login to the app

Refer to the Facebook Developer documentation for guidance on adding Facebook Login for the web.  

  1. Click Add Product and set up the Facebook Login product.
  2. Select Web as the app platform and enter the ForgeRock redirect URI in Site URL. This is where users are redirected to after they have authenticated with Facebook, for example, https://<tenant-env-fqdn>.
  3. Once Facebook Login has been added, navigate to Facebook Login > Settings and complete the following configuration:
    • Valid OAuth Redirect URIs: Enter the URL to go to once access has been granted, for example, https://<tenant-env-fqdn>/login.
    • Get advanced access for the public_profile scope. See Access Levels for further information.

Note

Please note the following:

  • When you configure the Social Identity Provider in Identity Cloud, the email and user_birthday OAuth 2.0 scopes are added by default, which means you will need to submit your app for Login Review. See Permissions for further information about Facebook scopes.
  • All Facebook apps start out in Development mode; you will need to switch to Live mode once you have completed testing. See App Modes for further information.

Configuring the Social Identity Provider in Identity Cloud

  1. In the Identity Cloud admin UI, go to Native Consoles > Access Management > Services > Social Identity Provider Service.
  2. Choose Secondary Configurations, click Add a Secondary Configuration, and select Client configuration for Facebook.
  3. Complete the following configuration:
    • Name: Enter a name for the social identity provider, for example, Facebook.
    • Client ID: Enter the App ID of your Facebook app.
    • Redirect URL: Enter the URL to go to once access has been granted. This must match the Valid OAuth Redirect URIs you configured in your Facebook app, for example, https://<tenant-env-fqdn>/login.
    • Scope Delimiter: Enter the scope delimiter, which is usually an empty space.
  4. Click Create.

The full configuration for the new Facebook social identity provider is displayed.

  5. Enter the App Secret for your Facebook app in the Client Secret field.
  6. Check that the rest of the default settings are correct. In particular, check the following fields:
    • Enabled: Ensure the configuration is enabled.
    • Transform Script: Ensure that Facebook Profile Normalization is entered. This script transforms Facebook credential data into a normalized form.
  7. Click Save Changes.
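The two settings that most often disagree after these steps are the Redirect URL in Identity Cloud and the Valid OAuth Redirect URIs in the Facebook app, together with the scope string that the scope delimiter assembles. The following Python is an added illustration, not ForgeRock or Facebook code: it models how an authorization server compares a redirect_uri against the registered allowlist (exact match, https only, no fragment) and how the requested scopes are joined with the delimiter. The host name tenant.example.com stands in for <tenant-env-fqdn>, APP_ID_PLACEHOLDER stands in for the App ID, the scope list is assembled from the scopes this article names, and the function names are the example's own.

```python
"""Added example (not ForgeRock or Facebook code): models the redirect-URI and
scope settings that must agree between the Facebook app and the Identity Cloud
social identity provider.  All host names and identifiers are constructed."""
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for <tenant-env-fqdn>; replace with your tenant's FQDN.
TENANT_FQDN = "tenant.example.com"

# Facebook app > Facebook Login > Settings > Valid OAuth Redirect URIs (constructed value).
FACEBOOK_VALID_REDIRECT_URIS = {f"https://{TENANT_FQDN}/login"}

# Identity Cloud > Social Identity Provider Service > Facebook client > Redirect URL (constructed value).
IDENTITY_CLOUD_REDIRECT_URL = f"https://{TENANT_FQDN}/login"

# Scopes named in the article (email and user_birthday are added by default;
# public_profile needs advanced access).  The article states the scope
# delimiter is usually a single space.
DEFAULT_SCOPES = ["email", "user_birthday", "public_profile"]
SCOPE_DELIMITER = " "


def redirect_uri_allowed(candidate: str, allowlist: set) -> tuple:
    """Decide whether a redirect_uri may be used with this client.

    The decisive test is an exact, case-sensitive string match against the
    registered allowlist: that is what keeps authorization codes from being
    delivered anywhere except a URL the operator registered.  The scheme and
    fragment checks only give the operator a readable reason for a rejection.
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.fragment:
        return False, "redirect URIs must not carry a fragment"
    if candidate not in allowlist:
        return False, "not registered as a Valid OAuth Redirect URI"
    return True, "ok"


def build_scope_parameter(scopes: list, delimiter: str = SCOPE_DELIMITER) -> str:
    """Join the requested scopes with the configured scope delimiter."""
    return delimiter.join(scopes)


def build_authorization_query(client_id: str, redirect_uri: str, state: str,
                              scopes: list = None, allowlist: set = None) -> str:
    """Assemble the query string of an authorization request, refusing to
    build one whose redirect_uri the provider would not accept."""
    scopes = DEFAULT_SCOPES if scopes is None else scopes
    allowlist = FACEBOOK_VALID_REDIRECT_URIS if allowlist is None else allowlist
    allowed, reason = redirect_uri_allowed(redirect_uri, allowlist)
    if not allowed:
        raise ValueError(f"redirect_uri rejected: {reason}")
    return urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": build_scope_parameter(scopes),
        "state": state,
    })


def configuration_consistent() -> bool:
    """First thing to check when the Facebook login fails: the Identity Cloud
    Redirect URL must be one of the Facebook app's Valid OAuth Redirect URIs,
    character for character."""
    return IDENTITY_CLOUD_REDIRECT_URL in FACEBOOK_VALID_REDIRECT_URIS


if __name__ == "__main__":
    print("configuration consistent:", configuration_consistent())
    print(build_authorization_query("APP_ID_PLACEHOLDER", IDENTITY_CLOUD_REDIRECT_URL, "random-state"))
    for uri in (f"http://{TENANT_FQDN}/login",
                f"https://{TENANT_FQDN}/login/extra",
                f"https://{TENANT_FQDN}/login#fragment"):
        print(uri, redirect_uri_allowed(uri, FACEBOOK_VALID_REDIRECT_URIS))
```

Run the block as a script to see one accepted and three rejected redirect URIs; the rejected ones are the variants (http scheme, extra path segment, fragment) that look close to the registered URL but must not be treated as equal.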

Creating the end user journey

You can create custom end user journeys for social registration and sign in. These journeys will include all your enabled social identity providers, so you won't need to create different journeys for different providers.

See How do I create end user journeys for social registration and login in Identity Cloud? for information on how to create end user journeys for SSO with social providers.
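To make the Transform Script step and the prerequisite about matching attributes concrete, here is an added Python example (not the Facebook Profile Normalization script shipped with Identity Cloud, and not code from this article): it maps a Graph-API-shaped Facebook profile onto a normalized profile and then decides whether a journey can sign in an existing account by email or must fall through to registration. The sample profile, the user store and the normalized attribute names (id, displayName, givenName, familyName, email, photoUrl) are constructed for the example.

```python
"""Added example (not the Facebook Profile Normalization script that ships
with Identity Cloud): shows what such a transform produces and how a journey
can use the result to find an existing account.  Sample data and normalized
attribute names are constructed for illustration."""
from typing import Optional

# Constructed profile in the shape the Facebook Graph API returns for the
# fields id, name, first_name, last_name, email, birthday and picture.
SAMPLE_FACEBOOK_PROFILE = {
    "id": "10000000000000001",
    "name": "Ada Example",
    "first_name": "Ada",
    "last_name": "Example",
    "email": "ada@example.com",
    "birthday": "01/02/1990",
    "picture": {"data": {"url": "https://graph.example.invalid/photo.jpg"}},
}

# Constructed Identity Cloud-side user store keyed by userName.
EXISTING_USERS = {
    "ada": {"userName": "ada", "mail": "Ada@Example.com", "givenName": "Ada", "sn": "Example"},
    "bob": {"userName": "bob", "mail": "bob@example.com", "givenName": "Bob", "sn": "Builder"},
}


def normalize_facebook_profile(raw: dict) -> dict:
    """Map a Facebook profile onto a normalized profile (attribute names assumed).

    Only fields the provider actually returned are copied; an email the user
    withheld becomes an empty string rather than a guessed value.
    """
    if not raw.get("id"):
        raise ValueError("Facebook profile without an id cannot be normalized")
    picture = raw.get("picture") or {}
    return {
        "id": str(raw["id"]),
        "displayName": raw.get("name", ""),
        "givenName": raw.get("first_name", ""),
        "familyName": raw.get("last_name", ""),
        "email": (raw.get("email") or "").strip().lower(),
        "photoUrl": (picture.get("data") or {}).get("url", ""),
    }


def find_matching_user(normalized: dict, users: dict) -> Optional[dict]:
    """Locate the one existing account whose mail equals the Facebook email.

    The prerequisite for existing users is that the attribute used for
    matching holds the same value on both sides.  If Facebook returned no
    email (scope declined, or no confirmed address) or more than one account
    carries that address, no match is returned, so the journey falls through
    to registration instead of attaching the social identity to the wrong user.
    """
    email = normalized.get("email")
    if not email:
        return None
    matches = [u for u in users.values()
               if (u.get("mail") or "").strip().lower() == email]
    if len(matches) != 1:
        return None
    return matches[0]


def journey_outcome(raw_profile: dict, users: dict) -> tuple:
    """Decide what a combined registration/login journey does with a profile:
    ("login", existing user) when exactly one account matches, otherwise
    ("register", normalized profile) to create a new account."""
    normalized = normalize_facebook_profile(raw_profile)
    user = find_matching_user(normalized, users)
    if user is not None:
        return "login", user
    return "register", normalized


if __name__ == "__main__":
    print(journey_outcome(SAMPLE_FACEBOOK_PROFILE, EXISTING_USERS))
    anonymous = {k: v for k, v in SAMPLE_FACEBOOK_PROFILE.items() if k != "email"}
    print(journey_outcome(anonymous, EXISTING_USERS))
```

The mail comparison is case-insensitive and trimmed on both sides because the two stores rarely agree on letter case; everything else about the match is strict, and the ambiguity check is what stops two existing accounts that share an address from being silently merged.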

Testing the end user experience

  1. In the Identity Cloud admin UI, go to Journeys.
  2. Click the journey that you want to test.
  3. Copy the Preview URL.
  4. Paste the preview URL into a browser using Incognito or Private Browsing mode.
  5. Follow the sign in and/or registration steps to test your journey.

For example, if Facebook is configured as a social identity provider for social login, end users are asked if they want to authenticate with Facebook, similar to the screenshot below. 

See Also

How do I create end user journeys for social registration and login in Identity Cloud?

Does the ForgeRock solution support social authentication?

Single Sign-On Integrations for Identity Cloud


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.