How do I create end user journeys for social registration and login in Identity Cloud?
The purpose of this article is to provide information on creating end user journeys for social registration and login in ForgeRock Identity Cloud. These journeys are required when you integrate Identity Cloud with a third-party social provider, such as Google®, using OpenID Connect (OIDC) or OAuth 2.0 for Single Sign-On (SSO).
Overview
This article describes how to create end user journeys for social registration and login in Identity Cloud. These journeys will include all your enabled social identity providers, so you won't need to create different journeys for different providers.
Journeys in Identity Cloud are very customizable and can support many use cases. This article provides examples of simple journeys that you can create easily by modifying the journey templates provided with Identity Cloud. It includes the following examples:
Social registration journey (example)
With this example journey, users can choose to register to Identity Cloud either with a social identity provider or by entering their details locally. If the user chooses to register with a social identity provider, such as Google or Facebook, Identity Cloud creates a user from the profile data returned by the social identity provider. If any of the attributes required by Identity Cloud are missing from this profile data, the user is prompted to add values for those attributes when completing the registration.
Creating the social registration journey
- In the Identity Cloud admin UI, navigate to Journeys > Registration.
- Click the ... menu and select Duplicate.
- Enter a unique name for your journey, select which identities will authenticate using this journey, (optionally) enter a journey description, and click Save.
- Add the Select Identity Provider node to the Page Node. This node prompts the user to select a social identity provider to register with, or (optionally) to register locally.
- Add the following nodes to your journey:
- Social Provider Handler. This node authenticates the user with the selected social identity provider. Once authenticated, the node collects profile information from the social identity provider and transforms that profile information into the attributes required by Identity Cloud.
- Required Attributes Present. This node checks the attributes required by the specified identity object in Identity Cloud and determines if all the required attributes exist within the shared state of the journey.
- Attribute Collector. This node collects the values of attributes required to populate a new account if any of those attributes are missing from the profile information provided by the social identity provider. Add this node to a Page Node so that the user is prompted to complete the required information during registration.
The journey should now look similar to this:
- Configure the nodes as follows:
- Page Node: Configure the Page Header and Page Description as needed. For example, you may want the “Sign In” link to go to a Social Login Journey instead of the default Login Journey.
- Social Provider Handler: Select Normalized Profile to Managed User in the Transformation Script field. This script transforms the social identity provider's profile object into an appropriate object for Identity Cloud.
- Required Attributes Present: Check the Identity Resource is correct; this should match the identity object you selected in step 3. The default is managed/user but you may need to change this to managed/alpha_user, for example.
- Attribute Collector: Add the attributes to collect. These should include all the required attributes for the identity object. (You can check which attributes are required by navigating to Native Consoles > Identity Management > Configure > Managed Objects > [Managed Object Type] and reviewing the list of properties.) See Attribute Collector node for further information.
- Page Node (containing the Attribute Collector node): Configure the Page Header and Description as needed. See Page node for further information.
- Click Save to save the journey.
Testing the journey
Before testing the journey, ensure that your social identity providers are correctly configured and enabled. See Identity Cloud social identity providers for further information.
- In the Identity Cloud admin UI, navigate to Journeys.
- Click the journey that you want to test.
- Copy the Preview URL.
- Paste the preview URL into a browser using Incognito or Private Browsing mode.
A registration screen is displayed, similar to this:
- Follow the registration steps to test your journey.
Social login journey (example)
With this example journey, existing users can choose to sign in to Identity Cloud using either a social identity provider or by entering credentials locally.
Creating the social login journey
- In the Identity Cloud admin UI, navigate to Journeys > Login.
- Click the ... menu and select Duplicate.
- Enter a unique name for your journey, select which identities will authenticate using this journey, (optionally) enter a journey description, and click Save.
- Add the Select Identity Provider node to the Page Node. This node prompts the user to select a social identity provider to log in with, or (optionally) to log in using local credentials.
- Add the Social Provider Handler node. This node authenticates the user with the selected social identity provider.
The journey should look similar to this:
- Configure the nodes as follows:
- Page Node: Configure the Page Header and Page Description as needed. For example, you may want the “Create an Account” link to go to a Social Registration Journey instead of the default Registration Journey.
- Social Provider Handler: Select Normalized Profile to Managed User in the Transformation Script field.
- Click Save to save the journey.
Testing the journey
Before testing the journey, ensure that your social identity providers are correctly configured and enabled. See Identity Cloud social identity providers for further information.
- In the Identity Cloud admin UI, navigate to Journeys.
- Click the journey that you want to test.
- Copy the Preview URL.
- Paste the preview URL into a browser using Incognito or Private Browsing mode.
A login screen is displayed, similar to this:
- Follow the registration steps to test your journey.
Social login and registration journey (example)
A more comprehensive social login user experience would allow new accounts to be registered during the social login journey. This can be achieved by combining a social login journey and social registration journey, or by adding an Inner Tree Evaluator node.
In this example journey, the user can log in to Identity Cloud using a social identity provider or local credentials and register using a social identity provider if they do not already have an account.
Creating the social login and registration journey
Note
The following steps assume that you have already created the social login journey described in the previous section.
- In the Identity Cloud admin UI, navigate to Journeys.
- Select the social login journey.
- Click the ... menu and select Duplicate.
- Enter a unique name for your journey, select which identities will authenticate using this journey, (optionally) enter a journey description, and click Save.
- Add the following nodes to your login journey; these are the nodes required to register new users:
- Required Attributes Present. This node checks the attributes required by the specified identity object and determines if all the required attributes exist within the shared state of the journey.
- Attribute Collector. This node collects the values of attributes required to populate a new account if any of those attributes are missing from the profile information provided by the social provider. Add this node to a Page Node so that the user is prompted to complete the required information during registration.
- Create Object. This node creates a new object in Identity Cloud, based on information collected during user registration.
- Increment Login Count. This node increments the successful login count property of a managed object after the object has been created.
The journey should look similar to this:
- Configure the nodes as follows:
- Page Node: Configure the Page Header and Page Description as needed. For example, you may want to completely remove the Create an Account link.
- Required Attributes Present: Check the Identity Resource is correct; this should match the identity object you selected in step 4. The default is managed/user but you may need to change this to managed/alpha_user, for example.
- Create Object: Check the Identity Resource is correct; this should match the identity object you selected in step 4. The default is managed/user but you may need to change this to managed/alpha_user, for example.
- Attribute Collector: Add the attributes to collect. These should include all the required attributes for the identity object. (You can check which attributes are required by navigating to Native Consoles > Identity Management > Configure > Managed Objects > [Managed Object Type] and reviewing the list of properties.) See Attribute Collector node for further information.
- Page Node (containing the Attribute Collector node): Configure the Page Header and Page Description as needed. See Page node for further information.
- Click Save to save the journey.
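As an added illustration (constructed for this article, not ForgeRock's code or the product's own transformation script), the following JavaScript models the decisions the nodes in the registration journey and the combined login and registration journey make: a stand-in for the Normalized Profile to Managed User script maps provider profile fields to managed-user attributes, Required Attributes Present reports what is missing from shared state, the Attribute Collector supplies it, and Create Object and Increment Login Count finish the flow. The required-attribute list, the e-mail based match for an existing account, and the sample profiles are assumptions.

```javascript
// Constructed model of the registration and combined login/registration journeys above.
// Not ForgeRock's code: node names match the journey, the logic is a simplification.

// Required properties of the managed object (assumed list; the real one is under
// Native Consoles > Identity Management > Configure > Managed Objects).
const REQUIRED_ATTRIBUTES = ["userName", "givenName", "sn", "mail"];

// Stand-in for the "Normalized Profile to Managed User" transformation script:
// map the normalized provider profile into the managed-user attribute names.
function normalizedProfileToManagedUser(profile) {
  const attrs = {};
  if (profile.email) {
    attrs.mail = profile.email;
    attrs.userName = profile.email; // assumed: username derived from the e-mail
  }
  if (profile.givenName) attrs.givenName = profile.givenName;
  if (profile.familyName) attrs.sn = profile.familyName;
  return attrs;
}

// Required Attributes Present node: which required attributes are absent from
// the journey's shared state (empty strings count as absent).
function missingRequiredAttributes(sharedState, required = REQUIRED_ATTRIBUTES) {
  return required.filter((a) => sharedState[a] === undefined || sharedState[a] === "");
}

// One pass through the combined journey. `users` stands in for the managed-user
// store; `collected` is what the Attribute Collector page returns from the user.
function runJourney(profile, users, collected = {}) {
  const sharedState = normalizedProfileToManagedUser(profile);    // Social Provider Handler
  const existing = users.find((u) => u.mail === sharedState.mail); // assumed match rule
  if (existing) {
    existing.loginCount += 1;                                      // Increment Login Count
    return { outcome: "login", user: existing };
  }
  let missing = missingRequiredAttributes(sharedState);           // Required Attributes Present
  if (missing.length > 0) {
    Object.assign(sharedState, collected);                         // Attribute Collector
    missing = missingRequiredAttributes(sharedState);
    if (missing.length > 0) return { outcome: "incomplete", missing };
  }
  const user = { ...sharedState, loginCount: 1 };                  // Create Object + Increment Login Count
  users.push(user);
  return { outcome: "registered", user };
}
```

The "incomplete" outcome is where the Attribute Collector page is shown again in the real journey; no object is created until every required attribute is present.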
Testing the journey
Before testing the journey, ensure that your social identity providers are correctly configured and enabled. See Identity Cloud social identity providers for further information.
- In the Identity Cloud Admin UI, navigate to Journeys.
- Click the journey that you want to test.
- Copy the Preview URL.
- Paste the preview URL into a browser using Incognito or Private Browsing mode.
A login screen is displayed, similar to this:
- Follow the registration steps to test your journey.
See Also
Identity Cloud social identity providers:
- Amazon SSO integration with Identity Cloud for social authentication/registration
- Apple SSO integration with Identity Cloud for social authentication/registration
- Facebook SSO integration with Identity Cloud for social authentication/registration
- Google SSO integration with Identity Cloud for social authentication/registration
- LinkedIn SSO integration with Identity Cloud for social authentication/registration
- Microsoft SSO integration with Identity Cloud for social authentication/registration
- Salesforce SSO integration with Identity Cloud for social authentication/registration
- WordPress SSO integration with Identity Cloud for social authentication/registration
- Yahoo SSO integration with Identity Cloud for social authentication/registration
- Configure Social Identity Providers
Other resources: