Social IDP
Flow Description
This flow leverages the Trusted IDP capability, configured with JIT User Creation enabled. In this case a Trusted IDP has been configured for Google (via OAuth2) as a Social Sign On provider, so new users can create an account in the Cedarstone OneLogin environment automatically by signing in with their Google account. This TIDP is configured to be visible on the login page, to be invoked automatically when a new user enters an email address from the gmail.com domain, and to collect a number of claims provided by Google and map them into attributes in OneLogin. Once the user account is created in OneLogin, the mappings capability can trigger; it can be used to automatically allocate OneLogin roles (which in this case grant access to the CIAM Applications), groups (which assign the user a security policy), and optionally set additional attributes on the user object based on the mappings rulebase. With the new user created and roles and security policies allocated, the user can then be signed into the Cedarstone Demo site.
Try it out
- Open a new browser session in incognito mode and go to cedarstone-demo.com.
- Select the Retail theme in the App Configuration section in the bottom left corner of the site.
- Click one of the Sign In images and then press the Continue To Sign In button. This redirects you to the OneLogin hosted login page with the Retail branding applied.
- On the OneLogin hosted login page, select the image for the "continue with google" option; this redirects you to Google to authenticate. Alternatively, you can enter an email address with the gmail.com domain, which also triggers the redirect to Google automatically, based on the TIDP configuration applied in this environment.
- Complete all required authentication steps at Google. You will then be redirected back to the Cedarstone OneLogin environment, where a new account is created on the fly by calling the Google User Info endpoint to gather the claims needed to create the new user object in the OneLogin directory.
- After the user creation step has completed (and the mappings rules have fired to grant the user the OneLogin Role required to access the application), the user is redirected to the CIAM Application with an ID token and an Access token from the OneLogin OIDC service, and the new user is automatically signed in.
- Optional - Log in to the Admin Console with the Read Only Admin account you created in the "Create Read Only Admin user" flow, observe the new user created from Google, and see how the new user object looks from the Admin Console perspective.
More Details
For more details on Trusted IDP please see TIDP KB. For more details on Branding please see Branding KB. For more details on User Policies please see User Policy KB. For more details on the Mappings capability please see Mappings KB.