Social IDP

Flow Description

This flow leverages the Trusted IDP capability, configured with JIT User Creation enabled. In this case a Trusted IDP has been configured for Google (via OAuth2) as a Social Sign On provider, so new users can create an account in the Cedarstone OneLogin environment automatically by signing in with their Google account. In this use case a custom button in the CIAM application invokes a redirect to the external IDP via the Third-Party Initiated login capability. The TIDP connection is also configured to collect a number of different claims provided by Google and maps those claims onto various attributes in OneLogin. When the user account is created in OneLogin, the mappings capability can then trigger, which can automatically allocate OneLogin roles (which in this case grant access to the CIAM Applications) and groups (which assign the user's security policy), and optionally set additional attributes on the user object based on the mappings rulebase. With the new user created and roles and security policies allocated, the user can now be signed into the Cedarstone Demo site.
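The claim-mapping and mapping-rulebase steps of this flow, shown as an added illustrative model in Python. This is not OneLogin's code or API: the attribute, role, group and rule names are assumed for the example, and the Google user-info payload is a constructed sample. The model refuses to create a user when the IDP has not asserted a verified email or a stable subject identifier, which is the check a defender wants in front of any JIT provisioning path.

```python
"""Illustrative model of JIT (just-in-time) user creation from a social IDP.

Added example, not OneLogin's code or API. It models three steps of the flow:
(1) take the claims returned by Google's user-info endpoint,
(2) map those claims onto directory attributes (the TIDP connection's job),
(3) evaluate a mapping rulebase that assigns roles, a group (security policy)
    and extra attributes at the moment the user is created.
"""
from dataclasses import dataclass, field

# Constructed sample of a Google user-info response (not a real account).
SAMPLE_USERINFO = {
    "sub": "constructed-subject-1234567890",
    "email": "player@example.com",
    "email_verified": True,
    "given_name": "Sam",
    "family_name": "Player",
    "name": "Sam Player",
    "picture": "https://example.com/photo.jpg",
}

# Claim -> directory attribute mapping, as a trusted-IDP connection would hold it.
# Attribute names on the right-hand side are assumed for this example.
CLAIM_MAP = {
    "email": "email",
    "given_name": "firstname",
    "family_name": "lastname",
    "sub": "external_id",
    "picture": "custom_picture_url",
}


@dataclass
class User:
    """Minimal stand-in for a directory user object."""
    attributes: dict
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def map_claims(userinfo: dict) -> dict:
    """Translate IDP claims into directory attributes; claims not present are skipped."""
    return {attr: userinfo[claim] for claim, attr in CLAIM_MAP.items() if claim in userinfo}


# Mapping rulebase: (condition on attributes, action). Rules fire on user creation.
# Role, group and attribute names are assumed for this example.
RULEBASE = [
    # Grant the role that gives access to the CIAM application.
    (lambda a: a.get("email", "").endswith("@example.com"), ("add_role", "CIAM Gaming App")),
    # Every socially created user lands in a group that carries a security policy.
    (lambda a: True, ("add_group", "Social Users Policy")),
    # Optionally set an extra attribute derived from what the IDP supplied.
    (lambda a: "custom_picture_url" in a, ("set_attribute", ("profile_source", "google"))),
]


def provision(userinfo: dict) -> User:
    """Create a user JIT: refuse weak claims, map claims, then apply the rulebase."""
    if not userinfo.get("email_verified"):
        raise ValueError("refusing JIT creation: IDP did not assert a verified email")
    if not userinfo.get("sub"):
        raise ValueError("refusing JIT creation: missing stable subject identifier")
    user = User(attributes=map_claims(userinfo))
    for condition, (action, arg) in RULEBASE:
        if not condition(user.attributes):
            continue
        if action == "add_role":
            user.roles.add(arg)
        elif action == "add_group":
            user.groups.add(arg)
        elif action == "set_attribute":
            key, value = arg
            user.attributes[key] = value
    return user


if __name__ == "__main__":
    print(provision(SAMPLE_USERINFO))
```

The `email_verified` gate matters because the role assignment keys off the email domain: without it, any account the IDP has not verified could be mapped onto a role purely on the strength of a self-asserted address.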

Try it out

  • Open a new browser session in incognito mode and go to cedarstone-demo.com.
  • Select the Gaming theme in the App Configuration section in the bottom left corner of the site.
  • Click one of the Sign In images, then select the Sign Up With Google button; this redirects you to Google (via the OneLogin TIDP service) to authenticate.
  • Complete all required authentication steps at Google. You will then be redirected back to the Cedarstone OneLogin environment, where a new account is created on the fly by calling the Google User Info endpoint to gather the claims needed to create the new user object in the OneLogin directory. The OneLogin UI (with the Master Brand displayed) appears momentarily before you are redirected back to the CIAM Application.
  • After the user creation step has completed (and the mappings rules have fired to grant the user the OneLogin Role required to access the application), the user is redirected to the CIAM Application with an ID token and an access token from the OneLogin OIDC service, and the new user is automatically signed in.
  • Optional - Log in to the Admin Console with the Read Only Admin account you have created (see Create Read Only Admin user), observe the new user created from Google, and see how the new user object looks from the Admin Console perspective.

More Details

For more details on Trusted IDP please see TIDP KB. For more details on Branding please see Branding KB. For more details on User Policies please see User Policy KB. For more details on the Mappings capability please see Mappings KB.