Social login
You can add social login to your Identity Cloud single-factor (SFA) signup and login flow. Social login allow your users to sign-up and log in using their existing accounts from social identity providers. Social login is a frictionless alternative method to access your applications and services without having to register a new account and create additional password credentials. Identity cloud supports out-of-the-box integrations with all prevalent social identity providers.
Under Signup/Login > Social login, you have the following options to add and configure social identity providers:
Under Signup/Login > Authentication you can manage the social login buttons you want to enable in your signup and login flows.
Social login with Identity Cloud
Social login is a federated login using social identity providers to verify the user's identity. The OAuth 2.0 and OIDC protocols are used to facilitate authentication and authorization. The process includes the following steps:
- The user clicks on a social login button on the Identity Cloud signup and login pages.
- Identity Cloud forwards a request to the social identity provider to authenticate the user. The user logs in to the social identity provider.
- Once the social identity provider confirmed the user identity, Identity Cloud automatically links the social account to the user if not done yet. Linking requires email verification. For more information, see Automatic account linking.
- Identity Cloud provides access to your application.
- Step 2. does not involve any user interaction if the user is already logged in to the social identity provider.
- Step 2. does not involve any user interaction if the user is already logged in to the social identity provider.
- Step 3. usually is only required the first time a user logs in with social login. Afterward, the social login takes only a single click for the user.
Automatic account linking
Identity Cloud supports the automatic linking of social accounts from various social identity providers. This allows users to log in with any of their social accounts and be associated with the same Identity Cloud user account. The linking is based on the user's email address.
Upon the first login with a social identity provider, the user's email of the social account is verified. Email verification is required to prevent security attacks such as account takeovers.
After successful email verification, we create a user in Identity Cloud, if one does not exist yet. The user is created with the same email address as used in the social login account. Upon user creation, we also set the first and last name of the user if provided by the identity provider.
Finally, the social account is linked to the Identity Cloud user. The linking is visible as social login authentication method in the user details. If you delete a social login authentication method, the user has to verify their email during the next login to link the social account again. For more information, see View authentication methods.
- User information modifications in the social accounts are not automatically synchronized to the user account in Identity Cloud. The user data is only set upon first user creation in Identity Cloud.
- Users can use Password and any Social login as authentication methods interchangeably, independent of the initially used method during signup.
- Users who initially signed up using Social login and want to use the Password authentication method can register a Password by using the Password reset flow.
View social identity providers
Under Signup/Login > Social login you see the list of all added social identity providers.
Add social identity providers
To add social identity providers:
- Go to Signup/Login > Social login.
- Click Add social login.
- Select a social identity provider and proceed as described in the corresponding chapter.
Add Apple login
To add Apple login, do the following:
Create an Apple Developer account, see Apple Developer Program: What You Need To Enroll in the Apple documentation.
Register an App ID in Apple Developer, see Register an App ID in the Apple documentation.
Click Continue in the dialog in Identity Cloud.
Configure sign in with Apple in Apple Developer, see Configure Sign in with Apple for the web in the Apple Developer documentation.
- Note down the Services ID you created.
- Copy the Website URL from Identity Cloud, and paste it as the Website URL in Apple Developer.
Copy the Services ID you created in the previous step and paste it as the Services ID in Identity Cloud. You can find the Services ID in Apple Developer. Go to Certificates, Identifiers & Profiles > Identifiers and select Services IDs in the drop-down on the top right.
Copy the Apple Team ID in Apple Developer and paste it as the Apple Team ID in Identity Cloud. You can find the Apple Team ID in your Apple Developer account under Membership.
Create and download a private key file in Apple Developer, see Create a private key to access a service in the Apple Developer documentation.
- Select Sign in with Apple and Configure your registered App ID as Primary App ID.
- Download your private key. caution
You can download your private key only once. Save a backup of your private key in a secure place.
Add the downloaded private key from Apple Developer as the Private key in Identity Cloud.
Click Save.
Example setup
The following video gives an overview of how to add an Apple login. Some of the steps shown here may differ from those you need to take for your own setup. This depends on factors such as the setup on your third party, Apple Developer account.
Add Facebook login
To add Facebook login, do the following:
Create a Facebook for Developers account, see Register as a Facebook Developer in the Facebook for Developers documentation.
Create an App, and select Business or Consume as app type, see Create an App in the Facebook for Developers documentation. Add the Facebook login product to the App. Set the App to be in Live mode in case of Consumer app type.
To have Advanced Permission to email and public_profile, see Facebook Login Overview in the Facebook for Developers documentation.
Click Continue in the dialog in Identity Cloud.
Copy the Redirect URI from Identity Cloud, and paste it for your App under Facebook Login > Settings as Valid OAuth Redirect URIs in Facebook for Developers.
In Facebook for Developers, go to your App, and then Settings > Basic, where you can find the App ID and App secret.
Copy the App ID from Facebook for Developers, and paste it as App ID in Identity Cloud, see App Dashboard in the Facebook for Developers documentation.
Copy the App secret from Facebook for Developers, and paste it as App secret in Identity Cloud, see Login Security in the Facebook for Developers documentation.
- Click Save.
Example setup
The following video gives an overview of how to add a Facebook login. Some of the steps shown here may differ from those you need to take for your own setup. This depends on factors such as the setup on your third party, Facebook for Developers account.
Add Google login
To add Google login, do the following:
Create a Google Developers account, see Google Identity Overview in the Google Developers documentation.
Create a Project, see Creating and managing projects in the Google Developers documentation.
Click Continue in the dialog in Identity Cloud.
Copy the Redirect URI from in Identity Cloud, and paste it as Redirect URI in Google Developers, as part of setting up OpenID Connect, see OpenID Connect in the Google Developers documentation.
In Google Developers, go to your Project, and then Credentials, where you can find the Client ID and Client secret.
Copy the Client ID from Google Developers, and paste it as Client ID in Identity Cloud, see OpenID Connect in the Google Developers documentation.
Copy the Client secret from Google Developers, and paste it as Client Secret in Identity Cloud.
Click Save.
Example setup
The following video gives an overview of how to add a Google login. Some of the steps shown here may differ from those you need to take for your own setup. This depends on factors such as the setup on your third party, Google Developers account.
Add Microsoft login
To add Microsoft login, do the following:
Create a Microsoft account, see How to create a new Microsoft account for details.
Using your Microsoft account, log into Azure.
Click Continue in the dialog in Identity Cloud.
Register your application with Azure, see Configure your App Service or Azure Functions app to use Microsoft Account login for details.
- Choose a multitenant account type that supports all your users, corporate or personal, or both. For more information click Help me choose....
- Select Web in Platform type.
- Copy the Redirect URI from Identity Cloud and paste it as Redirect URI in the form.
In your registered application go to Token configuration and click Add optional claims. Select ID token and add the following claims:
- family_name
- given_name
Copy your Application (client) ID and paste it as Application (client ID) in Identity Cloud. You can find the Application (client) ID under Overview in your registered application.
In your registered application go to Certificates & secrets and click New client secret to create a new secret. Copy your Client secret and paste it as Client secret in Identity Cloud.
You can view and copy the value of your Client secret only upon creation. Save a backup of your Client secret in a secure place.
- Click Save.
Example setup
The following video gives an overview of how to add a Microsoft login. Some of the steps shown here may differ from those you need to take for your own setup. This depends on factors such as the setup on your third party, Microsoft account and in Azure.
Edit social identity providers
To edit social identity providers:
- Go to Signup/Login > Social login.
- Select a social identity provider.
- In the Social login details adapt any attribute.
- Click Save.