Login SPI

To simplify login for your users, you may need to allow OIDC application sign-in with a service provider like Twitter or Facebook.

The Login Provider feature on cidaas lets you set up an app using OIDC for a specific provider account. The Login SPI tries to match the user's provider account to the local user account. The user is automatically signed into the application if the accounts match.

The cidaas Login Service Provider Interface (SPI) enables intercepting the authentication request or login request to perform specific actions before creating an access token.

Click here to see which login providers cidaas supports.

Key Features

  1. The Login SPI is called after successful user authentication.
  2. It can prevent a login.
  3. The Login SPI can provide or update custom fields, which can then be used later in the login process, for example, in token creation.

How it works

The Login Service Provider is called via an API call in the following format.

curl --location --request GET '{{baseurl}}/login-interceptor-srv/login/{{sub}}'

This call is authenticated with an API key, a cidaas OAuth 2.0 token, or a TOTP key.
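As an added illustration (not cidaas code), here is a minimal interceptor service implementing the call above and the Key Features listed earlier: it authenticates the incoming request, can deny a login, and returns custom fields (last login timestamp, internal groups and roles, as in the use cases later on this page). The API-key header name, the JSON response shape ("allow" plus "customFields") and the user store are assumptions made for this example; the real contract is in the cidaas API reference.

```python
"""Minimal Login SPI interceptor (added example, not cidaas code).
cidaas calls GET {{baseurl}}/login-interceptor-srv/login/{{sub}} after the user
authenticates. The header name and response shape below are ASSUMPTIONS for
illustration only; consult the cidaas API reference for the real contract."""
import hmac
import json
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: the API key cidaas is expected to present, and a
# local user store keyed by the subject identifier (sub) in the URL.
EXPECTED_API_KEY = "example-api-key-change-me"
USER_STORE = {
    "sub-1001": {"status": "active", "groups": ["finance"], "roles": ["viewer"]},
    "sub-2002": {"status": "suspended", "groups": [], "roles": []},
}
PATH_RE = re.compile(r"^/login-interceptor-srv/login/(?P<sub>[A-Za-z0-9._-]+)$")

def intercept_login(path, headers, now=None):
    """Return (http_status, response_dict) for one SPI call."""
    # 1. Authenticate the caller first; constant-time compare of the API key.
    if not hmac.compare_digest(headers.get("x-api-key", ""), EXPECTED_API_KEY):
        return 401, {"allow": False, "error": "unauthorized"}
    m = PATH_RE.match(path)
    if not m:
        return 404, {"allow": False, "error": "not_found"}
    user = USER_STORE.get(m.group("sub"))
    if user is None:
        return 404, {"allow": False, "error": "unknown_sub"}
    # 2. Key feature: the SPI can prevent a login.
    if user["status"] != "active":
        return 403, {"allow": False, "reason": "account_" + user["status"]}
    # 3. Key feature: provide/update custom fields for token creation.
    ts = int(now if now is not None else time.time())
    user["last_login_at"] = ts
    return 200, {"allow": True, "customFields": {
        "last_login_at": ts, "groups": user["groups"], "roles": user["roles"]}}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        hdrs = {k.lower(): v for k, v in self.headers.items()}
        status, body = intercept_login(self.path, hdrs)
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```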

Process Flow

The process flow is illustrated below.

1. The user accesses the Login UI of your app, which redirects to the Login Hosted Page.

2. Then, the Login service initiates the authentication. At the same time, the Token service verifies the credentials with the server and generates an access token (which contains information about the user, permissions, groups, and session).

3. Before the access token is generated and the user is logged in, the Login SPI intercepts the process to perform the pre-defined action(s) you have configured, for example, providing or updating custom fields that are used to continue the login process.

4. The Login SPI uses the created access token to match the user's provider account against the local user account.

5. After successful authentication, the user is redirected to the redirect_url set by you.

Configuring Login Provider on the cidaas Admin UI

To enable the Login Provider Interface, configure the required settings in the Admin UI: register the login provider interceptor service (URL), enable the interface functionality, and finally select the authentication option (under Edit App > App Settings > Advance Settings > Authentication).

Configuring Login Providers under Dashboard Settings

You need to individually configure Social Providers, Custom OAuth2 & OpenID Connect Providers, SAML SP, and AD Providers for the Login page under Settings > Login Providers. The details for integration to enable seamless login are described here.

The providers configured on these login provider pages then become available as options under App Settings.

Click here to find more details on how to configure various login providers under Settings > Login Providers.

Configuring the Login SPI for your Application under Advance Settings

You can configure the Login SPI feature at the app level, that is, for a specific app. You can define different Service Providers that support the specific action(s) you want to perform.

Here are the steps to configure Login SPI on the cidaas Admin UI.

1. In Dashboard, go to Apps > App Settings.

2. Then, click on the Edit icon of the App you want to configure.

3. Under App Settings, set the values for Scope, Hosted Page Group (default or custom Hosted Page Group that has been mapped to your Login SPI in Hosted Pages Admin UI), and Redirect URLs.

4. You can add Login Providers to your Default Login Hosted Page by navigating to Apps > Edit App > App Settings > Advance Settings and then, clicking on Login Providers.

5. Select the required Login Providers from the appropriate list and click on Save.

6. The Login Providers option lets you configure the login options from various providers like social providers, SAML providers, etc. that you require for your app on the Login hosted page.

By default, the allowed providers are PayPal and Facebook. You can add a Custom Login Provider from either your organization or any other provider whose services you want to integrate into your app.

Similarly, you can add SAML and Active Directory Providers from the list to configure on the Login Hosted Page of your app.

7. After selecting the required options from the list, click on Save. A Success Confirmation window will appear.

This completes the Login SPI configuration for your app on cidaas.

Activating the Login SPI using APIs

To enable user login on the Login SPI, we've defined an API that allows you to configure the Login SPI. You can find more information here.

This API tells cidaas which Service Provider API to connect to during login. The Service Provider is secured by an OAuth-Token and is called using a token from a non-interactive client defined at the API level.

Use Cases

The following use case will help you understand the benefits of the Login SPI.

cidaas provides the Login SPI functionality to add profile fields (registration fields) in an access token.

This is useful, for example, to provide certain information required by the app without the need to make further API calls.

When the user logs in, the access token is created, after which the profile fields mapped to that user and application are added to the access token.

Suppose your app needs context-specific information in the user's access token, such as the last login timestamp. In that case, you can configure the Login Service Provider to update the user profile.

Sometimes registration fields should not be public and visible to the users, but are instead internal fields that carry further information about the user, such as their groups and roles. In this case, too, you can configure the Login Service Provider to supply them.

This brings us to the end of our discussion on Login SPI.

If you have any questions, or need further assistance in configuring Login Providers for your app, please visit our support page.
