Onboard and Authenticate User with Social Account Process
Content
- Overview
- OIDC: How it Works
- Adding Provider IDs to the Request URL
- Responsive Process Design
- Modifying User Details Returned by the Social Provider
- App Settings
- Onboarding Flow(s)
- Authentication Flow(s)
- Social Onboarding and/or Authentication User Journey
- API Walkthroughs
- Error Codes
- Revision History
Overview
This Process defines how an anonymous (or unauthenticated) user onboards and authenticates into ULM using a social media account. As one of the underlying components of ULM's Identity Management functionality, this Process supports the OIDC standard protocol for authentication and authorization between relying parties.
The Onboard & Authenticate User Process orchestrates two primary flows:
- Onboarding with Social Media flow: a new, anonymous user signs-up using their preferred social account. ULM Cloud uses details return from the social provider to create the User ID.
- Authentication with Social Media flow: an existing, anonymous user authenticates using their associated social account. The User ID already exists, and it the social account is already associated to the User ID.
This process is distinct from the Associate Social Account to User ID Process that can only be invoked by an existing, authenticated user who decides to associate their social account to their User ID.
OIDC: How it Works
Open ID Connect (OIDC) is an authentication layer which sits on top of the OAuth authorization framework. Where OAuth 2.0 allows a user to grant a third-party access to protected resources, OIDC extends that to allow the IdP (in this case ULM) to directly provide/request third-party information about the user.
A user who opts to onboard with a social account is first directed to the provider's website where they then sign into their account. The provider requires the user to explicitly share key information with ULM Cloud, and then redirects the user back to the client application where they first started their journey.
On the back end, ULM Cloud requests key user details (often known as "scopes") that will then be registered on the ULM User ID. The provider first returns a token to ULM, and a subsequent call to redeem that token results in user data that is added to the ULM User ID, including a contact channel and the provider's unique internal identifier for that social account. This information is used to create the new ULM User ID.
When an existing user opts to authenticate with an associated social account, and the provider is already associated to the User ID, the process queries the provider with a the unique identifier now stored on the User ID. ULM Cloud then authenticates the user once the provider confirms the internal identifier is still valid.
Third-party integrations allow users to share segments of their information from one website to another, without the need to expose their credentials.
Note: In this Process, the social provider federates user authentication to ULM Cloud. Similarly, ULM Cloud can also federate authentication to other third-party applications in order to enable single-sign on (SSO) with ULM Cloud as the authentication entry point. In other words, a user can authenticate into ULM using their preferred method, and then remain signed in once they navigate to provisioned relying parties. See the OIDC section in the MarketONE User Admin Guide for more details.
Adding Provider IDs to the Request URL
Like most Processes, this Process is initialized by the Process Start API. The Process Start API optionally consumes no payload, but you can add the required parameters upfront in the initial API request URL.
For example, in a normal invocation, the Process Star API consumes no payload:
| POST /process/start/socialFederation.SocialMediaAssistedOnboarding.v1.0 |
|---|
<no body>
|
The Process then responds with a request for request for a supported providerID.
| Response Payload |
|---|
{
"processId": "8f41d5cc-a4ab-45e9-9e3b-7f58a2ed183f",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"providerId": "String"
},
"stepName": "ProviderPrompt",
"lastStep": false,
"output": {
"providers": [
"linkedin",
"google",
"facebook",
"apple"
]
}
}
|
The UI would then need to provide that in the subsequent Process Step API.
However, the application can also simply invoke the Process with that providerId in the initial Process Start request URL:
- POST /process/start/socialFederation.SocialMediaAssistedOnboarding.v1.0?providerId=facebook
- POST /process/start/socialFederation.SocialMediaAssistedOnboarding.v1.0?providerId=google
As a best practice, adding the providerID to the request URL enables you to build your application to display social media badges on the sign-in and/or sign-up screens. The client can then invoke the provider-specific variation of the request when a user clicks on a provider-specific badge.
Responsive Process Design
This Process is responsive enough to account for edge cases and user error scenarios wherein a user mistakenly begins at one flow's starting point, but logistically needs to arrive at another flow's end result.
For example, a user who already owns a ULM User ID may mistakenly start from a client application UI's onboarding screen. Since the UI invokes the same Process from either flow's entry point, the communication between ULM Cloud and the social provider ensures that the user will arrive at the correct end point. See the below diagram for a better idea:
The result is a seamless flow that minimizes some of the friction that occurs from user errors.
Modifying User Details Returned by the Social Provider
When a user onboards with their social account, the social provider returns scopes that the user must confirm are valid. These scopes include an email address and/or mobile number. If the user confirms the details, then ULM creates the ULM User ID and registers the the email/mobile as both and authentication identifier and the user's primary contact channel. The user does not need verify this channel, as ULM Cloud implicitly trusts the provider. However, the Process also allows the user to optionally change the email/mobile returned by the provider.
If the user changes the email/mobile, the Process performs an additional check to see if that new email/mobile is already registered to an existing ULM User ID and, if a User ID is found, then prompts the user to supply a password to prove that they own the User ID. Once the user provides a valid password, the Process associates the social account to the existing User ID, and authenticates the user.
Alternatively, if the user-supplied email or mobile is not found in ULM, then the Process issues and and sends an action token to the user, in a verification message to that user-supplied contact channel. The Process then ends, and the user must then redeem that token with the GET session/token API to invoke Activate User Process.
Once invoked, the Activate User Process completes the onboarding (new ULM User ID is activated, email/mobile registered as AuthN ID), associates the social account, and authenticates the user into ULM.
App Settings
Certain aspects of the Process' behaviour are controlled by configurable application settings.
| ULM Admin Application Settings | Default Values | |
|---|---|---|
| Max Failed Sign-In Attempts | The maximum number of times the Process accepts bad input before locking the user out.
Applies to Alt Flow cases below wherein a user needs to provide their password and prove that they own an existing ULM User ID. |
10 failed attempts |
| Count Failed Attempts Within | The length of time in which the user's total failed attempts are counted towards lockout, measured in seconds. After this time expires, the count resets. | 3600 seconds |
| User Lockout Duration | The length of time that a user ID lockout lasts, measured in sections | 3600 seconds |
| Enable reCAPTCHA Prompt | Determines whether or not reCAPTCHA, v1 is enabled. This app setting include multiple fields for client and test secret keys. | Enabled |
| Token URL | Base for the action token URL to include in the notification message sent to the user's external channel. The actual token value will be appended to this String to form the complete URL.
This app setting is applicable for when a user attempts to sign-in with an unverified email/mobile. When this occurs, the Process sends the token out to that email/mobile for verification. |
https://idp/user_confirm?token_value= |
| Token (long-form) Expiration | Determines the number of days before a verification link expires. | 7 days |
| Token (short-form) Expiration | Determines the number of minutes before a short OTP expires. This setting is not configurable, and is simply noted here for context. |
5 minutes |
| Valid Email Pattern | Defines the logic for an acceptable email format.
Applies to Alt Flow cases below where the user changes the email returned from the social provider. |
.+@.+\..+ |
| Valid Phone Pattern | Defines the logic for an acceptable mobile number format.
Applies to Alt Flow cases below where the user changes the mobile returned from the social provider. |
^\(?([0-9]{3})\)?[-.\s]?([0-9]{3})[-.\s]?([0-9]{4})$ |
All app settings are set within the ULM Admin web application. System managers and administrators can consult the MarketONE User Admin UI User Guide.
Onboarding Flow(s)
The following tables describe the Process functionality at a high level, from an onboarding-oriented flow.
| Onboarding with Social Account | |||
|---|---|---|---|
| Actors | Frontend user, ULM Cloud, Client Application, Social Account Provider | ||
| Pre-Conditions | The User ID does not yet exist in ULM (i.e., the ULM User entity does not yet exist in the cloud data store) | ||
| The prospective user is currently anonymous | |||
| Basic Flow | 1 | The user navigates to the sign-up page and selects their preferred social media provider. | |
| 2 | The client UI redirects to the social provider, and the user authenticates into that provider. | ||
| 3 | The provider prompts the user with terms and conditions, and the claims they need to consent to sharing. | ||
| Notes: - If the user does not consent to sharing their information, then The Process ends. |
|||
| 4 | The user consents to sharing their information, and the provider sends the user back to the client. | ||
| Notes: - On the back end, the provider sends along an access token that grants ULM access to the user's shared data. - The Process makes a separate backcall to the provider and redeems that token for the user data. - Below is the generic payload of user information – claims may vary depending on the provider. |
|||
| Social Provider Response Data | |||
| First Name | The user's first name, as provided by the social platform. | ||
| Last Name | The user's last name, as provided by the social platform. | ||
| Email or Phone | The user's email address or mobile number, as provided by the social platform. | ||
| Display Name | The user's full display name, as provided by the social platform. | ||
| ID | The provider's unique ID for the user's social account. Used for social authentication calls. | ||
| 5 | The Process searches ULM Cloud data store for any current User ID with a matching email/mobile. | ||
| Notes: - This flow assumes that no existing User ID is found. - In the Alternate Flow 1 below, a User ID is found, but there is no association to the provider account. - In the Alternate Flow 2 below, a User ID is found, and it is already associated to the provider account. |
|||
| 6 | ULM prompts the user to confirm the response data (name and email/phone). | ||
| Notes: - This flow assumes that the user simply confirms the details returned from the provider. - In the Alternate Flow 3 below, the user changes the email/mobile value before confirming. |
|||
| 7 | The user clicks Confirm. The Process activates and authenticates the User ID. | ||
| Post-Conditions | The new User ID exists in ULM with the connected Social ID. | ||
| The user is authenticated. Going forward, they can log into ULM using the social account. | |||
| Error Messages | The user refused to share their claims. | ||
| The user has reached the maximum number of failed input attempts. | |||
| Alt. Flow 1 | This flow is the same as the Basic Onboarding Flow above, up to step 5. | ||
| 5 | The Process searches ULM Cloud data store for any current User ID with a matching email/mobile. | ||
| Notes: - In this flow, ULM locates an existing User ID with a matching email/mobile, but no matching social ID. |
|||
| 6 | ULM prompts the user to supply a password and verify their User ID. | ||
| Notes: - The Max Failed Input app setting defines the number of failed input attempts before the process errors. - The user may be prompted for a reCaptcha if they fail a certain number of times. |
|||
| 7 | The user enters their password and clicks Verify. | ||
| 8 | The Process authenticates the user, and associates the social account to the User ID. | ||
| Post-Conditions | The existing user's social media account is now associated to their ULM User ID. | ||
| The user is authenticated. Going forward, they can sign into ULM with the associated social account. | |||
| Error Messages | Generic authentication error (if reCaptcha is not successfully validated) | ||
| User reached the maximum number of failed input attempts / User profile locked | |||
|
Existing User ID - No Existing Connection Onboarding, Alternate Flow 1 covers an edge case where an existing ULM user associates their social media after starting at the onboarding flow, either deliberately or by mistake. Usually, existing users do this task when they are authenticated in ULM and on their profile. For that use case, your application UI must leverage the Associate Social Account to User ID Process.
|
|||
| Alt.Flow 2 | This flow is the same as the Basic Onboarding Flow above, up to step 5. | ||
| 6 | The Process searches ULM Cloud data store for any current User ID with a matching email/mobile. ULM searches for any current User ID with a matching Social Provider ID or matching email/mobile. |
||
| Notes: - In this flow, ULM locates an existing User ID with a matching email/mobile and social connection. |
|||
| 7 | ULM determines that this User ID already exists, and that the ID is already connected with this provider. | ||
| Post-Conditions | The existing user is authenticated into ULM. | ||
|
Existing User - Existing Social Connection - Wrong Screen? Alternate flow 3 covers an edge case where an existing user authenticates from an onboarding screen (e.g., a "Sign Up" or "Create an ID" page) by mistake. As a best practice, a user will primarily authenticate with their social account from a clearly marked "Sign In" screen. However, this ultimately comes down to how you build out your own application UI screens with ULM Processes. |
|||
| Alt. Flow 3 | This flow is the same as the Basic Onboarding Flow above, up to step 6. | ||
| 6 | ULM prompts the user to confirm the response data (name and email/phone). | ||
| Notes: - In this flow, the user changes the email/mobile to a different email/mobile. This is optional, but the user will be required to verify their new email/mobile before they can complete their onboarding journey. - Alternatively, if the social provider does not return an email/mobile, then the user must supply one and verify it to complete this journey. - As in the Basic Flow above, if the user simply confirms the email/mobile returned by the provider, then ULM trusts that the social provider has authenticated and verified the user's identity. |
|||
| 7 | The Process issues and sends an action token in verification message to the user-supplied email/mobile. | ||
| Notes: - The Process ends after sending out the verification message. - The Activate User Process handles the remaining work initiated by the Social Connection process. - See Activate User Process, Alt Flow 2 for more information. |
|||
| Post-Conditions | The new User ID exists in ULM with the connected Social ID. | ||
| The user-supplied email/mobile is registered on the User ID as an authentication Identifier (authN ID). | |||
| Both the User ID and authN ID have an activating status. | |||
| Notes: - The user needs to verify their supplied contact channel to complete their onboarding. - The notification message sent (in point 7) will contain either a clickable link, a custom One-Time Passcod (OTP), or both. - See the note about notifications below. |
|||
| Error Messages | The user-supplied email is not a valid format | ||
| The user-supplied mobile is not a valid format | |||
|
About Verification Messages: By default, the ULM Process delivers the verification message directly to the user-supplied contact channel. Regardless of the user-supplied contact channel type, the Process sends both a clickable link and an OTP in the message. However, if you're a large scale Service Provider with an existing notification dispatch system, ULM can integrate with it and instead deliver the token and relevant user information to your system first. Your system then constructs and delivers the appropriate message. Notification settings are established during the initial onboarding and integration phase between your business and Amdocs ULM Cloud. Be sure to verify with your manager as to what types of notifications your users will receive (i.e., clickable links or OTPs that need to be redeemed through the UI), and construct your application screens accordingly |
|||
Authentication Flow(s)
The following table describes the Process functionality at a high level, for authentication scenarios.
| Authentication with Social Account | ||
|---|---|---|
| Actors | Front-end user, Client Application, ULM, Social Account Provider | |
| Pre-Conditions | The user has a fully activated ULM User ID. | |
| The user has at least one social account associated to their User ID | ||
| The user is currently anonymous (i.e., they are not authenticated in ULM). | ||
| Basic Flow | 1 | The user navigates to their sign in portal and selects to sign with their preferred social provider. |
| 2 | Client UI redirects to the social provider, and the user authenticates into that provider. | |
| Notes: - The Process ends if the user fails to sign into their social account. - The user shouldn't need to authenticate with the provider if they already have an open session. - The user previously consented to sharing their provider scopes with ULM. Therefore, the provider will usually (and silently) remember this consent before automatically redirecting the user back to the client application. However, if the user manually deleted those consents in the provider application, then they will be prompted to consent again at this step before proceeding back to ULM. |
||
| 3 | The social provider redirects the user back to ULM. | |
| Notes: - On the back end, the provider sends along an authN access token that grants ULM access to the user info (that the user consented to sharing during the Onboarding flow or Associate Social Account Process). - ULM makes a separate call to the provider and redeems that token to confirm user details. - The user data includes an email/mobile that the user has registered with that provider. |
||
| 4 | ULM searches for the existing User ID with the connected social ID. | |
| Notes: - This flow assumes that an existing user is found with the connected social ID. - Alternate cases are covered in the Onboarding Flows above: -Alternate Flow 1 above involves a found existing user but with no connected social ID. -Alternate Flow 2 above involves no user found with the social ID or matching email/mobile. |
||
| 5 | ULM authenticates the user. | |
| Post-Condtions | The user is now authenticated in ULM. | |
| Error Messages | Generic authentication error. | |
| The selected social media is not supported at this time. | ||
Social Onboarding and/or Authentication User Journey
This diagram illustrates standard user journey(s) using the Onboard & Authenticate Use with Social Account Process.
Note: This diagram also includes the PUT session/token API (for verification resend), and the Activate User Process.
API Walkthroughs
The following section provides guided walkthroughs of the Onboard and Authenticate User with Social Account Process, including demonstrations of the various branching paths the Process can take during its execution.
Onboarding Scenario - No Matching User ID, User Confirms Provider Details
In this flow, a new, anonymous user onboards into ULM using their account with a trusted third-party social provider.
This flow also includes an alternate path wherein the user changes the email/mobile returned from the social provider.
Initial Request
The Process Start API initializes the Process:
| POST /process/start/socialFederation.SocialMediaAssistedOnboarding.v1.0 |
|---|
<no body>
|
Response
The Process prompts the user to select a social provider, from a list of available options:
| Response Body |
|---|
{
"processId": "8f41d5cc-a4ab-45e9-9e3b-7f58a2ed183f",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"providerId": "String"
},
"stepName": "ProviderPrompt",
"lastStep": false,
"output": {
"providers": [
"linkedin",
"google",
"facebook",
"apple"
]
}
}
|
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| stepName | Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| parameters | Object that specifies the info this Process requires to continue its task. | |
| providerId | Identifier of the social provider requested for social onboarding/authentication. | |
| output | Object that contains data that the client can consume, retain, and use for additional operations. | |
| providers | A list of the available social providers that are supported by ULM Cloud. | |
Next Request: Choose Social Provider
The user enters their desired social provider, and the client passes that info to the Process with the Process Step API:
| PUT /process/step |
|---|
{
"processId": "8f41d5cc-a4ab-45e9-9e3b-7f58a2ed183f",
"parameters": {
"providerId": "facebook"
}
}
|
Note: Facebook is the provider in this example, but the steps are the same regardless of the chosen provider.
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Object that contains the data requested in the previous Process response. | |
| providerId | Identifier of the social provider requested for social onboarding/authentication. | |
Response: Redirect URL to Social Provider
ULM responds with a redirect for the client to follow:
| Response Body |
|---|
{
"processId": "8f41d5cc-a4ab-45e9-9e3b-7f58a2ed183f",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"stepName": "CodePrompt",
"lastStep": false,
"output": {
"requestUrl":"https://www.facebook.com/dialog/oauth?response_type=code&client_id=<redacted>
&state=<redacted>&scope=public_profile%20email&redirect_uri=
https%3A%2F%2Fidp-local.corp.amdocs.com%2Frest%2Fv70%2Fprocess%2Fstep"
}
}
|
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| stepName | Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| output | Object that contains data that the client can consume, retain, and use for additional operations. | |
| requestUrl | URL to the social provider to which the client application needs to redirect. | |
Note: The client can skip this step if the social provider ID is provided in the initial Process Start request URL:
| POST /process/start/socialFederation.SocialMediaAssistedOnboarding.v1.0?providerId=facebook |
|---|
<no body>
|
This method is useful when social provider badges are displayed on a UI (for users to click and immediately begin the onboarding or authentication procedure).
Next Step: Redirect to Social Provider
Clients are expected to redirect to the URL provided in the requestUrl parameter. This URL redirects away from ULM Cloud and to the selected social provider (in this example, Facebook). Users are typically asked to authenticate to their social profile, then grant access for ULM to read basic information (their name, email address, etc). The social provider then redirects back to ULM Cloud with an authorization code, which ULM Cloud independently verifies with the social provider back end.
| GET /process/step?code=<redacted>&state=<redacted> |
|---|
<no body>
|
Response: No User Found, Confirm Provider Details
The Process gets user details from the provide. No existing ULM user match is found, so the Process returns the provider details to the client for user confirmation:
| Response Body |
|---|
{
"processId": "8f41d5cc-a4ab-45e9-9e3b-7f58a2ed183f",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"confirm": "boolean",
"lastName": "String",
"firstName": "String",
"phone": "String",
"displayName": "String",
"email": "String"
},
"stepName": "SocialUserInfoPrompt",
"lastStep": false,
"output": {
"providerId": "facebook",
"socialUserInfo": {
"id": "1425242407805720",
"email": "uxpsystemsmint@gmail.com",
"firstName": "Bob",
"lastName": "Jones"
}
}
}
|
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| stepName | Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| parameters | Object that specifies the info this Process requires to continue its task. Values maybe be pre-populated with socialUserInfo returned from the social provider. | |
| confirm | A boolean value indicative of the user's agreement to associate the authenticated social profile with ULM Cloud. | |
| lastName | (Optional) The user's last name. | |
| firstName | (Optional) The user's first name. | |
| displayName | (Optional) A display name for the user. This could be just a combination of the user's first and last name or a nickname. | |
| phone | (Conditional) The user's mobile phone number. Mandatory if email is not provided. | |
| (Conditional) The user's email address. Mandatory if phone is not provided. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | |
| providerId | The identifier of the provider of the social account. | |
| socialUserInfo | Object of user data given by the social provider. Can be used to pre-populate user fields, such as first/last name, and email/mobile. | |
| id: The social provider's own unique identifier for the user's social account. | ||
Final Request: Confirm and Complete
The user confirms the data to complete their profile:
| PUT /process/step |
|---|
{
"processId": "8f41d5cc-a4ab-45e9-9e3b-7f58a2ed183f",
"parameters": {
"confirm": "true",
"lastName": "Jones",
"firstName": "Bob",
"email": "bobj@example.com",
"displayName": "Bob Jones"
}
}
|
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Object that contains the data requested in the previous Process response. | |
| confirm | A boolean value indicative of the user's agreement to associate the authenticated social profile with ULM Cloud. | |
| lastName | (Optional) The user's last name. | |
| firstName | (Optional) The user's first name. | |
| (Conditional) The user's email address. | ||
| displayName | (Optional) A display name for the user. This could be just a combination of the user's first and last name or a nickname. | |
| phone | (Conditional) The user's mobile phone number. Mandatory if email is not provided. | |
Response: Success
If the user confirms the information returned by the provider, ULM trusts the provider has verified the returned email/mobile. The Process completes its task and returns a 200 HTTP status code.
| Response Body |
|---|
{
"processId": "8f41d5cc-a4ab-45e9-9e3b-7f58a2ed183f",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"lastStep": true,
"runtimeId": 5009,
"userAuthenticated": true,
"userId": 6013
}
|
The new User ID is created, activated, and associated to the social account. The user can now authenticate into ULM using this social account.
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| runtimeId | The unique identifier of the Runtime associated with the user's session. | |
| userAuthenticated | Boolean that indicates if the user was authenticated into ULM. | |
| userId | The unique identifier of the User associated with the session. The client may want to leverage this for a GET /user/{userId} API. | |
Onboarding Scenario - No Matching User ID, User Changes Email/Mobile
This flow is the same as the above onboarding flow, except that the user does not confirm the email/mobile returned from the social provider. Instead, they change the email and/or mobile value(s) before hitting confirm.
Request: Submit Updated User Details
In this example, the user changes the email address returned by the provider:
| PUT {url} /process/step |
|---|
{
"processId": "8f41d5cc-a4ab-45e9-9e3b-7f58a2ed183f",
"parameters": {
"confirm": "true",
"lastName": "Jones",
"firstName": "Bob",
"email": "bobs_new_email@example.com",
"displayName": "Bob Jones"
}
}
|
Response: Process Complete, Prompt User to Verify Email/Mobile
If the new authN ID does not match an existing authN ID already assigned to an existing ULM User ID, the Process completes its task and returns a 200 HTTP status code. The Process also sends an action token to the user through email or SMS.
| Response Body |
|---|
{
"processId": "8f41d5cc-a4ab-45e9-9e3b-7f58a2ed183f",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"lastStep": true,
"output": {
"pkats": [
"e82786ea-1e72-4880-b7e2-eb56031470e0"
]
}
},
"runtimeId": 5009,
"userId": 6018,
}
|
OTP Verification & Resend Verification
Any Process step that sends a ULM action token also returns a corresponding pkat to the client application. In order to enable OTP verification on the UI, the client must retain the pkat returned by the final Process step. The pkat, along with the user supplied OTP, is required for the GET /session/token?customToken={OTP}&pkat={pkat} API to invoke the Activate User Process.
In cases where the user is anonymous, the pkat is required if the application wants to provide a quick token resend option on the UI, using the PUT /session/token?pkat={pkat} API. This method applies to cases where the user is anonymous (i.e., they are not authenticated in ULM). However, if the user is currently authenticated in ULM, the client application can instead invoke the Resend Verification Process for this purpose.
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| output | Object that contains data that the client can consume, retain, and use for additional operations. | |
| pkats | An array of PKAT (Proof Key for Action Token) values.
Note: Multiple pkats if provider returns an email and mobile, and if the user changes both. |
|
| runtimeId | The unique identifier of the Runtime associated with the user's session. | |
| userId | The unique identifier of the User associated with the session. | |
The user must verify their updated email/mobile value(s) before their ULM User ID is activated and fully associated to the social account. The Activate User Process will handle these updates once it is properly invoked and the relevant ULM action token is redeemed.
Onboard User Scenario - Existing User ID Found
In this flow, an anonymous user invokes the Process from an onboarding-oriented starting point, similar to the previous flows above. However, unlike in the previous flows, ULM Cloud detects that the email/mobile returned from the social provider is already registered as an authN ID on an existing ULM User ID. Therefore, the Process challenges the user for a password, to prove that the user actually owns the User ID.
Initial Request
The Process Start API initializes the Process:
| POST /process/start/socialFederation.SocialMediaAssistedOnboarding.v1.0 |
|---|
<no body>
|
Response
The Process prompts the user to select a social provider, from a list of available options:
| Response Payload |
|---|
{
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"providerId": "String"
},
"stepName": "ProviderPrompt",
"lastStep": false,
"output": {
"providers": [
"linkedin",
"google",
"facebook",
"apple"
]
}
}
|
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| stepName | Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| parameters | Object that contains data that the client can consume, retain, and use for additional operations. | |
| providerId | Identifier of the social provider requested for social onboarding/authentication. | |
| output | Object that contains data that the client can consume, retain, and use for additional operations. | |
| providers | A list of the available social providers that are supported by ULM Cloud. | |
Next Request: Choose Social Provider
The user selects their desired social provider, and the client passes that info to the Process with the Process Step API:
| PUT /process/step |
|---|
{
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"parameters": {
"providerId": "facebook"
}
}
|
Note: Facebook is the provider in this example, but the steps are the same regardless of the chosen provider.
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Object that contains the data requested in the previous Process response. | |
| providerId | The identifier of the social provider requested for social onboarding/authentication. | |
Response: Redirect URL to Social Provider
ULM responds with a redirect for the client to follow:
| Response Body |
|---|
{
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"stepName": "CodePrompt",
"lastStep": false,
"output": {
"requestUrl": "https://www.facebook.com/dialog/oauth?response_type=code&client_id=
<redacted>&state=<redacted>&scope=public_profile%20email&redirect_uri=
https%3A%2F%2Fidp-local.corp.amdocs.com%2Frest%2Fv70%2Fprocess%2Fstep"
}
}
|
Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| processName | Full name of the Process, including the category and version number. | |
| stepName | Name of the specific step that the Process is currently on. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| displayMessage | Optional message that the UI can display to the end user. | |
| output | Object that contains data that the client can consume, retain, and use for additional operations. | |
| requestUrl | The URL to the social provider which a UI or other implementing client application is expected to redirect to, to complete authentication with the selected social provider. | |
Note: As noted above, the client can skip the provider selection step if the social provider ID is provided in the initial Process Start API request URL:
| POST /process/start/socialFederation.SocialMediaAssistedOnboarding.v1.0?providerId=facebook |
|---|
<no body>
|
This method is useful when social provider badges are displayed on a UI (for users to click and immediately begin the onboarding or authentication procedure).
Next Step: Redirect to Social Provider
Clients are expected to redirect to the URL provided in the previous response's requestUrl parameter. This URL redirects away from ULM Cloud and to the selected social provider (in this example, Facebook). Users are typically asked to authenticate to their social profile, then grant access for ULM to read basic information (their name, email address, etc). The social provider then redirects back to ULM Cloud with an authorization code, which ULM Cloud independently verifies with the social provider back end.
| GET /process/step?code=<redacted>&state=<redacted> |
|---|
<no body>
|
Response: Existing User Found, Prompt for Password
The Process gets user details from the provider, and checks for a matching User ID. In this scenario, the the email/mobile returned from the provider is found on an existing User ID. The Process therefore prompts the user to provide a password and prove that they own the email/mobile (and by extension, the ULM User ID to which the email/mobile is registered):
| Response Payload |
|---|
{
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"credential": "String"
},
"stepName": "CredentialPrompt",
"lastStep": false,
"output": {
"providerId":"facebook",
"socialUserInfo": {
"id": "1425242407805720",
"email": "bob@example.com",
"firstName": "Bob",
"lastName": "Jones"
}
}
}
|
Response Parameters
| Parameter | Description | ||
|---|---|---|---|
| displayMessage | Optional message that the UI can display to the end user. | ||
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | ||
| processId | Unique identifier for the current instance of this Process. | ||
| processName | Full name of the Process, including the category and version number. | ||
| parameters | Data object that specifies the required information this Process requires to continue its task. | ||
| credential | The password for the found ULM User ID. | ||
| stepName | Name of the specific step that the Process is currently on. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | ||
| providerId | The identifier of the provider of the social account and associated data returned with it. | ||
| socialUserInfo | Object of user data given by the social provider. | ||
| id | The provider's unique identifier for the user's social account. | ||
| The email address, as returned by the provider. | |||
| mobile | The mobile number, as returned by the provider. | ||
| firstName | The user's first name, as returned by the provider. | ||
| lastName | The user's last name, as returned by the provider. | ||
Next Request: Provide Credential
The user provides their password, and the client passes it through the next Process Step API request:
| PUT /process/step |
|---|
{
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"parameters": {
"credential": "Letm3inpl34se"
}
}
|
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Object that contains the data requested in the previous Process response. | |
| credential | The password for the identified ULM Cloud User ID. | |
Response: Confirm Association
The Process authenticates the user, and prompts them to confirm that they want to complete the association between the social account and their ULM User ID.
| Response Payload |
|---|
{
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"confirm": "boolean"
},
"stepName": "ConfirmAssociation",
"lastStep": false,
"output": {
"selectedUserId": 6013
}
}
}
|
Response Parameters
| Parameter | Description | ||
|---|---|---|---|
| processId | Unique identifier for the current instance of this Process. | ||
| processName | Full name of the Process, including the category and version number. | ||
| stepName | Name of the specific step that the Process is currently on. | ||
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | ||
| displayMessage | Optional message that the UI can display to the end user. | ||
| parameters | Object that specifies the required information this Process requires to continue its task. | ||
| confirm | A boolean value indicative of the user's agreement to associate the social account with the matching ULM Cloud profile. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | ||
| selectedUserId | ULM Cloud's unique identifier of the user profile identified by matched data from the social provider. | ||
Final Request: Confirm Association
The user confirms the association, and the client passes this confirmation in its final request:
| PUT /process/step |
|---|
{
"actionType": "com.uxpsystems.mint.framework.bpm.process.ManualInputStepAction",
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"parameters": {
"confirm": "true"
}
}
|
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Data object that contains the data request in the previous Process response. | |
| confirm | A boolean value indicative of the user's agreement to associate the social account with the matching ULM Cloud profile. | |
Response: Success
The Process associates the social account to the User ID, authenticates the user, and returns a 200 HTTP status code.
| Response Body |
|---|
{
"actionType": "com.uxpsystems.mint.framework.bpm.process.AuthenticationCompleteStepAction",
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"lastStep": true,
"runtimeId": 5009,
"userId": 6013,
"userAuthenticated": true
}
|
The user can now authenticate into ULM with their existing authN ID and password, or they can simply select to authenticate with the associated social account.
Response Parameters
| Parameter | Description | ||
|---|---|---|---|
| processId | Unique identifier for the current instance of this Process. | ||
| processName | Full name of the Process, including the category and version number. | ||
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | ||
| runtimeId | The unique identifier of the Runtime associated with the user's session. | ||
| userId | The unique identifier of the User associated with the session. | ||
| userAuthenticated | Boolean that indicates if the user was authenticated into ULM. | ||
Note: If the user does not confirm the association, they receive the same response that indicates successful authentication. However, the social account is not associated to their User ID. If they choose to attempt social login again, they will need to repeat this process flow.
Authentication Scenario
This flow enables an anonymous user to authenticate to ULM Cloud using a trusted third-party social provider. At the end of this flow, the user will be authenticated to ULM Cloud, dependent on a successful response from the chosen social provider.
This flow requires the user to have already associated a social account with their user profile, and they are selecting the same social provider to perform a subsequent authentication attempt.
Initial Request
Use the Start Process API to initiate the flow:
| POST /process/start/socialFederation.SocialMediaAssistedOnboarding.v1.0 |
|---|
<no body>
|
Response
The API responds with a request to select a social provider, from a list provided.
| Response Payload |
|---|
{
"processId": "c741ce95-0be3-4220-9532-692be317077c",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"parameters": {
"providerId": "String"
},
"stepName": "ProviderPrompt",
"lastStep": false,
"output": {
"providers": [
"google",
"facebook",
"apple",
"linkedIn"
]
}
}
|
Response Parameters
| Parameter | Description | ||
|---|---|---|---|
| processId | Unique identifier for the current instance of this Process. | ||
| processName | Full name of the Process, including the category and version number. | ||
| stepName | Name of the specific step that the Process is currently on. | ||
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | ||
| displayMessage | Optional message that the UI can display to the end user. | ||
| parameters | Data object that specifies the required information this Process requires to continue its task. | ||
| providerId | The identifier of the social provider requested for social onboarding/authentication. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | ||
| providers | A list of available and supported social providers by ULM Cloud. | ||
Next Request: Select Social Provider
In this example, Facebook will be the selected social provider (although the steps are the same regardless of which provider is chosen). A response is crafted to indicate the selection:
| PUT /process/step |
|---|
{
"processId": "c741ce95-0be3-4220-9532-692be317077c",
"parameters": {
"providerId": "facebook"
}
}
|
Request Parameters
| Parameter | Description | |
|---|---|---|
| processId | Unique identifier for the current instance of this Process. | |
| parameters | Data object that contains the data request in the previous Process response. | |
| providerId | The identifier of the social provider requested for social onboarding/authentication. | |
Response: Redirect URL to Social Provider
ULM responds with a redirect for clients to follow:
| Response Body |
|---|
{
"processId": "c741ce95-0be3-4220-9532-692be317077c",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"displayMessage": "Please input required information",
"stepName": "CodePrompt",
"lastStep": false,
"output": {
"requestUrl": "https://www.facebook.com/dialog/oauth?response_type=code&client_id=
<redacted>&state=<redacted>&scope=public_profile%20email&redirect_uri=
https%3A%2F%2Fidp-local.corp.amdocs.com%2Frest%2Fv70%2Fprocess%2Fstep"
}
}
|
Response Parameters
| Parameter | Description | ||
|---|---|---|---|
| processId | Unique identifier for the current instance of this Process. | ||
| processName | Full name of the Process, including the category and version number. | ||
| stepName | Name of the specific step that the Process is currently on. | ||
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | ||
| displayMessage | Optional message that the UI can display to the end user. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | ||
| requestUrl | The URL to the social provider which a UI or other implementing client application is expected to redirect to, to complete authentication with the selected social provider. | ||
Note: As noted above, the client can skip the provider selection step if the social provider ID is provided in the initial Process Start API request URL:
| POST /process/start/socialFederation.SocialMediaAssistedOnboarding.v1.0?providerId=facebook |
|---|
<no body>
|
This method is useful when social provider badges are displayed on a UI (for users to click and immediately begin the onboarding or authentication procedure).
Request: Redirect to Social Provider
Clients are expected to redirect to the URL provided in the previous response's requestUrl parameter. This URL redirects away from ULM Cloud and to the selected social provider (in this example, Facebook). Users are typically asked to authenticate to their social profile, then grant access for ULM to read basic information (their name, email address, etc). The social provider then redirects back to ULM Cloud with an authorization code, which ULM Cloud independently verifies with the social provider back end.
| GET /process/step?code=<redacted>&state=<redacted> |
|---|
<no body>
|
The Process then authorizes the user and ends.
Response: Success
| Response Payload |
|---|
{
"actionType": "com.uxpsystems.mint.framework.bpm.process.AuthenticationCompleteStepAction",
"processId": "c741ce95-0be3-4220-9532-692be317077c",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"lastStep": true,
"runtimeId": 5010,
"userId": 6013,
"userAuthenticated" : true
}
|
Response Parameters
| Parameter | Description | ||
|---|---|---|---|
| processId | Unique identifier for the current instance of this Process. | ||
| processName | Full name of the Process, including the category and version number. | ||
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | ||
| output | Object that contains data that the client can consume, retain, and use for additional operations. | ||
| runtimeId | The unique identifier of the Runtime associated with the user's session. | ||
| userId | The unique identifier of the User associated with the session. | ||
| userAuthenticated | Boolean that indicates if the user was authenticated into ULM. | ||
Error Scenario - Onboarding: Existing User Found, Invalid Password
If an existing User ID is found, the Process prompts for a password. If the user provides an invalid password, the Process responds with a HTTP 400 status code. The body includes a operationError array with the reason(s) as to what went wrong:
| Response Body |
|---|
{
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"lastStep": false,
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"operationError": [
{
"code": "authentication-required",
"type": "com.uxpsystems.mint.framework.ulm.process.service.ServiceStep.GeneralFailure",
"message": "Bad credentials",
"authorities": [
{
"authority": "ROLE_ANONYMOUS"
}
]
}
],
"stepName": "CredentialPrompt",
"lastFailedStepAction": {
"processId": "2a561555-e206-403b-aafc-0aa63a0dc3d9",
"processName": "socialFederation.SocialMediaAssistedOnboarding.v1.0",
"parameters": {
"credential": "String"
},
"stepName": "CredentialPrompt",
"output": {
"providerId": "facebook",
"socialUserInfo": {
"id": "1425242407805720",
"email": "bob@example.com",
"firstName": "Bob",
"lastName": "Jones"
}
}
}
}
|
The Process also includes a lastStepFailedAction object that repeats the previous Process step's request. The user can re-attempt to submit a valid password.
Error Response Parameters
| Parameter | Description | |
|---|---|---|
| processId | The unique identifier for this instance of the Process. | |
| lastStep | Boolean that indicates whether or not this was the last step in the Process. | |
| lastFailedStepAction | Object that repeats the previous Process step's details and required input. This allows the client to essentially retry the failed request. | |
| operationError | Array of possible error objects. Each object describes a separate error condition. | |
| code | An error object's internal code name. | |
| type | Internal reference of the operation error type. | |
| message | Optional message that describes the error in a human readable format. | |
| authorities | The list of authority roles currently granted to the user. Can be used to help supply context to authorization errors (i.e. a process requires a user to be authenticated to ULM Cloud, however they are an "anonymous", or unauthenticated user). | |
| stepName | The internal name of the step that the Process is currently on / just executed. | |
Error Codes
Below is a comprehensive list of potential error codes that may be returned during the execution of this Process.
Common Error Codes
Process-Specific Error Codes
| HTTP Status | ULM Business Error Code | Description |
|---|---|---|
| 401 | process-terminated-user-denies-claims | User rejected to use social claims with ULM. |
| 400 | not-supported-provider | Invalid social provider. |
| 400 | missing-input-params | Missing expected input parameter. |
| 401 | authentication-required | User not found or credential is not valid. |
| 401 | user-profile-locked | User is locked. |
| 400 | not-supported-provider | Unknown provider. |
| 400 | invalid-email-format | Email does not match the valid format. |
| 400 | invalid-phone-format | Phone does not match the valid format. |
| 409 | already-exist-email | Email already exists. |
| 409 | already-exist-phone | Phone already exists. |
Additional Notes
- ULM allows a user to have more than one social accounts associated to their User ID.
- ULM sends a notification message to the user confirming when they have successfully associated a social account.
- If the social provider returns an email address and mobile number, and the user changes the value for each, then they will need to verify each channel separately. The Process will issue and send two separate action tokens, and send them to each channel. Additionally, the Process returns two separate PKATs to to the client application.
- ULM currently supports account association with the following providers: Facebook, Google, Apple ID, and LinkedIn.
Revision History
| Version | Description |
|---|---|
| 2020.09 | Added this topic. |