Getting started with ForgeRock Identity Cloud journeys: Part 5 - Social authentication

This is Part 5 of 8 in the series Getting started with ForgeRock Identity Cloud journeys.

Social authentication ~ 15 minutes

Users can onboard themselves in ForgeRock Identity Cloud by authenticating against their preferred social sites such as Google or Facebook. The user data shared by such sites post successful authentication is used to create or identify their account in Identity Cloud.

To achieve this, Identity Cloud should include a journey that gives end users an option to authenticate with social providers like Google, Facebook, Apple and more. The journey should include nodes to identify an existing Identity Cloud user or create a new one, based on data about the authenticated user it receives from the social provider.

For the Identity Providers like Google to share their authenticated users’ data with Identity Cloud, the Identity Cloud instance should be registered as their trusted client. This step requires an active Google account.

In the following two-part exercise, the first part walks through steps to configure the Identity Cloud tenant as a client of Google Identity Provider. The second part builds a journey in Identity Cloud with the Google Identity Provider as an option to authenticate with.

Configuring Identity Cloud as a Google client

First, register a ForgeRock app with Google:

  1. Go to

  2. Log in using an active Google account, if required.

    If it’s the first time logging into the Google Cloud console, select the country and agree to the Terms of Service.

  3. Click on the Select a project drop-down menu and click NEW PROJECT.

  4. Enter a name for the project, say ‘FIDC Social Authentication’, and click CREATE.

    Note that the newly created project is in focus now on the drop-down menu.

  5. On the left navigation pane of Google Cloud console, click Enabled APIs & Services.


  7. Select Google+ API under the Social category.

  8. Click ENABLE.

  9. On the left navigation pane, click OAuth consent screen.

  10. Under User Type, select External and click CREATE.

  11. On the App information page, enter the required details using the following information as a reference:

    • App name: ForgeRock ID Cloud
    • User support email: <active gmail address>
    • Authorized Domain: <forgerock identity cloud tenant url>
    • Developer contact information: <active gmail address>

  13. On the Scopes page, click ADD or REMOVE SCOPES and select to update the following scopes:

    • …/auth/
    • …/auth/userinfo.profile
    • Openid


  15. On the Test users page, click SAVE AND CONTINUE.

    The Summary page is displayed.

  16. With the ‘FIDC Social Authentication’ project selected on the top left menu, select Credentials on the left navigation pane.

  17. Click +CREATE CREDENTIALS and select OAuth client ID.

  18. Select Web Application in the Application type drop-down menu.

  19. Using the following information as reference, complete the OAuth Client details:

    • Name: FIDC
    • Authorized JavaScript origins: https://<forgerock_id_cloud_tenant_url>
    • Authorized redirect URIs: https://<forgerock_id_cloud_tenant_url>/am
  20. Click CREATE.

  21. Copy the Client ID and Client secret generated for the FIDC client and keep them handy. You can also download a JSON file containing the Client ID and Client secret.

Next, configure the Google Identity Provider service in Identity Cloud:

  1. In a supported browser, log into your Identity Cloud Admin UI.

  2. In the alpha realm, go to Native Consoles > Access Management.

    The Access Management Admin UI opens in a browser tab/window.

  3. Go to Services > Social Identity Provider Service.

  4. Confirm the Enabled toggle is turned on in the Configuration tab.

  5. Select the Secondary Configurations tab and click Add a Secondary Configuration > Client configuration for Google.

  6. Enter the following details:

    • Name: Provide a name for the new configuration, say “Google IDP”.
    • Client ID: Paste the Client ID copied during the client registration step with Google.
    • Redirect URL: Enter the URL that exactly matches the value specified for Authorized Redirect URIs during the OAuth client configuration in Google. Eg: https://forgerock_id_cloud_tenant_url/am
    • Scope Delimiter: Hit the spacebar.
  7. Click Create.

  8. Paste the Client secret copied during the client registration step with Google in the Client secret field.

  9. Click Save Changes.

Building the social authentication journey

  1. In the alpha realm of your Identity Cloud Admin UI, go to Journeys > +New Journey.

  2. Using the following information as a reference, provide values for the new journey:

    • Name: GoogleIDP
    • Identity Object: Alpha realm – Users managed/alpha_user
    • Description: Journey that lets users authenticate with Google
  3. Click Save.

  4. Click and drag the following authentication nodes onto the journey canvas:

    • Page Node (Utilities)
    • Platform Username (Identity Management)
    • Platform Password (Identity Management)
    • Select Identity Provider (Identity Management)
  5. Arrange the three nodes from the Identity Management category inside the Page Node in the following order:

    a. Platform Username
    b. Platform Password
    c. Select Identity Provider

  6. Connect the Start node to the Page Node.

  7. Drag the following nodes onto the canvas:

    • Data Store Decision (Basic Authentication)
    • Increment Login Count (Behavioral)
  8. Build the journey by connecting nodes as shown in the screenshot below.

    If the user opts for Local Authentication, the user credentials are validated against the datastore. If successful, the login count for the user is incremented and the user lands on to Identity Cloud end user dashboard.

  9. Drag the Social Provider Handler Node (Federation) onto the canvas.

  10. Click on the Social Provider Handler Node and select “Normalized profile to Managed User” in the Transformation Script property.

  11. Connect the newly dragged nodes to extend the journey as shown in the screenshot below.

    If the user opts for Social Authentication, a social provider handler node handles the request, authenticates the user with the Social ID provider like Google, and checks if the user has a local account in Identity Cloud. If the Google user already has an account with Identity Cloud, meaning the user has used the social authentication facility before, then the authentication is successful and the user lands on to the Identity Cloud end user dashboard.

  12. Drag the following nodes onto the canvas:

    • Required Attributes Present (Identity Management)
    • Attribute Collector (Identity Management)
    • Platform Password (Identity Management)
  13. Click on the Required Attributes Present node and modify the Identity Resource node property to the value “managed/alpha_user”.


  14. Click on the Attribute Collector node, and enter the following values in the Attributes to Collect field. Hit enter after keying in each of the following values.

    • givenName
    • sn
    • mail

  15. Drag two Page Nodes (Utilities) onto the canvas.

  16. Drag the Attribute Collector node into one of the Page Nodes and drag the Platform Password node into the other one.

  17. Connect the newly added nodes as shown in the screenshot below.

    If the Google-authenticated user does not yet have a local account with Identity Cloud, the journey should check that the Google IDP has sent all the required attributes of the user to create an account in Identity Cloud. If not, it should prompt the user for additional attributes, collect a new password to be set for their Identity Cloud account and eventually create an account using the information gathered.

  18. Drag the Create Object (Identity Management) node onto the canvas.

  19. Click on the Create Object node and modify the Identity Resource property to the value “managed/alpha_user”.


  20. Connect the nodes to complete the journey as shown in the screenshot below.

  1. Click Save to save the journey.

Testing the ‘GoogleIDP’ journey

  1. Go back to the list of journeys in the alpha realm, click on the newly created journey ‘GoogleIDP’ and copy the preview URL.

  2. In a supported browser, different from the one that has the Identity Cloud administrator’s active session, log out of any active Google session, and open the journey URL copied above.

    The login page now has an option to authenticate with Google.

  3. Click Sign in with Google.

    Google login screen appears.

  4. Log in using Google account credentials.

    Google returns a token with the Google user data to Identity Cloud and, if the token has all required attributes to create an account in Identity Cloud, the journey prompts you for a password to be set for the account that gets created for the user in Identity Cloud.

  5. Click Next.

    A user account for the Google user is created in Identity Cloud and the user lands on the end user dashboard of Identity Cloud.

  6. Sign out of the end user dashboard.

  7. Repeat the ‘GoogleIDP’ journey, signing in using the same Google account. This time the journey takes the user directly to the Identity Cloud end user dashboard.

  8. Sign out of the Identity Cloud end user dashboard.

Further reading

Other guides in the Getting started with ForgeRock Identity Cloud journeys series: