Login and Registration Flows

This page explains the login and registration flows when you have activated mixed mode (i.e., local login and an external identity provider) or only one or more external identity providers. We describe in detail the available flows in conjunction with the generic registration options of your Storefront.

Enabling or Disabling the Storefront’s Native (local) Login Method


From the moment that an external identity provider has been configured and is available in your Storefront, you can choose whether you will offer the local login method to your users in your Storefront or not.

You can disable Storefront’s local login by navigating to BSS Setup > Administration > System Options > Authentication Options. The default option is set to “Yes”, meaning that the local login is available.

Login Flows


#1 - Mixed Mode

If the “Allow Local Login” option is enabled and two or more external authentication providers are also activated and visible, the Storefront’s Login page will display both login options.

In this scenario, some customers can log in using their local credentials while other customers use an external provider. When pressing the external provider button, the user is directed to the external provider’s login page. However, if the Storefront user chooses to log in with their local credentials and the Two-Factor Authentication (2FA) mechanism is enabled, then the BSS users will also have to go through the 2FA authentication process after they submit their local login credentials correctly.
For more information about the Two-Factor Authentication (2FA) mechanism in BSS, please continue to the Local Login in Storefront With Two Factor Authentication (2FA) page.

#2 - Local Login is Disabled and only one External Provider is Active

If the “Allow Local Login” option is disabled, and only one external authentication provider is activated and visible, then the Storefront’s Login button will direct the user to the login page of the external identity provider.


#3 - Local Login is Disabled and two or more External Providers are Active

If the “Allow Local Login” option is disabled, but two or more external authentication providers are activated and visible, then the Storefront’s Login page will display only the external authenticators' login options.

In this scenario, your customers can only log in using one of the available external providers.
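The three login flows above, together with the 2FA step for local logins, as an added example that is not interworks.cloud code. It encodes the decision the Storefront makes from the “Allow Local Login” option and the set of activated, visible providers. The `LoginMode` names and the `StorefrontAuthConfig` fields are assumptions for this illustration; so is treating local login with no provider at all as a plain local-only page and local login with a single visible provider as mixed mode (the page describes the two-or-more case).

```python
"""Login-page decision logic for a Storefront with external identity providers.

Added example (not interworks.cloud code). Mode names and config fields are
assumptions; only providers that are both activated and visible count.
"""
from dataclasses import dataclass, field
from enum import Enum


class LoginMode(Enum):
    LOCAL_ONLY = "local_only"            # no external provider configured (assumption)
    MIXED = "mixed"                      # local form + external provider buttons
    REDIRECT_TO_PROVIDER = "redirect"    # Login button goes straight to the provider
    EXTERNAL_ONLY = "external_only"      # only external provider buttons are shown


@dataclass
class Provider:
    name: str
    activated: bool = True
    visible: bool = True


@dataclass
class StorefrontAuthConfig:
    allow_local_login: bool = True       # BSS Setup > ... > Authentication Options
    two_factor_enabled: bool = False
    providers: list = field(default_factory=list)

    def available_providers(self):
        # A provider is offered on the login page only when activated AND visible
        return [p for p in self.providers if p.activated and p.visible]


def login_page_mode(cfg: StorefrontAuthConfig):
    """Return (mode, target): target is the provider name for a direct redirect."""
    providers = cfg.available_providers()
    if cfg.allow_local_login:
        return (LoginMode.MIXED, None) if providers else (LoginMode.LOCAL_ONLY, None)
    if len(providers) == 1:
        # Flow #2: local login disabled, one provider -> Login button redirects
        return LoginMode.REDIRECT_TO_PROVIDER, providers[0].name
    if len(providers) >= 2:
        # Flow #3: local login disabled, several providers -> choose a provider
        return LoginMode.EXTERNAL_ONLY, None
    # Assumption: local login disabled with no usable provider is a misconfiguration
    raise ValueError("no login method available: enable local login or a provider")


def local_login_steps(cfg: StorefrontAuthConfig):
    """Steps a user goes through after choosing the local credentials form."""
    if not cfg.allow_local_login:
        raise ValueError("local login is disabled")
    steps = ["submit_local_credentials"]
    if cfg.two_factor_enabled:
        steps.append("complete_2fa")     # 2FA challenge follows a correct password
    steps.append("session_established")
    return steps


if __name__ == "__main__":
    # Constructed configuration: local login on, 2FA on, two visible providers
    demo = StorefrontAuthConfig(allow_local_login=True, two_factor_enabled=True,
                                providers=[Provider("azure-ad"), Provider("google")])
    print(login_page_mode(demo), local_login_steps(demo))
```

`login_page_mode` is what a login controller would call before rendering; `local_login_steps` is the server-side checklist for the local branch, so a password-only success can never establish a session while 2FA is enabled.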

Registration Flows


This section explains how the local registration process can work in conjunction with an external identity provider and how a user can self-register using the account they hold with the external provider.

#1 - Local Registration is Enabled and the Mixed Mode is Enabled

This is the scenario where:

  1. The local registration is enabled

  2. The local login is enabled

  3. You have activated at least one external identity provider

The registration button is available in your Storefront, and when a user self-registers, our system will create a Storefront user with local login credentials. When the local login is enabled (as in this scenario), the registration process always creates a Storefront user using our native authentication mechanism.

#2 - Local Registration is Enabled and the Local Login is Disabled

This is the scenario where:

  1. The local registration is enabled

  2. The local login is disabled

  3. You have activated at least one external identity provider

In this scenario, the registration process is used for collecting the customer’s data, but the process is completed only when the registered user receives the invitation email and finishes the registration by logging in with the account he holds with the external identity provider.

Once the user clicks on the Storefront’s Register button, the registration form that will appear will not include any password fields since the local login is disabled.

The registration process will create an account and a contact in your BSS, but the registration will require your approval. The process is the following:

  1. A BSS account and contact will be created, and the notification “Storefront User pending request” will be sent to your operation team.

  2. Your operations team should review and accept the pending request

  3. The user will receive the activation email for completing the registration process

    1. If you have activated only one external identity provider, the user will receive an activation email that contains a link for completing the registration process through the login page of the external provider.

    2. If you have activated two or more external providers, the user will receive an activation email that directs him to the Storefront’s login page for selecting the identity provider he wants to use for completing the registration.

#3 - Registration via External Provider is Enabled

In this scenario, a user will be able to register to your Storefront using his external provider account (e.g., his Microsoft account). Whether the registration process will be automatic or not depends on the local registration options you have selected.

Registration Approval is Required

The registration process using the user account of an external provider will require your approval if one of the following conditions is met:

  • The local registration is disabled.

  • OR the local registration is enabled, but the option “Requires Approval” is set to true.

The registration process, in this case, is the following (we use the Azure AD provider in our examples):

  1. The user presses the login button and he is redirected to the login page of the external provider.

  2. The user enters his credentials. MFA authentication might be required (it depends on the external provider).

  3. The external provider asks for the user’s consent to share information with the interworks.cloud platform.

  4. If the user gives his consent, he will be redirected to your Storefront, which informs him that his registration request is pending approval.

  5. A contact entity will be created in your BSS using the information provided by the external provider.

  6. An account entity will be created in your BSS if there is no match with an existing BSS account. Our platform will try to relate the new contact with an existing BSS account if:

    1. You have defined in the external identity provider settings a property for matching the BSS account code field.

    2. AND the response we get from the external provider matches the “Accounting No.” field of an existing account. For more details, please check the Azure AD (OIDC) Attribute Matching Setup page.

  7. Your operations team should review and accept the pending request.

  8. The user will receive the activation email informing him that he can now access your Storefront.

  9. The first time the user logs in to your Storefront, the “My Profile” pop-up will be displayed for setting his preferences and accepting the terms of use of your site.

Registration Approval is not Required

The registration process using the user account of an external provider will not require your approval if the local registration is enabled and the option “Requires Approval” is set to false.

In this case, the registration process is described in the previous section but without steps 7 and 8. The user will enter his credentials and be redirected back to your Storefront to set his preferences in the “My Profile” pop-up.
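The registration scenarios of this section, as an added example that is not interworks.cloud code. It covers local registration with mixed mode (#1), local registration with local login disabled (#2: no password fields, approval, then an activation link whose target depends on how many providers are visible), and registration via an external provider (#3: approval required unless local registration is enabled with “Requires Approval” false, with the new contact related to an existing BSS account when a configured provider claim equals an account’s “Accounting No.”). `RegistrationSettings`, `match_account`, the claim name `extension_AccountCode` and the sample accounts are assumptions constructed for this illustration.

```python
"""Registration-flow decision logic, including account matching by provider claim.

Added example (not interworks.cloud code). Settings fields, function names,
the claim key and the sample accounts are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RegistrationSettings:
    local_registration_enabled: bool
    allow_local_login: bool
    requires_approval: bool                  # the “Requires Approval” option
    visible_provider_count: int
    account_match_claim: Optional[str] = None  # provider property mapped to “Accounting No.”


# Constructed BSS accounts used by the demo below
SAMPLE_ACCOUNTS = [
    {"accounting_no": "ACC-1001", "name": "Constructed Ltd"},
    {"accounting_no": "ACC-2002", "name": "Sample GmbH"},
]


def local_registration_outcome(s: RegistrationSettings):
    """What the Storefront Register button does for a local (form) registration."""
    if not s.local_registration_enabled:
        raise ValueError("local registration is disabled")
    if s.allow_local_login:
        # Scenario #1: a Storefront user with local credentials is created
        return {"form_has_password": True, "approval_required": False,
                "user_created_with": "local_credentials"}
    # Scenario #2: no password fields; approval, then an activation e-mail
    link = ("external_provider_login" if s.visible_provider_count == 1
            else "storefront_login_page")
    return {"form_has_password": False, "approval_required": True,
            "activation_link": link}


def external_registration_requires_approval(s: RegistrationSettings) -> bool:
    """Scenario #3: approval is needed when local registration is disabled,
    or enabled with “Requires Approval” set to true."""
    return (not s.local_registration_enabled) or s.requires_approval


def match_account(s: RegistrationSettings, claims: dict, accounts: list):
    """Return the account whose Accounting No. equals the mapped claim value,
    or None, in which case a new account entity is created."""
    if not s.account_match_claim:
        return None                          # no matching property configured
    value = claims.get(s.account_match_claim)
    if value is None:
        return None                          # provider did not send the claim
    for acct in accounts:
        if acct["accounting_no"] == value:
            return acct
    return None


def register_via_provider(s: RegistrationSettings, claims: dict, accounts: list):
    """Ordered steps for a user registering with an external provider account."""
    steps = ["redirect_to_provider_login", "provider_authentication", "consent_granted"]
    approval = external_registration_requires_approval(s)
    if approval:
        steps.append("pending_approval_page_shown")
    acct = match_account(s, claims, accounts)
    steps.append("contact_created")
    steps.append("contact_related_to_existing_account" if acct else "account_created")
    if approval:
        steps += ["operations_review", "activation_email"]
    steps.append("my_profile_popup_on_first_login")
    return steps, acct


if __name__ == "__main__":
    settings = RegistrationSettings(True, True, False, 1,
                                    account_match_claim="extension_AccountCode")
    # Constructed claims as an Azure AD provider might return them
    print(register_via_provider(settings, {"extension_AccountCode": "ACC-1001"},
                                SAMPLE_ACCOUNTS))
```

The matching step is deliberately exact: a claim that is absent, or whose value matches no account, yields a new account rather than a guess, which is the behaviour a reviewer on the operations team should be able to rely on when approving pending requests.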


Single Logout Flow (OIDC)


With Single Logout support, Storefront users who signed in through an external identity provider that supports the OpenID Connect (OIDC) standard can sign out of both their local Storefront session and the external identity provider application with a single action.

Single Logout Rules

  • At least one OIDC external identity provider has been enabled and is visible on the Storefront login page.

  • The Storefront user has his account connected to at least one of those enabled and visible OIDC external identity providers.

When Storefront users log in using an external identity provider account, they are consequently also logged in to the relevant application (e.g., Azure). When those users click on the Logout button, a pop-up window appears, informing them of their logout options.

By selecting:

  • Locally: The users log out of the Storefront, while their session on the external identity provider application remains active.

  • Globally: The users log out of both the Storefront and the external identity provider application. This means that if they close the application’s browser window and re-open it, the application will redirect them to the external identity provider’s login page to re-enter their credentials before they can log in to the Storefront again.

If users have been idle and they are automatically logged out, this logout is considered local and does not affect their connection with the application of the external identity provider.
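The local and global logout choices above, as an added example that is not interworks.cloud code. “Locally” and the idle timeout only end the Storefront session; “Globally” additionally sends the browser to the provider’s OpenID Connect RP-initiated logout endpoint (the `end_session_endpoint` from the provider’s discovery document, with `id_token_hint` and `post_logout_redirect_uri`, as defined by the OIDC RP-Initiated Logout specification), and is only attempted when the session was established through an enabled, visible OIDC provider, matching the Single Logout rules. The session fields, the provider object and all URLs are constructed for this illustration.

```python
"""Local vs global logout for a Storefront session linked to an OIDC provider.

Added example (not interworks.cloud code). Session/provider fields and all
URLs are constructed; the query parameters follow OIDC RP-Initiated Logout.
"""
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

HOME = "/"   # constructed: Storefront landing page after a local logout


@dataclass
class StorefrontSession:
    user: str
    provider: Optional[str] = None      # None when the user logged in locally
    id_token: Optional[str] = None      # ID token received from the OIDC provider
    active: bool = True


@dataclass
class OidcProvider:
    name: str
    end_session_endpoint: str           # from the provider's discovery document
    post_logout_redirect_uri: str       # must be registered with the provider
    enabled: bool = True
    visible: bool = True                # shown on the Storefront login page


def logout(session: StorefrontSession, choice: str,
           provider: Optional[OidcProvider] = None) -> str:
    """End the Storefront session and return the URL the browser goes to next.

    choice is "local", "global" or "idle". A global logout is only possible
    when the session came from an enabled, visible OIDC provider; otherwise
    it degrades to a local logout (the provider session stays active).
    """
    session.active = False              # the Storefront session always ends
    if choice in ("local", "idle"):
        return HOME
    if choice != "global":
        raise ValueError("unknown logout choice: %r" % choice)
    if (provider is None or not provider.enabled or not provider.visible
            or session.provider != provider.name or not session.id_token):
        return HOME
    params = {
        "id_token_hint": session.id_token,
        "post_logout_redirect_uri": provider.post_logout_redirect_uri,
        "state": secrets.token_urlsafe(16),   # correlates the return redirect
    }
    return "%s?%s" % (provider.end_session_endpoint, urlencode(params))


def is_global_logout_url(url: str, provider: OidcProvider) -> bool:
    """True when url is an RP-initiated logout request to this provider."""
    parsed = urlparse(url)
    base = "%s://%s%s" % (parsed.scheme, parsed.netloc, parsed.path)
    q = parse_qs(parsed.query)
    return (base == provider.end_session_endpoint
            and "id_token_hint" in q
            and q.get("post_logout_redirect_uri") == [provider.post_logout_redirect_uri])


if __name__ == "__main__":
    idp = OidcProvider("azure-ad", "https://login.example.test/oauth2/v2.0/logout",
                       "https://store.example.test/signed-out")
    sess = StorefrontSession("alice", provider="azure-ad", id_token="eyJ.constructed.token")
    print(logout(sess, "global", idp))
```

The `post_logout_redirect_uri` must be one the provider has registered for the client; the provider rejects unregistered values, so the check in `is_global_logout_url` compares against the configured value exactly.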