Provisioning (B2C)
Determining how users get signed up is important to address early, and the decisions you make here will influence many of the decisions you will need to make going forward. We’ve found there is a typical set of patterns for how users get added to your system, as well as things to take note of when considering workflow design.
Best Practice
While Login 3.0 supports numerous workflows, web-based workflows using Login 3.0 Universal Login for sign-up are considered both industry and Login 3.0 best practice as they provide for optimal functionality and the best security.
Login 3.0 supports user sign-up via a number of different identity providers. During sign-up, Login 3.0 provisions the user profile so that it contains the user’s account information. There are a number of things to consider when looking at functionality and workflow:
Should you use Login 3.0 as an identity store?
Can you use your own (legacy) identity store with Login 3.0?
How do you migrate user identities from your identity store to Login 3.0?
Can your users sign up using their existing social accounts such as Google and Facebook?
Login 3.0 provides out-of-the-box identity storage that can be leveraged to store user credentials safely and securely. See Self Sign-Up for more information. If you already have a legacy identity store and want to offload its management, the User Migration capabilities provide several options to do so.
Alternatively, if you have to maintain your legacy identity store (perhaps because you’ve got applications that you aren’t ready to migrate or that cannot be migrated), then you can use the identity store proxy capability. Allowing your customers to “bring their own identity” is also an attractive proposition. Though we find our customers don’t initially do so, you can use the Social Sign-Up capability to provide it.
User Migration
In addition to hosting the User Profile, Login 3.0 also has the capability to both proxy your own legacy identity store and provide a secure Login 3.0-hosted replacement. Both of these capabilities are supported via the use of Login 3.0 Database Connections. If you decide to use Login 3.0 as a replacement for your legacy identity store, then you can migrate users either all at once with bulk migration or progressively with automatic migration. Configurations for these processes must be handled by the UPBOND team upon request.
Best Practice
Customers often opt for a two-stage approach to user migration, using Automatic Migration first to migrate as many users as possible, then using Bulk Migration for the users that remain. See User Migration Scenarios for more information.
Automatic Migration is preferred as it allows users to be migrated individually and allows them to retain their existing password in almost all situations.
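The general automatic (lazy) migration pattern, as an added example that is not part of the original page and is not Login 3.0's own implementation. It shows why users keep their password (the plaintext is checked against the legacy hash at sign-in and re-hashed for the new store) and why a remainder is left for bulk migration. The store layout, both hash schemes, and all names are assumptions.

```python
import hashlib
import hmac
import os

def legacy_hash(password: str, salt: bytes) -> bytes:
    # Assumed legacy scheme: single salted SHA-256 (weak; shown only as the "old" format).
    return hashlib.sha256(salt + password.encode()).digest()

def new_hash(password: str, salt: bytes) -> bytes:
    # Assumed scheme for the new store: PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

# Constructed sample data: two users exist only in the legacy store.
LEGACY = {
    "alice@example.com": (b"a-salt", legacy_hash("correct horse", b"a-salt")),
    "bob@example.com": (b"b-salt", legacy_hash("battery staple", b"b-salt")),
}
NEW = {}  # email -> (salt, hash); stands in for the new identity store

def login(email: str, password: str) -> str:
    """Return 'ok', 'migrated' or 'denied'."""
    if email in NEW:
        salt, stored = NEW[email]
        ok = hmac.compare_digest(new_hash(password, salt), stored)
        return "ok" if ok else "denied"
    if email not in LEGACY:
        return "denied"
    salt, stored = LEGACY[email]
    # Verify against the legacy hash; a failed login must never create a user.
    if not hmac.compare_digest(legacy_hash(password, salt), stored):
        return "denied"
    # The plaintext is available only at this moment, so re-hash it for the
    # new store. The user keeps the same password and sees a normal login.
    new_salt = os.urandom(16)
    NEW[email] = (new_salt, new_hash(password, new_salt))
    return "migrated"

def pending_bulk() -> list:
    """Users who never signed in: the remainder left for a bulk migration."""
    return sorted(e for e in LEGACY if e not in NEW)
```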
For Bulk Migration, we recommend using the Userinfo API over the User Import/Export extension in all but the simplest cases, as the Management API provides greater flexibility and control.
Best Practice
Calls to the Management API are subject to Login 3.0 Rate Limiting policy. You must take this into consideration. To assist, Login 3.0 generally recommends using the appropriate Login 3.0 SDK for your development environment rather than calling our APIs directly.
Identity Store Proxy
Login 3.0 Database Connection types can also be configured to proxy an existing (legacy) identity store. If you need to keep user identities defined in your own legacy store—for example, if you have one or more business-critical applications that you can’t migrate to Login 3.0 but still need access to these identities—then you can easily integrate with Login 3.0. See Authenticate Users Using Your Database for more information.
Self Sign-Up
Self sign-up leverages Login 3.0 Database Connections to store the user ID, password, and (optional) username identity information collected from new users during the sign-up process. Database connection policies governing things such as minimum username length or password strength and complexity can be configured by the UPBOND team upon request.
Social Sign-Up
Social sign-up is synonymous with sign-in via social authentication—there’s no distinction here per se, as user profile creation happens automatically upon first social login.