Automated account registration
13.5.2.3. Automated account registration (social registration) 

This feature automatically creates IAM accounts based on the provider's data. The created account is stored in the loginapp's user repository.

This feature requires Account Linking to be enabled.

If this feature is used in combination with Auto-link existing IAM accounts, no account is registered if an existing IAM account was found and linked.

For automated account registration, the provider's data is used without additional validation. In particular:

  • Channel verification for mTAN numbers and/or email addresses is currently not supported.
  • Data validation (e.g. using regular expressions) is currently not supported.
  • The provider's data that is used to create the account is not displayed to the user and the user is not asked to confirm the data, e.g. using transaction approval.

Therefore, if this feature is used, the provider must guarantee that the provided data is valid (e.g. channel-verified and validated). IAM must trust the provider to do appropriate validation.
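The following added example (not part of the product or its documentation) shows one way to review sample provider responses before enabling this feature, flagging values that would be stored without channel verification or format validation. It assumes the provider returns OpenID Connect standard claims (email_verified, phone_number_verified); the local context data keys, the format rules and the sample records are hypothetical.

```python
import re

# Assumed mapping: provider claim -> (local context data key, claim marking it channel-verified).
# Claim names are OpenID Connect standard claims; the local keys are hypothetical.
MAPPED_CLAIMS = {
    "email": ("email", "email_verified"),
    "phone_number": ("mtan_number", "phone_number_verified"),
    "given_name": ("givenname", None),
}

# Deliberately strict formats (assumption); adjust to the local context data schema.
FORMATS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+"),
    "phone_number": re.compile(r"\+[1-9][0-9]{6,14}"),  # E.164
    "given_name": re.compile(r"[^\x00-\x1f<>]{1,64}"),
}

def audit_claims(claims):
    """Return findings for values that would be stored unvalidated."""
    findings = []
    for claim, (local_key, verified_flag) in MAPPED_CLAIMS.items():
        value = claims.get(claim)
        if value is None:
            continue  # nothing would be mapped for this key
        if not isinstance(value, str) or not FORMATS[claim].fullmatch(value):
            findings.append(f"{local_key}: invalid format")
        # Only a JSON boolean true counts; the string "true" does not.
        if verified_flag and claims.get(verified_flag) is not True:
            findings.append(f"{local_key}: not channel-verified")
    return findings

# Constructed sample responses from a provider's user info endpoint.
SAMPLES = [
    {"sub": "u1", "email": "alice@example.com", "email_verified": True, "given_name": "Alice"},
    {"sub": "u2", "email": "bob@example.com", "email_verified": False,
     "phone_number": "+41791234567"},
    {"sub": "u3", "email": "carol@@example", "email_verified": True,
     "given_name": "<b>Carol</b>"},
]

def audit_all(samples):
    """Map each subject to its findings, omitting clean records."""
    return {s["sub"]: f for s in samples if (f := audit_claims(s))}

if __name__ == "__main__":
    for sub, findings in audit_all(SAMPLES).items():
        print(sub, findings)
```

Any finding on representative provider data indicates that the provider does not give the guarantee this feature relies on.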

Automated account registration fails if a user already exists in IAM but its context data differs from the data sent by the provider. This can potentially be used to find out whether a user exists in the IAM database (user enumeration attack). Make sure this is not an issue in the given setup, especially if the provider allows users to self-register.

Configuration

Data from the provider's account (e.g. a Google account) must be mapped to context data resources (OAuth 2.0 Remote Context Data Resource) in the Resource Mappings. The Local Context Data Key of each resource must match the local context data schema that is also used in the loginapp's User Data Source.

All context data values that should be stored with the new account can be defined through User Context Data Items. These items act as a filter on the previously mapped context data resources (OAuth 2.0 Remote Context Data Resource).