IAM account creation based on remote IDP data (social registration)

This feature automatically creates IAM accounts from the data delivered by the remote identity provider. The created account is stored in the Loginapp's user repository.

This feature requires Account Linking to be enabled.

If this feature is used in combination with Auto-link existing IAM accounts, no account is registered if an existing IAM account was found and linked.

The provider's data is used without additional validation for automated account registration.

In particular:
  • Channel verification for mTAN numbers and/or email addresses is not supported.
  • Data validation (e.g., using regular expressions) is currently not supported.
  • The provider's data used to create the account is not displayed to the user, and the user is not asked to confirm it (e.g., using transaction approval).

Therefore, if this feature is used, the provider must guarantee that the data it delivers is valid (e.g., channel-verified and validated): IAM trusts the provider to perform the appropriate validation.

An automated account registration fails if a user already exists on IAM but that user's context data differs from the data sent by the provider. Because the outcome differs depending on whether the user exists, this can be used to find out whether a user is present in the IAM database (user enumeration). Ensure this is not an issue in the given setup, especially if the provider allows users to self-register.

Configuration

The data of the provider's account (e.g., a Google account) must be mapped to context data resources (OAuth 2.0 Remote Context Data Resource) in the Resource Mappings. The Local Context Data Key of each resource must match the local context data schema used in the Loginapp's User Data Source.

The context data values stored with the new account are defined through User Context Data Items, a filter over the previously mapped context data resources (OAuth 2.0 Remote Context Data Resource).
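The following Python model illustrates the flow described on this page: the Resource Mappings and User Context Data Items filter from the configuration section, the verification the provider is expected to perform because IAM does not (here checked via the standard OIDC `email_verified` claim), the Auto-link case, and the failing registration when an existing user's context data differs. It is an added example, not Airlock IAM code; the mapping names, the configured keys, and the use of the email address as IAM username are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed configuration (assumed names, not a real Loginapp setup):
# Resource Mappings: remote claim name -> Local Context Data Key.
RESOURCE_MAPPINGS = {"email": "email", "given_name": "firstname",
                     "family_name": "lastname", "picture": "avatar_url"}
# User Context Data Items: the subset of mapped keys stored with the new account.
USER_CONTEXT_DATA_ITEMS = {"email", "firstname", "lastname"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Account:
    username: str
    context_data: dict
    linked_providers: set = field(default_factory=set)


def map_context_data(provider_data):
    """Apply the Resource Mappings, then keep only the configured User Context Data Items."""
    mapped = {RESOURCE_MAPPINGS[k]: v for k, v in provider_data.items() if k in RESOURCE_MAPPINGS}
    return {k: v for k, v in mapped.items() if k in USER_CONTEXT_DATA_ITEMS}


def provider_data_is_trustworthy(provider_data):
    """The checks IAM does not perform itself and therefore expects from the provider:
    the standard OIDC 'email_verified' claim must be true and the address well-formed."""
    email = provider_data.get("email", "")
    return provider_data.get("email_verified") is True and bool(EMAIL_RE.match(email))


def register_from_provider(repo, provider_id, provider_data, auto_link=False):
    """Model of the flow. 'failed' is the case the text warns about: the user exists
    but the stored context data differs from the provider's data, so the outcome
    reveals that the user exists."""
    if not provider_data_is_trustworthy(provider_data):
        return "rejected"          # never create an account from unverified data
    ctx = map_context_data(provider_data)
    username = ctx["email"]        # assumption: the email address is the IAM username
    existing = repo.get(username)
    if existing is None:
        repo[username] = Account(username, ctx, {provider_id})
        return "registered"
    if auto_link:                  # Auto-link existing IAM accounts: no registration
        existing.linked_providers.add(provider_id)
        return "linked"
    # Identical data with auto-link disabled is not specified by the text; modelled as a no-op.
    return "failed" if existing.context_data != ctx else "unchanged"
```

The differing return values for `registered`, `failed` and `unchanged` are exactly the signal the text asks you to assess in your setup.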