
New User Login Flow - IdP Discovery based on email #1139

Open
15 tasks done
juliajeroch opened this issue Dec 27, 2024 · 0 comments

Implementation of New User Login Flow - IdP Discovery

Overview

We are introducing a new user login flow for the Catena-X Dataspace. This flow will utilize IDP-Discovery, eliminating the need for users to actively select their Identity Provider (IDP). Instead, the system will manage IDP selection based on the user's email address. This new flow aims to streamline the user experience and improve the login process.

What's the benefit?

The new user login flow with IDP-Discovery brings significant benefits, including a more streamlined and user-friendly login process, enhanced security, and better management capabilities. It positions Catena-X Dataspace for future growth and scalability while contributing valuable improvements to the Keycloak community.

Implementation Details

Current Flow

  1. User navigates to the login page.
  2. User selects their Identity Provider (IDP) from a list.
  3. User enters their login credentials.
  4. User is authenticated and logged in.

New Flow (IDP-Discovery)

  1. User navigates to the login page.
  2. User enters their email address.
  3. System validates the email address.
  4. System discovers the associated IDP(s) based on the email domain:
    • If a single IDP is discovered:
      • User is forwarded directly to the login page of the discovered IDP.
    • If multiple IDPs are discovered:
      • User is forwarded to a company login selection page to choose the appropriate IDP.
  5. User enters their password/authentication details.
  6. User is authenticated and logged in.

Impacted Products

  • Keycloak
    • Adjustments to the login flow to implement IDP-Discovery.
    • Modification of authentication logic to validate email and discover IDPs.
  • Keycloak Login Themes
    • Update to the login page UI to accommodate email input for IDP-Discovery.
    • Design and implementation of the company login selection page.

What are the Risks?

None

Contribution Timeline

We plan to contribute the code for this new login flow within the next release scheduled for 25th June.

Benefits

  • Enhanced User Experience: Simplifies the login process by reducing the steps required for the user to select their IDP.
  • Improved Efficiency: Automates the discovery of IDPs based on email addresses, reducing user effort.
  • Streamlined Authentication: Ensures a smoother transition from email input to authentication.

Feature Team

Contributor

  • Cofinity-X (Saloni & Shahin)

Committer

open

User Stories

  • Issue 1, linked to specific repository
  • Issue 2, linked to another specific repository

Acceptance Criteria

General Acceptance Criteria

User Interface:

  • The login page must have an email input field.
  • The email input field must validate the format of the email address.
  • Error messages must be clear and user-friendly.

Email Validation:

  • The system must validate the email format upon user input.
  • Invalid email formats must trigger an error message without proceeding further.

IDP Discovery:

  • The system must accurately discover associated IDPs based on the email domain.
  • If a single IDP is found, the user must be forwarded directly to the IDP login page.
  • If multiple IDPs are found, the user must be directed to a company login selection page.

Test Cases (DRAFT)

Test Cases for New User Login Flow

Test Case 1: Valid Single IDP Discovery

Description

Test the scenario where a user enters a valid email address associated with a single IDP.

Precondition
  • The user has a valid email address.
  • The IDP is configured correctly.
Steps
  1. Navigate to the login page.
  2. Enter a valid email address (e.g., [email protected]).
  3. Click on the "Continue" button.
Expected Result
  • The system validates the email address.
  • The system discovers a single IDP associated with the email domain.
  • The user is redirected to the IDP login page.
  • The IDP login page is displayed correctly.

Test Case 2: Valid Multiple IDP Discovery

Description

Test the scenario where a user enters a valid email address associated with multiple IDPs.

Precondition
  • The user has a valid email address.
  • Multiple IDPs are configured for the email domain.
Steps
  1. Navigate to the login page.
  2. Enter a valid email address (e.g., [email protected]).
  3. Click on the "Continue" button.
Expected Result
  • The system validates the email address.
  • The system discovers multiple IDPs associated with the email domain.
  • The user is redirected to the company login selection page.
  • The company login selection page is displayed correctly with all available IDPs.

Test Case 3: Invalid Email Address

Description

Test the scenario where a user enters an invalid email address.

Precondition
  • The user has an invalid email address format.
Steps
  1. Navigate to the login page.
  2. Enter an invalid email address (e.g., invalid-email).
  3. Click on the "Continue" button.
Expected Result
  • The system validates the email address.
  • The system detects the invalid email format.
  • An error message is displayed indicating the email address is invalid.

Test Case 4: No IDP Found

Description

Test the scenario where a user enters a valid email address, but no IDP is associated with the email domain.

Precondition
  • The user has a valid email address.
  • No IDP is configured for the email domain.
Steps
  1. Navigate to the login page.
  2. Enter a valid email address (e.g., [email protected]).
  3. Click on the "Continue" button.
Expected Result
  • The system validates the email address.
  • The system does not find any IDP associated with the email domain.
  • An error message is displayed indicating no IDP is found for the entered email address.

Test Case 5: Successful Login with Single IDP

Description

Test the scenario where a user successfully logs in through a single discovered IDP.

Precondition
  • The user has a valid email address.
  • The IDP is configured correctly.
  • The user knows their login credentials.
Steps
  1. Navigate to the login page.
  2. Enter a valid email address (e.g., [email protected]).
  3. Click on the "Continue" button.
  4. Enter the password on the IDP login page.
  5. Click on the "Login" button.
Expected Result
  • The system validates the email address.
  • The system discovers a single IDP.
  • The user is redirected to the IDP login page.
  • The user enters the correct credentials.
  • The user is successfully authenticated and logged in.

Test Case 6: Successful Login with Multiple IDPs

Description

Test the scenario where a user successfully logs in through one of the multiple discovered IDPs.

Precondition
  • The user has a valid email address.
  • Multiple IDPs are configured correctly.
  • The user knows their login credentials.
Steps
  1. Navigate to the login page.
  2. Enter a valid email address (e.g., [email protected]).
  3. Click on the "Continue" button.
  4. Select the appropriate company IDP from the company login selection page.
  5. Enter the password on the selected IDP login page.
  6. Click on the "Login" button.
Expected Result
  • The system validates the email address.
  • The system discovers multiple IDPs.
  • The user is redirected to the company login selection page.
  • The user selects the correct IDP.
  • The user is redirected to the IDP login page.
  • The user enters the correct credentials.
  • The user is successfully authenticated and logged in.

Test Case 7: Incorrect Password

Description

Test the scenario where a user enters an incorrect password.

Precondition
  • The user has a valid email address.
  • The IDP is configured correctly.
  • The user knows their login credentials.
Steps
  1. Navigate to the login page.
  2. Enter a valid email address (e.g., [email protected]).
  3. Click on the "Continue" button.
  4. Enter an incorrect password on the IDP login page.
  5. Click on the "Login" button.
Expected Result
  • The system validates the email address.
  • The system discovers a single IDP.
  • The user is redirected to the IDP login page.
  • The user enters incorrect credentials.
  • An error message is displayed indicating the password is incorrect.
  • The user remains on the IDP login page to retry.
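The discovery decision that the New Flow, the acceptance criteria and the seven test cases above describe, written out as an added Python example. This is not Catena-X or Keycloak code: the domain-to-IdP registry, the IdP aliases and login URLs, the email regex and the `discover_idp` / `resolve_selection` functions are all constructed for illustration. It goes slightly beyond the text in two places a real authenticator would need anyway: the email domain is lower-cased before lookup so case differences cannot miss a configured IdP, and the alias chosen on the company selection page is checked server-side against the set that was actually discovered for that domain.

```python
"""Email-based IdP discovery decision logic.

Added example, not Catena-X or Keycloak code. The registry, IdP aliases
and URLs below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Pragmatic syntax check matching the acceptance criteria: one '@', a non-empty
# local part and a dotted domain with no whitespace. Full RFC 5322 parsing is
# deliberately out of scope; the IdP lookup only needs a well-formed domain.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


@dataclass(frozen=True)
class IdP:
    alias: str          # Keycloak-style identity provider alias (constructed)
    display_name: str   # label shown on the company login selection page
    login_url: str      # where the user is forwarded to enter credentials


# Constructed registry: email domain -> IdPs configured for that domain.
IDP_REGISTRY: dict[str, list[IdP]] = {
    "single-corp.example": [
        IdP("single-corp", "Single Corp SSO", "https://idp.single-corp.example/auth"),
    ],
    "multi-corp.example": [
        IdP("multi-corp-azure", "Multi Corp (Azure AD)", "https://login.example/azure"),
        IdP("multi-corp-okta", "Multi Corp (Okta)", "https://login.example/okta"),
    ],
}


@dataclass(frozen=True)
class Decision:
    # One of: "invalid_email", "no_idp", "redirect" (single IdP), "select" (several)
    outcome: str
    domain: Optional[str] = None
    idps: tuple[IdP, ...] = ()
    message: Optional[str] = None   # user-facing error text, if any


def extract_domain(email: str) -> Optional[str]:
    """Return the normalised email domain, or None if the address is malformed."""
    email = email.strip()
    if not EMAIL_RE.match(email):
        return None
    # Domains are case-insensitive; normalise so "User@CORP.Example" and
    # "user@corp.example" hit the same registry entry.
    return email.rsplit("@", 1)[1].lower()


def discover_idp(email: str, registry: dict[str, list[IdP]] = IDP_REGISTRY) -> Decision:
    """Steps 3-4 of the new flow: validate the email, then branch on 0 / 1 / n IdPs."""
    domain = extract_domain(email)
    if domain is None:
        # Test case 3: stop here, do not proceed to discovery.
        return Decision("invalid_email", message="Please enter a valid email address.")
    candidates = tuple(registry.get(domain, ()))
    if not candidates:
        # Test case 4: valid address, but nothing configured for the domain.
        return Decision("no_idp", domain=domain,
                        message="No identity provider is configured for this email address.")
    if len(candidates) == 1:
        # Test case 1 / 5: forward straight to the single IdP.
        return Decision("redirect", domain=domain, idps=candidates)
    # Test case 2 / 6: let the user choose on the company login selection page.
    return Decision("select", domain=domain, idps=candidates)


def resolve_selection(decision: Decision, chosen_alias: str) -> str:
    """Step 4 of test case 6: map the user's choice back to a login URL.

    The chosen alias must be one of the IdPs discovered for this decision;
    the selection page's own list is not trusted, the server re-checks it.
    """
    if decision.outcome != "select":
        raise ValueError("no selection is pending for this decision")
    for idp in decision.idps:
        if idp.alias == chosen_alias:
            return idp.login_url
    raise ValueError(f"alias {chosen_alias!r} was not discovered for {decision.domain}")


if __name__ == "__main__":
    for sample in ("invalid-email", "user@single-corp.example",
                   "User@MULTI-CORP.Example", "user@unknown.example"):
        d = discover_idp(sample)
        print(f"{sample:28} -> {d.outcome:13} {[i.alias for i in d.idps]} {d.message or ''}")
```

Each `Decision.outcome` corresponds to one branch of step 4 in the new flow, so a login theme only has to switch on that value; the `message` field carries the user-facing error text the acceptance criteria ask for in the invalid-email and no-IdP cases.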

Architectural Relevance

The following items are ensured (answer: yes) after this issue is implemented.

In the context of the standards 126 and 127, typically only one is applicable, depending on the specific use case. Please cross out one of the two standards that does not apply.

Additional information

n/a
