Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview:

Currently, Any user initiating a first time SSO login using an identifier that already exists in the custodian org - causes an auto migration of the account from custodian to the state tenant it can cause erroneous migration to avoid it user's acknowledgment is required.

If the user is found to match an account in the custodian org when the user tries to login via SSO for the first time, the user should be prompted about the existence of the duplicate account and asked whether the account belongs to them.

...

Account auto-merge workflow should be handled in the portal front end and portal securely. Currently only the existing user's are migrated 

Flow chart: 

Image Removedbackend. An auto migration of the account from custodian to the state tenant it can cause erroneous migration to avoid its user's acknowledgment is required.

Approach :


Image Added

                                          

...

Step 4: User is allowed to enter the password if the password is correct to initiate migration of account else allow the user to reenter the password.

Step 5: Users re-enter the password. If the password is correct initiate account migration else create a new account for the user.

Things to discuss
1) Sending username phone number/ email address as query parameter

2) Storing the password failure attempts in localstorage as we will have 2 password failure.

...

.


Conclusions after design discussion

  1. Send state token along with email/Phone number encrypted in redirectUri while opening keycloack page.
  2. Mobile team should append client_id='andriod'.
  3. Before calling migrate API portal should perform the following checks
    - Decrypt the encrypted data to get state token, user email 
    - Check if state token is valid using echo API
    - Check if state token is not expired.
    - Verify the access token
    - Check if email Id from encrypted data and the access token is same.
  4. Only after all checks in step 3 are passed migrate API can be called. 
  5. Once migration is done user will be notified via email from backend.
  6. Mobile related changes - 
    User will be logged as a nonstate user after the user enters password or Gmail.
    Mobile needs to detect by reading the query parameter if auto-merge is in progress or not.
    If auto-merge is in progress mobile will call to portal sending encrypted data and access token to migrate the user.


Open questions for the mobile team? 

  1. Once the non-state user is migrated to state user how the data in the mobile client will can updated details 



Draw.io flow chart link to edit - Untitled Diagram (2).drawio

UI Screens

Verify user via email or phone

...