IO Workflow Guide
Identity Orchestration Workflows provide a powerful no-code solution to design and manage identity processes using an intuitive drag-and-drop interface. You can:
- Use pre-built templates.
- Build workflows from scratch.
- Customize existing workflows.
This flexibility empowers you to create workflows tailored to your business needs effortlessly.
Configuration
This configuration guides you through creating identity workflows for customer registration, authentication, forgot passwords, and more. You can design workflows for different styles or deploy separate workflows for custom use cases.
- Navigate to Admin Console > Orchestration > Workflows.
- Click the New Workflow button.
- Choose the Workflow Type
Start with a Template: This allows you to choose a prebuilt template for common identity workflows, such as Login/Registration.
Start in the Editor: Create a workflow based on your custom requirements.
Start with a JSON File.
- Once you select the Workflow type, a popup will appear asking for workflow details; the following are the details you need to add.
- Workflow Name, a unique identifier for your workflow
- Workflow Description (Optional): Additional details about the workflow.
- Style (Optional): This field allows you to associate the workflow with a specific style, as defined in the Auth Studio. For details on customizing workflow pages, see the Auth Studio Workflow Page documentation and Branding and Customisation Guide.
- Upload Workflow JSON: Upload workflow JSON if you select the workflow type Upload your JSON.
- Debug Mode: This feature allows you to turn on or off debugging for the workflow. Enabling debugging can help identify and resolve issues during the workflow creation and testing process. For example, if your workflow is not behaving as expected, enabling debugging can help you trace the problem and make necessary adjustments.
Once the configuration is completed, you will be redirected to the Workflow Editor.
Workflow Editor
The Workflow Editor is a powerful, user-friendly live editor that allows you to design and customize identity workflows without writing code. Its intuitive drag-and-drop interface simplifies workflow creation, making it easy to confidently build, modify, and test solutions.
IO Workflow Nodes
Nodes are the core building blocks of your workflow. Each node represents a specific identity management function in the left sidebar of the Workflow Editor.
Key Features of Workflow Nodes:
- Modularity: Each node performs a distinct function, allowing you to combine them for complex workflows.
- Customizability: Nodes can be configured with parameters to tailor them to your specific requirements.
- Reusability: Save frequently used configurations for future workflows to save time.
Customizing and Testing Workflows
The drag-and-drop interface allows you to arrange nodes into a logical sequence, visually representing your workflow. You can test your workflows within the editor to ensure they function as expected before deployment.
Refer to the Supported IO Workflow Nodes Guide for comprehensive information on each node type and its capabilities.
Deployment
Once all configurations and the workflow are ready to deploy, click the Update button to apply the changes. This will make the updated workflow available for use. To preview the workflow, click the Preview button and select the OIDC/OAuth App and Styles.
Here are additional technical details for understanding the redirection and utilizing the preview URLs generated during workflow deployment:
Access Token Handling and Redirect Behavior
When executing authentication workflows, if an access_token is present in the request and the first node is not a HasSession node, the workflow will automatically redirect the user based on the following priority order:
-
Success Node Redirect URL - If a redirect URL is configured in the success node of the workflow, the user will be redirected to this URL.
-
Return URL Query Parameter - If a return_url parameter is present in the query string, the user will be redirected to this URL.
Note: The
return_urlmust be whitelisted in the configured domain. -
Auth Studio Profile Page - If neither of the above is present, the user will be redirected to the default profile page of the auth studio.
Priority Note: When both a return_url query parameter and a success node redirect URL are present, the success node redirect URL takes precedence.
This redirect behavior applies to both initial workflow requests and GET calls when an access_token is present, ensuring consistent user experience across authentication workflows.
URL Format
The format of the URLs generated for workflows is as follows:
https://<API_Domain>/workflow?workflowName=<workflow_name>&client_id=<client_id>&s=<style>&debugMode=<debug_mode>
- API Domain: The domain of the LoginRadius Hub, e.g.,
lrdemo2.hub.loginradius.com.
Options and Query Parameters
The URL can include various parameters to control workflow behavior. Below is a list of key parameters:
| Parameter | Description |
|---|---|
| workflowName | The workflow name to be triggered can be found under Admin Console > Orchestration > Workflows. |
| client_id | Client ID of the OIDC/OAuth application Note: To know more about OIDC/Oauth App creation, navigate to this document |
| s | The style under which the workflow is to be executed. The name of the style that is created under the Admin Console > Orchestration > Workflows > Auth Studio |
| debugMode | To see the debug log during the workflow execution, use the flag true |
Using with OIDC/OAuth (Federated SSO)
When integrating an IO workflow with an OIDC/OAuth application, pass the workflow parameter directly in the OIDC authorize URL instead of using the standalone workflow URL above. The IO workflow executes as part of the OIDC flow, and an authorization code is issued only after the workflow completes successfully.
For a full setup guide covering configuration steps, URL parameters, and use cases (MFA, custom claims, progressive profiling), see OIDC/OAuth Flows with Identity Orchestration.
Preview URL
The Preview URL is the live URL used to see the orchestration workflow. It allows you to run the existing workflow directly. To access and utilize the Preview URL, follow these steps:
-
Navigate to Admin Console > Orchestration > Workflows in the LoginRadius Console:
-
Select the workflow from the list.
-
A popup will appear to provide the deployed workflow.
-
Select the OIDC/OAuth App and style in the popup to preview the workflow.
-
Click on Preview, and it will redirect you to the Preview URL.
Triggering Workflows via URLs
You can trigger workflows using URLs in different scenarios:
Standard Login Workflow (Webpage as Entry Point)
- Use Case: Workflows with a login or entry form are displayed as a web page.
- Create the web page workflow in the Workflow Builder;
- How to Trigger:
- Navigate to the Preview URL corresponding to the workflow.
https://api_domain/workflow?workflowName=<workflow_name>&client_id=<client_id>&s=<style>
- Add the
api_domain,workflowname,client_idands(style).
Using the above guidelines, you can deploy, preview, and interact with workflows efficiently, tailoring them to specific application and business requirements.
Typical Workflow Use Cases
Below are some common starting points and node patterns for building IO workflows:
1. Registration Flow
- Purpose: Register a new user in the LoginRadius system.
- Typical Node:
- Create User Node: Handles user creation and initial profile setup.
- Notes: You can add additional nodes for email verification, consent, or profile enrichment as needed.
2. Login Flow
- Purpose: Authenticate users through various methods.
- Typical Nodes:
- Auth Node: Standard username/password login.
- Social Auth Node: Login via social providers.
- Custom IdP Node: Integrate with external/custom identity providers.
- Verification Nodes: For flows requiring additional verification (e.g., MFA, email, phone).
- Notes: Login flows can branch based on user type, authentication method, or verification requirements.
3. MFA (Multi-Factor Authentication) Flow
- Purpose: Enforce additional authentication steps for enhanced security.
- Typical Node Sequence:
- IdentityLookup Node: Identify the user and retrieve their profile.
- MFA State Node: Check if MFA is required or already configured.
- Configure MFA Node: If MFA is not set up, prompt the user to configure it (failure path from MFA State Node).
- Verification Nodes:
- Verify Authenticator
- Verify Security Questions
- Verify Push Notification
- Verify OTP/Other
- Notes: These nodes are often used together to ensure a secure and user-friendly MFA experience. The failure path from the MFA State Node should always map to the Configure MFA Node.
Example: MFA Flow with Email OTP
A typical MFA flow using Email OTP might look like this:
- IdentityLookup Node: Identify the user and retrieve their profile.
- MFA State Node: Check if MFA is required or already configured.
- Configure MFA Node: If MFA is not set up, prompt the user to configure it.
- Email OTP Node: Initiate the sending of an OTP to the user's email address.
- Send Email Node: Actually send the OTP email to the user.
- Webpage Node (OTP Input): Display a page with an input field for the user to enter the OTP.
- Verify Email/SMS OTP Node: Validate the OTP entered by the user.
Note: The MFA State Node can also branch to this same send email flow if the user's MFA method is email OTP.
This sequence ensures that users are prompted to configure MFA if needed, receive an OTP via email, and are required to verify the OTP before proceeding. You can adapt this pattern for SMS OTP or other verification methods as needed.
These patterns provide a foundation for building robust registration, login, and MFA workflows. You can further customize and extend these flows using additional nodes, scripts, and integrations to meet your business requirements.
Related Resources
Enhance your understanding with these additional references: