Getting Started
This document will help you set up LoginRadius as a Customer Identity and Access Management (CIAM) solution for your application. This walkthrough uses Identity Orchestration (IO) for its simplicity and no-code capabilities. By following this guide, you will be able to:
- Set up a new OAuth/OpenID Connect application
- Configure authentication methods (email, passwordless, social login, etc.)
- Create a custom brand theme that matches your website’s look and feel
- Build and deploy a front-end workflow using the low-code Workflow Editor
Identity Orchestration (IO)
LoginRadius Identity Orchestration (IO) enables you to go from zero to a fully working user journey with minimal setup, while giving you the flexibility to customize every part of the experience. IO empowers businesses to design and manage tailored identity workflows that align with their unique customer journeys.
Configure a New App
Start by creating a new application and configuring the grant types and scopes that match your use case.
Create the App
- Navigate to Applications in the Console.
- Click Add Application.
- Enter a unique Application Name and click Create Application.
Your app is now created and you will be taken to the app's configuration page.
Configure the App
The configuration page is organized into tabs: General, Tokens, Endpoints, APIs, MCP Clients, and Connections. The settings on each tab are described below.
General
1. Credentials & Security
- Name : The display name for your application.
- Client ID : Auto-generated unique identifier. Use this in authorization requests and client-side flows.
- Client Secret : Auto-generated secret key. Authenticates your app with the Authorization Server. Never expose this in client-side code or public repositories.
- Token Endpoint Auth Method : Defines how your app proves its identity when calling the token endpoint.
- Default Workflow : Set the default interaction pattern for this application.
2. Grant Settings
- Grant Type : Select one or more grant types based on your use case:
  | Grant Type | Use Case |
  | --- | --- |
  | Authorization Code | Standard web or SPA login |
  | Refresh Token | Persistent sessions without re-authentication |
  | Password Grant | Trusted first-party apps |
  | Client Credentials | Service-to-service (M2M) |
- Scopes : Define what user information your app is allowed to access:
  - Email address, Phone, Profile, Address
Refer to the protocol-specific guides for recommended grant types — OAuth 2.0, OIDC, or M2M.
3. MCP Registration (Optional)
- CIMD (Client ID Metadata Document) : Allows your app to use a URL as its identity. The server fetches and verifies client details automatically.
- DCR (Dynamic Client Registration) : Allows external apps to register and obtain credentials at runtime without manual dashboard setup.
Tokens
1. Token & Session Settings
- Access Token Lifetime (secs) : How long the access token remains valid. (Default: 3600)
- Refresh Token Lifetime (secs) : How long the refresh token remains valid. (Default: 86400)
- ID Token Lifetime (secs) : How long the ID token remains valid.
- Force Reauthentication : When enabled, users must re-authenticate instead of reusing an existing session.
- Signed User Info : When enabled, user info is returned as a signed JWT; otherwise returned as JSON.
Tokens are signed using the RS256 algorithm.
2. Authorization Requests (Optional)
- PAR (Pushed Authorization Request) : Allows the app to send authorization requests through the PAR endpoint for enhanced security.
- RAR (Rich Authorization Request) : Enables rich authorization data in PAR flows. Add the allowed authorization_details.type values for this app.
3. Data Mapping & Metadata (Optional)
- Audiences : Define the intended recipients of the token.
- Data Mapping : Attach custom fields or properties to the token data response.
- Metadata : Add static non-profile values to the data response.
Endpoints
1. Endpoint URLs
Copy these endpoints for your integration:
- Issuer URL
- Authorization URL
- Device Authorization URL
- Token URL
- User Info URL
- OpenID Discovery Endpoint
- OAuth Authorization Server Metadata
- JWKS URL
2. Redirect & Logout URLs
- Login Redirect URLs : Whitelisted URIs where users are sent after successful authentication.
- Logout Redirect URLs : URIs where users are redirected after logout.
If left blank, redirect_uri is validated against the globally configured Domains list in Tenant Settings.
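The whitelist described above only protects against redirect abuse if the comparison is an exact match. The following is an added example (not LoginRadius code) of that check in Python, including the fallback to the tenant Domains list when the app's own list is blank; the registered URLs and domain names are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample configuration for this example (not real tenant values):
# the app's Login Redirect URLs and the tenant-wide Domains list that applies
# only when the app's own list is left blank.
APP_LOGIN_REDIRECT_URLS = [
    "https://app.example.com/auth/callback",
    "https://app.example.com:8443/auth/callback",
]
TENANT_DOMAINS = ["app.example.com", "portal.example.com"]

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_uri(uri):
    """Split an absolute URI into (scheme, host, port, path, query) with a
    lower-cased scheme/host and the default port filled in.
    Returns None for anything that must never be accepted as a redirect_uri:
    relative URIs, unknown schemes, bad ports, or a fragment component."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname or parts.fragment:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme],
            parts.path or "/", parts.query)


def redirect_uri_allowed(redirect_uri, app_urls, tenant_domains):
    """Accept redirect_uri only if it matches a registered URL exactly
    (scheme, host, port, path and query), so look-alike hosts, extra
    query parameters and path tricks are all rejected. When the app has
    no registered URLs, fall back to the tenant Domains list, requiring
    https and an exact host match (never a suffix match)."""
    requested = normalize_uri(redirect_uri)
    if requested is None:
        return False
    if app_urls:
        return any(normalize_uri(u) == requested for u in app_urls)
    scheme, host = requested[0], requested[1]
    return scheme == "https" and host in {d.lower() for d in tenant_domains}
```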
3. Cross-Origin Authentication
- CORS Origin : Whitelist domains allowed to access your app's APIs from the browser. Enable if your app runs on a different domain than your APIs.
4. Back-Channel Logout
- Back-Channel Logout : Configure a logout endpoint that LoginRadius will call to ensure users are logged out across all active sessions when a logout event is triggered.
APIs
Select the Audience and Scopes this app is permitted to access. Click + Add New to define API-level access permissions.
For M2M apps, scopes defined here represent resource-level permissions, not user profile claims.
MCP Clients
MCP clients connected to this application will be listed here. Use the search bar to find clients by name or client ID.
Connections
Enable the Set authentication configuration for this app option to configure authentication-level settings specific to this application.
Set up authentication
You need to select which authentication types and methods you want to provide. You must enable at least one authentication type and one authentication method. You can also choose to allow authentication through social providers.
To set up authentication types and methods
- Navigate to Authentication > Authentication Configuration in the Console.
- Enable at least one authentication type:
  - Email: Allows users to register and log in with an email and password.
  - Phone: Enables login via mobile phone number with a one-time password (OTP) sent via SMS.
  - Username: Supports registration and login using a username.
- Enable at least one authentication method:
  - Passwordless: Provides a seamless, secure login without traditional passwords.
  - Passkey: Uses biometrics or hardware security keys for password-free authentication.
To Enable Authentication through Social Login (Optional)
- Toggle on the desired social provider.
- In the Configuration tab, enter your social provider’s settings.
  Note: Refer to the Setup Guide tab for step-by-step instructions on configuring your provider.
- Click Save to apply the changes.
You can now enable authentication via this social provider for specific applications by navigating to Applications > [Select an App] > Connections.
Once you’ve set up your application and selected the authentication services you want to provide, you’re ready to tie your apps into a front-end workflow by creating a brand and a workflow.
For more detailed information, please refer to the Authentication documentation.
Deploying Identity Orchestration
Utilize the low-code workflow creation engine to create plug-and-play blocks for a rapid and straightforward workflow setup. After configuring your workflow, connect an app and brand, and generate a workflow URL for live preview or deployment.
To create a new workflow
- Navigate to Orchestration > Workflows.
- Select New Workflow.
- Select a method to start setting up your workflow:
  - Templates: Choose from pre-built templates for common identity workflows, such as login and registration.
  - Editor: Create a workflow based on your custom requirements.
  - Upload JSON: Upload your workflow JSON to import, modify, or reuse for your specific use case.
- In the Add-Workflow dialog, enter your workflow name and description and select a brand.
- Select Confirm.
- In the workflow editor, configure your workflow by arranging, editing, and adding nodes to define the user journey. Supported node types include:
  - Authentication: Email/password, OAuth, SAML, JWT.
  - Service: Session management, webhooks, custom scripts.
  - Security: MFA setup, security policies.
  - Page: Custom user input forms.
  - Social Login: Social provider integration.
  - Helper: Utility nodes for additional logic.
- Click Update to save and deploy the workflow.
The format of the URLs generated for workflows is:
https://<API_Domain>/workflow?workflowName=<workflow_name>&client_id=<client_id>&s=<style>&debugMode=<debug_mode>
- API Domain: The domain of the LoginRadius Hub.
For more information on URL formatting parameters, please refer to the documentation.
Preview the workflow
Before you deploy a workflow, preview it to see how it will appear to users.
- In the workflow editor, select Preview, or select the workflow name in your list of workflows.
- Select the OIDC/OAuth app that you created in the previous steps and want to use with the workflow.
- Select a brand for the workflow.
  Note: If you don’t select a brand, the default theme appears. If you selected a brand when you initially created the workflow, that brand’s theme appears.
- Select Preview.
The URL can include various parameters to control workflow behavior. Key parameters:
- workflowName - The workflow name to be triggered. It can be found in the Admin Console by navigating to Orchestration > Workflows.
- client_id - Client ID of the OIDC/OAuth application.
- brand - The name of the brand under which the workflow will be executed. It can be found in the Admin Console by going to Orchestration > Theme Customization.
- debugMode - Set to true to see the debug log during workflow execution.
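As an added example (not LoginRadius code), the following Python assembles a workflow URL in the format shown earlier from the parameters listed above, and validates such a URL before it is used, rejecting a foreign host, a missing or repeated required parameter, and a non-boolean debugMode. The hub domain, workflow name and client ID used in the test data are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Parameters named on the page; other parameters may exist and are passed through.
REQUIRED = ("workflowName", "client_id")
OPTIONAL = ("s", "brand", "debugMode")


def build_workflow_url(api_domain, workflow_name, client_id, style=None,
                       brand=None, debug_mode=False):
    """Assemble a workflow URL; values are percent-encoded so a workflow
    name with spaces or special characters stays a single parameter."""
    if not workflow_name or not client_id:
        raise ValueError("workflowName and client_id are required")
    params = {"workflowName": workflow_name, "client_id": client_id}
    if style:
        params["s"] = style
    if brand:
        params["brand"] = brand
    params["debugMode"] = "true" if debug_mode else "false"
    return f"https://{api_domain}/workflow?{urlencode(params)}"


def parse_workflow_url(url, expected_domain):
    """Validate a workflow URL before handing it to users: it must point at
    our own hub over https, carry each required parameter exactly once
    (a repeated key is rejected instead of silently picking one value),
    and use a boolean debugMode."""
    parts = urlsplit(url)
    if (parts.scheme != "https" or parts.hostname != expected_domain.lower()
            or parts.path != "/workflow"):
        raise ValueError("not a workflow URL for this hub")
    query = parse_qs(parts.query, keep_blank_values=True)
    for key in REQUIRED + OPTIONAL:
        if len(query.get(key, [])) > 1:
            raise ValueError(f"{key} must not be repeated")
    for key in REQUIRED:
        if not query.get(key, [""])[0]:
            raise ValueError(f"{key} is required")
    debug = query.get("debugMode", ["false"])[0].lower()
    if debug not in ("true", "false"):
        raise ValueError("debugMode must be true or false")
    return {
        "workflowName": query["workflowName"][0],
        "client_id": query["client_id"][0],
        "s": query.get("s", [None])[0],
        "brand": query.get("brand", [None])[0],
        "debugMode": debug == "true",
    }
```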
For more detailed information on configuring IO workflows, refer to the IO Workflows Documentation.