--- title: Select Identity Provider node description: The Select Identity Provider node presents an end user with a list of configured, enabled, social identity providers to use for authentication. component: auth-node-ref version: latest page_id: auth-node-ref::select-identity-provider canonical_url: https://docs.pingidentity.com/auth-node-ref/latest/select-identity-provider.html keywords: ["Nodes & Trees", "Journeys", "Authentication", "Social Identity"] page_aliases: ["auth-node-select-identity-provider.adoc"] superseded_by: https://docs.pingidentity.com/auth-node-ref/latest/select-identity-provider.html section_ids: examples: Examples example_1_social_authentication: "Example 1: Social authentication" example_2_dynamic_account_linking: "Example 2: Dynamic account linking" example-3: "Example 3: Login journey with multiple authentication options" availability: Availability inputs: Inputs dependencies: Dependencies configuration: Configuration outputs: Outputs callbacks: Callbacks outcomes: Outcomes errors: Errors --- # Select Identity Provider node The Select Identity Provider node presents an end user with a list of configured, enabled, social identity providers to use for authentication. Use this node with the [Social Provider Handler node](social-provider-handler.html) for social authentication. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | You can configure this node to show only the identity providers the user has already associated with their account. This is useful, for example, in account claiming flows, where a user wants to associate a new social identity provider with an account that's being authenticated through social authentication.In cases such as account claiming, where the user has already authenticated once and is linking a new identity provider, the node only displays a local sign-in option if it detects that the user's account has a `password` attribute. | ## Examples ### Example 1: Social authentication This example shows the Social Provider Handler and Select Identity Provider nodes in a social authentication journey. ![journey social provider handler](_images/journey-social-provider-handler.png) a The [Page node](page.html) containing the [Select Identity Provider node](select-identity-provider.html) prompts the user to select a social identity provider or to authenticate with a username and password. b If the user selects local authentication, the [Data Store Decision node](data-store-decision.html) takes care of the authentication. c If the user selects social authentication, the [Social Provider Handler node](social-provider-handler.html) does the following: * Routes the user to the selected social provider to authenticate there * Retrieves the user's profile information, and transforms it into a format that Advanced Identity Cloud can use * Assesses whether the user has an existing user account in Advanced Identity Cloud * If the user has an existing user account, authenticates that user * If the user doesn't have a user account, routes the user to another page node * If the user interrupts the social authentication, routes the user back to the [Select Identity Provider node](select-identity-provider.html) d The nodes on the page node request the information required to *register* a new user account. e The [Create Object node](create-object.html) creates the new user account in Advanced Identity Cloud. ### Example 2: Dynamic account linking This example shows a social authentication journey with dynamic account linking. ![journey social provider handler link](_images/journey-social-provider-handler-link.png) a A [Page node](page.html) contains the [Select Identity Provider node](select-identity-provider.html) node that prompts the user to select a social identity provider or to authenticate with a username and password. b If the user selects local authentication, the [Data Store Decision node](data-store-decision.html) takes care of the authentication. c If the user selects social authentication, the Social Provider Handler node does the following: * Routes the user to the selected social provider to authenticate there * Retrieves the user's profile information, and transforms it into a format that Advanced Identity Cloud can use * Assesses whether the user has an existing user account in Advanced Identity Cloud * If the user has an existing user account, authenticates that user * If the user doesn't have a user account, routes the user to the [Identify Existing User node](identify-existing-user.html) * If the user interrupts the social authentication, routes the user back to the [Select Identity Provider node](select-identity-provider.html) d The [Identify Existing User node](identify-existing-user.html) checks if the user exists in Advanced Identity Cloud using the Identity Attribute specified and does the following: * If the user exists, routes the user to the [Patch Object node](patch-object.html) * If the user doesn't exist, routes the user to another page node e The [Patch Object node](patch-object.html) updates the existing user to create the link. f The nodes on the page node request the information required to *register* a new user account. g The [Create Object node](create-object.html) creates the new user account in Advanced Identity Cloud. ### Example 3: Login journey with multiple authentication options AM only *(tooltip: Currently available only in AM 8.1)* The following example journey lets the user authenticate using social authentication, a username and password, or a passkey: ![Journey with WebAuthn conditional UI and social authentication](_images/webauthn-conditional-ui-example-journey.png) The v2.0 [Page node](page.html) provides the user with different authentication options on the same page. The Page node contains the following nodes: * [Platform Username node](platform-username.html). This node uses the following configuration to provide users with relevant autofill suggestions, including passkeys if they're available: * Autocomplete Values `username`\ `webauthn` The autocomplete values must be in this order. * [Platform Password node](platform-password.html) * [Select Identity Provider node](select-identity-provider.html). This node is configured to include local authentication. * [WebAuthn Authentication node](webauthn-authentication.html). This node is v2.0 and uses the following configuration to provide the WebAuthn conditional UI and Sign in with passkey button: * Username from device `Enabled` * Mediation `CONDITIONAL` * Authentication Button `Enabled` The standalone nodes must be added after the non-standalone nodes. This Page node configuration presents a Sign in page to the user similar to the following: ![Example Sign in page with passkey and social authentication options](_images/webauthn-conditional-ui-signin-page.png) * If the user chooses Google in this example, the [Social Provider Handler node](social-provider-handler.html) routes the user to Google to authenticate. If authentication is successful, the user follows the `Account exists` path. Otherwise, they can try a different authentication method. * If the user clicks in the User Name field, they are shown any relevant username and passkey autofill suggestions. * If they select a passkey and authenticate successfully, they follow the `Success` path. * If they enter their username and password (local authentication), they follow the `Outcome` path to the [Data Store Decision node](data-store-decision.html). This node validates their credentials and authenticates the user if they're valid. * If they click the Sign in with passkey button, they can select a saved passkey to authenticate with. If authentication is successful, they follow the `Success` path. ## Availability | Product | Available? | | ------------------------------------- | ---------- | | PingOne Advanced Identity Cloud | Yes | | PingAM (self-managed) | Yes | | Ping Identity Platform (self-managed) | Yes | ## Inputs The node reads the `username` and `password` from shared state. Implement a [Platform Username node](platform-username.html) and a [Platform Password node](platform-password.html) earlier in the journey. ## Dependencies The Social Identity Provider service must be configured with the details of at least one social identity provider. Find more information on this service in [Social Identity Provider Service](https://docs.pingidentity.com/pingoneaic/am-reference/services-configuration.html#realm-socialidentityproviders). ## Configuration | Property | Usage | | --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Include local authentication** | Whether local authentication is included as a method for authenticating.This option must be enabled when this node is used in a [Page node](page.html). | | **Offer only existing providers** | When enabled, the node limits the social identity provider choices to those already associated with the user object. Use this when a user is authenticating using a new social identity provider, and an account associated with that user already exists (also known as "account claiming"). | | **Password attribute** | The attribute in the user object that stores a user's password for use during local authentication. | | **Identity Attribute** | The attribute used to identify an existing user. The node uses this attribute to query the user in the backend datastore to obtain the list of existing providers. | | **Filter Enabled Providers** | By default, the node displays all identity providers marked as **Enabled** in the Social Identity Provider Service. Enter one or more providers here to restrict the user's choice of providers to this list. You can see the configured social identity providers in Realms > Realm name > Services > Social Identity Provider Service > Secondary Configurations.Providers you specify here must be enabled in the **Social Identity Provider** service.If this field is empty, the node displays all enabled providers. | ## Outputs The node writes the selected social identity provider to the shared state in the `SELECTED_IDP` key. ## Callbacks The node sends a [SelectIdPCallback](https://docs.pingidentity.com/pingoneaic/am-authentication/callbacks-interactive.html#SelectIdPCallback) to display the list of social identity providers to the end user. This callback is sent only if there's more than one provider configured, or if a single provider is configured and Local Authentication is enabled. ## Outcomes * `Social Authentication` The user chooses to authenticate using a social identity provider. * `Local Authentication` The user chooses to authenticate using local authentication, for example, by entering a username and password. This outcome is only available if Include local authentication is enabled. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The `Local Authentication` outcome isn't available when this node is placed in a v2.0 [Page node](page.html). Instead, the local authentication method uses the outcomes determined by the other nodes in the Page node as demonstrated in [example 3](#example-3). | ## Errors This node doesn't log any error or warning messages of its own.