Moving to GOV.UK One Login if your service already proves users identities

We’ve created this design pattern to help your service migrate (or move) your users to GOV.UK One Login to prove their identity. This pattern assumes your service already proves users' identities using an existing identity service.

All of these migrations are initiated by the user when they sign in to your service. GOV.UK One Login does not currently migrate users in bulk uploads.

These design patterns are diagrams that set out the steps GOV.UK One Login, or your service should take. The design pattern you need to use depends on the specific circumstances for your users or service.

the following design patterns do not cover your circumstances
you need the patterns in a different format (they’re Mural files)
you need more help

Design pattern 1: when new users come to your service

Pattern to use when new users come to your service

Your service sends the user to GOV.UK One Login.
The user signs in or creates a GOV.UK One Login. This is the authentication stage.
When the user has signed in to GOV.UK One Login, we’ll send your service a unique identifier code so you can check if the user is new to your service, or is a returning user.
If they are a new user, they’ll have to prove their identity using GOV.UK One Login.

Design pattern 2: when existing users have already proved their identity with your service

Pattern to use when existing users have already proved their identity with your service

Your service sends the user to GOV.UK One Login.
The user signs in or creates a GOV.UK One Login. This is the authentication stage.
When the user has signed in to GOV.UK One Login, we’ll send your service a unique identifier code so you can check if the user is new to your service, or is a returning user.
If the user is signing in to GOV.UK One Login for the first time, and they match a record in your service, then you can connect (‘bind’) them to your service. This means the user will not need to prove their identity again with GOV.UK One Login. You’ll need to use the identity record they created with your legacy identity service provider.

Design pattern 3: when users return to your service

Pattern to use when users return to your service

When a user returns to your service, you’ll need to check their proof of identity using either:
- your legacy identity service
- GOV.UK One Login
You’ll need to decide when you want to retire your legacy identity service. When you do this your existing users will also need to sign in to GOV.UK One Login and use that to prove their identity. Once all your users are on GOV.UK One Login, you’ll be able to stop using your legacy identity service.

When to use this design pattern

Use this design pattern if all of the following circumstances apply:

your service’s existing users have already proved their identities
the existing identity service provider holds these users’ data, and you’d like to reuse the data so they do not need to prove their identity again with GOV.UK One Login
for new users, you’ll stop using your existing identity service provider and start using GOV.UK One Login to prove their identity

What to consider when using this design pattern

This pattern will mean:

existing users do not need to prove their identities again
you can decide when you start allowing existing users to move to GOV.UK One Login for identity proving
you’ll need to keep records about your existing users who’ve already proved their identity until they’ve all moved over to GOV.UK One Login, which will mean continuing to run your legacy identity proving solution for some time
you’ll need the ability to build new functionality, for example to check if a user proved their identity with GOV.UK One Login or your existing identity service

Cookies on GOV.UK One Login