As a user who has never signed up or logged in before, I should be able to use a set of credentials from a pre-approved external service like Github or NCSA Kerberos to log into the platform.

Preconditions

• User has selected "Sign in with ____" link from home page
• Workbench does not yet have any "account" in etcd for this user

Primary flow:

• On the SSO page, the user selects "Sign in with _______" (for some IDP that is supported by CILogon)
• User is redirected to an application-specific IDP approval page (i.e. "Authorize NDS Labs to access your ______ account")
• If user approves access, an NDS Labs account (aka "shadow record") is created in etcd in a pending/unapproved state. The new account then follows the normal approval workflow.
• After account is approved by admin, user receives notification and is able to login to the system with their Oauth IDP credentials

Alternate flows:

• User does not choose to approve/ grant access for Workbench to use application information

Supported CILogon login methods include:

• Shibboleth (i.e. universities)
• Google
• Github?