Single Sign-On
Using single sign-on for the Merchant Center
Single sign-on (SSO) is a feature that allows organizations to use an Identity Provider to log users into the Merchant Center. After the user logs in for the first time using SSO, a new commercetools account is automatically created, which uniquely identifies the user.
This feature is marked as beta and may be affected by changes. Use with caution for production.
Prerequisites
For the setup to work, ensure that the following conditions are met:
- The Identity Provider must support OpenID Connect (OIDC), including the Discovery Endpoint.
- In your Identity Provider, set up a new application for the Merchant Center to get the required credentials such as Client ID, Authority URL, etc. For the redirect rule, use the full Merchant Center domain and add the subpath /login/sso/callback.
- You have Administrator access to the Organization in the Merchant Center.
Configure SSO in the Merchant Center
To configure SSO, do the following:
Click the profile icon and select Manage Organization & Teams.
Select the Organization for which you want to configure SSO.
In the Settings tab, click the Edit SSO configuration icon and enter the values for the following fields:
- Authority URL: the base URL given by the Identity Provider. It is used to construct the URL of the OpenID Connect discovery endpoint: {authorityUrl}/.well-known/openid-configuration
- Client ID: the client ID given by the Identity Provider.
- Team ID: the Team that new users are added to upon sign-in via SSO.
We recommend setting up a Team with limited permissions for new users. After the users log in to the Merchant Center, administrators can invite users to the appropriate Team and reassign them.
Toggle Single Sign-On (SSO).
Configure RP-Initiated logout
If your Identity Provider doesn’t support the end_session_endpoint for RP-Initiated Logout:
- You can provide an explicit logout URL. The user will be redirected to this URL after the logout process on the Merchant Center.
- You can provide query parameters that will be passed along with the logout URL. For example, if supported by your Identity Provider, it can include a redirectTo query parameter with a URL back to the Merchant Center. In this case, ensure that the redirectTo parameter points to the correct Region of the Merchant Center.
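The two configuration rules above (the discovery endpoint derived from the Authority URL, and the logout target chosen from end_session_endpoint or an explicit logout URL with query parameters) are illustrated by the following pre-flight script. It is an added example, not commercetools code: the discovery documents are constructed samples embedded inline so it runs offline, the hostnames are hypothetical apart from the us-central1 Merchant Center host taken from this page, and the validity checks (HTTPS authority, issuer equal to the Authority URL, response_type id_token advertised, jwks_uri present) are what an operator would verify before toggling SSO on.

```python
"""Pre-flight checks for an OpenID Connect Identity Provider before Merchant
Center SSO is enabled.

Added example, not commercetools code. It builds the discovery URL the page
describes ({authorityUrl}/.well-known/openid-configuration), validates a
discovery document, and resolves the logout target by the page's rule:
the IdP's end_session_endpoint when advertised, otherwise the explicit
logout URL with the configured query parameters (for example redirectTo).
The discovery documents below are constructed samples so the script runs
offline; a real deployment would fetch them over HTTPS.
"""
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: an IdP that does NOT advertise end_session_endpoint,
# i.e. the case where an explicit logout URL must be configured.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed sample: the same IdP, but with RP-Initiated Logout support.
SAMPLE_DISCOVERY_WITH_LOGOUT = json.dumps({
    **json.loads(SAMPLE_DISCOVERY),
    "end_session_endpoint": "https://idp.example.com/end_session",
})


def discovery_url(authority_url: str) -> str:
    """Discovery endpoint derived from the Authority URL, as on the page."""
    return authority_url.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(authority_url: str, document: str) -> List[str]:
    """Return a list of problems; an empty list means the IdP looks usable.

    Checks: HTTPS authority, issuer equal to the authority (required by OIDC
    Discovery, and what ties the synthetic user email to this IdP), the
    implicit flow the page says is used (response_type id_token) advertised,
    and a jwks_uri so ID token signatures can be verified.
    """
    problems: List[str] = []
    doc = json.loads(document)
    if urlsplit(authority_url).scheme != "https":
        problems.append("authority URL must use https")
    if doc.get("issuer", "").rstrip("/") != authority_url.rstrip("/"):
        problems.append("issuer does not match authority URL")
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise response_type id_token")
    if not doc.get("jwks_uri"):
        problems.append("no jwks_uri for ID token signature verification")
    return problems


def resolve_logout_url(document: str,
                       explicit_logout_url: Optional[str] = None,
                       extra_params: Optional[Dict[str, str]] = None,
                       expected_mc_host: Optional[str] = None) -> Optional[str]:
    """Logout target per the page's RP-Initiated Logout rule.

    Prefer the advertised end_session_endpoint. Otherwise append the
    configured query parameters to the explicit logout URL. If a redirectTo
    parameter is configured, require it to point at the expected Merchant
    Center host so users land in the correct Region after logout.
    """
    doc = json.loads(document)
    if doc.get("end_session_endpoint"):
        return doc["end_session_endpoint"]
    if not explicit_logout_url:
        return None
    params = dict(extra_params or {})
    if expected_mc_host and "redirectTo" in params:
        if urlsplit(params["redirectTo"]).hostname != expected_mc_host:
            raise ValueError("redirectTo does not point at the expected Merchant Center host")
    parts = urlsplit(explicit_logout_url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    authority = "https://idp.example.com"
    print(discovery_url(authority))
    print(validate_discovery(authority, SAMPLE_DISCOVERY) or "discovery OK")
    print(resolve_logout_url(SAMPLE_DISCOVERY_WITH_LOGOUT))
    print(resolve_logout_url(
        SAMPLE_DISCOVERY,
        explicit_logout_url="https://idp.example.com/logout",
        extra_params={"redirectTo": "https://mc.us-central1.gcp.commercetools.com/"},
        expected_mc_host="mc.us-central1.gcp.commercetools.com",
    ))
```

The host check on redirectTo is the programmatic form of the page's caveat: a logout URL that sends users to a Merchant Center host in the wrong Region would fail silently at configuration time and only surface as a broken logout for every user.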
Log in to the Merchant Center via SSO
After the SSO settings are activated, users can log into the Merchant Center using their commercetools Organization's name on the dedicated SSO login page.
Upon login, users will be redirected to the login page of the configured Identity Provider. After being authenticated by the Identity Provider, a commercetools session is started, which redirects users and grants them access to the Merchant Center.
As the commercetools and Identity Provider sessions are independent, signing out from the Identity Provider session does not invalidate the commercetools session.
Log in to the Merchant Center via SSO with a pre-filled organization name
You can log in to the Merchant Center via SSO with a pre-filled organization name and avoid entering the Organization name every time you log in. The benefits are as follows:
- Quicker SSO login
- Sharable Merchant Center SSO login URL with the organization name
- Prevent Merchant Center users from entering the wrong organization name
To log in to the Merchant Center via SSO with a pre-filled organization name, use a URL in the following format:
URL Format: https://mc.{region}.commercetools.com/login/sso/{your-organization-name}
Example: https://mc.us-central1.gcp.commercetools.com/login/sso/your-organization-name
Frequently Asked Questions about the Merchant Center SSO
Can I manage Merchant Center SSO users in the Teams of an Organization?
Yes, it's possible. However, ensure that Merchant Center SSO users remain in at least one Team, else they won't be able to join the Organization anymore. If a user is removed from all Teams, contact the Support team as you will not be able to create a new Merchant Center SSO user.
What flow is supported by the Merchant Center SSO?
Merchant Center SSO only supports the implicit flow with response_type: id_token.
What does Active Directory Federation Service support?
Active Directory Federation Service only supports adding custom scopes using response_mode=form_post.
If given_name, family_name, or name are not available in the idToken, then Merchant Center SSO uses the idToken.sub to populate first name and last name as a fallback when creating the user in the commercetools Platform.
After the user is created, they can update the first and last name in the user profile page in Merchant Center.
What is the format of the Merchant Center SSO user's email?
Each Merchant Center SSO user gets a unique email value based on the following format:
<base64(issuer + subject)>@<organizationId>.sso
Where are the Merchant Center SSO user's first name and last name coming from?
When a Merchant Center SSO user is created upon first login, the firstName and lastName fields are determined from the ID token claims, checked in the following order:
- first name: idToken.given_name, idToken.name, or idToken.sub
- last name: idToken.family_name, idToken.name, or idToken.sub
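The two derivation rules in this FAQ (the synthetic email format and the first/last name fallback chain) are written out below as a small Python module. This is an added example, not commercetools code; the ID token claim sets are constructed samples, and two details the page does not specify are assumptions: the base64 variant (standard alphabet, with padding) and plain concatenation of issuer and subject. The parse_sso_email helper is likewise hypothetical, included so an administrator auditing accounts can see what the synthetic address does and does not reveal.

```python
"""How a Merchant Center SSO user record is derived from an ID token.

Added example, not commercetools code. It implements the two rules the page
states: the name fallback chain (given_name / family_name, then name, then
sub) and the synthetic email <base64(issuer + subject)>@<organizationId>.sso.
Assumptions not spelled out on the page: standard base64 alphabet with
padding, and plain string concatenation of issuer and subject. The claims
below are constructed samples.
"""
import base64
from typing import Dict, Tuple

# Constructed ID token claim sets covering the three fallback levels.
CLAIMS_FULL = {"iss": "https://idp.example.com", "sub": "user-123",
               "given_name": "Ada", "family_name": "Lovelace", "name": "Ada Lovelace"}
CLAIMS_NAME_ONLY = {"iss": "https://idp.example.com", "sub": "user-123",
                    "name": "Ada Lovelace"}
CLAIMS_SUB_ONLY = {"iss": "https://idp.example.com", "sub": "user-123"}


def derive_names(claims: Dict[str, str]) -> Tuple[str, str]:
    """First/last name with the page's precedence; sub is the last resort."""
    first = claims.get("given_name") or claims.get("name") or claims["sub"]
    last = claims.get("family_name") or claims.get("name") or claims["sub"]
    return first, last


def derive_email(issuer: str, subject: str, organization_id: str) -> str:
    """<base64(issuer + subject)>@<organizationId>.sso (encoding assumed)."""
    local_part = base64.b64encode((issuer + subject).encode("utf-8")).decode("ascii")
    return f"{local_part}@{organization_id}.sso"


def parse_sso_email(email: str) -> Tuple[str, str]:
    """Inverse of derive_email: recover (issuer + subject, organizationId).

    Hypothetical audit helper: shows which Identity Provider an SSO account
    came from. Issuer and subject cannot be split apart again without
    knowing the issuer, since they were concatenated without a separator.
    """
    local_part, domain = email.rsplit("@", 1)
    if not domain.endswith(".sso"):
        raise ValueError("not a Merchant Center SSO email")
    return base64.b64decode(local_part).decode("utf-8"), domain[: -len(".sso")]


def build_sso_user(claims: Dict[str, str], organization_id: str) -> Dict[str, str]:
    """Assemble the user record created on first SSO login."""
    first, last = derive_names(claims)
    return {
        "firstName": first,
        "lastName": last,
        "email": derive_email(claims["iss"], claims["sub"], organization_id),
    }


if __name__ == "__main__":
    for claims in (CLAIMS_FULL, CLAIMS_NAME_ONLY, CLAIMS_SUB_ONLY):
        print(build_sso_user(claims, "org-abc"))
    # The same IdP identity maps to a different email in a different
    # Organization, which is why one SSO user belongs to exactly one Organization.
    print(derive_email("https://idp.example.com", "user-123", "org-xyz"))
```

Because the organization ID is part of the address, the same Identity Provider identity produces a different commercetools account per Organization, which matches the FAQ answer that a Merchant Center SSO user can log into only one Organization.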
Is it possible to log in with the same Merchant Center SSO user into multiple Organizations in the same Region?
No, it's not possible. Each Merchant Center user can only log into one Organization.
Is it possible to apply the roles from the Identity Provider into the commercetools Teams?
No, it's not possible.
Is it possible to configure the Merchant Center session timeout?
No, it's not possible.
What Identity Providers are most commonly used with the Merchant Center?
The following are the most commonly used Identity Providers that integrate with the Merchant Center: