Identity FAQ

This page compiles a list of frequently asked questions about the upcoming Identity feature. If you have questions that aren't answered here, please contact your Customer Success Manager (CSM).

General

What is Identity?

Identity is an authentication service that provides access to commercetools business tools and other offerings using a single account. The goal of Identity is to make authentication easier and more secure.

For more information, see the Identity overview page.

When does Identity launch?

For Studio users: 26 August, 2025. We'll communicate the official launch via the Studio release notes page.

For Merchant Center users: September 2025.

To ensure a smooth transition, we're encouraging users to create an Identity account before support officially becomes available for the Merchant Center.

We'll communicate the launch date and additional information as it becomes available via our Customer Success Managers (CSMs) and the Merchant Center release notes page.

How does this affect users?

All users will need to create an Identity account.

For companies using SSO

If you're currently using SSO in the Merchant Center for one or more Organizations, an IT administrator from your company must complete a one-time SSO setup before users can create their individual accounts.

For more information, see How do I setup SSO for my company?.

For companies using password authentication

If your company is not using SSO in the Merchant Center and does not plan to use it with Identity, each user can create an Identity account now and set a new password during account creation.

The user can then access Merchant Center and Studio tools with their new Identity account.

Which tools and services are currently supported by Identity?

See Tools and services.

What information must be provided when creating an Identity account?

Each user will be asked to provide their email address, first name, last name, and role. The selected role does not affect access or permissions within our business tools.

What will users see when accessing Merchant Center or Studio after Identity launches?

Identity will go live for the Studio first. When that happens, users will be logged out and redirected to the Identity login page. If they haven't yet created an Identity account, then they'll need to do so before continuing. After completing the signup flow, users will be brought back to the Studio.

Later, when Merchant Center support is added, the process will be the same. If they haven't yet created an Identity account, then they'll need to do so before continuing. After completing the signup flow, users will be redirected back to the Merchant Center.

Users can continue to use their existing bookmarks to access these tools.

Access & permissions

Does access to the Merchant Center or Studio change?

No.

For Merchant Center, you can continue to use the same region-specific links. For Studio, you can continue to use the same customer-specific links.

When accessing these links without being signed in, you will be redirected to Identity to authenticate yourself and then you will be brought back to the application.

Does permissions management change with Identity?

Identity is an authentication service that gives access to commercetools business tools and services. It does not manage the permissions within them. Permissions continue to be managed directly within the business tools.

Are API Clients affected?

No, API clients are not affected.

SSO

How do I set up SSO for my company?

If your company currently uses SSO within the Merchant Center (or wants to use SSO in Identity), a one-time SSO setup is required.

A designated IT administrator from your company must:

Create an Identity account for themselves first.
Follow the steps listed in the Initial setup and configuration for Identity SSO guide, in coordination with your commercetools Customer Success Manager (CSM).

After SSO is enabled for your email domain(s), each of your users must then create an Identity account. They will be required to use the SSO option to authenticate.

Users will then be able to access the Merchant Center and Studio tools with their new Identity account.

Should we expect issues with the current Merchant Center SSO during this transition?

To avoid issues with the current Merchant Center SSO, we recommend that you create a separate client application in your identity provider. This ensures that your current implementation will not be impacted. Users will continue to be able to sign in with the legacy SSO until the official launch of Identity.

Should we reuse the client ID and secret from our previous SSO configuration?

No. We recommend that you create a new client ID and secret for use in Identity.

How do we migrate multiple Merchant Center Organizations that currently use SSO?

After your designated IT administrator completes the one-time SSO setup, SSO will be enabled for all users using the configured email domain(s), regardless of how many Merchant Center Organizations you have.

Users can continue to sign in with the legacy Merchant Center SSO integration until Identity launches. At launch, users who have not yet created an Identity account will be required to create one before they can sign in.

Can SSO support more than one domain?

Yes.

Can we limit SSO access to only certain members of a domain?

No.

Can we add any domain to the SSO configuration?

No. We recommend only adding domains of users that use commercetools products, and not every single domain that your company owns.

In addition, any domain that you do configure within the SSO configuration should be owned by your company.

Can we add additional domains after we set up SSO?

Yes. However, for security reasons we handle this process manually.

To add additional domains, please contact support.

Can an SSO user be invited to any Merchant Center Organization?

Yes. The method of authorization (SSO or password login) is independent of the permissions and access the user has within our tools.

If SSO is turned on, can users create an account with a password?

No. If a user creates an account with an email domain that is registered under the SSO configuration, they must authenticate with SSO. They will not be given the option of specifying a password.

If a user's email domain is registered under the SSO configuration, they must authenticate with SSO. The first time they sign in with SSO, they must confirm and complete their account setup by entering their password. After that, they only need to authenticate with SSO credentials.

Can anyone with an email that uses an SSO-registered domain create an account?

Yes, anyone with an email address that uses a domain registered under the SSO configuration can create an Identity account. However, the Identity account only provides authentication. Permissions and access to the individual tools must still be explicitly granted to each user.

For example, if a user signs up with Identity and would like to work inside the Merchant Center, you must manually invite them into your Merchant Center Organization for them to have access to your project.

What is the purpose of the permissions tab under the SSO settings within Identity?

In the permissions tab, you can add or remove SSO managers.

For more information, see How do we add another SSO manager?.

We're planning to enable SSO in the next few months. Should we wait for Identity to launch?

We recommend that you set up SSO through Identity now instead of setting it up in the Merchant Center (legacy). This ensures that the SSO configuration is in place by the time Identity launches.

How do we add another SSO manager?

After the one-time SSO setup, the IT administrator from your company can assign additional SSO managers within Identity.

From the Identity homepage, click SSO Settings in the left menu.
If you don't see the SSO Settings option, please contact your designated Customer Success Manager (CSM) to verify your SSO configuration.
Click the Permissions tab.
Search for users and add them as SSO managers.
Click Save.

Is SAML supported?

No, not at this time.

Identity FAQ

General.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

What is Identity?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

When does Identity launch?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

How does this affect users?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

For companies using SSO.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

For companies using password authentication.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Access & permissions.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Does permissions management change with Identity?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Are API Clients affected?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

SSO.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

How do I set up SSO for my company?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Can SSO support more than one domain?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Can we add any domain to the SSO configuration?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Can we add additional domains after we set up SSO?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

How do we add another SSO manager?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}

Is SAML supported?.css-c0cbbx{display:inline-block;}.css-c0cbbx >:disabled{pointer-events:none;}.css-ik49mw{-webkit-flex-shrink:0;-ms-flex-negative:0;flex-shrink:0;}.css-ik49mw *:not([fill='none']){fill:inherit;}.css-ik49mw,.css-ik49mw image{width:24px;height:24px;}