Learn about Identity Enterprise SSO to authenticate using your company's IAM provider.
Identity Enterprise SSO lets companies delegate user authentication to an Identity and Access Management (IAM) provider of their choice (for example, Okta or Microsoft Entra ID). Users exist as accounts in Identity, but they sign in through the company's IAM provider instead of using a password in Identity.
Enterprise SSO relies on verified email domains. Your company defines one or more domains used by employees. When Identity detects that a user's email domain matches a configured Enterprise SSO domain, it automatically redirects the sign-in flow to your IAM provider. Password-based sign-in to Identity is not possible for those users.
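The domain check described above is the gate that decides whether a user ever sees a password prompt, so it is worth being precise about what "matches" means. The following is an added example, not Identity's own code: it shows the routing decision with the matching rules a practitioner should insist on (exact match after normalisation, no substring or suffix matching, no subdomains unless they are configured). The `SSO_DOMAINS` set and the function names are constructed for illustration; this page does not state whether Identity treats subdomains as matching.

```python
"""Added example (not commercetools code): route a sign-in to the IAM
provider when the email domain is a configured Enterprise SSO domain."""
from typing import Optional
import unicodedata

# Constructed configuration: domains the company has verified for Enterprise SSO.
SSO_DOMAINS = {"example.com", "example.co.uk"}


def email_domain(email: str) -> Optional[str]:
    """Return the normalised domain of an address, or None if it is unusable."""
    email = email.strip()
    # Exactly one '@' with non-empty parts; quoted local parts are out of scope here.
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    # Lower-case and NFKC-normalise so case and Unicode variants cannot dodge the
    # check, then refuse anything that is not plain ASCII (homoglyph domains).
    domain = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    labels = domain.split(".")
    if not domain.isascii() or len(labels) < 2 or not all(labels):
        return None
    return domain


def requires_sso(email: str) -> bool:
    """True when the address must authenticate via the IAM provider.

    Exact set membership only: 'sub.example.com' and
    'example.com.attacker.net' are not 'example.com'."""
    domain = email_domain(email)
    return domain is not None and domain in SSO_DOMAINS


def route_sign_in(email: str) -> str:
    """Return which flow to present: 'sso' (redirect to the IdP) or 'password'."""
    return "sso" if requires_sso(email) else "password"
```

The negative cases matter as much as the positive one: a suffix match would let an attacker-controlled `example.com.attacker.net` mailbox appear to belong to the company, and a substring match would pull `notexample.com` into the SSO path.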
Authentication and access
Enterprise SSO covers only authentication (verifying identity). It does not manage what a user can access.
Key distinctions:
- Authentication: Who the user is (handled by your IAM).
- Access management (authorization): What the user can do (handled by the specific business tools, for example, via team permissions in the Merchant Center).
Restricting or removing a user in your IAM provider stops them from signing in again, but it does not automatically adjust their Merchant Center permissions: their team memberships remain until you remove them. You must manage user access inside the Merchant Center via permissions.
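Because the IdP governs only sign-in, offboarding needs a second step on the authorization side. The following is an added example, not commercetools code: a reconciliation check that lists Merchant Center team memberships held by users of an SSO domain who are no longer active (or were never present) in the IAM provider. The data classes, sample users and team memberships are constructed for illustration; in practice you would pull them from your IdP's directory API and from the Merchant Center.

```python
"""Added example (not commercetools code): find team memberships that outlive
the user's IdP account, since Enterprise SSO authenticates but does not
deprovision."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class IdpUser:
    email: str
    active: bool


@dataclass(frozen=True)
class TeamMember:
    organization: str
    team: str
    email: str


# Constructed sample data for the example.
IDP_USERS = [
    IdpUser("alice@example.com", active=True),
    IdpUser("bob@example.com", active=False),  # disabled in the IdP after leaving
]
TEAM_MEMBERS = [
    TeamMember("Org A", "Administrators", "alice@example.com"),
    TeamMember("Org A", "Administrators", "bob@example.com"),
    TeamMember("Org B", "Catalog editors", "bob@example.com"),
    TeamMember("Org B", "Catalog editors", "carol@example.com"),  # never in the IdP
    TeamMember("Org B", "Support", "dave@partner.example"),  # non-SSO domain
]
SSO_DOMAINS = {"example.com"}


def stale_memberships(idp_users: Iterable[IdpUser],
                      team_members: Iterable[TeamMember],
                      sso_domains: set) -> List[Tuple[TeamMember, str]]:
    """Return (membership, reason) pairs for SSO-domain users the IdP no longer
    vouches for. Users outside the SSO domains are skipped: they sign in with a
    password and the IdP is not authoritative for them."""
    by_email = {u.email.lower(): u for u in idp_users}
    findings = []
    for member in team_members:
        email = member.email.lower()
        domain = email.rpartition("@")[2]
        if domain not in sso_domains:
            continue
        user = by_email.get(email)
        if user is None:
            findings.append((member, "not found in IdP"))
        elif not user.active:
            findings.append((member, "disabled in IdP"))
    return findings


if __name__ == "__main__":
    for member, reason in stale_memberships(IDP_USERS, TEAM_MEMBERS, SSO_DOMAINS):
        print(f"{member.organization} / {member.team}: {member.email} ({reason})")
```

Run on a schedule, the output is the list an administrator needs to act on in the Merchant Center; without it, a disabled user's permissions are simply invisible until someone looks.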
The legacy Merchant Center SSO integration has limitations. For instance, a Merchant Center user signed in via SSO can access only one Merchant Center Organization.
With Identity, those limitations are removed because the SSO integration now sits outside the Merchant Center. All users are treated the same no matter how they sign in (email/password or SSO), and access is controlled only by permissions and team assignments, so a single user can be granted access to multiple Merchant Center Organizations.
Differences with legacy Merchant Center SSO
If you had been using SSO in the Merchant Center prior to Identity, you might be aware of some of the limitations and constraints around the SSO integration and functionality.
For instance:
- SSO integrations rely on the OIDC implicit flow.
- SSO integrations are bound to a Merchant Center Organization.
- Having multiple Merchant Center Organizations requires users to manage multiple SSO-bound accounts, one for each Organization.
- An SSO-bound account can only be used to access one single Merchant Center Organization.
- SSO-bound accounts have a unique email identifier in the format `<base64(issuer + subject)>@<organizationId>.sso`.
- It is not possible to invite users by their real email address.
- A default team is required to assign new users to upon first login.
With Identity, these limitations and constraints don't exist because the SSO integration does not have any dependencies on the Merchant Center. SSO becomes an authentication method only and doesn't affect how users access their Merchant Center Organizations.
| Item | SSO in Merchant Center | SSO in Identity |
|---|---|---|
| SSO flow | OIDC (implicit flow) | OIDC (authorization code flow with PKCE) |
| User matching criteria | Per Merchant Center Organization | Per email domain |
| Uses real email address | No | Yes |
| Can be invited to teams via email address | No | Yes |
| Requires a default team | Yes | No; new users have no access by default and must be invited to Organizations |
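The move from the implicit flow to the authorization code flow with PKCE is the security-relevant row in the table above: tokens no longer travel in the browser URL, and an intercepted authorization code is useless without the verifier that only the client holds. The following is an added example, not code from Identity or from any IdP: it shows both sides of PKCE (RFC 7636, S256 method) in miniature. `AuthorizationServer` is a stand-in for the IdP written for this example, and the issuer, client ID and redirect URI are constructed values.

```python
"""Added example (not commercetools code): authorization code flow with PKCE,
client side and a minimal stand-in authorization server."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """32 random bytes -> 43 base64url characters, inside the 43..128 range."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str):
    """Client side. Returns (url, pending); 'pending' is what the client must
    keep in its own session: the verifier (never sent in this request), plus
    state and nonce to bind the response and the ID token to this session."""
    verifier = new_verifier()
    pending = {
        "verifier": verifier,
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": pending["state"],
        "nonce": pending["nonce"],
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return f"{issuer}/authorize?{urlencode(params)}", pending


class AuthorizationServer:
    """Stand-in for the IdP: remembers which challenge each code was issued against."""

    def __init__(self) -> None:
        self._codes = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        # RFC 7636 permits 'plain', but a server should refuse it.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: str) -> bool:
        """Token endpoint: the code is single-use, and the presented verifier
        must hash to the stored challenge. A failed attempt burns the code."""
        challenge = self._codes.pop(code, None)
        if challenge is None:
            return False
        return secrets.compare_digest(challenge_for(code_verifier), challenge)
```

Note what is absent from the authorize URL: no token and no client secret. The only thing exposed to the browser is the code and the challenge, and the challenge cannot be inverted to the verifier.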
Transitioning to Identity
When Identity is enabled for the Merchant Center on 6 October, users are required to sign in via Identity when trying to access the Merchant Center. If they don't have an account yet, they need to create one (it takes only a couple of minutes).
The first time users access the Merchant Center with an Identity account, an automatic migration is executed on demand. Upon successful migration, users are assigned a "normal" Merchant Center user account that is linked to their Identity account. This Merchant Center user has the same level of access as legacy Merchant Center SSO-bound users.
The migration relies on the legacy identifier `<base64(issuer + subject)>` to match the SSO-bound account. Therefore, it is crucial that your IAM provider doesn't change between the Merchant Center and Identity. The client applications for the SSO integrations can change; that's not a problem. However, the following values must not change:
- Issuer URL
- Subject ID
This process happens during the first time users access the Merchant Center after signing in via Identity. Once completed, the Merchant Center finishes loading and users can continue using the Merchant Center as before.
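The issuer and subject constraint above is easy to break by accident (a trailing slash on the issuer URL, or a new IdP that reuses the same email addresses but mints different subject IDs), and when it breaks the on-demand migration has nothing to match. The following is an added example, not commercetools code, covering both the legacy identifier format given under Differences with legacy Merchant Center SSO and the matching rule described here. This page does not state the exact encoding the Merchant Center used (separator, padding, base64 alphabet); the example assumes plain concatenation and standard base64 with padding, so treat it as an illustration of the dependency, not as a way to reproduce real identifiers. The issuer URL, subject and Organization IDs are constructed values.

```python
"""Added example (not commercetools code): derive the legacy SSO-bound account
identifier from ID token claims and show why issuer and subject must not change."""
import base64
from typing import Dict, List


def _encode(issuer: str, subject: str) -> str:
    # Assumption for this example: plain concatenation, standard base64, padded.
    return base64.b64encode((issuer + subject).encode("utf-8")).decode("ascii")


def legacy_sso_email(issuer: str, subject: str, organization_id: str) -> str:
    """<base64(issuer + subject)>@<organizationId>.sso under the assumptions above."""
    return f"{_encode(issuer, subject)}@{organization_id}.sso"


def legacy_accounts_for(issuer: str, subject: str, organization_ids: List[str]) -> List[str]:
    """One SSO-bound account per Organization, as the legacy model required.
    The local part is identical across them; only the Organization suffix differs."""
    return [legacy_sso_email(issuer, subject, org) for org in organization_ids]


def migration_matches(legacy_email: str, id_token_claims: Dict[str, str]) -> bool:
    """Simulates the on-demand migration match: the iss and sub seen when the user
    signs in via Identity must encode to the legacy account's local part. The
    Organization suffix plays no role, which is why one Identity account can
    replace several legacy accounts."""
    local_part = legacy_email.rpartition("@")[0]
    return local_part == _encode(id_token_claims["iss"], id_token_claims["sub"])
```

The byte-for-byte comparison is the point: `https://idp.example.com` and `https://idp.example.com/` are different issuers as far as the match is concerned, so verify the `issuer` value your IdP publishes before the cut-over rather than after.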
Some things to note:
- The Merchant Center user profile shows the normal email address as well as the correct first and last name.
- For administrators, users listed in teams are visible as "normal" users.
Get started
FAQs
If you have questions that aren't answered here, contact your Customer Success Manager (CSM) or commercetools support.
How do we avoid issues with our current Merchant Center SSO configuration while migrating to Identity?
To avoid disruptions in accessing the Merchant Center, we recommend creating a separate client application in your identity provider. This ensures that your current implementation is not impacted. Users can continue to sign in with the legacy SSO until the official launch of Identity Enterprise SSO.
Refer to the guides listed under Other resources (the Initial setup guide and the Auth0, Okta and Microsoft Entra ID integration guides) to help set up SSO in Identity.
How do we migrate multiple Merchant Center Organizations that currently use SSO?
The new Enterprise SSO integration in Identity works differently from the one in the Merchant Center. The Enterprise SSO configuration operates at the company level using email domains and is not bound to any specific Merchant Center Organizations.
After your designated IT administrator completes the one-time Enterprise SSO setup, SSO will be enabled for all users with the configured email domains, regardless of how many Merchant Center Organizations you have.
Can SSO support more than one domain?
Yes.
Can we limit SSO access to only certain members of a domain?
No.
Can we add any domain to the SSO configuration?
No. Only add a domain your company owns and actively uses for commercetools access. In other words, only use email domains that users in your company can use to authenticate via your company's IAM provider.
Can we change domains after we set up SSO?
Yes. For security reasons, domain changes are handled manually; contact your Customer Success Manager or commercetools support to request one.
Can an SSO user be invited to any Merchant Center Organization?
Yes. The method of authentication (SSO or password login) is independent of the permissions and access the user has within our tools.
If SSO is turned on, can users create an account with a password?
No. If a user creates an account with an email domain that is registered under the SSO configuration, they must authenticate with SSO. They will not be given the option of specifying a password.
If SSO is newly enabled, what happens to existing users who previously used passwords to sign in?
If a user's email domain is registered under the SSO configuration, they must authenticate with SSO. The first time they sign in with SSO, they must confirm and complete the account setup by entering their existing Identity password. Follow the instructions on screen when presented. After that, they only need to authenticate with SSO credentials.
Can anyone with an email that uses an SSO-registered domain create an account?
Yes, anyone with an email address that uses a domain registered under the SSO configuration can create an Identity account. However, the Identity account only provides authentication. Permissions and access to the individual tools must still be explicitly granted to each user.
For example, if users sign up with Identity and would like to work inside the Merchant Center, they must be manually invited to your Merchant Center Organization to access your project.
Is SAML supported?
No, not at this time. Please raise a feature request if you are interested in this feature.
Is SCIM supported?
No, not at this time. Please raise a feature request if you are interested in this feature.
Manage Identity SSO configuration
To manage an existing Identity SSO configuration, you must have one of the following roles:
- Owner: can update the SSO configuration and assign or unassign manager role to other identity users.
- Manager: can only update the SSO configuration.
Update configuration
- From the Identity homepage, click SSO Settings in the left menu.
If you don't see the SSO Settings option, please contact commercetools support to verify if your Identity account has the required roles.
- Click the Configuration tab.
- Update the Issuer URL, Client ID, and Client secret, as needed.
- Click Save.
Add or remove a manager
Only users with the owner role can perform this action.
- From the Identity homepage, click SSO Settings in the left menu.
If you don't see the SSO Settings option, please contact commercetools support to verify if your Identity account has the required roles.
- Click the Permission tab.
- Do one of the following:
- To add a manager: type the email address of the user, then select Add member.
- To remove a manager, click the X icon next to the user account to delete, then confirm.
Other resources
| Title | Description |
|---|---|
| Identity overview | General information about Identity, including user account topics. |
| Initial setup guide | Initial setup for Identity Enterprise SSO. |
| Auth0 integration | How to register an Auth0 client application. |
| Okta integration | How to register an Okta client application. |
| Microsoft Entra ID integration | How to register a Microsoft Entra ID client application. |