BETA

Single Sign-On

Using single sign-on for the Merchant Center

Single sign-on (SSO) is a feature that allows organizations to use an Identity Provider to log users into the Merchant Center. After the user logs in for the first time using SSO, a new Composable Commerce account is automatically created, which uniquely identifies the user.

This feature is marked as beta and may be affected by changes. Use with caution for production.

Prerequisites

For the setup to work, ensure that the following conditions are met:

  • The Identity Provider must support OpenID Connect (OIDC), including the Discovery Endpoint.

  • In your Identity Provider, set up a new application for the Merchant Center to get the required credentials such as Client ID, Authority URL, etc. For the redirect rule, use the full Merchant Center domain and add the subpath /login/sso/callback.

  • You have Administrator access to the Organization in the Merchant Center.

Configure SSO in the Merchant Center

To configure SSO, do the following:

  1. Click the profile icon and select Manage Organization & Teams.

  2. Select the Organization for which you want to configure SSO.

  3. In the Settings tab, click the Edit SSO configuration icon and enter the values for the following fields:

    • Authority URL: the base URL given by the Identity Provider used to construct a new URL that points to the OpenID Connect discovery endpoint {authorityUrl}/.well-known/openid-configuration.

    • Client ID: the client ID given by the Identity Provider.

    • Team ID: the Team that new users would be added to upon sign-in via SSO.

      We recommend setting up a Team with limited permissions for new users. After the users log in to the Merchant Center, administrators can invite users to the appropriate Team and reassign them.

  4. Toggle Single Sign-On (SSO).

configure-sso

Configure SSO session timeout

An SSO session is valid for 30 days by default, but you can configure it to a shorter duration. In SSO settings, click Edit SSO configuration and select Use a custom expiration time to set the new token expiration time. You can set the duration between 1 to 29 days or 1 to 24 hours. The updated session duration applies only to users of the Organization for which you update these settings.

custom-sso-session-timeout

Configure RP-Initiated logout

If your Identity Provider doesn’t support the end_session_endpoint for RP-Initiated Logout:

  • You can provide an explicit logout URL. The user will be redirected to this URL after the logout process on the Merchant Center.

logout-URL

  • You can provide query parameters that will be passed along with the logout URL. For example, if supported by your Identity Provider, it can include a redirectTo query parameter with a URL back to the Merchant Center. In this case, ensure that the redirectTo parameter points to the correct Region of the Merchant Center.

logout-URL-query-parameters

Log in to the Merchant Center via SSO

After the SSO settings are activated, users can log into the Merchant Center using their commercetools Composable Commerce Organization name on the dedicated SSO login page.

sso-login

Upon login, users will be redirected to the login page of the configured Identity Provider. After being authenticated by the Identity Provider, a commercetools session is started, which redirects users and grants them access to the Merchant Center.

As the commercetools and Identity Provider sessions are independent, signing out from the Identity Provider session does not invalidate the commercetools session.

Log in to the Merchant Center via SSO with a pre-filled organization name

You can log in to the Merchant Center via SSO with a pre-filled organization name and avoid entering the Organization name every time you log in. The benefits are as follows:

  • Quicker SSO login
  • Sharable Merchant Center SSO login URL with the organization name
  • Prevent Merchant Center users from entering the wrong organization name

To use the SSO Merchant Center with a pre-filled organization name, enter a URL in the following format:

URL Format: https://mc.{region}.commercetools.com/login/sso/{your-organization-name} Example: https://mc.us-central1.gcp.commercetools.com/login/sso/your-organization-name

sso-login-with-org-name

Frequently Asked Questions about the Merchant Center SSO

Can I manage Merchant Center SSO users in the Teams of an Organization?

Yes, it's possible. However, ensure that Merchant Center SSO users remain in at least one Team, else they won't be able to join the Organization anymore. If a user is removed from all Teams, contact the Support team as you will not be able to create a new Merchant Center SSO user.

What flow is supported by the Merchant Center SSO?

Merchant Center SSO only supports the implicit flow with response_type: id_token.

What does Active Directory Federation Service support?

Active Directory Federation Service only supports adding custom scopes using response_mode=form_post. If given_name, family_name, or name are not available in the idToken, then Merchant Center SSO uses the idToken.sub to populate first name and last name as a fallback when creating the user in commercetools Composable Commerce. After the user is created, they can update the first and last name in the user profile page in Merchant Center.

What is the format of the Merchant Center SSO user's email?

Each Merchant Center SSO user gets a unique email value based on the following format: <base64(issuer + subject)>@<organizationId>.sso

Where are the Merchant Center SSO user's first name and last name coming from?

When a Merchant Center SSO user is created upon first login, the firstName and lastName fields are determined based on the following logic:

first name: idToken.given_name, idToken.name, or idToken.sub

last name: idToken.family_name, idToken.name, or idToken.sub

Is it possible to log in with the same Merchant Center SSO user into multiple Organizations in the same Region?

No, it's not possible. Each Merchant Center user can only log into one Organization.

Is it possible to apply the roles from the Identity Provider into the commercetools Teams?

No, it's not possible.

Is it possible to configure the Merchant Center session timeout?

Yes, you can configure the Merchant Center SSO session timeout to a duration between 1 to 24 hours or 1 to 29 days.

What Identity Providers are most commonly used with the Merchant Center?

The following are the most commonly used Identity Providers that integrate with the Merchant Center: