Using single sign-on for the Merchant Center
Single sign-on (SSO) is a feature that allows organizations to use an Identity Provider to log users into the Merchant Center. After the user logs in for the first time using SSO, a new Composable Commerce account is automatically created, which uniquely identifies the user.
This feature is marked as beta and may be affected by changes. Use with caution for production.
For the setup to work, ensure that the following conditions are met:
The Identity Provider must support OpenID Connect (OIDC), including the Discovery Endpoint.
In your Identity Provider, set up a new application for the Merchant Center to obtain the required credentials, such as the Client ID and the Authority URL. For the redirect rule, use the full Merchant Center domain and add the subpath
You have Administrator access to the Organization in the Merchant Center.
Configure SSO in the Merchant Center
To configure SSO, do the following:
Click the profile icon and select Manage Organization & Teams.
Select the Organization for which you want to configure SSO.
In the Settings tab, click the Edit SSO configuration icon and enter the values for the following fields:
Authority URL: the base URL given by the Identity Provider; it is used to construct the URL of the OpenID Connect discovery endpoint.
Client ID: the client ID given by the Identity Provider.
Team ID: the Team to which new users are added when they sign in via SSO for the first time.
We recommend setting up a Team with limited permissions for new users. After the users log in to the Merchant Center, administrators can invite users to the appropriate Team and reassign them.
Toggle Single Sign-On (SSO).
Configure SSO session timeout
An SSO session is valid for 30 days by default, but you can configure a shorter duration. In the SSO settings, click Edit SSO configuration and select Use a custom expiration time to set the new token expiration time. You can set the duration to between 1 and 29 days or between 1 and 24 hours. The updated session duration applies only to users of the Organization for which you update these settings.
Configure RP-Initiated logout
If your Identity Provider doesn’t support the end_session_endpoint for RP-Initiated Logout:
- You can provide an explicit logout URL. The user will be redirected to this URL after the logout process on the Merchant Center.
- You can provide query parameters that will be passed along with the logout URL. For example, if supported by your Identity Provider, it can include a redirectTo query parameter with a URL back to the Merchant Center. In this case, ensure that the redirectTo parameter points to the correct Region of the Merchant Center.
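As an added example (not commercetools' code), a small Python preflight an administrator could run before enabling SSO: it builds the discovery URL from the Authority URL, checks a discovery document (a constructed sample here) for end_session_endpoint, falls back to the explicit logout URL with the configured query parameters when the endpoint is absent, and rejects a redirectTo that does not point at the Merchant Center host of the intended Region. The per-Region Merchant Center host names and the /login/sso path are placeholders, not real commercetools values.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample of what GET <Authority URL>/.well-known/openid-configuration
# returns. This one has no end_session_endpoint, i.e. no RP-Initiated Logout.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token", "id_token token"],
}

# Placeholder Merchant Center host per Region (assumed, not commercetools' real hosts).
MC_HOST_BY_REGION = {
    "europe-west1": "mc.europe-west1.example",
    "us-central1": "mc.us-central1.example",
}


def discovery_url(authority_url: str) -> str:
    """Authority URL plus the standard OpenID Connect Discovery path."""
    return authority_url.rstrip("/") + "/.well-known/openid-configuration"


def plan_logout(discovery: dict, region: str, explicit_logout_url=None, params=None) -> str:
    """Return the URL the browser is sent to after logging out of the Merchant Center.

    Uses the IdP's end_session_endpoint when the discovery document has one;
    otherwise requires the explicit logout URL and appends the configured query
    parameters. A redirectTo parameter must point (over https) at the Merchant
    Center host of the given Region, so a wrong Region is caught before users hit it.
    """
    params = dict(params or {})
    target = discovery.get("end_session_endpoint")
    if target is None:
        if not explicit_logout_url:
            raise ValueError("IdP has no end_session_endpoint: configure an explicit logout URL")
        target = explicit_logout_url
    redirect_to = params.get("redirectTo")
    if redirect_to is not None:
        parts = urlsplit(redirect_to)
        expected = MC_HOST_BY_REGION[region]
        if parts.scheme != "https" or parts.hostname != expected:
            raise ValueError(f"redirectTo must be https://{expected}/..., got {redirect_to!r}")
    return target + ("?" + urlencode(params) if params else "")
```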
Log in to the Merchant Center via SSO
After the SSO settings are activated, users can log into the Merchant Center using their commercetools Composable Commerce Organization name on the dedicated SSO login page.
Upon login, users will be redirected to the login page of the configured Identity Provider. After being authenticated by the Identity Provider, a commercetools session is started, which redirects users and grants them access to the Merchant Center.
As the commercetools and Identity Provider sessions are independent, signing out from the Identity Provider session does not invalidate the commercetools session.
Log in to the Merchant Center via SSO with a pre-filled organization name
You can log in to the Merchant Center via SSO with a pre-filled organization name and avoid entering the Organization name every time you log in. The benefits are as follows:
- Quicker SSO login
- Sharable Merchant Center SSO login URL with the organization name
- Prevent Merchant Center users from entering the wrong organization name
To use the SSO Merchant Center with a pre-filled organization name, enter a URL in the following format:
Frequently Asked Questions about the Merchant Center SSO
Can I manage Merchant Center SSO users in the Teams of an Organization?
Yes, it's possible. However, ensure that Merchant Center SSO users remain in at least one Team; otherwise they won't be able to join the Organization anymore. If a user is removed from all Teams, contact the Support team, as you will not be able to create a new Merchant Center SSO user for them.
What flow is supported by the Merchant Center SSO?
Merchant Center SSO only supports the implicit flow with
What does Active Directory Federation Service support?
Active Directory Federation Service only supports adding custom scopes using
name are not available in the idToken, then Merchant Center SSO uses the idToken.sub to populate first name and last name as a fallback when creating the user in commercetools Composable Commerce.
After the user is created, they can update the first and last name in the user profile page in Merchant Center.
What is the format of the Merchant Center SSO user's email?
Each Merchant Center SSO user gets a unique email value based on the following format:
<base64(issuer + subject)>@<organizationId>.sso
Where are the Merchant Center SSO user's first name and last name coming from?
When a Merchant Center SSO user is created upon first login, the lastName fields are determined based on the following logic:
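The email format above and the idToken.sub name fallback from the Active Directory Federation Service answer, as an added Python illustration (not commercetools' implementation). It assumes plain base64 with padding over the UTF-8 bytes of issuer + subject (the page gives the shape, not the encoding variant), and that names, when present, come from the standard OIDC given_name and family_name claims; the claim values and organization IDs are constructed.

```python
import base64


def sso_email(issuer: str, subject: str, organization_id: str) -> str:
    """Derive the account email <base64(issuer + subject)>@<organizationId>.sso.

    Assumption: RFC 4648 base64 with padding over the UTF-8 bytes of the
    concatenation; the page states the shape, not the exact encoding variant.
    """
    local_part = base64.b64encode((issuer + subject).encode("utf-8")).decode("ascii")
    return f"{local_part}@{organization_id}.sso"


def parse_sso_email(email: str) -> tuple:
    """Inverse of sso_email: recover (issuer + subject, organizationId) for auditing."""
    local_part, domain = email.rsplit("@", 1)
    if not domain.endswith(".sso"):
        raise ValueError("not a Merchant Center SSO user email")
    return base64.b64decode(local_part).decode("utf-8"), domain[: -len(".sso")]


def provision_user(claims: dict, organization_id: str) -> dict:
    """Map already-validated ID-token claims to the new Composable Commerce account.

    The page states only that idToken.sub is the fallback for the names when they
    are not in the ID token. Which claims carry the names is assumed here: the
    standard OIDC given_name / family_name claims, each falling back to sub.
    """
    issuer, subject = claims["iss"], claims["sub"]
    return {
        "email": sso_email(issuer, subject, organization_id),
        "firstName": claims.get("given_name") or subject,
        "lastName": claims.get("family_name") or subject,
    }


# Constructed sample claims: this IdP did not include any name claims.
SAMPLE_CLAIMS = {"iss": "https://idp.example.com", "sub": "8f3c-user", "aud": "mc-client-id"}
```

Because the email is derived from issuer and subject, the same IdP identity always maps to the same account within an Organization, while the organizationId suffix keeps accounts in different Organizations distinct.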
Is it possible to log in with the same Merchant Center SSO user into multiple Organizations in the same Region?
No, it's not possible. Each Merchant Center user can only log into one Organization.
Is it possible to apply the roles from the Identity Provider into the commercetools Teams?
No, it's not possible.
Is it possible to configure the Merchant Center session timeout?
Yes, you can configure the Merchant Center SSO session timeout to a duration between 1 and 24 hours or between 1 and 29 days.
What Identity Providers are most commonly used with the Merchant Center?
The following are the most commonly used Identity Providers that integrate with the Merchant Center: