Single Sign-On (Beta)
Single sign-on (SSO) is a feature that allows your organization to use an Identity Provider to log users into the Merchant Center. Once the user logs in for the first time, a new commercetools account will be automatically created which uniquely identifies the user.
Note: This feature is marked as beta and may be affected by changes. Use with caution in production.
For the setup to work, the Identity Provider needs to support OpenID Connect (OIDC), including the Discovery Endpoint.
In your Identity Provider, set up a new application for the Merchant Center to get the required credentials such as Client ID, Authority URL, etc. For the redirect rule, use the full Merchant Center domain and add the subpath
If your Identity Provider doesn’t support the end_session_endpoint for RP-Initiated Logout, you can optionally provide an explicit logout URL. The user will be redirected to this URL after the logout process on the Merchant Center.
Optionally, you can provide query parameters that will be passed along with the logout URL. If supported by your Identity Provider, these can include, for example, a redirectTo query parameter with a URL back to the Merchant Center. In this case, make sure that the redirectTo parameter points to the correct Region of the Merchant Center.
You have Administrator access to the organization in the Merchant Center.
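The following pre-flight check is an added example, not commercetools code: it validates an Identity Provider's OIDC discovery document, reports whether an explicit logout URL is needed because end_session_endpoint is absent, and verifies that a redirectTo parameter points at the intended Merchant Center host. It assumes the Authority URL is the OIDC issuer; the function names, the sample document, and the mc.region-*.example.com hosts are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what <Authority URL>/.well-known/openid-configuration returns.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/authorize",
  "token_endpoint": "https://idp.example.com/token",
  "jwks_uri": "https://idp.example.com/jwks",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

# Metadata fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")

def check_discovery(authority_url, doc):
    """Return (problems, needs_explicit_logout_url) for a discovery document."""
    problems = [f"missing required field: {k}" for k in REQUIRED if not doc.get(k)]
    # The spec requires issuer to be identical to the URL the metadata was fetched under.
    if doc.get("issuer") != authority_url:
        problems.append("issuer does not match the Authority URL")
    for key, value in doc.items():
        if (key == "jwks_uri" or key.endswith("_endpoint")) and urlsplit(str(value)).scheme != "https":
            problems.append(f"{key} is not an https URL")
    # Without end_session_endpoint, RP-Initiated Logout is unavailable.
    return problems, "end_session_endpoint" not in doc

def check_logout_url(logout_url, mc_host):
    """Return problems with an explicit logout URL and its optional redirectTo parameter."""
    parts = urlsplit(logout_url)
    problems = []
    if parts.scheme != "https" or not parts.hostname:
        problems.append("logout URL must be an absolute https URL")
    for target in parse_qs(parts.query).get("redirectTo", []):
        t = urlsplit(target)
        if t.scheme != "https" or t.hostname != mc_host:
            problems.append(f"redirectTo points to {t.hostname!r}, expected {mc_host!r}")
    return problems

if __name__ == "__main__":
    print(check_discovery("https://idp.example.com", SAMPLE_DISCOVERY))
    # Placeholder hosts: substitute the Merchant Center domain of your Region.
    print(check_logout_url(
        "https://idp.example.com/logout?redirectTo=https%3A%2F%2Fmc.region-b.example.com%2F",
        "mc.region-a.example.com"))
```
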
Configure SSO in the Merchant Center
In the Merchant Center, go to the Settings tab in the Organization details page and configure the SSO provider, following the instructions there.
Select a default team
When a user signs in for the first time into the Merchant Center via SSO, a new unique commercetools account is automatically created. However, users need to be assigned a team to have permissions configured. Therefore, a team needs to be explicitly selected in the SSO settings. All new SSO users will be added to the selected team.
Note: We recommend setting up a team with limited permissions for new users. After a user's first login to the Merchant Center, administrators can reassign them to the appropriate teams using the invitation menu on the team members page.
Log in to the Merchant Center via SSO
Once the SSO settings are activated, users can log into the Merchant Center using their commercetools organization’s name on the dedicated SSO login page.
Upon login, users will be redirected to the login page of the configured Identity Provider. After being authenticated by the Identity Provider, users are redirected back to the Merchant Center, where a commercetools session is started, giving them access to the Merchant Center.
Note: The commercetools session is independent from the session of the Identity Provider. Signing out from the Identity Provider will not invalidate the commercetools session.