Single sign-on

Configure SSO and log in to the Merchant Center using an Identity Provider.

The most commonly used Identity Providers integrated with the Merchant Center are Auth0, Google Identity Platform, Microsoft 365, Active Directory Federation Services, Ping Identity, Okta, and One Login.

The Identity Provider must support OpenID Connect (OIDC) including the Discovery endpoint.

Integrate the Merchant Center with an Identity Provider

Refer to the respective guides for a step-by-step process of integrating the Merchant Center with the Identity Provider:

Configure SSO in the Merchant Center

You must have a Merchant Center account with Administrator access for the Organization.

  1. Click the profile icon and select Manage Organizations & Teams.

  2. Select the Organization for which you want to configure SSO.

  3. In the Settings tab, click the Edit SSO configuration icon and then do the following:

    • For OpenID Provider Configuration URL, enter the OpenID Connect Discovery endpoint {url}/.well-known/openid-configuration generated by the Identity Provider.

    • For Client ID, enter the client ID generated by the Identity Provider.

    • Optional: For Client secret, enter the client secret generated by the Identity Provider.

      This is required for Identity Providers using the JSON Web Token (JWT) HS256 signing algorithm.

    • For Team, select the Team to which new users are added when they first sign in with SSO.

      We recommend assigning users to a Team with limited permissions. You can then reassign users to appropriate Teams after they log in to the Merchant Center.

    • Optional: If the Identity Provider does not support the end_session_endpoint for RP-Initiated Logout, enter an explicit logout URL for Logout URL. Users logging out from the Merchant Center are then redirected to this URL.

    • Optional: To pass query parameters along with the logout URL, click Add new query parameter and enter the values for Key and Value.
      For example, if supported by the Identity Provider, it can include a redirectTo query parameter with a URL back to the Merchant Center. In this case, ensure that the redirectTo parameter points to the correct Region.

    • Optional: To shorten the default SSO session validity of 30 days, select Use a custom expiration time and set it to 1-24 hours or 1-29 days. The updated session duration applies only to users of the Organization for which you update these settings.

      The timeout countdown starts from the time you log in to the Merchant Center. For example, if you configure a 1-hour timeout, your session expires 1 hour after login, regardless of your activity within the Merchant Center.

  4. Click the Single Sign-On (SSO) toggle.
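Before entering the Discovery URL, Client ID and Client secret above, it helps to confirm that the Identity Provider actually offers what the Merchant Center SSO needs. The following pre-flight check is an added example, not commercetools code: it builds the Discovery URL from a provider base URL and inspects a constructed Discovery document for the standard OIDC metadata keys (issuer, authorization_endpoint, jwks_uri, response_types_supported, response_modes_supported, id_token_signing_alg_values_supported, end_session_endpoint).

```javascript
// Added pre-flight check for an OpenID Provider's Discovery document before
// its URL is entered in the Merchant Center SSO configuration. This is not
// commercetools code; the keys checked are standard OIDC Discovery metadata.
// The document below is constructed for illustration.
const sampleDiscovery = {
  issuer: "https://idp.example.com",
  authorization_endpoint: "https://idp.example.com/authorize",
  jwks_uri: "https://idp.example.com/.well-known/jwks.json",
  response_types_supported: ["code", "id_token", "id_token token"],
  response_modes_supported: ["query", "fragment", "form_post"],
  id_token_signing_alg_values_supported: ["RS256", "HS256"],
  // end_session_endpoint deliberately omitted: a Logout URL must then be set by hand.
};

// Build the Discovery URL the Merchant Center expects from the provider base URL.
function discoveryUrl(providerBaseUrl) {
  return `${providerBaseUrl.replace(/\/+$/, "")}/.well-known/openid-configuration`;
}

// Report whether the provider offers what the Merchant Center SSO needs:
// implicit flow with response_type id_token, a signing algorithm it can verify,
// and (optionally) an end_session_endpoint for RP-Initiated Logout.
function checkDiscoveryDocument(doc, expectedIssuer, chosenAlg) {
  const issues = [];
  // The issuer in the document must match the URL the document was fetched from.
  if (doc.issuer !== expectedIssuer) {
    issues.push(`issuer ${doc.issuer} does not match ${expectedIssuer}`);
  }
  if (!doc.authorization_endpoint) issues.push("authorization_endpoint missing");
  if (!(doc.response_types_supported || []).includes("id_token")) {
    issues.push("response_types_supported lacks id_token (implicit flow required)");
  }
  const algs = doc.id_token_signing_alg_values_supported || [];
  if (!algs.includes(chosenAlg)) issues.push(`${chosenAlg} not offered for id_token signing`);
  // HS256 tokens are verified with the shared client secret, so it must be
  // entered in the Merchant Center; asymmetric algorithms need the JWKS instead.
  const needsClientSecret = chosenAlg === "HS256";
  if (!needsClientSecret && !doc.jwks_uri) issues.push("jwks_uri missing");
  return {
    ok: issues.length === 0,
    issues,
    needsClientSecret,
    // Without end_session_endpoint, configure the explicit Logout URL.
    hasEndSessionEndpoint: typeof doc.end_session_endpoint === "string",
    // AD FS custom scopes need response_mode=form_post.
    supportsFormPost: (doc.response_modes_supported || []).includes("form_post"),
  };
}
```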

Log in to the Merchant Center with SSO

As a user of a Team, do the following:

  1. In the Merchant Center login page, click Single Sign-On (SSO).
  2. Enter your Organization name and then click Continue to log in.
    You will be redirected to your configured Identity Provider's login page.
  3. After successful authentication by the Identity Provider, you will be redirected to the Merchant Center.
    When logging in for the first time, a new user account that uniquely identifies the user is automatically created.

To avoid manual and incorrect entry of the Organization name, you can also log in using the shareable URL https://mc.{region}.commercetools.com/login/sso/{your-organization-name}.

Signing out from the Identity Provider session does not invalidate the commercetools session as both sessions are independent.

FAQs

Can I manage SSO users in the Teams of an Organization?

Yes, but SSO users must remain in at least one Team, otherwise they'll not be able to join the Organization anymore. If a user is removed from all Teams, contact the Composable Commerce support team as you'll not be able to create a new SSO user.

What flow does the Merchant Center SSO support?

The Merchant Center SSO only supports the implicit flow with response_type: id_token.

What does Active Directory Federation Service support?

Active Directory Federation Service only supports adding custom scopes using response_mode=form_post.

What is the format of the SSO user's email?

Each SSO user gets a unique email value in this format: <base64(issuer + subject)>@<organizationId>.sso.

Where are the SSO user's first name and last name coming from?

When a user is created upon first login with SSO, the firstName and lastName fields are determined based on the following logic:

  • first name: idToken.given_name, idToken.name, or idToken.sub
  • last name: idToken.family_name, idToken.name, or idToken.sub

If given_name, family_name, or name are not available in the idToken, the SSO uses idToken.sub as a fallback to populate first name and last name when creating a user in Composable Commerce. The first and last names can be updated in the user's profile after the account is created.
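The email format and the first/last name fallback chain above, applied to ID token claims, as an added example that is not commercetools code. It assumes that base64(issuer + subject) means plain concatenation of the iss and sub claims encoded with standard base64; the claims and Organization ID are constructed.

```javascript
// Added example of the page's rules for deriving an SSO user's email and
// name fields from ID token claims. This is not commercetools code. Assumed:
// base64(issuer + subject) is plain string concatenation of the iss and sub
// claims encoded with standard base64. The claims below are constructed.
const sampleClaims = {
  iss: "https://idp.example.com",
  sub: "user-123",
  given_name: "Ada",
  family_name: "Lovelace",
  name: "Ada Lovelace",
};

// Return the first claim that is a non-empty string (the fallback chain).
function firstNonEmpty(...values) {
  return values.find((v) => typeof v === "string" && v.trim() !== "");
}

// Email in the format <base64(issuer + subject)>@<organizationId>.sso.
// iss and sub are required ID token claims; refuse tokens that lack them so
// no account is ever keyed on an empty identity.
function ssoUserEmail(claims, organizationId) {
  if (!claims.iss || !claims.sub) throw new Error("ID token must carry iss and sub");
  const encoded = Buffer.from(claims.iss + claims.sub, "utf8").toString("base64");
  return `${encoded}@${organizationId}.sso`;
}

// first name: given_name, then name, then sub; last name: family_name, then name, then sub.
function ssoUserNames(claims) {
  return {
    firstName: firstNonEmpty(claims.given_name, claims.name, claims.sub),
    lastName: firstNonEmpty(claims.family_name, claims.name, claims.sub),
  };
}

// Because the issuer is part of the email, the same sub at a different issuer
// (for example after an IdP tenant or issuer URL change) maps to a different user.
function sameSsoUser(claimsA, claimsB, organizationId) {
  return ssoUserEmail(claimsA, organizationId) === ssoUserEmail(claimsB, organizationId);
}
```

The last function makes the practical consequence visible: changing the Identity Provider's issuer URL produces new Merchant Center users rather than reusing existing ones.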

Can the same SSO user log in to multiple Organizations in the same Region?

No, each user can only log in to one Organization.

Is it possible to apply the roles from the Identity Provider to the Teams?

No, it's not possible.

Can the Merchant Center session timeout be configured?

Yes, you can configure it to a duration of 1-24 hours or 1-29 days.