Identity providers
The identity provider object and the allowed CRUD operations on the related resource endpoint
Last updated
The identity provider object and the allowed CRUD operations on the related resource endpoint
Last updated
Identity providers allow users to authenticate themselves to the Commerce Layer Dashboard using a single set of credentials. Identity providers leverage the open standard and decentralized authentication protocol , built on top of and JWT (JSON Web Token), actually enabling Single Sign-On (SSO) on the Dashboard.
To enable SSO for your user you need to create at least one identity provider resource and properly set up the domains in scope. In detail:
— to do that, choose a meaningful name (must be unique across all Commerce Layer users), specify the list of domains you want to put in scope (i.e. that will be used to validate the email address of the user that will try to log in via SSO), and add all the necessary information and parameters supplied by your IdP of choice (Auth0 by Okta, Microsoft Azure, etc. or any custom one — you can find some examples ), such as:
Client ID
Client secret
Issuer
Token URL
Authorize URL
JWKS (JSON Web Key Sets) URL
Add the TXT record you get from the successful response to all the domains specified in the list (you must be the domain owner).
If the 3rd-party service you've chosen as your IdP requires a redirect_uri to be specified, use the following:
Identity providers are created in pending status and a verification job on the specified domains is immediately started (domain existence, correct TXT record presence, etc.). On success, the status is automatically moved to verified. Otherwise, it remains pending or is moved to error (e.g. domain non-existent, verification process timed-out, etc.).
You can temporarily disable an identity provider by passing the _disable trigger attribute and eventually re-enable them by passing the _enable trigger attribute.
Since the txt_record attribute you get from the response is encoded based on the IdP keys (client ID, client secret, issuer, etc.), if you change one of them a new TXT record will be generated and the identity provider status moved back to pending until you update the TXT record with the new one on all the domains specified in the list.
Click on the Log in with SSO button.
Enter the name of one of the identity providers you created for your user.
Click on the Log in button and enter your credentials.
When authenticating in with SSO to the Dashboard you may receive some 302 Found errors, mostly due to possible identity provider misconfigurations. Follow the suggestion displayed in the error message to fix them and try to log in again:
Disabled — The selected provider has been disabled, please contact the organization owner.
Non-existent — The selected provider does not exist.
Not verified — The selected provider is not verified. Please add the provided DNS TXT record to your domain.
In error — The selected provider is in error. The domain may not exist or we may be unable to resolve it.
Please find below some examples of how the required parameters must be set when using some of the most common 3rd-party services:
An example of how to set the required parameters when using by Okta (replace your values):
An example of how to set the required parameters when using (replace your values):
An example of how to set the required parameters when using (replace your values):
Once you have successfully set up and verified one or more identity providers, you can use them to with SSO. To do that:
