Other APIs
Changelog

Identity providers

The identity provider object and the allowed CRUD operations on the related resource endpoint

Identity providers allow users to authenticate themselves to the Commerce Layer Dashboard using a single set of credentials. Identity providers leverage the open standard and decentralized authentication protocol OpenID connect, built on top of OAuth 2.0 and JWT (JSON Web Token), actually enabling Single Sign-On (SSO) on the Dashboard.

Identity providers can be created, updated, and deleted by Enterprise users only. For non-enterprise users identity providers are read-only.

Setting up SSO

To enable SSO for your user you need to create at least one identity provider resource and properly set up the domains in scope. In detail:

  1. Create an identity provider — to do that, choose a meaningful name (must be unique across all Commerce Layer users), specify the list of domains you want to put in scope (i.e. that will be used to validate the email address of the user that will try to log in via SSO), and add all the necessary information and parameters supplied by your IdP of choice (Okta, Auth0, Microsoft Azure, etc. or any custom one), such as:

    • Client ID

    • Client secret

    • Issuer

    • Token URL

    • Authorize URL

    • JWKS (JSON Web Key Sets) URL

  2. Add the TXT record you get from the successful response to all the domains specified in the list (you must be the domain owner).

Identity provider status

Identity providers are created in pending status and a verification job on the specified domains is immediately started (domain existence, correct TXT record presence, etc.). On success, the status is automatically moved to verified. Otherwise, it remains pending or is moved to error (e.g. domain non-existent, verification process timed-out, etc.).

You can temporarily disable an identity provider by passing the _disable trigger attribute and eventually re-enable them by passing the _enable trigger attribute.

Since the txt_record attribute you get from the response is encoded based on the IdP keys (client ID, client secret, issuer, etc.), if you change one of them a new TXT record will be generated and the identity provider status moved back to pending until you update the TXT record with the new one on all the domains specified in the list.

Logging in to the Dashboard with SSO

Once you have successfully set up and verified one or more identity providers, you can use them to log in to Dashboard with SSO. To do that:

  1. Click on the Log in with SSO button.

  2. Enter the name of one of the identity providers you created for your user.

  3. Click on the Log in button and enter your credentials.

Login errors

When authenticating in with SSO to the Dashboard you may receive some 302 Found errors, mostly due to possible identity provider misconfigurations. Follow the suggestion displayed in the error message to fix them and try to log in again:

  • Disabled — The selected provider has been disabled, please contact the organization owner.

  • Non-existent — The selected provider does not exist.

  • Not verified — The selected provider is not verified. Please add the provided DNS TXT record to your domain.

  • In error — The selected provider is in error. The domain may not exist or we may be unable to resolve it.

PreviousDelete an application membershipNextThe identity provider object

Last updated