At Acorel we receive more and more inquiries from customers for implementing single sign on (SSO) in SAP Commerce. What is single sign on exactly, what are the benefits and how can you implement this technique in SAP Commerce?
Single sign on allows your users to log in to your applications via a central identity provider such as SAP Cloud Identity Services or Microsoft Azure. The end-user does not have to fill in their credentials in SAP Commerce but can instead click on a link that logs in with the account from the identity provider. The end-user can use this account to log in to SAP Commerce and will be redirected to the Backoffice.
Using single sign on with an identity access management tool like SAP Cloud Identity Services or Microsoft Azure will benefit both the end-user and the company administrator. The end-user can log in to multiple applications, such as SAP Commerce Backoffice, with one set of credentials. There is no need to manage several username/password combinations for different applications.
Single sign on with an identity access management tool will also benefit the company. Employee credentials and access can be managed in one tool. When a new employee starts working at the company, a global account that provides access to multiple locations can be created in one application. The opposite applies when an employee leaves the company: access to linked company systems can be revoked in a single click.
SAP Commerce is shipped with a default SSO extension. This extension sets up the basics for using single sign on and can easily be configured to connect to a third-party identity provider. When the configuration is successful an additional link will be available in the login screen called “Login with Single Sign On”.
This link will redirect the user to the identity provider of the company to verify the user and retrieve the login information including name and groups. Some additional checks will be performed by SAP Commerce after the user has been authorized by the identity provider.
The identity provider will provide SAP Commerce with basic details like the user’s username, first name, last name and SSO groups. SAP Commerce will verify whether the provided SSO groups are in the list of SSO groups that are allowed to access the Backoffice. When the user is allowed to access the Backoffice, the user will be assigned to the correct user groups and logged in to the application. The user will be created if the user does not exist yet.
Existing users who already have a login with password for SAP Commerce will still be able to log in with their SAP Commerce username and password. These users can also log in via SSO when their SSO username matches their current username. The passwords of these users will not change, so both options, SSO and the username/password combination, can still be used to log in to the application.
The company administrator of the identity provider is fully in control of new users who are registered with single sign on only to the SAP Commerce Backoffice (the user does not have a password for SAP Commerce). When the user is completely disabled in the identity provider or the commerce-related groups are removed from the user, logging in to the SAP Commerce Backoffice via SSO is no longer possible.
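The decision SAP Commerce makes on an SSO login, as described in the three paragraphs above, modelled as an added example. This is illustrative code written for this post, not code from SAP Commerce or from its SSO extension; the assertion attribute names, the group mapping table, the Backoffice group names and the in-memory user store are all constructed assumptions.

```python
"""Model of the Backoffice SSO login decision: check the IdP groups against the
allowed list, map them to Backoffice groups, create the user on first login.

Illustrative only; not SAP Commerce code. Attribute names, group names and the
user store are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    first_name: str = ""
    last_name: str = ""
    groups: set = field(default_factory=set)
    has_password: bool = False  # True only for users created manually in SAP Commerce


# Assumed mapping table: identity-provider group -> Backoffice user groups it grants.
# Group names are constructed sample values; an IdP group missing here grants nothing.
SSO_GROUP_MAPPING = {
    "commerce-admins": {"admingroup", "backofficeadmingroup"},
    "commerce-editors": {"cmsmanagergroup"},
}


def authorize_sso_login(assertion, user_store, mapping=SSO_GROUP_MAPPING):
    """Decide whether an IdP-authenticated user may enter the Backoffice.

    assertion:  attributes released by the identity provider, assumed here to be
                a dict with "username", "firstname", "lastname" and "groups".
    user_store: uid -> User, standing in for the SAP Commerce user table.
    Returns the created or updated User, or None when none of the user's SSO
    groups is allowed (the user was disabled or the commerce groups were removed
    at the identity provider).
    """
    idp_groups = set(assertion.get("groups", []))
    allowed = idp_groups & set(mapping)
    if not allowed:
        return None  # no allowed SSO group: SSO login refused, nothing is created

    # Union of the Backoffice groups granted by every allowed SSO group.
    backoffice_groups = set()
    for sso_group in allowed:
        backoffice_groups |= mapping[sso_group]

    uid = assertion["username"]
    user = user_store.get(uid)
    if user is None:
        # First SSO login: provision the user without a local password.
        user = User(
            uid=uid,
            first_name=assertion.get("firstname", ""),
            last_name=assertion.get("lastname", ""),
        )
        user_store[uid] = user
    # An existing user whose uid matches the SSO username keeps their password;
    # the model assumes the Backoffice groups are re-assigned from the mapping
    # on every SSO login.
    user.groups = set(backoffice_groups)
    return user


if __name__ == "__main__":
    store = {}
    sample = {"username": "jdoe", "firstname": "Jane", "lastname": "Doe",
              "groups": ["commerce-editors", "hr-staff"]}  # constructed assertion
    print(authorize_sso_login(sample, store))
    print(authorize_sso_login({"username": "ghost", "groups": ["hr-staff"]}, store))
```

The refusal path returns before any user is created, which is the property that lets the identity-provider administrator control SSO-only users: removing the commerce groups at the IdP is enough, because nothing in the store grants access on its own.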
Setting up single sign on in SAP Commerce should be done carefully: there are cases where existing users can still get access to the Backoffice after their access has been revoked via the identity provider. These existing users are still able to log in with their username/password combination, so make sure to revoke these rights for existing users in SAP Commerce as well. Although this can be seen as a risk, it only applies to users that were created manually in SAP Commerce.
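One way to catch the residual risk described above is a periodic audit that lists users who keep a local password and Backoffice rights but are no longer entitled at the identity provider, and then mirrors the revocation in SAP Commerce. This is an added example written for this post, not SAP Commerce code; the User record, the Backoffice group names, the sample user table and the list of IdP-entitled usernames are constructed assumptions.

```python
"""Audit for users who can bypass an identity-provider revocation with a local
SAP Commerce password, and a helper that mirrors the revocation locally.

Illustrative only; not SAP Commerce code. Group names and sample data are
constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    groups: set = field(default_factory=set)
    has_password: bool = False   # True for users created manually in SAP Commerce
    login_disabled: bool = False


# Backoffice groups that SSO can grant (assumed sample names).
BACKOFFICE_GROUPS = {"admingroup", "backofficeadmingroup", "cmsmanagergroup"}


def password_bypass_candidates(user_store, idp_entitled_uids, backoffice_groups=BACKOFFICE_GROUPS):
    """Return users who can still reach the Backoffice with a local password
    although the identity provider no longer entitles them.

    idp_entitled_uids: usernames the IdP currently reports as members of an
    allowed SSO group (in practice exported from the IdP; constructed here).
    """
    findings = []
    for user in user_store.values():
        if user.login_disabled or not user.has_password:
            continue  # SSO-only or disabled users are governed by the IdP
        if not (user.groups & backoffice_groups):
            continue  # no Backoffice rights to bypass with
        if user.uid not in idp_entitled_uids:
            findings.append(user)
    return sorted(findings, key=lambda u: u.uid)


def revoke_local_access(user, backoffice_groups=BACKOFFICE_GROUPS):
    """Mirror the IdP revocation in SAP Commerce: drop Backoffice groups and disable the login."""
    user.groups -= backoffice_groups
    user.login_disabled = True
    return user


# Constructed sample user table.
SAMPLE_USERS = {
    "admin":  User("admin", {"admingroup"}, has_password=True),        # manual account, left the company
    "jdoe":   User("jdoe", {"cmsmanagergroup"}, has_password=False),   # SSO-only, controlled by the IdP
    "mmoore": User("mmoore", {"cmsmanagergroup"}, has_password=True),  # manual account, still entitled
    "svc":    User("svc", {"customergroup"}, has_password=True),        # password, but no Backoffice rights
}
# Constructed: what the IdP reports as currently entitled to the Backoffice.
SAMPLE_IDP_ENTITLED = {"jdoe", "mmoore"}


if __name__ == "__main__":
    for user in password_bypass_candidates(SAMPLE_USERS, SAMPLE_IDP_ENTITLED):
        print("password login bypasses IdP revocation:", user.uid, sorted(user.groups))
        revoke_local_access(user)
```

Only the manually created account that the identity provider no longer lists is reported; SSO-only users are skipped because, as the text explains, the IdP already controls them. Running the audit after each deprovisioning at the IdP, or on a schedule, keeps the two user stores from drifting apart.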
Single sign on for SAP Commerce is a great addition for managing user authorization. There are a few points you should watch out for, but there is an overall benefit for both the end-user and the company. The company has better control over which user has access to which application, and the end-user can log in with one click.