SSO Configuration
Overview
Single Sign-On (SSO) allows users to log in to OneStock services (Admin Backoffice and Store App) using an external Identity Provider (IdP).
When using SSO, access to OneStock is granted by an external Identity Provider: if the user can log in to the Identity Provider, they will be able to log in to OneStock.
The supported SSO protocol is SAMLv2, also referred to as SAML.
Good to know
A user can connect either using SSO or using a login / password, not both.
Users configured to authenticate using SSO cannot log in to the OneStock API. Only login / password users can.
Some vocabulary:
Acronym / word | Definition |
---|---|
SSO | Single Sign-On: user authentication service that permits a user to use one set of login credentials to access multiple applications |
IdP | Identity Provider: application doing the actual authentication |
SAML / SAMLv2 | SAMLv2 is the version 2 of the SAML protocol, which is a widely used protocol for Single Sign-On. When we refer to SAML in this documentation, it means the version 2 of SAML protocol. |
Setup
We strive to keep things simple. SSO configuration is not an exception.
Setup must be done in OneStock and in the external Identity Provider (client's end).
Steps to get SSO up and running:
1. Configure your Identity Provider to connect with OneStock. This must be done on your end.
2. Add the Identity Provider(s) to your project in OneStock.
3. Flag the OneStock users that should log in using SSO.
You must create user accounts in OneStock before they can connect using SSO.
1. Configure your Identity Provider to connect with OneStock. This must be done on your end.
The client's Identity Provider must be configured so that OneStock can communicate with it.
Configuration consists of two steps: 1) communication with OneStock and 2) the user matching attributes OneStock expects.
Communication with OneStock
Configuration can usually be done either by providing a metadata URL or by setting each field individually.
Environment prefix
Environment | <url_prefix> to use |
---|---|
Qualif | https://api-qualif.onestock-retail.com |
Training | https://api-training.onestock-retail.com |
Production | https://api.onestock-retail.com |
GCP | For qualif and training: https://api.<region>.<env>.onestock-retail.com. For production: https://api.<region>.onestock-retail.com |
Configuration by metadata URL
The following URL must be used: <url_prefix>/sso/saml_descriptor
Configuration by individual fields
The list of fields is the following:
callback url: <url_prefix>/sso/login/callback?protocol=saml
certificate: the latest version can be found inside the metadata URL response.
assertion url: <url_prefix>/sso/login
audience url: <url_prefix>/sso/login
signing: true
OneStock expected user matching attributes
For OneStock to match the Identity Provider response with a OneStock user, an attribute mapping must be configured. The mapping that needs to be configured is the following:
OneStock expects the SAML nameID field to contain the user's ID as set in OneStock (this equals the email address if the user was created through the BackOffice). For example, for the user john@fashion_market.com OneStock expects the nameID field to be equal to john@fashion_market.com.
OneStock expects the SAML email field to contain the user's ID as set in OneStock (this equals the email address if the user was created through the BackOffice). For example, for the user john@fashion_market.com OneStock expects the email field to be equal to john@fashion_market.com.
2. Add Identity Providers to your project in OneStock
To access the SSO configuration, go to OneStock's Back-Office > Configuration > Security.
Configuring an IdP is very simple: you just need to provide OneStock with your IdP information, either as a URL or as a static XML document.
Expected metadata content
Your IdP metadata should contain at least:
<KeyDescriptor use="signing">....</KeyDescriptor>: the key that will be used for authentication.
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"..../>: it will be used by OneStock to validate authentication.
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"..../>: it will be used by OneStock to log the user out from your IdP when they disconnect from a OneStock application. This allows a new user to log in to the application with a different account.
Configuring the IdP
In the Back-office you can configure a specific IdP per login email domain, as well as a default IdP that is applied as a fallback to all email domains not included in the per-domain list.
3. Create and activate SSO for users in OneStock
For a user to be able to log in to OneStock using SSO:
The user must exist in OneStock.
The user must have a valid OneStock role. The role is not retrieved from the IdP.
The user must be flagged as SSO.
The user ID must match a configured SSO domain config.
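The attribute mapping above (nameID and email both carrying the OneStock user ID), the per-domain IdP selection with a default fallback, and the four eligibility rules just listed can be exercised together. The following is an added example, not OneStock code: it reads the NameID and the `email` attribute out of a constructed, unsigned SAML Response, and applies the rules to a constructed user store. The `USERS`, `DOMAIN_IDPS` and `DEFAULT_IDP` structures, the `make_response` helper and the rejection reasons are all assumptions made for the example; the Response is assumed to have already passed signature validation in the SAML library in front of this step.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in Response / Assertion documents.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-in for OneStock user records: the user ID is the key,
# 'role' is the OneStock role and 'is_sso' is the SSO flag from this page.
USERS = {
    "john@fashion_market.com": {"role": "store_manager", "is_sso": True},
    "jane@fashion_market.com": {"role": "admin", "is_sso": False},
    "noro@fashion_market.com": {"role": None, "is_sso": True},
}

# Constructed per-domain IdP configuration plus the default fallback IdP.
DOMAIN_IDPS = {"fashion_market.com": "idp-fashion-market"}
DEFAULT_IDP = "idp-default"


def make_response(name_id, email):
    """Build a constructed, unsigned SAML Response with a NameID and an email attribute."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed" Version="2.0">
  <saml:Assertion ID="_constructed_a" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>{email}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def resolve_idp(user_id, domain_idps=DOMAIN_IDPS, default_idp=DEFAULT_IDP):
    """Select the IdP for a login identifier: the per-domain entry if one exists,
    otherwise the default IdP (None when no default is configured either)."""
    if "@" not in user_id:
        return None
    domain = user_id.rsplit("@", 1)[1].lower()  # domains are case-insensitive
    return domain_idps.get(domain, default_idp)


def extract_identity(saml_response_xml):
    """Return (nameID, email attribute) as read from a SAML Response document."""
    root = ET.fromstring(saml_response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    email = root.find(".//saml:Attribute[@Name='email']/saml:AttributeValue", NS)

    def text(el):
        return el.text.strip() if el is not None and el.text else None

    return text(name_id), text(email)


def check_sso_login(saml_response_xml, users=USERS,
                    domain_idps=DOMAIN_IDPS, default_idp=DEFAULT_IDP):
    """Apply this page's rules to an already signature-checked Response.
    Returns (True, "ok") or (False, reason)."""
    name_id, email = extract_identity(saml_response_xml)
    if not name_id or not email:
        return False, "missing nameID or email attribute"
    if name_id != email:
        return False, "nameID and email attribute differ"
    user = users.get(name_id)  # exact match on the OneStock user ID
    if user is None:
        return False, "no OneStock user with this ID"
    if not user["is_sso"]:
        return False, "user is not flagged as SSO"
    if not user["role"]:
        return False, "user has no OneStock role"
    if resolve_idp(name_id, domain_idps, default_idp) is None:
        return False, "no IdP configured for this domain"
    return True, "ok"


if __name__ == "__main__":
    for nid, mail in [("john@fashion_market.com", "john@fashion_market.com"),
                      ("jane@fashion_market.com", "jane@fashion_market.com"),
                      ("john@fashion_market.com", "other@fashion_market.com")]:
        print(nid, "->", check_sso_login(make_response(nid, mail)))
```

The checks are ordered so that a mismatch between nameID and the email attribute is reported before any user lookup: an assertion whose two identifiers disagree is a mapping error on the IdP side and should never be matched to a user on either value alone. Passing `default_idp=None` to `resolve_idp` reproduces a project with no fallback IdP, where a user whose email domain has no per-domain entry is rejected.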
From the back-office
By API
The field is_sso flags the user as SSO active. For more details, check out our API documentation.
User Provisioning Management
To enable users to access OneStock via SSO, their accounts must be created in OneStock beforehand. Since automatic provisioning is not currently supported, we recommend creating user accounts in OneStock when you grant users access in your Identity Provider (IdP). Likewise, when you deactivate or delete a user in your IdP, deactivate or delete their account in OneStock as well. These actions can be performed manually via the Back Office or automated using our APIs (note that the API allows deactivation but not complete deletion of accounts).
Known Constraints
Autocompletion of the login form
Our SSO technology stack, SAML2, does not support relaying the user identifier to the IdP when redirecting to the IdP login UI, so the identifier cannot be pre-filled on the IdP login page.
Identity provider limitations
Azure doesn't support POST binding single logout. As a result, when a user disconnects from OneStock they will not be logged out from Azure. More information about Azure's limitation here
Common errors
When I log in to OneStock it redirects me to my SSO login page, but when I log in there something goes wrong
Check that the configuration in your IdP is correct:
If you have done the configuration by filling in a metadata URL, make sure you have used the metadata URL documented above (<url_prefix>/sso/saml_descriptor).
If you have done the configuration by filling in each configuration field individually, make sure they match the configuration stated above.
I can log in with one user, but after logging out it is not possible to log in with another
Check that your IdP metadata contains a <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" .../> element. It is used by OneStock to log the user out from your IdP.
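Both the "Expected metadata content" section and this last troubleshooting entry come down to inspecting SAML metadata for a signing KeyDescriptor, an HTTP-POST SingleSignOnService and an HTTP-POST SingleLogoutService; the certificate field of the individual-field setup is likewise read out of a KeyDescriptor in the OneStock metadata response. The following is an added example, not OneStock code: it runs those checks over two constructed IdP metadata documents, one as this page expects and one whose single logout is offered only over a non-POST binding (the situation this page describes for Azure). The `idp.example.test` entity, locations and certificate placeholder are constructed values.

```python
import xml.etree.ElementTree as ET

# SAML metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _idp_metadata(slo_binding):
    """Constructed IdP metadata; the certificate body is a placeholder, not a real key."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-NOT-A-REAL-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{slo_binding}"
        Location="https://idp.example.test/saml/logout"/>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Two constructed documents: one shaped as this page expects, one whose single
# logout is only offered over HTTP-Redirect, so the POST-binding check fails.
GOOD_METADATA = _idp_metadata(HTTP_POST)
REDIRECT_SLO_METADATA = _idp_metadata(HTTP_REDIRECT)


def signing_certificates(metadata_xml):
    """Return the certificate bodies (whitespace stripped) of every KeyDescriptor
    usable for signing. It walks the whole document, so it reads IdP metadata and
    an SP metadata response (such as a saml_descriptor document) alike."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        # An absent 'use' attribute means the key serves signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            if cert.text and cert.text.strip():
                certs.append("".join(cert.text.split()))
    return certs


def check_idp_metadata(metadata_xml):
    """Report the three checks this page asks for on IdP metadata."""
    root = ET.fromstring(metadata_xml)
    result = {"signing_key": False, "sso_http_post": False, "slo_http_post": False}
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return result  # not IdP metadata at all
    result["signing_key"] = bool(signing_certificates(metadata_xml))
    result["sso_http_post"] = any(
        s.get("Binding") == HTTP_POST for s in idp.findall("md:SingleSignOnService", NS))
    result["slo_http_post"] = any(
        s.get("Binding") == HTTP_POST for s in idp.findall("md:SingleLogoutService", NS))
    return result


if __name__ == "__main__":
    for label, doc in [("good", GOOD_METADATA), ("redirect-only SLO", REDIRECT_SLO_METADATA)]:
        print(label, check_idp_metadata(doc), signing_certificates(doc))
```

A metadata document for which `slo_http_post` is False is exactly the case of the second troubleshooting entry: sign-in works, but OneStock cannot terminate the IdP session on logout, so the next person at the same browser is signed straight back in as the previous user.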