Adobe Commerce Microsoft Entra ID (Azure AD) OAuth Single Sign-On (SSO) Integration

This guide explains how to configure Single Sign-On (SSO) between Adobe Commerce and Microsoft Entra ID using the OAuth 2.0 protocol. By integrating Azure AD as the identity provider, users can securely log in to the Adobe Commerce store using their existing organizational credentials. This eliminates the need to manage separate usernames and passwords, simplifying access management and improving the user experience. The integration supports key SSO features such as attribute mapping and role mapping, allowing administrators to control how user data and permissions are handled within Adobe Commerce. It is also compatible with multi-store environments, making it suitable for organizations operating across multiple regions or business units.
By the end of this guide, you will have a fully functional SSO setup, enabling users to authenticate smoothly with Azure AD credentials in Adobe Commerce.

  • Purchase the miniOrange Adobe Commerce OAuth Single Sign-On (SSO) extension from the Adobe Commerce Marketplace.
  • Go to My profile -> My Purchases
  • Please ensure you are using the correct access keys (My Profile - Access Keys)
  • Paste the access keys in your auth.json file inside your project
  • Use the below command to add the extension to your project.
  • "composer require {module_name}:{version}"
  • You can see the module name and list of versions in the selector below the extension module name.
  • Run the following commands on command prompt to enable the extension.
  • php bin/magento setup:upgrade
  • Download the miniOrange Adobe Commerce OAuth Single Sign-On (SSO) extension.
  • Unzip all contents of the zip inside the MiniOrange/IDPSaml directory.
  • {Root Directory}/app/code/MiniOrange/OAuth
  • Run the following commands on command prompt to enable the extension
  • php bin/magento setup:upgrade

  • In the miniOrange Adobe Commerce SSO extension, navigate to the Application tab, select OAuth/Openid, and click on Azure AD application.
  • Copy the Callback URL from the extension. You’ll need this for Azure AD (Entra ID) configuration.
  • In the left-hand navigation panel, click the App registrations service, and click New registration.
  • Configure the following options to create a new application in your Azure AD (Entra ID) Application.
  • Enter a name for your application under the Name text field.
  • In supported account types, select the third option, ‘Accounts in any organizational directory (for authenticating user with user flows)’.
  • Click on the Register button to create your application.
  • Microsoft Entra ID (Azure AD) assigns a unique Application ID to your application. The Application ID is your Client ID and the Directory ID is your Tenant ID. Keep these values handy, as you will need them to configure the miniOrange Adobe Commerce SSO OAuth Client extension.
  • Go to Certificates and Secrets from the left navigation panel and click on New Client Secret in Azure AD. Enter a description and expiration time, then click the Add option.
  • Copy the secret key value from Azure AD and keep it handy; it will be required later to configure the Client Secret under the miniOrange Adobe Commerce SSO OAuth Client extension.

    You have successfully configured Azure AD as OAuth Provider.

  • Now enter the OAuth Provider Name, Client ID, Client Secret, Scope and the provided endpoints.
  • Please refer to the endpoints table below to authorize Single Sign-On (SSO) with an Azure AD single-tenant environment to your Adobe Commerce site.
  • Scope: openid
    Authorize Endpoint: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
    Access Token Endpoint: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    Get User Info Endpoint: https://login.windows.net/<tenant-id>/openid/userinfo
    Custom redirect URL after logout [optional]: https://login.microsoftonline.com/<tenant-id>/oauth2/logout?post_logout_redirect_uri=<your URL>
  • Please refer to the scope and endpoints table below to authorize Single Sign-On (SSO) with any Azure AD tenant environment to your Adobe Commerce site.
  • Scope: openid
    Authorize Endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
    Access Token Endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/token
    Get User Info Endpoint: https://login.windows.net/common/openid/userinfo
    Custom redirect URL after logout [optional]: https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=<your URL>
  • Click on the Save button to save the settings.
  • Click on the Test Configuration button.
  • You will see all the values returned by your OAuth Provider (Azure AD) to Adobe Commerce in a table. If you don't see a value for First Name, Last Name, Email or Username, make the required settings in your OAuth Provider to return this information.

Note: In the Enterprise Version of the extension you can set up multiple providers. To set up a different provider, click on the Add Provider button and configure your required provider. You can find the setup guides of all the providers from here.

  • Find your Azure AD application and click Edit in the Actions menu.
  • Click on Store Configuration from the left-hand menu.
  • In the Store Configuration, select the website where you want to activate SSO, and check the Enable SSO for this site option.
  • Show SSO Button on Login Page: Displays the SSO button on the selected website’s customer login page.
  • Auto-create Users: You have the option to automatically create customer users during the SSO process if they do not already exist. Enabling the corresponding checkbox activates this feature.
  • Auto Redirect Feature: Automatically redirects users to the OAuth Provider login page, either from the Adobe Commerce login page or from any page on the website.
  • Go to the customer login page and you will see the SSO button on your frontend. Click on the button and test the SSO.
  • You will be successfully logged in to Adobe Commerce.
  • Enable SSO for Admins: Displays the SSO button on the Admin login Page.
  • Admin SSO Button Text: Sets the label displayed on the SSO button on the admin login page (e.g., Login via Azure AD).
  • Auto-create Admin Users: Automatically creates an admin user in Adobe Commerce when they log in via SSO for the first time.
  • Auto-Redirect from Admin: Automatically redirects admin users to the OAuth Provider login page from the admin login page.
  • Backdoor URL: A backdoor URL allows you to log in to your Admin dashboard using default Admin credentials in case you get locked out.
  • Visit your admin login page and you will see the SSO button on your admin page. Click on the button to initiate SSO as an admin.
  • After successfully logging in to Adobe Commerce as admin, you will be redirected to the Adobe Commerce backend dashboard.
  • Enable for Customers: This option allows you to activate Headless SSO for customers.
  • Customer SSO URL: This URL is used to initiate customer SSO from headless applications. Append this SSO URL within your headless application.
    • Example Format: https://<your-domain>/mosso/actions/SendSSORequest?relayState={Store_URL}/headless_store_url/{Headless_URL}&app_name=Azure AD
    • {Store_URL}: Enter your Adobe Commerce store URL.
    • {Headless_URL}: Enter the URL of your headless application where the customer token should be sent.
    • After successful SSO, a customer token is sent to the headless URL.
      For example: {Headless_URL}?customer_token=...
  • OAuth Token: Enable this option to send the OAuth provider’s (Azure AD) JWT token along with the customer token.
  • Customer Token Expiry: You can set the expiration time (in minutes) for the customer token.
  • Whitelist Frontend URLs: Here, you can add URLs that are allowed to receive the customer token. The customer token will only be sent to the URL(s) that are whitelisted here.
  • Enable for Admins: Similar to customers, this option activates Headless SSO for admins.
  • Admin SSO URL: This URL initiates admin SSO from headless applications.
  • Admin Token Expiry: Set the expiration time (in minutes) for the admin token.
  • Whitelist Frontend URLs: Admin tokens are only sent to the whitelisted URLs here. You must ensure that any URL receiving an admin token is listed.
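
The customer headless flow above, seen from the headless application's side, as an added example that is not miniOrange's code: it builds the Customer SSO URL in the Example Format and, on return, takes `customer_token` out of the callback URL. The function names and example.com hosts are hypothetical, and it assumes the store decodes standard query-string encoding.

```javascript
// Added example; function names and example.com hosts are hypothetical.
const SSO_PATH = "/mosso/actions/SendSSORequest"; // path from the Example Format

// Build the customer SSO URL:
//   relayState={Store_URL}/headless_store_url/{Headless_URL}&app_name=<provider>
function buildCustomerSsoUrl(ssoOrigin, storeUrl, headlessUrl, appName) {
  const headless = new URL(headlessUrl); // throws on a malformed URL
  // The customer token comes back in the query string, so require HTTPS.
  if (headless.protocol !== "https:") {
    throw new Error("headless URL must use https");
  }
  const relayState =
    storeUrl.replace(/\/+$/, "") + "/headless_store_url/" + headless.href;
  const sso = new URL(SSO_PATH, ssoOrigin);
  // searchParams percent-encodes the nested URLs and the space in "Azure AD".
  sso.searchParams.set("relayState", relayState);
  sso.searchParams.set("app_name", appName);
  return sso.href;
}

// On the headless callback page: pull customer_token out of the URL and return
// a cleaned URL, so the token does not linger in history or Referer headers.
function consumeCallback(callbackUrl) {
  const url = new URL(callbackUrl);
  const tokens = url.searchParams.getAll("customer_token");
  // Exactly one non-empty token is expected; reject anything else.
  if (tokens.length !== 1 || tokens[0] === "") {
    return { token: null, cleanUrl: null };
  }
  url.searchParams.delete("customer_token");
  return { token: tokens[0], cleanUrl: url.href };
}

// In a browser, the caller would then run:
//   history.replaceState(null, "", cleanUrl);
// and keep the token in memory rather than in the address bar.
```

The headless URL passed to `buildCustomerSsoUrl` still has to be listed under Whitelist Frontend URLs, since the extension only sends the token to whitelisted URLs.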
  • Go to the Attribute Mapping section to configure Customer Attribute Mapping.
  • Enable Customer Attribute Mapping and select the checkbox to Update Customer Attributes.
  • You will see fields like Email, First Name, and Last Name under Customer Attributes Mapping.
  • Map these fields by selecting the appropriate options from the dropdown.
  • If you need to add more attributes, click the + Add Customer Attributes button and select the appropriate attribute from the dropdown.

  • In the Customer Attribute section, enable Address Attribute Mapping and select the checkbox to update Customer Address attributes.
  • You will see fields such as Street Address, Zip Code, City, State, and others under Customer Address Mapping.
  • Map these fields by selecting the appropriate options from the dropdown.
  • If you need to add additional address attributes, click the + Add Address Attributes button and choose the appropriate attribute from the dropdown.
  • In the Admin Attribute Mapping section, enable Admin Attribute Mapping and select the checkbox to update Admin attribute.
  • You will see fields like Email, Username, First Name, and Last Name under Admin Attributes Mapping.
  • Map these fields by selecting the appropriate options from the dropdown.
  • If you need to add more attributes, click the + Add Admin Attributes button and select the appropriate attribute from the dropdown.
  • In the B2B Mapping section, enable B2B Company Mapping and select the checkbox to update B2B Company attribute.
  • Company Attribute: This is the field from your Identity Provider (IdP) that contains the company name or ID for the user.
  • Default Company: If no matching company is found from the IdP data, the user will be assigned to this default company.
  • Enter the Identity Provider Company values against the corresponding Adobe Commerce customer Company as required.
  • Example: If the company attribute value received from the Identity Provider is mapped to miniOrange or newCompany in Adobe Commerce, then users logging in via SSO will be automatically assigned to the respective company. For instance, if the IdP company attribute value is mapped to the miniorange company in Adobe Commerce then the user will be mapped to the miniOrange company.
  • Adobe Commerce uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site. Role mapping helps you to assign specific roles to users of a certain group in your OAuth Provider.
  • Select the attribute from your identity provider that contains group/role information for both admin and customer users from the dropdown.
  • In the Customer Group Mapping settings, the store admin can define which Adobe Commerce customer group should be assigned based on the group information received from the Identity Provider (IdP) during Single Sign-On (SSO).
  • Enable the “Update frontend group on SSO” checkbox if you want Adobe Commerce to update the customer group each time a user logs in via SSO.
  • Use the Default Group dropdown to select the Adobe Commerce group that should be assigned to a user when no group information is returned by the Identity Provider or when the received group does not match any configured mapping.
  • Enter the Identity Provider group values against the corresponding Adobe Commerce customer groups as required.
  • Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Adobe Commerce group during SSO.
  • Example: If the group value from the Identity Provider is mapped to the General group in Adobe Commerce, any user with that group in the IdP will be assigned the General customer group upon SSO.
  • Enable the “Update Backend roles on SSO” checkbox if you want Adobe Commerce to update Admin roles each time a user logs in via SSO.
  • Use the Default Group dropdown to select the Adobe Commerce role that should be assigned to a user when no group information is returned by the Identity Provider or when the received group does not match any configured mapping.
  • Enter the Identity Provider group values against the corresponding Adobe Commerce Admin roles as required.
  • Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Adobe Commerce group during SSO.
  • Example: If the group value from the Identity Provider is mapped to the General group in Adobe Commerce, any user with that group in the IdP will be assigned the General Admin roles upon SSO.

Please reach out to us at magentosupport@xecurify.com, and our team will assist you with setting up the Adobe Commerce SSO (OAuth/OIDC) Extension. Our team will help you to select the best suitable solution/plan as per your requirement.
