Adobe Commerce Okta OAuth Single Sign-On (SSO) Integration

This guide explains how to configure Single Sign-On (SSO) between Adobe Commerce and Okta using OAuth 2.0 and OpenID Connect protocols. By integrating Okta as the identity provider, users can securely log in to the Adobe Commerce store using their existing organizational credentials. This removes the need for separate login details and simplifies user authentication. The integration supports essential SSO features such as attribute mapping and role mapping, allowing administrators to manage user access and permissions effectively. It also helps enhance security by ensuring that only authenticated users can access the store.
By the end of this guide, you will have a fully functional SSO setup, enabling users to smoothly log in to Adobe Commerce using their Okta credentials.

Using Composer:

  • Purchase the miniOrange Adobe Commerce OAuth Single Sign-On (SSO) extension from the Adobe Commerce Marketplace.
  • Go to My Profile -> My Purchases.
  • Ensure you are using the correct access keys (My Profile -> Access Keys).
  • Paste the access keys into the auth.json file inside your project.
  • Use the command below to add the extension to your project:
    composer require {module_name}:{version}
  • You can see the module name and list of versions in the selector below the extension module name.
  • Run the following commands at the command prompt to enable the extension:
    php bin/magento setup:upgrade

Manual installation:

  • Download the miniOrange Adobe Commerce OAuth Single Sign-On (SSO) extension.
  • Unzip all contents of the zip inside the MiniOrange/IDPSaml directory.
    {Root Directory}/app/code/MiniOrange/OAuth
  • Run the following commands at the command prompt to enable the extension:
    php bin/magento setup:upgrade

  • In the miniOrange Adobe Commerce SSO extension, navigate to the Application tab, select OAuth/OpenID, and click on the Okta application.
  • Copy the Callback URL from the extension. You’ll need this for the Okta configuration.
  • Go to https://www.okta.com/login and log into your Okta account.
  • Go to the Okta Admin panel, then go to Applications -> Applications.
  • On the screen that appears, click on the Create App Integration button.
  • Select OIDC - OpenID Connect as the sign-in method and Web Application as the application type, then click on the Next button.
  • You will be redirected to the app details page. Enter the App integration name and the Sign-in redirect URIs. You will get the redirect URI from the Redirect/Callback URL field under the 'OAuth Provider' tab of the miniOrange Adobe Commerce SSO (OAuth/OIDC) extension.
  • Scroll down to the Assignments section. Choose a controlled access option and uncheck the Enable immediate access with Federation Broker Mode option. Click on the Save button.
  • You will now get the Client credentials and Okta domain. Copy these credentials into the corresponding fields of the miniOrange Adobe Commerce SSO (OAuth/OIDC) extension configuration.

Note: Include https:// when entering the Okta domain in the Okta domain field of the Adobe Commerce Okta SSO extension. You will get the domain from General Settings, e.g. https://dev-32414285.okta.com.




2.1 Assign an app integration to a user

  • Go to the Applications tab and click on your application.
  • Select the Assignments tab.
  • Click Assign and select Assign to People.
  • If you want to assign the application to multiple users at the same time, select Assign to Groups. (If an app is assigned to a group, it is assigned to all the people in that group.)
  • Click Assign next to a user name.
  • Click Save and Go Back.
  • Click Done.

2.2 Profile Attributes for the ID Token

  • In your Okta admin dashboard, navigate to Security -> API.
  • Select your SSO application and click on the edit icon.
  • Go to the Claims tab and select the ID Token option.
  • Click on the Add Claim button.
  • Give a Name to your claim/attribute and select ID Token from the token type dropdown. Enter the value user.$attribute in the Value field, based on the attribute you want to receive. Keep the other settings as default and click on the Create button.
  • Follow similar steps for all the attributes you want to see. You will then have a list of the claims you created.
  • You will be able to see the attributes in the Test Configuration output.

You've successfully set up Okta as the OAuth Provider for Adobe Commerce Single Sign-On (SSO), allowing users to log in to your Adobe Commerce site securely with their Okta login credentials.

  • Now enter the OAuth Provider Name, Client ID, Client Secret, Scope and the provided endpoints.
  • Refer to the endpoints below to authorize Single Sign-On (SSO) with an Okta single-tenant environment to your Adobe Commerce site.
    Scope: openid
    Authorize Endpoint: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
    Access Token Endpoint: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    Get User Info Endpoint: https://login.windows.net/<tenant-id>/openid/userinfo
    Custom redirect URL after logout [optional]: https://login.microsoftonline.com/<tenant-id>/oauth2/logout?post_logout_redirect_uri=<your URL>
  • Refer to the scope and endpoints below to authorize Single Sign-On (SSO) with any Okta tenant environment to your Adobe Commerce site.
    Scope: openid
    Authorize Endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
    Access Token Endpoint: https://login.microsoftonline.com/common/oauth2/v2.0/token
    Get User Info Endpoint: https://login.windows.net/common/openid/userinfo
    Custom redirect URL after logout [optional]: https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=<your URL>
  • Click on the Save button to save the settings.
  • Click on the Test Configuration button.
  • You will see all the values returned by your OAuth Provider (Okta) to Adobe Commerce in a table. If you don't see a value for First Name, Last Name, Email or Username, make the required settings in your OAuth Provider to return this information.


Note: In the Enterprise Version of the extension you can set up multiple providers. To set up a different provider, click on the Add Provider button and configure your required provider. You can find the setup guides of all the providers from here.

  • Find your Okta application and click Edit in the Actions menu.
  • Click on Store Configuration from the left-hand menu.
  • In the Store Configuration, select the website where you want to activate SSO, and check the Enable SSO for this site option.
  • Show SSO Button on Login Page: Displays the SSO button on the selected website’s customer login page.
  • Auto-create Users: Automatically creates customer users during the SSO process if they do not already exist. Enable the corresponding checkbox to activate this feature.
  • Auto Redirect Feature: Automatically redirects users to the OAuth Provider login page, either from the Adobe Commerce login page or from any page on the website.
  • Go to the customer login page and you will see the SSO button on your frontend. Click on the button and test the SSO.
  • You will be successfully logged in to Adobe Commerce.

  • Enable SSO for Admins: Displays the SSO button on the admin login page.
  • Admin SSO Button Text: Sets the label displayed on the SSO button on the admin login page (e.g., Login via Okta).
  • Auto-create Admin Users: Automatically creates an admin user in Adobe Commerce when they log in via SSO for the first time.
  • Auto-Redirect from Admin: Automatically redirects admin users to the OAuth Provider login page from the admin login page.
  • Backdoor URL: A backdoor URL allows you to log in to your Admin dashboard using default Admin credentials in case you get locked out.
  • Visit your admin login page and you will see the SSO button. Click on the button to initiate SSO as an admin.
  • After successfully logging into Adobe Commerce as an admin, you will be redirected to the Adobe Commerce backend dashboard.
  • Enable for Customers: This option activates Headless SSO for customers.
  • Customer SSO URL: This URL is used to initiate customer SSO from headless applications. Use this SSO URL within your headless application.
    • Example Format: https://<your-domain>/mosso/actions/SendSSORequest?relayState={Store_URL}/headless_store_url/{Headless_URL}&app_name=Okta AD
    • {Store_URL}: Enter your Adobe Commerce store URL.
    • {Headless_URL}: Enter the URL of your headless application where the customer token should be sent.
    • After successful SSO, a customer token is sent to the headless URL.
      For example: {Headless_URL}?customer_token=...
  • OAuth Token: Enable this option to send the OAuth provider’s (Okta) JWT token along with the customer token.
  • Customer Token Expiry: Sets the expiration time (in minutes) for the customer token.
  • Whitelist Frontend URLs: Add the URLs that are allowed to receive the customer token. The customer token is only sent to the URL(s) whitelisted here.

  • Enable for Admins: Similar to customers, this option activates Headless SSO for admins.
  • Admin SSO URL: This URL initiates admin SSO from headless applications.
  • Admin Token Expiry: Sets the expiration time (in minutes) for the admin token.
  • Whitelist Frontend URLs: Admin tokens are only sent to the URLs whitelisted here. You must ensure that any URL receiving an admin token is listed.
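
As an added example (not the extension's code), the JavaScript below shows the strict matching worth applying when deciding which frontend URLs may receive a customer or admin token, and how a headless page can lift customer_token out of its landing URL. The hosts, paths and token value are constructed, and how the extension itself compares URLs against its whitelist is not stated on this page.

```javascript
// Added example. Hosts, paths and the token value are constructed placeholders.

// Parse a URL into origin + path (with trailing slash), or null if it must
// never receive a token.
function parseDestination(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.protocol !== 'https:') return null;   // no tokens over plain http
  if (u.username || u.password) return null;  // https://trusted@other-host form
  const path = u.pathname.endsWith('/') ? u.pathname : u.pathname + '/';
  return { origin: u.origin, path };
}

// Allowed only when scheme, host and port equal an allowlist entry and the
// path sits at or below that entry's path, compared on whole segments.
function isAllowedDestination(candidate, allowlist) {
  const c = parseDestination(candidate);
  if (c === null) return false;
  return allowlist.some((entry) => {
    const a = parseDestination(entry);
    return a !== null && a.origin === c.origin && c.path.startsWith(a.path);
  });
}

// Headless side: read customer_token from the landing URL and return the URL
// without it, so the token does not linger in history or Referer headers.
function extractCustomerToken(landingUrl) {
  const u = new URL(landingUrl);
  const token = u.searchParams.get('customer_token');
  u.searchParams.delete('customer_token');
  return { token, cleanedUrl: u.toString() };
}

const ALLOWLIST = ['https://app.example.com/sso/']; // constructed entry

for (const url of [
  'https://app.example.com/sso/callback',        // allowed
  'https://app.example.com.attacker.test/sso/',  // lookalike host
  'https://app.example.com@attacker.test/sso/',  // userinfo form
  'https://app.example.com/sso/../admin',        // path leaves the prefix
  'http://app.example.com/sso/callback',         // not https
]) {
  console.log(isAllowedDestination(url, ALLOWLIST), url);
}
```
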
  • Go to the Attribute Mapping section to configure Customer Attribute Mapping.
  • Enable Customer Attribute Mapping and select the checkbox to Update Customer Attributes.
  • You will see fields like Email, First Name, and Last Name under Customer Attributes Mapping.
  • Map these fields by selecting the appropriate options from the dropdown.
  • If you need to add more attributes, click the + Add Customer Attributes button and select the appropriate attribute from the dropdown.

  • In the Customer Attribute section, enable Address Attribute Mapping and select the checkbox to update Customer Address attributes.
  • You will see fields such as Street Address, Zip Code, City, State, and others under Customer Address Mapping.
  • Map these fields by selecting the appropriate options from the dropdown.
  • If you need to add additional address attributes, click the + Add Address Attributes button and choose the appropriate attribute from the dropdown.

  • In the Admin Attribute Mapping section, enable Admin Attribute Mapping and select the checkbox to update Admin attributes.
  • You will see fields like Email, Username, First Name, and Last Name under Admin Attributes Mapping.
  • Map these fields by selecting the appropriate options from the dropdown.
  • If you need to add more attributes, click the + Add Admin Attributes button and select the appropriate attribute from the dropdown.

  • In the B2B Mapping section, enable B2B Company Mapping and select the checkbox to update B2B Company attributes.
  • Company Attribute: This is the field from your Identity Provider (IdP) that contains the company name or ID for the user.
  • Default Company: If no matching company is found from the IdP data, the user will be assigned to this default company.
  • Enter the Identity Provider company values against the corresponding Adobe Commerce customer company as required.
  • Example: If the company attribute value received from the Identity Provider is mapped to miniOrange or newCompany in Adobe Commerce, users logging in via SSO are automatically assigned to the respective company. For instance, if the IdP company attribute value is mapped to the miniOrange company in Adobe Commerce, the user is mapped to the miniOrange company.
  • Adobe Commerce uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site. Role mapping helps you assign specific roles to users of a certain group in your OAuth Provider.
  • From the dropdown, select the attribute from your identity provider that contains group/role information for both admin and customer users.

  • In the Customer Group Mapping settings, the store admin can define which Adobe Commerce customer group should be assigned based on the group information received from the Identity Provider (IdP) during Single Sign-On (SSO).
  • Enable the “Update frontend group on SSO” checkbox if you want Adobe Commerce to update the customer group each time a user logs in via SSO.
  • Use the Default Group dropdown to select the Adobe Commerce group that should be assigned to a user when no group information is returned by the Identity Provider or when the received group does not match any configured mapping.
  • Enter the Identity Provider group values against the corresponding Adobe Commerce customer groups as required.
  • Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Adobe Commerce group during SSO.
  • Example: If the group value from the Identity Provider is mapped to the General group in Adobe Commerce, any user with that group in the IdP will be assigned the General customer group upon SSO.

  • Enable the “Update Backend roles on SSO” checkbox if you want Adobe Commerce to update Admin roles each time a user logs in via SSO.
  • Use the Default Group dropdown to select the Adobe Commerce role that should be assigned to a user when no group information is returned by the Identity Provider or when the received group does not match any configured mapping.
  • Enter the Identity Provider group values against the corresponding Adobe Commerce Admin roles as required.
  • Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Adobe Commerce group during SSO.
  • Example: If the group value from the Identity Provider is mapped to the General group in Adobe Commerce, any user with that group in the IdP will be assigned the General Admin roles upon SSO.
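
The stale-privilege case these settings create, as an added example (a model of the behaviour described above, not the extension's code). Group and role names are constructed, and the rule that the first matching mapping row wins when a user holds several mapped groups is an assumption.

```javascript
// Added example: model of group-to-role mapping with a default role and the
// "Update Backend roles on SSO" switch. All names are constructed.

// Accept the group claim as an array or as a comma-separated string.
function normaliseGroups(claim) {
  if (Array.isArray(claim)) return claim.map(String);
  if (typeof claim === 'string') {
    return claim.split(',').map((g) => g.trim()).filter(Boolean);
  }
  return []; // claim missing from the token
}

// First mapping row whose IdP group the user holds wins, else the default.
// Assumption: row order decides precedence when several groups match.
function resolveRole(claim, rows, defaultRole) {
  const groups = new Set(normaliseGroups(claim));
  const hit = rows.find((row) => groups.has(row.idpGroup));
  return hit ? hit.role : defaultRole;
}

// Role an admin account holds after an SSO login.
// existingRole is null on the first login of an auto-created account.
function roleAfterLogin(existingRole, claim, config) {
  const resolved = resolveRole(claim, config.rows, config.defaultRole);
  if (existingRole === null) return resolved;
  return config.updateOnSso ? resolved : existingRole; // off: old role is kept
}

const CONFIG = {
  rows: [
    { idpGroup: 'commerce-admins', role: 'Administrators' },
    { idpGroup: 'commerce-support', role: 'Support (read-only)' },
  ],
  defaultRole: 'Support (read-only)', // also applies when no group matches
  updateOnSso: true,
};

// A user who was in commerce-admins and has since been removed from it in the IdP.
const claimAfterRemoval = ['Everyone'];
console.log('update on :', roleAfterLogin('Administrators', claimAfterRemoval, CONFIG));
console.log('update off:', roleAfterLogin('Administrators', claimAfterRemoval,
  { ...CONFIG, updateOnSso: false }));
```

With the update option off, an admin removed from the mapped group in Okta keeps the earlier role, so the default role is best kept at the lowest privilege and the update option enabled.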

Please reach out to us at magentosupport@xecurify.com, and our team will assist you with setting up the Adobe Commerce SSO (OAuth/OIDC) Extension. Our team will help you select the most suitable solution/plan for your requirements.
