Magento PingFederate Single Sign-On (SSO) | SSO into Magento using PingFederate Credentials

Overview

The PingFederate Magento SSO enables secure and seamless login to your Magento by using PingFederate as your OAuth and OpenID Connect provider. With PingFederate Magento login, users can access the store using PingFederate login credentials. This means with our extension, users of your PingFederate organization/directory can login into your Magento store using their PingFederate login cedentials. Our Magento PingFederate Login extension provides secure Single Sign-On (SSO) integration with advanced features like attribute mapping, role mapping, and access control. It enhances site security by ensuring that only verified users can log in or register your Magento site. With a simple Magento PingFederate SSO setup process, the plugin streamlines user authentication and improves overall access management. Follow the guide below to install and configure PingFederate Magento SSO effortlessly. Click here to read more about the Magento OAuth Single Sign-On (OAuth & OpenID Connect Client) extensions extra features.

Installation Steps

• Using Composer
• Manual Installation

• Purchase the miniOrange Magento OAuth Single Sign-On (SSO) extension from Magento Marketplace (Adobe Commerce Marketplace).
• Go to My profile -> My Purchases
• Please ensure you are using correct access keys (My Profile - Access Keys)
• Paste the access keys in your auth.json file inside your project
• Use the below command to add the extension to your project.

  "composer require {module_name}:{version}"

• You can see the module name and list of versions in the selector below the extension module name.
• Run the following commands on command prompt to enable the extension.

php bin/magento setup:upgrade

• Download the miniOrange Magento OAuth Single Sign-On (SSO) extension.
• Unzip all contents of the zip inside the MiniOrange/IDPSaml directory.

{Root Directory of Magento} app code MiniOrange OAuth

• Run the following commands on command prompt to enable the extension

php bin/magento setup:upgrade

Configuration Steps

1. Configure miniOrange SSO Extension

• In the miniOrange Magento SSO extension, navigate to the Application tab, select OAuth/Openid, and click on PingFederate application.

• Copy the Callback URL from the extension. You’ll need this for PingFederate configuration.

2. Setup PingFederate as OAuth Provider for Magento PingFederate SSO Login

• Login to your PingFederate User Admin dashboard.
• Click on the OAuth Server in the left navigation menu.
• Under Clients section, click on Create New.

• Copy the Redirect/Callback URL from the module/plugin and enter it in Redirect URIs field and click on Add. Select the Authorization Code grant type and click on the Save.

• Enter the Client ID, Name and Description. Select Client Secret in Client Authentication and click on Generate Secret. Take a note of your Client ID & Client Secret.

3. Setup Magento as OAuth Client

• Now, Enter the OAuth Provider Name, Client ID, Client Secret, Scope and provided endpoints.
• Please refer the Endpoints table provided below to authorize Single Sign-On (SSO) with PingFederate to your Magento site.

• Click on the Save button to save the settings.
• Click on the Test Configuration button.

• You will see all the values returned by your OAuth Provider to Magento in a table. If you don't see value for First Name, Last Name, Email or Username, make the required settings in your OAuth Provider to return this information.

4. Multisite Settings (*Available in the Enterprise versions)

• Find your PingFederate application and click Edit in the Actions menu.

• Click on Store Configuration from the left-hand menu.
• In the Store Configuration, select the website where you want to activate SSO, and check the Enable SSO for this site option.

 Login Settings

• Show SSO Button on Login Page: Displays the SSO button on the selected website’s customer login page.
• Auto-create Users: You have the option to automatically create customer users during the SSO process if they do not already exist. Enabling the corresponding checkbox activates this feature.
• Auto Redirect Feature: Automatically redirects users to the OAuth Provider login page, either from the Magento login page or from any page on the website.

• Go to customer login page and you will see the SSO button on your frontend. Click on the button and test the SSO.

• You will be sucessfully logged in into Magento.

5. Admin SSO

• Enable SSO for Admins: Displays the SSO button on the Admin login Page.
• Admin SSO Button Text: Sets the label displayed on the SSO button on the admin login page (e.g., Login via PingFederate).
• Auto-create Admin Users: Automatically creates admin user in Magento when they log in via SSO for the first time.
• Auto-Redirect from Admin: Automatically redirects admin users to the OAuth Provider login page from the admin login page.
• Backdoor URL: A backdoor URL allows you to log in to your Admin dashboard using default Admin credentials in case you get locked out.

• Visit your admin login page and you will see the SSO button on your admin page. Click on the button to initate SSO as an admin.

• After sucessfully logged into magento as admin you will be redirect to magento backend dashboard.

6. Headless SSO Settings (*Available in the premium versions)

• Enable for Customers: This option allows you to activate Headless SSO for customers.
• Customer SSO URL: This URL is used to initiate customer SSO from headless applications. Append this SSO URL within your headless application.
  • Example Format:
    https://<your-magento-domain>/mosso/actions/SendSSORequest?relayState={Store_URL}/headless_store_url/{Headless_URL}&app_name=PingFederate
  • {Store_URL}: Enter your Magento store URL.
  • {Headless_URL}: Enter the URL of your headless application where the customer token should be sent.
  • After successful SSO, a customer token is sent to the headless URL.
    For example: {Headless_URL}?customer_token=...
• OAuth Token:Enable this option to send the OAuth provider’s (PingFederate) JWT token along with the customer token.
• Customer Token Expiry: You can set the expiration time (in minutes) for the customer token.
• Whitelist Frontend URLs: Here, you can add URLs that are allowed to receive the customer token. The customer token will only be sent to the URL(s) that are whitelisted here.

• Enable for Admins: Similar to customers, this option activates Headless SSO for admins.
• Admin SSO URL: This URL initiates admin SSO from headless applications.
• Admin Token Expiry: Set the expiration time (in minutes) for the admin token.
• Whitelist Frontend URLs: Admin tokens are only sent to the whitelisted URLs here. You must ensure that any URL receiving an admin token is listed.

7. Attribute / Custom Mapping(Optional). *This is Premium feature.

 Customer Attribute Mapping

• Go to the Attribute Mapping section to configure Customer Attribute Mapping.
• Enable Customer Attribute Mapping and select checkbox the option to Update Customer Attributes.

• You will see fields like Email, First Name, and Last Name under Customer Attributes Mapping.
• Map these fields by selecting the appropriate options from the dropdown.
• If you need to add more attributes, click the + Add Customer Attributes button and select the appropriate attribute from the dropdown.

 Customer Address Mapping

• In the Customer Attribute section, enable Address Attribute Mapping and select the checkbox to update Customer Address attributes.

• You will see fields such as Street Address, Zip Code, City, State, and others under Customer Address Mapping.
• Map these fields by selecting the appropriate options from the dropdown.
• If you need to add additional address attributes, click the + Add Address Attributes button and choose the appropriate attribute from the dropdown.

 Admin Attribute Mapping

• In the Admin Attribute Mapping section, enable Admin Attribute Mapping and select the checkbox to update Admin attribute.

• You will see fields like Email, Username First Name, and Last Name under Admin Attributes Mapping.
• Map these fields by selecting the appropriate options from the dropdown.
• If you need to add more attributes, click the + Add Admin Attributes button and select the appropriate attribute from the dropdown.

8. Group/Role Mapping (Optional). *This is Premium feature.

• Magento uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site. Role mapping helps you to assign specific roles to users of a certain group in your OAuth Provider.
• Select the attribute from your identity provider that contains group/role information for both admin and customer users from the dropdown.

 Customer Group Mapping

• In the Customer Group Mapping settings, the store admin can define which Magento customer group should be assigned based on the group information received from the Identity Provider (IdP) during Single Sign-On (SSO).
• Enable the “Update frontend group on SSO” checkbox if you want Magento to update customer group each time a user logs in via SSO.
• Use the Default Group dropdown to select the Magento Groups that should be assigned to a user when no group information is returned by the Identity Provider or when the received group does not match any configured mapping.

• Enter the Identity Provider group values against the corresponding Magento customer groups as required.
• Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Magento group during SSO.
• Example: If the group value from the Identity Provider is mapped to the General group in Magento, any user with that group in the IdP will be assigned the General customer group upon SSO.

 Admin Role Mapping

• Enable the “Update Backend roles on SSO” checkbox if you want Magento to update Admin roles each time a user logs in via SSO.
• Use the Default Group dropdown to select the Magento role that should be assigned to a user when no group information is returned by the Identity Provider or when the received group does not match any configured mapping.

• Enter the Identity Provider group values against the corresponding Magento Admin roles as required.
• Users belonging to a specific group in the Identity Provider will be automatically assigned the mapped Magento group during SSO.
• Example: If the group value from the Identity Provider is mapped to the General group in Magento, any user with that group in the IdP will be assigned the General Admin roles upon SSO.

Additional Resources

• Magento Security Solutions
• What is Single Sign-On (SSO) Login?
• Magento OAuth Single Sign On (SSO) Plugin.

Get in Touch

Please reach out to us at magentosupport@xecurify.com, and our team will assist you with setting up the Magento 2 SSO (OAuth/OIDC) Extension. Our team will help you to select the best suitable solution/plan as per your requirement.