Ch. 065b Single Sign-On (SSO)

PRESSERO > Pressero Documentation Manual
Single sign-on (SSO) is a session and user authentication service that allows your customer to use one set of login credentials (e.g., name and password) to access multiple applications. With Pressero, there are three methods you can use to enable single sign-on:
 
1. Authentication by passing username and password via URL
2. Open Authorization (OAuth) (customers can log in with their Facebook, Twitter, or Google accounts)
3. Security Assertion Markup Language (SAML) (Azure, Okta, OneLogin, PingOne, Salesforce, and a Custom/Generic option for others like Active Directory (ADFS))
 
 

Find details of these three options below. 


1. Authentication by passing user name and password via URL

This works well when a user has already logged into their company intranet and you want to pass the login details so they don't have to log in again to order in the portal. There is no cost to use this process. This assumes the user account already exists in the Pressero site. The URL for passing people through to a B2B site when they're already logged into their intranet is as follows:

http://domain.com/login?userEmail=xxxx&userPassword=yyyy

domain = your B2B site's domain
xxxx = the user's email address (or username)
yyyy = the user's password
 
1a. User Impersonation - A variation of this is that instead of sending the user's actual password, you can enable user impersonation for your site (or your subscriber) and pass an impersonation password in the URL. See Chapter 5 and Chapter 30 of the Pressero user manual.
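As an added example (not part of the Pressero manual), the following Python builds and checks a pass-through login URL of the form shown above. It assumes a constructed site domain and credentials, uses https rather than the plain http in the example URL, and percent-encodes the values so that an address containing '@' or a password containing '&' or '#' cannot corrupt the query string.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def build_login_url(site_domain: str, user_email: str, password: str) -> str:
    """Build https://<domain>/login?userEmail=...&userPassword=... for a B2B site.

    site_domain is the site's domain (constructed sample: "orders.example.com").
    The values are percent-encoded, so an address with '@' or a password containing
    '&', '#' or spaces cannot truncate or corrupt the query string.
    """
    if not site_domain or "/" in site_domain or ":" in site_domain:
        raise ValueError("site_domain must be a bare host name, without scheme, port or path")
    # Assumption: the site is served over https, so the query string is not readable
    # in transit. Even then it is recorded in browser history and in proxy and web
    # server access logs, which is why the impersonation-password variant (1a) is
    # preferable to sending the user's real password.
    query = urlencode({"userEmail": user_email, "userPassword": password})
    return urlunsplit(("https", site_domain, "/login", query, ""))


def parse_login_url(url: str) -> dict:
    """Decode a pass-through URL back into its fields, to verify the encoding round-trips."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "scheme": parts.scheme,
        "host": parts.netloc,
        "userEmail": params.get("userEmail", [""])[0],
        "userPassword": params.get("userPassword", [""])[0],
    }


if __name__ == "__main__":
    # Constructed sample credentials; the password deliberately contains '&', '#' and a space.
    url = build_login_url("orders.example.com", "jane.doe@example.com", "p&ss#word 1")
    print(url)
    print(parse_login_url(url))
```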
 

2. Configuring OAuth2 Providers (Logging in through Facebook, Twitter or Google)

OAuth 2 enables access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user's account and then authorizing access to that user's account on Pressero. This option is available to Pressero subscribers with Professional or Enterprise packages. You can locate and set up the following providers under Admin > Sites > Single Sign-On (SSO).
 
For OAuth SSO we support the following services:
  • Facebook (https://developers.facebook.com)
  • Twitter (https://apps.twitter.com)
  • Google (https://console.developers.google.com/)
To enable these providers on the storefront, you must create a developer account with each provider; there you will generate a pair of keys, the App Key and the Secret Key.
 
In the following section we're going to explain how to generate those keys.
 
 
Facebook
  • After creating a developer account, go to https://developers.facebook.com, open the My Apps drop-down at the top right and select Add a New App.
  • Facebook shows a configuration window where you set the application name, contact email and category. After filling in all the fields, click Create App ID.
  • Facebook then shows a window with all the options for the application; choose the Facebook Login option.
  • From there select the platform, in our case Web.
  • Facebook shows a window where you can set the application address. Use the site's primary address from Pressero and click Next to close this window; you can ignore the remaining configuration that Facebook shows.
  • Once that is done, the top left shows My Apps instead of Create a Project. Click the link to list all your applications, then click the application you want to configure.
  • You will then see the application's basic information, including the App Key and Secret Key; you need these keys to configure your store on Pressero.
  • There are many other things you can configure here, such as ads, restrictions and other settings; for more information please check the Facebook documentation.
  • Now in Pressero go to admin > Sites > Single Sign-on (SSO) and create a new entry for the Facebook authentication process.
  • Click Add New Single Sign-On Provider. In the configuration window provide a name for the provider, select Facebook as the identity provider and choose the default group for the user, then click Save. The application then shows two new fields, App Key and App Secret; copy these values from the Facebook page and click Save again.
  • Once that is done, the application is configured to use Facebook as the login provider.
  • When you set up the Facebook SSO application on https://developers.facebook.com, the app is private and only the person who created it can log in, until you make it public.
    When you are ready to let your customers log in to the storefront with Facebook, you must activate the application and take it out of development mode. To activate the app, go to https://developers.facebook.com > Login > App, select "App Review" from the left menu, and there you will see an option to activate the application and set it as public. Once you do this, all users can use the Facebook button on your site to log in.
Twitter
  • First go to https://apps.twitter.com and click the Create New App button.
  • Twitter shows a new window where you set the application's basic information.
  • You are then redirected to the application configuration page, where you see the App Key and the basic authentication information. First go to the Settings tab and enter the URLs for your Privacy Policy and Terms of Service; this information is required so that Twitter can return the user's email address during authentication.
  • Then go to the Permissions tab and check Request email address from users.
  • Save the settings and go to the Keys and Access Tokens tab; you need the API key and secret listed on this page.
  • There are many other things you can configure here, such as ads, restrictions and other settings; for more information please check the Twitter documentation.
  • Now in Pressero go to admin > Sites > Single Sign-on (SSO) and create a new entry for the Twitter authentication process.
  • Click Add New Single Sign-On Provider. In the configuration window provide a name for the provider, select Twitter as the identity provider and choose the default group for the user, then click Save. The application then shows two new fields, App Key and App Secret; copy these values from the Twitter page and click Save again.
  • With that done, the application is configured to use Twitter as the login provider.

Google
  • First go to https://console.developers.google.com/ and click Credentials on the left side; a pop-up menu appears. Click Create a Project.
  • Set the application identification and click Save. In the new window, select OAuth Client ID from the drop-down menu.
  • The site shows a menu where you select the application type. Select Web application, give it a name and click Save.
  • The site then redirects you to the application list. Select the application and Google shows the application Key and Secret.
  • There are many other things you can configure here, such as ads, restrictions and other settings; for more information please check the Google documentation.
  • Now in Pressero go to the SSO configuration window and create a new entry for the Google authentication process.
  • Click Add New Single Sign-On Provider. In the configuration window provide a name for the provider, select Google as the identity provider and choose the default group for the user, then click Save. The application then shows two new fields, App Key and App Secret; copy these values from the Google page and click Save again.
  • Once that is done, the application is configured to use Google as the login provider.

 

3. SAML - (Security Assertion Markup Language)

This is a standard protocol for web-browser single sign-on using security tokens. SAML securely eliminates passwords. There is a cost to add SAML to your storefronts, and each site must be activated individually. To activate SAML, contact either your sales representative or the Pressero support team; they will work with you to implement this service.
 
By default Pressero provides pre-defined configurations for the following identity providers:
  • Azure AD (http://azure.microsoft.com)
  • Okta (www.okta.com)
  • OneLogin (www.onelogin.com)
  • PingOne (www.pingidentity.com)
  • SalesForce (www.salesforce.com)
  • A Custom option is also available (see the last item in this list)
This means that Pressero has been tested with these identity providers (IdPs). If you use a different identity provider, you can configure the application manually so it can communicate with your custom IdP.

Mapping

Mapping helps customers who already have attributes defined on their IdP: rather than creating new attributes, you can map the existing ones to the variables Pressero recognizes.

The mapping tool is on the SSO configuration page. From there you can define all the necessary mappings, so that Pressero can use all the information the IdP returns.

For example, if the customer's IdP stores the UserGroup name in the attribute memberOf, then after mapping, when Pressero receives the SAML data it looks for the UserGroup name in the attribute memberOf. Field names and field values are case sensitive, so configure them carefully to avoid problems.
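The following added Python example (not part of the Pressero manual or product) shows what such a mapping does with a constructed SAML attribute statement: IdP attribute names such as givenName, sn, mail and memberOf are mapped onto the Pressero fields listed in this chapter, the required FirstName/LastName/Email fields are enforced, and the case-sensitive comparison the text warns about is visible. It also serves as the worked example for the attribute lists in the Azure, Okta, OneLogin, PingOne and SalesForce sections below; treating an attribute that is already named like a Pressero field as needing no mapping entry is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The fields Pressero requires, and the optional profile fields listed in this chapter.
REQUIRED_FIELDS = ("FirstName", "LastName", "Email")
OPTIONAL_FIELDS = (
    "UserGroup", "Address1", "Address2", "Address3", "Country", "Telephone", "Postcode",
    "City", "State", "MiddleName", "Title", "CellPhone", "MISID", "Business", "Fax", "Department",
)
ALL_FIELDS = REQUIRED_FIELDS + OPTIONAL_FIELDS


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: first AttributeValue text} from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def map_to_pressero(idp_attrs: dict, mapping: dict) -> dict:
    """Apply an {IdP attribute name: Pressero field} mapping to the received attributes.

    Names are compared case-sensitively, as the manual warns: a mapping entry for
    'memberof' will not pick up an attribute named 'memberOf'. Attributes whose name
    already equals a Pressero field are taken as-is (assumed default behaviour).
    Raises ValueError when a required field is missing or the mapping names an
    unknown Pressero field.
    """
    profile = {}
    for idp_name, pressero_field in mapping.items():
        if pressero_field not in ALL_FIELDS:
            raise ValueError("unknown Pressero field in mapping: " + pressero_field)
        if idp_attrs.get(idp_name):
            profile[pressero_field] = idp_attrs[idp_name]
    for name, value in idp_attrs.items():
        if name in ALL_FIELDS and name not in mapping and value:
            profile.setdefault(name, value)
    missing = [f for f in REQUIRED_FIELDS if f not in profile]
    if missing:
        raise ValueError("IdP assertion lacks required field(s): " + ", ".join(missing))
    return profile


# Constructed sample assertion fragment (unsigned; only the attribute statement matters here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>Marketing</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The mapping a customer would enter in the tool: IdP attribute -> Pressero field.
SAMPLE_MAPPING = {"givenName": "FirstName", "sn": "LastName", "mail": "Email", "memberOf": "UserGroup"}

if __name__ == "__main__":
    print(map_to_pressero(extract_attributes(SAMPLE_ASSERTION), SAMPLE_MAPPING))
```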
 
Below you will find instructions for adding each of the pre-defined configurations, along with instructions for adding a custom identity provider.
 
Azure AD
To configure the Azure AD provider, first log in to your Azure account and go to the management portal (https://manage.windowsazure.com).
 
  • Select All Items and then your directory.
  • In your directory click the Applications tab, then click the Add button at the bottom of the window.
  • The site shows a dialog box with two options; select the first one (Add an application my organization is developing).
  • Give the application a name and set the type to Web Application and/or Web API.
  • Click Next; the next window requires some information from Pressero.
This next step assumes you have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO.
  • In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
  • Click Add New Single Sign-on Provider. In the new window, give the provider a name, select the provider you will use to authenticate users and the default group new users will be assigned to, then click Save. The application generates the endpoint URL; copy this URL and open the SAML configuration page on the Azure site.
  • Set the Sign On URL to the endpoint address provided by Pressero, set the APP ID URL to the site's primary domain, and click the check/OK button.
The application is now created and configured on Azure, but you must bring the configuration data back to Pressero:
  • Click the Configure tab on the application properties page in Azure, then click View Endpoints at the bottom of the page.
  • The application shows a dialog box; select the Federation Metadata Document and save the generated XML file.
  • Now back in Pressero, open the Single Sign-on configuration window and import the metadata file and your PFX (Personal Information Exchange) file. If you do not provide a PFX file, Pressero tries to use a default certificate. If you do provide a certificate file, do not forget to enter the certificate password; otherwise the application cannot load the certificate and the SSO process will not work.
  • After selecting both the metadata file and the certificate and entering the certificate password, click Save. The window loads all the necessary configuration, making SSO available to your site.
Configuring attributes on Azure:

For SSO to work properly, you must create a few attributes in Azure AD so that Pressero can identify the user. Pressero requires the identity provider to supply the following information about the user:
  • FirstName
  • LastName
  • Email
You can also return the following information, which is used to fill in the user profile:
  • UserGroup (The usergroup name in Pressero)
  • Address1
  • Address2
  • Address3
  • Country (ISO 3166-2)
  • Telephone
  • Postcode
  • City
  • State (2 letters)
  • MiddleName
  • Title
  • CellPhone
  • MISID
  • Business
  • Fax
  • Department
 

Okta

To configure the Okta provider, first log in to your Okta account.
  • Go to the admin area and select Add Application.
  • Select Create Application and choose SAML 2.0 as the authentication method.
  • In the next window provide the basic information for the app, such as its name, logo and visibility.
  • In the next step you see the basic SAML configuration, but before you can complete it you must activate the SAML endpoint in Pressero.
This next step assumes you have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO, which also means that each site is a different application on Okta.
  • In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
  • Click Add New Single Sign-on Provider. In the new window, create an alias for the provider, select the provider you will use to authenticate users and the default group new users will be assigned to.
  • Click Save; the application generates the endpoint URL. Copy this URL and open the SAML configuration page on the Okta site.
  • Set the Single sign on URL to the endpoint address provided by Pressero and set the Audience URI (SP Entity ID) to the site's primary domain.
  • Next, configure the SAML attributes. Pressero needs some information to identify the user. At a minimum, the identity provider must supply the following information about the user:
    • FirstName
    • LastName
    • Email
  • You can also return the following information, which is used to fill in the user profile:
    • UserGroup (The usergroup name in Pressero)
    • Address1
    • Address2
    • Address3
    • Country (ISO 3166-2)
    • Telephone
    • Postcode
    • City
    • State (2 letters)
    • MiddleName
    • Title
    • CellPhone
    • MISID
    • Business
    • Fax
    • Department
  • After configuring the attributes, click Next and the site displays the final window. Select I'm an Okta customer adding an internal app and click Finish.
  • Okta then redirects you to the application's Sign On configuration window. From there, click View Setup Instructions.
  • In the next window Okta provides all the information needed for the final configuration in Pressero. Copy the content of the metadata area and save it in a text file with the .xml extension.
  • Now back in Pressero, open the Single Sign-on configuration window and import the metadata file and your PFX (Personal Information Exchange) file. If you do not provide a PFX file, Pressero tries to use a default certificate. If you do provide a certificate file, do not forget to enter the certificate password; otherwise the application cannot load the certificate and the SSO process will not work.
  • After selecting both the metadata file and the certificate and entering the certificate password, click Save. The window loads all the necessary configuration, making SSO available to your site.
 
OneLogin

To configure the OneLogin provider:
  • First log in to your OneLogin account (https://app.onelogin.com/login) and select New App.
  • Search for SAML and select SAML Test Connection (IdP); OneLogin redirects you to the basic configuration window.
  • Enter the application name, select the icons and banners, then click Save. The UI then changes to show all the available options. Select the Configuration tab, where you will see a set of options.
This next step assumes you have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO, which means that each site is a different application on OneLogin.
  • In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
  • Click Add New Single Sign-on Provider. In the new window, create an alias for the provider, select the provider you will use to authenticate users and the default group new users will be assigned to. Click Save; the application generates the endpoint URL. Copy this URL and open the SAML configuration page on the OneLogin site.
  • Now go back to the OneLogin configuration window and set the address fields (replace the address with the one Pressero generated).
  • Click Save. After saving, go to the SSO tab, change the SAML Signature Algorithm from SHA-1 to SHA-256 and click Save again.
  • Then click the More Actions button and select SAML Metadata; save the XML file, as you will need it to import the data into Pressero.
Before importing the data into Pressero, go to the Parameters tab and add the following fields:
  • FirstName
  • LastName
  • Email
Double-click each parameter to map it to a profile field.

This is necessary because Pressero needs some basic information to identify the user, so the identity provider must return these user fields.

You can also return the following information, which is used to fill in the user profile:
  • UserGroup (The usergroup name in Pressero)
  • Address1
  • Address2
  • Address3
  • Country (ISO 3166-2)
  • Telephone
  • Postcode
  • City
  • State (2 letters)
  • MiddleName
  • Title
  • CellPhone
  • MISID
  • Business
  • Fax
  • Department
Now back in Pressero:
  • Open the Single Sign-on configuration window and import the metadata file and your PFX (Personal Information Exchange) file. If you do not provide a PFX file, Pressero tries to use a default certificate. If you do provide a certificate file, do not forget to enter the certificate password; otherwise the application cannot load the certificate and the SSO process will not work.
  • After selecting both the metadata file and the certificate and entering the certificate password, click Save. The window loads all the necessary configuration, making SSO available to your site.
 
PingOne

To configure the PingOne provider:
  • First log in to your PingOne account (https://admin.pingone.com).
  • Click the Applications tab, then click Add Application and select New SAML Application.
  • The site shows a new configuration window where you set the application's basic information, such as name, logo and category. Then click Continue to Next Step.
This next step assumes you have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO, which means that each site is a different application on PingOne.
  • In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
  • Click Add New Single Sign-on Provider. In the new window, create an alias for the provider, select the provider you will use to authenticate users and the default group new users will be assigned to. Click Save; the application generates the endpoint URL. Copy this URL and open the SAML configuration page on the PingOne site.
  • Now go back to the PingOne configuration window and set the address fields (replace the address with the one Pressero generated).
  • Before saving, click the Download link to download the metadata file you will use in Pressero (more on that later).
  • Now click Continue to the next step, where you can customize the attributes returned by the IdP.
This step is necessary because Pressero needs some basic information to identify the user, so the identity provider must return the following fields:
  • FirstName
  • LastName
  • Email
You can also return the following information, which is used to fill in the user profile:
  • UserGroup (The usergroup name in Pressero)
  • Address1
  • Address2
  • Address3
  • Country (ISO 3166-2)
  • Telephone
  • Postcode
  • City
  • State (2 letters)
  • MiddleName
  • Title
  • CellPhone
  • MISID
  • Business
  • Fax
  • Department
 
  • Now click Save and Publish. The site displays a review report where you can download the metadata file. Click Finish, then go back to Pressero and open the Single Sign-on configuration window.
  • In the Pressero UI import the metadata file and your PFX (Personal Information Exchange) file. If you do not provide a PFX file, Pressero tries to use a default certificate. If you do provide a certificate file, do not forget to enter the certificate password; otherwise the application cannot load the certificate and the SSO process will not work.
 
SalesForce

To configure the SalesForce provider:
  • First log in to your SalesForce account (https://login.salesforce.com) and go to Security Controls -> Identity Provider.
  • Enable the Identity Provider; the generated self-signed certificate is fine to use. Click the Download Metadata button and then the "Service Providers are now created via Connected Apps. Click here" link.
This next step assumes you have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO, which means that each site is a different application on SalesForce.
  • In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
  • Click Add New Single Sign-on Provider. In the new window, create an alias for the provider, select the provider you will use to authenticate users and the default group new users will be assigned to. Click Save; the application generates the endpoint URL. Copy this URL and open the SAML configuration page on the SalesForce site.
  • Now go back to the SalesForce configuration window and set the address fields (replace the address with the one Pressero generated).
  • In this window, fill in the fields with basic information, such as the application name (SalesForce fills in the API name field), the contact email address, icon URL, description, etc.
  • Under Web App Settings, check the Enable SAML checkbox and fill in the fields with the following information (sample values shown):
  • Entity ID: http://redfrog.localtest.me
  • ACS URL: http://redfrog.localtest.me/SSO/Assertion/d1866310-a454-4873-91db-3bd7de3ee9a7
  • Then click Save.
  • Now go to Manage Apps -> Connected Apps and select the app you just created.
  • Go to the bottom of the window and set the profile associated with the application and the users allowed to access it; otherwise SalesForce denies access to the application even if the user exists in the company's user directory.
  • Also in this part of the window you must create some specific SAML attributes. This step is necessary because Pressero needs some basic information to identify the user, so the identity provider must return the following fields:
    • FirstName
    • LastName
    • Email
  • You can also return the following information, which is used to fill in the user profile:
    • UserGroup (The usergroup name in Pressero)
    • Address1
    • Address2
    • Address3
    • Country (ISO 3166-2)
    • Telephone
    • Postcode
    • City
    • State (2 letters)
    • MiddleName
    • Title
    • CellPhone
    • MISID
    • Business
    • Fax
    • Department
  • Now in the Pressero UI import the metadata file and your PFX (Personal Information Exchange) file. If you do not provide a PFX file, Pressero tries to use a default certificate. If you do provide a certificate file, do not forget to enter the certificate password; otherwise the application cannot load the certificate and the SSO process will not work.
 
Custom/Generic

With the Generic provider you are free to configure the SSO service yourself; Pressero exposes all the settings needed for it to communicate with your IdP server.
 
The steps are similar to the other providers, assuming you have already added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO.
  • In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
  • After enabling the endpoint, copy the address generated by Pressero into your IdP. The settings usually look like this (sample data):
    • Entity ID: http://openfrog.dev6.pressero.com
    • ACS URL: http://openfrog.dev6.pressero.com/SSO/Assertion/85bebb80-28ac-4adf-83bf-91c432278e7e
  • When that configuration is done, obtain the metadata file generated by the IdP server and import it into Pressero together with your PFX (Personal Information Exchange) file. If you do not provide a PFX file, Pressero tries to use a default certificate. If you do provide a certificate file, do not forget to enter the certificate password; otherwise the application cannot load the certificate and the SSO process will not work.
  • After loading the data, Pressero enables the SSO configuration window, where you can set all the settings needed to enable SSO.
  • It loads the IdP identity name, SignOn URL and Single Logout URL automatically, if that data is present in the metadata file.
  • You must set the following values manually:
    • Assertion is Signed: check this if your IdP server signs the assertion
    • Certificate is Embedded: check this if your IdP sends the certificate in the request/response
    • Sign Authentication Request: check this if the authentication request is signed
    • Response is Signed: check this if the response is signed
    • Assertion is Encrypted: check this if the IdP encrypts the assertion
    • Signature Method: the application supports SHA-1, SHA-256, SHA-384 and SHA-512.
  • When done with the configuration, click Save and try to access the store using the following URL (sample data): http://openfrog.dev6.pressero.com/SSO/Initiate/85bebb80-28ac-4adf-83bf-91c432278e7e
  • This should redirect you to the IdP login page. If the application does not redirect to the expected page, there is a misconfiguration; review it and try again.
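As an added example, not Pressero's own code, the following Python reads a constructed IdP metadata file and reports the values the text says Pressero loads automatically (entity ID, SignOn URL, Single Logout URL), the one checkbox hint the metadata does carry (WantAuthnRequestsSigned for Sign Authentication Request), and two checks worth doing before importing. The remaining signature and encryption checkboxes cannot be read from metadata and are reported as needing confirmation from the IdP. Element names are the standard SAML 2.0 metadata ones; the certificate in the sample is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def inspect_idp_metadata(metadata_xml: str) -> dict:
    """Extract what Pressero auto-loads from IdP metadata and derive checkbox hints."""
    root = ET.fromstring(metadata_xml)
    entity_tag = "{%s}EntityDescriptor" % NS["md"]
    entity = root if root.tag == entity_tag else root.find(".//md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not IdP metadata (SP metadata?)")

    def endpoint(tag: str):
        # Prefer the browser bindings used by a redirect-initiated login.
        for svc in idp.iterfind("md:" + tag, NS):
            if svc.get("Binding") in (HTTP_REDIRECT, HTTP_POST):
                return svc.get("Location")
        return None

    # Count certificates usable for verifying the IdP's signatures.
    signing_certs = 0
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        use = kd.get("use")  # a missing 'use' attribute means signing and encryption
        if use in (None, "signing"):
            signing_certs += sum(1 for c in kd.iterfind(".//ds:X509Certificate", NS)
                                 if c.text and c.text.strip())

    sso_url = endpoint("SingleSignOnService")
    warnings = []
    if signing_certs == 0:
        warnings.append("metadata publishes no signing certificate: signed responses "
                        "and assertions cannot be verified")
    if sso_url and not sso_url.startswith("https://"):
        warnings.append("SingleSignOnService is not https: SAML messages would travel in clear")

    wants_signed_request = (idp.get("WantAuthnRequestsSigned") or "false").lower() == "true"
    return {
        "entity_id": entity.get("entityID"),
        "sso_url": sso_url,
        "slo_url": endpoint("SingleLogoutService"),
        "signing_certificates": signing_certs,
        # Hints for the manual checkboxes in the generic SSO window. None means the
        # metadata cannot tell you; confirm the IdP's actual behaviour with its admin.
        "settings": {
            "Sign Authentication Request": wants_signed_request,
            "Assertion is Signed": None,
            "Response is Signed": None,
            "Certificate is Embedded": None,
            "Assertion is Encrypted": None,
        },
        "warnings": warnings,
    }


# Constructed sample IdP metadata; the certificate body is a placeholder, not a real key.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(key, "=", value)
```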
For directions on using the Custom/Generic option to set up Active Directory (ADFS), see this Knowledge Base article.
Please note: when configuring the Pressero side for use with an ADFS server, set the checkboxes as shown below.