This works well when a user has already logged into their company intranet and you want to pass the login details so they don't have to log in again to order in the portal. There is no cost to use this process. This assumes the user account already exists in the Pressero site. The URL for passing people through to a B2B site when they're already logged into their intranet is as follows:
http://domain.com/login?userEmail=xxxx&userPassword=yyyy
domain = your B2B site's domain
xxxx = the user's email address (or username)
yyyy = the user's password
1a. User Impersonation - A variation of this is that instead of sending the user's actual password, you can enable user impersonation for your site (or your subscriber) and pass an impersonation password in the URL. See Chapter 5 and Chapter 30 of the Pressero user manual.
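As an added illustration (not part of the Pressero documentation or product code), the following Python example builds the pass-through URL with both values percent-encoded, so that characters such as & or + in a password survive the query string, and masks the userPassword value wherever the URL has been written to a web server access log. The https scheme, the host shop.example.com, the helper names and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters of the pass-through URL whose values are secrets
# (compared in lower case so userPassword / UserPassword are both caught).
SENSITIVE_PARAMS = {"userpassword"}

# Constructed access-log lines (combined log format) for a hypothetical site.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:09:15:02 +0000] '
    '"GET /login?userEmail=jane.doe%40example.com&userPassword=p%26ss+w%2Brd%3D1 HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:09:15:03 +0000] '
    '"GET /catalog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def build_passthrough_url(domain, email, password, scheme="https"):
    """Build /login?userEmail=...&userPassword=... with both values percent-encoded."""
    query = urlencode({"userEmail": email, "userPassword": password})
    return urlunsplit((scheme, domain, "/login", query, ""))


def redact_url(url):
    """Mask the value of every sensitive query parameter and keep the rest intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


# A /login?... URL, absolute or relative, up to the next space or double quote.
_LOGIN_URL = re.compile(r'[^\s"]*/login\?[^\s"]+')


def redact_log_line(line):
    """Redact pass-through credentials wherever a /login?... URL appears in a log line."""
    return _LOGIN_URL.sub(lambda m: redact_url(m.group(0)), line)


def redact_log(lines):
    """Apply redact_log_line to every line and return the cleaned list."""
    return [redact_log_line(line) for line in lines]


if __name__ == "__main__":
    print(build_passthrough_url("shop.example.com", "jane.doe@example.com", "p&ss w+rd=1"))
    for cleaned in redact_log(SAMPLE_LOG):
        print(cleaned)
```
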
2. Configuring OAuth2 Providers (Logging in through Facebook, Twitter, Google, or Amazon)
OAuth 2 enables access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account and authorizes access to the user account on Pressero. This option is not available to Pressero Standard plan or EM subscribers. You can locate and set up the following providers by going to Admin > Sites [select a site] > Single Sign-On (SSO).
For OAuth SSO we provide support for the following services:
- Facebook (https://developers.facebook.com)
- Twitter (https://apps.twitter.com)
- Google (https://console.developers.google.com/)
- Amazon (https://sellercentral.amazon.com)
To enable those providers on the storefront, you must create a developer account with each provider, where you'll create a pair of keys: an App Key and a Secret Key.
In the following section, we're going to explain how to generate those keys.
Facebook
- After creating a developer account, go to https://developers.facebook.com, click the My Apps drop-down at the top right and select Add a New App.
- Facebook will show a configuration window where you set the application name, contact email and category. After filling in all the fields, click Create App ID.
- Facebook will show a window with all of the options for the application; choose the Facebook Login option.
- From there you must select the platform, in our case, Web.
- Facebook will show a window where you can set the application address. Use the site's primary address from Pressero and click Next to close this window; you can ignore the rest of the configuration that Facebook shows.
- Once that is done, the top left will show My Apps instead of Create a Project. Click the link to list all your applications, then click the application you want to configure.
- You'll then see the application's basic information, including the App Key and Secret Key. You'll need these keys to configure your store on Pressero.
- There are many things you can configure here, like Ads, restrictions and other settings, for more information please check the Facebook documentation.
- Now on Pressero go to admin > Sites > Single Sign-on (SSO) and create a new entry for the Facebook Authentication Process.
- Click on the Add New Single Sign-On Provider, on the configuration window provide a name for the provider, select Facebook as the identity provider and the default group for the user, click on the save button. After that, the application will show two new fields, App Key and App Secret, copy that information from the Facebook page and then click on the save button again.
- Once you are done with that, the application is configured to use Facebook as the login provider.
- When you set up the Facebook SSO application on https://developers.facebook.com, the app is set as private and only the person who created it will be able to log in until you make it public.
If you are ready to have this option available to your customers to log in to the storefront using Facebook, you need to activate the application and remove it from development mode. In order to activate the App, go to https://developers.facebook.com > Login > App > From the left menu select "App Review" and there you'll see an option to activate the application and set it as public. Once you do this all the users will be able to use the Facebook button on your site to log in.
Twitter
- First access the site https://apps.twitter.com and then click on the Create New App button.
- Twitter will then show a new window where you can set the application's basic information.
- You will then be redirected to the application configuration page, where you'll see the App key and the basic authentication information. The first thing to do is go to the settings tab and insert the URLs for the Privacy Policy and Terms of Service; this information is required so Twitter can return the user's email address during the authentication process.
- After that, go to the permissions tab and check Request Email address from the user.
- Save the settings and go to the Keys and Access Tokens tab; you'll need the API key and secret listed on this page.
- There are many things you can configure here, like Ads, restrictions and other settings, for more information please check the Twitter documentation.
- Now on Pressero go to admin > Sites > Single Sign-on (SSO) and create a new entry for the Twitter Authentication Process.
- Click on the Add New Single Sign-On Provider, on the configuration window provide a name for the provider, select Twitter as the identity provider and the default group for the user, click on the save button. After that, the application will show two new fields, App Key and App Secret, copy that information from the Twitter page and then click on the save button again.
- With that done, the application is configured to use Twitter as the login provider.
Google
- First access the site https://console.developers.google.com/ and then on the left side click on Credentials. A pop-up menu will appear; click on Create a Project.
- Set the application Identification and then click save, a new window will appear, from the drop-down menu select OAuth Client ID.
- From there the site will show you a menu where you can select the Application type, select Web application, give it a name and then click on the save button.
- After that the application will redirect you to application list menu, there select the application and Google will show the application Key and Secret.
- There are many things you can configure here, like Ads, restrictions and other settings, for more information please check Google documentation.
- Now on Pressero go to the SSO configuration Window and create a new entry for the Google Authentication Process.
- Click on the Add New Single Sign-On Provider, on the configuration window provide a name for the provider, select Google as the identity provider and the default group for the user, click on the save button. After that, the application will show two new fields, App Key and App Secret, copy that information from the Google page and then click on the save button again.
- With that done, the application is configured to use Google as the login provider.
Amazon
- First, access the site https://sellercentral.amazon.com and log in to your account. Next click on the "Register New Application" button.
- Amazon will show a configuration window for registering this new application, where you'll set the Application Name, Description, Privacy Notice URL, and the Application Logo.
- After filling in all the fields, click on Save. Amazon will then show the application configuration page, with the Client ID (App Key) and the Client Secret. You will use these two pieces of information later inside Pressero. Also, do not close this window just yet, as you will need to enter the URL Pressero provides to you at the end of the setup process in Pressero.
- In Pressero go to Sites [Select a Site] > Single Sign-on (SSO). Click on the "Add New Single Sign-On Provider" button. Provide a Name for the provider (such as Amazon), select Amazon as the identity provider and the Default User Group. Save.
- Once saved, the application will show two new fields, App Key and App Secret, copy the information from the Amazon page, where App Key is the Client ID and App Secret is Client Secret and then click on the save button again.
- Copy the Authentication Endpoint address shown on this page and paste this URL into the Allowed Return URLs in the configuration panel on Amazon, so they can authorize the user to return to the application store after a successful authentication process in Amazon.
This is a standard protocol for web browser single Sign-On using security tokens. SAML securely eliminates passwords. There is a cost to add SAML to your storefronts and each site must be activated individually. To activate SAML you should contact either your sales representative or the Pressero support team. They will work with you to implement this service.
Per default Pressero provides pre-defined configuration for the following Identity Providers:
This means that Pressero was tested with those identity providers (IdPs). If you use a custom identity provider, you can manually configure the application so it can communicate with your custom IdP.
Mapping
Mapping helps customers who already have attributes defined on their IdP: instead of creating new attributes, they can use this tool to map their existing attributes to variables that Pressero recognizes.
The mapping tool is available on the SSO configuration page and from there the user can make all the necessary mapping, allowing Pressero to get all the information available by the IdP.
For example, if the customer IdP stores the UserGroup name in the attribute memberOf and that mapping is configured, Pressero will look for the UserGroup name in the attribute memberOf when it receives the SAML data. The field and field value are case sensitive, so be careful when configuring this to avoid problems.
Below you will find instructions on adding each of the pre-defined configurations along with instructions on adding a custom identity provider.
PART 1: Adding SAML to your Site (Pressero Admin)
Go to Sites > Single Sign-on (SSO) on the site menu in Pressero, for the site to be setup with SAML Azure AD.
Click the green Add New button.
Set the Button Text and choose Azure Ad for the Identity Provider from the dropdown menu.
Choose which site group new users will be automatically added to.
Click Save. The rest of the configuration fields will become available and visible on that window.
You are going to need 3 pieces of information from Pressero Admin to help you configure your App on Azure AD:
- Entity ID = primary domain of the site
- Reply URL (Assertion Consumer Service URL) = Authentication Endpoint:
- Sign On URL = Single SignOn URL
We will get to where these pieces of information are needed next.
PART 2: Adding and configuring your Azure AD Application (Pressero Admin + Azure Admin)
Note: The next set of steps will require collaboration between two people: Your Pressero Admin, and the Azure AD Admin. Typically, when you’re setting this up on a site for a customer, the Azure AD Admin is your customer. They will need to provide and configure the details below. It is recommended that you first read through the instructions one time before proceeding.
Also note, that browsers tend to enable autofill in certain fields, such as “Metadata File URL” and “Certificate Password” in Pressero. Be watchful that the browser autofill does not override the correct values that should go in these fields (see steps 14, 16, & 17).
- Navigate to the Azure AD Admin Center from the Microsoft 365 Admin Center

- Click “Azure Active Directory” on the left

- Click “Enterprise Applications”
- Click “New application”

- Click “Create your own application”
- Input a name for the application
- Ex. “Pressero”
- Select the “Integrate any other application you didn’t find in the gallery (Non-gallery)”

- Navigate to “Single sign-on” within the newly created application
- Select “SAML” when prompted to select a single sign-on method
- Select the “Edit” button for the “Basic SAML Configuration”
- Enter the Pressero site’s primary domain as the “Entity ID”
- Enter the “Assertion URL” from Pressero Admin in the “Reply URL (Assertion Consumer Service URL)” field in Azure AD
- In Azure Admin, click “SAML-based Sign-on” at the top of the page to return to the SAML configuration page
- Click the Download link for “Federation Metadata XML”
- That downloaded file will be used for the Metadata File (iDP) upload control in the "Identity Provider Metadata and Service Certificate" area in the window on Pressero.
- Copy the “App Federation Metadata URL” field
- Paste that value in Pressero’s Metadata File URL (iDP) field
- The Service Certificate is optional. But it would be a PEM or CER or PFX file from the identity provider system. Have the Azure Admin provide the certificate if one is needed, and also a password if a password was used when creating the certificate. If one is not provided or needed from the identity provider, then leave those fields blank and Pressero will try to use a default certificate.
- Enter the “Sign on URL” provided from Pressero Admin into the “Sign on URL (Optional)” field in Azure AD
- In Pressero Admin, click Save.
- In Azure Admin, click the “Edit” button for the “Attributes & Claims”
- The three main fields Email, FirstName, and LastName need to be added
- Click the claim with the value “user.mail”
- Change the Name to “Email” and click Save
- Click the claim with the value “user.givenname”
- Change the Name to “FirstName” and click Save
- Click the claim with the value “user.surname”
- Change the Name to “LastName” and click Save
PART 3: Field Mappings
Once successful, there will be no red error warnings at the top of the window.
Scroll down to Fields Mapping. Pressero requires mappings for the email address, the first name, and the last name for any users logging into the site. Click Add to Mapping to save the mapping.
This will be done three times to add Field Mappings for Email, FirstName, and LastName. These are the fields you created earlier:
In the drop-down, start with Email, add the value, then click the green “Add to Mapping” button.
You can come back later to this area to add additional mappings. Just establish these three for now.
Important: The values of fields in the mapping must be complete URNs that are defined in the SAML schema.
So, for example,
"Email" maps to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"First Name" maps to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"Last Name" maps to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname".
Hit Save again after adding the mappings. There should be no errors showing after hitting Save.
Go to the login page for the Pressero site. You should have a button to login with SSO on the site login window, please test the login.
Any users on Azure that will need access to the new application will have to be granted or assigned access to that application. If not assigned, an error like the one below may show.
If you are seeing any other errors here that you do not understand, please capture the text and/or a screenshot of the error and open a ticket to Aleyant Support on support.aleyant.com.
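The field mapping from PART 3 and the case-sensitivity rule from the Mapping section, shown as an added example that is not Pressero's own code: it reads the attributes of a constructed SAML assertion and reports which mapped fields resolve and which fail. The memberof attribute sent by the sample IdP, the sample values and the helper names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Field mapping as it would be entered on the SSO configuration page:
# Pressero field -> attribute name expected from the IdP (compared exactly).
FIELD_MAPPING = {
    "Email": CLAIMS + "emailaddress",
    "FirstName": CLAIMS + "givenname",
    "LastName": CLAIMS + "surname",
    "UserGroup": "memberOf",
}
REQUIRED = ("Email", "FirstName", "LastName")

# Constructed assertion fragment. The IdP sends the group as "memberof"
# (lower case), which does not match the "memberOf" mapping above.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberof">
      <saml:AttributeValue>Marketing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} for every saml:Attribute in the document."""
    root = ET.fromstring(assertion_xml.strip())
    attrs = {}
    for attr in root.iter("{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def apply_mapping(attrs, mapping):
    """Resolve each mapped field by exact name; explain every field that fails."""
    resolved, problems = {}, []
    by_lower = {name.lower(): name for name in attrs}
    for field, wanted in mapping.items():
        if wanted in attrs:
            resolved[field] = attrs[wanted][0] if attrs[wanted] else ""
        elif wanted.lower() in by_lower:
            sent = by_lower[wanted.lower()]
            problems.append(f"{field}: IdP sends '{sent}' but the mapping says '{wanted}' (case differs)")
        else:
            problems.append(f"{field}: attribute '{wanted}' is not in the assertion")
    return resolved, problems


def missing_required(resolved):
    """List the required fields (Email, FirstName, LastName) that did not resolve."""
    return [field for field in REQUIRED if not resolved.get(field)]


if __name__ == "__main__":
    found, issues = apply_mapping(read_attributes(SAMPLE_ASSERTION), FIELD_MAPPING)
    print("resolved:", found)
    print("problems:", issues)
    print("missing required:", missing_required(found))
```
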
General notes about attributes on Azure:
For the SSO functionality to work properly, a few attributes must be created in Azure AD to help Pressero identify the user. At a minimum, Pressero requires the Identity Provider to provide the following information about the user:
But you can also return the following information, that will be used to fill the user profile:
- UserGroup (The usergroup name in Pressero)
- Address1
- Address2
- Address3
- Country (ISO 3166-2)
- Telephone
- Postcode
- City
- State (2 letters)
- MiddleName
- Title
- CellPhone
- MISID
- Business
- Fax
- Department
Okta
To configure the Okta Provider, first access your Okta Account.
- Go to the admin area and select the option Add Application
- Select “Create Application” and select the authentication method as SAML 2.0.
- In the next window please provide the basic information for the app, like name, logo and the app visibility.
- In the next step, you’ll see the basic SAML configuration, but before you can configure this step you’ll need to activate the SAML endpoint in Pressero.
This next step assumes you have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO. This also means that each site is a different application on Okta.
- In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
- Click the Add New Single Sign-on Provider and you’ll see a new window where you can create an alias to the provider, select the provider that you’ll use to authenticate the user and the default group the user will be set to.
- Click the Save button and the application will generate the endpoint URL. Copy this URL and access the SAML configuration page on the Okta site.
- Set the Single sign on URL as the endpoint address provided by Pressero and set Audience URI (SP Entity ID) as the site primary domain.
- After that you’ll need to configure the SAML attributes. Pressero needs some information to identify the user. At a minimum, Pressero needs the Identity Provider to provide the following information about the user:
- But you can also return the following information, that will be used to fill the user profile:
- UserGroup (The usergroup name in Pressero)
- Address1
- Address2
- Address3
- Country (ISO 3166-2)
- Telephone
- Postcode
- City
- State (2 letters)
- MiddleName
- Title
- CellPhone
- MISID
- Business
- Fax
- Department
- After configuring this item, click the next button and the site will display the final window. Select I’m an Okta Customer adding an internal app and then click Finish.
- After this Okta will redirect you to the application Sign on configuration Window. From there, click on view setup instructions.
- In the next window Okta will provide all the necessary information needed to do the final configuration on Pressero. Copy the content from the metadata area and save in a text file with the .xml extension.
- Now back in Pressero, access the Single Sign-on configuration window and import the metadata file and your PFX (Personal Information Exchange) file. If you do not provide the PFX file Pressero will try to use a default certificate. If you provide the certificate file do not forget to type the certificate password, otherwise the application will not be able to load this certificate and the SSO process will not work.
- After selecting both the metadata file and the certificate, and typing the certificate password, click on the save button and the window will load all the necessary configuration, making SSO available to your site.
OneLogin
To configure the OneLogin Provider:
- First access your OneLogin Account (https://app.onelogin.com/login), from there select New App.
- Search for SAML and select SAML Test Connection (IdP), from there OneLogin will redirect the user to the basic configuration Window.
- Add the Application Name, select the icons and banners, then click on the save button. After that the UI will change and will display all the available options. Select the tab Configuration, there you’ll see a set of options.
This next step assumes you have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO and that means that each site is a different application on OneLogin.
- In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
- From there click the Add New Single Sign-on Provider and you’ll see a new window, where you can create an alias to the provider, select the provider that you’ll use to authenticate the user and the default group the user will be set to. Click the save button and the application will generate the endpoint URL, copy this URL and access the SAML configuration page on the OneLogin site.
- Now go back to the OneLogin configuration window and set (replace the address by the one Pressero generated)
- Then click on the save button. After saving, go to the SSO tab, change the SAML Signature Algorithm from SHA-1, to SHA-256 and again click the save button.
- After that click in the More Action button and select the SAML Metadata option, save the XML file, you’ll need it to import the data to Pressero.
But before importing the data to Pressero, go to the parameters tab and add the following fields:
Double click on each parameter to map it to a profile field.
This is necessary because Pressero needs some basic information to identify the user, so the Identity Provider must return those user fields.
But you can also return the following information, that will be used to fill the user profile:
- UserGroup (The usergroup name in Pressero)
- Address1
- Address2
- Address3
- Country (ISO 3166-2)
- Telephone
- Postcode
- City
- State (2 letters)
- MiddleName
- Title
- CellPhone
- MISID
- Business
- Fax
- Department
Now back in Pressero:
- Access the Single Sign-on configuration window and import the metadata file and your PFX (Personal Information Exchange) file, if you do not provide the PFX file, Pressero will try to use a default certificate, but if you provide the certificate file do not forget to type the certificate password, otherwise the application will not be able to load this certificate and the SSO process will not work.
- After selecting the metadata file and the certificate, and typing the certificate password, click on the save button and the window will load all the necessary configuration, making SSO available to your site.
PingOne
To configure the PingOne Provider:
- First access your PingOne Account (https://admin.pingone.com)
- From there click on the Applications Tab, then click on the Add Application button and select New SAML Application.
- The site will show a new configuration window, where the user must configure the application basic information, like name, logo and category, after that click on the Continue to Next Step Button.
This next step assumes you have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO and that means that each site is a different application on PingOne.
- In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
- From there click the Add New Single Sign-on Provider and you’ll see a new window, where you can create an alias to the provider, select the provider that you’ll use to authenticate the user and the default group the user will be set to. Click the save button and the application will generate the endpoint URL, copy this URL and access the SAML configuration page on the PingOne site.
- Now go back to the PingOne configuration window and set (replace the address by the one Pressero generated)
- Before saving, click on the Download link, to download the metadata file to use on Pressero, more on that later.
- Now click on Continue to the next step, where you’ll be able to customize the attributes returned by the IdP.
This step is necessary because Pressero needs some basic information to identify the user, so the Identity Provider must return the following fields:
But you can also return the following information, that will be used to fill the user profile:
- UserGroup (The usergroup name in Pressero)
- Address1
- Address2
- Address3
- Country (ISO 3166-2)
- Telephone
- Postcode
- City
- State (2 letters)
- MiddleName
- Title
- CellPhone
- MISID
- Business
- Fax
- Department
- Now click on Save and Publish, the site will display a review report, where you can download the metadata file, click on the finish button and go back in Pressero, access the Single Sign-on configuration window.
- On the Pressero UI import the metadata file and your PFX (Personal Information Exchange) file, if you do not provide the PFX file, Pressero will try to use a default certificate, but if you provide the certificate file do not forget to type the certificate password, otherwise the application will not be able to load this certificate and the SSO process will not work.
SalesForce
To configure the SalesForce Provider:
- First access your SalesForce Account (https://login.salesforce.com), from there click on the Security Controls -> Identity Provider.
- Enable the Identity Provider, the generated self-signed certificate is okay to use. Now click on the download metadata button and then on “Service Providers are now created via Connected Apps. Click here” link.
This next step assumes you have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO and that means that each site is a different application on SalesForce.
- In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
- From there click the Add New Single Sign-on Provider and you’ll see a new window, where you can create an alias to the provider, select the provider that you’ll use to authenticate the user and the default group the user will be set to. Click the save button and the application will generate the endpoint URL, copy this url and access the SAML configuration page on the SalesForce site.
- Now go back to the SalesForce configuration window and set (replace the address by the one Pressero generated)
- On this window, you’ll fill the fields with basic information, like application name (SalesForce will fill the api name field), the contact email address, icon URL, description, etc.
- On the Web App settings, you’ll check the enable SAML checkbox, fill the fields with the following information:
- Entity ID: http://redfrog.localtest.me
- ACS URL: http://redfrog.localtest.me/SSO/Assertion/d1866310-a454-4873-91db-3bd7de3ee9a7
- Then click the save button.
- Now go to Manage Apps -> Connected Apps and select the app you just created.
- Go to the bottom of the window and set the Profile associated with the application and the users that will be allowed to access it; otherwise SalesForce will deny access to the application, even if the user exists in the company's user directory.
- Also, in this part of the window you must create some specific SAML attributes. This step is necessary because Pressero needs some basic information to identify the user, so the Identity Provider must return the following fields:
- But you can also return the following information, that will be used to fill the user profile:
- UserGroup (The usergroup name in Pressero)
- Address1
- Address2
- Address3
- Country (ISO 3166-2)
- Telephone
- Postcode
- City
- State (2 letters)
- MiddleName
- Title
- CellPhone
- MISID
- Business
- Fax
- Department
- Now on the Pressero UI import the metadata file and your PFX file (Personal Information Exchange), if you do not provide the PFX file, Pressero will try to use a default certificate, but if you provide the certificate file do not forget to type the certificate password, otherwise the application will not be able to load this certificate and the SSO process will not work.
With the Generic provider, the user is free to configure the SSO service; we provide all the necessary settings that can be configured to allow Pressero to access an IdP server.
The steps are similar to the other providers, assuming you already have added SAML to your Pressero subscription. If you have not done this yet, you will not be able to continue. This configuration must be done for each site that will use SSO.
In Pressero locate the "Single Sign-on" option in the navigation (admin > site).
So, after enabling the endpoint you'll copy the address generated by Pressero to your IdP provider, usually the settings look like this (sample data):
When you are done with that configuration, you'll get the metadata file generated by the IdP server and import it on Pressero. So you'll need to import the metadata file and your PFX file (Personal Information Exchange), if you do not provide the PFX file, Pressero will try to use a default certificate, but if you provide the certificate file do not forget to type the certificate password, otherwise the application will not be able to load this certificate and the SSO process will not work.
After loading the data, Pressero will enable the SSO configuration Window, there you can set all the necessary settings to enable SSO.
It will load the IdP identity name, SignOn Url and Single Logout Url automatically, if those data are in the metadata file.
You will need to set manually the values for:
- Assertion is Signed: Check if your IdP server signs the assertion
- Certificate is Embedded: Check if your server sends the certificate in the request/response
- Sign Authentication Request: Check if the Authentication request is signed
- Response is Signed: Check if the response is signed
- Assertion is Encrypted: Indicates if the Assertion is encrypted by the IdP
- Signature Method: The application is compatible with SHA-1, SHA-256, SHA-384 and SHA-512.
When done with the configuration, click on Save and try to access the Store using the following URL: http://openfrog.dev6.pressero.com/SSO/Initiate/85bebb80-28ac-4adf-83bf-91c432278e7e
This should redirect to the IdP login page. If the application doesn't redirect to the expected page, there's a misconfiguration; please review it and try again.
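One way to work out the manual settings listed above is to inspect a SAML response captured from a test login together with the IdP metadata. The following is an added example, not Pressero's code: the sample documents are constructed, the function names are hypothetical, and using the metadata flag WantAuthnRequestsSigned as the guide for Sign Authentication Request is an assumption. It reads document structure only and does not validate any signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# XML Signature algorithm URIs mapped to the names in the Signature Method setting.
SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA-512",
}

# Constructed sample response: only the assertion is signed (RSA-SHA256) and the
# signature embeds the certificate. Signature and certificate values are placeholders.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed IdP metadata for the same hypothetical IdP.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com/">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def settings_from_response(response_xml):
    """Derive the response-related settings from the structure of a captured response."""
    root = ET.fromstring(response_xml)
    response_sig = root.find("ds:Signature", NS)          # signature over the whole response
    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    assertion_sig = assertion.find("ds:Signature", NS) if assertion is not None else None
    signatures = [s for s in (response_sig, assertion_sig) if s is not None]

    methods = set()
    for sig in signatures:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is not None:
            uri = method.get("Algorithm")
            methods.add(SIGNATURE_METHODS.get(uri, uri))   # unknown URIs are reported as-is

    if assertion is None and encrypted:
        assertion_signed = None   # cannot be seen without decrypting the assertion
    else:
        assertion_signed = assertion_sig is not None
    return {
        "Response is Signed": response_sig is not None,
        "Assertion is Signed": assertion_signed,
        "Assertion is Encrypted": encrypted,
        "Certificate is Embedded": any(
            s.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
            for s in signatures
        ),
        "Signature Method": sorted(methods),
    }


def wants_signed_requests(metadata_xml):
    """True when the IdP metadata declares WantAuthnRequestsSigned."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    return idp is not None and idp.get("WantAuthnRequestsSigned", "false").lower() in ("true", "1")


if __name__ == "__main__":
    for name, value in settings_from_response(SAMPLE_RESPONSE).items():
        print(f"{name}: {value}")
    print("Sign Authentication Request:", wants_signed_requests(SAMPLE_IDP_METADATA))
```
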
Important: The values of fields in the mapping must be complete URNs that are defined in the SAML schema. So, for example,
"Email" maps to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"First Name" maps to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", and
"Last Name" maps to "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname".
Active Directory (ADFS)
For Directions on using the Custom/Generic option for setting up Active Directory (ADFS) see this Knowledge
Please note: When configuring the Pressero side for use with an ADFS server, you should set the checkboxes as shown below

Shibboleth 3.x
For Directions on using the Custom/Generic option for Shibboleth 3.x SAML, see this document.
Questions:
Can SSO be used on B2C sites?
Yes, SSO can be used on B2B and B2C sites.