Authentication and Single sign-on (SSO)

Essential knowledge

Author:

Fluent Commerce

Changed on:

15 Nov 2024

Overview

This guide helps to select the correct IDP configuration and plan SSO implementation.

Key points

Single sign-on (SSO) is exclusive to the OMX framework, and API users are managed in Fluent IdP, not Corporate IdP, with creation possible through API.
SSO, enabled for each Fluent account, involves creating a corresponding SSO Ping Identity environment managed by the SRE team, covering admin user setup, password policy configuration, branding, and application enablement.
SSO Environment Admin Users, Fluent IdP Configuration, Password Policy, and other guides provide comprehensive details for SSO enablement, Corporate IdP integration, user management, authentication policies, multi-factor authentication, and configurations with Azure AD and Okta.

Prerequisite

Single sign-on (SSO) is only supported by the OMX framework.

API Users Overview

All API users will be stored in Fluent IdP and cannot be stored in Corporate IdP as it’s not an individual user and has a separate machine-to-machine authentication flow. API users can be created via API as per the current implementation. All details provided for API Users will be stored in the SSO vendor environment.

Note

Enabling Single Sign-On (SSO) with an External Identity Provider (IDP) introduces a restriction where only ADMIN and API users possess the authorization to acquire API tokens and perform API actions.

SSO/Ping Identity Environment

SSO will be enabled for each Fluent account, and the corresponding SSO Ping Identity environment will also be created. SSO enablement requests can be made via SRE or Success teams. You must provide details of the admin user managing the SSO vendor environment.

SSO vendor environment setup will be done by the SRE team, and the following changes will be introduced:

The admin user is created and provided the required permissions.
Authentication and password policies are set up. By default, the password policy is not configured strictly and has everything disabled. It all can be changed later.
Fluent Branding is enabled.
Fluent OMX applications are enabled.
User and API authentication flows are added.

Once SSO Environment access is granted, all configurations can be introduced by the client's IT Team or an Administrator directly in the SSO environment.

SSO Environment Admin Users

Admin users will have the following permission in the SSO vendor environment:

Add integrations to Corporate IdP via SAML and Open ID Connect.
Enable or Disable Fluent Users.
Enable MFA
Change Password Policies
Change Environment Branding.

Note:

All Fluent Users need to be created in the Fluent application independently from what IdP type you select. There are no changes introduced to the way users are currently created, either APIs or Admin section in Fluent Console (Fluent OMS) can be used.

If you need to create an additional SSO vendor environment admin, follow the next guides:

Fluent Identity Provider (IdP) Configuration

Fluent Identity Provider (IdP) implementation will depend on how many features you want to include. If no features are required, then there is no implementation to consider. Users will be migrated to Fluent IdP and will continue to access Fluent with current credentials.

As part of Fluent IdP implementation, you will be able to benefit from strong password policies, MFA configurations, and being able to enable and disable users from Fluent IdP. All configurations will be done in the SSO vendor environment.

Users will be stored in the SSO vendor environment and in the Fluent system. Continue to create users using the currently available methods like API and Admin section in Console (OMS) app.

Fluent users cannot be created in the SSO vendor environment, however, they can be managed from there. Next user management features are available:

Password Policy Configuration

Passwords policies are applicable for both IdP types: Corporate IdP and Fluent IdP.

For Corporate IdP cases, password policies will be used only for API users
For Fluent IdP they will be applied to all users.

Note:

Default password policy has every item disabled to make sure that login will flow will work as expected after user migration for Fluent IdP users. If the password policy is changed, then users will require to change the password on their first login.

Password policies are configured once per the SSO vendor environment.

Refer the following links to learn more about password policies:

Login Page Branding

SSO vendor environment support branding for a login page. This is only applicable to users with Fluent IdP. Corporate IdP users will be redirected to their own login page during authentication.

By default Fluent branding is provided but can be changed.

Branding and themes

Editing environment branding

How SSO Affects User Authentication

When Single Sign-On (SSO) is enabled, user authentication is handled by an external Identity Provider (IDP), which manages user credentials and authentication processes. This means that authentication requests bypass

`client_secret`

verification, routing instead through the IDP to confirm that the user exists and their password is correct.

The typical flow involves the user initiating a login request, which is then redirected to the IDP. The IDP verifies the user’s credentials, and upon successful authentication, returns a token to the application, allowing the user access to the system.

Temporarily Disabling SSO

To disable SSO yourself, use the Settings API to update the SSO settings. This will enable direct authentication with the system using `client_secret` verification. If you cannot disable SSO through the API, you can contact support for assistance.

Guides

Related content

SSO User Management

Edited 45 days ago

User management is a client’s internal process. Your nominated IT team or a partner is responsible for user management.

SSO - Multi-Factor Authentication (MFA) Configuration

Edited 374 days ago

Single sign-on (SSO) Overview

Edited 211 days ago

Single sign-on (SSO) is a session and user authentication module that gives users the ability to sign on once and with a single set of credentials to access multiple services and resources. It means is that the user will be authenticated against any Fluent platform application via corporate identity management provider (IdP) or Fluent IdP.

Federated identity management means establishing of a trusted relationship between separate organizations and third parties, allowing users to authenticate to one domain and access resources in another without a separate login, enhancing security and user satisfaction. Fluent's Federated SSO utilizes protocols like SAML and OIDC for secure data exchange, providing a seamless single sign-on experience across Fluent OMX applications. These open standards enable the secure transmission of authentication and access information across domains

SSO

Edited 192 days ago

This guide helps to select correct IDP configuration and plan SSO implementation.

Fluent Identity Provider (IdP)

Edited 216 days ago

An identity provider (IdP) is a service that stores and manages digital identities. Companies use these services to allow their employees or users to connect with the resources they need. They provide a way to control access, adding or removing privileges, while security remains tight.

For companies who don’t have corporate IdP, Fluent provides a solution that allows them to receive all SSO benefits without needing to support their own SSO solution.

Configure Fluent OMS session timeout for SSO users without external IDPs

Edited 325 days ago

SSO Audit

Edited 393 days ago

This page describes where to find user activity logs in SSO Environment. Ping Identity (SSO Vendor) logs all actions performed in the SSO admin console and keeps logs for two years by default. Review logs if you need to investigate an activity of a certain users or check a number of failed logins.

SSO: Configure JumpCloud connection via SAML

Edited 44 days ago

Corporate Identity Provider (IdP) Integration

Edited 44 days ago

If a company has an internal IdP then this IdP can be integrated with our SSO Vendor and used for future user authentication.

API user is always managed in the SSO vendor environment and doesn't have an MFA authentication option.

Configure session timeout for SSO users with external IDPs (Okta)

Edited 244 days ago

SSO User onboarding and offboarding

Edited 108 days ago

The document describes the best practice for onboarding and offboarding users.

SSO Authentication Policies Configuration

Edited 6 days ago

Authentication policies dictate how the user's identity will be verified. For Corporate IdP all users are managed by corporate IdP and authentication policy needs to be configured to make sure that all users are authenticated via internal IdP.