Fluent Commerce Logo
Docs
Help & Feedback

Authentication and Single sign-on (SSO)

Essential knowledge

Intended Audience:

Technical User

Author:

Fluent Commerce

Changed on:

7 Jan 2026

Overview

Authentication in Fluent Web Apps is managed through PingOne, which serves as the central identity hub. It hosts the Fluent Identity Provider (Fluent IdP) and integrates with Corporate Identity Providers (Corporate IdPs) such as Azure AD, Okta, and Google Workspace. PingOne authenticates users, issues tokens, and enforces access and security policies across all environments.

Key points

  • SSO is supported only in the OMX framework.
  • PingOne serves as the central identity platform managing all authentication requests.
  • Fluent IdP (hosted in PingOne) handles Admin and API users.
  • Corporate IdPs authenticate business users via SAML or OIDC.
  • Once SSO is enabled, direct username/password login to Fluent Web Apps is disabled.
  • Each Fluent account has its own PingOne environment where authentication and policy configurations are stored.

Understanding the Authentication Flow

When a user logs in to Fluent Web App, authentication is handled through PingOne, which routes the request to the correct Identity Provider (IdP) based on the user’s email domain.Step-by-step process:
  • The user enters their email on the Fluent Web App login page.
  • PingOne identifies the domain (e.g., (e.g., `@google.com`, `@microsoft.com`) and determines whether the user belongs to the Fluent IdP or a Corporate IdP (e.g., Azure AD, Okta, Google Workspace):
    • If the user belongs to the Fluent IdP: PingOne authenticates credentials directly within the Fluent IdP (stored in PingOne).
    • If the user belongs to a Corporate IdP: PingOne redirects the user to their organization’s IdP for authentication via SAML or OIDC.
  • The IdP (Fluent or Corporate) verifies credentials and returns an assertion or ID token to PingOne.
  • PingOne issues a verified session token to Fluent OMS, granting access.
This flow allows:
  • Internal users (Fluent-managed) to authenticate directly via Fluent IdP.
  • External or vendor users to authenticate through their Corporate IdPs.
All users access the system through a single entry point, ensuring centralized authentication, improved security, and seamless SSO experience.

Fluent IdP vs Corporate IdP

PingOne acts as the host for both internal and external identity providers in the Fluent SSO model.
AspectFluent IdP (Hosted in PingOne)Corporate IdP (External)
Primary UseAdmin and API usersBusiness users
Authentication MethodMachine-to-machine or admin credentialsRedirected SAML/OIDC via PingOne
Managed InPingOne SSO EnvironmentCorporate IdP (e.g., Azure AD, Okta, Google Workspace)
Web UI AccessNot supportedSupported via PingOne redirect

API and Admin Users

Admin and API users are non-human accounts used for integration, automation, and administrative purposes. They are stored and authenticated through the Fluent IdP, which is part of PingOne.
  • Created via API or the Admin Console in Fluent Web Apps.
  • Authenticate using machine-to-machine credentials.
  • Not connected to any Corporate IdP.
When SSO is enabled:
  • Only Admin and API users can generate API tokens.
  • Business users must authenticate via their Corporate IdP.
  • Direct Fluent login with username and password is unavailable for SSO-enabled users.

Password Policies and Security

Password policies are enforced at the PingOne environment level to maintain consistent security across both IdP types.
  • Corporate IdP: Policies apply only to API users.
  • Fluent IdP: Policies apply to all users managed in PingOne.
  • Default configuration disables all password policy options to ensure smooth post-migration login.
  • When modified, users will be prompted to reset their password during their next login.
📘 For details, refer to the official PingOne Documentation on Password Policy Configuration.

Authentication Behavior with SSO Enabled

Once SSO is active:
  • PingOne handles all credential validation and token issuance.
  • Fluent OMS trusts the PingOne-issued token instead of performing `client_secret` verification.
  • Access is granted based on the user’s IdP role and permissions.
This structure ensures centralized access control, auditability, and compliance with enterprise security policies.

Temporarily Disabling SSO

SSO can be temporarily disabled through the Settings API, allowing direct authentication using `client_secret `verification.To do this, update the SSO configuration via the API to disable the SSO flag. Once disabled, users can log in directly without being redirected to the Identity Provider (IdP). If you are unable to perform this action through the API, contact support for assistance.

Multi-Factor Authentication (MFA)

Administrators can enable Multi-Factor Authentication (MFA) in the PingOne environment to strengthen account security and protect against unauthorized access. MFA settings are managed independently for Fluent IdP and Corporate IdPs, allowing flexible control per authentication source.📘 Refer to the official PingOne Documentation for comprehensive instructions on MFA configuration.

Auditing and Logging

All authentication events, administrative actions, and configuration changes are recorded within the PingOne audit logs. These logs provide visibility into user access, MFA challenges, and policy updates — supporting compliance and security monitoring.📘 Refer to the official PingOne Documentation for details on auditing and log management.

SSO Configuration and Management Guides

Collection of articles covering SSO and identity configuration.
Azure AD & Microsoft Entra ID OIDC Configuration: Unified Guide
Azure AD & Microsoft Entra ID SAML Configuration: Unified Guide
Azure Single Logout configuration
Configure Okta connection via SAML
Configure session timeout for SSO users with external IDPs (Okta)
Explore This Category

Single Sign-On (SSO) Configuration Essentials

This collection covers the foundational concepts and key configuration principles for enabling and managing Single Sign-On (SSO) in Fluent Web Apps. Explore how SSO works, how identity providers are integrated, and how authentication flows are managed securely.
Authentication and Single sign-on (SSO)
Corporate Identity Provider (IdP) Integration
Federated Identity Provider (IdP)
Fluent Commerce Fundamentals
Fluent Identity Provider (IdP)
Explore This Category

Related content

Single sign-on (SSO) Overview
Edited 638 days ago
Single sign-on (SSO) is a session and user authentication module that gives users the ability to sign on once and with a single set of credentials to access multiple services and resources. It means is that the user will be authenticated against any Fluent platform application via corporate identity management provider (IdP) or Fluent IdP.
SSO
Edited 106 days ago
This guide helps to select correct IDP configuration and plan SSO implementation.
SSO Enablement Process
Edited 106 days ago
SSO User onboarding and offboarding
Edited 85 days ago
The document describes the best practice for onboarding and offboarding users.
SSO User Management
Edited 472 days ago
User management is a client’s internal process. Your nominated IT team or a partner is responsible for user management.
SSO - Multi-Factor Authentication (MFA) Configuration
Edited 106 days ago
Configure Okta connection via SAML
Edited 106 days ago
Federated Identity Provider (IdP)
Edited 643 days ago
Federated identity management means establishing of a trusted relationship between separate organizations and third parties, allowing users to authenticate to one domain and access resources in another without a separate login, enhancing security and user satisfaction. Fluent's Federated SSO utilizes protocols like SAML and OIDC for secure data exchange, providing a seamless single sign-on experience across Fluent OMX applications. These open standards enable the secure transmission of authentication and access information across domains
Fluent Identity Provider (IdP)
Edited 643 days ago
An identity provider (IdP) is a service that stores and manages digital identities. Companies use these services to allow their employees or users to connect with the resources they need. They provide a way to control access, adding or removing privileges, while security remains tight.For companies who don’t have corporate IdP, Fluent provides a solution that allows them to receive all SSO benefits without needing to support their own SSO solution.
Configure session timeout for SSO users without external IDPs
Edited 106 days ago
SSO Audit
Edited 49 days ago
This page describes where to find user activity logs in SSO Environment. Ping Identity (SSO Vendor) logs all actions performed in the SSO admin console and keeps logs for two years by default. Review logs if you need to investigate an activity of a certain users or check a number of failed logins.
SSO: Configure JumpCloud connection via SAML
Edited 471 days ago
Corporate Identity Provider (IdP) Integration
Edited 471 days ago
If a company has an internal IdP then this IdP can be integrated with our SSO Vendor and used for future user authentication.API user is always managed in the SSO vendor environment and doesn't have an MFA authentication option.
Configure session timeout for SSO users with external IDPs (Okta)
Edited 106 days ago
SSO Authentication Policies Configuration
Edited 433 days ago
Authentication policies dictate how the user's identity will be verified. For Corporate IdP all users are managed by corporate IdP and authentication policy needs to be configured to make sure that all users are authenticated via internal IdP.
Renew SSO (SAML External IDP) Certificate in Ping
Edited 16 days ago
SSO Cutover Planning and Execution
Edited 226 days ago
The SSO Cutover Planning and Execution details the essential steps for migrating and transitioning to SSO in Fluent. The specifics may differ based on the client's implementation of Fluent. It is advisable to have discussions with your partner and the Expert Services contact to gain further clarification.
Fluent Commerce

Fluent Commerce

Building Blocks
Building Blocks
Packages & Modules
All UI Components
Workflows
Settings
Interface Contracts
All Rules
By Type
All Types
Knowledge Tracks
Extend Knowledge
Glossary
All How-to Guides
Sitemap
Topics
Use Cases
Helpful Resources
Platform Limits
Support Policy
Service Level Agreement (SLA) - Enterprise
Deprecation Policy
Extend Knowledge Content – Terms and Conditions
System and Organization Controls (SOC) 3 Report
Data Privacy Addendum
Security Policy
Quick Links
For Partners
Customer Resources
Webinars and Events
Certifications
Training Resources
Knowledge Tracks
Builders Portal
Product Update Newsletter
Industry Blogs & Events Newsletter
Trust Center Portal

Copyright © 2024-2026 Fluent Retail Pty Ltd (trading as Fluent Commerce). Unless otherwise expressly stated in a current written agreement with Fluent Commerce or any of its affiliates or on any single page of the docs.fluentcommerce.com site, use of the materials on this site is strictly limited to viewing by individuals over 18 years old for legitimate commercially appropriate reasons; and any downloading, copying or other actions or uses of any kind or by any means of the materials on this site, including by artificial intelligence tools, is strictly prohibited. All other rights reserved.

Fluent Logo