Authentication providers and single sign-on (SSO)

StoreConnect supports a number of login methods for store users. By default a username+password login is provided. To provide alternative login options, you will need to create an Authentication Provider.

Supported authentication options:

  • StoreConnect
  • Azure ActiveDirectory
  • Google
  • Experience Cloud

Configure authentication providers

Authentication Providers can be created from the store’s Authentication Providers related list.

StoreConnect (username + password)

If no active Authentication Providers exist for a store, then a username/password login will be available by default.

If you wish to allow multiple login options and still provide username/password login, you will need to create a StoreConnect Authentication Provider for the store. Other than Provider and Active, all fields can be left blank.

| StoreConnect Field | Local Provider Value |
| --- | --- |
| Provider | StoreConnect |
| Authorised Domains | |
| Client Id | |
| Client Secret | |
| Provider URL | |
| Reset Password URL | |

Azure ActiveDirectory

| StoreConnect Field | Local Provider Value |
| --- | --- |
| Provider | Azure |
| Authorised Domains | |
| Client Id | Azure Client ID |
| Client Secret | |
| Provider URL | Azure Base URL |
| Reset Password URL | |

The Base URL here is the URL of your Azure login page. It may be similar to: https://.b2clogin.com/.onmicrosoft.com/B2C_1A_signup_signin

To test whether your URL is correct, add /discovery/keys to the end of the URL and visit it in a browser. If the URL is correct, you should see something similar to this:

{ "keys": [ {"kid":"EU323HFCv3ZRmOgTOGLXcFsjlnq0RzRhzKsSGFXLDyk3","use":"sig","kty":"RSA","e":"AQAB","n":"DJjEXl+VZ9m8fn9gUv/an+4llIwXKYcYaNpR3CgZ83lr+Su+OCG9QcsFWKXbylo3xqyiYTmOmGHGMlq4enzm7T4JmM7EDizBrLfiLbw1x6hXkPLrEAS4Pre4W8p6sI+11TVFawPKIGShzcjBz9RQ6QbZWZA6iuxw40iHNg5/DHZjC1nEEJQ506jyeePpJNpP8gTUBx8TwzJdnMItcMMSOcV0dH5hPpbEJkl0mTLvwUhaAXQjXa-TcqqvsJq58C3zxBU0rOLJFeZ9oDtC965f9VC58b3duFyiPg4JhYySPhZ4R+9nLPq4xceZGj1pDRMd6I2w704MjFXLgmQXzKqsiIfI"} ] }

Callback URL

In your ActiveDirectory configuration you will need to add the callback URL to the list of permitted URLs: [https://your-store-domain/logins/auth/azure/callback](https://your-store-domain/logins/auth/azure/callback)

Reset Password URL

Due to security limitations, StoreConnect is not able to initiate a password reset for an ActiveDirectory account. To support password reset, the ‘reset password’ flow on the store will redirect the user to the Reset Password URL if it is present. If left blank, the store will not show a ‘reset password’ link.


Google

| StoreConnect Field | Local Provider Value |
| --- | --- |
| Provider | Google |
| Authorised Domains | |
| Client Id | Google OAuth Client ID |
| Client Secret | Google OAuth Client Secret |
| Provider URL | |
| Reset Password URL | |

To generate your credentials, follow these instructions from Google: Oauth Access

Reset Password URL

Due to security limitations, StoreConnect is not able to initiate a password reset for a Google account. To support password reset, the ‘reset password’ flow on the store will redirect the user to the Reset Password URL if it is present. If left blank, the store will not show a ‘reset password’ link. For Google, use [https://support.google.com/mail/answer/41078](https://support.google.com/mail/answer/41078) as the password reset URL, to direct users to Google’s own support page.

Details on a new contact

When a new website account is created using an SSO provider service, these values are saved on the new Contact record:

| SSO Provider | Salesforce Contact Record |
| --- | --- |
| First Name | First Name |
| Last Name | Last Name |
| Email | Username |
| Email | Email |
| Phone | Phone |

Incoming Azure AD payload mapping

Contact.sso_uid = 'sub'
Contact.sso_provider_id = (StoreConnect AuthenticationProvider sfid)
Contact.email = 'email' || 'signInName' || 'signInNames.emailAddress' || 'upn' || 'preferred_username'
Contact.username = (same as email)
Contact.first_name = 'given_name'
Contact.last_name = 'family_name'
Contact.phone = 'phone_number' || 'Phone Number'
Account.name = 'name'

|| indicates the priority order (e.g. if 'email' is present use that, if not use 'signInName', if that's not present use... etc.)
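The priority order above can be checked against a decoded token payload before go-live, to see which claim will become the Contact's email and username. The following is an added example, not StoreConnect's own code: the function names, the `email_source` field and the sample payloads are hypothetical, and it assumes empty strings count as absent and that 'signInNames.emailAddress' may arrive either as a flat key or as a nested object.

```python
# Added example: resolve the documented Azure AD claim priority for a decoded payload.
# Assumptions: empty strings count as absent; dotted names may be flat keys or nested.

EMAIL_CLAIMS = ["email", "signInName", "signInNames.emailAddress", "upn", "preferred_username"]
PHONE_CLAIMS = ["phone_number", "Phone Number"]


def lookup(claims, name):
    """Return a claim by flat key, falling back to a dotted path into nested objects."""
    if name in claims:
        return claims[name]
    node = claims
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def first_present(claims, names):
    """Return (claim_name, value) for the first non-empty string claim in priority order."""
    for name in names:
        value = lookup(claims, name)
        if isinstance(value, str) and value.strip():
            return name, value.strip()
    return None, None


def map_contact(claims, provider_sfid):
    """Build the Contact/Account fields from the payload, following the mapping above."""
    email_source, email = first_present(claims, EMAIL_CLAIMS)
    _, phone = first_present(claims, PHONE_CLAIMS)
    return {
        "Contact.sso_uid": claims.get("sub"),
        "Contact.sso_provider_id": provider_sfid,
        "Contact.email": email,
        "Contact.username": email,  # same as email
        "Contact.first_name": claims.get("given_name"),
        "Contact.last_name": claims.get("family_name"),
        "Contact.phone": phone,
        "Account.name": claims.get("name"),
        "email_source": email_source,  # which claim supplied the email (debugging aid)
    }

# Constructed sample payloads (not real tokens).
B2C_LOCAL = {"sub": "constructed-sub-1", "email": "", "signInNames": {"emailAddress": "ana@example.com"},
             "given_name": "Ana", "family_name": "Lee", "Phone Number": "+61 400 000 000", "name": "Ana Lee"}
WORK_ACCOUNT = {"sub": "constructed-sub-2", "upn": "bo@example.com",
                "preferred_username": "bo.alias@example.com", "name": "Bo Ray"}
```

A result with `Contact.email` set to `None` means none of the five email claims is being emitted, which points to a claims configuration issue on the Azure side.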


Experience Cloud

Allowing login from Experience Cloud requires more configuration in Salesforce than other Authentication Providers. Please follow the dedicated Experience Cloud Login guide.