Skip to content
Log in

Set up SAML single sign-on

On this page

StoreConnect supports standards-based single sign-on using SAML 2.0, compatible with any SAML-compliant identity provider (IdP) — such as Okta, OneLogin, PingFederate, or Salesforce acting as an IdP. Use this when your organization manages its own identity infrastructure.

You supply StoreConnect with a single value: your IdP’s SAML metadata URL. StoreConnect fetches and parses that metadata to obtain the IdP’s entity ID, sign-in URL, and signing certificate — so there is no certificate to copy by hand.

SAML is one of several login methods StoreConnect supports. For the other providers and shared login behavior, see Authentication providers and single sign-on (SSO).

Before you begin

  • You need administrator access to your Salesforce org and to your identity provider.
  • Have your IdP’s SAML metadata URL ready.
  • Decide which store this login applies to — each SAML provider is configured against a specific store.

Step 1: Add the SAML option as an Authentication Provider

Authentication provider records do not include SAML as a provider option out of the box, so you need to add it before creating the record.

  1. Go to Setup > Object Manager > Authentication Provider > Fields & Relationships > Provider.
  2. Under Values, click New.
  3. Enter saml (lowercase) as the value. The value must be exactly saml in lowercase — this is the value StoreConnect matches on.
  4. Select Save.

Step 2: Create the authentication provider record

  1. On the store record, go to the Authentication Providers related list, and select New.
  2. Configure the record as follows.

    StoreConnect Field Value
    Provider SAML
    Authorised Domains Your IdP’s host (only needed if the IdP posts its response from a different domain than the metadata URL)
    Client Id  
    Client Secret  
    Provider URL Your IdP’s SAML metadata URL
    Reset Password URL  
  3. Save the record and take note of the Salesforce record ID (the 15- or 18-character ID in the browser URL, referred to below as PROVIDER_SFID). It forms part of every SAML URL for this provider.

Step 3: Configure your identity provider

This step completes entirely in your IdP’s admin console. First give it StoreConnect’s service provider (SP) URLs, then set how it sends the assertion.

Enter StoreConnect’s service provider URLs

Use your store domain and the Salesforce record ID you recorded above to form the IdP settings you need. StoreConnect exposes them at a ‘convenience endpoint’. Open this URL in a browser and it returns the values as JSON:

https://your-store-domain/logins/auth/saml/PROVIDER_SFID/config

IdP setting Value
Entity ID / Issuer https://your-store-domain/logins/auth/saml/PROVIDER_SFID/metadata
Assertion Consumer Service (ACS) URL https://your-store-domain/logins/auth/saml/PROVIDER_SFID/auth
Start URL your store’s home page

StoreConnect also publishes the SP metadata as XML at the Entity ID URL above, which many IdPs can import directly.

Configure the assertion

Configure your IdP to send the assertion as follows:

  • NameID format: email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
  • SSO binding: HTTP-Redirect
  • Attributes: release these attributes so StoreConnect can populate the Contact:
SAML attribute Used for
email (falls back to NameID if omitted) Contact email and username
username (or id) The stored SSO user identifier
firstName Contact first name
lastName Contact last name

Confirm the configuration by opening the SP metadata URL in a browser:

https://your-store-domain/logins/auth/saml/PROVIDER_SFID/metadata

If the Provider URL is valid, StoreConnect returns SP metadata XML. If it is misconfigured, the page returns an error instead of XML — recheck the Provider URL on the authentication provider record. When a customer then attempts to sign in with a provider that is still not configured correctly, they see a message that SSO via SAML is not fully configured.

To start a login, the store’s SAML sign-in link submits to:

https://your-store-domain/logins/auth/saml/PROVIDER_SFID/sign_in

What happens on login

SAML supports new-account registration. When a customer signs in via SAML and no matching Contact exists, StoreConnect creates one using the attributes above.

For how StoreConnect matches returning customers to existing Contacts, the fields saved on a new Contact, and logout behavior, see the shared sections in Authentication providers and single sign-on (SSO).

Was this article helpful?

Was this article helpful?