The SSO Authentication App lets you allow customers of the store to log in via SAML SSO with either Okta or Microsoft Azure as the Identity Provider (IdP).
In this article, we will cover the following topics:
- Enable and configure the SSO Authentication App
- Okta setup and configuration
- Microsoft Azure setup and configuration
- Disable Manual Account Creation
Enable and configure the SSO Authentication App
To get started, log into your store and use the left navigation menu to go to Apps:
You will then see the list of all available apps and you can click the Enable button on the SSO Authentication app tile:
Then click the Enable button at the top of the App page.
You will then see a list of the available Identity Providers (IdP) and you can enable the desired ones by clicking the toggle switch next to the name.
See the individual Identity Provider sections below for detailed information on completing the configuration for that particular provider.
Okta setup and configuration
To use Okta as your Identity Provider for customer logins, first follow the steps in the preceding section to enable the SSO Authentication App and then click the toggle switch next to Okta to enable it.
You will see two fields with pre-populated values that will be needed in the following steps. If the Okta account is managed by your client or another department, you will likely need to send these values to them. You can use the copy links to copy the values of the following fields:
- Audience URI (SP Entity ID)
- Single sign-on URL (Assertion Consumer Service URL)
The next few steps involve creating and configuring the app integration in Okta.
After logging in to your Okta account, navigate to Applications on the left menu and then click the Create App Integration button at the top of the page.
For the sign-in method, select SAML 2.0 and then click the Next button.
Then you will need to enter the App name and optionally upload a logo for the app. When done, click the Next button.
You will now be on the SAML Settings page. This is where you will enter the values that you copied from the SSO Authentication App on the Prodigy store. Paste the Audience URI and Single sign-on URL into the corresponding fields. In the Name ID format field, select EmailAddress from the dropdown list. Then click the Finish button.
You will now see the Metadata URL. Click the copy link below the URL.
You can now navigate back to the SSO Authentication App page of the Prodigy store and paste the value from the previous step into the IDP Metadata URL field. When done, click the Save Changes button at the top of the page.
Then go back to your Okta account and navigate to Applications -> Assign Users to App to assign people and groups to the application. Those users will then be able to log into the store with their Okta account and user profiles in the store will automatically be created the first time they log in.
Microsoft Azure setup and configuration
To use Microsoft Azure as your Identity Provider for customer logins, first follow the steps in the first section to enable the SSO Authentication App and then click the toggle switch next to Microsoft to enable it.
You will see two fields with pre-populated values that will be needed in the following steps. If the Microsoft account is managed by your client or another department, you will likely need to send these values to them. You can use the copy links to copy the values of the following fields:
- Identifier (Entity ID)
- Reply URL (Assertion Consumer Service URL)
The next few steps involve creating and configuring the app integration in Microsoft Azure.
Log into your Azure account at: https://portal.azure.com/#home and then under the Azure services heading select Enterprise applications.
Click the New application button.
Then click Create your own application.
Enter a name for your app and then select the radio button labeled Integrate any other app you don't find in the gallery (Non-gallery). Then click the Create button.
Select Set up single sign on.
Then select SAML.
Click the Edit button in the Basic SAML Configuration section.
Then click the Add Identifier link and paste in the Identifier value that you saved from the SSO Authentication app in the Prodigy store.
Then click the Add reply URL link and paste in the Reply URL value that you saved from the SSO Authentication app in the Prodigy store. Then click the Save button.
You will now see the App Federation Metadata Url. Click the copy icon to the right of the value.
You can now navigate back to the SSO Authentication App page of the Prodigy store and paste the value from the previous step into the App Federation Metadata Url field. When done, click the Save Changes button at the top of the page.
Then go back to your Microsoft Azure account and navigate to Users and groups to assign them to the application. Those users will then be able to log into the store with their Azure account and user profiles in the store will automatically be created the first time they log in.
Disable Manual Account Creation
After configuring your SSO identity provider(s), you can optionally disable manual account creation. When manual account creation is disabled, the login page offers no option for users to create accounts manually, and login is only allowed for users that are configured in the SSO identity provider system.
To disable manual account creation for the store, click on the Disable Manual Account Creation button on the SSO Authentication app page.