Your CRM enables you to provide single sign-on (SSO) for your users via the Security Assertion Markup Language (SAML), using enterprise identity providers such as Active Directory or LDAP.
Implementing SSO via SAML means that the user authentication is handled entirely outside of the CRM. Users can sign in to their corporate system normally (authenticated by Active Directory or LDAP for example) and then click a link in the system in order to access the CRM.
Your CRM will then automatically recognize the user and log them in, without asking the user to enter a different set of credentials (that would otherwise be needed in order to log in to the CRM).
By enabling SSO, users will have a more seamless experience using two systems, which to them may appear as a single system.
Additionally, your organization will have an added benefit of being able to manage users all in one place (e.g. in Active Directory or LDAP), as opposed to managing different user accounts for different systems individually.
Note that the SSO feature is available only for clients with an Enterprise plan.
In order to enable SSO in your CRM you will need to:
- Contact your Sales Representative to have the feature enabled on your site (usually within 1-2 business days).
- Implement SAML by building an in-house SAML server or choosing an external SAML service such as Okta, OneLogin, or Ping Identity.
- Add the required user attributes for users who will be using the CRM.
- Enable and configure SSO in the CRM administration.
Important: The SSO connection is one-way, not two-way. When SSO is enabled, users logged into the corporate system will be automatically logged into the CRM as well.
However, if a user logs into Merchant Central first rather than the corporate system, they will not be logged into the corporate system automatically.
Instead, the user will need to authenticate separately in order to log into the corporate system.
Implementing SAML
There are many different ways in which SAML may be implemented and we recommend that you check out this page as a starting point:
http://saml.xml.org/wiki/saml-open-source-implementations
To view the format of the metadata required by the CRM, open your SSO metadata page by using a link in the following format (replace "yourdomain" with your actual domain):
https://yourdomain.iriscrm.com/sso/metadata
Adding User Attributes
In order to use SSO with your CRM, the following attributes must be set for each CRM user:
- username (the username that the user will go by in the CRM)
- firstName
- lastName
- class (any CRM user class such as Admin, Sales Rep, etc.)
The below screenshot provides an example of the attributes assigned to a CRM user:
Enabling SSO in the CRM
Once you have completed your SAML implementation and configured the CRM users' attributes, you can enable SSO in the CRM. Open the Manage SSO Settings page from the administration menu (Site Options > SSO Settings).
On the page that opens enable the SSO toggle switch and then add a new SSO account.
An example of the SSO settings is provided in the below screenshot:
To view the metadata required for the SSO setup click on the Show metadata switch and the metadata will be shown in a text box:
With the setup complete, your users can now start logging in using SSO either from your corporate system or from the CRM login page by clicking on the SSO button:
Additional Notes
- Returning visitors will be authenticated automatically if their SAML assertions are cached.
- If a user without an active CRM account logs into the CRM via SSO, a new account will be automatically created for them.
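Because the CRM creates an account automatically for any SSO user it has not seen before, the assertion's attributes (username, firstName, lastName and especially class, which decides the user's privileges) fully determine what that new account can do. The script below is an added example, not the CRM's or any identity provider's own code: it parses a constructed SAML response, checks that the Name ID uses the persistent format the Okta section calls for, that all four required attributes are present and non-empty, that the class value is on an allow-list (a constructed list; a real deployment would use the classes defined in its CRM), and that the assertion is still within its validity window. Signature verification is assumed to be done by the SAML library in front of this check and is not shown.

```python
"""Sanity-check a SAML assertion before an account is provisioned from it.
Added example; the CRM's real SP-side validation is not public and this
does not replace signature verification by a proper SAML library."""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRIBUTES = ("username", "firstName", "lastName", "class")
# Constructed allow-list; use the classes actually defined in your CRM.
ALLOWED_CLASSES = {"Admin", "Sales Rep", "Agent"}

# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-12345</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="class"><saml:AttributeValue>Sales Rep</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(assertion):
    """Map attribute Name -> first AttributeValue text (stripped)."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0].strip() if values else ""
    return attrs


def validate_assertion(xml_text, now, allowed_classes=ALLOWED_CLASSES):
    """Return (ok, problems, attributes) for the first Assertion in a Response."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion element"], {}

    # Persistent Name ID: the CRM needs a stable subject identifier.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")

    # Validity window: reject replayed or not-yet-valid assertions.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= parse_time(not_on_or_after):
            problems.append("assertion expired")

    # Required attributes drive account auto-creation; none may be empty.
    attrs = extract_attributes(assertion)
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"missing required attribute: {name}")
    if attrs.get("class") and attrs["class"] not in allowed_classes:
        problems.append(f"unknown class: {attrs['class']}")

    return not problems, problems, attrs


if __name__ == "__main__":
    ok, problems, attrs = validate_assertion(SAMPLE_RESPONSE, parse_time("2024-01-01T12:00:00Z"))
    print("valid" if ok else "rejected", problems, attrs)
```

Run it against an assertion captured from your own test login (with the real `now`) to confirm the identity provider's attribute mapping produces all four names exactly as the CRM expects; a misspelled attribute name shows up as a "missing required attribute" line rather than as a silently wrong account.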
Setting Up SSO With OneLogin
Here are the steps to implement SSO using OneLogin.
1. Navigate to https://www.onelogin.com and log into your account.
2. Under the APPS menu, click Add Apps:
3. Search for "SAML" in order to display the SAML apps, and then click on the app you wish to use. In this example, we're selecting the SAML Test Connector (IdP) app:
4. On the next page add the optional icons and the description, and save the app:
5. Next, open the Configuration tab, enter the required information, and click Save:
6. Open the SSO tab to view the single sign-on settings that you will need to copy into Merchant Central:
Note: To get your X.509 Certificate, first save your changes and then click the "View Details" link shown just under the X.509 Certificate field:
7. In Merchant Central open the Manage SSO Settings page from the administration menu (Site Options > SSO Settings), copy the OneLogin settings to the appropriate fields, and save your changes:
Setting Up SSO With Okta
Here are the steps to implement SSO using Okta.
1. Open https://www.okta.com and sign into your account.
2. Click the Applications menu:
3. Click Add Application:
4. Click Create New App:
5. On the pop-up select the (Web) platform and the SAML 2.0 Sign on method, and click Create:
6. Fill in the required and/or optional SAML settings on the Configure SAML tab, and click Next at the bottom of the page:
7. Click Finish to create your new app:
8. Open the SSO tab and click View Setup Instructions:
9. You will now see the SAML settings that you will need to copy back in Merchant Central:
10. In Merchant Central open the Manage SSO Settings page from the administration menu (Site Options > SSO Settings), copy the Okta settings to the appropriate fields, and save your changes:
11. Go to the Assignments tab and click Assign to add a new user:
12. Next, open the General tab and click the Edit button in the SAML Settings section:
13. On the page which opens click Next in order to get to the Configure SAML tab:
14. You can now map the SAML attributes as shown in this example:
Note: You'll need to set the Name ID Format to Persistent. You are mapping the attributes that are required for any user in Merchant Central to the profile fields of the Okta.com users.
Note: The username in okta.com is an email and can't be changed. Therefore you should use the nickname value for the username (the nickname is editable in the okta.com profile).
15. After saving your changes log into Merchant Central using the okta.com SAML connection service and credentials to verify that the authentication is working correctly.