Overview

Single sign-on (SSO) lets customers log in and register through an external identity provider rather than the built-in email and password flow. When SSO is enabled for a company, the standard login form on the shop is replaced with a button that redirects customers to the external provider for authentication. SSO is configured at the company level in Partner Hub. It supports several provider types including OpenID Connect and Azure AD B2C, allowing organisations to integrate their existing identity infrastructure with the shop experience.

Supported Provider Types

The platform supports four SSO provider types:

| Provider Type | Description |
|---|---|
| OpenID Connect | Standard OpenID Connect protocol |
| Laravel Passport | Laravel Passport OAuth integration |
| External/Custom | Custom external authentication provider |
| Azure AD B2C | Microsoft Azure Active Directory B2C |

The provider type determines how the platform communicates with the external identity system. All types follow the same general OAuth flow: the customer is redirected to the external provider, authenticates there, and is redirected back to the shop.

Configuring SSO

SSO is configured in Partner Hub on the company edit page. All SSO settings are grouped together in the SSO settings section.

Enabling SSO

  1. Navigate to the company edit page in Partner Hub
  2. Find the SSO settings section
  3. Toggle SSO on
  4. Select a provider type from the SSO Type dropdown
  5. Complete the required configuration fields
  6. Save the settings

Configuration Fields

| Field | Description | Required |
|---|---|---|
| SSO | Master toggle that enables or disables SSO for the company | - |
| SSO Type | The provider type to use (OpenID Connect, Laravel Passport, External/Custom, or Azure AD B2C) | When SSO is enabled |
| SSO Name | Display name shown on the login and registration buttons in the shop (e.g. “Company Portal”) | When SSO is enabled |
| SSO Base URL | The provider’s OAuth endpoint URL | When SSO is enabled |
| SSO Client ID | The OAuth client identifier issued by the provider | When SSO is enabled |
| SSO Client Secret | The OAuth client secret issued by the provider | When SSO is enabled |
| SSO Identifier Key | The field name in the provider’s response that contains the user’s unique identifier | When SSO is enabled |
| SSO Policy | The Azure policy name | Azure AD B2C only |
| SSO Change Email URL | An external URL where customers can change their email address | Optional |
| SSO Change Password URL | An external URL where customers can change their password | Optional |
| SSO Logout URL | A URL to redirect customers to after they log out | Optional |

Client ID and Client Secret values are encrypted when stored. They are not visible in plain text after saving.

The SSO Policy field only appears when the provider type is set to Azure AD B2C.

Optional Redirect URLs

The three optional URL fields — SSO Change Email URL, SSO Change Password URL, and SSO Logout URL — let you redirect customers to your external provider for account management actions that should be handled outside the platform.
  • SSO Change Email URL — When set, any email change links in the shop redirect the customer to this URL instead of the built-in email change flow.
  • SSO Change Password URL — When set, any password change links in the shop redirect the customer to this URL instead of the built-in password change flow.
  • SSO Logout URL — When set, customers are redirected to this URL after they successfully log out. For OpenID Connect and Azure AD B2C providers, this field is described as an optional additional URL to which the user is redirected after they have successfully logged out.
If these URLs are not configured, the corresponding links in the shop either point to the built-in flows or are handled by the provider’s standard logout mechanism.
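
A pre-flight check for the settings in the Configuration Fields table and the optional redirect URLs, run before the values are entered in Partner Hub. This is an added example, not platform code: the dict layout, the function names and the https/no-embedded-credentials rules are assumptions chosen as hardening, not documented platform validation.

```python
from urllib.parse import urlsplit

# Field names follow the Configuration Fields table; the dict layout is assumed.
REQUIRED = ["SSO Type", "SSO Name", "SSO Base URL", "SSO Client ID",
            "SSO Client Secret", "SSO Identifier Key"]
URL_FIELDS = ["SSO Base URL", "SSO Change Email URL",
              "SSO Change Password URL", "SSO Logout URL"]
TYPES = {"OpenID Connect", "Laravel Passport", "External/Custom", "Azure AD B2C"}


def url_problem(value):
    """Return why a URL is unsafe to configure, or None (hardening assumption)."""
    parts = urlsplit(value)
    if parts.scheme != "https":
        return "must use https"
    if not parts.hostname:
        return "has no host"
    if parts.username or parts.password:
        return "must not embed credentials"
    return None


def check_sso_settings(cfg):
    """Return a list of findings for a planned SSO configuration."""
    if not cfg.get("SSO"):
        return []  # master toggle off: nothing else is required
    findings = [f"{n}: required when SSO is enabled" for n in REQUIRED if not cfg.get(n)]
    if cfg.get("SSO Type") and cfg["SSO Type"] not in TYPES:
        findings.append("SSO Type: not one of the four provider types")
    if cfg.get("SSO Type") == "Azure AD B2C" and not cfg.get("SSO Policy"):
        findings.append("SSO Policy: expected for Azure AD B2C")
    for name in URL_FIELDS:
        reason = url_problem(cfg[name]) if cfg.get(name) else None
        if reason:
            findings.append(f"{name}: {reason}")
    return findings


# Constructed sample: an Azure AD B2C setup with three mistakes.
SAMPLE = {
    "SSO": True, "SSO Type": "Azure AD B2C", "SSO Name": "Company Portal",
    "SSO Base URL": "http://login.example.test/tenant",
    "SSO Client ID": "example-client-id", "SSO Client Secret": "example-secret",
    "SSO Identifier Key": "sub",
    "SSO Logout URL": "https://user:pw@portal.example.test/bye",
}

if __name__ == "__main__":
    print("\n".join(check_sso_settings(SAMPLE)))
```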

Shop Login Experience

When SSO is enabled, the shop login page changes significantly. The standard email and password form is completely hidden — not just disabled, but removed from the page entirely.

What Customers See

In place of the login form, customers see a single button: “Sign in with {SSO Name}”. The button label uses the SSO Name configured in Partner Hub. If no SSO Name is set, the company name is used as a fallback. On the registration page, customers see: “Register with {SSO Name}”.

The Authentication Flow

  1. The customer clicks Sign in with {SSO Name} on the shop login page
  2. They are redirected to the external identity provider
  3. They authenticate with the provider (entering credentials, completing MFA, etc.)
  4. After successful authentication, the provider redirects the customer back to the shop
  5. The platform logs the customer in automatically
The same flow applies to registration — the customer clicks Register with {SSO Name} and is routed through the external provider. The platform creates a local account linked to the external identity after successful authentication.
Social login buttons (Google, Facebook, etc.) can still appear alongside the SSO button if social logins are configured for the company. SSO replaces only the email/password form, not other authentication methods.
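
The account-linking step at the end of the flow depends on the value named by SSO Identifier Key. The following added example (an illustrative model, not the platform's implementation; all function names, the in-memory account map and the sample responses are assumptions) shows why that key should name a stable identifier rather than a mutable attribute such as email, and why a missing or empty value must be rejected.

```python
class IdentityError(Exception):
    """The provider response cannot be tied to one stable external identity."""


def external_id(profile, identifier_key):
    """Extract the unique identifier named by SSO Identifier Key."""
    value = profile.get(identifier_key)
    # A missing, empty or structured value must never become an account key:
    # every such response would otherwise collapse onto one local account.
    if isinstance(value, bool) or not isinstance(value, (str, int)):
        raise IdentityError(f"{identifier_key!r} missing or not a scalar")
    value = str(value).strip()
    if not value:
        raise IdentityError(f"{identifier_key!r} is empty")
    return value


def link_account(accounts, company, profile, identifier_key):
    """Return the local account id for this login, creating it on first use.

    `accounts` maps (company, external id) -> local account id (hypothetical
    storage). Lookup uses only the configured identifier, scoped per company.
    """
    key = (company, external_id(profile, identifier_key))
    if key not in accounts:
        accounts[key] = f"local-{len(accounts) + 1}"
    return accounts[key]


# Constructed provider responses (not real data).
ALICE_2023 = {"sub": "a1f3", "email": "alice@example.test"}
ALICE_2024 = {"sub": "a1f3", "email": "a.smith@example.test"}  # email changed
BOB_2024 = {"sub": "b7c9", "email": "alice@example.test"}      # address reassigned

if __name__ == "__main__":
    for key in ("sub", "email"):
        accounts = {}
        ids = [link_account(accounts, "acme", p, key)
               for p in (ALICE_2023, ALICE_2024, BOB_2024)]
        print(key, ids)
```

With `sub` as the identifier key both of Alice's logins resolve to one account and Bob gets his own; with `email` as the key, Alice's later login creates a second account and Bob is linked to Alice's original one.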

What Changes When SSO Is Enabled

Enabling SSO affects several parts of the shop experience beyond the login page:

| Area | Behaviour with SSO Enabled |
|---|---|
| Login | Email/password form replaced with Sign in with {SSO Name} button |
| Registration | Standard registration replaced with Register with {SSO Name} button |
| Email changes | If SSO Change Email URL is set, email change links redirect to the external URL |
| Password changes | If SSO Change Password URL is set, password change links redirect to the external URL |
| Logout | If SSO Logout URL is set, customers are redirected to the external URL after logging out |

Reporting

SSO-linked identity values are available in reporting contexts. This allows organisations to reconcile platform activity (orders, attendance, customer records) with identities in their external identity system.