Marketplace authentication methods
Marketplacer supports two authentication methods for team members:
- Marketplace-specific username and password with multi-factor authentication.
- Single sign-on (SSO) by using a SAML (Security Assertion Markup Language) Identity Provider. Multi-factor authentication needs to be configured on the Identity Provider.
If SSO is configured, the team member login screen provides the option to log in using a named SSO Identity Provider instead of a marketplace-specific username and password.
Centralising management of users and roles
Instead of manually creating and updating users on Marketplacer, your SSO Identity Provider can manage Marketplacer admin users and their roles by enabling one or both of the following settings on Marketplacer:
- Create missing admins - If an assertion is received for a person and there is not already an admin account for them on Marketplacer, the admin account will be created on Marketplacer.
- Update existing admins - If an assertion is received for a person who already has an admin account on Marketplacer, the name and role provided in the assertion will be saved to their account details on Marketplacer.
Before you add an SSO Identity Provider
You will need to work with the IT staff responsible for administering the SSO Identity Provider system, who could be within the operator’s organization or an external IT service provider.
The configuration required for the SSO Identity Provider is implementation specific, but at a minimum:
- The SSO Identity Provider must have an application definition for Marketplacer.
- To configure Marketplacer, you need to have the Metadata URL or the Metadata XML for the SSO Identity Provider.
If you enable the options Create missing admins and/or Update existing admins:
- The SSO Identity Provider has to be configured to provide the Name and Role SAML attributes for Marketplacer users.
- You need to specify the names of the fields in the SAML assertion that contain the Name and Role attributes for the user.
Note: Marketplacer identifies existing users based on email addresses. The SAML NameID provided by the SSO Identity Provider must be an email address.
SSO configuration will usually be completed during initial deployment. Contact your Marketplacer delivery manager if you need technical assistance to configure SSO in your marketplace.
Using both SSO and local authentication
The two authentication methods can be used together. However:
- The team member login process will bypass any multi-factor authentication configured locally in the marketplace when a user authenticates using the SSO Identity Provider.
- Some functions in the operator portal require a password. Those functions require a local (marketplace) password even if the system is configured to use SSO. To use those features, the team member must have a local username and password set in the marketplace. An example is adding a mobile phone to a team member’s account, which requires the user to provide a valid local (marketplace) password even if the system is configured to use SSO.
To add an SSO Identity Provider
- Go to Configuration > SSO Identity Providers > New Identity Provider.
- Enter the Name of the Identity Provider. This will appear on the login screen unless hidden (next step).
- Set the Hidden checkbox (optional). If this Identity Provider is hidden, it will not be shown on the login screen. Users can still log in using Identity Provider-initiated flows such as apps selector in Google.
- Enter either the Metadata URL or the Metadata XML.
The URL and/or XML must be provided by the operator of the SAML Identity Provider.
If you provide the URL, the XML will be downloaded periodically from the Identity Provider.
- Select Create missing admins, if required. (See above.)
- Select Update existing admins, if required. (See above.)
- Enter the Name attribute in assertion - This field is only required if you enable Create missing admins or Update existing admins. (See above.)
- Enter the Role attribute in assertion - This field is only required if you enable Create missing admins or Update existing admins. (See above.)
- Select Create.
SSO Authentication Settings
The administrator of the SAML Identity Provider may ask you for a service provider certificate.
To access or generate the certificate:
- Go to Configuration > SSO Configuration.
- Do one of the following:
- Download the service provider metadata.
- Copy the service provider certificate (PEM encoded).
- Generate a new certificate, and then download or copy the result.
- You can then make the certificate available to the Identity Provider.
Sign in to your account using SSO
If single sign-on is configured, the Marketplacer login screen allows you to log in using the configured single sign-on Identity Provider for your organization.
Note: Functions in the operator portal that require a password, such as adding a mobile phone to a team member’s account, need the Marketplacer password even if the system is configured to use single sign-on. To use those features, the team member must have a password set in Marketplacer.
- Create an application definition in your identity provider. You must create one definition per environment (for example: test-support, staging, or production).
- Populate the required fields in your identity provider. This table lists the required fields in OneLogin with corresponding values and where to locate them:

| Field | Value or where to find it in Marketplacer |
| --- | --- |
| Audience (EntityID) | Get the Audience (EntityID) value from the downloaded metadata found at https://whatever.your.site.is/client/session/saml/metadata |
| Recipient, ACS (Consumer) URL Validator and ACS (Consumer) URL | Get the AssertionConsumerService URL value from the downloaded metadata found at https://whatever.your.site.is/client/session/saml/metadata |
| SAML NameID Format | Ensure that the SAML NameID Format is set to Email, for example `<company_employee_number>@company.com` |
| SAML Issue Type | The SAML Issue Type must be set to Specific. |

- Specify the name attribute in the identity provider that defines the team member's "name". This is required for the final step.
- Specify the attribute in the identity provider that defines the user roles available to users. This is required for the final step. Refer to this article to know more about the roles and permissions.
- Enter the correct values for the user’s First name, Surname, and Seller URL title to create users that do not yet exist on the Marketplacer side.
Note: The names of these attributes must match the identity provider setup on the Marketplacer side. For example, the above setup corresponds to the below setup on the Marketplacer side.
- To set up the Marketplacer side with a new Identity Provider definition, you must fill in the Name and Metadata URL fields when creating a new identity provider. The Marketplacer platform fetches the metadata from the identity provider and configures everything except the attributes you want to use to automatically create or update admins and/or sellers from this identity provider.
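The Audience (EntityID) and AssertionConsumerService URL values in the table above are read from the service provider metadata. The following added example (not Marketplacer's own code) pulls those values out of an SP metadata document with Python's standard library and checks that the email NameID format is advertised; the metadata document and its endpoint URLs are constructed placeholders standing in for what your own /client/session/saml/metadata URL returns.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed service-provider metadata; entityID and endpoint URLs are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://whatever.your.site.is/client/session/saml/metadata">
 <md:SPSSODescriptor WantAssertionsSigned="true"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:AssertionConsumerService index="0" isDefault="true"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://whatever.your.site.is/client/session/saml/PLACEHOLDER-acs"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_values_from_metadata(xml_text):
    """Return the values the identity-provider application definition needs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        raise ValueError("metadata advertises no AssertionConsumerService")
    # Prefer the endpoint flagged isDefault; otherwise take the first one listed.
    chosen = next((e for e in acs if e.get("isDefault") == "true"), acs[0])
    formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", NS) if f.text]
    return {
        "audience": root.get("entityID"),                   # Audience (EntityID)
        "acs_url": chosen.get("Location"),                   # Recipient / ACS URL
        "acs_binding": chosen.get("Binding"),
        "email_nameid_supported": EMAIL_NAMEID in formats,   # NameID Format = Email
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }
```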
Important considerations for AzureAD/Entra SSO users
Customers using Microsoft Entra ID (AzureAD) SSO may need additional configuration steps to ensure proper mapping of permission groups and roles.
Marketplacer SSO Settings
- Ensure that the Name attribute in assertion and Role attribute in assertion are correctly set.
- Example values:
- Name attribute in assertion: http://schemas.microsoft.com/identity/claims/displayname
- Role attribute in assertion: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
AzureAD/Entra Enterprise Application SSO Configuration
- In Attributes & Claims, ensure that:
- The Role claim (http://schemas.microsoft.com/ws/2008/06/identity/claims/role) maps correctly to user.groups [ApplicationGroup].
- Under Group Claims, configure:
- Source Attribute: sAMAccountName
- Enable Emit groups as role claims
These settings help resolve issues with automatic permission group mapping.
Note: This configuration may not be universal. If it does not work as expected, contact Marketplacer support for assistance.
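To show how the Create missing admins and Update existing admins settings described earlier act on an assertion whose Name and Role attribute names are the Entra claim URIs above, here is an added example that is not Marketplacer's own code. The assertion body is constructed for illustration, the in-memory admin table and the returned action names are assumptions of this example, and signature verification of the assertion is assumed to have already happened.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names as set in "Name/Role attribute in assertion" (the Entra values above).
NAME_ATTR = "http://schemas.microsoft.com/identity/claims/displayname"
ROLE_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed assertion; a real one is signed and must be verified before use.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
 </saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
   <saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
   <saml:AttributeValue>marketplace-admins</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def extract_identity(xml_text, name_attr=NAME_ATTR, role_attr=ROLE_ATTR):
    """Return (email, name, roles); reject assertions whose NameID is not an email."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        raise ValueError("NameID missing or not in emailAddress format")
    email = (name_id.text or "").strip().lower()  # admins are keyed by email address
    if email.count("@") != 1 or "." not in email.rsplit("@", 1)[1]:
        raise ValueError("NameID value is not an email address")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    if not attrs.get(name_attr) or not attrs.get(role_attr):
        raise ValueError("configured Name or Role attribute absent from assertion")
    return email, attrs[name_attr][0], attrs[role_attr]


def provision(admins, xml_text, create_missing, update_existing):
    """Apply the two settings to an in-memory admin table; return the action taken."""
    email, name, roles = extract_identity(xml_text)
    if email in admins:
        if not update_existing:
            return "unchanged"
        admins[email] = {"name": name, "roles": roles}
        return "updated"
    if not create_missing:
        return "no_account"  # platform behaviour for this case is not covered here
    admins[email] = {"name": name, "roles": roles}
    return "created"
```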