# SAML Single Sign-On

**How to access on Fynd Commerce:** Commerce panel → Settings → SAML Single Sign-On

## Introduction

Once you have created a business account on Fynd Platform, you can set up SAML single sign-on, through which members of your organization can authenticate through your identity provider rather than registering individually on Fynd Platform. You can set up single sign-on (SSO) on Fynd Commerce using identity providers such as G-Suite and Azure AD. SAML facilitates the exchange of data between the identity provider (IDP) and the service provider (SP).

![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/1.png)

Figure 1: SAML Single Sign-On Configuration

In this document, we will learn the process of configuring SAML SSO with the following identity providers:

* [G-Suite](#g-suite)
* [Azure AD](#azure-ad)

## G-Suite

**Prerequisite:** A Google Workspace Admin account (formerly known as G-Suite).

1. Set up your custom SAML app in your Google Admin Console (admin.google.com).
2. Go to Apps → Web and mobile apps.
3. Click **Add App** → **Add private SAML app**. Enter a name and icon in the **App Details** page and click **Continue**.
4. On the Google Identity Provider details page, click **Download Metadata** to get the setup information.

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/2.png)

   Figure 2: Identity Provider Details Page

5. Copy and paste the following IDP settings into Fynd Platform:
   * SSO URL
   * Entity ID
   * Certificate

   ![QG4](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/3a.png)

   Figure 3a: Copying The SSO URL, Entity ID, And Certificate

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/3b.png)

   Figure 3b: Pasting The SSO URL, Entity ID, And Certificate

6. Copy and paste the following SP settings from Fynd Commerce to the IDP console.
   * Issuer
   * Callback Url

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/4a.png)

   Figure 4a: Copying The Issuer And Callback Url

   ![QG4](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/4b.png)

   Figure 4b: SAML Application

   ![QG4](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/4c.png)

   Figure 4c: Service Provider Details Page

7. Under IDP settings, you get the following additional configurations:

   ![QG2](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/5.png)

   Figure 5: Additional Configurations in SAML SSO Settings

   Enter a text to display on the login screen.

   * **Logo** - Upload an image to display on the login screen.
   * **Session Age** - Specify a duration (in hours) beyond which a user will be logged out.
   * **Assign Roles Manually** - A role determines the access and permissions a user gets in Fynd Platform. Enable this option to manually assign roles to users signed in via SSO. Disable the option to fetch and sync the roles directly from G-Suite.
   * **Role** - Shows a list of roles if defined already within the **Team** section of Fynd Platform.
   * **Create New Role** - If no role is defined yet, use this option to create a role, and specify the permissions granted to the users who log in via SSO.

   ![QG2](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/5a.png)

   Figure 5a: Creating A Role

   ![QG11](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/5b.png)

   Figure 5b: Giving Permissions

   ![QG11](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/5c.png)

   Figure 5c: Role Creation Successful

   ![QG2](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/5d.png)

   Figure 5d: Choosing A Role

   * **Provider** - Select an identity provider; in this case, Google.

8. Upon successful setup, members of your organization who have not registered on Fynd Commerce can choose **Login as Organisation**.

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/6.png)

   Figure 6: Fynd Commerce Login Page

9. They can enter the Company ID.

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/7a.png)

   Figure 7a: Single Sign-On Page

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/7b.png)

   Figure 7b: SAML Login Page

10. Finally, they can sign in to Fynd Commerce using their Google Account.

    ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/gsuite/8.png)

    Figure 8: Google Sign-In Page

## Azure AD

**Prerequisite:** An Azure account with an active subscription, and an enterprise application created within it for setting up SSO. Click here to know more about adding an application in Azure AD.

1. After adding an enterprise application, you'll get an overview page.

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/1.png)

   Figure 1: Enterprise Application Overview Page

2. In the Manage section, select Single sign-on.

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/2.png)

   Figure 2: Single Sign-On Configuration

3. Go to SAML SSO settings in Fynd Platform, and copy the following SP settings:
   * Issuer
   * Callback Url

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/3a.png)

   Figure 3a: Copying The Issuer And Callback Url

   Use the **Edit** option in the first block, i.e., 'Basic SAML Configuration', to paste the copied values as shown below.
   * *Issuer* → *Identifier*
   * *Callback Url* → *Reply URL*

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/3b.png)

   Figure 3b: Pasting The Issuer And Callback Url

4. Go to the 4th block, i.e., 'Set up *yourAppName*', and click on **View step-by-step instructions**.

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/4.png)

   Figure 4: Checking IDP Settings

5. From the pane (on the right side), copy the following values one by one:
   * SAML Single Sign-On Service URL
   * SAML Entity ID

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/5a.png)

   Figure 5a: Copying Data For SSO URL And Entity ID

   Paste the copied values in IDP Settings of Fynd Commerce as shown below.
   * *SAML Single Sign-On Service URL* → *SSO URL*
   * *SAML Entity ID* → *Entity ID*

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/5b.png)

   Figure 5b: Pasting Data Into SSO URL And Entity ID

6. Go to the 3rd block, i.e., 'SAML Signing Certificate', and use the **Download** button next to 'Certificate (Base64)'.

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/6.png)

   Figure 6: Downloading Certificate

7. Use any text editor to open the certificate, and copy its content.

   ![QG2](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/7a.png)

   Figure 7a: Copying Certificate Content

   Paste the copied content in the IDP Settings of Fynd Platform.

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/7b.png)

   Figure 7b: Pasting Certificate Content

8. Under IDP settings, you get the following additional configurations:

   ![QG2](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/8.png)

   Figure 8: Additional Configurations in SAML SSO Settings

   Enter a text to display on the login screen.

   * **Logo** - Upload an image to display on the login screen.
   * **Session Age** - Specify a duration (in hours) beyond which a user will be logged out.
   * **Assign Roles Manually** - Enabled by default for Azure AD.
   * **Role** - Shows a list of roles defined within the **Team** section of Fynd Platform.
   * **Create New Role** - If no role is defined yet, use this option to create a role and specify the permissions granted to the users who log in via SSO.

   ![QG11](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/8a.png)

   Figure 8a: Giving Permissions

   ![QG11](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/8b.png)

   Figure 8b: Role Creation Successful

   ![QG2](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/8c.png)

   Figure 8c: Choosing A Role

   * **Provider** - Select an identity provider; in this case, Microsoft AD.

9. Upon successful setup, members of your organization who have not registered on Fynd Commerce can choose **Login as Organisation**.

   ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/9.png)

   Figure 9: Fynd Commerce Login Page

10. They can enter your Company ID.

    ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/10a.png)

    Figure 10a: Single Sign-On Page

    ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/10b.png)

    Figure 10b: SAML Login Page

11. Finally, they can sign in to Fynd Commerce using their Microsoft Account.

    ![QG1](https://cdn.pixelbin.io/doc/original/searchlight/platform-panel/company-settings/saml/azure/11.png)

    Figure 11: Microsoft Sign-In Page