Use the PUT /ccadmin/v1/merchant/samlSettings endpoint in the Admin API to configure Commerce Cloud to use storefront SSO. The endpoint request body includes the following properties that are used to create the service provider entity descriptor:

enabled – If true, support for SSO is enabled. Default is false.
nameIdPolicyFormat – The SAML name ID policy to use. Default is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
In addition, the request body can include several properties that control the SAML security policies that Commerce Cloud enforces. The values of these properties are used to create settings in the service provider entity descriptor:

signAuthnRequest – If true, the SAML request message will be signed. Default is true.
nameIdPolicyAllowCreate – If true, Commerce Cloud allows the identity provider to create persistent name identifiers for sessions. Default is true.
requireEncryptedAssertions – If true, Commerce Cloud accepts SAML assertions from the identity provider only if they are encrypted. Default is true. For security reasons, this should be set to true in your production environment.
requireSignedResponse – If true, Commerce Cloud accepts authorization responses from the identity provider only if they include a signature. Default is true. For security reasons, this should be set to true in your production environment.
The following call enables and configures SSO on a Commerce Cloud instance:
PUT /ccadmin/v1/merchant/samlSettings HTTP/1.1
Authorization: Bearer <access_token>
{
"enabled": true,
"nameIdPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"requireEncryptedAssertions": true,
"requireSignedResponse": true,
"signAuthnRequest": true,
"nameIdPolicyAllowCreate": true
}
Note that it may take several minutes for the changes to propagate to the storefront server.
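The following Python script is an added example, not part of the Oracle documentation or the Commerce Cloud product. It assembles the samlSettings request body from the documented defaults, audits it against the production guidance above (requireEncryptedAssertions and requireSignedResponse must be true, the AuthnRequest should be signed, the name ID format should be a SAML URN), renders the same PUT request shown on the page, and only then sends it. The apply_saml_settings function, its base_url parameter, and the Content-Type header it sends are assumptions made for this example; the endpoint path, property names and defaults come from the page.

```python
import json
from urllib import request

# Endpoint path and documented defaults, as listed on the page above.
SAML_SETTINGS_PATH = "/ccadmin/v1/merchant/samlSettings"

DEFAULTS = {
    "enabled": False,
    "nameIdPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "signAuthnRequest": True,
    "nameIdPolicyAllowCreate": True,
    "requireEncryptedAssertions": True,
    "requireSignedResponse": True,
}

# Properties the page says must be true in a production environment.
PRODUCTION_MUST_BE_TRUE = ("requireEncryptedAssertions", "requireSignedResponse")


def build_saml_settings(**overrides):
    """Return a full request body: documented defaults overlaid with overrides.

    Unknown keys are rejected so that a misspelled property (for example
    'requireSignedResponses') cannot silently leave the real one at its default.
    """
    unknown = set(overrides) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown samlSettings properties: {sorted(unknown)}")
    body = dict(DEFAULTS)
    body.update(overrides)
    return body


def audit_saml_settings(settings, production=True):
    """Return a list of findings; an empty list means the body is acceptable."""
    findings = []
    if settings.get("enabled") is not True:
        findings.append("enabled is not true: storefront SSO stays disabled")
    if production:
        for key in PRODUCTION_MUST_BE_TRUE:
            if settings.get(key) is not True:
                findings.append(f"{key} must be true in production")
    if settings.get("signAuthnRequest") is not True:
        findings.append("signAuthnRequest is not true: AuthnRequests will be unsigned")
    name_id = settings.get("nameIdPolicyFormat", "")
    if not name_id.startswith("urn:oasis:names:tc:SAML:"):
        findings.append(f"nameIdPolicyFormat {name_id!r} is not a SAML nameid-format URN")
    return findings


def render_put_request(settings, access_token="<access_token>"):
    """Render the HTTP/1.1 request text in the form shown on the page, for review or logging."""
    lines = [
        f"PUT {SAML_SETTINGS_PATH} HTTP/1.1",
        f"Authorization: Bearer {access_token}",
        "",
        json.dumps(settings, indent=2),
    ]
    return "\n".join(lines)


def apply_saml_settings(base_url, access_token, settings, production=True):
    """Audit the body first, then PUT it to the Admin API (assumed base_url, e.g. the admin host)."""
    findings = audit_saml_settings(settings, production=production)
    if findings:
        raise ValueError("refusing to apply weak SAML settings: " + "; ".join(findings))
    req = request.Request(
        base_url.rstrip("/") + SAML_SETTINGS_PATH,
        data=json.dumps(settings).encode(),
        method="PUT",
        # Content-Type header is an assumption for this example.
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    body = build_saml_settings(enabled=True)
    print(render_put_request(body))
    print("findings:", audit_saml_settings(body))
```

Run it with no arguments to see the rendered request for the same body the page uses; the audit returns an empty list for that body and names each weakened property when a non-production value (such as requireEncryptedAssertions set to false) is carried into a production call.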