SLAS Identity Providers

To support logging in with social media accounts or other federated login systems (Google’s, for example), you must set up an external identity provider (IDP) for SLAS.

When using an IDP, the source of truth for shopper credentials is the external identity system instead of the B2C Commerce system. Setting up IDPs is optional: you can still use SLAS to implement login and API access for shoppers whose credentials are stored in the B2C Commerce system rather than in an external IDP.

The following IDPs are supported by SLAS:

Provider                      JSON
Amazon Cognito                "name": "cognito"
Apple                         "name": "apple"
Auth0                         "name": "auth0"
Azure Active Directory        "name": "azure"
Azure Active Directory B2C    "name": "azure_adb2c"
Facebook                      "name": "facebook"
Google                        "name": "google"
Okta                          "name": "okta"
Ping Identity                 "name": "ping"
Salesforce                    "name": "salesforce"
SAP Gigya                     "name": "gigya"

You must use one of the strings from the list of supported IDPs as the value of the name property in the JSON object that you send in the body of your API requests. You can also append a hyphen (-) to the IDP name, followed by any string, to create variations. For example, you can use both "name": "google" and "name": "google-test", but not "name": "googletest".
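The naming rule above is easy to get subtly wrong (for example, "googletest" looks like a variant but is rejected, while "azure-adb2c" is a variant of "azure", not the "azure_adb2c" provider). The following validator is an added example written for this page; it is not part of the SLAS Admin API or any Salesforce SDK. It assumes that names are matched case-sensitively against the exact strings in the table, that the variant suffix is everything after the first hyphen, and that a trailing hyphen with no suffix is rejected; none of those three points is stated on the page.

```python
from dataclasses import dataclass
from typing import Optional

# Supported IDP base names, copied from the table on this page.
SUPPORTED_IDP_NAMES = frozenset({
    "cognito", "apple", "auth0", "azure", "azure_adb2c",
    "facebook", "google", "okta", "ping", "salesforce", "gigya",
})


@dataclass(frozen=True)
class IdpNameCheck:
    name: str
    valid: bool
    base: Optional[str]      # supported IDP the name maps to, if valid
    variant: Optional[str]   # text after the first '-', if any
    reason: str


def check_idp_name(name: object) -> IdpNameCheck:
    """Validate a "name" value for the idps endpoint.

    Accepts exactly a supported name, or a supported name followed by
    '-' and a non-empty suffix. Anything else is rejected before the
    request is sent, with a reason suitable for an error message.
    """
    if not isinstance(name, str) or name == "":
        return IdpNameCheck(str(name), False, None, None,
                            "name must be a non-empty string")

    # Split only on the first '-': "google-eu-2" is base "google",
    # variant "eu-2". Underscores are part of the base ("azure_adb2c").
    base, sep, variant = name.partition("-")

    # Assumption: comparison is case-sensitive, so "Google" is rejected.
    if base not in SUPPORTED_IDP_NAMES:
        return IdpNameCheck(name, False, None, None,
                            f"'{base}' is not a supported IDP name")

    # Assumption: a trailing '-' with nothing after it is rejected.
    if sep and variant == "":
        return IdpNameCheck(name, False, base, None,
                            "variant suffix after '-' is empty")

    return IdpNameCheck(name, True, base, variant or None, "ok")


def check_tenant_idp_names(names: list) -> dict:
    """Check every IDP name configured for one tenant.

    A tenant may have several IDPs (e.g. Google and Facebook), so this
    also reports duplicates, which would otherwise overwrite each other.
    Returns {"valid": [...], "invalid": [(name, reason)], "duplicates": [...]}.
    """
    seen = set()
    result = {"valid": [], "invalid": [], "duplicates": []}
    for name in names:
        check = check_idp_name(name)
        if not check.valid:
            result["invalid"].append((check.name, check.reason))
            continue
        if check.name in seen:
            result["duplicates"].append(check.name)
            continue
        seen.add(check.name)
        result["valid"].append(check.name)
    return result


if __name__ == "__main__":
    # Constructed sample input: names a tenant might try to configure.
    sample = ["google", "google-test", "googletest", "azure_adb2c",
              "azure-adb2c", "Google", "google-", "facebook", "google"]
    for n in sample:
        c = check_idp_name(n)
        print(f"{n!r:16} valid={c.valid!s:5} base={c.base!r:14} "
              f"variant={c.variant!r:10} {c.reason}")
    print(check_tenant_idp_names(sample))
```

Run the check on each name before calling the idps endpoint; the base field tells you which supported provider a variant such as "google-test" actually resolves to.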

To request support for an IDP that isn’t on the list, create a support ticket with Commerce Cloud. We can then work with you to configure the IDP.

We only support IDPs that are compliant with OpenID Connect. We don’t support SAML.

To set up any of the supported IDPs for SLAS, make a request to the idps endpoint of the SLAS Admin API. Make sure that you have set up a client ID with the IDP before making your request.

You can set up more than one IDP for a tenant. For example, you could set up both Google and Facebook as IDPs for the same tenant.

To enable single sign-on, SLAS must be configured as an authentication provider on core Salesforce clouds. For more information, see this course on Trailhead: Set Up Social Sign-On.

When a shopper logs in through an IDP, a customer record specific to that IDP is created. For example, if rachel.rodriquez@example.com logs in first using Google and second using Facebook, two separate customer records are created. If Rachel logs in with Google, makes a purchase, and then logs in with Facebook, they can’t see the purchase that they made while logged in with Google. To see the purchase again, they must log in with Google (not Facebook).

Calling the /logout endpoint in SLAS does not automatically log the customer out of a third-party IDP. The customer must explicitly log out from the IDP.

Here’s an example request to set up Google as an IDP for SLAS. Don’t forget to replace {{idp_name}} with one of the supported IDP names listed earlier.

The value for redirectUrl in the request follows a different URL format than the endpoint.