Implement SSO in backoffice

sharada1234
Explorer

Hi All,

Currently, I am implementing SSO for backoffice. We need to integrate backoffice with our client-specific authentication system.

As part of this, we requested our IDP to provide metadata and certificate, but our IDP is requesting us to provide mapping attributes and additional attributes. We are not sure what attributes we need to provide.

And what are the below attributes referring to:

sso.usergroup.attribute.key=groups
sso.firstname.attribute.key=first_name
sso.lastname.attribute.key=last_name
sso.userid.attribute.key=mail
sso.database.usergroup.mapping=true

And do we need to ask them for the SSO usergroup from the IDP end to create the SAML mapping in backoffice?

I am following the below single sign-on trail from the SAP documentation:

https://help.sap.com/docs/SAP_COMMERCE/2a797fed80934746adc68fb1bbe23dd0/84d89847ddd14e5eb6e2d8643222...

Please help us to understand more on this.

Thanks,
Sharada

Golden
Newcomer

Hi sharada1234

I am also getting the same error as yours while doing the SSO using okta with Hybris. Can you please help.

Accepted Solutions (1)

Aldali
Explorer

Hello sharada1234 ,

To start working on the SSO integration with your IDP, you may first refer to Single Sign-On in SAP Commerce.
After that you can check Single Sign-On in Backoffice.


Additionally, feel free to contact me thru my LinkedIn, I would be happy to assist :)


Regards,

Abdul Rahman Aldali

sharada1234
Explorer

Hi @aldali,

Thank you for your reply. I have gone through all documentation related to SSO.

The issue is with Entity ID not being mapped properly. After mapping the correct Entity ID at IDp end, Now I am receiving the response from IDP.

But I am getting the below error, hence backoffice is still going to the login page and authentication is not happening.


INFO | jvm 1 | main | 2023/06/16 09:59:44.391 | 09:59:44.278 [hybrisHTTP58] ERROR de.hybris.platform.samlsinglesignon.security.Saml2UserFilter - Can't map user properly

INFO | jvm 1 | main | 2023/06/16 09:59:44.392 | java.lang.IllegalArgumentException: Roles must not be empty

INFO | jvm 1 | main | 2023/06/16 09:59:44.392 | at com.google.common.base.Preconditions.checkArgument(Preconditions.java:144) ~[guava-30.1.1-jre.jar:?]

INFO | jvm 1 | main | 2023/06/16 09:59:44.392 | at de.hybris.platform.samlsinglesignon.DefaultSSOService.getOrCreateSSOUser(DefaultSSOService.java:59) ~

""

Below properties added in local.properties:

sso.usergroup.attribute.key=groups

sso.firstname.attribute.key=first_name

sso.lastname.attribute.key=last_name

sso.userid.attribute.key=uid

#sso.database.usergroup.mapping=false

sso.mapping.(IDPusergroup).usertype=Employee

sso.mapping.(IDPusergroup).groups=employeegroup,admingroup

Added IDP metadata and installed certificate to keystore.

Do we need to customize the singlesignon extension, or do we need to create a new extension to customize the singlesignon behaviour?

Could you please assist?

Thanks,

Sharada
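The error and the local.properties entries in the post above can be checked offline against the assertion the IDP actually returns. The following is an added example, not code from the thread or from SAP Commerce: it parses a SAML 2.0 assertion (a constructed sample is embedded, shaped like what a browser SAML tracer would show, with signature and conditions omitted), pulls out the attributes that the sso.userid.attribute.key and sso.usergroup.attribute.key properties name, and reports whether the group values have a matching sso.mapping.<group>.usertype entry. It assumes that "(IDPusergroup)" in the documentation is a placeholder for the literal group name the IDP sends; the class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Offline check: does a SAML assertion carry the attributes the sso.* properties expect? */
public class SamlAttributeMappingCheck {
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample assertion (signature and conditions omitted), as a SAML tracer would display it.
    static final String SAMPLE_ASSERTION =
        "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\">"
      + "<saml2:AttributeStatement>"
      + "<saml2:Attribute Name=\"uid\"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>"
      + "<saml2:Attribute Name=\"first_name\"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>"
      + "<saml2:Attribute Name=\"last_name\"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>"
      + "<saml2:Attribute Name=\"groups\"><saml2:AttributeValue>IDPusergroup</saml2:AttributeValue></saml2:Attribute>"
      + "</saml2:AttributeStatement></saml2:Assertion>";

    // The thread's local.properties entries as a map (constructed); "(IDPusergroup)" in the docs is
    // assumed to stand for the literal group name the IDP sends.
    static final Map<String, String> PROPS = Map.of(
        "sso.userid.attribute.key", "uid",
        "sso.firstname.attribute.key", "first_name",
        "sso.lastname.attribute.key", "last_name",
        "sso.usergroup.attribute.key", "groups",
        "sso.mapping.IDPusergroup.usertype", "Employee",
        "sso.mapping.IDPusergroup.groups", "employeegroup,admingroup");

    /** Parse with DTDs disabled so a pasted assertion cannot trigger entity expansion or external fetches. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** All non-blank AttributeValue texts of the saml2:Attribute whose Name equals attributeName. */
    static List<String> attributeValues(Document doc, String attributeName) {
        List<String> values = new ArrayList<>();
        if (attributeName == null) return values;
        NodeList attrs = doc.getElementsByTagNameNS(SAML2_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element attr = (Element) attrs.item(i);
            if (!attributeName.equals(attr.getAttribute("Name"))) continue;
            NodeList vals = attr.getElementsByTagNameNS(SAML2_NS, "AttributeValue");
            for (int j = 0; j < vals.getLength(); j++) {
                String v = vals.item(j).getTextContent().trim();
                if (!v.isEmpty()) values.add(v);
            }
        }
        return values;
    }

    /** Returns human-readable findings; an empty list means the OOTB mapping has what it needs. */
    static List<String> check(String assertionXml, Map<String, String> props) throws Exception {
        Document doc = parse(assertionXml);
        List<String> findings = new ArrayList<>();
        String idKey = props.get("sso.userid.attribute.key");
        if (attributeValues(doc, idKey).isEmpty())
            findings.add("no value for user id attribute '" + idKey + "'");
        String groupKey = props.get("sso.usergroup.attribute.key");
        List<String> groups = attributeValues(doc, groupKey);
        if (groups.isEmpty())
            findings.add("attribute '" + groupKey + "' missing or empty: DefaultSSOService rejects this with 'Roles must not be empty'");
        for (String g : groups) {
            if (!props.containsKey("sso.mapping." + g + ".usertype"))
                findings.add("IDP group '" + g + "' has no sso.mapping." + g + ".usertype entry");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = check(SAMPLE_ASSERTION, PROPS);
        System.out.println(findings.isEmpty() ? "mapping OK" : String.join("\n", findings));
    }
}
```

Replace SAMPLE_ASSERTION with the assertion copied from the tracer to see which of the three conditions the real response fails. The check only looks at attribute content; signature and audience validation stay with the samlsinglesignon filter, so a clean result here says the mapping would work, not that the response is trustworthy.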

Aldali
Explorer

Hello sharada1234 ,

No, for the backoffice login with SSO scenario there is no need to have a custom extension, as it is supported OOTB.

By reading the error message, it seems that the user is successfully authenticated from the IDP side and you are receiving the SAML response. However, there is one issue with the content of the response, which is the roles sent from the IDP to SAP Commerce.

My advice is that you should install a SAML tracer add-on/extension in your browser, then check the SAML response; you may share it here. In particular, check what the "groups" field value is in the SAML response and whether you have the correct mapping for it.

SAML-tracer Chrome. SAML-tracer Firefox


When it comes to Employee, after the IDP authentication is successful and the groups were set correctly, the logic is: check if this employee exists; if yes --> update the groups and other details; if not --> create a new Employee as per the SAML response.


Note: there is a way to overcome this error if you think that the IDP will not do a good job in maintaining the groups of the SSO users. You can create a custom extension to override the OOTB implementation of getOrCreateSSOUser() and check if the roles field value in the SAML response is empty; a default usergroup can then be set for the User (Employee in the backoffice case).

import java.util.Collection;

import de.hybris.platform.core.model.user.UserModel;

public interface SSOUserService {
    // Decompiled parameter names kept as posted. Assumed meanings: var1 is the user id taken from the
    // attribute named by sso.userid.attribute.key, var2 the display name, var3 the IDP groups taken
    // from the attribute named by sso.usergroup.attribute.key (must not be empty in the OOTB service).
    UserModel getOrCreateSSOUser(String var1, String var2, Collection<String> var3);
}


Regards
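One way to implement the override described in the note above, as an added example and not the project's or SAP's own code: a decorator around the OOTB SSOUserService that substitutes a single configured fallback group only when the SAML response carries no groups at all, and otherwise leaves the OOTB behaviour untouched. The class name, the package and the property name sso.fallback.usergroup are assumptions of this example; SSOUserService, UserModel and ConfigurationService are SAP Commerce types.

```java
package com.example.sso; // hypothetical package for a custom extension

import java.util.Collection;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import de.hybris.platform.core.model.user.UserModel;
import de.hybris.platform.samlsinglesignon.SSOUserService;
import de.hybris.platform.servicelayer.config.ConfigurationService;

/**
 * Decorates the OOTB SSOUserService: when the SAML response carries no groups, hand the delegate one
 * configured fallback group instead of letting DefaultSSOService fail with "Roles must not be empty".
 */
public class FallbackGroupSSOUserService implements SSOUserService {
    private static final Logger LOG = LoggerFactory.getLogger(FallbackGroupSSOUserService.class);

    /** Hypothetical property; its value needs its own sso.mapping.<value>.usertype/.groups entries. */
    static final String FALLBACK_PROPERTY = "sso.fallback.usergroup";

    private final SSOUserService delegate;              // the OOTB DefaultSSOService bean
    private final ConfigurationService configurationService;

    public FallbackGroupSSOUserService(SSOUserService delegate, ConfigurationService configurationService) {
        this.delegate = delegate;
        this.configurationService = configurationService;
    }

    /** The roles actually handed to the delegate: the IDP's groups, or the fallback if none were sent. */
    Collection<String> effectiveRoles(String userId, Collection<String> roles) {
        if (roles != null && !roles.isEmpty()) {
            return roles;
        }
        String fallback = configurationService.getConfiguration().getString(FALLBACK_PROPERTY, "").trim();
        if (fallback.isEmpty()) {
            // No fallback configured: fail closed exactly as the OOTB service does, rather than grant access.
            throw new IllegalArgumentException("SAML response for '" + userId
                + "' carried no groups and " + FALLBACK_PROPERTY + " is not set");
        }
        LOG.warn("SAML response for '{}' carried no groups; assigning fallback group '{}'", userId, fallback);
        return List.of(fallback);
    }

    @Override
    public UserModel getOrCreateSSOUser(String id, String name, Collection<String> roles) {
        return delegate.getOrCreateSSOUser(id, name, effectiveRoles(id, roles));
    }
}
```

Wire it in the custom extension's Spring configuration with the OOTB bean as the delegate and alias it under the name the SAML filter looks up (assumed here to be the OOTB bean's alias). Point sso.fallback.usergroup at an IDP group name whose sso.mapping.<name>.groups entry grants only the minimum backoffice access; a fallback that maps to admingroup would turn a missing attribute into administrator rights. The warning log line is the signal to watch for, since every hit means the IDP sent an assertion without groups.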

sharada1234
Explorer

Hi @aldali,

Thanks for your help. SSO in backoffice is working fine now.

Thanks,

Sharada
