SSO Login Using BigCommerce Store as IDP

---

Login to BigCommerce Store or any other cloud apps using SSO Login with BigCommerce existing credentials. This means your BigCommerce account can be used as an Identity Provider (IdP) for your existing stores or any other external applications. This eliminated the need to log in separately for each app or store.
A One in all solution for - Centralized Management & Storage of customer data, Store to Store sync, Order status notification, Social login —> for your BigCommerce Store.

Verified Technology Partner of BigCommerce

SSO + MFA Support for any BigCommerce Plan (Standard, Plus, Pro, Enterprise)

Create API account

• Log in to BigCommerce Admin Panel.
• Go to the Settings from the menu, scroll down and select API Accounts.



• Click on Create API Account and choose Create V2/V3 API Token option from the menu shown.
• Add a suitable name for your API account.
• API Path will be used as the store_hash value when we configure BigCommerce in miniOrange which will require in step2.



• Enable the Customers option as Modify and Customers Login option as login. Keep rest of the settings as it is.
• Click on Save.



• Download the API credentials file. It contains the API token, Client ID and Client Secret.

Follow the Step-by-Step Guide given below to setup SSO login using BigCommerce IDP

1. Setup BigCommerce as an IDP in miniOrange

• Login with your miniOrange account.
• Click on Setup under Add Identity Source from the dashboard.



• Select Add Directory under Add External Directories.



• Switch to the API tab and select BigCommerce as API Type from the dropdown.



• Fill in the following values in the respective fields:
  
  

  API Identifier	Any custom name e.g. BigCommerceIDP
  Store Hash	Store hash value found in Create API Account step
  Client ID	Client ID value found in Create API Account step
  Access Token	Access token found in Create API Account Step
  Enable for End USer Login	Enable this option only if you want users to log in to miniOrange dashboard using their BigCommerce credentials. This can be helpful in changing 2fa configurations, etc.
  Migrate User's Password in miniOrange	Enable this option if you want to migrate user credentials from BigCommerce to miniOrange gradually
  Send Configured Attributes	Enable this if you want to send any attributes from BigCommerce as SSO response to any third party application
  Domain Mapping	Enable this option If you want users with a specific email domain to be able to authenticate against BigCommerce

• Click on the Save button.
• Navigate back to View Identity Providers page.
• Click on select against the configured IDP and select Make Default.

2. Test Configuration

• Next step is to test if the configurations work. On the External Directories page, click on select against the BigCommerce configuration and select Test Authorization API.



• It will open a pop-up where you can enter credentials for any BigCommerce account. Upon successful validation, you will see a success message.
• If you see any error message, double-check the Client ID, Store Hash and Access token values. If it still doesn’t work, contact us at idpsupport@xecurify.com.

3. Configure Your application in miniOrange

• Login to miniOrange Admin Console.
• Go to Apps >> Add Application.

• BigCommerce Application
• SAML Application
• OAuth Application
• JWT Application

• In Choose Application Type click on JWT tab.



• In the next step, search for BigCommerce application from the list and click on it.



• Enter the following values in the respective fields.
1. Custom Application Name [Required] : BigCommerce (According to your choice)
2. Description : According to your choice
3. Redirect-URL [Required] : Storefront URL, e.g. https://{{my-store}}.mybigcommerce.com/login/token/
4. Logout-URL : https://{{my-store}}.mybigcommerce.com
5. Force Authentication : Enable if you want user to authenticate even if the user has a session
6. Primary IDP : The identity source against which user will be authenticated
7. User Mapping : Enable if you are sending the logged-in user from this app in the response



1. Group Name : Default
2. Policy Name : Add policy name according to your Preference
3. Login Method : Password



• Click on Save.
• For Attribute Mapping, navigate to Select >> Edit next to your configured applicaition.



• For miniOrange as an IDP:
  • Enter the Client Id, App Secret and Access Token (which we have downloaded from step 1 during API creation in BigCommerce Console).
  • For Signature Algorithm, select HS-256 from the dropdown menu.
  • Set Subject to E-Mail Address.
  
  
  
  • To map the attributes between the miniOrange IDP and BigCommerce application, click on Attributes + button.
  • The first three attributes will be hard-coded values.

  Attribute Name	Attribute Value
  store_hash	You got in this step.
  redirect_to	Endpoint where you wish to redirect the user to after sso. [Homepage or account page e.g. /account.php]
  operation	customer_login

  
  
  
  
  • Click on Save.
  • Now, You can access BigCommerce Account Using IDP credentials through the Single-sign-on URL as shown in image above.

• In Choose Application Type click on SAML tab.



• Search for your Application. In case you do not find your app, search for Custom SAML App.





• Get the ACS URL and SP Entity ID from your application.
• Enter the following values OR click on Import SP Metadata:

Service Provider Name	Choose appropriate name according to your choice
SP Entity ID or Issuer	Your Application Entity ID
ACS URL X.509 Certificate (optional)	Your Application Assertion Consumer Service URL
NameID format	Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Response Signed	Unchecked
Assertion Signed	Checked
Encrypted Assertion	Unchecked
Group policy	Default
Login Method	Password

• Click on Save to configure your application.
• Now to get the IDP metadata of the app configured, Go to apps >> your_app >> select >> metadata tab.



• Click on the Show Metadata details in the Information required to Authenticate via External IDPs section. Download the metadata XML file by clicking on Download Metadata button or copy the Metadata URL link.



• You need to Upload this metadata in your application.

• In Choose Application Type click on OAUTH/OIDC tab.



• You can add any OAuth Client app here to enable miniOrange as OAuth Server. Few popular OAuth client apps for single sign-on are Salesforce, WordPress, Joomla, Atlassian, etc.





• Enter following Values:

Client Name	Add appropriate Name
Redirect URL	Get the Redirect-URL from your OAuth Client
Description	Add if required
Group Name	Default
Policy Name	As per your Choice
Login Method	Password

• Click on Save
• Now to provide the required data to OAuth client go to the app configured i.e apps >> your_app >> select >> edit.






Note: Choose the Authorization Endpoint according to the identity source you configure.

• When you want to use you want to use miniOrange as OAuth identity server use this endpoint: https://{mycompany.domainname.com}/moas/idp/openidsso
• If you are configuring any Identity Provider in Identity Providers Menu and not using miniOrange as IDP use this endpoint: https://{mycompany.domainname.com}/broker/login/oauth{customerid}

• In Choose Application Type click on JWT tab.



• Select JWT App.



• Configure the name for your application and configure Redirect-URL which tells where to send JWT response. Redirect-URL should be an endpoint on your application where you want to achieve SSO.




In case you are setting up SSO with Mobile Applications where you can't create an endpoint for Redirect or Callback URL, use below URL.

https://login.xecurify.com/moas/jwt/mobile


• Click Save
• To get the SSO link for your application, Go to Apps >> your_app >> select >> Edit.



• Then, copy the Single Sign On Url and verify SSO setup by browsing that url.



• On successful authentication, you will be redirected to configured Redirect or Callback URL with JWT token
• You will need to download a certificate from App > Manage Apps, and click Certificate link against your configured application. This certificate will be used for signature validation of JWT response.

Additional Resources

• BigCommerce Azure AD Integration
• BigCommerce OKTA Integration
• Know more about BigCommerce NetSuite Integration
• What is CIAM (Customer Identity & Access Management)
• Know more about Powerschool SSO

If you are looking for anything which you cannot find, please drop us an email on idpsupport@xecurify.com.