Stay Logged In – SAML Single Sign On

Why should organizations choose Single Sign On?

In the world of Omni-Channel, the customer is the king! If the customer has trouble logging in or registering on a website, no matter how preeminent the website is, they will be dissatisfied. Having a seamless navigation across different touchpoints is the most critical factor that helps the organization compete and increase revenue.  

Moreover, customer personal data is the most valuable part of any website, and with scams and account-takeover attacks on the rise, securing that data has never been more imperative. So, it is vital to have a simple and secure login process across all digital and physical touchpoints. Providing these capabilities helps the organization build confidence with its customers.

But, is this achievable? Yes, welcome to SAML Single Sign On, an Identity Management solution that can solve these business problems.

What exactly is SAML SSO?

Single Sign On [SSO] provides users (customers) with a seamless authentication experience by giving them access to multiple applications using one set of login credentials. SSO is implemented via various federated protocols such as Security Assertion Markup Language [SAML], WS-Federation [WS-FED], and OpenID Connect.

Security Assertion Markup Language [SAML], developed by the Security Services Technical Committee of OASIS, is a standard XML-based framework for user authentication and authorization between a Service Provider [SP] and an Identity Provider [IDP]. SAML uses digital signatures and cryptography so that the Service Provider never has to handle the user's password itself. The information is passed securely in the form of SAML assertions: signed sign-in tokens that applications working across security domains can trust.

What is a Service Provider and an Identity Provider?

According to the OASIS, an Identity Provider is defined as “A kind of Provider that creates, maintains, and manages identity information for principals and provides principal authentication to other service Providers within a federation, such as with web browser profiles.”

A Service Provider is “A role donned by a system entity where the system entity provides services to principals or other system entities.”

In short, the Identity Provider is the trusted party that authenticates the user, and the web application that relies on that authentication is the Service Provider.

Hybris as the Service Provider and SP-Initiated SSO with SAML

Hybris comes out of the box (OOTB) with the samlsinglesignon extension, which can be integrated with any SAML-compatible Single Sign On service. The extension uses the standard SAML 2.0 protocol to enable SSO in Hybris Commerce. However, this extension is designed to support SSO for the Hybris Assisted Service module (used by customer service agents) only.

Nevertheless, the OOTB functionality can still be leveraged for our requirements. For instance, the process below shows how SSO can be enabled for end users, with Hybris acting as the Service Provider and any third-party federated service acting as the Identity Provider.

The interaction between Hybris and the Identity Provider is as follows:

  1. The user clicks the login icon on the Hybris storefront, which sends a request to access the protected SP resource. The system redirects the user to the SSO entry point of Hybris.
  2. The SSO entry point generates a new SAML authentication request (AuthnRequest) and sends it to the Identity Provider.
  3. The Identity Provider displays its login screen and prompts the user to enter their login credentials.
  4. Once the user is authenticated, the Identity Provider sends a SAML response back to Hybris. The samlsinglesignon extension listens for these incoming requests and checks the response for a valid assertion.
    • If the assertion is invalid, the user is redirected to the login page.
    • If the assertion is valid, a SAML cookie is created and the user is redirected to the storefront, now logged in.
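The assertion checks in step 4 are what keep a forged or replayed response out of the storefront. The following is an added illustration, not code from the original post or from the samlsinglesignon extension: a minimal validator for an SP-initiated flow that ties the response back to the AuthnRequest it issued (InResponseTo), confirms the issuer, audience and validity window, and refuses unsigned assertions. The entity IDs, request ID and the sample response are constructed for the example; real signature verification against the IdP certificate (for instance with xmlsec or python3-saml) is assumed to happen separately and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_ts(s):
    # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml, idp_issuer, sp_entity_id, request_id, now):
    """Return the authenticated NameID, or raise ValueError naming the failed check.
    Only the presence of a signature is checked here; the XML signature itself must be
    verified against the IdP certificate (xmlsec/python3-saml) before the result is trusted."""
    root = ET.fromstring(xml)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    if root.get("InResponseTo") != request_id:  # rejects a response issued for another request
        raise ValueError("response does not match the AuthnRequest this SP issued")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion missing or unsigned")
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        raise ValueError("assertion issued by an untrusted IdP")
    cond = assertion.find("saml:Conditions", NS)
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion was not addressed to this SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

# Constructed sample response (hypothetical entity IDs; the signature value is a placeholder).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" InResponseTo="_req42">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://store.example.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Call validate_response with the trusted IdP issuer, your SP entity ID, the AuthnRequest ID stored in the user's session when the request was sent, and the current UTC time; the same response is rejected once the request ID no longer matches or the validity window has passed.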

With SAML SSO, end users who are logged into one Service Provider application can be authenticated directly to another SP application. For example, a user logged into the Hybris storefront (with SSO enabled) can be authenticated to another third-party application through SAML rather than being required to log in separately again.

Also, the Identity Provider acts as the source of truth for all user information. The data can be managed and updated within the IdP's secured domain, and the updated data can then be sent to Hybris from the IDP using the OCC (Omni Commerce Connect) API calls.

SAML SSO provides a single view of user profiles across an entire organization, giving IT greater visibility. SAML authenticates and authorizes users using XML assertions and communicates predefined user attributes between the SPs and the IDPs. This process eventually leads to richer and more reliable user profiles.

Meet the Author

Nitisha Goliala

Solution Consultant
Nitisha Goliala is a Solution Consultant at Intrigo Systems Inc, with a focus on SAP C/4HANA. She is a Certified SAP Hybris Consultant and has experience working on SAP Hybris Commerce digital transformation projects, specifically Single Sign On (SSO) implementation, Content Management, Product Management, Commerce Marketing and other Hybris modules. She was recently part of a project at Corsair Components and successfully deployed a multi-country transactional website.