What a SAML integration gives you.
Employees and customers use a single set of credentials across the storefront, trade portal and internal tools. No credential duplication or password fatigue.
Buying roles, approval limits and account access are governed by your identity provider groups, not buried in ecommerce platform configuration. Changes propagate automatically on next login.
Onboarding and offboarding are unified - user creation or deletion at the identity provider flows through to commerce, with no manual account provisioning or orphaned sessions.
MFA policies set at your identity provider apply to commerce login without the storefront needing to implement MFA natively. One place to manage security policy.
Logged-in users are securely linked to their correct account record with permission and pricing context. No cross-contamination or guest accounts leaking into trade flows.
Where a SAML integration earns its place.
If two or more of these are true, the integration usually pays for itself quickly.
Where off-the-shelf connectors fall short.
Vendor connectors are fine for simple cases. Here's where the real ones need more.
Most commerce platforms do not automatically link an incoming SAML identity to an existing customer record. The integration must define and enforce the matching logic - typically via email, customer ID or account number in the assertion.
SAML assertions carry group membership but the translation to commerce roles, permissions and buying limits is not automatic. Rules must be built and maintained between identity groups and storefront features.
Removing a user from the identity provider does not automatically disable their commerce account or revoke existing sessions. A separate process or integration must handle cleanup and access removal.
Most SAML integrations support individual user authentication but not complex trade-account parent-child relationships or cost-centre hierarchies. Those must be modelled separately in the commerce platform or ERP.
SAML assertions carry a short lifetime and most ecommerce platforms do not offer fine-grained control over session length, reauthentication requirements or MFA policies. Rules must be set at the identity provider.
Most SAML integrations break not on the technical handshake but on the business logic: which user attributes become the match key, when a new account is created versus linked, and whether group changes propagate fast enough to keep permissions current.
Where this integration sits in your estate.
SAML holds the commercial record. The iWeb integration layer manages the rules, mappings, monitoring and exceptions. The commerce platform presents the customer-facing experience. The estate map helps agree ownership before anything is built.
Storefront independent. SAML feeds stock, pricing, orders and customer data into your chosen platform.
- SAML assertion validation and token generation
- Identity provider integration configuration
- Group and attribute mapping rules
- Account linking logic and matching strategy
- Deprovisioning detection and access revocation
- Customer and staff account records
- Roles, permissions and buying limits
- Session management and timeout policy
- Price books and approval workflows linked to roles
- Shopping cart and checkout flow for authenticated users
Systems this integration usually sits next to.
Examples, not a closed list. iWeb is platform-agnostic on both sides: we wire this integration into whatever ecommerce platform and surrounding systems your estate already runs.
- Adobe Commerce
- Magento Open Source
- Shopify Plus
- BigCommerce
- Other storefronts
- Azure AD / Entra ID
- Okta
- Ping Identity
- Custom SAML identity provider
- ERP (for staff account sync)
- CRM (for customer record linking)
- OMS (for order visibility permissions)
Not sure if this works with your stack?
Tell us what you’re using and what needs to connect. We’ll give you a straight view on what’s possible, what might be awkward, and the safest way to approach it.
The data flows we wire.
Each flow has a direction and an owner. We agree both before a line of code is written.
How iWeb configures the integration around your business.
Same method on every integration. The decisions come before the code.
- 01Design the account-linking and matching strategy
We define how incoming SAML identities are matched to commerce customers - via email, account number, employee ID or custom logic - and how new accounts are created if no match exists.
- 02Map identity groups to commerce roles
We translate your identity provider group membership into storefront roles, permissions, price books, approval workflows and buying limits. Mapping is versioned and monitored.
- 03Build provisioning and deprovisioning workflows
We set up automated user creation, updates and removal so identity provider changes flow to commerce within a defined window. Staff leaving trigger account disabling and session cleanup.
- 04Handle token refresh and session lifecycle
We configure token validation, refresh logic and session invalidation so password changes or MFA policy updates at the identity provider immediately affect commerce sessions.
- 05Monitor assertion flow and role-mapping accuracy
We build observability so SAML assertion validation, account linking success and role-mapping application are tracked. Mismatches and permission regressions are surfaced as alerts.
Who owns what.
The single most important table in any integration. One system owns each field; everything else reads it.
Built this before
We have connected SAML to ecommerce platforms across retail, trade and B2B use cases. We understand how identity provision, account linking, group-to-role mapping and deprovisioning fit alongside your ERP, OMS and CRM.
What we test before launch.
Every one of these is rehearsed before a customer ever sees the integration.
Common risks and where they bite.
We name these on day one. A risk written down is a risk you can plan around.
If the account-matching logic breaks - for example, if an incoming email address no longer matches a customer record - the user is either denied access or gets a default guest session. The failure is not visible until permissions go wrong.
When your identity provider group structure is renamed or restructured, the translation to commerce roles may break or apply stale permissions. Without monitoring, staff may have elevated or missing permissions for weeks.
If user removal at the identity provider is not automatically reflected in the commerce platform, departing employees or contractors retain access. Delayed or manual cleanup creates a security gap.
If SAML token lifetime, session timeout and platform session handling are not aligned, users may be logged out unexpectedly during checkout or placed back in a session with stale permission context.
If your identity provider enforces a new MFA requirement or revokes a user's MFA status, existing commerce sessions remain valid until natural expiry. High-privilege accounts may stay active longer than policy allows.
If SAML assertions are missing required attributes - such as email, account ID or group membership - account linking fails or roles cannot be applied. Configuration drift between identity provider and commerce is hard to spot.
Relevant services and sectors.
Common questions about SAML integrations.
What is SAML and why do we need it for commerce?
SAML 2.0 is an open standard for federated authentication. Instead of storing passwords in your commerce platform, SAML delegates login to a central identity provider - usually your corporate directory or a cloud service like Azure AD or Okta. This means staff, trade-account users and customers authenticate with a single set of credentials, permissions are governed from one place, and you can enforce MFA and password policies centrally.
How does SAML differ from OAuth 2.0 or OpenID Connect?
SAML is typically used for staff and B2B login (SSO into a web application or portal), while OAuth 2.0 and OpenID Connect are more common for consumer social login or delegated permissions (e.g. logging in with Google or Facebook). SAML works well for enterprise identity and group-based permission flows. The choice depends on whether you are connecting to a corporate identity provider or supporting consumer login.
How do we link a SAML identity to a customer account in the storefront?
The integration matches the incoming SAML assertion (which carries user attributes like email or employee ID) to an existing customer record using a matching rule - typically by email, account number or a custom identifier. If no match is found, the integration can create a new customer account. The matching logic must be designed before integration starts, and it must handle exceptions (e.g. duplicate emails or missing attributes).
Can we use SAML to govern permissions like buying roles or price books?
Yes. The identity provider can include group membership in the SAML assertion (e.g. 'Buyers', 'Finance Approvers', 'Branch Managers'). The integration translates these groups into commerce platform roles, permissions, price books, approval workflows and spending limits. The mapping must be maintained as organisation structure or permission rules change.
What happens when we deactivate a user at the identity provider?
Ideally the deactivation triggers a process to disable or delete the user account in the commerce platform and invalidate any active sessions. This is not automatic in most platforms - it requires a separate workflow or batch process that detects user removals at the identity provider and applies them to commerce. Without this, staff who leave can retain access.
How do we handle multi-factor authentication with SAML?
MFA is typically enforced at the identity provider level, not in the commerce platform. If the identity provider requires MFA, the SAML assertion is only sent after MFA challenge succeeds. The commerce platform does not need to implement MFA natively - it trusts the assertion from the identity provider.
What happens to the customer session when we change the identity provider certificate or signing key?
The SAML certificate is used to validate assertions; if it changes, the commerce platform must have the new certificate in its configuration before users attempt login. Existing sessions remain valid until they expire naturally. The certificate rollover must be planned and coordinated between the identity provider and commerce operations teams.
How often do SAML tokens expire, and what happens at the storefront?
SAML assertions are typically short-lived (5-15 minutes) and are used only for the initial login handshake. After the commerce platform validates the assertion, it creates its own session token (typically valid for hours). If the user's identity provider session expires, they are not automatically logged out of commerce - they stay logged in until the commerce session naturally expires or the user manually logs out.
Can we use SAML for both staff and external customers?
SAML works for any user population with an identity provider - staff, trade-account customers, agency partners, or consumer customers linked to a directory. The integration must distinguish between these groups (usually via SAML assertion attributes) and route them to the correct account type and permission model in the storefront.
How do we monitor SAML integration health and spot failures?
Monitoring should track assertion validation success rate, account linking match rate, role-mapping application, token refresh failures and deprovisioning latency. Alerts should trigger on validation errors, persistent mismatches, or role changes that fail to apply. Without monitoring, broken SAML flows can go unnoticed until customers report login failures.
What if an incoming SAML assertion is missing a required attribute like email or account ID?
The account-linking logic will fail because it cannot match the identity to a customer record. The integration should log the missing attribute, reject the login with a clear error, and alert operations. Your identity provider configuration must be validated to ensure all required attributes are included in every assertion.
How do we test SAML integration before launch?
Testing should cover: identity validation with test accounts in a staging identity provider, account linking for existing and new customers, group-to-role mapping for each permission level, token refresh and session timeout, MFA enforcement, deprovisioning workflow, assertion attribute completeness, certificate rollover without login downtime, and error handling for assertion validation failures. A parallel production environment or feature flag is essential for safe go-live.
What happens if our identity provider goes offline during peak trading?
If the identity provider is unreachable, SAML login will fail and users cannot authenticate. The commerce platform may offer a fallback authentication method (such as local password login) if SAML is down, but this must be configured and tested. Without a fallback, an identity provider outage blocks all SAML-dependent users.
Can we use SAML for API access and backend order integration?
SAML is designed for web-browser login flows. For API access and backend-to-backend integration (e.g. ERP order sync), OAuth 2.0 or mutual TLS certificates are typically more suitable. Some platforms support SAML for API tokens, but this is less common. Separate authentication strategy for APIs is recommended.
How do we handle trade-account hierarchies and cost-centre permissions with SAML?
SAML groups can represent departments or cost centres, but complex hierarchies (parent account, subsidiary accounts, cost-centre trees) are not natively supported. The integration can include cost-centre attributes in the SAML assertion and map them to commerce permissions, but the trade-account structure itself must be modelled in the commerce platform or ERP.



