What a SSO integration gives you.
Users log in once via SSO and access ecommerce, trade portals, branch systems and customer-service tools without re-entering credentials. Eliminates password fatigue and support friction.
When a person's role changes or they move to a new team, permissions update automatically across all systems. No manual access grants or orphaned accounts.
Every login, permission change, and access cut is logged. Compliance teams can audit who accessed what, when, and under what authority.
When staff or suppliers leave, SSO deprovisioning cuts access across commerce, trade systems and branch terminals in minutes, not days.
Corporate accounts, buying limits, approval workflows and cost-centre controls are enforced at login time so procurement rules stay consistent across all channels.
Where a SSO integration earns its place.
If two or more of these are true, the integration usually pays for itself quickly.
Where off-the-shelf connectors fall short.
Vendor connectors are fine for simple cases. Here's where the real ones need more.
Standard SSO connectors often map identity-provider groups to simple commerce roles. They struggle with buying limits, cost-centre rules, approval authority and trade-specific permissions that sit between the identity layer and order workflow.
If a customer exists both as an online shopper and a trade account, the SSO flow may not know which record to link to, creating duplicate accounts or loss of purchase history.
Removing a user from the identity provider does not automatically revoke sessions or cut access in all downstream systems. Trade-portal access or dormant sessions may persist until manually cleared.
Commerce platforms and identity providers may enforce different session lifetimes, MFA policies or token refresh rules, leading to unexpected logouts or security gaps during peak trading.
SSO connectors often assume a single online storefront. They do not naturally support trade-portal access, branch staff accounts, corporate-account hierarchies or local permission overrides in physical locations.
Permission mapping and account linking are where SSO integration often breaks down; off-the-shelf connectors assume a single role-per-user model and do not handle buying limits, cost-centre rules or trade-account hierarchies.
Where this integration sits in your estate.
SSO holds the commercial record. The iWeb integration layer manages the rules, mappings, monitoring and exceptions. The commerce platform presents the customer-facing experience. The estate map helps agree ownership before anything is built.
Built for your platform, not a specific one. SSO integrates with any ecommerce core through the same contract.
- User identity and authentication credentials
- Group and role membership
- MFA policy and session lifecycle
- Audit events and login records
- Commerce customer account record
- Cart, orders and customer history
- Storefront session and checkout experience
- Commerce-side permission enforcement
Systems this integration usually sits next to.
Examples, not a closed list. iWeb is platform-agnostic on both sides: we wire this integration into whatever ecommerce platform and surrounding systems your estate already runs.
- Adobe Commerce
- Magento Open Source
- Shopify Plus
- BigCommerce
- Other storefronts
- Okta, Azure AD or other identity provider
- ERP system for trade-account and cost-centre rules
- Trade portal or B2B platform
- EPOS and branch systems
- Customer-service platform
- Audit and compliance logging
Not sure if this works with your stack?
Tell us what you’re using and what needs to connect. We’ll give you a straight view on what’s possible, what might be awkward, and the safest way to approach it.
The data flows we wire.
Each flow has a direction and an owner. We agree both before a line of code is written.
How iWeb configures the integration around your business.
Same method on every integration. The decisions come before the code.
- 01Design the authentication flow
iWeb defines whether your users log in via SAML, OAuth 2.0 or OpenID Connect; how sessions are held on the commerce platform; and what happens when a session expires or MFA fails.
- 02Map identity to commerce roles and permissions
iWeb translates identity-provider groups into commerce roles, buying limits, cost-centre codes, approval authority and trade-account membership so permissions reflect real business rules.
- 03Link accounts across systems
iWeb builds the logic to match an authenticated user to their commerce customer record, corporate account, trade profile or branch staff account so history and permissions stay coherent.
- 04Handle deprovisioning and session cut
iWeb builds workflows so when a user is removed from the identity provider, all sessions are revoked, trade-portal access is cut and branch terminals reflect the change within minutes.
- 05Monitor and audit identity flows
iWeb instruments the authentication and permission paths so security teams see login events, permission grants, group changes and access anomalies in real time.
Who owns what.
The single most important table in any integration. One system owns each field; everything else reads it.
Built this before
iWeb has designed and supported SSO integration patterns across ecommerce, trade portals, branch systems and corporate directories. We understand how identity provider protocols (SAML, OAuth 2.0, OpenID Connect) fit into commerce estates and where permission mapping and account linking usually cause friction.
What we test before launch.
Every one of these is rehearsed before a customer ever sees the integration.
Common risks and where they bite.
We name these on day one. A risk written down is a risk you can plan around.
If SSO account linking fails, users may create new accounts instead of linking to existing records, splitting purchase history and loyalty across duplicate identities.
If group-to-permission mapping is not automated, users may keep stale permissions after a role change, allowing access they should not have or blocking access they need.
If SSO session lifetime is too short or token refresh fails, users may be logged out mid-purchase, causing cart abandonment or lost orders.
If identity-provider changes do not propagate quickly to commerce and branch systems, a departing staff member or supplier may retain access for hours or days after they should be cut off.
If MFA policies drift or identity-provider certificates expire without rollover, users may be locked out entirely. Certificate and policy rotation must be monitored and tested regularly.
If SSO maps to commerce roles but does not translate to trade-account buying limits, approval workflows or cost-centre codes, users may bypass procurement rules or approve transactions outside authority.
Relevant services and sectors.
Common questions about SSO integrations.
Should we use SAML, OAuth 2.0 or OpenID Connect?
SAML works best for employee and trade-staff access where users are already in a corporate directory. OAuth 2.0 and OpenID Connect work best where users log in with social or consumer identities. iWeb recommends SAML for trade and branch access, and OIDC or OAuth for consumer accounts that may also link to corporate identity.
How do we link a user's identity-provider identity to their commerce customer account?
iWeb builds a matching strategy based on email, username, customer ID or a persistent identifier from the identity provider. For new users, a new commerce customer is created at first login. For existing users, iWeb uses a pre-loaded mapping or a just-in-time linking flow.
What happens if a user exists in both the identity provider and as an online shopper but under a different email?
This is a common scenario for shoppers who later join the company or a trade account. iWeb builds resolution logic so the first authenticated login either links to the existing customer or prompts the user to confirm. Manual reconciliation may be needed for legacy data.
How do we translate identity-provider groups into commerce buying permissions?
iWeb maps identity-provider groups to commerce roles and then translates those roles into buying limits, approval authority, cost-centre codes and trade-account access. The mapping is maintained by iWeb and reviewed during business-process changes.
How quickly are permission changes reflected when a user changes role in the identity provider?
If the identity provider supports real-time events, permissions can update within seconds. If using scheduled sync, updates happen at the next scheduled pull, typically every 15 minutes to hourly. iWeb recommends real-time events for trade staff and approval workflows.
What happens when a user is removed from the identity provider?
iWeb triggers deprovisioning workflows that revoke active sessions, cut trade-portal access and update the commerce customer record to disabled status. Branch terminals and customer-service systems are notified so the user cannot initiate new transactions.
How do we handle MFA for trade users and branch staff?
iWeb configures MFA policy at the identity provider level and ensures the commerce platform respects it. For branch staff, iWeb can support MFA on first login of the day or per-transaction depending on security policy.
Do we need to re-enter SSO credentials on mobile apps or at branch terminals?
iWeb can configure SSO to work seamlessly on mobile apps via OpenID Connect, and on branch terminals via cached sessions or device-level authentication. The approach depends on security policy and whether users are always online.
How do we handle trade-account hierarchies where some staff should see only certain divisions or locations?
iWeb uses identity-provider groups and attributes (like division code or location code) to filter the commerce and trade systems' visibility. For example, a user in the 'Manchester Branch' group sees only Manchester stock and orders.
What if the identity provider goes down? Can users still access ecommerce?
iWeb designs fallback behaviour: if the identity provider is unreachable and the user has an active session, they can continue. New logins are blocked until the identity provider recovers. For critical trade systems, iWeb may recommend a secondary identity provider or local cache.
How do we audit and report on who logged in and what they accessed?
iWeb instruments login, permission grant and access events and logs them to a central audit system. Security teams can report on login frequency, failed attempts, permission changes and suspicious activity patterns.
How do we handle SSO during an ecommerce platform upgrade or replatform?
iWeb re-establishes SSO configuration on the new platform and tests account linking and permission mapping thoroughly before cutover. If the identity provider certificate or protocol changes, both systems must be reconfigured in step.
Can we use SSO for customer-facing ecommerce, or only for trade and staff access?
SSO works for both. For consumer ecommerce, users log in via a social provider (Google, Microsoft, Apple) mapped to their consumer identity. For trade and corporate accounts, users log in via your corporate identity provider. iWeb can support both flows on the same storefront.
How does SSO work if we have multiple commerce platforms (ecommerce, trade portal, marketplace)?
iWeb configures the identity provider as a central hub so users authenticate once and receive tokens valid across all platforms. Each platform independently validates the token, but the user experience is a single login.



