Identity Access Management


The Identity Access Management capability enables all types of users in a Spryker shop to create and manage accounts. Different levels of security let users manage the access of other users.

Back Office authentication

To use the Spryker Back Office, users have to authenticate to the Back Office. They can authenticate in one of the following ways:

  • Regular Back Office user account.
  • Third-party sign-on (optional).

To authenticate as a regular Back Office user, you must have a Back Office user account. To learn how to create and manage Back Office user accounts, see Managing users.

You can also let your users sign in from a third-party service set up for your project. The third-party sign-on uses the OpenID protocol for authentication.

The feature is shipped with an exemplary ECO module that supports authentication using Microsoft Azure Active Directory. With the existing infrastructure, you can develop your own ECO modules for the identity managers you need.

If a user chooses to log in using a third party, the user is redirected to the OAuth provider's sign-in page, for example, Microsoft Azure. If the user logs in to the third-party service successfully, a check is made whether the user exists in the Spryker database. If the user exists in the database and is active, the user is logged in. If the user does not exist in the database, you can choose one of two strategies for your project:

Strategy 1: Upon the first login, create the Back Office admin user based on the third-party system’s user data.

If a user who does not exist in the Spryker database logs in for the first time, the following happens:

  • Based on the third-party system’s user data such as first name, last name, and email, the Back Office user is created and visible on the Users page in the Back Office.
  • The user is assigned to the default group.

With Strategy 1, the login process looks like this:

[Diagram: Strategy 1 login process]
Strategy 2: Do not log the user in unless they exist in the Spryker database.

Before a user can log in to the Back Office with third-party service credentials, the user must be added to the database and set to Active. You can add the user using either the Back Office or the ACL module.

With Strategy 2, the login process looks like this:

[Diagram: Strategy 2 login process]
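The decision made after a successful third-party sign-in, under both strategies, as an added example in Python; this is not Spryker's own code. It assumes the provider returns `email`, `first_name` and `last_name` claims, models the user table as a dictionary, and treats the default group name and case-insensitive email matching as assumptions.

```python
from dataclasses import dataclass, field

DEFAULT_GROUP = "default"  # assumed name of the Back Office default user group


@dataclass
class BackOfficeUser:
    email: str
    first_name: str
    last_name: str
    is_active: bool
    groups: list = field(default_factory=list)


@dataclass
class LoginResult:
    allowed: bool
    reason: str
    created: bool = False


def third_party_login(claims: dict, users: dict, strategy: int) -> LoginResult:
    """Decide whether a user who signed in at the third-party provider may enter
    the Back Office. `claims` is the identity data returned by the provider
    (constructed shape: email, first_name, last_name); `users` is the Spryker
    user table modelled as {email: BackOfficeUser}; `strategy` is 1 or 2."""
    # Assumption: emails are matched case-insensitively after trimming.
    email = claims.get("email", "").strip().lower()
    if not email:
        return LoginResult(False, "provider supplied no email claim")

    user = users.get(email)
    if user is None:
        if strategy == 2:
            # Strategy 2: unknown users are refused; provisioning is manual.
            return LoginResult(False, "user not provisioned in the Spryker database")
        # Strategy 1: create the user from provider data and assign the default group.
        user = BackOfficeUser(email, claims.get("first_name", ""),
                              claims.get("last_name", ""), True, [DEFAULT_GROUP])
        users[email] = user
        return LoginResult(True, "created on first login", created=True)

    # Under both strategies an existing but inactive user is never logged in.
    if not user.is_active:
        return LoginResult(False, "user exists but is not active")
    return LoginResult(True, "existing active user")
```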
Current constraints

The feature has the following functional constraint:

Each of the identity managers is an ECO module that must be developed separately. After the module development, the identity manager’s roles and permissions must be mapped to the roles and permissions in Spryker. The mapping is always implemented at the project level.
