Identity Access Management

Last updated: October 2, 2022

Edit on GitHub

You are browsing a previous version of the document. The latest version is 202307.0.

The Identity Access Management capability enables all types of users in a Spryker shop to create and manage accounts. Different levels of security let users manage the access of other users.

Back Office authentication

To use the Spryker Back Office, users have to authenticate to the Back Office. They can authenticate by the following:

Regular Back Office user account.
Third-party sign-on (optional).

To authenticate as a regular Back Office user, you must have a Back Office user account. To learn how to create and manage Back Office user accounts, see Managing users.

You can also let your users sign in from a third-party service set up for your project. The third-party sign-on uses the OpenID protocol for authentication.

The feature is shipped with an exemplary ECO module that supports authentication using Microsoft Azure Active Directory. With the existing infrastructure, you can develop your own ECO modules for the identity managers you need.

If a user chooses to log in using a third party, the user is redirected to the OAuth provider’s sign-in page—for example, Microsoft Azure. If the user logs in to the third-party service successfully, the check is made if the user exists in the Spryker database. If the user exists in the database and is active, the user is logged in. If the user does not exist in the database, you can have one of the two different behaviors or strategies for your project:

Strategy 1: Upon the first login, create the Back Office admin user based on the third-party system’s user data.

If a user who does not exist in the Spryker database logs in for the first time, the following happens:

Based on the third-party system’s user data such as first name, last name, and email, the Back Office user is created and visible on the Users page in the Back Office.
The user is assigned to the default group.

With Strategy 1, the login process looks like this:

Strategy 2: Do not log in to the user unless they exist in the Spryker database.

Before a user can log in to Back Office with third-party service credentials, the user must be added and set to Active in the database. You can add the user using either the Back Office or the ACL module.

With Strategy 2, the login process looks like this:

Current constraints

The feature has the following functional constraint:

Each of the identity managers is an ECO module that must be developed separately. After the module development, the identity manager’s roles and permissions must be mapped to the roles and permissions in Spryker. The mapping is always implemented at the project level.

INSTALLATION GUIDES	GLUE API GUIDES
Install the Spryker Core Back Office feature	Authentication and authorization
Install Microsoft Azure Active Directory	Security and authentication
Install the Customer Access Glue API	Create customers
	Confirm customer registration
	Manage customer passwords
	Authenticate as a customer
	Manage customer authentication tokens via OAuth 2.0
	Manage customer authentication tokens
	Authenticating as a company user
	Manage company user authentication tokens
	Authenticate as an agent assist
	Managing agent assist authentication tokens
	Delete expired refresh tokens

Was this article helpful?

Tell us what could be better

Name (Optional)

Email (Optional) Invalid email format.

Type your thoughts here

We appreciate the time you took to share the feedback
and will consider it as soon as possible.

Identity Access Management

Back Office authentication

Current constraints

Related Developer documents

Thank you!