SSO

Get Started
Functionality
Learning
Extension
Dev Tooling
APIs
Releases

Essential knowledge

Intended Audience:

Technical User

Author:

Fluent Commerce

Changed on:

9 Oct 2025

Overview

Single Sign-On (SSO) in Fluent OMS allows organizations to centralize authentication through corporate Identity Providers (IdPs) such as Azure AD, Okta, or Google Workspace. Managed through PingOne, SSO provides a unified and secure login experience across users and environments.SSO is supported only for the OMX framework.

Key points

SSO provides unified authentication across multiple IdPs.
Fluent integrates with PingOne for routing, authentication flows, and user provisioning.
Once SSO is enabled, Admin and API users cannot log in to the Fluent Web Apps front end.
Each Fluent account operates in a dedicated PingOne SSO vendor environment.
All API users are stored in the Fluent IdP and authenticate via machine-to-machine flow.

SSO Environment Setup

Each Fluent account is provisioned with an independent PingOne environment during SSO enablement. Setup is handled by the SRE or Success team and includes:

Creating and configuring the admin user.
Setting up authentication and password policies (default configuration is permissive and can be adjusted later).
Enabling Fluent branding and Fluent OMX applications.
Adding authentication flows for user and API access.

Once the environment is active, ongoing configuration can be managed directly by the client’s IT team or administrator in PingOne.

Fluent User Creation and SSO Admin Permissions

All Fluent users must be created in the Fluent application, regardless of the selected IdP. User creation follows the standard process — users can be added via the API or through the Admin section in Fluent Web Apps.SSO vendor environment admin users have the following permissions:

Add integrations with Corporate IdPs (SAML / OpenID Connect)
Enable or disable Fluent users
Enable multi-factor authentication (MFA)
Modify password policies
Change environment branding

📘 For steps to create additional SSO admins, refer to the official PingOne Documentation.

User Types & Access

The following table summarizes how different user types authenticate within an SSO-enabled environment:

User Type	Authentication Source	Notes
Corporate Users	Corporate IdP (e.g., Azure AD, Okta, Google Workspace)	Log in via corporate credentials through PingOne.
API Users	Fluent IdP	Use API authentication only. Cannot log in to Fluent Web Apps UI.
Admin Users	Fluent IdP	Manage SSO environment and integrations. Cannot log in to Fluent Web Apps UI.

API User Management

API users represent system integrations rather than individuals. They must be stored in Fluent IdP and managed via API. They cannot exist within a Corporate IdP and do not interact with the Fluent Web Apps UI.API user credentials are maintained within the connected SSO vendor environment.

Access Limitations

When SSO is active:

Only ADMIN and API users can generate API tokens.
Regular users authenticate only via the external IdP.
Direct Fluent login (username/password) is unavailable for SSO-enabled users.

Password Policy Configuration

Password policies apply to both Corporate IdP and Fluent IdP users, ensuring consistent security standards.

For Corporate IdP, password policies affect only API users.
For Fluent IdP, policies apply to all users.

Default Behavior:All password policy settings are disabled to ensure smooth login behavior after user migration to Fluent IdP. If the policy is modified, users will be prompted to change their passwords during their next login.Password policies are defined once per SSO vendor environment and managed within PingOne.📘 For detailed configuration steps, see the official PingOne Documentation on password policies.

Branding

PingOne supports custom branding for the SSO login page, allowing organizations to align the interface with their corporate identity. This customization applies only to Fluent IdP users. Corporate IdP users are redirected to their organization’s login page during authentication.By default, Fluent branding is provided but can be changed.📘See Branding and Themes

PingOne Configuration and Reference

The official PingOne Documentation provides detailed guidance on setup, configuration, and daily use of the PingOne environment.It includes instructions for authentication policies, password policies, user management, and IdP integrations.

SSO Configuration and Management Guides

Collection of articles covering SSO and identity configuration.

Azure AD & Microsoft Entra ID OIDC Configuration: Unified Guide

Azure AD & Microsoft Entra ID SAML Configuration: Unified Guide

Azure AD Configuration via OIDC

Azure Single Logout configuration

Configure Okta connection via SAML

Explore This Category

Single Sign-On (SSO) Configuration Essentials

This collection covers the foundational concepts and key configuration principles for enabling and managing Single Sign-On (SSO) in Fluent Web Apps. Explore how SSO works, how identity providers are integrated, and how authentication flows are managed securely.

Authentication and Single sign-on (SSO)

Authentication policies

Corporate Identity Provider (IdP) Integration

Federated Identity Provider (IdP)

Fluent Commerce Fundamentals

Explore This Category