Adobe Identity Management Service (IMS) integration overview
Adobe Commerce Admin users who have an Adobe account can now use their Adobe ID to log in to Adobe Commerce. Adobe Identity Management Service (IMS) is Adobe's OAuth 2.0-based identity management feature that supports authentication. Integrating the Commerce Admin authentication into Adobe Business Product's IMS authentication workflow can streamline the authentication process for users who work with other Adobe products. This integration is optional and is enabled on a per-instance basis. Only Admin user workflows are affected when this integration is enabled.
The modules that are required for the Commerce Admin IMS integration are packaged in adobe-ims-metapackage, which is bundled with Adobe Commerce core releases.
To implement this integration, see Configure the Commerce Admin Integration with IMS.
Changes to Admin workflows and interface after integration with IMS
When this integration is enabled, Commerce Admin users experience changes to the default Commerce Admin login and authentication workflow as they perform routine tasks in the Admin that require reauthentication, such as creating an Admin user. Two-factor authentication (2FA) enforcement at the Adobe organization level is required for module enablement. The default Admin login and 2FA are disabled, and the Sign In with Adobe ID button replaces the default Admin sign-in form. Entitlements are still managed from the Admin.
How Admin integration with IMS affects Commerce passwords
Commerce deployments that have been integrated with Adobe IMS require an Adobe ID account with access to the Adobe IMS organization that is configured for the Commerce application during the IMS enablement process. When the IMS integration is enabled, admin users authenticate through the Adobe sign-in page using their Adobe credentials. The Commerce passwords and user names for admin users are no longer used for authentication as long as the Adobe IMS integration is enabled.
If the IMS integration is disabled, admin users must authenticate through Adobe Commerce again using their Commerce user name and password. Admin users should save their Commerce Admin credentials (username and password) and 2FA credentials before enabling this integration.
Certain backend components that are involved in user authentication still require a non-null password. To meet this requirement, Commerce creates random passwords for newly created admin users in the admin_user table.
User accounts and role permissions for the Commerce application are still managed from the Commerce Admin.
Web API token generation with IMS credentials
Commerce Admin APIs are affected when Admin authentication with Adobe IMS is enabled in a Commerce instance. Admin users can no longer use the credentials issued by the Commerce instance. These are the credentials required to log in to the Admin and to obtain access tokens that services can use to make requests to the Admin REST and SOAP APIs.
After the Adobe IMS integration is enabled, admin users must use IMS access tokens for Adobe Commerce API endpoints that require authentication. Client solutions obtain the tokens dynamically for web API use. This authentication mechanism is enabled for REST and SOAP web API areas as part of configuring this integration.
See the web API authentication documentation for an overview of how web APIs use Commerce access tokens, including IMS access tokens.
Commerce session management and Adobe IMS access tokens
Access tokens hold both user credentials and login session information. Once a user has been authenticated and a session has begun, these two variables are added to the user's session:
token_last_check_time - Identifies the time of the last token check and is used by the \Magento\AdminAdobeIms\Plugin\BackendAuthSessionPlugin plugin.
adobe_access_token - Identifies the ACCESS_TOKEN value received during authorization.
The \Magento\AdminAdobeIms\Plugin\BackendAuthSessionPlugin plugin checks whether token_last_check_time was last updated ten or more minutes ago. If it was, the authentication workflow makes an API call to IMS to validate the access token. If the access token is valid, the token_last_check_time value is updated to the current time and the session continues. If the token is not valid, the session is terminated.
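The re-validation logic above, modelled as an added, stand-alone example (this is illustrative code, not Magento's BackendAuthSessionPlugin). The session store, the ten-minute interval constant and the injected validate_token callable standing in for the IMS API call are assumptions made for the example; the only behaviour taken from the page is the session keys, the ten-minute window, and the update-or-terminate outcome. One design choice worth noting: an error reaching IMS is treated as an invalid token, so the check fails closed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Assumed constant: the page states the check happens every ten minutes.
RECHECK_INTERVAL_SECONDS = 10 * 60


@dataclass
class AdminSession:
    """Minimal stand-in for the Admin auth session (constructed for this example)."""
    data: Dict[str, object] = field(default_factory=dict)
    active: bool = True

    def terminate(self) -> None:
        # Terminating the session drops the token and the timestamp.
        self.active = False
        self.data.clear()


def start_session(access_token: str, now: int) -> AdminSession:
    """After a successful IMS login the two session variables from the page are set."""
    session = AdminSession()
    session.data["adobe_access_token"] = access_token
    session.data["token_last_check_time"] = now
    return session


def prolong_session(session: AdminSession,
                    validate_token: Callable[[str], bool],
                    now: int) -> bool:
    """Model of the per-request check: returns True if the session continues.

    validate_token is a hypothetical callable that performs the IMS
    round trip and returns whether the access token is still valid.
    """
    if not session.active:
        return False
    last_check: Optional[int] = session.data.get("token_last_check_time")  # type: ignore[assignment]
    token: Optional[str] = session.data.get("adobe_access_token")  # type: ignore[assignment]
    if last_check is None or token is None:
        # A session without the IMS variables cannot be trusted; end it.
        session.terminate()
        return False
    if now - last_check < RECHECK_INTERVAL_SECONDS:
        # Inside the ten-minute window: no call to IMS, session continues.
        return True
    try:
        valid = validate_token(token)
    except Exception:
        # Design choice for this example: an unreachable IMS is treated
        # as an invalid token rather than silently extending the session.
        valid = False
    if not valid:
        session.terminate()
        return False
    # Token confirmed valid: record the time of this check and continue.
    session.data["token_last_check_time"] = now
    return True


def demo() -> dict:
    """Walk a session through the window boundary and an invalid-token outcome."""
    calls = {"n": 0}

    def ims_says_valid(token: str) -> bool:
        calls["n"] += 1
        return True

    def ims_says_invalid(token: str) -> bool:
        calls["n"] += 1
        return False

    session = start_session("constructed-sample-token", now=0)
    within_window = prolong_session(session, ims_says_valid, now=300)
    at_boundary = prolong_session(session, ims_says_valid, now=600)
    later_invalid = prolong_session(session, ims_says_invalid, now=1300)
    return {
        "within_window": within_window,
        "at_boundary": at_boundary,
        "later_invalid": later_invalid,
        "ims_calls": calls["n"],
        "session_active": session.active,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows that the first request at 300 s never contacts IMS, the request at exactly 600 s triggers one validation call and refreshes token_last_check_time, and the later request whose validation fails terminates the session and clears both variables.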
Important files
adminAdobeIms - Provides an implementation of the Admin login based on the AdobeImsApi module.
admin_adobe_ims_webapi - Maintains a record of all validated access tokens. When a token is validated or invalidated, a record of its status is preserved in this table.
adobeIms - Implements all the business logic that is related to integration with Adobe IMS (preserved to prevent backward incompatibilities).
adobeImsApi - Declares the interfaces that support integration with Adobe IMS.
adminadobe-ims.log - Error log file.
Enable the integration
The Adobe IMS metapackage is installed with Adobe Commerce 2.4.5 and higher, but must be configured for use. It extends the AdobeIms module to support the module that enables authentication logic (AdminAdobeIms).
For more information about enabling the integration, see Configure the Commerce Admin Integration with Adobe IMS.