Configuring Microsoft Entra ID for SSO Access
Learn how to configure Microsoft Entra ID as the Identity Provider (IdP) to enable secure single sign-on (SSO) access to Merchandising Studio, Preview, and Insights.
Merchandisers can now access the Merchandising Studio and Preview pages as well as the Insights dashboards using SSO. This means teams can use their corporate credentials, managed by their internal IT and Security teams, to log in to Fredhopper applications.
Here you can find instructions on how to configure Microsoft Entra ID as your Identity Provider (IdP) for single sign-on (SSO). Microsoft Entra ID is a commonly used service for enterprise authentication.
For more information on how to sign in to Merchandising Studio using SSO, see here.
Implementing SSO
To enable SSO, a few setup steps are required that involve both your organization and Crownpeak.
Reach out to Customer Support or your Crownpeak CSM to request an SSO setup.
Crownpeak shares a Redirect URL with you, which is needed for the Microsoft Entra ID configuration.
Your IT team configures Microsoft Entra ID as the Identity Provider (IdP) and decides which users or groups have access to Fredhopper applications.
Once your IT team has successfully completed the setup in Microsoft Entra ID, send the following information back to Crownpeak: Application (Client) ID, Client Secret, and OpenID Connect Metadata URL (optional).
Crownpeak installs the provided configuration, enables SSO for you, and completes the setup.
To test your access to Merchandising Studio, the Merchandising Studio admin (assigned by Crownpeak) must log in first. The admin can then assign the roles of all other authenticated users.
Note that:
Only user authentication and generic access are managed via Microsoft Entra ID.
Upon first SSO access, users are assigned a default role within the application. If they existed previously, their permissions will be reset to the default role.
Once SSO is active, the Merchandising Studio, Preview pages, and Insights will no longer prompt for basic authentication. Users are redirected to the SSO login.
Enabling SSO disables local user access.
Configuring Microsoft Entra ID
Before you begin, ensure you have the Redirect URL provided by Crownpeak.
To register a new application in Microsoft Entra ID:
In Microsoft Entra ID, navigate to App registrations > New registration.
Provide a descriptive name, e.g. "Fredhopper SSO Integration".
Set Supported account types appropriately (typically "Accounts in this organizational directory only").
Enable "ID tokens" in "Implicit grant and hybrid flows."
Add the Redirect URL in the Authentication section of your App Registration, using the following format:
https://<fredhopper_sso_domain>/realms/<your_realm_name>/broker/microsoft/endpoint
Copy and record the Application (client) ID from the App Registration's Overview page.
To retrieve the OpenID Connect Metadata URL, open Endpoints on your App Registration's Overview page and copy it.
To generate a Client Secret:
Navigate to Certificates & secrets and click + New client secret.
Copy the Value of the Client Secret immediately, as you won't be able to return to it.
Client secrets have an expiration date. Schedule a renewal process with your IT team to avoid unplanned access interruptions.
To configure API permissions:
Navigate to API permissions > Add a permission > Microsoft Graph > Delegated permissions.
Add openid, profile, and email, and then grant admin permissions.
To configure user assignment for access control, which lets you restrict sign-in to a subset of users:
Navigate to Microsoft Entra ID > Enterprise applications.
Select your newly registered application.
Navigate to Properties and set "User assignment required?" to Yes.
Navigate to Users and groups and Add user/group. Select only the specific users or groups from your Entra ID that should be allowed to log in via Keycloak.
Send the following information back to Crownpeak: Application (Client) ID, Client Secret, and OpenID Connect Metadata URL.
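Before sending these values, the registration can be checked against the settings described above. The following is an added example, not Crownpeak or Microsoft code: it inspects an application object and its servicePrincipal object as exported from Microsoft Graph. The sample objects, the host sso.example.com, the realm example-realm, and the 30-day warning window are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Redirect URL shape from this page; Crownpeak supplies the real host and realm.
REDIRECT_RE = re.compile(
    r"^https://[A-Za-z0-9.-]+/realms/[^/\s]+/broker/microsoft/endpoint$")

def parse_graph_time(value):
    # Graph timestamps are UTC; drop fractional seconds and the trailing "Z".
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_registration(app, sp, now, warn_days=30):
    """Return findings for a Graph application and its servicePrincipal object."""
    findings = []
    web = app.get("web", {})
    uris = web.get("redirectUris", [])
    if not any(REDIRECT_RE.match(u) for u in uris):
        findings.append("redirect URL in the documented format is missing")
    findings += [f"extra redirect URI to review: {u}"
                 for u in uris if not REDIRECT_RE.match(u)]
    if not web.get("implicitGrantSettings", {}).get("enableIdTokenIssuance"):
        findings.append("ID tokens are not enabled")
    if not sp.get("appRoleAssignmentRequired"):
        findings.append("user assignment is not required")
    secrets = app.get("passwordCredentials", [])
    if not secrets:
        findings.append("no client secret present")
    for s in secrets:
        days_left = (parse_graph_time(s["endDateTime"]) - now).days
        if days_left < 0:
            findings.append(f"client secret '{s.get('displayName')}' has expired")
        elif days_left <= warn_days:
            findings.append(f"client secret '{s.get('displayName')}' expires in {days_left} days")
    return findings

# Constructed sample objects, not real tenant data.
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
SAMPLE_APP = {
    "web": {
        "redirectUris": ["https://sso.example.com/realms/example-realm/broker/microsoft/endpoint",
                         "http://localhost:8080/callback"],
        "implicitGrantSettings": {"enableIdTokenIssuance": True}},
    "passwordCredentials": [
        {"displayName": "fredhopper-sso", "endDateTime": "2025-01-30T00:00:00.0000000Z"}],
}
SAMPLE_SP = {"appRoleAssignmentRequired": False}

for finding in check_registration(SAMPLE_APP, SAMPLE_SP, NOW):
    print("-", finding)
```

Running the same check on a schedule, with the current time as `now`, gives early warning of the client secret expiry mentioned above.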