# Configuring Microsoft Entra ID for SSO Access

Merchandisers can now access the Merchandising Studio and Preview pages as well as the Insights dashboards using SSO. This means teams can use their corporate credentials, managed by their internal IT and Security teams, to log in to Fredhopper applications.

Here you can find instructions on how to configure **Microsoft Entra ID** as your **Identity Provider (IdP)** for single sign-on (SSO). Microsoft Entra ID is a commonly used service for enterprise authentication.

For more information on how to sign in to Merchandising Studio using SSO, see [here](https://support.crownpeak.com/hc/en-us/articles/28936764509469-Sign-In-to-the-FHR-Merchandising-Studio-Using-SSO).

{% hint style="info" %}
We currently support Microsoft Entra ID for SSO in Merchandising Studio. If you’d like to use an **alternative identity provider or protocol** that supports SAML 2.0 or OIDC, we’re happy to **evaluate it upon request**. Such custom configurations may require an alignment discussion with our technical team.

Please reach out to [Crownpeak Customer Support](https://support.crownpeak.com/hc/en-us) to initiate this conversation.
{% endhint %}

## Implementing SSO

To enable SSO, a few setup steps are required that involve both your organization and Crownpeak.

1. Reach out to [Customer Support](https://support.crownpeak.com/hc/en-us/requests/new) or your Crownpeak CSM to request an SSO setup.
2. Crownpeak shares a **Redirect URL** with you, which is needed for the [Microsoft Entra ID configuration](#configuring-microsoft-entra-id).
3. Your IT team [configures Microsoft Entra ID](#configuring-microsoft-entra-id) as the Identity Provider (IdP) and decides which users or groups have access to Fredhopper applications.
4. Once your IT team has successfully completed the setup in Microsoft Entra ID, send the following information back to Crownpeak: **Application (Client) ID**, **Client Secret**, and **OpenID Connect Metadata URL** (optional).
5. Crownpeak installs the provided configuration, enables SSO for you, and completes the setup.
6. To test your access to Merchandising Studio, the Merchandising Studio admin (assigned by Crownpeak) must log in first. The admin can then assign the roles of all other authenticated users.

{% hint style="success" %}
Note that:

* Only user authentication and generic access are managed via Microsoft Entra ID.
* Upon first SSO access, users are assigned a default role within the application. If they existed previously, their permissions will be reset to the default role.
* Once SSO is active, the Merchandising Studio, Preview pages, and Insights will no longer prompt for basic authentication. Users are redirected to the SSO login.
* Enabling SSO disables local user access.
{% endhint %}

### Configuring Microsoft Entra ID

Before you begin, ensure you have the Redirect URL provided by Crownpeak.

* To register a new application in Microsoft Entra ID:
  * In Microsoft Entra ID, navigate to **App registrations** > **New registration**.
  * Provide a descriptive name, e.g. "Fredhopper SSO Integration".
  * Set **Supported account types** appropriately (typically "Accounts in this organizational directory only").
  * Enable "ID tokens" under "Implicit grant and hybrid flows".
  * Add the Redirect URL in the **Authentication** section of your **App Registration**, using the following format: `https://<fredhopper_sso_domain>/realms/<your_realm_name>/broker/microsoft/endpoint`.
  * Copy the **Application (client) ID** from the App Registration's **Overview** page.
  * To retrieve the OpenID Connect Metadata URL, open **Endpoints** on your App Registration's **Overview** page and copy the OpenID Connect metadata document URL.
* To generate a Client Secret:
  * Navigate to **Certificates & secrets** and click **+ New client secret**.
  * Copy the `Value` of the Client Secret immediately as you won't be able to return to it.

{% hint style="danger" %}
Client secrets have an **expiration date**. Schedule a renewal process with your IT team to avoid unplanned access interruptions.
{% endhint %}

* To configure API permissions:
  * Navigate to **API permissions** > **Add a permission** > **Microsoft Graph** > **Delegated permissions**.
  * Add `openid`, `profile`, and `email`, and then grant admin consent for them.
* To configure user assignment for access control, which lets you restrict sign-in to a specific subset of users:
  * Navigate to **Microsoft Entra ID** > **Enterprise applications**.
  * Select your newly registered application.
  * Navigate to **Properties** and set **"User assignment required?"** to **Yes**.
  * Navigate to **Users and groups** and **Add user/group**. Select *only* the specific users or groups from your Entra ID that should be allowed to log in via Keycloak.
* Send the following information back to Crownpeak: **Application (Client) ID**, **Client Secret**, and **OpenID Connect Metadata URL**.
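As an added pre-handoff check (not part of the original page or of Crownpeak's tooling), the following Python script validates the values collected above before they are sent back: the shape of the Application (client) ID, the Redirect URL format given on this page, a few fields of the OpenID Connect metadata document, and the client secret's expiry. The metadata document and every sample value in it are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Application (client) IDs in Entra ID are GUIDs (8-4-4-4-12 hex groups).
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Redirect URL format from this page: Keycloak broker endpoint for the "microsoft" IdP alias.
REDIRECT_RE = re.compile(r"^https://[^/\s]+/realms/[^/\s]+/broker/microsoft/endpoint$")
# The delegated Microsoft Graph permissions the page asks you to add.
REQUIRED_SCOPES = {"openid", "profile", "email"}

SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
SAMPLE_METADATA = {  # constructed; shaped like the Entra v2.0 OpenID Connect metadata document
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}


def check_bundle(client_id, redirect_url, metadata, secret_expiry, now, warn_days=30):
    """Return a list of problems; an empty list means the bundle is ready to send."""
    problems = []
    if not GUID_RE.match(client_id):
        problems.append("client_id is not a GUID; copy the Application (client) ID from Overview")
    if not REDIRECT_RE.match(redirect_url):
        problems.append("redirect_url must be https://<sso_domain>/realms/<realm>/broker/microsoft/endpoint")
    # Metadata document: issuer and signing keys must be served over HTTPS, and the IdP must
    # advertise the id_token response type plus the scopes granted above.
    if not metadata.get("issuer", "").startswith("https://"):
        problems.append("issuer missing or not https")
    if not metadata.get("jwks_uri", "").startswith("https://"):
        problems.append("jwks_uri missing or not https")
    if "id_token" not in metadata.get("response_types_supported", []):
        problems.append("IdP does not advertise the id_token response type")
    missing = REQUIRED_SCOPES - set(metadata.get("scopes_supported", []))
    if missing:
        problems.append(f"metadata does not advertise scopes: {sorted(missing)}")
    # Secret lifetime: flag expired or soon-expiring secrets so renewal is scheduled, not discovered.
    if secret_expiry <= now:
        problems.append("client secret has already expired")
    elif secret_expiry - now < timedelta(days=warn_days):
        problems.append(f"client secret expires within {warn_days} days; schedule renewal now")
    return problems


if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    ok = check_bundle("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  # constructed client ID
                      "https://sso.example.com/realms/acme/broker/microsoft/endpoint",
                      SAMPLE_METADATA, today + timedelta(days=180), today)
    print("ready to send" if not ok else "\n".join(ok))
```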
