Setup
Single Sign-On (SSO) is an authentication method that enables users to securely authenticate with Lightspeed applications using the customer’s SSO platform.
Single Sign-On to NuORDER is a paid feature that we offer to Enterprise brand and retail customers.
OpenID Connect setup (Enterprise customer IT Department)
OpenID Connect (OIDC) is an identity technology built on top of OAuth 2.0. Lightspeed and NuORDER use it to enable brands and retailers to log into NuORDER with SSO. OIDC is the preferred SSO solution because it is simpler to set up and more secure; we do not currently support SAML.
To enable SSO, Enterprise customers must gather information and send it to their NuORDER Account Manager.
These steps are first performed in a Sandbox environment. After testing the setup successfully, the process is replicated in a Production environment.
Note: These instructions pertain to OneLogin, and exact steps may differ depending on your Identity Provider (IDP).
- As an Administrator, log in to your IDP, such as OneLogin, Okta, Azure AD, etc.
- In the Admin section of your IDP, select Applications.
- Select Add App, search for OIDC, then select the OIDC application.
- Name the OIDC application “NuORDER (SBX)”, then upload the icons you want to display for this application in the portal. Optionally, you can add a description for this application.
- Select Save.
- In the Configuration tab, enter a Login URL provided to you by NuORDER. (e.g. https://api.lightspeed.app/auth/sso/<customer>?product=nuorder-sbx)
- Enter the Redirect URI that we provided to you.
- https://api.lightspeed.app/auth/sso/<customer>/callback
- In the SSO tab, collect the following information:

| Data type | Example |
| --- | --- |
| Client ID | 6779ef20e75817b79602 |
| Client Secret | GBAyfVL7YWtP6gudLIjbRZV_N0dW4f3xETiIx2zwP0OuO3pMVAUTid |
| Issuer URL | <issuer_url>/.well-known/openid-configuration |
| Email domains | lightspeedhq.com, lightspeedretail.com, lightspeedhq.net, nuorder.com |

Note: Include all domains your employees use to log in to NuORDER.
- Once you have gathered the information in the table above, send it to your Account Manager using OneTime Secret.
- Open https://ots.lightspeed.app/.
- Paste the information into the text box.
- Set the lifetime to One Week.
- Select One-time Download.
- Select Generate decryption key.
- Select Encrypt Message.
- Copy the share link URL and email it to your Account Manager.
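Before sending the values in the table to your Account Manager, it is worth checking that they are consistent with what the IdP actually publishes. The check below is an added example, not NuORDER or Lightspeed code: the discovery document is a constructed sample of what an IdP serves at `<issuer_url>/.well-known/openid-configuration`, and `idp.example.test` and the customer slug `acme` are placeholders.

```python
import json
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample of an IdP discovery document (not a real provider's output).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/oidc",
    "authorization_endpoint": "https://idp.example.test/oidc/auth",
    "token_endpoint": "https://idp.example.test/oidc/token",
    "jwks_uri": "https://idp.example.test/oidc/keys",
    "response_types_supported": ["code", "id_token"],
})


def check_sso_values(issuer_url, discovery_json, client_id, client_secret,
                     redirect_uri, customer):
    """Return a list of problems found; an empty list means the values are consistent."""
    problems = []
    if urlparse(issuer_url).scheme != "https" or not issuer_url.endswith(DISCOVERY_SUFFIX):
        problems.append("Issuer URL must use https and end with " + DISCOVERY_SUFFIX)
    doc = json.loads(discovery_json)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        problems.append("discovery document is missing: " + ", ".join(missing))
    # OIDC Discovery requires the 'issuer' value to equal the URL the document was
    # fetched from, minus the well-known suffix; a mismatch means the wrong Issuer URL
    # was copied into the table.
    expected_issuer = issuer_url[:-len(DISCOVERY_SUFFIX)] if issuer_url.endswith(DISCOVERY_SUFFIX) else issuer_url
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}, URL implies {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not served over https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise the authorization code flow")
    if not client_id.strip() or not client_secret.strip():
        problems.append("Client ID and Client Secret must both be non-empty")
    # IdPs match redirect URIs exactly, so the value must be the one NuORDER provided,
    # with no added trailing slash or changed scheme.
    expected_redirect = f"https://api.lightspeed.app/auth/sso/{customer}/callback"
    if redirect_uri != expected_redirect:
        problems.append(f"Redirect URI must be exactly {expected_redirect}")
    return problems
```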
Troubleshooting
Users may encounter problems when trying to log in to the NuORDER platform using SSO.
Your email is not associated with the SSO account
When logging in, users may get an error message stating: Your email is not associated with the SSO Account.
This error is experienced when the email address entered is not configured to use SSO in NuORDER.
Try the following:
- Verify you are logging into the correct environment.
- Sandbox: https://app.sandbox1.nuorder.com/
- Production: https://next.nuorder.com/
- Verify with your Account Manager that the NuORDER environment you are logging into has SSO enabled.
- Note: NuORDER SSO can only be enabled on either Sandbox or Production at any one time. Once SSO is working in Sandbox, it is disabled there so that it can be configured on Production.
Error verifying credentials with product
When logging in, users may get an error message stating: Error verifying credentials with product.
This error is experienced when the user with this email has not been created in NuORDER (either in Sandbox or Production).
Try the following:
- Open NuORDER for the environment you are testing on. Access the list of users and verify this user is added and that the email address matches.
Identity Provider: End-user does not have access to this application
When logging in, users may get an error message stating: Identity Provider: End-user does not have access to this application.
This error is experienced when the user has not been granted access to the NuORDER app in the IDP application.
Try the following:
- Ensure the user is granted access to NuORDER in your IDP setup.
- Ensure the user is added to the correct user group that gives them access to NuORDER.
- Ensure the user group has access to NuORDER.
FAQ - NuORDER Enterprise customer
Q: How does SSO work?
A: NuORDER normally asks a user to authenticate themselves by giving us a username and password, which, when correctly entered, grants them access to a NuORDER account. SSO works by making a third-party identity provider (IDP) the authentication source of truth. If the IDP authenticates the user, then that person is given access to NuORDER.
Q: Who does SSO control access for?
A: SSO controls access for company users, not external users.
Example: Macy’s employees will use SSO, but brands who sell to Macy’s will not.
Example: Champion employees will use SSO, but buyers who purchase from them will not.
Q: How do I create and remove users with SSO?
A: You can create and remove users both in NuORDER and through your Identity Provider (IDP).
Creating: Users must be created in both NuORDER and your IDP before that person can log in to NuORDER via SSO.
Removing: When a user has their access removed in their IDP, their access is automatically revoked from NuORDER. It is optional to also remove them from NuORDER.
Q: How do I test SSO?
A: You can test SSO by setting it up in NuORDER’s Sandbox environment and your IDP. When you’re ready to go live, set SSO up in NuORDER’s Production environment. If you’re experiencing issues, revert to Sandbox and contact your Account Manager.
Q: How does NuORDER know to send my users to authenticate with my IDP?
A: NuORDER targets all users who log in with a specific email domain, or a list of email domains, that you control. These must be domain names controlled by your business and cannot be generic domains, such as “gmail.com.” Give us the list of domain names your internal users have and we will install those into NuORDER.
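The following is an added model (not NuORDER's own code) of the domain-based routing described in this answer, together with the three login errors from the Troubleshooting section above: the user decides whether to be sent to the IDP purely by email domain, the IDP grants or denies access, and NuORDER then checks that the user exists. The domain list, user list and the set of generic domains are constructed for the example, and subdomains are assumed not to match a configured domain.

```python
# Generic mail domains that may not be used for SSO routing (constructed list for the example).
GENERIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def normalize_domains(domains):
    """Lower-case the configured domains and reject generic ones, which the page says cannot route SSO."""
    cleaned = set()
    for d in domains:
        d = d.strip().lower()
        if d in GENERIC_DOMAINS:
            raise ValueError(f"{d} is a generic domain and cannot be used for SSO routing")
        cleaned.add(d)
    return cleaned


def email_domain(email):
    """Return the lower-cased domain part of an email address ('' if there is no '@')."""
    return email.rsplit("@", 1)[-1].strip().lower() if "@" in email else ""


def login_outcome(email, sso_domains, nuorder_users, idp_granted_access):
    """Return the message a user would see at the stage where an SSO login stops.

    Stage 1: NuORDER only redirects to the IDP for a configured domain (exact match;
             subdomains are not assumed to match).
    Stage 2: the IDP must have granted the user access to the NuORDER application.
    Stage 3: the user must also exist in NuORDER itself, matched by email.
    """
    if email_domain(email) not in sso_domains:
        return "Your email is not associated with the SSO Account"
    if not idp_granted_access:
        return "Identity Provider: End-user does not have access to this application"
    if email.strip().lower() not in {u.strip().lower() for u in nuorder_users}:
        return "Error verifying credentials with product"
    return "OK"
```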
Q: Do we support SAML?
A: No, we don’t support SAML as an SSO setup method. We only support OIDC because it is both easier to set up for IT teams and more secure.