The ABCs of Single Sign On (SSO) Stores

If you’ve pitched a company store program to a big corporate client in the last few years, you may have found that the process can be a little bit trickier than it used to be. None of this stuff has ever been easy, mind you. But many corporations now throw up all sorts of hurdles to connecting their employees and customers to your store. Sometimes they’ll push you into a procurement system, like Coupa or Ariba, and at that point the company store itself may become secondary. In that case, you may just be filling orders in that procurement system, no company store needed.

This is not yet the norm, thankfully. Company stores still have a good deal to offer in terms of product presentation, customization and other features that are not readily available in a procurement system. As much as corporations want to have tight-fisted control over every dollar their employees spend, they’re usually willing to let you manage the company store purchasing experience – provided you can do it securely.

In order to do that, you often need to talk to the corporation’s network itself. Yes, you can tell them that every one of their users needs to create an account on the company store separate from their own corporate account. But it’s a hassle – another password to remember, which means another password to forget.

Thankfully, the dark overlords that design and manage massive corporate networks have gifted us with another solution.

Some background: To a corporate IT manager, the internet used to be like the Wild Wild West; once you left the safe confines of their network, you were on your own in the wilderness. In the last decade, though, more and more corporate users must access resources outside that walled garden of the corporation. There are just too many valuable resources on the web to justify keeping users penned up in your network.

Once those corporate networking overlords opened up a crack in the wall, they (surprisingly) took it one step further. Not only can users now venture outside the network; they can take their identity and privileges along with them when they do. In short, the key that opens a corporate network to a user becomes a sort of master key that can be used elsewhere on the internet at large. Provided all the pieces are in place and talking to each other, when Jane is logged in to her corporate network, she can automatically log in to an external service like a company store. No more usernames and passwords to lose.

Not Exactly News

Now, you’ve probably already experienced something like this if you use certain very popular web services. Companies like Google and Facebook want to be not just a service you use but also an identity provider – in other words, they want to be the people who verify that you are you, not just to their own services but to other services as well.

This is why you’ll so often see “Log in with Facebook” or “Register using Google” on websites these days. The idea is the same as the corporate one: Once you’ve verified who you are, there’s no reason you can’t leverage that verified identity in other places. This is a little bit like a passport, but instead of the government, it’s Facebook saying who you are!

Depending on how you feel about privacy, that might scare you. And to be clear, Facebook and Google (and many similar services) have an ulterior motive: They want to track you wherever you go so they can show ads to you. When you log in to, say, an e-commerce store with Facebook, you’re telling Facebook what you like to shop for (and often quite a bit more).

Regardless, these are good examples of identity management or provision. They’re everywhere on the web, and the primary difference between these and what a corporation might do is that these are all services that originate on the web and aren’t tied to all the rules and regulations of a corporate network. Google might know that you work somewhere, but they don’t know who your boss is, who works for you, what buildings you have access to, and so on. That stuff is the domain of corporate networks and “access control”, and it tends to be very closely guarded.

Signing On

So, the people that manage corporate networks had to come up with their own solutions for passing user information onto third parties on the web. And hoo boy, did they ever come up with solutions; there are enough of them to make your head spin. Some don’t work with others; some are proprietary to specific types of networks; and some cost an arm and a leg to maintain.

About the only thing all these parties could agree upon was a name: Single Sign On, or SSO. SSO means that the identity you log on to a system with can be used in some way to log on to another system that supports it. Technically what Facebook and Google are doing is SSO as well, but for our purposes we’re going to focus on corporate Single Sign On, since this is what you’ll have to work with when that RFP comes in the door with the foreboding letters “SSO” stamped on it.

The good news is that you don’t have to learn much about the mechanisms and technology of SSO in order to sell it. Your company store provider will talk with the corporate IT folks to do all the grunt work. But you should have a basic understanding of SSO terms in order to have a productive conversation and get the sales process going. Here are a few important definitions:

  • SSO: Single Sign On, the thing you’ve been reading about.
  • SAML: Security Assertion Markup Language – Encrypted, XML-based language for communicating user security access information to web services/resources. This is a standard that is often used to describe to the third-party website what a user has access to. In other words, it could tell a company store that a given user has access to a specific budget.
  • Identity Provider: Trusted third party that can communicate permissions, etc. about a given user to various requestors. These companies take the identity from a corporate network and make it available to third parties for the purpose of logging in and doing things.
  • AD, Active Directory: Microsoft network authentication/identity management for Windows networks. Most corporate networks run on Windows, although not all of them use Active Directory.
  • Azure AD: Essentially Active Directory in the cloud. Microsoft’s own solution for synchronized local network and cloud-based authentication. This is a way of eschewing third-party identity providers and using Microsoft instead. Expect a lot of the corporate world (especially the big ones) to move in this direction since it’s a relatively easy expansion of the networking they already use.
  • OAuth2: An open standard for access delegation; another way for users to grant websites or applications access to their information on other websites but without providing passwords.

Advantages

This still sounds complicated, and honestly it is. Beyond the ease of use for a user to not have to log in a second time with another set of credentials to a company store, why go through all this rigamarole? A big part of the reason is scale.

Think of it this way: Many big corporations have thousands or tens of thousands of employees. They hire and fire every day, so the marketing manager who had access to the company store yesterday may no longer be at the company tomorrow. If the company store has separate logins for everyone, someone has to be responsible for disabling/enabling access for everyone on third party sites like company stores as well.

This can be done with user imports and synchronization, but that can become painful, especially with large lists and frequent updates. The benefit of SSO is that there’s no need for synchronization because the user’s access is only as good as their identity provider says it is. If Jane from marketing leaves for greener pastures tomorrow, her access and roles are revoked at the corporate level, and that magically propagates to everything else Jane had access to, like a company store. Jane’s access or lack thereof is automatically kept in sync with any service that supports SSO.
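
To make the "no synchronization" point concrete, here is an added example (not code from this article or from any store platform) of a store deciding access purely from the SAML assertion presented at login, with no local user list to disable. The attribute names `role` and `budget`, the audience URL, the sample assertion and the 8-hour session cap are all assumptions, and signature verification is assumed to have been done already by a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STORE_AUDIENCE = "https://store.example.com/saml"  # hypothetical store identifier
SESSION_MAX = timedelta(hours=8)  # assumed cap so an old session cannot outlive a departure for long

# Constructed sample assertion; the attribute names "role" and "budget" are assumptions.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:00:00Z" NotOnOrAfter="2024-05-01T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://store.example.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>marketing</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="budget"><saml:AttributeValue>500</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T09:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def store_login(assertion_xml, now):
    """Return a store session for this login, or None to refuse it."""
    # Assumption: the XML signature was already verified by a SAML library.
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return None  # no validity window stated: refuse
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return None  # expired or not yet valid, so an old assertion cannot be reused
    if STORE_AUDIENCE not in [a.text for a in cond.findall(".//saml:Audience", NS)]:
        return None  # assertion was issued for a different service
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not user or not attrs.get("role"):
        return None  # the identity provider asserted no store role for this user
    return {"user": user, "roles": attrs["role"],
            "budget": int(attrs.get("budget", ["0"])[0]),
            "expires": now + SESSION_MAX}
```

Once Jane's corporate account is disabled, the identity provider stops issuing assertions for her and the last one she received expires within minutes, so her next login attempt is refused without the store ever being told she left.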

How do I sell the darn things?

Honestly, this is where you call in a ringer – your company store provider probably needs to enter the conversation sooner rather than later. Your short answer to “Can your company store handle SSO?” should be “yes but we need to talk about how.” Like anything else, there is a process for sorting through all this. Your company store provider is going to be best qualified to sort through all the jargon and technology changes, but here are some basic questions to get the gears moving:

  1. What do you want to accomplish with SSO? Most often with company stores, SSO is used to automatically log in corporate users to a company store that’s not available to the general public. But it can also be part of a more complex set of rules, like who gets to buy certain categories of items.
  2. What type of corporate network and SSO implementation do you have? There is a good deal of basic info you’ll need to collect at the outset, which is why we’ll say once again that it’s good to have your company store provider in the loop as early as possible.
  3. What’s your timeline and budget? SSO integrations can often involve a lot of analysis, planning and testing. By asking this question, you can establish how serious your customer is about the implementation. They may not have a good answer yet as they’re just exploring options. But if they say “we need it immediately and we’re not paying for it,” you should probably run as fast as possible in the other direction.

This sounds like it’s out of my wheelhouse. I’m scared.

SSO company stores are a big step up from your garden variety company store. But they’re completely feasible for any distributor who has a good technology partner. And they offer a number of benefits to you and your customer:

Lock-in

The tighter your company store is integrated with your customer’s systems and policies, the less likely they are to switch providers.

Compliance

Corporations want the world to work the way they expect it to work. That means that, for better or worse, they often get to dictate how you do business with them. You may already have to submit your invoices a certain way, or use a procurement system to handle orders. SSO pulls your company store out of the wild west and into the realm of safe, compliant software. Your customer will get all the warm fuzzies.

Future-Proofing

No technology is perfect, but by letting the SSO identity provider do most of the heavy lifting, you can help insulate yourself against problems that might arise with technology and security changes. That’s not to say you won’t have to deal with them at all, but at the end of the day, the identity provider is going to bear most of the burden.

Ready to get started or need more info? You can head over to our SSO Company Stores signup page and we’ll be happy to get the process started. Just need us to help you with the initial analysis? No problem! We’re here to assist you with any and all opportunities.
