Integrating Global-e SP with IdP
This section details the steps required to register Global-e as a trusted entity within IdP.
To integrate Global-e SP with IdP:
Register the Global-E SP entity in IdP using the metadata endpoint links exchange method. (See Metadata)
In IdP, configure the list of user roles supported by Global-e SP. See User Roles.
Register IdP in Global-e SP using the metadata endpoint links exchange method. (See Metadata)
Global-e maps the merchant user roles in the Global-e system.
User Roles
To configure the list of user roles:
Prepare the list of employees (users) that will have permissions to use the Global-e Merchant Portal.
Associate each user to one or several roles supported by Global-e SP (see list of supported roles further below).
Provide this list of SSO users and associated roles to the Identity Provider so that they can configure and include these roles in the SAML response to be sent to Global-e.
Global-e supports the following roles:
1. HubAdmin
2. HubOperator
3. MerchantAdmin
4. MerchantCS
5. MerchantCSAdmin
6. StoreAdmin
7. StoreUser
In the IdP SAML response to Global-e, Global-e SP expects to get the list of SSO users associated with the roles supported by Global-e SP, as illustrated in the following section.
Configuring Merchant Domains
If you have more than one domain, send us the list of addresses of all the domains for which you want SSO support so that Global-e can set this up.
Example of SAML Communication between Global-e SP and IDP
Example of SAML Response with Linked Roles - Sent by IdP to Global-e
Sample SAML Request - Sent by Global-e SP to IdP
<?xml version="1.0" encoding="UTF-8"?> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxfb6ffca7-86f9-48c3-9c43-bde99801a526" Version="2.0" IssueInstant="2004-12-05T09:21:59Z" Destination="https://login.microsoftonline.com/951e7c97-7cdd-4af6-a822-c9482cae5056/saml2" AssertionConsumerService="https://securedev.bglobale.com/account/externallogin" AttributeConsumingServiceIndex="0"> <saml:Issuer>https://wwww.global-e.com/5f4f1908-c9e8-4617-ace7-7d8f44e490d6</saml:Issuer> <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/> </samlp:AuthnRequest><?xml version="1.0" encoding="UTF-8"?>
Example of SAML Response – Sent by IdP to Global-e SP
<?xml version="1.0" encoding="UTF-8"?> <samlp:Response ID="_a225292d-cf07-43d8-83df-9246165ace4e" Version="2.0" IssueInstant="2021-01-11T18:47:39.327Z" Destination="https://secure-qa.bglobale.com/account/externallogin" InResponseTo="pfxf9c319d6-6797-452e-887b-5a3dcccf4ebc" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/951e7c97-7cdd-4af6-a822-c9482cae5056/</Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <Assertion ID="_2903b71e-4f90-4b5d-9156-b83de9b24c00" IssueInstant="2021-01-11T18:47:39.327Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <Issuer>https://sts.windows.net/951e7c97-7cdd-4af6-a822-c9482cae5056/</Issuer> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <Reference URI="#_2903b71e-4f90-4b5d-9156-b83de9b24c00"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <DigestValue>4VWqR0pUrTvBE8FVoOO3D8VFUNAIRHLePqpePWZJxKU=</DigestValue> </Reference> </SignedInfo> <SignatureValue>YCCkRSk0UduDisy4oZxD3v0qGM1wgd36Fg5FXtiL5pENNIcisYdDRquvjy4fNURXhNBMt1HoAeN9jDY8hcamw517X3lJk3imGiDhKT9yIB7VSjPS4azLDqym+uL48vuoUSXfRoaA9TYrLQMhWTn8U0KTB6M/PZlh+2aUSRyxAJiW8zdTNGeDAJM6ICgecQ0Z+wx1BZW6VmBRtH74VpSq3OXcF/1igZnkNRljhr5oKdLdtjJsENhthH1cCGq9q6igZLwalCZesTXCOjK0zO+iJSk7i4kh21X8314x/a6u5tjLr2OkMKP9ChwI1d+cfDe3YLRNvR7ipFGEP6vMR1w/LQ==</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>MIIC8DCCAdigAwIBAgIQEnS+YGZcgbxJ8hPIMskBvzANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDEylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMDA0MjYxNTA4MDJaFw0yMzA0MjYxNTA4MDJaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQgU1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1pukQAAW/qMeMMsD9LZiGwkRpv05y8GSuDx8hnkb5j2Ne+jL5DwAuZhpQAjVtLrMWww+CsScqOSRuXdZvQHzmPgxiD6ZoLxyZsG/EIcjTK80Sb3jruTW87x7Aci873STY0knfGoDfWnJF3QhRYXw0XJpT/1HMXBqnhVY/AzQZWkG70fQW4Hw1+RSTqSetY+Ju72/mR14JQg0eqXnYtpDyJV05JZHlpJ7mFpQVtLg2b9YhkGj/DItQAkvU8e9fuf3jNnPKAOVMPWfoWcbiq/Dyh5TnpNe/9zkruG46pS6eAyNOUyeYv3Vr5ZAw98/q9jJM/LaFn0KYVM5BMtcYDI6mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC01f16JITMAbLwXyYNU8y41YoHcNBbETESKhOlP6zT/zxH2k2XCap4WyXwdrUqFIA0mP/HKgdDdN4KiFUj3nXPXYSZaxjXqlrLRYMTJE4LKZ8iBdAEJ3OjJOA48guNPU+rsoCPTUX+74YOQ3w3XyDhKOWhNjj2fzaFEU6aaGOnHh6s6PHPgQL8uoXYhg6pMQ10m9PtPK12PY6RL+v9HuuRGb+itW1rarlAVS5EPCVxntnDTCv9UUXnEwyQmYp9tmMpkFBpSwjZmwK1BTrUhieJRutwCAM/jQ5cGNAVozr4bx8OV0+25Gd5+f6PIdddyeHCwCIn6wPlV6gwmQCqBzKC</X509Certificate> </X509Data> </KeyInfo> </Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">C1Y5LlgRS2Ms1wmUwkA8W5zCu6Q30w93nuMb5rL06RY=</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData InResponseTo="pfxf9c319d6-6797-452e-887b-5a3dcccf4ebc" NotOnOrAfter="2021-01-11T19:47:38.951Z" Recipient="https://secure-qa.bglobale.com/account/externallogin" /> </SubjectConfirmation> </Subject> <Conditions NotBefore="2021-01-11T18:42:38.951Z" NotOnOrAfter="2021-01-11T19:47:38.951Z"> <AudienceRestriction> <Audience>https://wwww.global-e.com/5f4f1908-c9e8-4617-ace7-7d8f44e490d6</Audience> </AudienceRestriction> </Conditions> <AttributeStatement> <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"> <AttributeValue>951e7c97-7cdd-4af6-a822-c9482cae5056</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"> <AttributeValue>44036fae-af4f-4a18-bd14-dfc7de1487fd</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"> <AttributeValue>SSO01</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"> <AttributeValue>https://sts.windows.net/951e7c97-7cdd-4af6-a822-c9482cae5056/</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"> <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"> <AttributeValue>HubAdmin</AttributeValue> <AttributeValue>HubOperator</AttributeValue> <AttributeValue>MerchantAdmin</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"> <AttributeValue>SSO</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"> <AttributeValue>User</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"> <AttributeValue>[email protected]</AttributeValue> </Attribute> </AttributeStatement> <AuthnStatement AuthnInstant="2021-01-11T18:46:02.700Z" SessionIndex="_2903b71e-4f90-4b5d-9156-b83de9b24c00"> <AuthnContext> <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef> </AuthnContext> </AuthnStatement> </Assertion> </samlp:Response>