{"section":"tutorials","requestedLocale":"en","requestedSlug":"enable-login-for-the-organization-via-an-external-identity-provider-idp","locale":"en","slug":"enable-login-for-the-organization-via-an-external-identity-provider-idp","path":"docs/en/tutorials/b2b/organization-account/enable-login-for-the-organization-via-an-external-identity-provider-idp.md","branch":"main","content":"> ⚠️ This feature is only available for stores using the [B2B Buyer Portal](https://help.vtex.com/en/docs/tutorials/b2b-buyer-portal), which is currently available for selected accounts.\n\nBuyer organizations can authenticate their members through an external identity provider (IdP) using Single Sign-On (SSO). For this process to work, the buyer organization needs to enable login with an external identity provider in the Buyer Portal interface, as described in this guide.\n\n## Prerequisites\n\nBefore enabling login via external IdP in the Buyer Portal, make sure that:\n\n* The retailer has already configured the identity provider in the VTEX Admin under **Account Settings > Authentication**, following the instructions in [Login (SSO)](https://developers.vtex.com/docs/guides/login-integration-guide) and [Webstore (OAuth 2.0)](https://developers.vtex.com/docs/guides/login-integration-guide-webstore-oauth2).\n* You have the **Organizational Unit Admin** role in the buyer organization.\n\n## Enable login via external IdP in the Buyer Portal\n\nFollow the instructions to enable login via external IdP:\n\n1. Go to the store using a browser and log in with your user account.\n2. In the top menu, click **Company**. The organization dashboard will be displayed.\n3. Click **Manage**.\n4. If you want to enable login for the organization, proceed to step 5. If you want to select a child organization to enable, click **Organizational Units** and then the name of the organizational unit.\n5. 
Click the **⋮** menu and then **Authentication**.\n\n   ![enable-login-for-the-organization-via-an-external-identity-provider-idp_1](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/b2b/organization-account/enable-login-for-the-organization-via-an-external-identity-provider-idp_1.png)\n\n6. In the **Authentication methods** section, select one or more desired options (in the example image below, the external IdP option is PingFederate (SSO)). Remember to deselect authentication methods that won't be used.\n\n   ![enable-login-for-the-organization-via-an-external-identity-provider-idp_2](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/b2b/organization-account/enable-login-for-the-organization-via-an-external-identity-provider-idp_2.png)\n\n7. Click **Save**.\n\n> ℹ️ You can also manage authentication options for the organization via API. See the [VTEX ID API reference](https://developers.vtex.com/docs/api-reference/vtex-id-api#post-/api/vtexid/organization-units/-unitId-/settings) for more details.\n\n## Authentication flow\n\nAfter enabling, the authentication flow for organization members works as follows:\n\n1. The user enters their username during storefront login.\n2. The VTEX platform identifies the organization associated with the user.\n3. The user is redirected to the configured identity provider.\n4. The provider authenticates the user.\n5. After authentication, the user returns to the storefront with authorized access. 
The diagram below illustrates this flow:\n\n```mermaid\nsequenceDiagram\nparticipant U as User\nparticipant S as Storefront\nparticipant I as IdP\n\nU->>S: Start login with username\nS->>S: Resolve organization/method\nS->>I: Redirect for authentication\nI-->>S: Return result\nS->>S: Validate return (identity/username)\nS-->>U: Authorized access\n```\n\n## Learn more\n\n* [Login (SSO)](https://developers.vtex.com/docs/guides/login-integration-guide)\n* [Webstore (OAuth 2.0)](https://developers.vtex.com/docs/guides/login-integration-guide-webstore-oauth2)\n* [Login for B2B](https://help.vtex.com/en/docs/tutorials/login-for-b2b-stores)"}