{"section":"tutorials","requestedLocale":"en","requestedSlug":"login-for-b2b-stores","locale":"en","slug":"login-for-b2b-stores","path":"docs/en/tutorials/b2b/b2b-buyer-portal/login-for-b2b-stores.md","branch":"main","content":"> ⚠️ This feature is only available for stores using [B2B Buyer Portal](https://help.vtex.com/docs/tutorials/b2b-buyer-portal), which is currently available for selected accounts.\n\nIn B2B environments, access to the storefront is usually linked to an organization. For this reason, the authentication process may use identifiers other than email and can be integrated with corporate identity systems.\n\nAuthentication options for user access to the B2B store include:\n\n- Login with username and password\n- Login with external identity provider (SSO)\n\n## Overview\n\nThe diagram below provides an overview of the B2B login flow, from user identification to final authentication.\n\n```mermaid\nflowchart LR\nA[Start login] --> B[Enter username]\n\nB --> C{Organization<br />identified?}\nC -- No --> X[Access denied]\nC -- Yes --> D{Authentication<br />method}\n\nD -- Password --> E[Login with password]\nD -- SSO --> F[Login with IdP]\n\nE --> G[Login completed]\nF --> G\n```\n\nLogging in to B2B stores can occur via different authentication mechanisms. Depending on the store configuration and the user's organization, authentication may occur using username and password or via an external identity provider (IdP).\n\n> ℹ️ The authentication methods used by the organization are defined through an API configuration. Learn more in [Setting up authentication methods per organizational unit](#).\n\nIn the login component, the buyer first enters their username. Based on this identifier, the VTEX platform determines the contract associated with the user and identifies the authentication method that should be used.\n\nBased on this information, the login component dynamically displays the authentication method configured for that organization, such as password login or authentication via an external identity provider.\n\n## Login with username\n\nIn the B2B authentication model, users can access the storefront using their username as the primary identifier.\n\nThis model is common in scenarios such as:\n\n- Corporate portals for employees or representatives\n- Companies that use corporate IDs\n- Organizations that adopt standardized username login\n\n### Username rules\n\nThe username must follow these rules:\n\n- 3 to 30 characters\n- Not case-sensitive\n- Allowed characters: Letters, numbers, `.`, `@`, `-`, and `_`\n- No spaces allowed\n\n### Emails\n\nIn B2B environments, email isn't required as a login identifier. Users may have two types of email for different purposes: recovery and transactional.\n\n| Email type | Use | Rules |\n| :---- | :---- | :---- |\n| Access recovery email | Used for actions related to authentication, such as password recovery or reset.      | Must be unique in the store. Can be optional. Can be the same as the transactional email, but doesn't have to be. |\n| Transactional email   | Used for store communications, such as order confirmations and status notifications. | Doesn't need to be unique and can be shared by multiple users. Can also be optional. |\n\n#### Usage example\n\nConsider a medical office (organization) with three employees who make purchases. All employees can share a corporate transactional email used for store communications, such as order confirmations.\n\nAdditionally, two of these employees may also have their own individual access recovery emails. These individual emails are used for authentication-related actions, such as password recovery or reset, following the rule that the recovery email must be unique in the store.\n\n## Login with external identity provider (IdP)\n\nOrganizations can authenticate users using an external identity provider (IdP) through Single Sign-On (SSO).\n\nThe authentication flow is as follows:\n\n1. The user enters their username during login.\n2. The VTEX platform identifies the organization associated with the user.\n3. The user is redirected to the configured identity provider.\n4. The provider authenticates the user.\n5. After authentication, the user returns to the storefront with authorized access.\n\n> ℹ️ Identity providers are configured by the merchant. Learn more in [Login (SSO)](https://developers.vtex.com/docs/guides/login-integration-guide).\n>\n> The buyer organization must also enable login with the external identity provider in the buyer portal. Learn more in [Login to organization with an external identity provider](#).\n\nThe diagram below illustrates the authentication flow when an organization uses an external identity provider (IdP).\n\n```mermaid\nsequenceDiagram\nparticipant U as User\nparticipant S as Storefront\nparticipant I as IdP\n\nU->>S: Start login + username\nS->>S: Resolve organization/method\nS->>I: Redirect for authentication\nI-->>S: Return result (assertion)\nS->>S: Validate return (identity/username)\nS-->>U: Authorized access\n```\n\nWhen the store uses authentication with an external identity provider (IdP), the provider is configured by the merchant in the Admin through **Account settings > Authentication**, just as is currently done for VTEX stores.\n\n## Unsupported login methods\n\nFor B2B users, some login methods available in B2C stores **are not supported**, including:\n\n- **Access code**\n- **Google**\n- **Facebook**\n\n## Password recovery\n\nPassword recovery uses verification codes sent to the channels available to the user.\n\nThe behavior varies depending on the contact information that's in the system:\n\n| User situation | How the access code is sent | Notes |\n| :---- | :---- | :---- |\n| User has email | Code sent by email | Follows the same access code rules as B2C stores. |\n| User has email and phone | Code sent by email | - |\n| User doesn't have email or phone | Code generated by organization admin | The admin generates and shares the code with the user. Access codes generated by organization admins are valid for 12 hours. Learn more in [Adding users to buyer organizations](https://help.vtex.com/docs/tutorials/adding-users-to-buyer-organizations). |\n\nWhen an access code is generated and sent to the user, the previous password is removed from VTEX systems.\n\nThe diagram below shows the main password recovery paths, depending on the channels available to the user.\n\n```mermaid\nflowchart LR\nA[Forgot password] --> B[Enter username]\n\nB --> C{Available channels?}\n\nC -- Email --> D[Send code<br />by email]\nC -- Email + phone --> D\nC -- None --> F[Admin generates code valid for 12h]\n\nD --> G[Validate code]\nF --> G\n\nG --> H[Reset password<br />Previous password removed]\n```\n\n## Access restrictions\n\nAccess to the storefront can be blocked when there are restrictions related to the user's organization. These cases include:\n\n- User isn't associated with a valid organization\n- Organization without active contract\n\nIn these cases, the user must contact the organization admin."}