Site itself uses SSO, so what should the approach be for FoxyCart+SSO?

versatil (Member)
in Help, edited December 2012
We're trying to get a bunch of apps either up and running and/or working together. For one of them we've set up a CMS to be basically the glue for everything and have been punching in users manually ("registration" is "closed"). Logging into the CMS requires they use their email provider if their email address' domain matches a supported provider, otherwise they have to use Facebook with that email as the account's primary address (Facebook only allows verified emails to authorize apps).

We're finally moving on to integrating commerce, i.e. FoxyCart, which also means opening up registration. So there's a lot of planning (or rather re-visitation of old planning) & development up ahead...

Originally we were thinking once we got around to integrating FoxyCart we'd basically force the user to login/register, create a customer on FoxyCart's end (via the API?) if need be, then allow them to make purchases.

I was reviewing SSO Best Practices and I agree with the counsel it's better to remove hurdles.

However, I'm not sure how to go about that given our setup... probably the reason for forcing login/registration is that in FoxyCart's checkout process they'd have to use a password. We're trying to eliminate password entry, not to mention they'd have no idea what the password is in the CMS as it is not used (and depending on the app may not even exist).

I have not yet fiddled with API/DataFeed, am currently trying to figure out how to tailor FC + our CMS to our needs for immediate development as well as moving forward.

Is there any alternative streamlined checkout process we could provide with our given setup? The way I see it so far is that the alternative to CMS-initiated FC login (forced customer account) would be a guest account... If they checkout as a guest with a new email will that register in both our system via the datafeed as well as FoxyCart as a customer (as in maintain a history... as opposed to being like some standalone transaction...)?

As for if they type in an existing email...for example since FC automates finding existing customers (which brings up another question... can we make customers without transactions? e.g. with only an email make a new customer in FoxyCart?) via the email field... perhaps instead of the password prompt coming up we could just have a link back to our login/registration process? How then would the cart be maintained? fcsid would be good enough?

Please advise. If I need to elaborate/reiterate to be more clear let me know.

Basically...
TL;DR - We don't use passwords for our users to login. What can we do for SSO?
Comments
  • fc_adam (FoxyCart Team)
    @versatil,

    FoxyCart user accounts do require a password, but using SSO you should be able to get away with not requiring them to ever enter a password. Essentially, when you integrate with SSO, the validation of the user can be set up to happen completely on your end - and not allow logins via the FoxyCart checkout.

    So the process would go like this:

    A user would add a product to their cart on your site, and then click 'checkout' in their cart. The customer is then sent to your SSO endpoint via our checkout to process. Your SSO script can check if a user is logged in - and if not, send them to a login page. If they are logged in, you grab their FoxyCart user id, and along with some other details (timestamp, store API key), you send them back to the checkout where they will already be logged into their account.

    One key point in there is where your SSO endpoint gets the customer's FoxyCart customer ID. What you can do (and this answers your other question of creating customers), if the customer hasn't yet purchased through FoxyCart, is use the API to create a user in FoxyCart on demand - and then use the returned Customer ID from that interaction to send to the checkout. Considering your customers don't actually have passwords, you'd need to just generate a random password for their account - but considering the SSO process will log them in automatically, they don't need to worry about that.

    Does that make sense? If that doesn't seem to match up to what you're trying to do, or if I've misunderstood you at all - let us know! :)
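The SSO hand-off described in the reply above, sketched as an added example that is not part of the original thread or FoxyCart's own code. The query parameter names, the `sha1("customer_id|timestamp|api_key")` token layout and the `fcsid` pattern are assumptions to confirm against FoxyCart's SSO documentation; the store domain, API key, `/login` and `/sso` paths and `create_foxycart_customer` are hypothetical placeholders.

```python
import hashlib
import re
import secrets
import time
from urllib.parse import urlencode

STORE_CHECKOUT = "https://example.foxycart.com/checkout"  # placeholder store domain
STORE_API_KEY = "constructed-demo-key"  # constructed value; load from a secret store
TOKEN_LIFETIME = 300                    # seconds the hand-off stays valid (assumed)

_customer_ids = {}  # CMS email -> FoxyCart customer id (stand-in for a DB table)


def create_foxycart_customer(email, password):
    """Hypothetical stand-in for the FoxyCart API call that creates a customer
    and returns its id; a real version would call the store's API."""
    return 1000 + len(_customer_ids)


def customer_id_for(email):
    """Return the FoxyCart customer id, creating the customer on first checkout."""
    if email not in _customer_ids:
        # Random password the user never sees or types; SSO logs them in instead.
        throwaway = secrets.token_urlsafe(32)
        _customer_ids[email] = create_foxycart_customer(email, throwaway)
    return _customer_ids[email]


def sso_redirect(session_email, fcsid, now=None):
    """Decide where the SSO endpoint sends the browser."""
    # Reject anything that does not look like a session id (pattern is assumed).
    if not re.fullmatch(r"[A-Za-z0-9,-]{1,128}", fcsid or ""):
        raise ValueError("malformed fcsid")
    if session_email is None:
        # Not logged in to the CMS: send to login, carrying the cart session id.
        return "/login?" + urlencode({"next": "/sso", "fcsid": fcsid})
    customer_id = customer_id_for(session_email)
    expires = int(now if now is not None else time.time()) + TOKEN_LIFETIME
    # Assumed token layout: sha1("customer_id|timestamp|api_key").
    material = f"{customer_id}|{expires}|{STORE_API_KEY}".encode()
    token = hashlib.sha1(material).hexdigest()
    query = urlencode({"fc_auth_token": token, "fc_customer_id": customer_id,
                       "timestamp": expires, "fcsid": fcsid})
    # Destination is fixed server-side, never taken from the request.
    return f"{STORE_CHECKOUT}?{query}"
```

The API key only ever appears inside the hash, so it stays on the server; carrying `fcsid` through the login detour is what keeps the cart attached to the browser.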
  • Okay, so we would do customer accounts only, no guests. Basically make up our own cart data, pass it along to ourselves (as opposed to FC), if registration is required put them through that, create FoxyCart customer if required, then create/forward to checkout. This way everything's synced in advance.

    I guess the registration part is what I was most curious about, if there should've been some kind of guest thing allowed instead of requiring registration. So what we had in mind originally seems to be what you're recommending, too.

    Thanks.
  • fc_adam (FoxyCart Team)
    @versatil,

    You can force people to just be guests as well if you want - but it would effectively be individual transactions, rather than transactions attached to a specific customer. It depends if that would be an issue for you or not.