
Connecting your identity provider to Retail POS

  • This feature is currently in beta. Once the beta concludes, access to this feature may require an upgrade or separate purchase.

If you use a centralized identity provider (IDP) and single sign-on (SSO) authentication to manage access across your business platforms, you can now connect your identity provider to Retail POS (X-Series) to streamline processes and manage accesses all in one place.

Understanding SSO access and management

Connecting Retail POS (X-Series) to your identity provider with SSO means you can leverage your existing organizational and compliance security standards and link your IDP users to your Retail POS users, automating the creation and management of user credentials and role assignment.

Retail POS can integrate with identity providers that support the OAuth 2.0 and OpenID Connect protocols.

When the integration is complete, the way users access and manage the platform will change:

Account Owners

  • Must log in using Retail POS credentials.
  • Can enable or disconnect the Retail POS and IDP integration.
  • Will modify Retail POS user accounts and manage credentials through the identity provider.

Users with SSO enabled

  • Must log in using IDP credentials (will no longer be able to log in using Retail POS credentials).
  • User switching on the Sell screen is authenticated with IDP credentials.
  • Will have their user role assignment managed through the IDP (role permissions will still be managed by Admins in Retail POS).

When you integrate Retail POS with an IDP, troubleshooting SSO login issues will need to be handled by your IT team or identity provider.

Connecting Retail POS to your IDP

Account Owners can set up the Retail POS and IDP integration and enable SSO in the Security settings page in Retail POS. For best results, enable popups in your browser window during SSO setup.

It’s recommended to try out the setup using a Retail POS test account to familiarize yourself with the process and resolve any issues before enabling on live accounts.

  1. In Retail POS, navigate to Setup > Security.
  2. Under Authentication method, click Set up SSO.

    Set up SSO button on the Security page.

  3. Select your preferred authentication configuration:

    • Authentication only (recommended): Manage usernames, emails, passwords, and multi-factor authentication (MFA) in your IDP. Assigning user roles and outlets will still be managed in Retail POS. Users will be created without a role and must have one assigned before they continue using Retail POS.

    • Access management: Manage usernames, emails, passwords, MFA, role and outlet assignments in your IDP.

      Select Authentication method.

      You will need to contact your identity provider for specific instructions on configuring your IDP to return these attributes in the identity token.

  4. Click the Get started with... button to continue.
  5. If you selected Access management as your authentication configuration, click Download CSV file to get the role and outlet IDs associated with your Lightspeed Retail account.

    Download CSV file button.

  6. Enter the role and outlet IDs into your identity provider.

    Your IDP configuration must use Web application or a similar setting with confidential credentials and allow the authorization code OAuth flow. The credentials you provide to Lightspeed must be able to request the scopes openid, profile, and email.

  7. In Retail POS, check the confirmation box, then click Next.

    Confirmation box.

  8. Click Copy URL to copy the redirect URL, then paste it into your identity provider.

    Copy icon to copy the redirect URL.

  9. In Retail POS, click Next.
  10. In your IDP, copy the OpenID Connect Configuration URL.
  11. In Retail POS, paste the URL in the OpenID Connect Configuration URL box. The Authorization URL, JWKS URL, and Token URL fields will auto-populate using the data hosted at the URL. You can edit these values if needed. Click Next.

    OpenID Connect Configuration URL fields.

  12. In your IDP, copy your Client ID and Client secret. In Retail POS, paste the values in the Client ID and Client Secret fields, then click Next.

    Client ID and Client secret fields.

  13. To test the connection, click Sign in with SSO and sign in using IDP credentials. A different account will need to be used for testing, as Account Owners log in using Retail POS credentials. Make sure Retail POS has permission to open popups in your web browser.

    Sign in with SSO button to open SSO login modal.

  14. After a successful login, a green checkmark will appear in the popup window. Click Next.

    Successful login confirmation.

  15. Retail POS will receive an identity token containing cryptographically verified values (claims) representing the identity of the user stored in your IDP. To create a user from the token, specific claims from the token must be mapped to Lightspeed Retail user attributes. Consult your specific IDP documentation for the claims and values in the OpenID Connect identity token.

    Map your IDP user attributes to the Lightspeed Retail user attributes using the dropdowns.

    • Username
    • Display name
    • Email address
    • Role (Access management configuration only)
    • Outlet (Access management configuration only) 

      Mapping user attributes.

    Consult your specific IDP documentation for more information.

  16. Click Finish.

The integration is now configured and will need to be enabled.
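The checks an implementer would apply at steps 11 and 15 above, as an added example that is not Lightspeed's or your IDP's code: it derives the Authorization URL, JWKS URL and Token URL fields from a constructed discovery document (rejecting an IDP that cannot serve the authorization code flow or the openid, profile and email scopes), then maps identity token claims to Retail POS user attributes, leaving the user unassigned when the role claim is missing or does not match a role ID from the downloaded CSV. The claim names retail_role_id and retail_outlet_id and all URLs are assumptions; signature verification of the token against the JWKS URL is not shown.

```python
import json

# Constructed sample of the discovery document hosted at the OpenID Connect
# Configuration URL (real URLs and values come from your IDP).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code"],
})
REQUIRED_SCOPES = {"openid", "profile", "email"}

# Step 15 mapping for Access management (Retail POS attribute -> claim name);
# role/outlet claim names are hypothetical; Authentication only omits them.
ACCESS_MANAGEMENT_MAP = {
    "username": "preferred_username", "display_name": "name", "email": "email",
    "role": "retail_role_id", "outlet": "retail_outlet_id",
}

def fields_from_discovery(doc_json):
    """Derive the Authorization URL, JWKS URL and Token URL fields from the
    discovery document, rejecting an IDP that cannot serve the authorization
    code flow or the scopes Retail POS must be able to request."""
    doc = json.loads(doc_json)
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("IDP does not support the authorization code flow")
    advertised = doc.get("scopes_supported")  # optional in discovery documents
    if advertised is not None and not REQUIRED_SCOPES <= set(advertised):
        raise ValueError(f"IDP lacks scopes {sorted(REQUIRED_SCOPES - set(advertised))}")
    return {"authorization_url": doc["authorization_endpoint"],
            "jwks_url": doc["jwks_uri"], "token_url": doc["token_endpoint"]}

def user_from_claims(claims, claim_map, role_ids, outlet_ids):
    """Build the Retail POS user record from ID token claims whose signature
    was already verified against the JWKS URL (verification not shown). An
    unknown or missing role leaves the user unassigned until an Admin sets one."""
    user = {}
    for attr in ("username", "display_name", "email"):
        value = claims.get(claim_map[attr])
        if not value:
            raise ValueError(f"token has no {claim_map[attr]!r} claim for {attr}")
        user[attr] = value
    role = claims.get(claim_map.get("role", ""))
    outlet = claims.get(claim_map.get("outlet", ""))
    user["role_id"] = role if role in role_ids else None
    user["outlet_id"] = outlet if outlet in outlet_ids else None
    user["needs_role_assignment"] = user["role_id"] is None
    return user
```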

Enabling SSO

Once SSO is enabled, it will be set as the default authentication method for affected users, except the Account Owner.

To enable SSO:

  1. In Retail POS, navigate to Setup > Security.
  2. Under Authentication method, click Enable SSO.
  3. In the popup window, select All users should login with SSO to require all users except the Account Owner to log in with SSO, or Some roles should login with SSO to select which user roles will be affected. Account Owners will continue to log in using their Retail POS credentials.
  4. Read the warning popup window and, when ready, click Enable SSO.

    Enable SSO button.

You will get a confirmation email from Lightspeed confirming SSO is now enabled.

When SSO is enabled, it's set as the default authentication method for all user roles that were selected during the enablement process. Affected employees will need to log in to Retail POS using their IDP credentials. If exceptions are needed, you can override the authentication method under Role specific settings. Set the Authentication method dropdown to Username and password or Username and password with multi-factor authentication. These users will need to log in using their Retail POS credentials.

Default settings should be configured at the top of the Security page. Role level settings should only be changed when exceptions are required.

Logging in with SSO

To sign in using SSO once enabled:

  1. On the Retail POS login page, click into the Username box to prompt the SSO login window to pop up.

    Retail POS login page.

  2. Fill out your IDP Username and Password and click Sign in.

    IDP login modal.

Managing unassigned users

Users without an assigned role will be unable to perform any actions until they are assigned a custom role.

Unassigned user warning page.

To assign a role to an unassigned user:

  1. Navigate to Setup > Users.
  2. Click the unassigned user.
  3. Under Role, click the dropdown to select a role.

    Role assignment dropdown.

  4. Click Save.

Once the custom role is assigned, the page will automatically refresh and allow the user into Retail POS.

Switching users on the Sell screen with SSO

If you choose to require passwords when switching users, you must allow browser popups on your devices. If popups are blocked, users will not be able to enter their credentials in the SSO window to complete the switch.

To set up additional security when switching user accounts on the Sell screen with SSO:

  1. In Retail POS, navigate to Setup > Security.

    Security page.

  2. Under Switching user accounts, select from the following options:
    A. Never require a password when switching between users.
    B. Don’t require a password to switch users when switching with a barcode.
    C. Require a password when switching to a user with more privileges.
    D. Always require a password when switching between users.

    Not requiring a password (options A and B) will override SSO on the Sell screen, meaning users will not be required to enter their SSO credentials when switching between users.

  3. Click Save.

To switch users in Retail POS with SSO:

  1. From the Sell screen, click Switch user.

    Switch user.

  2. Choose the user you’d like to switch to.

    Select user.

  3. An IDP authentication window will pop up. Enter the IDP Username and Password and click Sign in.

    Sign in popup for switching users.

  4. A confirmation message will appear at the top of the screen indicating the user switch was successful.

To switch to an Account Owner user:

  1. From the Sell screen, click Switch User.
  2. Select the Account Owner user.
  3. You will be prompted to enter the Account Owner’s Retail POS password, as Account Owners must use their Retail POS credentials to log in.

    Switching users admin.

  4. Click Switch User.
  5. A confirmation message will appear indicating the user switch was successful.

Disconnecting SSO

To disconnect SSO:

  1. Click Disconnect SSO.
  2. Read the warning popup window and, when ready, click Disconnect SSO. This action cannot be undone.

    Disconnecting SSO.

  3. You will get a confirmation email from Lightspeed confirming SSO has been disconnected.
