- This feature is currently in beta and only available to select merchants on Enterprise plans.
If you use a centralized identity provider (IDP) and single sign-on (SSO) authentication to manage access across your business platforms, you can now connect your identity provider to Retail POS (X-Series) to streamline processes and manage access all in one place.
Understanding SSO access and management
Connecting Retail POS (X-Series) to your identity provider with SSO means you can leverage your existing organizational and compliance security standards and link your IDP users to your Retail POS users, automating the creation and management of user credentials and role assignment.
Retail POS can integrate with identity providers that support the OAuth and OpenID Connect protocols.
When the integration is complete, the way users access and manage the platform will change:
Account Owners
- Must log in using Retail POS credentials.
- Can enable or disconnect the Retail POS and IDP integration.
- Will modify Retail POS user accounts and manage credentials through the identity provider.
Users with SSO enabled
- Must log in using IDP credentials (will no longer be able to log in using Retail POS credentials).
- Will have user switching authenticated with IDP credentials.
- Will have their user role assignment managed through the IDP (role permissions will still be managed by Admins in Retail POS).
When you integrate Retail POS with an IDP, troubleshooting SSO login issues will need to be handled by your IT team or identity provider.
Connecting Retail POS to your IDP
Account Owners can set up the Retail POS and IDP integration and enable SSO in the Security settings page in Retail POS. For best results, enable pop-ups in your browser window during SSO setup.
It’s recommended to try out the setup using a Retail POS test account to familiarize yourself with the process and resolve any issues before enabling on live accounts.
- In Retail POS, navigate to Setup > Security.
- Under Authentication method, in the Tips for connecting SSO box, click Get started.
- In the pop-up window, click Download CSV file to get the role and outlet IDs associated with your Lightspeed Retail account.
- Enter the role and outlet IDs into your identity provider.
- In Retail POS, check I have entered the role and outlet IDs into my IDP, then click Next.
- Click Copy URL to copy the vendhq.com redirect URL. Paste the vendhq.com redirect URL into your identity provider.
- Click Copy URL to copy the retail.lightspeed.app redirect URL. Paste the retail.lightspeed.app redirect URL into your identity provider.
- In Retail POS, click Next.
- In your IDP, copy the OpenID Connection Configuration URL.
- In Retail POS, paste the OpenID Connection Configuration URL in the box. Edit the Authorization URL, JWKS URL, and Token URL as needed to configure your IDP connection, then click Next.
- Enter your IDP Client ID and Client Secret in the boxes.
- You will be prompted to Sign in with SSO to test using a user account from your IDP. This needs to be a different account than the Account Owner account, as Account Owners log in using their Retail POS credentials.
- After a successful login, a green checkmark will appear next to IDP configured correctly. Click Next.
- In Retail POS, map the IDP user attributes to Retail POS user attributes using the dropdowns.
  - Username
  - Display name
  - Email (optional)
  - Role
  - Outlet
- Click Finish.
The integration is now configured and will need to be enabled.
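A pre-flight check for the OpenID configuration step above, as an added example that is not part of the original article or Lightspeed's own tooling: it reads an IDP discovery document, applies any hand-edited values, and flags endpoint settings worth reviewing before they are entered in Retail POS. The host idp.example.com, the sample document and the function name check_discovery are assumptions; the keys are the standard OpenID Connect discovery metadata fields.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document; idp.example.com is a placeholder IDP.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "jwks_uri": "https://idp.example.com/tenant1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Discovery metadata key -> the box it fills during Retail POS setup.
ENDPOINTS = {
    "authorization_endpoint": "Authorization URL",
    "token_endpoint": "Token URL",
    "jwks_uri": "JWKS URL",
}

def check_discovery(raw, overrides=None):
    """Return a list of findings; an empty list means nothing to flag."""
    doc = json.loads(raw)
    doc.update(overrides or {})  # values edited by hand during setup
    findings = []
    issuer = urlsplit(doc.get("issuer", ""))
    if issuer.scheme != "https" or not issuer.hostname:
        findings.append("issuer is missing or not an https URL")
    for field, label in ENDPOINTS.items():
        url = urlsplit(doc.get(field, ""))
        if not url.hostname:
            findings.append(f"{label} ({field}) is missing")
        elif url.scheme != "https":
            findings.append(f"{label} is not https")
        elif issuer.hostname and url.hostname != issuer.hostname:
            # Some IDPs legitimately split hosts, so this is a review item.
            findings.append(f"review: {label} host {url.hostname} "
                            f"differs from issuer host {issuer.hostname}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("IDP advertises unsigned ID tokens (alg 'none')")
    return findings

if __name__ == "__main__":
    edited = {"token_endpoint": "http://idp.example.com/tenant1/token"}
    for finding in check_discovery(SAMPLE_DISCOVERY, edited):
        print(finding)
```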
Enabling SSO
Once SSO is enabled, it will be set as the default authentication method for all users (except for the Account Owner).
To enable SSO:
- On the Security page in Retail POS, click Enable SSO.
- Read the warning pop-up window and when ready, click Enable SSO.
- You will get a confirmation email from Lightspeed confirming SSO is now enabled.
When SSO is enabled, it's set as the default authentication method for all users. Employees will need to log in to Retail POS using their IDP credentials. If exceptions are needed, you can override the authentication method under Role specific settings. Set the Authentication method dropdown to Username and password or Username and password with multi-factor authentication. These users will need to log in using their Retail POS credentials.
Default settings should be configured at the top of the Security page. Role level settings should only be changed when exceptions are required.
Disconnecting SSO
To disconnect SSO:
- Click Disconnect SSO.
- Read the warning pop-up window and when ready, click Disconnect SSO. This action cannot be undone.
- You will get a confirmation email from Lightspeed confirming SSO has been disconnected.
Logging in with SSO
To sign in using SSO once enabled:
- On the Retail POS login page, click into the Username box to prompt the SSO login window to pop up.
- Fill out your IDP Username and Password and click Sign in.
Switching users on the Sell screen with SSO
If you choose to require passwords when switching users, you must allow browser pop-ups on your devices. If pop-ups are blocked, users will not be able to enter their credentials in the SSO window to complete the switch.
To set up additional security when switching user accounts on the Sell screen with SSO:
- In Retail POS, navigate to Setup > Security.
- Under Switching user accounts, select from the following options:
  A. Never require a password when switching between users.
  B. Don’t require a password to switch users when switching with a barcode.
  C. Require a password when switching to a user with more privileges.
  D. Always require a password when switching between users.
Not requiring a password (options A and B) will override SSO on the Sell screen, meaning users will not be required to enter their SSO credentials when switching between users.
- Click Save.
To switch users in Retail POS with SSO:
- From the Sell screen, click Switch user.
- Choose the user you’d like to switch to.
- An IDP authentication window will pop up. Enter the IDP Username and Password and click Sign in.
- A confirmation message will appear at the top of the screen indicating the user switch was successful.
To switch to an Account Owner user:
- From the Sell screen, click Switch User.
- Select the Account Owner user.
- You will be prompted to enter the Account Owner’s Retail POS password, as Account Owners must use their Retail POS credentials to log in.
- Click Switch User.
- A confirmation message will appear indicating the user switch was successful.