Overview
Single Sign-On is now configurable for these Nutrislice workflows:
Nutrislice Admin: SSO access using IDP credentials instead of username and password.
Nutrislice Ordering: SSO access for end users to provide a seamless ordering experience linked to the user’s payment account.
SSO provides a seamless login and enhances security for application access. Below are steps to configure SSO for admin and ordering.
Configuring Single Sign-On (SSO)
Navigate to the admin settings and select “Single Sign-on.”
On the Single Sign-on page, select “Create Single Sign-on Option.”
To configure, ensure the following fields are set:
Active: Checking this box enables SSO. Leave it unchecked until your organization is ready to turn on SSO.
Configuration Type: Select if the SSO configuration is for Admin or Ordering.
To enable SSO for both admin and ordering, you will need to create two separate SSO configurations.
Enforce SSO Login: Optional field based on your organization's login preference.
Enabling will require all users (non-organization admins) to use SSO to log into Nutrislice.
Disabling will allow users to log in via username/password OR SSO.
Identity Provider Metadata Source: Use the following options to provide your IDP’s metadata to Nutrislice:
Metadata URL: Nutrislice will use the URL to collect the XML needed to configure SSO.
Metadata XML: Users can paste their XML file directly.
Once the metadata XML has been provided by either method, click “Test IdP Metadata” to ensure there are no errors with the XML provided. Common errors include:
Formatting
Valid endpoints
Required fields are provided in the XML:
EntityID: Provided and “validUntil” attribute is in the future
SPSSO Descriptor: verifies protocolSupportEnumeration is set to:
urn:oasis:names:tc:SAML:2.0:protocol
SSO endpoint: At least one SSO endpoint — <SingleSignOnService> [1..*], each with required Binding and Location (URL) attributes. (Example bindings: HTTP-Redirect, HTTP-POST.)
<ds:X509Certificate> — Signing certificate is included
Navigate to the “User Field Mappings” and fill in the following fields from your IDP:
First Name
Last Name
Email
External ID (optional)
Payment Token (optional)
Click “Save Progress” or “Save and Close”
After saving, reopen the SSO configuration to gather the service provider metadata, which will need to be entered into your IDP to complete configuration.
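The checks listed above for “Test IdP Metadata” can also be run locally before the XML is pasted in. The following is an added example, not Nutrislice code: the function name, the constructed sample metadata, reading the endpoints from the IDPSSODescriptor element, and rejecting non-https Location values are all assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed sample metadata, not from a real IdP.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.com/saml"
    validUntil="2099-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>CONSTRUCTED-PLACEHOLDER</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def check_idp_metadata(xml_text, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"formatting: XML is not well-formed ({exc})"]
    problems = []
    if not root.get("entityID"):
        problems.append("entityID is missing")
    valid_until = root.get("validUntil")  # assumption: checked only when present
    if valid_until:
        try:
            expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
            if expires.replace(tzinfo=expires.tzinfo or timezone.utc) <= now:
                problems.append(f"validUntil {valid_until} is not in the future")
        except ValueError:
            problems.append(f"validUntil {valid_until!r} is not a valid timestamp")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["IDPSSODescriptor is missing"]
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("protocolSupportEnumeration lacks the SAML 2.0 protocol URN")
    endpoints = idp.findall("md:SingleSignOnService", NS)
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    for ep in endpoints:  # https-only is this example's own stricter rule
        if not ep.get("Binding") or not ep.get("Location", "").startswith("https://"):
            problems.append(f"endpoint needs Binding and an https Location: {ep.attrib}")
    cert = idp.find(".//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        problems.append("signing certificate (ds:X509Certificate) is missing")
    return problems
```

Call `check_idp_metadata()` with the text of the metadata file exported from your IDP; an empty list means the file passed every check in this example.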
Customizing SSO Login Button Text (Ordering only)
The SSO login button can be customized to provide additional context to users on how to log in. Customization of button text is only available for Ordering SSO.
Ensure the configuration type is “Ordering.”
Navigate to the “Button Styling” Tab.
Enter custom text for the login button.
Users will see the following when logging into Nutrislice menus
FAQs
Why do organization admins need to have the option for username/password even with SSO enforced?
In the event that SSO doesn’t work (e.g. IDP certificate expired), organization admins should still have a way to access Nutrislice without relying on SSO.
Can the same IDP be used for ordering and admin?
Yes, but you will still need to set up two different SSO configurations: one for admin, one for ordering.
Which IDP systems are supported?
Any IDP system that supports SAML 2.0, which applies to all major providers, such as (but not limited to) Microsoft Entra ID (Azure AD), Google Workspace, Okta, OneLogin, Auth0, and Amazon Cognito.