Apple has decided to block all third-party cookies in its Safari browser. This has major effects on the session management solutions of all CIAM providers, because a cookie set by the SAP Customer Data Cloud domain is no longer sent from pages on your own domain. SAP Customer Data Cloud is working on a long-term solution that keeps our session and sign-on features working on Safari.
- To keep supporting Safari, all sites are now required to configure a custom API domain prefix (a first-party domain), so that the SDK's cookies are no longer third-party. If you don't have one already, you can use our certificate provisioning tool to create one.
This feature is still in development and subject to change. A solution is scheduled for release on June 21, 2020. Until then, do not attempt to implement the following guide.
On Safari, to enable single sign-on you must build a central login page and redirect logins from all sites in the group for which you want SSO to that page. For example, a site group consists of sites A and B. A user visits site A and clicks "login". They are redirected to the central login page, where they log in as usual. After a successful login they are automatically redirected back to site A. They then visit site B and click "login". They are again redirected to the central login page, which recognizes that they have an active session and redirects them straight back to site B.
On other browsers, in the same scenario, a user who navigates to site B after logging in to site A is logged in automatically as part of the SSO experience, without a visible redirect.
To enable single sign-on (SSO) in a site group so that it works on browsers with tracking prevention, do the following steps.
Central Login Page
For your site group, create a page to which all sites in the group redirect for login.
- Open the Admin menu in the Console.
- In the left menu, select Site Groups.
- On the row of the site group for which you wish to enable SSO, under Actions, select Edit.
- Make sure SSO enabled is checked.
- Add the Central Login Page URL.
SSO Segments are currently not supported.
- On the site page on which to enable login, load the SAP Customer Data Cloud Web SDK.
Set the login button to call the following method:
Note the following:
- The redirectURL and context parameters are optional.
redirectURL: the page to which the user is redirected after completing a successful login on the Central Login Page. If none is specified, the user is redirected to the page from which the login originated.
Any URL to which the user is redirected must be included in the list of Trusted Site URLs in your Site Settings. This list is what prevents the central page from being used as an open redirector, so keep it restricted to the pages of your own site group.
- context: can include any context that is carried to the Central Login Page and handled there by your code. For example, it may be used to customize the user experience by passing the originating API key and language.
- Repeat for all login pages in the site group for which you wish to enable an SSO experience.
- On the Central Login Page:
Load the SAP Customer Data Cloud Web SDK on the Central Login Page.
To ensure that logged in users will be automatically redirected, add the following code:
To customize the login experience on the central page, read the context from the query string parameters and act on it in your code.
- Log the user in using Screen-Sets or other authentication methods.
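The following is an added example that models the redirect flow described in this guide; it is not SAP Customer Data Cloud's own SDK code and does not call the Web SDK. It shows the two halves of the flow: the group site building the redirect to the Central Login Page with the optional redirectURL and context parameters, and the Central Login Page reading them back, checking the return URL against the Trusted Site URLs list before redirecting, and behaving differently depending on whether a session already exists. The page URLs, the query parameter names, the JSON encoding of context, and the origin-and-path-prefix matching rule for trusted URLs are all assumptions made for this illustration.

```javascript
// Added example, not SDK code. Models the Safari SSO redirect flow of the guide.
// All URLs, parameter names and the trusted-URL matching rule are assumptions.

// Constructed sample configuration for a site group with sites A and B.
const CENTRAL_LOGIN_PAGE = 'https://login.example.com/central-login';
const TRUSTED_SITE_URLS = [
  'https://site-a.example.com/',
  'https://site-b.example.com/',
];

// Site side: build the URL that sends the user to the Central Login Page.
// redirectURL defaults to the originating page, as the guide describes;
// context (an object) is carried along JSON-encoded in the query string.
function buildCentralLoginUrl({ originUrl, redirectURL, context }) {
  const target = redirectURL ?? originUrl;
  if (!target) throw new TypeError('originUrl or redirectURL is required');
  const url = new URL(CENTRAL_LOGIN_PAGE);
  url.searchParams.set('redirectURL', target);
  if (context !== undefined) {
    url.searchParams.set('context', JSON.stringify(context));
  }
  return url.toString();
}

// Trusted Site URLs check: the candidate must parse, be https, and match the
// origin and path prefix of a trusted entry. Comparing parsed origins (not
// string prefixes) rejects lookalikes such as "https://site-a.example.com.evil.com/"
// and userinfo tricks such as "https://site-a.example.com@evil.com/".
function isTrustedRedirect(candidate, trusted) {
  let target;
  try {
    target = new URL(candidate);
  } catch {
    return false;
  }
  if (target.protocol !== 'https:') return false;
  return trusted.some((entry) => {
    const base = new URL(entry);
    return base.origin === target.origin && target.pathname.startsWith(base.pathname);
  });
}

// Central Login Page side: read the incoming request and decide what to do.
// Returns { ok: true, action, redirectURL, context } or { ok: false, reason }.
// action is 'redirect' when a session already exists (the site-B case in the
// guide) and 'show-login' when the user still has to authenticate.
function handleCentralLoginRequest(requestUrl, { hasActiveSession, trusted = TRUSTED_SITE_URLS } = {}) {
  const url = new URL(requestUrl);
  const redirectURL = url.searchParams.get('redirectURL');
  if (!redirectURL) return { ok: false, reason: 'missing redirectURL' };
  if (!isTrustedRedirect(redirectURL, trusted)) {
    return { ok: false, reason: 'redirectURL not in Trusted Site URLs' };
  }
  let context = null;
  const rawContext = url.searchParams.get('context');
  if (rawContext !== null) {
    try {
      context = JSON.parse(rawContext);
    } catch {
      return { ok: false, reason: 'malformed context' };
    }
  }
  return { ok: true, action: hasActiveSession ? 'redirect' : 'show-login', redirectURL, context };
}

// Walks the scenario from the guide: login from site A (no session yet, so the
// central page shows the login screen), then login from site B (session now
// active, so the central page redirects immediately). Returns the two actions.
function simulateSsoScenario() {
  let sessionActive = false;
  const actions = [];
  const fromA = buildCentralLoginUrl({ originUrl: 'https://site-a.example.com/', context: { apiKey: 'site-a-key', lang: 'en' } });
  actions.push(handleCentralLoginRequest(fromA, { hasActiveSession: sessionActive }).action);
  sessionActive = true; // the user has logged in on the central page (e.g. via Screen-Sets)
  const fromB = buildCentralLoginUrl({ originUrl: 'https://site-b.example.com/' });
  actions.push(handleCentralLoginRequest(fromB, { hasActiveSession: sessionActive }).action);
  return actions; // ['show-login', 'redirect']
}

module.exports = { buildCentralLoginUrl, isTrustedRedirect, handleCentralLoginRequest, simulateSsoScenario };
```

In a real deployment the session check and the final redirect are performed by the Web SDK on the central page; the part worth copying is that the return URL is validated against a fixed allow list by parsed origin, never by string prefix, so the central page cannot be turned into an open redirector.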