How Admin integration with IMS affects Commerce passwords

Commerce deployments that have been integrated with Adobe IMS require an Adobe ID account with access to the Adobe IMS organization that is configured for the Commerce application during the IMS enablement process. When the IMS integration is enabled, admin users authenticate through the Adobe sign in page using their Adobe credentials. The Commerce passwords and user names for admin users are no longer used for authentication as long as the Adobe IMS integration is enabled.

If the IMS integration is disabled, admin users must authenticate through Adobe Commerce again using their Commerce user name and password. Admin users should save their Commerce Admin credentials (username and password) and 2FA credentials before enabling this integration.

Certain backend components that are involved in user authentication still require a non-null password. To meet this requirement, Commerce creates random passwords for newly created admin users in the admin_user table.

User accounts and role permissions for the Commerce application are still managed from the Commerce Admin.

Web API token generation with IMS credentials

Commerce Admin APIs are affected when Admin authentication with Adobe IMS is enabled in a Commerce instance. Admin users can no longer use the credentials issued by the Commerce instance. These are the credentials required to log in to the Admin and to obtain access tokens that services can use to make requests to the Admin REST and SOAP APIs.

After the Adobe IMS integration is enabled, admin users must use Adobe IMS OAuth tokens for Adobe Commerce API endpoints that require authentication. Client solutions obtain the tokens dynamically for web API use. This authentication mechanism is enabled for REST and SOAP web API areas as part of configuring this integration.

See Token-based authentication for an overview of how web APIs use Commerce access tokens, including IMS access tokens.

Commerce session management and Adobe IMS access tokens

Access tokens hold both user credentials and login session information. Once a user has been authenticated and a session has begun, these two variables are added to the user’s session:

token_last_check_time. Identifies the current time and is used by the \Magento\AdminAdobeIms\Plugin\BackendAuthSessionPlugin plugin.

adobe_access_token — Identifies the ACCESS_TOKEN value received during authorization.

The \Magento\AdminAdobeIms\Plugin\BackendAuthSessionPlugin plugin checks if the token_last_check_time was updated 10 min ago. If the token_last_check_time was checked ten minutes ago, then the authentication workflow makes an API call to IMS to validate the access token, and the session continues. If the access token is valid, then the token_last_check_time value is updated to the current time. If the token is not valid, the session is terminated.

Important files

adminAdobeIms - Provides an implementation of the Admin login based on the AdobeImsApi module.

admin_adobe_ims_webapi - Maintains a record of all validated access tokens. When a token is validated or invalidated, a record of its status is preserved in this table.

adobeIms - Implements all the business logic that is related to integration with Adobe IMS (preserved to prevent backward incompatibilities).

adobeImsApi - Declares the interfaces that support integration with Adobe IMS.

adminadobe-ims.log - Error log file.

Enable the integration

The Adobe IMS metapackage is installed with Adobe Commerce 2.4.5 and higher, but must be configured for use. It extends the AdobeIms module to support the module that enables authentication logic (AdminAdobeIms).

For more information about enabling the integration, see Configure the Commerce Admin Integration with Adobe IMS.

Previous pageYour Admin user account
Next pageConfigure the Admin integration with IMS