Linking the OIDC account to an IBM Sterling® Order Management System user

After logging into Sterling™ Order Management System for the first time by using OIDC credentials, you must link the OIDC account to your Sterling Order Management System user email ID.

Throughout this topic, the following naming conventions are used when referring to user IDs:
  • OIDC account – OIDC account of the user.
  • OMS user ID – User ID defined in Sterling Order Management System for the user. This user ID determines the permissions that the user has in the Sterling Order Management System applications.

Guidelines for using an OIDC account in IBM Sterling Order Management System

  • If the user who has admin privileges and is associated with an OIDC account is no longer available, you must create a new user with admin privileges by using REST API calls.
  • Ensure that there is a unique mapping between OIDC accounts and OMS users: a single OIDC account cannot be associated with multiple OMS users.
  • To remove the association between an OIDC account and a Sterling Order Management System user, you must remove the user from Sterling Order Management System, either by using the Applications Manager UI or by calling the deleteUserHierarchy API.
  • Ensure that the authentication type is set to BASIC for the HTTP REST XAPI Tester. For more information about how to set up the HTTP REST XAPI Tester, see Setting up HTTP REST XAPI Tester.

Linking an OMS user with an OIDC account

You must provide an email ID for any new users you create in the Sterling Order Management System. This email ID is used to link the OMS user with an OIDC account. Therefore, the email ID that is used when creating an OMS user and an OIDC account must be the same. You can create a user in Sterling Order Management System by either using the Applications Manager UI or by calling the createUserHierarchy API.

The following is a sample input XML for the createUserHierarchy API:
<User Localecode="en_US_EST" Username="user1" Loginid="user1" Password="password">
<ContactPersonInfo EMailID="abc@xyz.com"/>
</User>
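As an added example (not IBM's code or part of this page), the following Python builds the createUserHierarchy input shown above and applies this page's guidelines before any API call is made: one email ID maps to exactly one OMS user, and the default admin account is never linked to an OIDC identity. The existing-user table and the email addresses are constructed sample data; the REST call itself is not included.

```python
import xml.etree.ElementTree as ET

# Constructed sample of existing OMS users and their linked email IDs (not real data).
EXISTING_USERS = {
    "admin": "admin@example.com",   # default admin: must never be linked to an OIDC identity
    "user1": "abc@xyz.com",
}


def check_link(username, email, existing=EXISTING_USERS):
    """Return None if the OMS user may be created and linked to this email,
    otherwise a string explaining which guideline would be violated."""
    if username == "admin":
        return "the default admin account cannot be linked to an OIDC identity"
    if username in existing:
        return f"OMS user {username!r} already exists"
    # Email IDs are compared case-insensitively; one email ID may map to only one OMS user.
    owners = [u for u, e in existing.items() if e.lower() == email.lower()]
    if owners:
        return f"email {email} is already linked to OMS user {owners[0]!r}"
    return None


def build_create_user_input(username, email, password, locale="en_US_EST",
                            existing=EXISTING_USERS):
    """Build the createUserHierarchy input XML for a new OMS user whose
    ContactPersonInfo/@EMailID matches the OIDC account's email ID.
    Attribute values are XML-escaped by ElementTree."""
    problem = check_link(username, email, existing)
    if problem:
        raise ValueError(problem)
    user = ET.Element("User", Localecode=locale, Username=username,
                      Loginid=username, Password=password)
    ET.SubElement(user, "ContactPersonInfo", EMailID=email)
    return ET.tostring(user, encoding="unicode")


if __name__ == "__main__":
    print(build_create_user_input("user2", "new.user@xyz.com", "changeme"))
```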

Login flow after an OIDC account is linked to an IBM Sterling Order Management System user

  1. User accesses the Sterling Order Management System application home page.
  2. User is redirected to the login page.
  3. User enters the OIDC account login credentials.
  4. If the login is successful, the user is logged in to the Sterling Order Management System application as the mapped OMS user ID.
    Important: If a user signs in with an OIDC login that is not linked to any OMS user, the system displays the Unrecognized_User error message. In this case, the user must contact the administrator to ensure that the OIDC login is correctly mapped to an OMS user, as described on this page.
    Note: For security reasons, the default admin user cannot be linked to OIDC identities such as IBM ID. If the admin account is already linked to an OIDC identity, that OIDC user is not allowed to log in. To use OIDC-based authentication with administrative access, you must create separate user accounts with administrative privileges and link those accounts to your OIDC identity provider. The default admin account should not be used for OIDC authentication.

The following image shows the login flow when an OIDC account is linked to a Sterling Order Management System user:

Figure 1. Login flow when an OIDC account is linked to an IBM Order Management user
