Next-generation platform

OpenID Connect (OIDC) configuration

Configure OpenID Connect (OIDC) to authenticate users by using trusted identity providers, including Microsoft Entra ID, Google OpenID Connect, Okta, and Active Directory Federation Services. This configuration supports secure sign-on and centralizes identity management.

Users with Organization Administrator and Developer Production and Non-Production roles can modify the OIDC configuration.

OpenID Connect (OIDC) is an identity layer that is built on OAuth 2.0. It enables applications to authenticate users and obtain profile information from an identity provider.

IBM Sterling® Order Management System supports the following OIDC identity providers:

  • Microsoft Entra ID
  • Google OpenID Connect
  • Okta
  • Active Directory Federation Services

Before you begin

Complete the following actions.

  • Register your application with the identity provider.
  • Retrieve the values for client ID, client secondary ID, client secret, OIDC discovery endpoint URL, and OIDC logout URL.
  • If you are a new user, add a firewall policy in Self Service to enable communication with the OIDC server.
  • If you are a new user, import the OIDC server certificate as an outbound certificate by using the steps explained in Adding outbound certificates.
    Note:
    • If you already use IBMid and want to migrate to a new OIDC provider (Active Directory Federation Services, Google OpenID Connect, or Okta), contact IBM support.
    • When you use Microsoft Entra ID, firewall policies are not required, because certificate handling is supported in next-generation environments.

Note: Configure your authentication credentials for every environment. Configure OIDC authentication by registering the application with your identity provider, and then add the provider details in the Order Management System. Applying the configuration redeploys the environment with your latest customization. The latest saved OIDC configuration is used when changes are applied.
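The values you retrieve from the identity provider are entered into the environment verbatim, so it is worth confirming before you apply them that the discovery endpoint URL returns a well-formed document whose issuer matches the URL and whose endpoints use HTTPS, and reading the logout URL (end_session_endpoint) from that document rather than typing it by hand. The following is an added Python example, not part of IBM's documentation or the Order Management System itself; the discovery URL and document are constructed placeholders, and against a real provider you would pass the body fetched from your own discovery URL.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a provider's /.well-known/openid-configuration document.
# The host and paths are placeholders, not a real tenant.
SAMPLE_DISCOVERY_URL = "https://login.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "jwks_uri": "https://login.example.com/oauth2/keys",
    "end_session_endpoint": "https://login.example.com/oauth2/logout",
    "response_types_supported": ["code", "id_token"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
             "end_session_endpoint")


def check_discovery(discovery_url: str, body: str) -> dict:
    """Validate the discovery document fetched from discovery_url.
    Returns {"ok", "problems", "logout_url"}; logout_url is the provider's
    end_session_endpoint, the value to enter as the Provider logout URL."""
    problems = []
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return {"ok": False, "problems": [f"not JSON: {exc}"], "logout_url": None}
    if not isinstance(doc, dict):
        return {"ok": False, "problems": ["not a JSON object"], "logout_url": None}
    for key in REQUIRED:
        if key not in doc:
            problems.append(f"missing {key}")
    # OIDC Discovery 4.3: issuer must equal the prefix that /.well-known/openid-configuration
    # was appended to; a mismatch means the wrong tenant or a document that is not the issuer's.
    issuer = str(doc.get("issuer", ""))
    if discovery_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"issuer {issuer!r} does not match the discovery URL")
    # The client secret and tokens travel to these endpoints, so require https.
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is not None and urlparse(str(url)).scheme != "https":
            problems.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    return {"ok": not problems, "problems": problems,
            "logout_url": doc.get("end_session_endpoint")}
```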

Procedure

  1. Access Self Service with your IBMid.
  2. From the Self Service menu, click Environments.
  3. From the list of environments, select an environment.
  4. Go to the OIDC configuration tab.
  5. Use the toggle to enable or disable configuring an alternative provider.
  6. Based on your role, view or modify the configuration.
  7. To modify, click the edit icon and select OIDC provider.
  8. Enter the values for the Client ID, Client secondary ID, Client secret, Provider discovery endpoint URL, and Provider logout URL. Retrieve the values for these fields from your OIDC provider. The fields that you must set are displayed on the screen based on the OIDC provider that you choose.
  9. Save the changes and click Apply changes.

    Applying the OIDC configuration redeploys the environment with your latest customization. View the status in the OIDC deployment processes table.