Next-generation platformNot published to prod KC

Enabling SSO authentication for Google ID

Sterling Store Engagement includes the Single-Sign On (SSO) for Google ID authentication so that business users can use their Google account credentials to log in to the application.

Before you begin

For the SSO authentication to work, the Google user ID must have a corresponding user in the Sterling Order Management System environment. While creating a user in Sterling Order Management System by using the Applications Manager, enter the Google credentials for the user wherever appropriate. For more information, see Creating a user.
Note:
  • The User ID or Login ID must not contain the @ character. If you are creating users by using the Applications Manager, the User ID field must not contain the @ character and if you are creating users by using the createUserHierarchy API, the Loginid attribute must not contain the @ character.
  • Adding Google credentials to an existing user in IBM® Sterling Order Management System does not map the Sterling Order Management System user with the Google user. For this purpose, you must delete and recreate the user. You can delete the user from Sterling Order Management System by using either the Applications Manager UI or calling the deleteUserHierarchy API.

Procedure

  1. Get a client ID and client secret.
    To set up the Google login feature for the application, you must have a Google account by using which the OAuth2 client ID and client secret can be created. For more information, see Set up client ID and secret. The person who handles the Google account for the client ID and secret configuration must add the allowed redirect URLs to the openid configuration. As part of this procedure, note down the IP Address (or domain) of the machines where you intend to deploy the application server containers. Add the redirect URIs under Authorized redirect URIs in the following format:
    
    https://<IP>:<sslport>/oidcclient/redirect/googleid
    or
    https://<domain>/oidcclient/redirect/googleid
  2. In the UCD tool, go to Home > Applications > <Your_Application> > Environments > <Environment_Name> > Configuration > Basic Settings and perform the following steps:
    1. Set the value of ibmidEnabled to Y.
    2. Set the values of ibmidClientId and ibmidClientSecret appropriately by using the information obtained in step#1.
  3. Build a new customized runtime image.
  4. Deploying a customized runtime to an application.

What to do next

Once the SSO is successfully set up, you can access the application by using your Google credentials. For example, when you access http://<IP_ADDRESS>:<PORT>/isf/store/index.html, you will be redirected to the Google Login page. On successful login, the application home page is displayed.
  • If the Google user is not mapped to an IBM Sterling Order Management System user, the application Login screen is displayed and an appropriate error message with a link to Login with Google ID. (Any active Google session is logged out in the background)
  • When you log out from the application, both the application and your Google sessions are logged out.
  • Similarly, if you attempt an action on the application UI when the session is expired, the application Login screen is displayed with a link to Login with Google ID. All the active Google sessions are logged out.
Notes:
  • Even if users are actively working for 13 hours after logging in, the session expires so they need to re-login after 13 hours.