Setting up federated login for IBM Sterling Call Center

Complete this task to set up federated login for Sterling™ Call Center on-premises deployments. Currently, Google, OKTA, and ADFS integrations are supported.

Before you begin

Ensure that you install IBM® Sterling Order Management System Software version 10.0.2309.1 or later (starting from September 2023), which includes Sterling Call Center availability on premises.

Developer toolkit installation

Procedure

  1. Complete the Supporting OIDC provider login in developer toolkit environment task.

    Complete step 3 to enable the OIDC login for Sterling Call Center when completing the task.

  2. Add the following property to the customer_overrides.properties file. 
    yfs.yfs.cc.return.url=https://<hostname>:<port>/call-center/login
  3. If you are using Google or OKTA,
    1. In the om-appserver:/opt/ibm/wlp/usr/servers/defaultServer/server.xml file, change the scope to scope="openid email" in the openidConnectClient element.
    2. Add the following properties in the customer_overrides.properties file if you have not already updated them in step 1.
      For Google.
      yfs.yfs.ibmid.provisioner.google.secondaryid=email
yfs.yfs.ibmid.provisioner.google.uniqueClaim=sub
yfs.yfs.ibmid.provisioner.google.logouturl=<logout URL>
      For OKTA.
      yfs.yfs.ibmid.provisioner.okta.secondaryid=email (or the email claim name you have configured in OKTA)
yfs.yfs.ibmid.provisioner.okta.uniqueClaim=sub
yfs.yfs.ibmid.provisioner.okta.logouturl=<logout URL>
  4. Restart the application server.

Traditional installation

Procedure

  1. Complete one of the following tasks, depending on your integration.
  2. Optional: If the openidConnectClient feature does not get installed with the server.xml change, install openidConnectClient manually.
    For example, run the following command for Liberty:
    ./featureManager install openidConnectClient-1.0 --verbose
  3. If you're using Google or OKTA, in the server.xml file, change the scope to scope="openid email" in the openidConnectClient element.
  4. Ensure that the server.xml includes icc in the URL pattern. 
    <requestUrl id="myURL" urlPattern="/sbc|/isccs|/wsc|/sfs|/sma|/smcfs|/isf|/icc" matchType="contains" />
  5. Add redirectToRPHostAndPort in server.xml for openidConnectClient.
    For example,
    <openidConnectClient id="google" clientId="yourclientid" clientSecret="yourclientsecret" discoveryEndpointUrl= "your_google_discovery_url" scope="openid email" redirectToRPHostAndPort="your_OMS_environment_url_and_port" httpsRequired="true" signatureAlgorithm="RS256" authFilterRef="myAuthFilter" />
  6. Add the following properties in the customer_overrides.properties file if you have not already updated them in step 1. 
    yfs.yfs.ibmid.provisioner.<provider>.logouturl=<logout URL>
yfs.yfs.cc.return.url=<url to your web server including port>/call-center/login
  7. Create shell-ui/assets/app-bootstrap-config.json in <nginx html>/ext/call-center/.
  8. Add the following details to the app-bootstrap-config.json file. 
    {
"oidcEnabled":true,
"oidcProvider":"<provider, e.g. okta>"
}

    For customization of Sterling Call Center for the traditional installation, see Setting up the development environment.

Container installation

Procedure

  1. Build a custom application image. For more information, see Customizing and generating container images. Ensure that you complete step 3 to enable OIDC login for Sterling Call Center when completing the task.
  2. Configure the deployment yaml:
    1. Use the custom image built in step 1 for the OMS application.
    2. Add an OIDC section to the spec common section. 
      spec:
  common:
    oidc:
      enabled: true
      provider: <provider-name>
      discoveryurl: <provider-discovery-url>
      logouturl: <provider-logout-url>
      For example, if Google is your provider, add the following details.
      spec:
  common:
    oidc:
      enabled: true
      provider: google
      discoveryurl: https://accounts.google.com/.well-known/openid-configuration
      logouturl: https://www.google.com/accounts/Logout
    3. Configure passwords by adding the following secrets to the secret defined in spec.secret. 
      oidcClientId
oidcSecret
    4. If you provide a configMap that contains a custom server.xml in the libertyServer.xml parameter, you must update the custom server.XML. See the following procedures.

      For OKTA integration with Liberty

      For Google ID integration with Liberty

      For ADFS integration with Liberty

  3. If required, download the root CA certificate for your provider and place in the /shared/certs/trustedCerts file in the persistent volume.
  4. For stand-alone Sterling Call Center deployments, enable OIDC support by including the following in the spec section. 
    spec:
  oidc:
    enabled: true
    provider: <provider>
  5. Deploy the application and log in to Sterling Call Center: https://<domain name>/call-center/login.