Setting up single sign-on login for Order Hub

Complete this task to set up single sign-on (SSO) for Order Hub on-premises deployments.

Before you begin

Prerequisite:

Ensure that you install IBM® Sterling™ Order Management System Software version 10.0.2501.0 or later.

Developer toolkit installation

Procedure

  1. Configure the properties required for SSO. For more information, see Security yfs.properties.
    yfs.yfs.security.singlesignon.enabled=Y
    yfs.yfs.login.singlesignon.checkuser=Y
    yfs.yfs.login.singlesignon.class=<classname>
    yfs.yfs.authentication.type.class=<classname>
    
  2. Add the following property to the safestart.properties or the customer_overrides.properties file.
    yfs.yfs.oh.return.url=https://<hostname>:<port>/order-management/login
  3. Restart the application server.
  4. Add the following two properties to the devtoolkit_docker/compose-orderhub/docker/oh-docker-compose.properties file.
    OIDC_ENABLE=Y
    OIDC_PROVIDER=<provider name>
    The value for OIDC_PROVIDER can be any text string. It is used as text on the login button on the Order Hub login page.
  5. In the devtoolkit_docker/compose directory, run the following command.
    ./om-compose.sh setup-orderhub
  6. Log in to Order Hub at https://<hostname>:<port>/order-management/login.
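The SSO properties from steps 1 and 2 are the same for all three installation types below, and a placeholder left in place or a plain-http return URL is only discovered after the application server restart. The following shell script is an added example, not part of the IBM documentation: it reads a Java-style properties file (for example customer_overrides.properties) and reports each property that does not match what the procedure requires. The sample property files, host name and class names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: sanity-check the SSO
# properties from steps 1 and 2 before restarting the application server.
# Input is a Java-style properties file (e.g. customer_overrides.properties).
# Print the value of key $2 from file $1; the last definition wins, as in Java.
prop_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -E "^[[:space:]]*${esc}[[:space:]]*=" "$1" | tail -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 when every SSO property is set as required; otherwise print one
# FAIL line per problem and return 1.
check_sso_props() {
  file=$1; rc=0
  for key in yfs.yfs.security.singlesignon.enabled yfs.yfs.login.singlesignon.checkuser; do
    v=$(prop_value "$file" "$key")
    [ "$v" = "Y" ] || { echo "FAIL: $key must be Y (got '${v:-<unset>}')"; rc=1; }
  done
  for key in yfs.yfs.login.singlesignon.class yfs.yfs.authentication.type.class; do
    v=$(prop_value "$file" "$key")
    case $v in
      ""|*"<"*) echo "FAIL: $key must name a real class (got '${v:-<unset>}')"; rc=1 ;;
    esac
  done
  url=$(prop_value "$file" yfs.yfs.oh.return.url)
  case $url in
    https://*/order-management/login) ;;
    *) echo "FAIL: yfs.yfs.oh.return.url must be https://<host>:<port>/order-management/login (got '${url:-<unset>}')"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample files: one complete, one with typical mistakes.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
yfs.yfs.security.singlesignon.enabled=Y
yfs.yfs.login.singlesignon.checkuser=Y
yfs.yfs.login.singlesignon.class=com.example.sso.OmsSingleSignOn
yfs.yfs.authentication.type.class=com.example.sso.OmsAuthenticator
yfs.yfs.oh.return.url=https://oms.example.com:9443/order-management/login
EOF
cat > "$BAD" <<'EOF'
yfs.yfs.security.singlesignon.enabled=Y
yfs.yfs.login.singlesignon.checkuser=N
yfs.yfs.login.singlesignon.class=<classname>
yfs.yfs.oh.return.url=http://oms.example.com:9080/order-management/login
EOF
if check_sso_props "$GOOD"; then echo "$GOOD: OK"; fi
check_sso_props "$BAD" || echo "$BAD: fix the properties above before restarting"
```

Point the script at the real properties file on the application server host; a non-zero exit status means at least one property still needs attention.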

Traditional installation

Procedure

  1. Configure the properties required for SSO. For more information, see Security yfs.properties.
    yfs.yfs.security.singlesignon.enabled=Y
    yfs.yfs.login.singlesignon.checkuser=Y
    yfs.yfs.login.singlesignon.class=<classname>
    yfs.yfs.authentication.type.class=<classname>
    
  2. Add the following property to the customer_overrides.properties file.
    yfs.yfs.oh.return.url=https://<hostname of your web server>:<port>/order-management/login
  3. Restart the application server.
  4. Enable OIDC for Order Hub by setting the following properties in the repository/orderhub/oh-setup.properties file.
    OIDC_ENABLE=Y
    OIDC_PROVIDER=<provider name>
    The value for OIDC_PROVIDER can be any text string. It is used as text on the login button on the Order Hub login page.
  5. Run the Order Hub setup script.
    ./orderhub-setup.sh
  6. In the Nginx configuration of your Order Hub web server, add a proxy location for the sbc application. The proxy is required because Order Hub uses two servlets (OrderHubAuthServlet and OrderHubAuthLogoutServlet) that are part of the sbc application.
        location /sbc {
             proxy_pass https://<hostname of your web server>:<port>;
        }
    For example, add the following to your Nginx configuration:
     server {
        listen              7446 ssl;
        server_name         localhost;
        ssl_certificate      /etc/ssl/certs/myssl.crt;
        ssl_certificate_key  /etc/ssl/private/myssl.key;
    
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
    
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_prefer_server_ciphers  on;
        server_tokens off;
    
        root    /usr/share/nginx/html;
        include /etc/nginx/orderhub/orderhub.conf;
    	
        location /sbc {
           proxy_pass https://my-oms-server.domain.com:9443;
        }
    }
  7. Start or restart your web server. Then, log in to Order Hub at https://<hostname>:<port>/order-management/login.

Container installation

Procedure

  1. Configure the properties required for SSO. For more information, see Security yfs.properties.
    yfs.yfs.security.singlesignon.enabled=Y
    yfs.yfs.login.singlesignon.checkuser=Y
    yfs.yfs.login.singlesignon.class=<classname>
    yfs.yfs.authentication.type.class=<classname>
    
  2. Configure the deployment yaml:
    1. For integrated deployments, add an OIDC section to the orderhub section.
      orderHub:
          base:
            ...
          extn:
            ... 
          oidc:
            enabled: true
            provider: <provider name>
    2. For standalone Order Hub deployments, enable OIDC support by including the following in the spec section.
      spec:
        oidc:
          enabled: true
          provider: <provider name>
      
      The value for provider can be any text string. It is used as text on the login button on the Order Hub login page.
    3. Configure the smcfs and sbc context roots to be on the same application server.
      For example,
      - appServer:
            libertyServerXml: oidc-server-xml 
            ingress:
              contextRoots:
              - smcfs
              - sbc
  3. Deploy the application and log in to Order Hub at https://<hostname>:<port>/order-management/login.