Setting up federated login for Order Hub
Complete this task to set up federated login for Order Hub on-premises deployments. We currently support Google, OKTA, and ADFS integrations.
Before you begin
Prerequisite:
Ensure that you install IBM® Sterling Order Management System Software version 10.0.2309.0 or later (starting from September 2023), which includes Order Hub availability on premises.
Developer toolkit installation
Procedure
- Complete the following task: Supporting OIDC provider login in developer toolkit environment. Ensure that you complete step 3 to enable OIDC login for Order Hub when completing the task.
- Add the following property to the safestart.properties or customer_overrides.properties file:
  yfs.yfs.oh.return.url=https://<hostname>:<port>/order-management/login
- If you are using Google or OKTA:
  - In the server.xml file, change the scope to scope="openid email" in the openidConnectClient element.
  - Add the following properties in the safestart.properties file if you have not already updated them in step 1.
    For Google:
    yfs.yfs.ibmid.provisioner.google.secondaryid=email
    yfs.yfs.ibmid.provisioner.google.uniqueClaim=sub
    yfs.yfs.ibmid.provisioner.google.logouturl=<logout URL>
    For OKTA:
    yfs.yfs.ibmid.provisioner.okta.secondaryid=email (or the email claim name that you have configured in OKTA)
    yfs.yfs.ibmid.provisioner.okta.uniqueClaim=sub
    yfs.yfs.ibmid.provisioner.okta.logouturl=<logout URL>
- Restart the application server.
Traditional installation
Procedure
- Complete one of the following tasks, depending on your integration:
- Optional: If the openidConnectClient feature is not installed with the server.xml change, install openidConnectClient manually. For example, run the following command for Liberty:
  ./featureManager install openidConnectClient-1.0 --verbose
- If you are using Google or OKTA, in the server.xml file, change the scope to scope="openid email" in the openidConnectClient element.
- Add the following properties in the customer_overrides.properties file if you have not already updated them in step 1:
  yfs.yfs.ibmid.provisioner.name=<name of the provider>
  yfs.yfs.ibmid.provisioner.<provider>.logouturl=<logout URL>
  yfs.yfs.oh.return.url=https://<hostname of your web server>:<port>/order-management/login
- Enable OIDC for Order Hub:
  - In repository/orderhub/oh-setup.properties, set the following properties:
    OIDC_ENABLE=Y
    OIDC_PROVIDER=<provider name>
  - Run the Order Hub setup script:
    ./orderhub-setup.sh
- Add proxy_pass to your web server configuration. For example, add the following to your Nginx configuration:
  location /sbc {
    proxy_pass https://<hostname of your web server>:9443;
  }
- Start or restart your web server. Then, log in to Order Hub: https://<hostname>:<port>/order-management/login.
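The following pre-flight check is added here as an example; it is not part of IBM's documentation or product. It parses the properties file and the server.xml openidConnectClient element from the developer toolkit and traditional procedures above and reports settings that differ from what this page asks for. The hostnames and URLs in the sample inputs are constructed.

```python
"""Pre-flight check for the Order Hub OIDC settings on this page (added example, not IBM code).
Property names and the scope="openid email" rule come from the page; sample inputs are constructed."""
import xml.etree.ElementTree as ET

CLAIM_PROPS = ("secondaryid", "uniqueClaim")  # the page requires these for Google and OKTA

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_oidc_config(props_text, server_xml, provider):
    """Return a list of findings; an empty list means the settings match the page."""
    findings = []
    props = parse_properties(props_text)
    # The return URL must be the HTTPS Order Hub login endpoint, not a plain-HTTP one.
    ret = props.get("yfs.yfs.oh.return.url", "")
    if not (ret.startswith("https://") and ret.endswith("/order-management/login")):
        findings.append("yfs.yfs.oh.return.url must be https://<host>:<port>/order-management/login")
    # Every provider needs a logout URL; Google and OKTA also need the claim mapping.
    needed = ["logouturl"] + (list(CLAIM_PROPS) if provider in ("google", "okta") else [])
    for suffix in needed:
        key = f"yfs.yfs.ibmid.provisioner.{provider}.{suffix}"
        if not props.get(key):
            findings.append(f"missing {key}")
    # For Google and OKTA the openidConnectClient scope must carry both openid and email.
    if provider in ("google", "okta"):
        scopes = [c.get("scope", "") for c in ET.fromstring(server_xml).iter("openidConnectClient")]
        if not scopes:
            findings.append("no openidConnectClient element in server.xml")
        for scope in scopes:
            if not {"openid", "email"} <= set(scope.split()):
                findings.append(f'scope="{scope}" must be "openid email"')
    return findings

# Constructed samples: one that follows the page, one with three common slips.
GOOD_PROPS = """yfs.yfs.oh.return.url=https://oms.example.test:9443/order-management/login
yfs.yfs.ibmid.provisioner.google.secondaryid=email
yfs.yfs.ibmid.provisioner.google.uniqueClaim=sub
yfs.yfs.ibmid.provisioner.google.logouturl=https://www.google.com/accounts/Logout"""
BAD_PROPS = GOOD_PROPS.replace("https://oms", "http://oms").replace("uniqueClaim=sub", "uniqueClaim=")
GOOD_XML = '<server><openidConnectClient id="oidc" scope="openid email"/></server>'
BAD_XML = '<server><openidConnectClient id="oidc" scope="openid"/></server>'  # email scope missing
```

Running check_oidc_config(BAD_PROPS, BAD_XML, "google") reports the plain-HTTP return URL, the empty uniqueClaim property and the missing email scope; the same call with GOOD_PROPS and GOOD_XML returns an empty list.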
Container installation
Procedure
- Build a custom application image. For more information, see Customizing and generating container images. Ensure that you complete step 3 to enable OIDC login for Order Hub when completing the task.
- Configure the deployment yaml:
  - Use the custom image built in step 1 for the OMS application.
  - Add an OIDC section to the spec common section:
    spec:
      common:
        oidc:
          enabled: true
          provider: <provider-name>
          discoveryurl: <provider-discovery-url>
          logouturl: <provider-logout-url>
    For example, if your provider is Google, add the following:
    spec:
      common:
        oidc:
          enabled: true
          provider: google
          discoveryurl: https://accounts.google.com/.well-known/openid-configuration
          logouturl: https://www.google.com/accounts/Logout
  - Configure passwords by adding the following secrets to the secret defined in spec.secret: oidcClientId, oidcSecret
  - If you provide a configMap that contains a custom server.xml in the libertyServer.xml parameter, you must update the custom server.xml. See the following procedures:
    - For Order Hub, deploy the smcfs and sbc context roots on the same server.
  - If required, download the root CA certificate for your provider and place it in the /shared/certs/trustedCerts file in the persistent volume.
  - For standalone Order Hub deployments, enable OIDC support by including the following in the spec section:
    spec:
      oidc:
        enabled: true
        provider: <provider>
- Deploy the application and log in to Order Hub: https://<hostname>:<port>/order-management/login.