Setting up federated login for Order Hub

Complete this task to set up federated login for Order Hub on-premises deployments. We currently support Google, OKTA, and ADFS integrations.

Before you begin

Prerequisite:

Ensure that you install IBM® Sterling Order Management System Software version 10.0.2309.0 or later (available from September 2023), which includes Order Hub for on-premises deployments.

Developer toolkit installation

Procedure

  1. Complete the following task: Supporting OIDC provider login in developer toolkit environment.

    Ensure that you complete step 3 to enable OIDC login for Order Hub when completing the task.

  2. Add the following property to the safestart.properties or customer_overrides.properties file:
    yfs.yfs.oh.return.url=https://<hostname>:<port>/order-management/login
  3. If you are using Google or OKTA:
    1. In the server.xml file, change the scope to scope="openid email" in the openidConnectClient element.
    2. Add the following properties in the safestart.properties file if you have not already updated them in step 1:
      For Google:
      yfs.yfs.ibmid.provisioner.google.secondaryid=email
      yfs.yfs.ibmid.provisioner.google.uniqueClaim=sub
      yfs.yfs.ibmid.provisioner.google.logouturl=<logout URL>
      For OKTA:
      yfs.yfs.ibmid.provisioner.okta.secondaryid=email (or the email claim name you have configured in OKTA)
      yfs.yfs.ibmid.provisioner.okta.uniqueClaim=sub
      yfs.yfs.ibmid.provisioner.okta.logouturl=<logout URL>
  4. Restart the application server.

Traditional installation

Procedure

  1. Complete one of the following tasks, depending on your integration:
  2. Optional: If the openidConnectClient feature is not installed by the server.xml change, install openidConnectClient manually.
    For example, run the following command for Liberty:
    ./featureManager install openidConnectClient-1.0 --verbose
  3. If you're using Google or OKTA, in the server.xml file, change the scope to scope="openid email" in the openidConnectClient element.
  4. Add the following properties in the customer_overrides.properties file if you have not already updated them in step 1:
    yfs.yfs.ibmid.provisioner.name=<name of the provider>
    yfs.yfs.ibmid.provisioner.<provider>.logouturl=<logout URL>
    yfs.yfs.oh.return.url=https://<hostname of your web server>:<port>/order-management/login
  5. Enable OIDC for Order Hub:
    1. In repository/orderhub/oh-setup.properties set the following properties:
      OIDC_ENABLE=Y
      OIDC_PROVIDER=<provider name>
    2. Run the Order Hub setup script:
      ./orderhub-setup.sh
  6. Add proxy_pass to your web server configuration.
    For example, add the following to your Nginx configuration:
      location /sbc {
          proxy_pass https://<hostname of your web server>:9443;
      }
  7. Start or restart your web server. Then, log in to Order Hub: https://<hostname>:<port>/order-management/login.
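As an added example (not part of the IBM documentation), the following Python lint reads the properties set in the developer toolkit and traditional procedures above and flags the settings a reviewer would check before restarting the server: the return URL must be https and point at /order-management/login, the named provider's keys must not be left as placeholders, and for Google or OKTA the unique claim should be the stable sub claim rather than an email address. The hostname and sample values are constructed.

```python
# Added example (not IBM's code): lint the OIDC properties the procedure above sets.
from urllib.parse import urlparse

RETURN_URL_KEY = "yfs.yfs.oh.return.url"
PROVISIONER = "yfs.yfs.ibmid.provisioner."
CLAIM_PROVIDERS = ("google", "okta")  # Google and OKTA also need the claim mapping keys


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint_oidc_properties(text):
    """Return a list of findings; an empty list means the configuration passes."""
    props, findings = parse_properties(text), []
    url = urlparse(props.get(RETURN_URL_KEY, ""))
    if url.scheme != "https":
        findings.append(f"{RETURN_URL_KEY}: login redirect target must use https")
    if url.path != "/order-management/login":
        findings.append(f"{RETURN_URL_KEY}: path must be /order-management/login")
    provider = props.get(PROVISIONER + "name", "")
    if not provider:
        return findings + [f"{PROVISIONER}name is not set"]
    required = ["logouturl"] + (["secondaryid", "uniqueClaim"] if provider in CLAIM_PROVIDERS else [])
    for suffix in required:
        key = f"{PROVISIONER}{provider}.{suffix}"
        value = props.get(key, "")
        if not value or value.startswith("<"):  # unset, or still a <placeholder>
            findings.append(f"{key} is missing or still a placeholder")
    claim = props.get(f"{PROVISIONER}{provider}.uniqueClaim")
    if provider in CLAIM_PROVIDERS and claim and claim != "sub":
        # `sub` is the provider's stable subject id; an email address can be reassigned.
        findings.append(f"{PROVISIONER}{provider}.uniqueClaim should be 'sub', not '{claim}'")
    return findings

# Constructed sample: weak settings first, then the corrected form of the same file.
WEAK = """yfs.yfs.oh.return.url=http://oms.example.internal:9443/order-management/login
yfs.yfs.ibmid.provisioner.name=google
yfs.yfs.ibmid.provisioner.google.secondaryid=email
yfs.yfs.ibmid.provisioner.google.uniqueClaim=email
yfs.yfs.ibmid.provisioner.google.logouturl=<logout URL>"""
FIXED = WEAK.replace("http://", "https://").replace("uniqueClaim=email", "uniqueClaim=sub") \
            .replace("<logout URL>", "https://www.google.com/accounts/Logout")
```

Running `lint_oidc_properties(WEAK)` reports three findings (http return URL, placeholder logout URL, email used as the unique claim); `lint_oidc_properties(FIXED)` returns an empty list.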

Container installation

Procedure

  1. Build a custom application image. See Customizing certified containers. Ensure that you complete step 3 to enable OIDC login for Order Hub when completing the task.
  2. Configure the deployment yaml:
    1. Use the custom image built in step 1 for the OMS application.
    2. Add an OIDC section to the spec common section:
      spec:
        common:
          oidc:
            enabled: true
            provider: <provider-name>
            discoveryurl: <provider-discovery-url>
            logouturl: <provider-logout-url>
      
      For example, if your provider is Google, add the following:
      spec:
        common:
          oidc:
            enabled: true
            provider: google
            discoveryurl: https://accounts.google.com/.well-known/openid-configuration
            logouturl: https://www.google.com/accounts/Logout
      
    3. Configure passwords by adding the following secrets to the secret defined in spec.secret:
      oidcClientId
      oidcSecret
    4. If you provide a configMap that contains a custom server.xml in the libertyServer.xml parameter, you must update the custom server.xml. See the following procedures:
    5. For Order Hub, deploy smcfs and sbc context roots on the same server.
  3. If required, download the root CA certificate for your provider and place it in the /shared/certs/trustedCerts file in the persistent volume.
  4. For standalone Order Hub deployments, enable OIDC support by including the following in the spec section:
    spec:
      oidc:
        enabled: true
        provider: <provider>
    
  5. Deploy the application and log in to Order Hub: https://<hostname>:<port>/order-management/login.