OIDC authentication FAQs
This FAQ provides you with answers to common questions about OIDC and IBMid authentication in IBM Sterling® Order Management System.
Is OIDC service used for both authentication and authorization?
No
OIDC service is used only for authentication. Authorization is handled by Sterling™ Order Management System.
What OIDC providers are supported?
Sterling Order Management System supports the following OIDC identity providers:
- Microsoft Entra ID
- Google OpenID Connect
- Okta
- Active Directory Federation Services
How are new users onboarded to a Sterling Order Management System system on which OIDC login is enabled?
You need to create a new user in the Sterling Order Management System system. You can create the user by using either the Applications Manager UI or by calling the createUserHierarchy API. For more information, see Creating a user.
How are users offboarded from a Sterling Order Management System system on which OIDC authentication is enabled?
You must remove the users from the IBM Sterling Order Management System system. You can delete a user from Sterling Order Management System by using either the Applications Manager UI or by calling the deleteUserHierarchy API. For more information, see Deleting a user.
When OIDC authentication is enabled, is it mandatory for all new users to have an OIDC account?
Yes.
OIDC login is enabled at the environment level. Therefore, all users must have OIDC login credentials to access any of the applications.
When OIDC login is enabled, how are existing users updated?
Existing users must log in either with their corporate login (if federated) or create an account with the OIDC provider. After the user logs in with the OIDC provider, the Sterling Order Management System login screen is displayed. On the Sterling Order Management System login screen, enter the OMS user credentials. For any subsequent login, the user is automatically logged in to the Sterling Order Management System application home page as an OMS user.
What is the timeout interval for a user session?
Can OIDC provider login be configured from the developer toolkit environment?
Yes.
You can configure the application to support OIDC provider login from the developer toolkit environment. For more information, see Supporting OIDC provider login in developer toolkit environment.
Can a custom package that is created by using developer toolkit be deployed on the cloud environment?
Yes.
A custom package that is created by using developer toolkit can be deployed to any cloud environment irrespective of whether OIDC is enabled on the target environment or not.
Is OIDC enabled for all applications? Are there any exceptions?
Yes.
OIDC is enabled for all the Sterling Order Management System applications except for the REST API Tester tool. For more information, see Accessing IBM Sterling Order Management System web applications after enabling your OIDC account.
After OIDC authentication is enabled for IBM Sterling Order Management System, how do I access the applications?
You can access the Sterling Order Management System web-based applications and tools either by using the full URL or by using only the context root in the URL. For more information, see Accessing IBM Sterling Order Management System web applications after enabling your OIDC account.
How do I unlink an admin user from an existing OIDC?
It is not recommended that you unlink an admin user from an existing OIDC account. However, if you want to unlink an admin user from an existing OIDC account based on your business requirement, raise a Case with the IBM Support team.
Is there a 1-1 relation between an OIDC account and an OMS user ID?
Yes.
There is a 1-1 relation between an OIDC account and an OMS user ID. When you create new users in the Sterling Order Management System system, an email ID must be provided in the contact information. This email ID of the OMS user is used to link the OMS user with the OIDC account that uses the same email ID.
What happens when multiple OMS users are mapped to the same OIDC account?
If an OIDC account is associated with multiple OMS users, the OMS user that was created first gets associated with the OIDC account. The remaining OMS users cannot use the same account.
How can existing OMS users update their account to use OIDC authentication?
Users must log in either with their corporate login (if federated) or create an IBMid and log in with it. After the user logs in with the OIDC login credentials, the Sterling Order Management System login screen is displayed. On the Sterling Order Management System login screen, enter the existing OMS user ID and password. This links the OIDC account with the OMS login ID. For any subsequent login, the user is automatically logged in to the Sterling Order Management System application home page as an OMS user.
Can OMS user ID contain special characters?
Yes.
You can use special characters in the OMS user ID. For example, you can use an email ID as the OMS user ID.
After OIDC authentication is enabled in the Sterling Order Management System environment, can it be disabled?
For security reasons, it is not recommended that you disable OIDC authentication on a Sterling Order Management System environment. However, if there is a requirement to do so, raise a Case with the IBM Support team.
When OIDC authentication is enabled, should I update the web.xml file to include the OIDC parameters before developing customizations?
No.
The OIDC parameters are automatically added to the web.xml file by the EAR build process.
Is LDAP authentication supported by OIDC?
No.