Supporting OIDC provider login in developer toolkit environment

You can configure the application to support OIDC provider login from the developer toolkit environment.

Procedure

  1. Collect from your OIDC provider the values that you need for the following properties:
    • OIDC_PROVIDER name
    • OIDC_CLIENTID and OIDC_SECRET
    • OIDC_DISCOVERYURL
    • OIDC_LOGOUTURL
    • OIDC_UNIQUECLAIM and OIDC_SECONDARYID

      In ADFS, if you do not configure the OIDC_UNIQUECLAIM and OIDC_SECONDARYID properties, the default values sub and email are used.

    Note: The OIDC_LOGOUTURL, OIDC_UNIQUECLAIM, and OIDC_SECONDARYID properties apply only to ADFS. For other OIDC providers, override the corresponding logout, secondaryId, and UniqueClaim entries in yfs.properties. For example, yfs.yfs.ibmid.provisioner.google.secondaryid=emailId.
  2. In the om-compose.properties file, add the following properties and set OIDC_ENABLE=Y.
    • OIDC_ENABLE – Y or N.
    • OIDC_PROVIDER – ibmid, adfs, google, okta, entra.
    • OIDC_CLIENTID
    • OIDC_SECRET
    • OIDC_DISCOVERYURL
    The following properties are applicable only for ADFS:
    • OIDC_LOGOUTURL
    • OIDC_UNIQUECLAIM – Default value is sub.
    • OIDC_SECONDARYID – Default value is email.
    The following properties are applicable only for Microsoft Entra:
    • OIDC_LOGOUTURL
    • OIDC_UNIQUECLAIM – Default value is sub.
    • OIDC_SECONDARYID – Default value is email.
      Note: To link users, the email ID token claim is mandatory. Ensure that your Active Directory configuration contains an email ID for every user who needs to log in to Sterling™ Order Management System, and that your OIDC provider is configured to pass that email ID as an ID token claim. If the claim has a name other than email, set the OIDC_SECONDARYID property to that name.

      For example, if your email claim is named email_id, set OIDC_SECONDARYID=email_id.

  3. Apply the configuration.
    1. Import the certificate (with the .cer or .crt extension) by placing it in the certificates directory of the developer toolkit. For more information, see the ./om-compose.sh import-cert Docker Compose command.
    2. Build the EAR and redeploy. This deployment applies only to the setup or setup-upg commands of the developer toolkit. For more information, see the Docker Compose commands reference.
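As an added pre-flight check for steps 1 and 2 (this script is not part of the product or of this page), the following Python code parses an om-compose.properties fragment and reports which OIDC settings will take effect, using the property names, provider values, and ADFS/Entra defaults listed above. The sample fragment and its example.test host names are constructed placeholders.

```python
# Property names, provider values and defaults are those the page lists; nothing here is product code.
PROVIDERS = {"ibmid", "adfs", "google", "okta", "entra"}
REQUIRED = ("OIDC_PROVIDER", "OIDC_CLIENTID", "OIDC_SECRET", "OIDC_DISCOVERYURL")
CLAIM_DEFAULTS = {"OIDC_UNIQUECLAIM": "sub", "OIDC_SECONDARYID": "email"}  # ADFS/Entra defaults

def parse_properties(text):
    """Parse KEY=VALUE lines; '#' or '!' starts a comment, as in Java .properties files."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_oidc(props):
    """Return (effective OIDC settings, problems) for a parsed om-compose.properties map."""
    problems = []
    if props.get("OIDC_ENABLE", "N") != "Y":
        return {}, problems
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"{key} is required when OIDC_ENABLE=Y")
    provider = props.get("OIDC_PROVIDER", "")
    if provider not in PROVIDERS:
        problems.append(f"OIDC_PROVIDER={provider!r} is not one of {sorted(PROVIDERS)}")
    url = props.get("OIDC_DISCOVERYURL", "")
    if url and not url.startswith("https://"):
        problems.append("OIDC_DISCOVERYURL must use https:// (it names the token and JWKS endpoints)")
    effective = {k: props[k] for k in REQUIRED if props.get(k)}
    if provider in ("adfs", "entra"):
        # Logout URL and claim mapping apply only here; unset claim properties fall back to sub/email.
        if props.get("OIDC_LOGOUTURL"):
            effective["OIDC_LOGOUTURL"] = props["OIDC_LOGOUTURL"]
        for key, default in CLAIM_DEFAULTS.items():
            effective[key] = props.get(key) or default
    else:
        for key in ("OIDC_LOGOUTURL", *CLAIM_DEFAULTS):
            if key in props:
                problems.append(f"{key} applies only to adfs/entra; override yfs.properties for {provider}")
    return effective, problems

# Constructed sample fragment with placeholder values (not a real deployment).
SAMPLE = """\
OIDC_ENABLE=Y
OIDC_PROVIDER=entra
OIDC_CLIENTID=example-client-id
OIDC_SECRET=example-secret
OIDC_DISCOVERYURL=https://login.example.test/.well-known/openid-configuration
OIDC_LOGOUTURL=https://login.example.test/logout
OIDC_SECONDARYID=email_id
"""
```

The effective OIDC_SECONDARYID value is the claim name the ID token must carry for user linking, so compare it against what the provider actually emits.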