Integrating Oracle iStore with Oracle Single Sign-On

Overview of Integrating Oracle iStore with Oracle Single Sign-On Chapter

This chapter describes the integration of Oracle iStore with Oracle Single Sign-On (SSO).

Overview of Single Sign-On

Single Sign-On (SSO) provides the capability for enterprises to manage access to applications via a single-authentication architecture. Using SSO, an enterprise is able to avoid maintaining multiple user accounts, thus enhancing security and lowering costs. By leveraging SSO, companies are able to blend their e-commerce applications with existing corporate web assets to provide a single, comprehensive web presence. SSO supports this effort by allowing a number of different applications common to an enterprise to share a common authentication service. With Oracle's enterprise-wide Single Sign-On, a user is required to log on, or authenticate himself, only once. The verification of his identity is valid for the duration of the user's session, and for every application participating in the SSO framework. The user session ends, across every application, when he logs out.

For users of the Oracle E-Business Suite, the Single Sign-On framework is provided by Oracle 10g Single Sign-On Application Server (SSO Server). Participating applications can be Oracle E-Business (CRM/ERP) applications, other Oracle applications like Oracle Portal, as well as third-party applications.

Implementing Oracle Single Sign-On Server

Implement Oracle Single Sign-On Server using the appropriate version of the Oracle 10g Application Server documentation. See the Oracle Applications System Administrator's Guide - Security for more information.

Single Sign-On Functionality with Oracle iStore

This section describes Oracle iStore's behavior and related rules in the Customer Application with Oracle Single Sign-On enabled.

User Authentication

When integrating Oracle iStore with Oracle SSO, all user authentication processes (except the guest user authentication) are controlled by the SSO Server. Following is the authentication flow.

  1. A customer selects a specialty site and can browse the site as a guest user until login.

  2. When the customer attempts to log in, the system checks whether the customer has previously been authenticated with the SSO server.

  3. If the user has not been SSO-authenticated, the SSO Login page appears, prompting him to enter his credentials. Once authenticated, the customer is taken to the previously selected specialty site page. From here, the customer is treated differently, depending upon whether he is a registered Oracle iStore user:

    • If the customer is a registered Oracle iStore user, he now has full privileges in the sites.

    • If the customer has submitted an Oracle iStore registration request but his approval is still pending, the system displays a message about the pending registration status; the customer continues to be treated as a guest user. The user's session remains SSO-authenticated.

    Note: Underneath the registration status message is a message placeholder for a link to the merchant's organization portal. The message reads, "Click here to go back to the organization portal". Since links directing the user back to the organization portal will be specific per organization, the message is displayed without an actual hyperlink. To alter the existing message placeholder, customize the message JSP, ibeCZzdMessages.jsp. Either add a hyperlink for the message, IBE_PRMT_CLICK_TO_ORG_PORTAL, or remove it to not use the placeholder.

ICX-Authenticated Users Can Browse as Guest Users

Oracle iStore allows authenticated users (authenticated ICX session) who are not registered for access to the application to browse public pages without being automatically logged out. In other words, these users are treated as guest users, even though they are already authenticated. In the typical SSO setup, a user logs into the SSO portal and can then navigate to iStore sites. In this case, the user will have an authenticated ICX session but not be registered as an Oracle iStore user. Oracle iStore treats these users as guest users and displays the catalog and prices of a walk-in user. As with regular logged-in users, these users will see their name in the Welcome bin, will see the Logout icon, and will not see the Register icon. As with guest users, these users can add items to the shopping cart, but if they attempt to access any sensitive pages (e.g., checkout, profile) the system will prompt them to register using Online Access to Existing Account registration.

User Session Parameters

As users navigate the Oracle iStore Customer UI as guest users, they have the ability to choose different languages, currencies, and specialty sites. With SSO, a user's session selections are preserved as the user transitions from a guest user to an authenticated SSO user.

Login/Logout

All Oracle iStore login and logout (sign-in and sign-out) functionality will be provided by the SSO Server.

The sign-in/sign-out links in the Customer UI Welcome Bin and the global sign-in/sign-out icons will point to the SSO Server. The URL for the links and icons is derived from the Oracle Application Technology Foundation profile option that specifies the SSO server location.

User Notification Events

The Oracle iStore Forgot Password notification event will not be used when integrating Oracle iStore with the SSO Server.

For the registration notifications, implementers who use Oracle iStore's registration pages as their external registration will see no change. If Oracle iStore registration is not used, these notifications will not be used either.

User Registration

If integrating Oracle iStore with Oracle SSO Server, the Oracle iStore user registration pages are used by default.

Registration Flow with SSO Enabled

Following is the typical registration flow with the SSO Server enabled. This flow is applicable to B2C, B2B, and partner users.

  1. A customer navigates to the Oracle iStore Customer Application.

  2. Oracle iStore checks if the user has a valid guest user session.

  3. If the user has a valid guest user session, the system considers the user a guest user in Oracle iStore, and the user can browse the catalog and add items to the cart.

  4. If the user does not have a valid guest user session, the system checks whether the user is a valid Oracle iStore user. If the user is a valid user, the system checks whether his approval is pending. If his registration is approved, he is considered a valid user for the remainder of the user session. If his registration is not approved, he is shown a message that his registration is not yet approved. If the user is found not to be a valid Oracle iStore user, the system collects his user information so that he can be validated.

  5. If the guest user attempts to perform some transaction, he will be prompted to either log in or register. If he attempts to log in, the system displays the SSO login page, where the user logs in (or, if his login is not successful, he is returned to the login page). The user may also register if his login is unsuccessful; in this case, Oracle iStore will call an Oracle Technology Foundation API to determine which registration page the user should be directed to. If it is determined that the Oracle iStore pages should be used, the system displays the Oracle iStore user type selection page, and the registration proceeds as in a non-SSO scenario. If his login is successful, the system validates the user's Oracle iStore user status as in step 4, above.

The following graphic depicts the flow.

Figure: Oracle iStore-Oracle SSO Registration Flow (the flow is described in the steps above)

User Registration with CAPs

For user registration, implementers can use either their own Central Account Provisioning system (CAPs) or Oracle iStore's registration pages. Oracle iStore's registration pages are used by default. To use a CAPs page, implementers should follow the instructions in the Oracle 10g Application Server documentation mentioned earlier in this chapter. As part of implementing a CAPs, implementers must set the profile option, APPS_CENTRAL_REGISTER_URL. When this profile is defined, the Register global icon in Oracle iStore's Customer Application leads to the CAPs registration page. If the CAPs URL profile is not defined and the profile option, APPS_SSO_USER_CREATE_UPDATE, is set to No, the system disables all registration links. In addition, when a CAPs page is enabled and user creation is disabled (APPS_SSO_USER_CREATE_UPDATE is set to N), the Online Access to Existing Account functionality on the registration page is also disabled.

When CAPs is enabled, the FND user is created by the CAPs registration framework. If the implementation is set up to require explicit approval of users, until a user is approved, he can access the Customer Application but will not be able to complete any secure actions (for example, checking on orders or checking out with a cart) until he is approved. In the meantime, he will see a pending approval message.

The following graphic shows how the Oracle iStore registration page might look with CAPs enabled.

Figure: Sample Registration Page with CAPs Enabled (the page is described in the text)

Note that the above page would display the Online Access to Existing Account links only if at least one of the online access user types is enabled.

The following tables help illustrate the behavior of the CAPs URL definition and the user creation profile option setting when a user attempts to register.

Registration with CAPs URL Defined

  APPS_SSO_USER_CREATE_UPDATE = Y:

    • If Online Access to Existing Account is enabled, the user type list displays with the online access links present.

    • If Online Access to Existing Account is disabled, the CAPs registration page displays.

  APPS_SSO_USER_CREATE_UPDATE = N:

    • The CAPs registration page displays.

    • Even if Online Access to Existing Account is enabled, the user type links are not shown.

Registration with CAPs URL Not Defined

  APPS_SSO_USER_CREATE_UPDATE = Y:

    • Oracle iStore registration pages display.

    • If Online Access to Existing Account is enabled, the user type list displays with the online access links present.

  APPS_SSO_USER_CREATE_UPDATE = N:

    • No registration links or icons display anywhere in Oracle iStore.

    • Registration through Oracle iStore is totally disabled (with the exception of Partial Registration).
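The following Python model is an added illustration of the access decisions in the authentication and registration flows above and of the CAPs registration tables just shown; it is not Oracle code, and Visitor, decide_access and registration_entry are invented names.

```python
# Added illustration of the Oracle iStore + SSO decisions described in this
# chapter; not Oracle code. Visitor, decide_access, registration_entry and
# the returned labels are assumed names chosen for this example.
from dataclasses import dataclass
from enum import Enum


class Registration(Enum):
    NONE = "none"          # not an Oracle iStore user
    PENDING = "pending"    # request submitted, approval still outstanding
    APPROVED = "approved"


@dataclass
class Visitor:
    sso_authenticated: bool      # holds a valid SSO-backed (ICX) session
    registration: Registration


def decide_access(v: Visitor, sensitive: bool) -> str:
    """Treatment of one page request; sensitive = checkout, profile, orders."""
    if v.sso_authenticated and v.registration is Registration.APPROVED:
        return "full_access"   # no forced re-authentication under SSO
    if not sensitive:
        # guests, pending users and unregistered SSO users all browse the
        # catalog and cart; pending users also see the pending-status message
        if v.registration is Registration.PENDING and v.sso_authenticated:
            return "guest_pending_message"
        return "guest"
    if not v.sso_authenticated:
        return "prompt_login_or_register"   # login goes to the SSO Server
    if v.registration is Registration.PENDING:
        return "guest_pending_message"      # secure actions still blocked
    return "prompt_online_access_registration"


def registration_entry(caps_url_defined: bool, user_create_update: str,
                       online_access_enabled: bool) -> str:
    """Which registration UI the Register icon leads to (the CAPs tables)."""
    if caps_url_defined:
        if user_create_update == "Y" and online_access_enabled:
            return "istore_user_type_list_with_online_access"
        return "caps_registration_page"   # user type links never shown for N
    if user_create_update == "Y":
        return "istore_registration_pages"
    return "registration_disabled"        # only Partial Registration remains
```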

For more information on user registration, see the chapter, Implementing User Management.

User Management

This section discusses user management functionality with Oracle iStore and SSO integration.

B2B User Management

Without SSO, an Oracle iStore B2B Primary User has the ability to create additional user accounts and to reset these users' passwords. If SSO is enabled and passwords are managed external to the Oracle E-Business Suite, the primary user can still create these accounts but will not be able to change their passwords afterwards. The password reset box normally available to the Primary User will be unavailable in this scenario.

Oracle iStore does not provide the capability to manage multiple Oracle E-Business Suite accounts per SSO user. Only the current, default Oracle E-Business Suite account that is enabled for SSO is supported when using Oracle iStore.

Password Changes by Customers

Oracle iStore customers can change their passwords in the Customer UI personal information profile screens. In the Personal Information page, when SSO is enabled and passwords managed externally, customers will see a link directing them to the SSO page, where they can change their passwords.

Applications SSO User Creation and Updation Allowed Profile Impact

When the profile option, Applications SSO User Creation and Updation Allowed, is set to Disabled, primary users will be unable to set start and end dates for users in the Oracle iStore user management pages. The start/end date fields will be read-only. See the Oracle Single Sign-On Server documentation for more information about the profile option.

Oracle iStore Sensitive Pages

When SSO is enabled, Oracle iStore does not support forced re-authentication via sensitive pages. Implementers should set the profile option, IBE: Use Sensitive Pages, to No to turn off the forced re-authentication in Oracle iStore. Thus, when SSO is enabled, SSO-authenticated users are not prompted to re-enter their passwords when navigating from non-sensitive pages (for example, the shopping cart page) to sensitive pages (for example, the shipping page).

Language Support

Users will need to install languages for SSO that are supported by Oracle iStore. The SSO Login page will have the same UI for all users and sites, but will contain the content appropriate for a particular language based on the user's browser settings.

SSO Logout Page With Partner Site Outside of Oracle Applications

In the case of Oracle Partner Management integration with Oracle Single Sign-On Server (SSO), the logout page will be the Oracle iStore logout page rather than the SSO logout page when the following sequence occurs:

  1. User submits registration request from Oracle iStore registration page.

  2. User navigates to Partner application (outside of Oracle Applications), that is SSO-enabled.

  3. User returns to Oracle iStore site.

  4. User logs out.

  5. The Oracle iStore logout page is retrieved instead of the SSO logout page.

Implementing Oracle Single Sign-On with Oracle iStore

There are no Oracle iStore-specific setups that are required for SSO. Implement Oracle Single Sign-On Server using the appropriate version of the Oracle 10g Application Server documentation (See the section, "Implementing Oracle Single Sign-On Server", above).