Considerations When Using Single Sign-on

When single sign-on (SSO) is enabled for agents on your site, an SSO Login (SAML 2.0) permission check box appears on the Administration tab of the Profiles editor. When you add this permission to a profile, staff members with that profile can log in only through an identity provider.

Configuration Settings—For security purposes, we recommend that if the SSO Login (SAML 2.0) permission is enabled, SEC_END_USER_HTTPS also be enabled. When both are enabled, the SAML assertion must be sent over a secure protocol (https://), so the assertion cannot be delivered to the site in clear text. To enable SEC_END_USER_HTTPS, contact your Oracle account manager. For an in-depth discussion of security practices in B2C Service, see Overview of Oracle B2C Service Security and Compliance.

Restrictions—Several restrictions apply to staff members whose profile includes the SSO Login (SAML 2.0) permission. Because of the restrictions described here, we recommend creating a profile that does not have the SSO Login (SAML 2.0) permission enabled and assigning at least one staff account to that profile. If a problem occurs with your identity provider, that account can still log in to B2C Service and change other staff members' profiles (and assign them passwords, if necessary) so agents can continue to work until the problem is resolved.

  • The staff members cannot log in to B2C Service using their B2C Service credentials, and will see an access denied message if they try to do so. Possible reasons for the denial are displayed in the message, including that the account belongs to a profile that allows logins only through single sign-on.
  • The profile’s CP Promote, CP Stage, and CP Edit permissions are disabled and cannot be selected when the SSO Login (SAML 2.0) permission is selected. In addition, staff members using the profile cannot deploy the customer portal. For more information about Customer Portal permission options, see Assign Permissions for Customer Portal.
  • The staff members cannot edit development pages in WebDAV because WebDAV authentication requires a user name and password.
  • Agents associated with a profile that has the SSO Login (SAML 2.0) permission selected cannot use their user name and password for SOAP API authentication.
  • The password options on the Staff Accounts editor are disabled; therefore, passwords cannot be modified for staff members with profiles that have the SSO Login (SAML 2.0) permission enabled. See Add or Edit a Staff Account.