Configure SSO with OpenID Connect

You can configure Oracle Identity Cloud Service to provide single sign-on (SSO) for Oracle Commerce applications using OpenID Connect.

This section applies to both Open Storefront Framework (OSF) and Storefront Classic.

Before you begin, you will need the following:

  • An Oracle Commerce account with authorization rights to configure federated authentication.
  • An Oracle Identity Cloud Service account with authorization rights to manage applications and users (Identity Domain Administrator or Application Administrator).

IDCS must be configured to require multi-factor authentication (MFA) logins for users that can access the Oracle Commerce administration interface, to meet the requirements of PCI.

Configure Oracle Commerce in Oracle Identity Cloud Service

This section describes how to register and activate the Oracle Commerce administration and agent applications in Oracle Identity Cloud Service. You can then assign users or groups to these Oracle Commerce applications.

Register and activate the Oracle Commerce administration application

  1. In the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
  2. Click Confidential Application.
  3. Enter the name: Oracle CX Commerce Admin
  4. Verify that the Display in My Apps checkbox is selected, and then click Next.
  5. Click Configure this application as a client now.
  6. For Allowed Grant Types, check Resource Owner, Client Credentials, Refresh Token, and Authorization Code.
  7. For Redirect URL, enter: https://<admin-server>/occs-admin/sso-login.jsp
  8. For Logout URL, enter: https://<admin-server>/occs-admin/sso-logout.jsp
  9. For Post Logout Redirect URL, enter: https://<admin-server>/occs-admin
  10. In the Token Issuance Policy section, under Authorized Resources, select Specific.
  11. Under Grant the client access to Identity Cloud Service Admin APIs, click Add, and add Identity Domain Administrator.
  12. Click Next.
  13. Under Expose APIs to Other Applications, select Configure this application as a resource server now.
  14. For Primary Audience, enter: https://<admin-server>/occs-admin
  15. Click Next.
  16. Under Authorization, check Enforce Grants as Authorization.
  17. Click Finish. Oracle Identity Cloud Service should display a confirmation message.

Register and activate the Oracle Commerce agent application

  1. In the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
  2. Click Confidential Application.
  3. Enter the name: Oracle CX Commerce Agent
  4. Verify that the Display in My Apps checkbox is selected, and then click Next.
  5. Click Configure this application as a client now.
  6. For Allowed Grant Types, check Resource Owner, Client Credentials, Refresh Token, and Authorization Code.
  7. For Redirect URL, enter: https://<agent-server>/occs-agent/sso-login.jsp
  8. For Logout URL, enter: https://<agent-server>/occs-agent/sso-logout.jsp
  9. For Post Logout Redirect URL, enter: https://<agent-server>/occs-agent
  10. In the Token Issuance Policy section, under Authorized Resources, select Specific.
  11. Under Grant the client access to Identity Cloud Service Admin APIs, click Add, and add Identity Domain Administrator.
  12. Click Next.
  13. Click Next.
  14. Under Authorization, check Enforce Grants as Authorization.
  15. Click Finish. Oracle Identity Cloud Service should display a confirmation message.

Configure OpenID Connect SSO for Oracle Commerce

This section describes how to configure SSO in Oracle Commerce applications with Oracle Identity Cloud Service.

Configure an identity provider

  1. Log in as an administrator at: https://<commerce-admin-domain>/occs-admin/#/adminLogin

    This is a special login path that allows your primary administrator direct access to the Oracle Commerce administration interface even when SSO is enabled, so that edits can be made to the SSO settings. This login requires multi-factor authentication.

  2. Click the menu icon and select Settings.
  3. On the Settings page, click the Oracle Integrations section.
  4. Select IDCS from the popup menu.

    If IDCS is not available as an option on this menu, contact your Oracle representative.

  5. For IDP Base URL, enter the URL of your IDCS instance.
  6. For Admin App Client ID, enter the Client ID of the Oracle Commerce administration application you set up in IDCS. (You can find this value on the Configuration Page, under General Information.)
  7. For Admin App Client Secret, enter the Client Secret for the Oracle Commerce administration application from IDCS. (Click Show Secret to reveal this value.)
  8. For Agent App Client ID, enter the Client ID of the Oracle Commerce agent application you set up in IDCS. (You can find this value on the Configuration Page, under General Information.)
  9. For Agent App Client Secret, enter the Client Secret for the Oracle Commerce agent application from IDCS. (Click Show Secret to reveal this value.)
  10. Click Save to save your changes, then log out.

Use IDCS OAuth 2 application keys with Oracle Commerce

OpenID Connect SSO supports the use of IDCS OAuth 2 application keys with Oracle Commerce, to simplify integration with other Oracle applications. To set up an OAuth 2 application key:

  • Create a Confidential Client.
  • Under Allowed Grant Types, select Client Credentials.
  • Under Authorized Resources, select Specific.
  • Under Add Scope, select Oracle CX Commerce Admin. For the scope, enter: https://<commerce-URL>/occs-admin/auth/appid.full_control

An application with this scope will have access to both the Admin and Agent APIs.
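The following is an added example, not code from Oracle's documentation or product. It builds the client-credentials token request for the application key described above and inspects the claims of the token that comes back before the token is used against the Commerce APIs. It assumes a placeholder Commerce host for <commerce-URL>, the scope suffix and Primary Audience given on this page, and that /oauth2/v1/token is the IDCS token endpoint.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Placeholder host standing in for <commerce-URL>; the scope suffix is the one from this page.
COMMERCE_ADMIN_AUDIENCE = "https://commerce.example.com/occs-admin"
APPID_SCOPE = COMMERCE_ADMIN_AUDIENCE + "/auth/appid.full_control"


def build_token_request(idcs_base_url, client_id, client_secret):
    """Return (url, headers, body) for the IDCS client-credentials token request.
    The secret goes in the HTTP Basic header, never in the query string."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": APPID_SCOPE})
    return idcs_base_url.rstrip("/") + "/oauth2/v1/token", headers, body  # IDCS token endpoint


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Constructed, unsigned sample token; only for exercising the checker offline."""
    return _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(claims).encode()) + "."


def check_commerce_token(access_token, now=None):
    """Inspect the claims of an access token before it is used against the Commerce
    APIs. Returns a list of problems (empty = looks right). Claims only: the signature
    must still be verified against the IDCS JWKS."""
    now = time.time() if now is None else now
    part = access_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if COMMERCE_ADMIN_AUDIENCE not in aud:
        problems.append("aud does not include the Commerce admin Primary Audience")
    scopes = claims.get("scope", "").split()
    if not any(s.endswith("/auth/appid.full_control") for s in scopes):
        problems.append("appid.full_control scope is missing")
    if any(s.startswith("urn:opc:idm:") for s in scopes):  # IDCS admin API scope prefix
        problems.append("token also carries IDCS admin API scopes; narrow the client")
    return problems
```

A client that only needs Commerce access should receive a token whose scope is limited to appid.full_control; the last check flags a client that was also granted IDCS admin API access.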

Verify the integration

This section describes how to verify that SSO and single log-out (SLO) work when initiated from Oracle Identity Cloud Service (identity provider initiated SSO and SLO) and from Oracle Commerce (service provider initiated SSO and SLO).

Verify identity provider initiated SSO

  1. Access the Oracle Identity Cloud Service My Console at: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole
  2. Log in using credentials for a user that is assigned to the Oracle Commerce agent and administration applications. (Oracle Identity Cloud Service displays a shortcut to Oracle Commerce applications under My Apps.)
  3. Click the Oracle Commerce agent application. The Oracle Commerce agent home page appears.
  4. On the home page, verify that the logged-in user is the same for both Oracle Commerce and Oracle Identity Cloud Service. This confirms that SSO that is initiated from Oracle Identity Cloud Service is working.

Verify service provider initiated SSO

  1. Access Oracle Commerce at: <siteurl>/occs-admin

    You will be redirected to the Oracle Identity Cloud Service Sign In page.

  2. Log in using credentials for a user that is assigned to the Oracle Commerce administration application. The Oracle Commerce administration home page appears.
  3. On the Oracle Commerce administration home page, verify that the logged-in user is the same for both Oracle Commerce and Oracle Identity Cloud Service. This confirms that SSO initiated from Oracle Commerce administration is working.

If the user can access only the dashboard page in Oracle Commerce administration after logging in, your Commerce Administrator will need to add the appropriate roles in the administration interface. By default, new users have dashboard access only.
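As an added example (not Oracle's code), the function below checks the redirect that an unauthenticated request to /occs-admin produces in the service provider initiated flow, confirming it is an Authorization Code request for the registered admin application. It assumes the final hop of the redirect chain is the IDCS authorize endpoint /oauth2/v1/authorize and uses placeholder values for the IDP Base URL, Admin App Client ID and Redirect URL.

```python
from urllib.parse import parse_qs, urlsplit

# Placeholders: replace with your IDCS instance URL, the Client ID from IDCS and
# the Redirect URL registered for the administration application.
IDCS_BASE_URL = "https://idcs-example.identity.oraclecloud.com"
ADMIN_CLIENT_ID = "admin-client-id-placeholder"
ADMIN_REDIRECT_URL = "https://admin.example.com/occs-admin/sso-login.jsp"


def check_authorize_redirect(status, location):
    """Validate the redirect Commerce issues for an unauthenticated /occs-admin
    request (status code and Location header of the last hop). Returns a list of
    findings; empty means the OIDC authorization request is well formed and
    addressed to the registered client."""
    if status not in (302, 303):
        return [f"expected a redirect, got HTTP {status}"]
    findings = []
    url = urlsplit(location)
    if f"{url.scheme}://{url.netloc}" != IDCS_BASE_URL:
        findings.append("redirect does not go to the configured IDP Base URL")
    if url.path != "/oauth2/v1/authorize":
        findings.append("redirect is not the IDCS authorize endpoint")
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    if q.get("response_type") != "code":
        findings.append("Authorization Code flow not used")
    if q.get("client_id") != ADMIN_CLIENT_ID:
        findings.append("client_id is not the registered admin application")
    if q.get("redirect_uri") != ADMIN_REDIRECT_URL:
        findings.append("redirect_uri differs from the registered Redirect URL")
    if "openid" not in q.get("scope", "").split():
        findings.append("openid scope missing: this is not an OpenID Connect request")
    if len(q.get("state", "")) < 16:
        findings.append("state parameter missing or too short to protect the login")
    return findings
```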

Verify identity provider initiated SLO

  1. On the Oracle Identity Cloud Service home page, click the user name in the upper-right corner, and then select Sign Out from the drop-down list.
  2. Access the user profile in Oracle Commerce, and verify that the login page appears. This confirms that SLO is working and that the user is no longer logged in to Oracle Commerce and Oracle Identity Cloud Service.

Verify service provider initiated SLO

  1. On the Oracle Commerce administration interface or agent console, click the user icon in the upper-right corner, and then select Logout from the drop-down list.
  2. Click OK at the confirmation message that displays.
  3. Access the Oracle Identity Cloud Service My Console, and then confirm that the login page appears. This confirms that SLO is working and that the user is no longer logged in to Oracle Commerce and Oracle Identity Cloud Service.

Troubleshoot the integration

Oracle Identity Cloud Service may display the following message:

"You are not authorized to access the app. Contact your system administrator."

The two most likely causes are:

  • An administrator revoked the user's access at the same time the user tried to access Oracle Commerce through Oracle Identity Cloud Service. If this happens, access the Oracle Identity Cloud Service administration console, select Applications, Oracle CX Commerce Admin (or Oracle CX Commerce Agent), Users, and then click Assign to re-assign the user.
  • The OpenID Connect integration between Oracle Identity Cloud Service and Oracle Commerce has been deactivated. In this case, access the Oracle Identity Cloud Service administration console, select Applications, Oracle CX Commerce Admin, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

For other issues, contact your Oracle representative.