Configure SSO with SAML 2.0

You can configure Oracle Identity Cloud Service to provide single sign-on (SSO) for Oracle Commerce applications using SAML 2.0.

This section applies to both Open Storefront Framework (OSF) and Storefront Classic.

Before you begin, you will need the following:

  • An Oracle Commerce account with authorization rights to configure federated authentication.
  • An Oracle Identity Cloud Service account with authorization rights to manage applications and users (Identity Domain Administrator or Application Administrator).
  • Identity provider metadata. Use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata

IDCS must be configured to require multi-factor authentication (MFA) logins for users that can access the Oracle Commerce administration interface, to meet the requirements of PCI.

Note: SAML 2.0 SSO does not support using IDCS OAuth 2 application keys with Oracle Commerce. If you want to use IDCS OAuth 2 application keys, use OpenID Connect SSO instead.

Configure SAML 2.0 SSO for Oracle Commerce

This section describes how to configure SSO in Oracle Commerce apps with Oracle Identity Cloud Service.

Configure an identity provider

  1. Log in as an administrator at: https://<commerce-admin-domain>/occs-admin/#/adminLogin

    This is a special login path that allows your primary administrator direct access to the Oracle Commerce administration interface even when SSO is enabled, so that edits can be made to the SSO settings. This login requires multi-factor authentication.

  2. Click the menu icon and select Settings.
  3. On the Settings page, click the Oracle Integrations section.
  4. Select IDCS from the popup menu.

    If IDCS is not available as an option on this menu, contact your Oracle representative.

  5. Upload the identity provider metadata file (see above).
  6. Log out.

Configure Oracle Commerce in Oracle Identity Cloud Service

This section describes how to register and activate the Oracle Commerce applications. You can then assign users or groups to these applications.

Register and activate the Oracle Commerce administration application

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
  2. Click SAML Application.
  3. Enter the name: Oracle CX Commerce Admin
  4. Verify that the Display in My Apps checkbox is selected, and then click Next.
  5. For Entity ID, enter: https://<commerce-admin-domain>/occs-admin
  6. For Assertion Consumer URL, enter: https://<commerce-admin-domain>/occs-admin/sso-login.jsp
  7. For NameID Format, use: Persistent
  8. For NameID Value, use: User Name
  9. Open Advanced Settings.
  10. For Signed SSO, use: Assertion
  11. For Signature Hashing Algorithm, use: SHA-256
  12. Select Enable Single Logout.
  13. For Logout Binding, use: POST
  14. For Single Logout URL, enter: https://<commerce-admin-domain>/occs-admin/sso-logout.jsp
  15. For Logout Response URL, enter: https://<commerce-admin-domain>/occs-admin
  16. Open Attribute Configuration.
  17. Add the following attributes:
    Name        Format    Type             Value
    uid         Basic     User Attribute   User Name
    email       Basic     User Attribute   Primary Email
    firstName   Basic     User Attribute   First Name
    lastName    Basic     User Attribute   Last Name

Now click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Register and activate the Oracle Commerce agent application

  1. In the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
  2. Click SAML Application.
  3. Enter the name: Oracle CX Commerce Agent
  4. Verify that the Display in My Apps checkbox is selected, and then click Next.
  5. For Entity ID, enter: https://<commerce-agent-domain>/occs-agent
  6. For Assertion Consumer URL, enter: https://<commerce-agent-domain>/occs-agent/sso-login.jsp
  7. For NameID Format, use: Persistent
  8. For NameID Value, use: User Name
  9. Open Advanced Settings.
  10. For Signed SSO, use: Assertion
  11. For Signature Hashing Algorithm, use: SHA-256
  12. Select Enable Single Logout.
  13. For Logout Binding, use: POST
  14. For Single Logout URL, enter: https://<commerce-agent-domain>/occs-agent/sso-logout.jsp
  15. For Logout Response URL, enter: https://<commerce-agent-domain>/occs-agent
  16. Open Attribute Configuration.
  17. Add the following attributes:
    Name        Format    Type             Value
    uid         Basic     User Attribute   User Name
    email       Basic     User Attribute   Primary Email
    firstName   Basic     User Attribute   First Name
    lastName    Basic     User Attribute   Last Name

Now click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.
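The two registrations above share the same settings apart from the domain and path. As an added check that is not part of the Oracle documentation, the following Python script verifies that a SAML Response received at either assertion consumer URL is consistent with what was registered; the hostname shop.example.com and the sample response are constructed, and signature cryptography itself is not verified.

```python
# Added example, not Oracle's code: check that a SAML Response delivered to an Oracle
# Commerce assertion consumer URL matches the IDCS application settings registered above
# (Destination = ACS URL, Audience = Entity ID, persistent NameID, signed Assertion with
# SHA-256, attributes uid/email/firstName/lastName). Signature crypto is not verified.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
REQUIRED_ATTRS = {"uid", "email", "firstName", "lastName"}

def check_response(xml_text, entity_id, acs_url):
    # Returns the list of mismatches; an empty list means the response is consistent.
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    if root.get("Destination") != acs_url:
        problems.append("Destination != ACS URL")
    if assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != entity_id:
        problems.append("Audience != Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    info = assertion.find("ds:Signature/ds:SignedInfo", NS)  # "Signed SSO: Assertion"
    if info is None:
        problems.append("Assertion is not signed")
    else:
        for path, alg, label in (("ds:SignatureMethod", RSA_SHA256, "signature"),
                                 ("ds:Reference/ds:DigestMethod", SHA256, "digest")):
            node = info.find(path, NS)
            if node is None or node.get("Algorithm") != alg:
                problems.append(label + " algorithm is not SHA-256")
    names = {a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    for name in sorted(REQUIRED_ATTRS - names):
        problems.append("missing attribute " + name)
    return problems

# Constructed sample (placeholder host): signed with SHA-256, but Audience is the agent Entity ID and lastName is missing.
SAMPLE = ("<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol' xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'"
          " xmlns:ds='http://www.w3.org/2000/09/xmldsig#' Destination='https://shop.example.com/occs-admin/sso-login.jsp'>"
          "<saml:Assertion><ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm='" + RSA_SHA256 + "'/><ds:Reference>"
          "<ds:DigestMethod Algorithm='" + SHA256 + "'/></ds:Reference></ds:SignedInfo></ds:Signature><saml:Subject>"
          "<saml:NameID Format='" + PERSISTENT + "'>jdoe</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>"
          "<saml:Audience>https://shop.example.com/occs-agent</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
          "<saml:AttributeStatement><saml:Attribute Name='uid'/><saml:Attribute Name='email'/><saml:Attribute Name='firstName'/>"
          "</saml:AttributeStatement></saml:Assertion></samlp:Response>")
```

Run `check_response(SAMPLE, "https://shop.example.com/occs-admin", "https://shop.example.com/occs-admin/sso-login.jsp")` to see the two mismatches the sample was built to trigger.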

Verify the integration

This section describes how to verify that SSO and single log-out (SLO) work when initiated from Oracle Identity Cloud Service (identity provider initiated SSO and SLO) and from Oracle Commerce (service provider initiated SSO and SLO).

Verify identity provider initiated SSO

  1. Access the Oracle Identity Cloud Service My Console at: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole
  2. Log in using credentials for a user that is assigned to the Oracle Commerce agent and administration applications. (Oracle Identity Cloud Service displays a shortcut to Oracle Commerce applications under My Apps).
  3. Click the Oracle Commerce agent application. The Oracle Commerce agent home page appears.
  4. On the home page, verify that the logged-in user is the same for both Oracle Commerce and Oracle Identity Cloud Service. This confirms that SSO that is initiated from Oracle Identity Cloud Service is working.

Verify service provider initiated SSO

  1. Access Oracle Commerce at: https://<commerce-admin-domain>/occs-admin

    You will be redirected to the Oracle Identity Cloud Service Sign In page.

  2. Log in using credentials for a user that is assigned to the Oracle Commerce administration application. The Oracle Commerce administration home page appears.
  3. On the Oracle Commerce administration home page, verify that the logged-in user is the same for both Oracle Commerce and Oracle Identity Cloud Service. This confirms that SSO initiated from Oracle Commerce administration is working.

If the user can access only the dashboard page in Oracle Commerce administration after logging in, your Commerce Administrator will need to add the appropriate roles in the administration interface. By default, new users have dashboard access only.

Verify identity provider initiated SLO

  1. On the Oracle Identity Cloud Service home page, click the user name in the upper-right corner, and then select Sign Out from the drop-down list.
  2. Access the user profile in Oracle Commerce, and verify that the login page appears. This confirms that SLO is working and that the user is no longer logged in to Oracle Commerce and Oracle Identity Cloud Service.

Verify service provider initiated SLO

  1. On the Oracle Commerce administration interface or agent console, click the user icon in the upper-right corner, and then select Logout from the drop-down list.
  2. Click OK at the confirmation message that appears.
  3. Access the Oracle Identity Cloud Service My Console, and then confirm that the login page appears. This confirms that SLO is working and that the user is no longer logged in to Oracle Commerce and Oracle Identity Cloud Service.

Troubleshooting

Oracle Identity Cloud Service may display the following message:

"You are not authorized to access the app. Contact your system administrator."

The two most likely causes are:

  • The administrator revoked access for the user at the same time the user tried to access Oracle Commerce using Oracle Identity Cloud Service. If this happens, access the Oracle Identity Cloud Service administration console, select Applications, Oracle CX Commerce Admin (or Oracle CX Commerce Agent), Users, and then click Assign to re-assign the user.
  • The SAML 2.0 integration between the Oracle Identity Cloud Service and Oracle Commerce has been deactivated. In this case, access the Oracle Identity Cloud Service administration console, select Applications, Oracle CX Commerce Admin (or Oracle CX Commerce Agent), click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

For other issues, contact your Oracle representative.