Implement Single Sign-On for Your Storefront
By default, the Communications Open Storefront Framework provides Single Sign-On (SSO) access to Oracle Identity Cloud Service and to the reference storefront and self-care application on Oracle Commerce Cloud.
The SSO access facilitates the use of Oracle Commerce Cloud's secure routing feature for your application. Secure routing prevents users from accessing URLs they are not authorized for. For example, it prevents an anonymous user from accessing the /myAccount URL without first signing in. It also allows both anonymous and signed-in access to TMF APIs with the appropriate access tokens.
You can implement the default SSO for your storefront, or implement SSO using an external identity management tool. For information on implementing storefront SSO in OCC, see Related Topics.
Note that in the default SSO implementation, the communications storefront and self-care application is the service provider, while the Oracle Identity Cloud Service that provides authentication is the identity provider.
Understand the SSO Message Flow
The default SSO uses SAML (Security Assertion Markup Language) 2.0. SAML 2.0 supports a variety of message flows for authentication and authorization.
In the default SSO process, when an anonymous user creates an account during checkout, an account is automatically created in Oracle Identity Cloud Service. Once the user completes the order, Oracle Identity Cloud Service sends the user an email asking them to activate the account. Once the account is activated, the user can sign in using storefront SSO and access the account information.
Here's the SSO message flow for the communications storefront and self-care application. It shows the messages exchanged when a shopper signs in using SSO.
1. When the user clicks Sign In, the ssoLogin action is triggered.
2. The ssoLogin action calls the /ccstore/v1/samlAuthnRequest?encode=true endpoint to get the following:
   - authnRequestTarget: The identity provider SSO URL. For example, https://<your_IDCS_Instance>.com/fed/v1/idp/sso
   - authnRequest: The SAML 2.0 request conforming to the authentication request protocol.
3. The ssoLogin action submits an XHTML form to the identity provider SSO URL (authnRequestTarget) containing a SAMLRequest, which is authnRequest, and the RelayState, which is /myAccount.
4. The browser redirects the user to the identity provider login page.
5. After successful login, the identity provider redirects a POST request to the Assertion Consumer URL (https://<cc-store>/SAML/post) with a samlResponse and the RelayState as provided in step 3.
6. The myAccount page detects the samlResponse and triggers the OCC login action to generate an access token. In the reference application, you must manually generate the access token by using endpoints. For more information on generating access tokens, see the Use Server-Side Extensions chapter in this guide.
7. The access token is stored in the browser local storage and in a cookie. It expires in 15 minutes.
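As an added illustration (not code from the Open Storefront Framework or Oracle Commerce Cloud), the following Python sketches the service-provider side of steps 3 through 6: building the SAMLRequest form fields, restricting the RelayState to known routes, and checking a returned samlResponse before an access token is issued. The IdP URL, ACS URL, route list, and the unsigned sample response are assumed values constructed for the demo.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_SSO_URL = "https://idcs.example.com/fed/v1/idp/sso"  # assumed IdP SSO URL (authnRequestTarget)
ACS_URL = "https://cc-store.example.com/SAML/post"      # assumed Assertion Consumer URL
PROTECTED_ROUTES = {"/myAccount", "/orders"}            # assumed routes a shopper may be returned to
INSTANT = "%Y-%m-%dT%H:%M:%SZ"                          # SAML IssueInstant / Conditions format (UTC)

def build_authn_request(sp_entity_id, relay_state="/myAccount"):
    """Step 3: the form fields POSTed to the IdP, plus the request ID the SP must remember."""
    req_id = "_" + secrets.token_hex(16)
    issued = datetime.now(timezone.utc).strftime(INSTANT)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{issued}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{sp_entity_id}</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    return req_id, {"SAMLRequest": base64.b64encode(xml.encode()).decode(), "RelayState": relay_state}

def safe_relay_state(relay_state):
    """Step 5: only send the browser back to a known relative route, never to an arbitrary URL."""
    return relay_state if relay_state in PROTECTED_ROUTES else "/"

def sample_response(in_response_to, not_before, not_on_or_after, status=SUCCESS):
    """Constructed, unsigned Response for the demo; a real IdP response carries an XML signature."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
           f'InResponseTo="{in_response_to}" Destination="{ACS_URL}">'
           f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0"><saml:Conditions NotBefore="{not_before}" '
           f'NotOnOrAfter="{not_on_or_after}"/></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def check_response(saml_response_b64, expected_request_id, now):
    """Step 6 checks to run before the OCC login action mints an access token. Signature
    verification is assumed to be done by the SAML library and is not shown here."""
    parse = lambda s: datetime.strptime(s, INSTANT).replace(tzinfo=timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    cond = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Conditions")
    checks = [
        (root.get("InResponseTo") == expected_request_id, "InResponseTo does not match an AuthnRequest we issued"),
        (root.get("Destination") == ACS_URL, "Destination is not our Assertion Consumer URL"),
        (code is not None and code.get("Value") == SUCCESS, "status is not Success"),
        (cond is not None and parse(cond.get("NotBefore")) <= parse(now) < parse(cond.get("NotOnOrAfter")),
         "assertion is outside its NotBefore/NotOnOrAfter window"),
    ]
    return [msg for ok, msg in checks if not ok]
```

The returned problem list should be empty before the access token in step 7 is issued; any entry means the response must be rejected and the shopper sent back through step 1.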
However, there's a limitation in this SSO implementation. The sign-out doesn't log the user out of the identity provider. For more information on this limitation, see the Understand storefront SSO limitations topic in the Extending Oracle Commerce Cloud guide.