OpenID Connect Single Sign-On Configuration
When implementing SSO using OpenID Connect, you must complete the following configurations.
Define the Redirect for Single Logout
When configuring SSO along with single logout (SLO), a redirect URL must be configured. This URL determines where customers are redirected to after the logout process is completed. If configured incorrectly, the logout process can produce an error or redirect the customers to an unintended location.
The redirect URL can be configured using the Post Logout Redirect URL parameter within the Oracle Identity and Access Management application created for Digital Self Service - Transactions, as well as the logoutPath value, which can be defined by Oracle Utilities. Oracle Utilities recommends defining both values to redirect to the same location, which provides the most consistent behavior for customers. Oracle Utilities also recommends redirecting customers to the main Overview page of the Digital Self Service - Transactions web portal. Refer to Configuring the Identity System below, which includes steps to define the Post Logout Redirect URL and to provide an applicable logoutPath value to Oracle Utilities so that customers are redirected to the Overview page.
Configuring the Identity System
Configuration steps may differ depending on your identity system. The following steps cover configuration with Oracle Identity and Access Management:
- Create a "Confidential Application" with the following definitions:
- Application Name: Provide a descriptive name for the application.
- Authorization: Within the Allowed Grant Types area, select both Client Credentials and Authorization Code.
- Redirect URL: This URL must direct users to the appropriate location that hosts Digital Self Service - Transactions content. The Redirect URL format is as follows:
https://[fqdn]/webcenter/edge/apis/identity-management-v1/cws/v1/auth/[utilityCode]/sso/login/callback
where:
fqdn is the fully qualified domain name of your Digital Self Service - Transactions web portal.
utilityCode is a three- or four-character code that identifies the utility.
- Logout URL: Required if SLO is enabled. The URL must direct users to the appropriate location that hosts Digital Self Service - Transactions. The Logout URL format is as follows:
https://[fqdn]/webcenter/edge/apis/identity-management-v1/cws/v1/auth/[utilityCode]/sso/logout/external
where:
fqdn is the fully qualified domain name of your Digital Self Service - Transactions web portal.
utilityCode is a three- or four-character code that identifies the utility.
- Post Logout Redirect URL: Required if SLO is enabled. The URL must direct users to the appropriate location after they log out of Digital Self Service - Transactions. The Post Logout Redirect URL format is as follows:
https://[fqdn]/[location]
where:
fqdn is the fully qualified domain name of your Digital Self Service - Transactions web portal or other redirect resource.
location is the relative path to the location in the Digital Self Service - Transactions web portal, or other redirect resource, to redirect customers to. For example, a value of dss/overview redirects customers to the main Overview page of the Digital Self Service - Transactions web portal. For additional information on this resource, refer to Define the Redirect for Single Logout.
- Configure user groups if required:
- Create a separate user group.
- Assign the application created from the previous step to the new user group.
- When creating new users, assign them to this user group. This also includes the users in the Confidential Application.
- After configuration of the application is complete, provide Oracle Utilities with the following information from your configuration through a service request (to create a service request, see Contacting Your Delivery Team):
- The Client ID is a public identifier for the Digital Self Service - Transactions application.
- The Client Secret is the secret that matches the application's Client ID.
- The Identity and Access Management host, for example, https://[hostID].identity.preprod.oraclecloud.com/
- The logoutPath value, if single logout is configured and supported. To redirect to the recommended Overview page, the configuration can be requested as
/oauth2/v1/userlogout?post_logout_redirect_url=https://FQDN/dss/overview
where:
FQDN is the fully qualified domain name of your Digital Self Service - Transactions web portal.
- Post Logout Redirect URL: Required if SLO is enabled. The URL must direct users to the appropriate location after they log out of Digital Self Service - Transactions. The Post Logout Redirect URL format is as follows:
https://[fqdn]/[location]
where:
fqdn is the fully qualified domain name of your Digital Self Service - Transactions web portal or other redirect resource.
location is the relative path to the location in the Digital Self Service - Transactions web portal, or other redirect resource, to redirect customers to.
- The web user accounts to be used for end-to-end testing.
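The following added example (not Oracle's code) derives the Redirect URL, Logout URL, Post Logout Redirect URL and logoutPath from the fqdn, utilityCode and location values described above, then checks that the Post Logout Redirect URL and the logoutPath target agree and stay on the portal host, which is the consistency this page recommends. The URL templates are the ones given on this page; the host and utility code used in the sample are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# URL templates as given in the configuration steps on this page.
LOGIN_CALLBACK = ("https://{fqdn}/webcenter/edge/apis/identity-management-v1"
                  "/cws/v1/auth/{utility}/sso/login/callback")
LOGOUT_EXTERNAL = ("https://{fqdn}/webcenter/edge/apis/identity-management-v1"
                   "/cws/v1/auth/{utility}/sso/logout/external")
LOGOUT_PATH = "/oauth2/v1/userlogout?post_logout_redirect_url={target}"


def build_config(fqdn, utility_code, location="dss/overview"):
    """Derive the values the page asks for; location defaults to the recommended Overview page."""
    if not (3 <= len(utility_code) <= 4) or not utility_code.isalnum():
        raise ValueError("utilityCode must be a three- or four-character code")
    target = f"https://{fqdn}/{location.strip('/')}"
    return {
        "redirect_url": LOGIN_CALLBACK.format(fqdn=fqdn, utility=utility_code),
        "logout_url": LOGOUT_EXTERNAL.format(fqdn=fqdn, utility=utility_code),
        "post_logout_redirect_url": target,
        "logoutPath": LOGOUT_PATH.format(target=target),
    }


def check_logout_consistency(post_logout_redirect_url, logout_path, fqdn):
    """Return a list of problems; an empty list means both logout targets agree and stay on the portal."""
    problems = []
    query = parse_qs(urlsplit(logout_path).query)
    target = query.get("post_logout_redirect_url", [None])[0]
    if target is None:
        return ["logoutPath has no post_logout_redirect_url parameter"]
    for name, url in (("Post Logout Redirect URL", post_logout_redirect_url),
                      ("logoutPath target", target)):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{name} is not https")
        # A target off the portal host is the "unintended location" the page warns about.
        if parts.hostname != fqdn.lower():
            problems.append(f"{name} points at {parts.hostname!r}, not the portal {fqdn!r}")
    if post_logout_redirect_url.rstrip("/") != target.rstrip("/"):
        problems.append("Post Logout Redirect URL and logoutPath target differ")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    cfg = build_config("portal.example.com", "ABC")
    for key, value in cfg.items():
        print(f"{key}: {value}")
    print("problems:", check_logout_consistency(cfg["post_logout_redirect_url"],
                                               cfg["logoutPath"], "portal.example.com"))
```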