Configure SSO with SAML 2.0
You can configure Oracle Identity Cloud Service to provide single sign-on (SSO) for Retail Digital Commerce applications using SAML 2.0.
This section applies to Open Storefront Framework (OSF).
Before you begin, you will need the following:
- A Retail Digital Commerce account with authorization rights to configure federated authentication.
- An Oracle Identity Cloud Service account with authorization rights to manage applications and users (Identity Domain Administrator or Application Administrator).
- Identity provider metadata. Use the following URL to access the metadata:
https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata
IDCS must be configured to require multi-factor authentication (MFA) at login for every user who can access the Retail Digital Commerce administration interface, to meet PCI requirements.
Note:
SAML 2.0 SSO does not support using IDCS OAuth 2 application keys with Retail Digital Commerce. If you want to use IDCS OAuth 2 application keys, use OpenID Connect SSO instead.
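Before uploading the metadata, it is worth confirming that the document actually contains what the service provider needs: an entityID, at least one signing certificate (record its fingerprint so you can tell when the certificate later changes), and single sign-on and single logout endpoints for the bindings configured below. The following Python script is an added example, not part of the Oracle documentation. It uses only the standard library; SAMPLE_METADATA, its idcs-example host name and the certificate bytes are constructed for illustration and are not real IDCS data.

```python
"""Sanity-check IDCS identity provider metadata before uploading it.

Parses a SAML 2.0 IdP metadata document with the standard library only,
reports the entity ID, SSO/SLO endpoints and the SHA-256 fingerprint of each
signing certificate, and flags what the integration on this page cannot work
without. SAMPLE_METADATA is constructed for this example; the certificate
bytes are placeholder data, not an IDCS certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample; a real document is fetched from
# https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata
FAKE_CERT_DER = b"constructed placeholder certificate bytes"
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idcs-example.identity.oraclecloud.com:443/fed">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{POST}"
        Location="https://idcs-example.identity.oraclecloud.com/fed/v1/idp/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idcs-example.identity.oraclecloud.com/fed/v1/idp/sso"/>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://idcs-example.identity.oraclecloud.com/fed/v1/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Extract the fields an SP integrator needs to confirm from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP metadata document (no IDPSSODescriptor)")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # use="signing", or no use attribute at all, both cover signing
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.append(hashlib.sha256(der).hexdigest())

    return {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "sso": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleSignOnService", NS)},
        "slo": {e.get("Binding"): e.get("Location")
                for e in idp.findall("md:SingleLogoutService", NS)},
        "nameid_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha256": certs,
    }


def check_idp_metadata(info):
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate: assertions could not be verified")
    if POST not in info["sso"] and REDIRECT not in info["sso"]:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    if POST not in info["slo"]:
        problems.append("no HTTP-POST SingleLogoutService (this page uses the POST logout binding)")
    for loc in list(info["sso"].values()) + list(info["slo"].values()):
        if not loc.startswith("https://"):
            problems.append(f"endpoint is not https: {loc}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("problems:", check_idp_metadata(info) or "none")
```

Run it against the file you downloaded (`parse_idp_metadata(open("metadata.xml").read())`) and keep the printed certificate fingerprint with your change records; when a later login starts failing with signature errors, comparing the fingerprint in the current metadata against the recorded one tells you immediately whether the IdP certificate changed.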
Configure SAML 2.0 SSO for Retail Digital Commerce
This section describes how to configure SSO in Retail Digital Commerce apps with Oracle Identity Cloud Service.
Configure an identity provider
- Log in as an administrator at:
https://<Oracle-Retail-Digital-Commerce-admin-domain>/occs-admin/#/adminLogin
This is a special login path that allows your primary administrator direct access to the Retail Digital Commerce administration interface even when SSO is enabled, so that edits can be made to the SSO settings. This login requires multi-factor authentication.
- Click the menu icon and select Settings.
- On the Settings page, click the Oracle Integrations section.
- Select IDCS from the popup menu.
If IDCS is not available as an option on this menu, contact your Oracle representative.
- Upload the identity provider metadata file (see above).
- Log out.
Configure Retail Digital Commerce in Oracle Identity Cloud Service
This section describes how to register and activate the Retail Digital Commerce applications. You can then assign users or groups to these applications.
Register and activate the Retail Digital Commerce administration application
- Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
- Click SAML Application.
- Enter the name: Oracle Retail Digital Commerce Admin.
- Verify that the Display in My Apps checkbox is selected, and then click Next.
- For Entity ID, enter:
https://<Oracle-Retail-Digital-Commerce-admin-domain>/occs-admin
- For Assertion Consumer URL, enter:
https://<Oracle-Retail-Digital-Commerce-admin-domain>/occs-admin/sso-login.jsp
- For NameID Format, use: Persistent
- For NameID Value, use: User Name
- Open Advanced Settings.
- For Signed SSO, use: Assertion
- For Signature Hashing Algorithm, use: SHA-256
- Select Enable Single Logout.
- For Logout Binding, use: POST
- For Single Logout URL, enter:
https://<Oracle-Retail-Digital-Commerce-admin-domain>/occs-admin/sso-logout.jsp
- For Logout Response URL, enter:
https://<Oracle-Retail-Digital-Commerce-admin-domain>/occs-admin
- Open Attribute Configuration.
- Add the following attributes:
| Name | Format | Type | Value |
|---|---|---|---|
| uid | Basic | User Attribute | User Name |
| | Basic | User Attribute | Primary Email |
| firstName | Basic | User Attribute | First Name |
| lastName | Basic | User Attribute | Last Name |
Now click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.
Register and activate the Oracle Retail Digital Commerce agent application
- In the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
- Click SAML Application.
- Enter the name: Oracle Retail Digital Commerce Agent.
- Verify that the Display in My Apps checkbox is selected, and then click Next.
- For Entity ID, enter:
https://<Oracle-Retail-Digital-Commerce-agent-domain>/occs-agent
- For Assertion Consumer URL, enter:
https://<Oracle-Retail-Digital-Commerce-agent-domain>/occs-agent/sso-login.jsp
- For NameID Format, use: Persistent
- For NameID Value, use: User Name
- Open Advanced Settings.
- For Signed SSO, use: Assertion
- For Signature Hashing Algorithm, use: SHA-256
- Select Enable Single Logout.
- For Logout Binding, use: POST
- For Single Logout URL, enter:
https://<Oracle-Retail-Digital-Commerce-agent-domain>/occs-agent/sso-logout.jsp
- For Logout Response URL, enter:
https://<Oracle-Retail-Digital-Commerce-agent-domain>/occs-agent
- Open Attribute Configuration.
- Add the following attributes:
| Name | Format | Type | Value |
|---|---|---|---|
| uid | Basic | User Attribute | User Name |
| | Basic | User Attribute | Primary Email |
| firstName | Basic | User Attribute | First Name |
| lastName | Basic | User Attribute | Last Name |
Now click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.
Verify the Integration
This section describes how to verify that SSO and single logout (SLO) work when initiated from Oracle Identity Cloud Service (identity provider initiated SSO and SLO) and from Retail Digital Commerce (service provider initiated SSO and SLO).
Verify identity provider initiated SSO
- Access the Oracle Identity Cloud Service My Console at:
https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole
- Log in using credentials for a user that is assigned to the Retail Digital Commerce agent and administration applications. (Oracle Identity Cloud Service displays a shortcut to the Retail Digital Commerce applications under My Apps.)
- Click the Retail Digital Commerce agent application. The Retail Digital Commerce agent home page appears.
- On the home page, verify that the logged-in user is the same for both Retail Digital Commerce and Oracle Identity Cloud Service. This confirms that SSO that is initiated from Oracle Identity Cloud Service is working.
Verify service provider initiated SSO
- Access Retail Digital Commerce at:
https://<commerce-admin-domain>/occs-admin
You will be redirected to the Oracle Identity Cloud Service Sign In page.
- Log in using credentials for a user that is assigned to the Retail Digital Commerce administration application. The Retail Digital Commerce administration home page appears.
- On the Retail Digital Commerce administration home page, verify that the logged-in user is the same for both Retail Digital Commerce and Oracle Identity Cloud Service. This confirms that SSO initiated from Oracle Retail Digital Commerce administration is working.
If the user can access only the dashboard page in Retail Digital Commerce administration after logging in, your Retail Digital Commerce Administrator will need to add the appropriate roles in the administration interface. By default, new users have dashboard access only.
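If the service provider initiated login bounces back to the IDCS sign-in page or ends in an error, the quickest check is to read the SAMLResponse that IDCS posted to the Assertion Consumer URL and compare it with the values entered in the application registration above: a typo in the Entity ID shows up as an Audience mismatch, a wrong Assertion Consumer URL as a Recipient mismatch, and a server clock that is off as an expired or not-yet-valid assertion. The following Python script is an added example, not part of the Oracle documentation. The sample response, the EXPECTED values, the idcs-example host and the example.com domains are constructed for illustration; the script checks the assertion's contents only and does not verify the XML signature, which needs a canonicalising XML-DSig library.

```python
"""Triage a captured SAMLResponse against the values configured above.

Copy the SAMLResponse form field that the browser posts to
.../occs-admin/sso-login.jsp from the developer tools, then check the fields
that most often break the integration: Issuer, Audience (the SP Entity ID),
Recipient (the Assertion Consumer URL), NameID format, validity window,
signature algorithm and the attributes listed on this page. The XML signature
is not verified here. SAMPLE_RESPONSE_XML and EXPECTED are constructed.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Placeholder values; substitute what you entered in IDCS. The email
# attribute is left out because this page does not give its SAML name.
EXPECTED = {
    "idp_entity_id": "https://idcs-example.identity.oraclecloud.com:443/fed",
    "sp_entity_id": "https://admin.example.com/occs-admin",
    "acs_url": "https://admin.example.com/occs-admin/sso-login.jsp",
    "attributes": {"uid", "firstName", "lastName"},
}

# Constructed sample; a real response carries a complete ds:Signature.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
    Destination="{EXPECTED['acs_url']}">
  <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED['acs_url']}" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED['sp_entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(b64, expected, now=None):
    """Return a list of findings; an empty list means the response matches `expected`."""
    current = _ts(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no plaintext Assertion (encrypted assertions are not handled here)"]
    findings = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("status is not Success")
    if a.findtext("saml:Issuer", namespaces=NS) != expected["idp_entity_id"]:
        findings.append("assertion Issuer does not match the IdP entity ID")
    audiences = [e.text for e in a.findall(".//saml:Audience", NS)]
    if expected["sp_entity_id"] not in audiences:
        findings.append(f"Audience {audiences} does not contain the SP Entity ID")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        findings.append("Recipient does not match the Assertion Consumer URL")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != PERSISTENT:
        findings.append("NameID Format is not persistent")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and current < _ts(cond.get("NotBefore")):
            findings.append("assertion not yet valid (check clock skew)")
        if cond.get("NotOnOrAfter") and current >= _ts(cond.get("NotOnOrAfter")):
            findings.append("assertion expired (clock skew or a replayed response)")
    sig = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None:
        findings.append("assertion is not signed (Signed SSO must be set to Assertion)")
    elif sig.get("Algorithm") != RSA_SHA256:
        findings.append(f"signature algorithm {sig.get('Algorithm')} is not RSA-SHA256")
    missing = expected["attributes"] - {e.get("Name") for e in a.findall(".//saml:Attribute", NS)}
    if missing:
        findings.append(f"missing attributes: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_SAML_RESPONSE, EXPECTED, "2024-05-01T12:01:00Z") or "OK")
```

Pass the captured SAMLResponse string as the first argument and leave `now` unset to check against the current time. The function returns every mismatch at once rather than stopping at the first, which is what you want when comparing a response against freshly typed settings, and the missing-attribute and signature-algorithm findings map directly onto the Attribute Configuration and Advanced Settings sections of the IDCS application.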
Verify identity provider initiated SLO
- On the Oracle Identity Cloud Service home page, click the user name in the upper-right corner, and then select Sign Out from the drop-down list.
- Access the user profile in Retail Digital Commerce, and verify that the login page appears. This confirms that SLO is working and that the user is no longer logged in to Retail Digital Commerce and Oracle Identity Cloud Service.
Verify service provider initiated SLO
- On the Retail Digital Commerce administration interface or agent console, click the user icon in the upper-right corner, and then select Logout from the drop-down list.
- Click OK at the confirmation message that displays.
- Access the Oracle Identity Cloud Service My Console, and then confirm that the login page appears. This confirms that SLO is working and that the user is no longer logged in to Retail Digital Commerce and Oracle Identity Cloud Service.
Troubleshooting
Oracle Identity Cloud Service may display the following message:
"You are not authorized to access the app. Contact your system administrator."
The two most likely causes are:
- The user's assignment to the application was revoked (for example, by an administrator at the same moment the user tried to access Retail Digital Commerce through Oracle Identity Cloud Service). If this happens, access the Oracle Identity Cloud Service administration console, select Applications, Oracle Retail Digital Commerce Admin (or Oracle Retail Digital Commerce Agent), Users, and then click Assign to re-assign the user.
- The SAML 2.0 integration between the Oracle Identity Cloud Service and Retail Digital Commerce has been deactivated. In this case, access the Oracle Identity Cloud Service administration console, select Applications, Oracle Retail Digital Commerce Admin (or Oracle Retail Digital Commerce Agent), click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.
For other issues, contact your Oracle representative.