To enable additional security, organizations can enable the Single Sign On (SSO) authentication method. This method allows users to authenticate with multiple applications, including IBM Sterling Order Management, by using their enterprise credentials. IBM Sterling Order Management allows business users to use their IBMid credentials as a single sign-on to access IBM Sterling Order Management web applications (Sterling Business Center, Sterling Call Center, Store Engagement, or Sterling Field Sales) and web-based tools (HTTP API Tester, DB Query Client, and HTTP REST XAPI Tester).
IBM Order Management provides Service Provider Initiated Authentication, which is a two-step login process. Most business users prefer a simplified single-step sign-on process to access IBM applications. This article explains how to use an Identity Provider based authentication process to enable a single-step sign-on process.
Accessing the IBM web applications and cloud services
An organization can use federated authentication to access IBM web applications and cloud services. As a result, an organization can use its own login page and security controls to secure access to IBM Cloud Apps or IBM Services.
IBM Sterling Order Management supports both Service Provider Initiated (SP based) and Identity Provider Initiated (IdP) authentication.
Identity Provider Initiated SSO
Log on to the Identity Provider’s SSO page (Microsoft Active Directory, LastPass, Okta, or OneLogin) and then go to the IBM Sterling Order Management application. This option provides an enhanced user experience because users only have to provide their IBMid once.
Service Provider Initiated SSO
Users log on to the IBMid login page, which sends an authorization request to the Identity Provider (Microsoft Active Directory, LastPass, Okta, or OneLogin). After the IdP authenticates the user’s identity, the user goes to the IBM Sterling Order Management application.
Note: You can avoid the IBM Sterling Order Management application logon page. For information, see Linking an IBMid to an IBM Sterling Order Management user.
Enabling Identity Provider Initiated Authentication (with Microsoft Active Directory Federation service ADFS)
Follow these steps:
Step 1. Enable IdP Initiated Signon Page at ADFS
By default, ADFS has the IdP Initiated Signon Page property set to FALSE. Set this value to TRUE (see ADFS IdP-Initiated Sign On).
Step 2. Enable IdP Initiated Relay State
ADFS 2.0 can consume RelayState in order to redirect the user to the relying party application. RelayState is a parameter used by some SAML protocol implementations to identify the specific resource at the resource provider in an IdP-initiated SSO.
Use a URL similar to the following example for IdP-initiated SSO. It is built from three parts:
- The ADFS server name plus the idpinitiatedSignOn page
- RPID: the Entity ID from IDaaS (IBMid Production). It is consumed by the STS that receives the RelayState along with a SAMLResponse and identifies the relying party trust that the STS selects automatically, so the user does not have to select a relying party trust interactively.
- RelayState: where users are redirected after they are authenticated (IBM Order Management).
ADFS recommends that the RPID and RelayState values are URL-encoded.
This is the URL with the values decoded: https://sts.xyz.com/adfs/ls/idpinitiatedSignOn.aspx?RelayState=RPID=https://idaas.iam.ibm.com/idaas/mtfim/sps/idaas/saml20&RelayState=https://oms.xyz.com/ws
For additional information, see Identity Provider Initiated RelayState.
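The following PowerShell is an added example and is not part of the IBM article or the ADFS documentation. It shows steps 1 and 2 together: switching on the IdP-initiated sign-on page and RelayState support (using the Set-AdfsProperties cmdlets of ADFS on Windows Server 2016 or later; ADFS 2.0 configured RelayState in web.config instead, so the cmdlet names are an assumption about your ADFS version), and then building the double-encoded IdP-initiated URL from the three parts listed above. The host names sts.xyz.com and oms.xyz.com are the article's own placeholders; the New-IdpInitiatedUrl function and its allowlist parameter are hypothetical helpers written for this example.

```powershell
# Added example (not from the IBM article): enable IdP-initiated sign-on and RelayState
# on an ADFS farm (Windows Server 2016 or later cmdlets; ADFS 2.0 uses web.config instead),
# then build the double-encoded IdP-initiated URL for the values shown in the article.
# Host names (sts.xyz.com, oms.xyz.com) are the article's placeholders, not real systems.

# Step 1: turn on the IdP-initiated sign-on page (defaults to $false).
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

# Step 2: allow ADFS to honour RelayState on the IdP-initiated sign-on page.
Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true

# Confirm both properties took effect before handing the link to users.
Get-AdfsProperties | Select-Object EnableIdpInitiatedSignonPage, EnableRelayStateForIdpInitiatedSignOn

function New-IdpInitiatedUrl {
    param(
        [Parameter(Mandatory)] [string] $AdfsHost,     # e.g. sts.xyz.com
        [Parameter(Mandatory)] [string] $Rpid,         # relying party Entity ID (IDaaS / IBMid)
        [Parameter(Mandatory)] [string] $Target,       # where the user lands after authentication
        [string[]] $AllowedTargetHosts = @()           # hypothetical allowlist for the redirect target
    )

    # Refuse targets outside the allowlist so a published sign-on link can only ever
    # send users to the Order Management hosts you intend.
    $targetHost = ([uri] $Target).Host
    if ($AllowedTargetHosts.Count -gt 0 -and $AllowedTargetHosts -notcontains $targetHost) {
        throw "Target host '$targetHost' is not in the allowed list."
    }

    # Inner value: RPID=<encoded rpid>&RelayState=<encoded target>.
    # EscapeDataString encodes ':', '/', '=' and '&', so the inner '=' and '&' survive.
    $inner = 'RPID=' + [uri]::EscapeDataString($Rpid) +
             '&RelayState=' + [uri]::EscapeDataString($Target)

    # The whole inner string is encoded once more as the outer RelayState query value,
    # which is the double encoding ADFS expects.
    return "https://$AdfsHost/adfs/ls/idpinitiatedSignOn.aspx?RelayState=" +
           [uri]::EscapeDataString($inner)
}

# Build the link for the decoded values quoted in the article.
$url = New-IdpInitiatedUrl -AdfsHost 'sts.xyz.com' `
    -Rpid   'https://idaas.iam.ibm.com/idaas/mtfim/sps/idaas/saml20' `
    -Target 'https://oms.xyz.com/ws' `
    -AllowedTargetHosts @('oms.xyz.com')
$url
```

Decoding the printed link twice yields the plain URL shown in the text; if the outer RelayState is only encoded once, ADFS reads the inner `&RelayState=` as a second query parameter and the redirect to Order Management fails.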
Order Management user: user1 with Contact Email (email@example.com)