
Siebel 8.0 Essentials

Module 12: Securing Access to the Application

Copyright 2007, Oracle. All rights reserved.

Module Objectives

After completing this module you should be able to:

- Describe the types of user authentication supported by Siebel applications
- Explain the role of the security adapter
- Describe Single Sign On (SSO) security and how it differs from other authentication methods

Why you need to know:

- You must understand the security mechanisms in order to be able to implement them


Siebel Application Security

Siebel applications are secured at several levels:

- Data visibility and view access should be restricted so users see only the appropriate views and data (subject of the previous module)
- Access to the application should be restricted to authorized users (subject of this module)
- Communication between architecture components may need to be secured (subject of a subsequent module)


Authentication
- Is the process of validating a user's identity
- Verifies the identity of users before they gain access to a Siebel application
- Typically consists of collecting a set of user credentials, such as user ID and password, and comparing them to pre-stored values


Supported Authentication Methods

Siebel applications support authentication by either the Siebel servers or the Web server:

- Siebel security adapters are software programs that allow Siebel servers to authenticate users
- Single Sign On (SSO) allows the Web server to authenticate users
  - The Siebel Web Server Extension (SWSE) performs the authentication check
  - The security adapter is still involved: it verifies the trust token passed to it by the Web server


Siebel Security Adapters

A security adapter is a piece of software that connects to an authentication service

- Implemented as part of the Application Object Manager (AOM)

1. User provides credentials in the browser
2. Credentials are passed through the Web server to the AOM; the Web server does not check the credentials
3. The security adapter authenticates the credentials using the authentication service

[Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager (Security Adapter) -> Authentication Service; the credentials travel along this path]

Authentication Services

Siebel applications support multiple authentication services:

- Database authentication
- Lightweight Directory Access Protocol (LDAP)
- Active Directory Services Interface (ADSI)
- Custom authentication using the Siebel Security Adapter Software Developers Kit (SSASDK)

Creating custom security adapters is beyond the scope of this course; refer to the Siebel Security Adapter SDK in Bookshelf

[Diagram: Siebel Object Manager -> Security Adapter -> Authentication Service]


Database Authentication

- Users are authenticated against the underlying database
- The database security adapter is the default for Siebel applications

1. User provides name and password
2. Password may be hashed to prevent direct database access
3. Connect to the database using the user ID and (possibly hashed) password; the RDBMS performs the authentication

[Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager (hashes password; Security Adapter) -> Siebel Database, connecting with the user's DB account]

Database Authentication Considerations

- Does not require additional infrastructure components such as directory servers
- Uses a separate database login for each user
  - Requires ongoing support from a database administrator
- May support account policies based on those of the RDBMS
  - Password expiration
  - Password syntax
  - Account lockout
- Supports minimal user self-management
  - User cannot perform self-management without being granted direct access to the database server


Directory Server Authentication

- Users are authenticated against an external directory service
- The directory service contains the users' credentials and administrative information
- A single reserved database login is typically used for all users

1. User provides information
2. The security adapter verifies the credentials against the directory (the authentication service)
3. The security adapter retrieves the reserved DB account from the directory and connects to the database with it

[Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager (Security Adapter) -> Directory (verify credentials, retrieve reserved DB account) -> Siebel Database]


Directory Service Considerations

- Reduces administrative overhead
  - Eliminates maintenance of a separate database login for each user
  - Allows Web users to self-register and maintain login information
  - Allows automated creation of users from the User Administration view
  - Allows external delegated administration of users
- Allows the credentials store to be shared across multiple applications
- May support account policies based on those of the directory service
  - Password expiration
  - Password syntax
  - Account lockout


Single Sign On

- The Web server provides the user's credentials to a third-party authentication service
- The security adapter looks up and retrieves the Siebel user ID and DB account based on an identity key from the external source

1. User provides information
2. The authentication service verifies the credentials
3. The Web server (SWSE) passes the authenticated user ID and trust token to the Siebel Object Manager
4. The security adapter verifies the trust token and collects the user ID
5. The security adapter retrieves the Siebel user ID and DB account from the directory and connects to the database using that DB account

[Diagram: Browser -(user credentials)-> Web Server (SWSE) -(authenticated user ID and trust token)-> Siebel Object Manager (Security Adapter) -> Directory and Siebel Database]

Single Sign On Considerations

- Allows users to access multiple applications without any further login
  - For example, Windows Integrated Authentication allows users to access Siebel applications directly once they have logged in to their Windows accounts
- Uses credentials that are collected and verified by the Web server
  - Management of authentication can be performed from a single centralized location
- Requires the use of a trust token
  - Secret value shared by the Web server and Object Manager
- Allows Siebel applications to be deployed into existing Web sites and portals
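The following is an added illustration, not Siebel code: a toy model of the SSO handoff described on the Single Sign On slide, in which the security adapter accepts the Web server's authenticated user ID only when the accompanying trust token matches the shared secret and the identity key resolves to a provisioned Siebel user ID and DB account. The secret, identity keys and directory entries are constructed for the example.

```python
"""Toy model of the SWSE -> Object Manager trust-token handoff (added example).
Not Siebel's implementation; every name, secret and directory entry is constructed."""
import hmac
from dataclasses import dataclass
from typing import Optional

# Shared secret configured on both the Web server and the Object Manager (constructed value).
TRUST_TOKEN = "example-shared-secret-not-real"

# Stand-in for the external directory: identity key -> (Siebel user ID, reserved DB account).
DIRECTORY = {
    "CORP\\jsmith": ("JSMITH", "SIEBEL_APP_ACCT"),
    "CORP\\alee": ("ALEE", "SIEBEL_APP_ACCT"),
}


@dataclass
class LoginDecision:
    accepted: bool
    siebel_user_id: Optional[str] = None
    db_account: Optional[str] = None
    reason: str = ""


def swse_handoff(identity_key: str, token: str) -> LoginDecision:
    """Step 4 of the slide: trust the Web server's assertion only if the token matches,
    then resolve the identity key. Step 5 (connecting with the DB account) is left to the caller."""
    # Constant-time comparison so a mismatch cannot be distinguished by timing.
    if not hmac.compare_digest(token.encode(), TRUST_TOKEN.encode()):
        return LoginDecision(False, reason="trust token mismatch")
    entry = DIRECTORY.get(identity_key)
    if entry is None:
        # Authenticated at the Web server but unknown to Siebel: the user synchronization
        # the considerations slide calls for has not happened for this identity.
        return LoginDecision(False, reason="identity key not provisioned in Siebel")
    user_id, db_account = entry
    return LoginDecision(True, user_id, db_account, "ok")


if __name__ == "__main__":
    print(swse_handoff("CORP\\jsmith", TRUST_TOKEN))   # accepted
    print(swse_handoff("CORP\\jsmith", "wrong-token")) # rejected: token mismatch
    print(swse_handoff("CORP\\nobody", TRUST_TOKEN))   # rejected: not provisioned
```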


Single Sign On Considerations Continued

- Some Siebel User Administration features that are not available using SSO should be disabled for consistency, for example:
  - User self-registration
  - Delegated administration of users
  - Change password
- Requires synchronization of users between the Siebel application and the external authentication system


Comparing Authentication Methods

                                                            | Database Authentication | Directory Service Authentication | Single Sign On
Requires additional infrastructure                          | No                      | Yes                              | Yes
Supports account policies such as password expiration       | Depends on RDBMS        | Depends on directory service     | Depends on directory service
Supports user self-management                               | No                      | Yes                              | No
Allows creation of users from within the Siebel application | No                      | Yes                              | No
Allows using same credentials across multiple applications  | No                      | Yes                              | Yes
Allows single sign-on                                       | No                      | No                               | Yes
Allows external management of users                         | No                      | Yes                              | Yes


Module Highlights

Siebel applications support three mechanisms for authenticating users:

- Database authentication is the default; the Siebel Server passes the authentication information to the RDBMS for authentication
- Directory Service authentication uses a directory service such as LDAP or ADSI to perform the authentication; the Siebel Server passes the authentication information to the directory service
- Single Sign On uses a directory service at the Web server level to allow single sign-on to multiple applications; the Siebel Web Server passes the authentication information to the directory service and passes the returned trust token to the Siebel Server


Lab

In the lab you will:

- Create a database account for a new user
