You are on page 1of 17

12

Copyright 2007, Oracle. All rights reserved.


Module 12: Securing Access to the
Application
Siebel 8.0 Essentials
2 of 17
Copyright 2007, Oracle. All rights reserved.
Module Objectives
After completing this module you should be able to:
Describe the types of user authentication supported by Siebel
applications
Explain the role of the security adapter
Describe Single Sign On (SSO) security and how it differs from
other authentication methods

Why you need to know:
You must understand the security mechanisms in order to be able
to implement them
3 of 17
Copyright 2007, Oracle. All rights reserved.
Siebel Application Security
Siebel applications are secured at several levels:
Data visibility and view access should be restricted so users see
only the appropriate views and data
Subject of previous module
Access to the application should be restricted to authorized users
Subject of this module
Communication between architecture components may need to be
secured
Subject of subsequent module
4 of 17
Copyright 2007, Oracle. All rights reserved.
Authentication
Is the process of validating a users identity
Verifies the identity of users before they gain access to a Siebel
application
Typically consists of collecting a set of user credentials such as
user ID and password and comparing them to pre-stored values
5 of 17
Copyright 2007, Oracle. All rights reserved.
Supported Authentication Methods
Siebel applications support authentication by either the Siebel
servers or the Web server:
Siebel security adapters are software programs that allow Siebel
servers to authenticate users
Single Sign On (SSO) allows the Web server to authenticate users
Siebel Web Server Extension performs authentication check
Security adapter is still involved in verifying the trust token passed to
it by the Web server
6 of 17
Copyright 2007, Oracle. All rights reserved.
Siebel Security Adapters
A security adapter is a piece of software that connects to an
authentication service
Implemented as part of the Application Object Manager (AOM)





Credentials
Siebel Object
Manager
SWSE
Web
Server
Browser
Security
Adapter
Authentication
Service
1. User
provides
credentials
in browser
3. Security adapter authenticates
credentials using authentication service
2. Credentials are passed
through Web server to
AOM. Web server does
not check the credentials
7 of 17
Copyright 2007, Oracle. All rights reserved.
Authentication Services
Siebel applications support multiple authentication services:
Database authentication
Lightweight Database Authentication Protocol (LDAP)
Active Directory Services Interface (ADSI)
Custom authentication using the Siebel Security Adapter Software
Developers Kit (SSASDK)
Creating custom security adapters is beyond the scope of this course
Refer to the Siebel Security Adapter SDK in Bookshelf




Siebel Object
Manager
Security
Adapter
Authentication
Service
8 of 17
Copyright 2007, Oracle. All rights reserved.
Credentials
Database Authentication
Users are authenticated against the
underlying database
The database Security Adapter is the
default for Siebel applications


Siebel Object Manager
SWSE
Web
Server
Browser
Siebel
Database
Connect using DB account
1. User
provides
name and
password
2. Password may be hashed to
prevent direct database access
3. Connect to database using user ID
and (possibly hashed) password.
RDBMS performs authentication
Security
Adapter
Hash password
9 of 17
Copyright 2007, Oracle. All rights reserved.
Database Authentication Considerations
Does not require additional infrastructure components such as
directory servers
Uses a separate database login for each user
Requires ongoing support from a database administrator
May support account policies based on those of the RDBMS
Password expiration
Password syntax
Account lockout
Supports minimal user self-management
User cannot perform self-management without being granted
direct access to the database server
10 of 17
Copyright 2007, Oracle. All rights reserved.
Directory Server Authentication
Users are authenticated against an
external directory service
The directory service contains the
users credentials and administrative
information
A single reserved database login is
typically used for all users


Credentials
Siebel Object
Manager
SWSE
Web
Server
Browser
Connect using DB account
Security
Adapter
Authentication
Service
Login
Retrieve
reserved DB
Account
Directory
1. User
provides
information
3. Connect
to database
2. Verify
credentials
Siebel
Database
11 of 17
Copyright 2007, Oracle. All rights reserved.
Directory Service Considerations
Reduces administrative overhead
Eliminates maintenance of a separate database login for each user
Allows Web users to self-register and maintain login information
Allows automated creation of users from User Administration view
Allows external delegated administration of users
Allows credentials store to be shared across multiple
applications
May support account policies based on those of the directory
service
Password expiration
Password syntax
Account lockout

12 of 17
Copyright 2007, Oracle. All rights reserved.
Single Sign On
Web Server provides credentials to
third-party service
Security Adapter looks up and
retrieves Siebel user ID, DB
account based on identity key from
external source
Authenticated User ID
and Trust Token
Siebel Object
Manager
SWSE
Web Server
Browser
Connect Using DB Account
Security
Adapter
Authentication
Service
Login
Directory
5. Connects
to database
2. Verifies
credentials
Siebel
Database
User Credentials
1. User
provides
information
3. Passes
authenticated
user ID and
trust token
Retrieves
Siebel user ID
and DB
account
4. Verifies
trust token
and collects
user ID
13 of 17
Copyright 2007, Oracle. All rights reserved.
Single Sign On Considerations
Allows users to access multiple applications without any further
login
For example, Windows Integrated Authentication allows users to
access Siebel applications directly once they have logged in to
their Windows accounts
Uses credentials that are collected and verified by the Web
server
Management of authentication can be performed from a single
centralized location
Requires the use of a trust token
Secret value shared by the Web server and Object Manager
Allows Siebel applications to be deployed into existing Web
sites and portals
14 of 17
Copyright 2007, Oracle. All rights reserved.
Single Sign On Considerations Continued
Some Siebel User Administration features that are not available
using SSO should be disabled for consistency, for example:
User self-registration
Delegated administration of users
Change password
Requires synchronization of users between the Siebel
application and the external authentication system
15 of 17
Copyright 2007, Oracle. All rights reserved.
Comparing Authentication Methods
Database
Authentication
Directory Service
Authentication
Single Sign On
Requires additional
infrastructure
No Yes Yes
Supports account
policies such as
password expiration
Depends on
RDBMS
Depends on
directory service
Depends on
directory service
Supports user self-
management
No Yes No
Allows creation of
users from within the
Siebel application
No Yes No
Allows using same
credentials across
multiple applications
No Yes Yes
Allows single sign-on
No No Yes
Allows external
management of
users
No Yes Yes
16 of 17
Copyright 2007, Oracle. All rights reserved.
Module Highlights
Siebel applications support three mechanisms for authenticating
users:
Database authentication is the default; the Siebel Server passes
the authentication information to the RDBMS for authentication
Directory Service authentication uses a directory service such as
LDAP or ADSI to perform the authentication; the Siebel Server
passes the authentication information to the directory service
Single Sign On uses a directory service at the Web server level to
allow single sign-on to multiple applications; the Siebel Web
Server passes the authentication information to the directory
service and passes the returned trust token to the Siebel Server


17 of 17
Copyright 2007, Oracle. All rights reserved.


Lab
In the lab you will:
Create a database account for a new user

You might also like