12 Securing Access to the Application


8/13/2019 12 Securing Access to the Application

    Copyright 2007, Oracle. All rights reserved.

    Module 12: Securing Access to the Application

    Siebel 8.0 Essentials

    Authentication

    Is the process of validating a user's identity

    Verifies the identity of users before they gain access to a Siebel application

    Typically consists of collecting a set of user credentials, such as a user ID and password, and comparing them to pre-stored values

    Siebel Security Adapters

    A security adapter is a piece of software that connects to an authentication service

    Implemented as part of the Application Object Manager (AOM)

    [Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager -> Security Adapter -> Authentication Service; the credentials flow from left to right]

    1. User provides credentials in the browser
    2. Credentials are passed through the Web server to the AOM. The Web server does not check the credentials
    3. Security adapter authenticates the credentials using the authentication service

    Authentication Services

    Siebel applications support multiple authentication services:

        Database authentication
        Lightweight Directory Access Protocol (LDAP)
        Active Directory Service Interfaces (ADSI)
        Custom authentication using the Siebel Security Adapter Software Developers Kit (SSASDK)

    Creating custom security adapters is beyond the scope of this course

        Refer to the Siebel Security Adapter SDK in Bookshelf

    [Diagram: Siebel Object Manager -> Security Adapter -> Authentication Service]

    Database Authentication

    Users are authenticated against the underlying database

    The database security adapter is the default for Siebel applications

    [Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager -> Security Adapter (hashes the password) -> Siebel Database; the adapter connects using the DB account]

    1. User provides name and password
    2. Password may be hashed to prevent direct database access
    3. Connect to the database using the user ID and (possibly hashed) password. The RDBMS performs the authentication
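The three steps above, modelled as an added example (not Siebel code and not from the course): a constructed in-memory stand-in for the RDBMS, and a database security adapter that transforms the password before connecting. The slide only says the password "may be hashed" and does not name the algorithm, so SHA-256 is assumed here purely to show the mechanism; the user name and passwords are constructed. The point the example makes is the one in step 2: because the per-user database login is created with the hashed value, the password the user types into the browser does not work for a direct database connection.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def hash_password(password: str) -> str:
    """Derive the value the database login is created with.

    Assumption: Siebel's actual hash is not described on the slide; SHA-256
    is used here only to illustrate the transformation.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class FakeRdbms:
    """Constructed stand-in for the RDBMS that performs the authentication."""
    logins: dict = field(default_factory=dict)  # login name -> expected password

    def create_login(self, user_id: str, db_password: str) -> None:
        self.logins[user_id] = db_password

    def connect(self, user_id: str, db_password: str) -> bool:
        expected = self.logins.get(user_id)
        if expected is None:
            return False
        # Constant-time comparison; a real RDBMS does its own check.
        return hmac.compare_digest(expected.encode(), db_password.encode())


class DatabaseSecurityAdapter:
    """Models steps 2 and 3 of the slide: transform, then let the RDBMS decide."""

    def __init__(self, rdbms: FakeRdbms, hash_passwords: bool = True) -> None:
        self.rdbms = rdbms
        self.hash_passwords = hash_passwords

    def db_credential(self, password: str) -> str:
        return hash_password(password) if self.hash_passwords else password

    def provision(self, user_id: str, password: str) -> None:
        # The per-user database login is created with the transformed value,
        # never with the password the user will type into the browser.
        self.rdbms.create_login(user_id, self.db_credential(password))

    def authenticate(self, user_id: str, password: str) -> bool:
        # Step 1 happened in the browser and the Web server forwarded the
        # credentials unchecked; step 2 transforms, step 3 connects.
        return self.rdbms.connect(user_id, self.db_credential(password))


def demo(hash_passwords: bool = True) -> dict:
    """Compare the adapter path with a direct connection using the app password."""
    rdbms = FakeRdbms()
    adapter = DatabaseSecurityAdapter(rdbms, hash_passwords=hash_passwords)
    adapter.provision("JSMITH", "Welcome1")  # constructed user and password
    return {
        "adapter_correct_password": adapter.authenticate("JSMITH", "Welcome1"),
        "adapter_wrong_password": adapter.authenticate("JSMITH", "Welcome2"),
        "adapter_unknown_user": adapter.authenticate("NOBODY", "Welcome1"),
        # With hashing on, the login was created with the hash, so the
        # browser password alone does not open a direct database session.
        "direct_with_app_password": rdbms.connect("JSMITH", "Welcome1"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running `demo(hash_passwords=False)` shows the contrast: without the transformation the same "Welcome1" opens a direct RDBMS connection, which is exactly the access that step 2 on the slide is there to prevent.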

    Database Authentication Considerations

    Does not require additional infrastructure components such as directory servers

    Uses a separate database login for each user

        Requires ongoing support from a database administrator

    May support account policies based on those of the RDBMS

        Password expiration
        Password syntax
        Account lockout

    Supports minimal user self-management

        Users cannot perform self-management without being granted direct access to the database server

    Directory Server Authentication

    Users are authenticated against an external directory service

    The directory service contains the users' credentials and administrative information

    A single reserved database login is typically used for all users

    [Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager -> Security Adapter -> Authentication Service -> Directory; the adapter logs in to the directory, retrieves the reserved DB account, and connects to the Siebel Database using that account]

    1. User provides information
    2. Verify credentials
    3. Connect to database

    Directory Service Considerations

    Reduces administrative overhead

        Eliminates maintenance of a separate database login for each user
        Allows Web users to self-register and maintain login information
        Allows automated creation of users from the User Administration view
        Allows external delegated administration of users

    Allows the credentials store to be shared across multiple applications

    May support account policies based on those of the directory service

        Password expiration
        Password syntax
        Account lockout

    Single Sign On

    Web Server provides credentials to a third-party service

    Security Adapter looks up and retrieves the Siebel user ID and DB account based on the identity key from the external source

    [Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager -> Security Adapter -> Authentication Service -> Directory; the Web server sends the user credentials to the authentication service and passes the authenticated user ID and trust token to the Object Manager; the adapter retrieves the Siebel user ID and DB account from the directory and connects to the Siebel Database using that account]

    1. User provides information
    2. Verifies credentials
    3. Passes authenticated user ID and trust token
    4. Verifies trust token and collects user ID
    5. Connects to database
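The two directory-backed flows, Directory Server Authentication (previous slide) and Single Sign On (this slide), as one added example that is not Siebel code and not from the course. A constructed in-memory directory holds, per identity key, the user's credential, the Siebel user ID and the single reserved DB account; the directory adapter verifies the password itself, while the SSO adapter never sees a password and accepts the user ID forwarded by the Web server only when the trust token (the secret shared by the Web server and the Object Manager) matches. Directory contents, the token value and the account names are constructed; connecting to the database with the returned account is left out.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

Result = Optional[Tuple[str, Tuple[str, str]]]  # (Siebel user ID, (DB login, DB password))


@dataclass(frozen=True)
class DirectoryEntry:
    password: str                # constructed; a real directory holds a hashed credential
    siebel_user_id: str          # the login the Siebel application knows the user by
    db_account: Tuple[str, str]  # the reserved database login shared by all users


# Constructed directory contents keyed by identity key (the directory login).
RESERVED_DB_ACCOUNT = ("SIEBEL_APP_USER", "reserved-db-password")  # constructed
DIRECTORY = {
    "jsmith": DirectoryEntry("Welcome1", "JSMITH", RESERVED_DB_ACCOUNT),
    "akumar": DirectoryEntry("Passw0rd", "AKUMAR", RESERVED_DB_ACCOUNT),
}


def _same(a: str, b: str) -> bool:
    """Constant-time comparison for secrets (passwords, trust token)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class DirectoryServiceAdapter:
    """Directory Server Authentication: the adapter verifies the credentials
    against the directory (step 2), then retrieves the reserved DB account
    it will connect with (step 3)."""

    def authenticate(self, login: str, password: str) -> Result:
        entry = DIRECTORY.get(login)
        if entry is None or not _same(entry.password, password):
            return None
        return entry.siebel_user_id, entry.db_account


class SsoSecurityAdapter:
    """Single Sign On: the Web server already verified the user (steps 2-3).
    The adapter accepts the forwarded identity only with a matching trust
    token (step 4) and then looks up the Siebel user ID and DB account."""

    def __init__(self, trust_token: str) -> None:
        self.trust_token = trust_token  # shared with the Web server

    def authenticate(self, identity_key: str, presented_token: Optional[str]) -> Result:
        if presented_token is None or not _same(self.trust_token, presented_token):
            return None  # a forwarded user ID without the right token is ignored
        entry = DIRECTORY.get(identity_key)
        if entry is None:
            return None  # authenticated externally but not synchronized into the directory
        return entry.siebel_user_id, entry.db_account


def demo() -> dict:
    directory_adapter = DirectoryServiceAdapter()
    sso_adapter = SsoSecurityAdapter(trust_token="constructed-shared-secret")
    return {
        "dir_ok": directory_adapter.authenticate("jsmith", "Welcome1"),
        "dir_bad_password": directory_adapter.authenticate("jsmith", "nope"),
        "sso_ok": sso_adapter.authenticate("akumar", "constructed-shared-secret"),
        "sso_no_token": sso_adapter.authenticate("akumar", None),
        "sso_wrong_token": sso_adapter.authenticate("akumar", "guess"),
        "sso_unsynced_user": sso_adapter.authenticate("ghost", "constructed-shared-secret"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last case is the synchronization requirement from the next slides: an identity the Web server vouches for but that has no entry on the Siebel side yields no session, so users must exist in both systems.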

    Single Sign On Considerations

    Allows users to access multiple applications without any further login

        For example, Windows Integrated Authentication allows users to access Siebel applications directly once they have logged in to their Windows accounts

    Uses credentials that are collected and verified by the Web server

        Management of authentication can be performed from a single centralized location

    Requires the use of a trust token

        Secret value shared by the Web server and Object Manager

    Allows Siebel applications to be deployed into existing Web sites and portals

    Single Sign On Considerations (Continued)

    Some Siebel User Administration features that are not available using SSO should be disabled for consistency, for example:

        User self-registration
        Delegated administration of users
        Change password

    Requires synchronization of users between the Siebel application and the external authentication system

    Comparing Authentication Methods

    |                                                              | Database Authentication | Directory Service Authentication | Single Sign On               |
    |--------------------------------------------------------------|-------------------------|----------------------------------|------------------------------|
    | Requires additional infrastructure                           | No                      | Yes                              | Yes                          |
    | Supports account policies such as password expiration        | Depends on RDBMS        | Depends on directory service     | Depends on directory service |
    | Supports user self-management                                | No                      | Yes                              | No                           |
    | Allows creation of users from within the Siebel application  | No                      | Yes                              | No                           |
    | Allows using the same credentials across multiple applications | No                    | Yes                              | Yes                          |
    | Allows single sign-on                                        | No                      | No                               | Yes                          |
    | Allows external management of users                          | No                      | Yes                              | Yes                          |

    Module Highlights

    Siebel applications support three mechanisms for authenticating users:

        Database authentication is the default; the Siebel Server passes the authentication information to the RDBMS for authentication

        Directory Service authentication uses a directory service such as LDAP or ADSI to perform the authentication; the Siebel Server passes the authentication information to the directory service

        Single Sign On uses a directory service at the Web server level to allow single sign-on to multiple applications; the Siebel Web Server passes the authentication information to the directory service and passes the returned trust token to the Siebel Server

    Lab

    In the lab you will:

        Create a database account for a new user