12 Securing Access to the Application
8/13/2019 12 Securing Access to the Application
Copyright 2007, Oracle. All rights reserved.
Module 12: Securing Access to the Application
Siebel 8.0 Essentials
-
Authentication
Is the process of validating a user's identity
Verifies the identity of users before they gain access to a Siebel application
Typically consists of collecting a set of user credentials, such as a user ID and password, and comparing them to pre-stored values
-
Siebel Security Adapters
A security adapter is a piece of software that connects to an authentication service
Implemented as part of the Application Object Manager (AOM)
[Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager -> Security Adapter -> Authentication Service; credentials flow left to right]
1. User provides credentials in browser
2. Credentials are passed through Web server to AOM. Web server does not check the credentials
3. Security adapter authenticates credentials using authentication service
-
Authentication Services
Siebel applications support multiple authentication services:
Database authentication
Lightweight Directory Access Protocol (LDAP)
Active Directory Services Interface (ADSI)
Custom authentication using the Siebel Security Adapter Software Developers Kit (SSASDK)
Creating custom security adapters is beyond the scope of this course
Refer to the Siebel Security Adapter SDK in Bookshelf
[Diagram: Siebel Object Manager -> Security Adapter -> Authentication Service]
-
Database Authentication
Users are authenticated against the underlying database
The database Security Adapter is the default for Siebel applications
[Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager (Security Adapter: hash password) -> Siebel Database, connect using DB account]
1. User provides name and password
2. Password may be hashed to prevent direct database access
3. Connect to database using user ID and (possibly hashed) password. RDBMS performs authentication
-
Database Authentication Considerations
Does not require additional infrastructure components such as directory servers
Uses a separate database login for each user
Requires ongoing support from a database administrator
May support account policies based on those of the RDBMS:
  Password expiration
  Password syntax
  Account lockout
Supports minimal user self-management
User cannot perform self-management without being granted direct access to the database server
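The following Python model is an added example written for this transcript; it is not Siebel code and does not reproduce Siebel's actual hashing. It plays out the database authentication slides above: the security adapter hashes the password the user typed (SHA-256 is an assumed stand-in for whatever "may be hashed" means in the product), creates one database login per user holding the hashed value, and then lets a toy RDBMS perform the authentication and enforce an assumed lockout policy. The user ID JSMITH, the password Welcome1 and the three-failure lockout threshold are constructed sample values. The point it shows is why the hashing matters: a client that knows the application password but bypasses the adapter presents the cleartext, which the RDBMS does not hold.

```python
import hashlib
import hmac

# Added illustration, not Siebel code: an in-memory stand-in for the RDBMS
# account table. In the slide's model the RDBMS performs the authentication
# and enforces its own account policies; here a tiny class plays that role,
# with a constructed lockout threshold of three consecutive failures.
class Rdbms:
    LOCKOUT_THRESHOLD = 3  # assumed policy value, for illustration only

    def __init__(self):
        self._logins = {}    # user_id -> stored credential (whatever the adapter sends)
        self._failures = {}  # user_id -> consecutive failed connect attempts

    def create_login(self, user_id: str, credential: str) -> None:
        """One database login per user (slide: 'separate database login for each user')."""
        self._logins[user_id] = credential
        self._failures[user_id] = 0

    def is_locked(self, user_id: str) -> bool:
        return self._failures.get(user_id, 0) >= self.LOCKOUT_THRESHOLD

    def connect(self, user_id: str, credential: str) -> bool:
        """Return True if the login exists, is not locked, and the credential matches."""
        if user_id not in self._logins or self.is_locked(user_id):
            return False
        # Constant-time comparison: a mismatch should not leak how many bytes matched.
        if hmac.compare_digest(self._logins[user_id].encode(), credential.encode()):
            self._failures[user_id] = 0
            return True
        self._failures[user_id] += 1
        return False


def hash_password(password: str) -> str:
    """One-way transform the adapter applies before connecting.

    SHA-256 is an assumption for illustration; the slide only says the password
    'may be hashed' and does not specify the algorithm Siebel uses.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class DatabaseSecurityAdapter:
    """Models steps 2 and 3 of the slide: hash the credential, then let the RDBMS decide."""

    def __init__(self, rdbms: Rdbms, hash_passwords: bool = True):
        self.rdbms = rdbms
        self.hash_passwords = hash_passwords

    def provision_user(self, user_id: str, password: str) -> None:
        # The DB login is created with the hashed value, so the value stored in the
        # RDBMS is never the password the user types into the browser.
        stored = hash_password(password) if self.hash_passwords else password
        self.rdbms.create_login(user_id, stored)

    def authenticate(self, user_id: str, password: str) -> bool:
        credential = hash_password(password) if self.hash_passwords else password
        return self.rdbms.connect(user_id, credential)


def demo() -> dict:
    """Constructed scenario: user JSMITH with password 'Welcome1' (sample values)."""
    db = Rdbms()
    adapter = DatabaseSecurityAdapter(db, hash_passwords=True)
    adapter.provision_user("JSMITH", "Welcome1")

    results = {
        # Normal path through the adapter succeeds.
        "via_adapter": adapter.authenticate("JSMITH", "Welcome1"),
        # A client that bypasses the adapter presents the cleartext password,
        # which the RDBMS does not hold, so the connection is refused.
        "direct_with_cleartext": db.connect("JSMITH", "Welcome1"),
        "wrong_password": adapter.authenticate("JSMITH", "guess"),
    }
    # Two failures so far; one more trips the assumed RDBMS lockout policy.
    for _ in range(3):
        adapter.authenticate("JSMITH", "guess")
    results["locked_after_failures"] = db.is_locked("JSMITH")
    # Even the correct password is refused while the login is locked.
    results["correct_password_while_locked"] = adapter.authenticate("JSMITH", "Welcome1")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the module prints one line per scenario. The model also makes the "ongoing support from a database administrator" point concrete: once the RDBMS has locked the login, nothing in the adapter can unlock it, because the policy lives in the database and not in the application.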
-
Directory Server Authentication
Users are authenticated against an external directory service
The directory service contains the user's credentials and administrative information
A single reserved database login is typically used for all users
[Diagram: Browser -> Web Server (SWSE) -> Siebel Object Manager (Security Adapter) -> Authentication Service / Directory (login, retrieve reserved DB account); Siebel Object Manager -> Siebel Database, connect using DB account]
1. User provides information
2. Verify credentials; retrieve reserved DB account
3. Connect to database
-
Directory Service Considerations
Reduces administrative overhead
Eliminates maintenance of a separate database login for each user
Allows Web users to self-register and maintain login information
Allows automated creation of users from User Administration view
Allows external delegated administration of users
Allows credentials store to be shared across multiple applications
May support account policies based on those of the directory service:
  Password expiration
  Password syntax
  Account lockout
-
Single Sign On
Web Server provides credentials to third-party service
Security Adapter looks up and retrieves Siebel user ID and DB account based on identity key from external source
[Diagram: Browser -> Web Server (SWSE) -> Authentication Service / Directory (login with user credentials); Web Server -> Siebel Object Manager (Security Adapter) with authenticated user ID and trust token; Security Adapter -> Directory (retrieves Siebel user ID and DB account); Siebel Object Manager -> Siebel Database, connect using DB account]
1. User provides information
2. Verifies credentials
3. Passes authenticated user ID and trust token
4. Verifies trust token and collects user ID; retrieves Siebel user ID and DB account
5. Connects to database
-
Single Sign On Considerations
Allows users to access multiple applications without any further login
For example, Windows Integrated Authentication allows users to access Siebel applications directly once they have logged in to their Windows accounts
Uses credentials that are collected and verified by the Web server
Management of authentication can be performed from a single centralized location
Requires the use of a trust token
  Secret value shared by the Web server and Object Manager
Allows Siebel applications to be deployed into existing Web sites and portals
-
Single Sign On Considerations Continued
Some Siebel User Administration features that are not available using SSO should be disabled for consistency, for example:
  User self-registration
  Delegated administration of users
  Change password
Requires synchronization of users between the Siebel application and the external authentication system
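The following Python model is an added example for this transcript, not Siebel code, and it covers both the directory server authentication slides and the single sign on slides, since both paths end in the same lookup of a Siebel user ID and the single reserved database account. In the directory path the security adapter verifies the password against the directory itself. In the SSO path the Web server verifies the user and forwards only the authenticated user ID plus the trust token, so the adapter's check becomes the token comparison: the secret shared by the Web server and the Object Manager is what stops any other caller from simply asserting a user ID. The in-memory Directory class, the reserved account name SIEBEL_APP, SHA-256 for directory password storage, the login jsmith / Welcome1 and the random trust token are all constructed for the example. The last scenario also illustrates the synchronization requirement from the slide above: a valid token for a login the directory does not know still yields no session.

```python
import hashlib
import hmac
import secrets

# Added illustration, not Siebel code. RESERVED_DB_ACCOUNT is an assumed name for
# the single reserved database login the slides say is shared by all users.
RESERVED_DB_ACCOUNT = "SIEBEL_APP"


def _digest(password: str) -> bytes:
    # Stand-in for however the directory stores credentials; SHA-256 is assumed.
    return hashlib.sha256(password.encode("utf-8")).digest()


class Directory:
    """Constructed in-memory stand-in for the LDAP/ADSI directory: it holds each
    login's credential plus the Siebel user ID the adapter will look up."""

    def __init__(self, entries):
        self._entries = {
            login: {"pw": _digest(password), "siebel_user_id": siebel_id}
            for login, password, siebel_id in entries
        }

    def verify(self, login: str, password: str) -> bool:
        entry = self._entries.get(login)
        return entry is not None and hmac.compare_digest(entry["pw"], _digest(password))

    def siebel_user_id(self, login: str):
        entry = self._entries.get(login)
        return None if entry is None else entry["siebel_user_id"]


class DirectorySecurityAdapter:
    """Runs inside the Object Manager and knows the trust token shared with the Web server."""

    def __init__(self, directory: Directory, trust_token: str):
        self.directory = directory
        self._trust_token = trust_token.encode()

    def login_with_credentials(self, login: str, password: str):
        """Directory service authentication: the adapter verifies the password itself."""
        if not self.directory.verify(login, password):
            return None
        return self._session(login)

    def login_with_sso(self, asserted_login: str, presented_token: str):
        """SSO: the Web server already verified the user, so the adapter verifies the
        trust token instead of a password. The token comparison is what ties the
        asserted user ID to the trusted Web server."""
        if not hmac.compare_digest(presented_token.encode(), self._trust_token):
            return None
        return self._session(asserted_login)

    def _session(self, login: str):
        # Retrieve the Siebel user ID, then connect with the reserved DB account.
        siebel_id = self.directory.siebel_user_id(login)
        if siebel_id is None:
            return None  # login unknown to the directory: users are not synchronized
        return {"siebel_user_id": siebel_id, "db_account": RESERVED_DB_ACCOUNT}


class WebServer:
    """SSO steps 1 to 3: collect and verify credentials, then forward ID plus trust token."""

    def __init__(self, directory: Directory, adapter: DirectorySecurityAdapter, trust_token: str):
        self.directory = directory
        self.adapter = adapter
        self.trust_token = trust_token

    def handle_login(self, login: str, password: str):
        if not self.directory.verify(login, password):
            return None
        return self.adapter.login_with_sso(login, self.trust_token)


def demo() -> dict:
    """Constructed scenario: sample user jsmith / Welcome1 and a random trust token."""
    token = secrets.token_hex(16)  # shared secret configured on both components
    directory = Directory([("jsmith", "Welcome1", "JSMITH")])
    adapter = DirectorySecurityAdapter(directory, token)
    web = WebServer(directory, adapter, token)
    return {
        "directory_auth_ok": adapter.login_with_credentials("jsmith", "Welcome1"),
        "directory_auth_bad_password": adapter.login_with_credentials("jsmith", "nope"),
        "sso_ok": web.handle_login("jsmith", "Welcome1"),
        # A valid login presented with the wrong token is refused.
        "sso_wrong_token": adapter.login_with_sso("jsmith", "not-the-shared-secret"),
        # A valid token for a login the directory does not know is also refused.
        "sso_unsynchronized_user": adapter.login_with_sso("ghost", token),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Both paths return the same session record, which is the practical meaning of the comparison table's "Allows using same credentials across multiple applications": the directory, not the Siebel database, is the credential store. In a deployment the trust token should be treated like any other shared secret and kept out of logs and client-visible configuration.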
-
Comparing Authentication Methods

| Capability                                                  | Database Authentication | Directory Service Authentication | Single Sign On               |
|-------------------------------------------------------------|-------------------------|----------------------------------|------------------------------|
| Requires additional infrastructure                          | No                      | Yes                              | Yes                          |
| Supports account policies such as password expiration       | Depends on RDBMS        | Depends on directory service     | Depends on directory service |
| Supports user self-management                               | No                      | Yes                              | No                           |
| Allows creation of users from within the Siebel application | No                      | Yes                              | No                           |
| Allows using same credentials across multiple applications  | No                      | Yes                              | Yes                          |
| Allows single sign-on                                       | No                      | No                               | Yes                          |
| Allows external management of users                         | No                      | Yes                              | Yes                          |
-
Module Highlights
Siebel applications support three mechanisms for authenticating users:
Database authentication is the default; the Siebel Server passes the authentication information to the RDBMS for authentication
Directory Service authentication uses a directory service such as LDAP or ADSI to perform the authentication; the Siebel Server passes the authentication information to the directory service
Single Sign On uses a directory service at the Web server level to allow single sign-on to multiple applications; the Siebel Web Server passes the authentication information to the directory service and passes the returned trust token to the Siebel Server
-
Lab
In the lab you will:
Create a database account for a new user