Integrating Siebel with SSO

Document ID: 1390451.1

In this Document

Purpose
Scope
Details
    Siebel Components
    Integration Architecture
    Preparing Your Environment
References

APPLIES TO:

Siebel CRM - Version 7.8 [19038] to 8.2.2.1 SIA [23012] [Release V7 to V8]
Information in this document applies to any platform.

PURPOSE

This article describes the integration of SSO with the Siebel e-business platform. Siebel is a Web-based suite that combines customer relationship management, partner relationship management, and employee relationship management applications.

SCOPE

NOTE: This solution can be implemented with any 3rd party SSO system that meets the following prerequisites:

- The 3rd party SSO system is able to send the user identity in an HTTP header variable.
- Siebel Web Single Sign-On is configured for the Siebel Web Engine.
- A Siebel Security Adapter (LDAP or ADSI) profile is used for authentication.
- The SSO solution uses a static trust token in the HTTP header.

DETAILS

Siebel Components

This integration involves the following Siebel components.

Siebel Gateway Name Server: The name server provides persistent backing of Siebel server configuration information, including definitions and assignments of component groups and component operational parameters, as well as Siebel server connectivity.

Siebel Database Server: The Siebel database server contains the data used by Siebel clients.

Siebel Server and Siebel Web Server Extension: The Siebel Server, together with the Siebel Web Server Extension, supports Siebel Enterprise Web Applications.

Integration Architecture

The preferred method of Web single sign-on with Siebel is to pass a header variable populated with an attribute value that is stored in the LDAP directory. The SSO solution in use must be able to pass the appropriate HTTP header variable to Siebel. The SSO solution intercepts the user's HTTP request and checks for a session cookie. If the cookie does not exist or has expired, the user is challenged for credentials. The SSO solution verifies the credentials and, if the user is authenticated, redirects the user to the requested resource and passes the required header variable to the Siebel application. The Siebel application then initiates a session, which is kept at the Siebel Web Engine.

[Figure 1: SSO Integration with Siebel. Illustrates a scenario where the user authenticates to an SSO-protected resource and is granted access to a Siebel application.]


Process overview: Authentication with the integration

1. A user attempts to access content or an application on a server.

2. SSO intercepts the request.

3. To determine if the resource is protected, SSO checks for a security policy.

   The security policy consists of an authentication scheme, authorization rules, and allowed operations based on authentication and authorization success or failure.

4. If the resource is protected, SSO checks for the user's session cookie.

   If a valid session exists, SSO passes the header variable to the Siebel server. If a valid session does not exist, SSO prompts the user for credentials.

5. If the credentials are successfully validated, SSO executes the actions that are defined in the security policy and sets an HTTP header variable that maps to the Siebel user ID.

6. SSO redirects the user to the requested Siebel resource.

7. The Siebel application recognizes the SSO header variable, authenticates the user, and initiates a session.

   The header variable is stored in the Siebel Web Engine. The user can now access any resource that is protected by SSO, for example a Siebel Web application, without being prompted for credentials.

If the user is not authorized, the user is denied access and redirected to another URL as determined by the organization's administrator.
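The following Python model of the flow above is an added illustration; it is not Siebel code or any SSO vendor's code. It plays both sides: an sso_agent function that performs steps 2 to 6 (policy lookup, session-cookie check, then either setting the identity header or redirecting to login) and a swse_user function that performs step 7 using the eapps.cfg parameters SingleSignOn, UserSpecSource and UserSpec. The policy table, the SSOSESSION cookie name, the session store, the login URL and the user names are constructed samples. The point it makes explicit is where the header is trusted: the agent is the only component that sets the identity header and discards any copy that arrived with the request, so the SWSE sees the header only when a valid SSO session exists.

```python
# Model of the SSO-agent / SWSE exchange from the process overview.
# Added illustration; not Siebel or SSO vendor code. Paths, cookie name,
# session data and the policy table are constructed samples.
from dataclasses import dataclass, field

# Policy domain: protected path prefix -> which directory attribute is sent
# in which HTTP header (the header name must equal UserSpec in eapps.cfg).
POLICIES = {
    "/esales_enu": {"header": "SSO_SIEBEL_USER", "attribute": "uid"},
}
IDENTITY_HEADERS = {p["header"].upper() for p in POLICIES.values()}

# SSO session store: cookie value -> expiry (seconds) and directory entry.
SESSIONS = {
    "cookie-abc": {"expires": 2000, "entry": {"uid": "jdoe"}},
    "cookie-old": {"expires": 500, "entry": {"uid": "asmith"}},
}

# The SWSE side: the relevant eapps.cfg parameters (see Table 1).
EAPPS = {"SingleSignOn": "TRUE", "UserSpecSource": "Header",
         "UserSpec": "SSO_SIEBEL_USER"}


@dataclass
class Decision:
    action: str                                  # "forward" or "redirect_login"
    headers: dict = field(default_factory=dict)  # headers sent onward


def match_policy(path):
    """Longest-prefix match of the request path against the policy table."""
    hits = [p for p in POLICIES if path.startswith(p)]
    return POLICIES[max(hits, key=len)] if hits else None


def sso_agent(path, headers, cookies, now):
    """Steps 2 to 6: intercept, check the policy, check the session cookie,
    then either set the identity header or send the user to log in."""
    # The agent is the only legitimate source of the identity header, so any
    # copy that arrived with the request is dropped before forwarding.
    onward = {k: v for k, v in headers.items()
              if k.upper() not in IDENTITY_HEADERS}
    policy = match_policy(path)
    if policy is None:
        return Decision("forward", onward)        # unprotected resource
    session = SESSIONS.get(cookies.get("SSOSESSION", ""))
    if session is None or session["expires"] <= now:
        return Decision("redirect_login",
                        {"Location": "/sso/login?resource=" + path})
    onward[policy["header"]] = session["entry"][policy["attribute"]]
    return Decision("forward", onward)


def swse_user(forwarded_headers, eapps=EAPPS):
    """Step 7: the SWSE derives the user name from the source named by
    UserSpecSource (only the Header case is modelled here)."""
    if (eapps["SingleSignOn"].upper() != "TRUE"
            or eapps["UserSpecSource"].lower() != "header"):
        return None
    by_name = {k.upper(): v for k, v in forwarded_headers.items()}
    return by_name.get(eapps["UserSpec"].upper())


if __name__ == "__main__":
    d = sso_agent("/esales_enu/start.swe", {}, {"SSOSESSION": "cookie-abc"}, now=1000)
    print(d.action, swse_user(d.headers))   # forward jdoe
```

Run it with a valid, an expired and an absent cookie to see the three outcomes; the SWSE function returns a user only in the first case, which is the behaviour the trust token and the header-stripping agent together are meant to guarantee.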

Preparing Your Environment

Complete the following steps to prepare your environment for the integration.

Task overview: Prepare your environment for OM and LDAP integration

1. Configure the out-of-box LDAP Security Adapter profile to talk to the LDAP server for authentication. Refer to Siebel Security Guide > Security Adapter Authentication > Process of Implementing LDAP or ADSI Security Adapter Authentication:
   http://download.oracle.com/docs/cd/E14004_01/books/Secur/Secur_SecAdaptAuth21.html#wp1598728

2. Configure Web Single Sign-On for the Siebel Application OM. Refer to Siebel Security Guide > Web Single Sign-On Authentication > Process of Implementing Web Single Sign-On:
   http://download.oracle.com/docs/cd/E14004_01/books/Secur/Secur_SSOAuth6.html#wp1003258

Task overview: Prepare your web environment for integration

1. Install a supported directory server according to vendor instructions.

2. Install a Web server that is supported both by Siebel CRM and by the SSO solution.

3. Configure the Web browser to allow cookies according to vendor instructions.

4. Proceed to the next section.

Setting up Siebel for integration with SSO

The following procedures describe how to set up Siebel for this integration.

1. Install the following Siebel components, as described in the Siebel documentation:

   a. Siebel Gateway Server
   b. Siebel Server
   c. Siebel Database Server
   d. Siebel Web Server Extension

2. Verify that Siebel Industry Applications and the Web Server Extension are working properly.

3. Ensure that the Siebel client and the Siebel server are able to communicate with each other through TCP/IP, as described in the Siebel documentation.

4. Add at least three users to LDAP:

   - A test user
   - The Siebel Anonymous User
   - The Siebel Application User

   In addition to your regular users, Siebel uses two user accounts from the directory: the Anonymous User and the Application User. You also need to create an attribute in regular user accounts for storing the Siebel database user information. See the information on creating users in the directory in the Security Guide for Siebel Industry Applications for details.

5. Add user records in the Siebel database that correspond to the registered users.

   You need a record in the Siebel database that corresponds to the test user that you created in the LDAP directory. You also must confirm that the seed data record exists for the Anonymous User for your Siebel customer or partner application. This database record must match the Anonymous User that you created in the LDAP directory. See the information on adding user records in the Siebel database in the Security Guide for Siebel Industry Applications for details.

Table 1, "eapps.cfg parameters", describes the parameters to set in the eapps.cfg file. This file contains configuration details for the Siebel Web Server Extension component. It is located in the \BIN directory where the Siebel Web Server Extension is installed (for example, C:\siebel81\SWEApp). You can add these parameters to the [Default] section or to the Siebel-specific application section, for example [/esales_enu].

Oracle recommends that you add these parameters to the specific Siebel Industry application section.

To encrypt eapps.cfg parameters, follow the steps in Siebel Security Guide > Changing or Adding Passwords > Managing Encrypted Passwords in the eapps.cfg File:
http://docs.oracle.com/cd/B40099_02/books/Secur/Secur_ChangePwd11.html#wp1053529


Table 1: eapps.cfg parameters

Parameter = Value
    Notes

AnonUserName = GuestCST
    The anonymous user is a Siebel user with very limited access. It enables a user to access a login page or a page that contains a login form. This user is defined in the Siebel database and must exist in the LDAP directory.

AnonPassword = Ldap
    The LDAP password for the anonymous user.

SingleSignOn = TRUE
    When this parameter is set to TRUE, the Siebel Web Server Extension (SWSE) operates in WebSSO mode.

TrustToken = HELLO
    In a Web single sign-on environment, this token string is a shared secret between the SWSE and the security adapter. It is a measure to protect against spoofing attacks. This setting must be the same on both the SWSE and the security adapter.

UserSpecSource = Header
    In a Web single sign-on implementation, this parameter specifies the source from which the SWSE derives the user credentials:
    - Server: use if the value is in the Web server name field
    - Header: use if the variable is in the HTTP request header

UserSpec = SSO_Siebel_User
    In a Web single sign-on implementation, this variable name specifies where the SWSE looks for a user's user name in the source given by UserSpecSource.


The following is an example of a configured eapps.cfg file:

    [/esales_enu]
    SingleSignOn      = TRUE
    TrustToken        = HELLO
    UserSpec          = SSO_SIEBEL_USER
    UserSpecSource    = Header
    ConnectString     = siebel.TCPIP.None.None://sdchs24n336:3320/siebel/eSalesObjMgr_enu
    StartCommand      = SWECmd=GotoView&SWEView=Home+Page+View+(eSales)
    WebPublicRootDir  = c:\19213\eappweb\public\enu
    WebUpdatePassword = tieeKaYLjfUBgdi+g==
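Below is an added Python check, not Oracle's code, for the Table 1 parameters in a file like the one above. It parses eapps.cfg with the standard configparser module, treats a [defaults] or [Default] section as the fallback for any parameter an application section omits, and for each application section with SingleSignOn = TRUE verifies that TrustToken is set and is not the sample value printed in this document, that UserSpec is set, and that UserSpecSource is Header or Server. It also applies the rule stated under "Configuring Session Logout" later on this page: a Siebel SessionTimeout shorter than the SSO timeout lets a Siebel session be re-established without credentials, so such sections are reported. The sample file, the host name in ConnectString and the replacement token are constructed; SessionTimeout is assumed to be the eapps.cfg parameter that the timeout procedure refers to.

```python
# Added check for the SSO parameters in eapps.cfg (Table 1) and for the
# SessionTimeout rule under "Configuring Session Logout". Not Oracle's code.
# The sample file and host name are constructed; SessionTimeout is assumed to
# be the per-section eapps.cfg timeout parameter, and a [defaults]/[Default]
# section is assumed to supply any parameter an application section omits.
import configparser

SAMPLE_EAPPS_CFG = """\
[defaults]
SessionTimeout = 900
AnonUserName = GuestCST

[/esales_enu]
SingleSignOn = TRUE
TrustToken = HELLO
UserSpec = SSO_SIEBEL_USER
UserSpecSource = Header
ConnectString = siebel.TCPIP.None.None://siebelhost.example.com:2321/siebel/eSalesObjMgr_enu

[/eservice_enu]
SingleSignOn = TRUE
UserSpec = SSO_SIEBEL_USER
UserSpecSource = Server
SessionTimeout = 300
"""

DOC_SAMPLE_TOKENS = {"HELLO"}        # printed in the documentation, so not a secret
VALID_SOURCES = {"header", "server"}  # the two UserSpecSource values in Table 1


def load_eapps(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep parameter names as written in the file
    cp.read_string(text)
    return cp


def effective(cp, section, name):
    """Value for an application section, falling back to the defaults section."""
    fallbacks = [s for s in cp.sections() if s.lower() in ("defaults", "default")]
    for sec in [section] + fallbacks:
        if cp.has_option(sec, name):
            return cp.get(sec, name).strip()
    return None


def check_sso(text, sso_timeout_seconds):
    """Return {application section: [problems]} for sections that fail a check."""
    cp = load_eapps(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("/"):
            continue                      # only application sections
        problems = []
        if (effective(cp, section, "SingleSignOn") or "").upper() != "TRUE":
            problems.append("SingleSignOn is not TRUE; SWSE is not in WebSSO mode")
        else:
            token = effective(cp, section, "TrustToken")
            if not token:
                problems.append("TrustToken is not set")
            elif token in DOC_SAMPLE_TOKENS:
                problems.append("TrustToken is the sample value from the documentation")
            if not effective(cp, section, "UserSpec"):
                problems.append("UserSpec (header or server variable name) is not set")
            source = (effective(cp, section, "UserSpecSource") or "").lower()
            if source not in VALID_SOURCES:
                problems.append("UserSpecSource must be Header or Server")
        timeout = effective(cp, section, "SessionTimeout")
        if timeout is not None and int(timeout) < sso_timeout_seconds:
            problems.append(
                f"SessionTimeout {timeout}s is shorter than the SSO timeout "
                f"{sso_timeout_seconds}s; users could re-establish a Siebel "
                "session without re-entering credentials")
        if problems:
            findings[section] = problems
    return findings


if __name__ == "__main__":
    for section, problems in check_sso(SAMPLE_EAPPS_CFG, 900).items():
        print(section)
        for p in problems:
            print("  -", p)
```

Point check_sso at the contents of a real eapps.cfg and the SSO solution's configured session time in seconds; an empty result means every application section has the Table 1 parameters and a timeout that is not shorter than the SSO one.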


Table 2, "Siebel Application Parameter File for the Web Server Extension", describes the parameters that you specify in the Siebel Application Parameter File (for example, siebel.cfg).

Table 2: Siebel Application Parameter File for the Web Server Extension

Parameter = Value
    Description

ApplicationUser = Cn=sadmin,cn=users,dc=us,dc=oracle,dc=com
    DN of the Siebel Application User

ApplicationPassword = Ldap
    LDAP password

BaseDN = Cn=users,dc=us,dc=oracle,dc=com
    LDAP directory base DN

CRC = (not set)
    CRC code

CredentialsAttribute = Mail
    LDAP attribute used to store the user's database credentials

SecAdptDllName = Sscfldap
    Security Adapter DLL

HashAlgorithm = RSASHA1
    Hash algorithm

HashDBPwd = FALSE
    Whether the shared database password is hashed

HashUserPwd = FALSE
    Whether the user's password is hashed by Siebel

Port = 389
    LDAP server port

PropagateChange = TRUE
    Propagate user changes to the external repository

PasswordExpireWarning = 30
    Number of days before password expiry at which the user is warned

PasswordAttributeType = UserPassword
    LDAP attribute used to store the user's password

RolesAttributeType = (not set)
    LDAP attribute used to store the user's responsibilities

ServerName = Ldap.us.oracle.com
    LDAP server name

SharedCredentialsDN = Cn=sadmin,cn=users,dc=us,dc=oracle,dc=com
    DN of the LDAP user storing the DB credentials

SiebelUsernameAttributeType = Uid
    LDAP attribute used to store the user's user ID

SSLDatabase = C:\oblix-data\oid-key
    Path of the SSL database certificate file (required if LDAPS is used)

SingleSignon = TRUE
    Whether single sign-on is enabled

TrustToken = HELLO
    Web single sign-on trust token

Siebel User ID Attribute: The Siebel User ID attribute for the adapter-defined user name. Corresponds to the SiebelUsernameAttributeType parameter.

Siebel Username Attribute: The Siebel user ID attribute used by the directory. An example entry for an LDAP directory is uid. An example entry for Active Directory is sAMAccountName (maximum length 20 characters). If your directory uses a different attribute for the Siebel user ID, then enter that attribute instead. Corresponds to the UsernameAttributeType parameter.

To set the Siebel Server Configuration Parameters

1. Log in to a Siebel employee application, such as Siebel Call Center, and make one of the following choices from the application-level menu:

   - To set enterprise-level parameters, choose View, select Site Map, then select Server Administration and then select Enterprise Configuration.
   - To set server-level parameters, choose View, select Site Map, then select Server Administration and then select Servers.
   - To set component-level parameters, choose View, select Site Map, then select Server Administration and then select Components.

   If you are setting parameters at the server or component level:

   - To set enterprise-level parameters, click the Enterprise Parameters view tab.
   - To set server-level parameters, click the Server Parameters view tab.
   - To set component-level parameters, click the Component Parameters view tab.

   Because application-level parameters override enterprise-level settings, Oracle recommends that you set the Siebel parameters for SSO integration at the application level.

   [Screen shot: setting Siebel Server configuration parameters.]

2. Select a parameter record, edit the Current Value field, and then click Save.

3. Restart the Siebel Server to allow the changes to take effect.

Setting up SSO for Integration with Siebel

Setting up SSO for integration with Siebel involves the following steps.

1. Install all needed components for the SSO solution as described by the vendor.

2. Synchronize the time on all servers where Siebel and the SSO solution are installed.

   Each Siebel application has its own document directory. You can either protect each application individually or protect the higher-level directory under which the applications reside.

3. Configure SSO to map an SSO header variable to the Siebel uid.

4. Remove the default no-cache HTTP pragmas that SSO sets.

Note: The header variable set in the SSO policy must equal the value of the UserSpec parameter in the eapps.cfg file.

In the following example, the uid is mapped to the SSO_SIEBEL_USER HTTP header variable as follows:

    Type: HeaderVar
    Name: SSO_SIEBEL_USER
    Attribute: uid

Allow access to users by selecting the SSO/Siebel users to whom you want to grant access to the resources that are protected by the policy domain.

Testing Integration between SSO and Siebel

After configuring the integration of SSO with Siebel, you should test for successful SSO authentication and single sign-on with Siebel.

The following is a test for single sign-on between a non-Siebel, SSO-protected Web page and the Siebel Web Server Extension.

To test single sign-on

1. Create an SSO domain to protect a Siebel Industry application (for example, eMarketing) and require basic LDAP authentication for it.

2. Open a Web browser and enter the URL for the Web server's main page (http://hostname).

   The main page is displayed. User authentication should not be required.

3. Access the Siebel Industry application URL for the Web server from the same browser used in step 2.

   Basic authentication should be required.

4. Access the Siebel Industry application URL for the Web server again from the same browser used in step 2.

   Access to the Siebel Industry application should be allowed. The user should not be challenged for credentials.

5. Close the browser and open a new browser session. Access the Siebel Industry application URL for the Web server.

   Basic authentication should be required. After the user enters credentials, the Siebel Industry application should be displayed.

6. Access the demo document directory URL for the Web server from the same browser used in step 5.

The following is a test of the SSO session timeout.

To test SSO session timeout

1. Configure the SSO session timeout to be five (5) minutes and restart the Web servers.

2. Open a Web browser and enter the URL for the Web server's main page (http://hostname).

   The main page is displayed. User authentication should not be required.

3. Access the Siebel Industry application URL for the Web server from the same browser used in step 2.

   Basic authentication should be required. After the user enters credentials, the Siebel Industry application should be displayed.

4. Leave the browser window open and idle for more than five minutes.

5. Refresh the browser window using the Refresh button.

   Basic authentication should be required. After the user enters credentials, the Siebel Industry application should be displayed.

6. Repeat step 2 to step 4 for the implemented Web server.

Notes on Integrating in a Multi-Domain Active Directory Environment

There are considerations when configuring this integration in a multi-domain Active Directory environment. When the Siebel application is protected, it obtains the sAMAccountName from the HTTP header variable SSO_SIEBEL_USER. However, the Siebel security adapter performs a lookup in Active Directory to verify the account. In a forest, it is best to perform the query against a single domain controller on port 3268, the port used for the global catalog.

See the section on configuring LDAP and ADSI security adapters in the Siebel Security Guide on the Siebel Bookshelf for details.

Task overview: Configuration in a multi-domain Active Directory environment

1. Enable Siebel to use Active Directory for authentication, configuring the authentication to start at the root of the forest.

2. Configure the Siebel part of the Active Directory search with the global catalog port number as part of the LDAP query.

   Add the port number to the hostname in the configuration information, as follows:

   hostname.domainname.com:3268

Configuring Session Logout

You can configure an expiration period for a session by setting a session timeout value in both Siebel and many SSO solutions. The timeout values should be the same for both applications. If you configure a timeout value for Siebel that is shorter than the one you configure for SSO, users can re-establish their Siebel session after it times out without providing login credentials.

The rest of this section discusses the following topics:

- Configuring the Siebel Timeout
- Configuring the SSO Session Timeout
- Configuring the Siebel Logout Behavior

Configuring the Siebel Timeout

The following procedure describes configuring the timeout. For users to be asked to re-authenticate after the timeout limit is reached, you must also configure the same timeout value in SSO.

To configure the Siebel timeout

1. Open the eapps.cfg file.

   It is located in the \BIN directory where the Siebel Web Server Extension is installed (for example, C:\siebel81\SWEApp).

2. Modify the value of the SessionTimeout parameter.

3. Restart the Web server.

Configuring the SSO Session Timeout

The following procedure describes configuring the timeout. Follow your SSO vendor's procedure for setting session timeouts.

1. Change the value of the Maximum user session time (seconds) field. This value should be the same as the one that you set for the Siebel application.

2. Change the value of the Idle session time (seconds) field. This value should be the same as the one that you set for the Siebel application.

Configuring the Siebel Logout Behavior

In a Web single sign-on deployment, the user authentication and user management features are the responsibility of SSO. The following features in Siebel are not available in a Web single sign-on environment:

- User self-registration
- Delegated administration
- Login and logout
- Change password

You configure logout functionality for Siebel users by modifying the Siebel Logout link and redirecting the users to the SSO solution's logout page. By doing this, the user is logged out of SSO and, by extension, from Siebel.

The following procedures describe configuring Siebel to point to the default SSO logout.html page. To ensure that logging out of Siebel is also recognized by SSO, the page that logs users out of Siebel must contain SSO logout functionality.

The following procedures describe configuring the logout behavior.

To prepare for configuration

1. Create a text file that contains the HTML required to redirect the user to the SSO logout page.

   The following is a URL example:

   The following is a Javascript example:

2. Copy the file as follows:

   $siebelroot/siebsrvr\WEBTEMPL\name.swt

   Where name is the name of the file that you created in the previous step, for example, coreidlogout.swt.

3. Stop the Siebel server process.

4. Start Siebel Tools.

To create a new project

1. In the Object Explorer window, click Project.

2. Select Edit.

3. Select New Record.

4. Enter the name of the file that contains the redirection information as the name for the new record.

   Do not include the ".swt" extension. In the previous procedure, this name was coreidlogout.

5. Select Locked.

To create a Web template

1. In the Object Explorer window, click Web Template.

2. Add a new record.

   Use the name of the file with the redirection information. Do not include the ".swt" extension. In a previous procedure, an example name of coreidlogout was provided.

3. Enter the Project parameter.

   As the value of this parameter, use the name of the file with the redirection information. Do not include the ".swt" extension. In a previous procedure, an example name of coreidlogout was provided.

4. Specify Web Page Template for the Type parameter.

To create a Web template file

1. Expand the Web Template tree.

2. Click Web Template File.

3. Add a record that is named using the name of the file with the redirection information.

   Do not include the ".swt" extension. In a previous procedure, an example name of coreidlogout was provided.

4. Enter the name of the file with the redirection information, including the ".swt" extension, as the Filename parameter.

To create a Web page for logout

1. In the Object Explorer window, click Web Page.

2. Add a record that is named using the name of the file with the redirection information.

   Do not include the ".swt" extension. In a previous procedure, an example name of coreidlogout was provided.

3. Enter the name of the file with the redirection information as the Project parameter.

   Do not include the ".swt" extension. In a previous procedure, an example name of coreidlogout was provided.

4. Select the name of the file with the redirection information as the Web Template parameter.

   In a previous procedure, an example name of coreidlogout was provided.

To complete logout configuration

1. To lock the application project for each project where you want to modify the logout behavior, in the Object Explorer window, click Project.

2. Locate the appropriate project.

3. Select Locked.

4. In the Application window, select the Siebel module to be configured.

   Each module must be configured separately.

5. Scroll to the right and locate the Logoff Acknowledgement Web Page parameter.

   Make a note of this value before changing it.

6. Select the name of the file with the redirection information.

   In a previous procedure, an example name of coreidlogout was provided.

7. Compile the changes.

8. Restart the Siebel Server and the Web server.

REFERENCES

My Oracle Support resources:

OAM and Siebel Integration: 1509338.1