Module 12 Securing Access to the Application


  • 7/30/2019 Module 12 Securing Access to the Application

    Securing access to the application 1 of 18

    Siebel 8.0 Essentials


    Module 12: Securing Access to the Application


    Module Objectives

    • To describe the types of user authentication in use by Siebel applications
    • To explain the role of the security adapter
    • To describe Single Sign On (SSO) security and how it differs from other authentication methods


    Siebel Application Security

    Siebel applications are secured at various levels:
    • Restricting data and access to views for different users (subject of the previous module)
    • Ensuring that only authorized users can access the application (subject of this module)
    • Securing the communication between architecture components (subject of a subsequent module)


    Authentication

    • Is the process of validating a user's identity
    • Is concerned with verifying the identity of users before they gain access to a Siebel application
    • Typically consists of collecting a set of user credentials, such as user ID and password, and comparing them to pre-stored values


    Supported Authentication Methods

    Siebel applications carry out authentication at either the Siebel Server or the Web server, with the help of:
    • Siebel security adapters: software programs that allow Siebel Servers to authenticate users
    • Single Sign On (SSO): allows the Web server to authenticate users
        • The Siebel Web Server Extension performs the authentication check
        • The security adapter is still involved in verifying the trust token passed to it by the Web server
        • A trust token is a software object confirming the identity of the sender. It may contain additional information, such as the user identity or database login, to be passed to the server


    Siebel Security Adapters

    • A security adapter is a piece of software that connects to an authentication service
        • It is implemented as part of the Application Object Manager (AOM)
    • An authentication service is a store of credentials plus a mechanism to compare user-provided credentials against the stored credentials


    Authentication Services

    Siebel applications support multiple authentication services:
    • Database authentication
    • Lightweight Directory Access Protocol (LDAP)
    • Active Directory Services Interface (ADSI)
    • Custom authentication using the Siebel Security Adapter Software Developer's Kit (SSASDK)
        • Creating custom security adapters is beyond the scope of this course; refer to the Siebel Security Adapter SDK in Bookshelf


    Database Authentication

    • Users are authenticated against the underlying database
    • The database security adapter is the default for Siebel applications


    Database Authentication Considerations

    • Additional infrastructure components such as directory servers are not required
    • Uses a separate database login for each user
        • Requires ongoing support from a database administrator
    • May support the following account policies:
        • Password expiration
        • Password syntax
        • Account lockout
    • Supports minimal user self-management
        • Users cannot perform self-management without being granted direct access to the database server


    Directory Server Authentication

    • Authentication for users is carried out against an external directory service
    • The directory service contains the users' credentials and administrative information
    • A single reserved database login is typically used for all users
        • The default database login is LDAPUSER


    Directory Service Considerations

    • Facilitates easier administration because it:
        • Eliminates maintenance of a separate database login for each user
        • Allows Web users to self-register and maintain login information
        • Allows automated creation of users from the User Administration view
        • Allows external delegated administration of users
        • Allows the credentials store to be shared across multiple applications
    • May support account policies based on those of the directory service:
        • Password expiration
        • Password syntax
        • Account lockout


    Single Sign On

    • The Web server provides the user's credentials to a third-party service
    • The Security Adapter looks up and retrieves the Siebel user ID and DB account based on the identity key from the external source


    Single Sign On Considerations

    • Allows users to access multiple applications without any further login
        • For example, Windows Integrated Authentication allows users to access Siebel applications directly once they have logged in to their Windows accounts
    • Uses credentials that are collected and verified by the Web server
        • Management of authentication can be performed from a single centralized location
    • Requires the use of a trust token
        • A secret value shared by the Web server and the Object Manager
    • Facilitates the deployment of Siebel applications in Web sites and portals
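The SSO flow described on the two Single Sign On slides, as an added example that is not part of the course material or of Siebel's own code: the Web server verifies the user with a third-party service, then forwards only an identity key plus the shared trust token, and the security adapter checks the token before resolving the key to a Siebel user ID and DB account. The function names, the shared-secret value, and the identity-key map are constructed for this example; LDAPUSER is the default shared database login named on the Directory Server Authentication slide.

```python
import hmac
from dataclasses import dataclass

# Constructed shared secret for this example. In a real deployment the value is
# configured identically on the Web server and the Object Manager, not hard-coded.
SHARED_TRUST_TOKEN = "constructed-shared-secret-value"

# Constructed "external source": identity key -> (Siebel user ID, database account).
# LDAPUSER is the default shared database login named in the slides.
EXTERNAL_SOURCE = {
    "jsmith@example.com": ("JSMITH", "LDAPUSER"),
    "mlee@example.com": ("MLEE", "LDAPUSER"),
}


@dataclass(frozen=True)
class ForwardedRequest:
    """What the Web server hands to the Object Manager after its own check."""
    identity_key: str   # who the third-party service says the user is
    trust_token: str    # proves the request came from the trusted Web server


def web_server_login(user, password, third_party_verify):
    """Web server side: credentials go to the third-party service, never to Siebel.
    Returns a ForwardedRequest on success, None on failure."""
    if not third_party_verify(user, password):
        return None
    return ForwardedRequest(identity_key=user, trust_token=SHARED_TRUST_TOKEN)


def security_adapter_sso(request):
    """Object Manager side (hypothetical adapter logic, not Siebel's own code)."""
    # Step 1: the adapter never sees a password; the only thing it can verify is
    # the trust token, so compare it in constant time and stop on any mismatch.
    if not hmac.compare_digest(request.trust_token, SHARED_TRUST_TOKEN):
        return {"status": "rejected", "reason": "trust token mismatch"}
    # Step 2: resolve the identity key to the Siebel user ID and DB account.
    entry = EXTERNAL_SOURCE.get(request.identity_key)
    if entry is None:
        return {"status": "rejected", "reason": "identity key not mapped to a Siebel user"}
    siebel_user_id, db_account = entry
    return {"status": "ok", "siebel_user_id": siebel_user_id, "db_account": db_account}


if __name__ == "__main__":
    # Constructed third-party check: accepts one fixed password for the demo.
    verify = lambda u, p: p == "correct-horse"
    forwarded = web_server_login("jsmith@example.com", "correct-horse", verify)
    print(security_adapter_sso(forwarded))
```

Note that the adapter accepts the identity key purely on the strength of the trust token, which is why the slides call the token a secret shared only between the Web server and the Object Manager.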


    Single Sign On Considerations

    • Some Siebel User Administration features that are not available when using SSO should be disabled for consistency, for example:
        • User self-registration
        • Delegated administration of users
        • Change password
    • Requires synchronization of users between the Siebel application and the external authentication system


    Comparing Authentication Methods


    Module Highlights

    Siebel applications support three mechanisms for authenticating users:
    • Database authentication is the default; the Siebel Server verifies the authentication information against the RDBMS
    • Directory Service authentication uses a directory service such as LDAP or ADSI to perform the authentication; the Siebel Server passes the authentication information to the directory service
    • Single Sign On uses a directory service at the Web server level to allow single sign-on to multiple applications; the Siebel Web Server passes the authentication information to the directory service and passes the returned trust token to the Siebel Server


    Lab

    In the lab you will:
    • Create a database account for a new user