7/30/2019 Module 12 Securing Access to the Application
1/18
Securing access to the application 1 of 18
Siebel 8.0 Essentials
Module 12: Securing Access to the Application
Module Objectives
To describe the types of user authentication used by Siebel applications
To explain the role of the security adapter
To describe Single Sign On (SSO) security and how it differs from other authentication methods
Siebel Application Security
Siebel applications are secured at various levels:
Restricting data and access to views according to the user
  Subject of previous module
Allowing only authorized users to access the application
  Subject of this module
Securing the communication between architecture components
  Subject of subsequent module
Authentication
Is the process of validating a user's identity
It is concerned with verifying the identity of users before they gain access to a Siebel application
Typically consists of collecting a set of user credentials, such as user ID and password, and comparing them to pre-stored values
Supported Authentication Methods
Authentication for Siebel applications is carried out by either the Siebel servers or the Web server, with the help of:
Siebel security adapters: software programs that allow Siebel servers to authenticate users
Single Sign On (SSO): allows the Web server to authenticate users
  Siebel Web Server Extension performs the authentication check
  Security adapter is still involved in verifying the trust token passed to it by the Web server
  A trust token is a software object confirming the identity of the sender. It may contain additional information, such as user identity or database login, to be passed to the server
Siebel Security Adapters
A security adapter is a piece of software that connects to an authentication service
  It is implemented as a part of the Application Object Manager (AOM)
An authentication service is a store of credentials plus a mechanism to compare user-provided credentials against the stored credentials
Authentication Services
Siebel applications support multiple authentication services:
Database authentication
Lightweight Directory Access Protocol (LDAP)
Active Directory Services Interface (ADSI)
Custom authentication using the Siebel Security Adapter Software Developers Kit (SSASDK)
  Creating custom security adapters is beyond the scope of this course. Refer to the Siebel Security Adapter SDK in Bookshelf
Database Authentication
Users are authenticated against the underlying database
The database security adapter is the default for Siebel applications
Database Authentication Considerations
Additional infrastructure components such as directory servers are not required
Uses a separate database login for each user
Requires ongoing support from a database administrator
May support the following account policies:
  Password expiration
  Password syntax
  Account lockout
Supports minimal user self-management
  User cannot perform self-management without being granted direct access to the database server
Directory Server Authentication
Authentication for users is carried out against an external directory service
The directory service contains the users' credentials and administrative information
A single reserved database login is typically used for all users
The default database login is LDAPUSER
Directory Service Considerations
Facilitates easier administration because it:
  Eliminates maintenance of a separate database login for each user
  Allows Web users to self-register and maintain login information
  Allows automated creation of users from User Administration view
  Allows external delegated administration of users
  Allows credentials store to be shared across multiple applications
May support account policies based on those of the directory service
  Password expiration
  Password syntax
  Account lockout
Single Sign On
Web Server provides credentials to third-party service
Security adapter looks up and retrieves Siebel user ID and DB account based on identity key from external source
Single Sign On Considerations
Allows users to access multiple applications without any further login
  For example, Windows Integrated Authentication allows users to access Siebel applications directly once they have logged in to their Windows accounts
Uses credentials that are collected and verified by the Web server
Management of authentication can be performed from a single centralized location
Requires the use of a trust token
  Secret value shared by the Web server and Object Manager
Facilitates the deployment of Siebel applications in Web sites and portals
Single Sign On Considerations
Some Siebel User Administration features that are not available using SSO should be disabled for consistency, for example:
  User self-registration
  Delegated administration of users
  Change password
Requires synchronization of users between the Siebel application and the external authentication system
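The SSO flow from the Single Sign On slides, modelled as an added Python example (not Siebel code or a Siebel API): the adapter first checks the trust token forwarded by the Web server against the shared secret, and only then maps the identity key to a Siebel user ID and DB account. The function names, token value and directory contents are assumptions constructed for illustration.

```python
import hmac

# Constructed sample data; these names and values are illustrative, not Siebel's.
SHARED_TRUST_TOKEN = "constructed-trust-token-value"  # same value on Web server and Object Manager
DIRECTORY = {
    # external source, keyed by the identity key the Web server supplies
    "jsmith@example.test": {"siebel_user_id": "JSMITH", "db_account": "LDAPUSER"},
}


class AuthError(Exception):
    """Raised when the adapter model refuses a login."""


def sso_login(identity_key, presented_token,
              expected_token=SHARED_TRUST_TOKEN, directory=DIRECTORY):
    """Adapter-side SSO check: verify the trust token, then look up the user."""
    # A request without the shared secret did not arrive through the trusted
    # Web server, so the identity key it carries is not believed.
    # compare_digest avoids leaking how many leading characters matched.
    if not presented_token or not hmac.compare_digest(
            presented_token.encode(), expected_token.encode()):
        raise AuthError("trust token mismatch")
    record = directory.get(identity_key)
    if record is None:
        # Authenticated externally but never synchronized to the Siebel side.
        raise AuthError("identity key not found in external source")
    return record["siebel_user_id"], record["db_account"]


def try_login(identity_key, token):
    """Return ('ok', user_id, db_account) or ('denied', reason)."""
    try:
        return ("ok",) + sso_login(identity_key, token)
    except AuthError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    print(try_login("jsmith@example.test", SHARED_TRUST_TOKEN))
    print(try_login("jsmith@example.test", "wrong-token"))
    print(try_login("nobody@example.test", SHARED_TRUST_TOKEN))
```

The second and third calls show the two refusals the slides imply: a caller that does not hold the shared secret, and a user known to the Web server but missing from the synchronized user store.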
Comparing Authentication Methods
Module Highlights
Siebel applications support three mechanisms for authenticating users:
  Database authentication is the default; the Siebel Server verifies the authentication information against the RDBMS
  Directory Service authentication uses a directory service such as LDAP or ADSI to perform the authentication; the Siebel Server passes the authentication information to the directory service
  Single Sign On uses a directory service at the Web server level to allow single sign-on to multiple applications; the Siebel Web Server passes the authentication information to the directory service and passes the returned trust token to the Siebel Server
Lab
In the lab you will:
Create a database account for a new user