Oracle SIEBEL SSO INTEGRATION OAM WEBGATE

Siebel_SSO_integration_with_OAM_v1.0.pdf



    Enabling Oracle Access Manager (SSO) / Sample Steps

    Oracle Corporation 9/18/2014

    Overview: This document is a step-by-step guide to deploying OAM with Siebel. Environment-specific values (shown in red in the original PDF) must be replaced with the values for your own environment.

    About the Integration with Siebel 8

    The integration of Oracle Access Manager with Siebel 8 provides a secure Web-based infrastructure for identity management for all customer applications and processes. Oracle Access Manager integrates identity and access management across Siebel 8, enterprise resources, and other domains deployed on industry networks. It provides the foundation for managing the identities of customers, partners, and employees across Internet applications; these user identities are combined with security policies for protected Web interaction.

    This integration adds the following features to Siebel 8 implementations:

    • Oracle Access Manager authentication, authorization, and auditing services for Siebel 8 applications.

    • Oracle Access Manager single sign-on (SSO) for Siebel 8 applications and other Oracle Access Manager-protected resources within a single domain or across multiple domains.

    • Oracle Access Manager authentication schemes. The following schemes provide single sign-on for Siebel 8 applications:

    Basic: Users must enter a user name and password in a dialog supplied by the browser. This method can be redirected to SSL so that the credentials, which Basic authentication sends only base64-encoded, are not exposed on the wire.

    Form: Similar to the Basic challenge, but users enter their credentials in a custom HTML form. You choose the information users must provide in the form that you create.

    X509 Certificates: X.509 digital certificates over SSL. The user's browser must supply a certificate.

    Windows Integrated Authentication (WIA): Users see no difference between Oracle Access Manager authentication and WIA: they log on to the desktop, open an Internet Explorer (IE) browser, request an Oracle Access Manager-protected Web resource, and single sign-on completes without a further prompt.

    Custom: Additional forms of authentication can be incorporated through the Oracle Access Manager Authentication Plug-in API.

    • Session timeout: Oracle Access Manager lets you set the length of time that a user session is valid.

    • Ability to use the Identity System for identity management: The Identity System provides identity management features such as portal inserts, delegated administration, workflows, and self-registration to applications such as Siebel 8.

    The self-registration feature for new users and customers gives flexibility in how much access to grant people upon self-registration. Identity System workflows enable a self-registration request to be routed to the appropriate personnel before access is granted.

    Oracle Access Manager also provides self-service, allowing users to update their own identity profiles.


    Supported Versions and Platforms

    Any references to specific versions and platforms in this chapter are made for demonstration purposes.

    For the latest support information, see the Oracle Technology Network (OTN). You must register with OTN to view this information.

    To locate the latest certification details

    1. Go to Oracle Technology Network:

    http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html

    2. Locate Oracle Identity and Access Management.

    3. Click the link for the latest version. For example:

    System Requirements and Supported Platforms for Oracle Identity and Access Management 10gR3 (html)

    4. Click the link for Oracle Access Manager Certification.

    Setting Up Single Sign-on for the Siebel Application Server

    Setting up single sign-on for Siebel 8 requires the installation and configuration of several Siebel and SSO components:

    1. Install and configure Siebel 8, and create or enable an AccessGate configuration for its Web server, as described in the section Create/Enable an Access Gate Configuration in the Access Server.

    2. Install Oracle Access Manager and a WebGate, and configure access control policies to protect Siebel resources, as described in the section Installing the web gate plug-in on the Siebel web server.

    3. Test the integration, as described in the section Testing the resource rule with your browser.

    To set up Oracle Access Manager for the integration

    1. Install Oracle Access Manager and ensure that a WebGate is installed on the Web server instance that hosts the Siebel Web Server Extension (SWSE), as described in the Oracle Access Manager Installation Guide.

    2. Synchronize the time on all servers where Siebel and Oracle Access Manager components are installed; Oracle Access Manager session timing depends on it.

    3. In the Policy Manager, create a policy domain to protect Siebel resources on the Web servers where Siebel and the WebGate are installed, as described in the Oracle Access Manager Access Administration Guide. Each Siebel application has its own document directory; you can either protect each application individually or protect the higher-level directory under which the applications reside. Oracle Access Manager sets header variables that are passed on to the Siebel application so that only the authenticated user is admitted.

    4. In the Authorization Rules, Actions page of the policy domain protecting the Siebel resource, configure the action that maps the Oracle Access Manager uid attribute to the header variable from which Siebel reads the uid.

    5. Remove the default no-cache HTTP pragmas that Oracle Access Manager sets. In the Access System Console, clear the values of these AccessGate configuration parameters for your AccessGate:

    CachePragmaHeader=no-cache

    CacheControlHeader=no-cache

    Clearing them means the WebGate no longer forces browsers and intermediate proxies to discard protected responses, so serve the Siebel application over HTTPS and make sure no shared proxy in the path caches it.


    6. Note: The header variable name set in the Oracle Access Manager policy must equal the value of the UserSpec parameter in the eapps.cfg file. In the following example, uid is mapped to the SSO_SIEBEL_USER HTTP header variable:

    Type: HeaderVar

    Name: SSO_SIEBEL_USER

    Attribute: uid

    Note that the eapps.cfg example later in this document uses SIEBEL_SSO_USER; the two examples differ, so pick one name and use it in both places. Because the Siebel Web Server Extension trusts whatever value arrives in this header, the Siebel Web server must only be reachable through the WebGate-protected instance: any path that reaches it without passing the WebGate would let a client set the header itself and log in as any user.

    7. In the Authorization Rules, Allow Access page of the policy domain, select the Oracle Access Manager/Siebel users to whom you want to grant access to the resources protected by the policy domain.

    I. Create/Enable an Access Gate Configuration in the Access Server.

    1) Access the Oracle Access Manager Admin Site, for example http://10.217.30.136/access/oblix/ or http://sdcr710i001n.us.oracle.com/access/oblix/

    2) Click the Access System Console link and log in (example lab credentials: oamadmin/oamadmin):


    If a shared environment is used, someone may already have set up an AccessGate for your VCAP machine name. First click AccessGate Configuration and search for an AccessGate with your machine name. Note: Clicking Go on the right of the screen (scroll right) without specifying any search criteria returns all AccessGate configurations for this Access Server.

    If the search returns an AccessGate with your machine name, click the name of the AccessGate and verify its settings against the steps in this section of the document.

    After clicking an existing AccessGate configuration, the Modify and List Access Servers buttons at the bottom of the page let you change the settings mentioned below if necessary.

    If no AccessGate exists with your machine name, click Add New Access Gate to create one.


    Enter the following required fields:

    AccessGate Name: example SDCDL383I091
    Hostname: <Siebel web server (SWSE) FQDN>, example Sdcr710i006c.us.oracle.com
    Port: <Siebel web server (SWSE) port number>, example 80


    Access Gate Password and Re-type Access Gate Password: example Siebel (a lab value; this password is what the WebGate presents to the Access Server, so use a strong, unique one in production)

    In the Web Server Client section:

    Primary HTTP Cookie Domain: <Siebel web server (SWSE) FQDN>, e.g. Sdcr710i006c.us.oracle.com
    Preferred HTTP Host: <Siebel web server (SWSE) FQDN>, e.g. Sdcr710i006c.us.oracle.com

    Remove the default no-cache HTTP pragmas that Oracle Access Manager sets: clear the values of the following AccessGate configuration parameters for your AccessGate:

    CachePragmaHeader: no-cache

    CacheControlHeader: no-cache

    Click the Save button at the bottom of the page to save the new AccessGate configuration. Note: You will receive an error message stating that this configuration is not associated with an Access Server; associating it is the next step.


    Click the List Access Servers button at the bottom of the page to associate this AccessGate configuration with the TS Lab Access Server.

    Click Add. Select the sdcr710i001n.us.oracle.com (10.217.30.136) Access Server and set it as the Primary server.


    Click Add to receive this screen showing the Access server has been added to the AccessGate Configuration.

    Click Back and then click the AccessGate Configuration Button


    Click Go to show all the configured AccessGates and confirm that your AccessGate configuration exists.

    II. Create a Host Identifier for the Siebel web server.


    This will be used later in the Policy Domain configuration. Click Host Identifiers on the left to show the hosts that have already been configured.

    If your Siebel Web Server host name does NOT exist, click Add. NOTE: If your host name already exists, move on to the WebGate installation below. Enter the Siebel web server FQDN as the Name and as the first Hostname Variation, e.g. Sdcr710i006c.us.oracle.com. Click the + next to Hostname Variations and add an entry for just the short host name of the Siebel web server machine. Click Save.

    List every name (and name:port combination) by which the web server can be reached; a request that uses a variation not listed here does not match the policy. Setting Preferred HTTP Host on the AccessGate, as done above, makes the WebGate evaluate policies against that name regardless of the Host header the client sent.


    III. Installing the web gate plug-in on the Siebel web server. (Oracle_Access_Manager10_1_4_0_1_Win32_ISAPI_WebGate.exe)

    Click Next


    Select webserver platform to be used: IIS:


    Accept default directory:


    Click Next:


    Select Open as the transport security mode. In Open mode the traffic between the WebGate and the Access Server is neither encrypted nor mutually authenticated; this is acceptable for the lab setup described here, but a production deployment should use Simple or Cert mode, and the mode chosen here must match the mode configured on the Access Server.

    Click Next.


    The entries on this screen tell the WebGate plug-in to use the AccessGate configuration that was completed in the Access System Console in section I, so the WebGate ID and password must match that configuration:

    WebGateID: e.g. sdcdl383i098 (the AccessGate Name from section I)
    Password for WebGate: e.g. siebel (the AccessGate password from section I)
    Access Server ID: e.g. sdctslab_AccessSrvr1 (the lab Access Server)
    Hostname for the Access Server: e.g. sdcr710i001n.us.oracle.com
    Access Server Port: e.g. 6021, the default Access Server port

    Click Next:


    Continue clicking the Next button in the setup wizard until the install is complete. As stated in the screen shot above, restart the IIS Admin service after the WebGate installation finishes.

    IV. Confirm the installation of the web gate plug-in on the Siebel web server.

    After the web server (IIS) restart, confirm that the WebGate installation was successful using the following template URL on the Siebel web server: http(s)://host:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1 In this case, it would be:


    http://Sdcr710i006c.us.oracle.com/access/oblix/apps/webgate/bin/webgate.dll?progid=1

    This screen shows a successful installation of the WebGate.

    V. Add the AccessGate/WebGate to the Siebel Policy Domain.

    Access the Policy Manager by clicking the Policy Manager link in the top right-hand corner of the Access System Console.

    Click the My Policy Domains link to reach the Siebel policy domain that has been set up for the TS Labs.

    Click the Siebel link to open the configuration of this policy domain.


    Click the Resources tab to view the resources this policy domain currently protects. This tab shows which web servers and URLs the Siebel policy domain covers. In this example, the policy protects every URL (URL Prefix = /) on the sdcdl383i091.corp.siebel.com web server host. It is possible to protect a particular virtual directory instead of the whole web server by specifying a URL prefix such as /callcenter_enu.

    Note: Once resource rules are created they cannot be modified. To change an existing resource rule, delete it and create a new one. To delete an existing rule, click the check box next to it and then click the Delete button:


    To add a resource rule, click the Add button.

    Select the Host Identifier for your web server machine that was created earlier in these steps. Enter the appropriate URL Prefix if necessary. In the example below, the finsebanking_enu virtual directory on this web server is being protected. If this value is left blank, all URLs on the web server are protected. You can create multiple resource rules for the same web server, which makes it possible to protect specific virtual directories; remember that a Siebel virtual directory not covered by any rule is served without an Oracle Access Manager challenge. Click the Save button to save the rule.


    Click the Save button and the OK button to save the rule.

    This confirms the rule was created.

    VI. Testing the resource rule with the Access Tester.

    On the Siebel web server machine, restart the IIS Admin service.


    Navigate back to the Policy Domain section of the OAM portal and click the Access Tester link in the Policy Domain Manager. Enter the following:

    URL: a URL that matches the resource rule that was created.
    Resource Operation: check both GET and POST.
    Date/Time Access: any
    Select All Users
    Show Both
    Check Show Matching Policy
    Check Show Matching Rule


    Click Submit and then OK

    The following shows a successful test.


    VII. Testing the resource rule with your browser.

    Enter the rule URL. You should receive a Basic authentication dialog like the one shown here (the NT-style credential prompt) asking for credentials. These credentials are LDAP users in the sdcr710i001n.us.oracle.com (10.217.30.136) LDAP directory.


    If you do not receive this dialog box, please check the previous steps in this document and also ensure that you have restarted the IIS admin service.
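    The checks in sections IV and VII can be scripted so they are re-run after every policy or AccessGate change. The following is an added example and not part of the guide or of any Oracle product; it assumes Python 3.8+ with the standard library only, and the host names in its comments are placeholders. It fetches the WebGate diagnostic page, then classifies what the Siebel web server returns to an anonymous request for the protected URL (a Basic or Negotiate challenge, a redirect to the OAM login form, or, the failure case, the page itself), and optionally confirms that valid credentials yield the OAM ObSSOCookie.

```python
# Added example, not part of the guide: scripted version of the checks in
# sections IV and VII (WebGate diagnostic page, then an anonymous request to
# the protected Siebel URL). Assumed: Python 3.8+, standard library only;
# host names in comments are placeholders.
import base64
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WEBGATE_DIAG = "/access/oblix/apps/webgate/bin/webgate.dll?progid=1"


def _pairs(headers):
    """Accept a dict or a list of (name, value) pairs; repeated Set-Cookie survives as pairs."""
    return list(headers.items()) if isinstance(headers, dict) else list(headers)


def classify(status, headers):
    """Classify the reply to an unauthenticated GET of a URL that the policy
    domain's resource rule is supposed to cover."""
    h = {k.lower(): v for k, v in _pairs(headers)}
    if status == 401 and "www-authenticate" in h:
        return "challenged"    # Basic (browser credential dialog) or WIA (Negotiate)
    if status in (301, 302, 303, 307, 308) and "location" in h:
        return "redirected"    # Form scheme: sent to the OAM login form
    if 200 <= status < 300:
        return "open"          # served with no challenge: no resource rule matched
    return "error"


def has_obsso_cookie(headers):
    """True if the reply sets ObSSOCookie, the OAM 10g session cookie that a
    successful WebGate authentication hands to the browser."""
    return any(k.lower() == "set-cookie" and "ObSSOCookie=" in v for k, v in _pairs(headers))


def fetch(url, auth=None, timeout=10):
    """GET url without following redirects; returns (status, header pairs)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None        # make urllib raise HTTPError on 3xx instead of following it
    req = urllib.request.Request(url)
    if auth:                   # Basic scheme: the WebGate reads the Authorization header
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return r.status, list(r.headers.items())
    except urllib.error.HTTPError as e:
        return e.code, list(e.headers.items())


def check_siebel_sso(protected_url, auth=None):
    """Run the guide's checks: the WebGate diagnostic page answers, the
    protected URL is not served anonymously, and (optionally) valid credentials
    yield an ObSSOCookie."""
    p = urlsplit(protected_url)
    diag_status, _ = fetch(f"{p.scheme}://{p.netloc}{WEBGATE_DIAG}")
    anon_status, anon_headers = fetch(protected_url)
    result = {"webgate_installed": diag_status == 200,
              "anonymous": classify(anon_status, anon_headers)}
    if auth:
        st, hd = fetch(protected_url, auth=auth)
        result["login"] = "ok" if st == 200 and has_obsso_cookie(hd) else f"failed ({st})"
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # python check_webgate.py http://swse.example.com/sales_enu/start.swe [user password]
        creds = (sys.argv[2], sys.argv[3]) if len(sys.argv) >= 4 else None
        print(check_siebel_sso(sys.argv[1], creds))
    else:
        # Offline demonstration on constructed replies (no server needed).
        print(classify(401, {"WWW-Authenticate": 'Basic realm="Siebel"'}))
        print(classify(200, {"Content-Type": "text/html"}))
```

    An "open" result for the anonymous request is the one to act on: it means the URL you tested matches no resource rule (wrong Host Identifier, wrong URL prefix, or the WebGate not loaded in IIS), and the Siebel page is being served to anyone.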

    Configuring the LDAPSecAdpt and OM for Oracle Access Manager SSO authentication.

    I. Configure the SWSE for SSO

    Open the eapps*.cfg file for the application that you are configuring for single sign-on.


    Configure the following single sign-on related parameters in the application's section:

    SingleSignOn = True (turns on single sign-on for the SWSE)
    TrustToken = HELLO (must match the value in the security adapter profile configured later in this document)
    UserSpec = SIEBEL_SSO_USER (the name of the HTTP header in which the TS lab Access Server sends the user ID)
    UserSpecSource = Header (tells the SWSE to look for the UserSpec value in an HTTP header)
    ProtectedVirtualDirectory = /sales_enu (set to the name of the section, that is, the application's virtual directory)

    The TrustToken is the shared secret by which the security adapter verifies that the user name was supplied by the SWSE rather than by anything else that can reach the Object Manager, so treat it as one: use a value that cannot be guessed (HELLO is a lab value) and restrict read access to eapps.cfg.

    Stop and restart IIS:


    II. Configure the LDAP enterprise profile for SSO

    Important Note: In Siebel versions 7.5.3.4 and higher, 7.7, and 8.0, the IBM 5.1 LDAP client installation is required on the Siebel server running the Object Manager in order to use the Siebel Standard LDAP security adapter. Check this requirement for the Siebel version that you are testing.

    Log in to an employee-facing application as sadmin. Click the Site Map button.

    Click the Administration - Server Configuration link, then click Profile Configuration for the enterprise.

    Select the standard LDAPSecAdpt profile.


    Enter the following values for the Oracle Access Manager LDAP directory:

    Server Name: 10.217.30.136 or sdcr710i001n.us.oracle.com
    BaseDn: ou=people,dc=corp,dc=siebel,dc=com
    ApplicationUser: uid=appuser,ou=people,dc=corp,dc=siebel,dc=com
    ApplicationPassword: appuser
    SharedCredentialsDn: uid=sharedcredentials,ou=people,dc=corp,dc=siebel,dc=com
    CredentialsAttributeType: mail (username=sadmin password=sadmin)
    UserNameAttributeType: uid (the attribute in the LDAP directory that contains the Siebel user name)
    Propagate Change: False (turns off LDAP updates from the Siebel application)
    Single Sign On: True
    Trust Token: HELLO (must match TrustToken in the SWSE application section)

    The ApplicationUser and shared credentials shown here are lab values. The application user needs only read access to the user entries, and the shared credentials entry holds the database login that the Object Manager uses on behalf of every SSO user, so restrict which directory accounts can read that entry.


    III. Configure the Object Manager to use the LDAPSecAdpt profile. Click the Site Map > Servers in Administration Server Configuration. Select Components


    Select the Object Manager that you are configuring to use SSO.

    Click the Parameters tab in the lower applet. Query for Sec* and set Value on Restart to the values shown below. While you are here, turn on security adapter logging in case errors occur, or to confirm that the security adapter is in fact being used: click the Events tab, query for Sec* again (if necessary), and set the values shown below.

    Restart the Siebel server service.


    IV. Test the Object Manager SSO configuration.

    A. Valid user test (sadmin seed data user). Enter the application URL and type sadmin/sadmin when prompted. Note: If you are not prompted for this URL, the WebGate/AccessGate is not installed or configured correctly; review Part 1, WebGate/AccessGate installation/configuration.

    If you see this, you are almost there.


    This shows the home page welcome message for the sadmin SSO user.
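    The three configuration steps above (eapps.cfg, the LDAPSecAdpt profile, and the Object Manager) form one trust chain: the WebGate sets the UserSpec header, the SWSE reads it, and the security adapter accepts the name only when the SWSE's TrustToken matches its own. The following is an added example that models that chain in Python; it is not Siebel or Oracle Access Manager code. It parses a constructed eapps.cfg section with the consistency rules stated above, then shows the normal path (the WebGate overwrites any header the client sent) and the failure mode the note in step 6 warns about (a request that reaches the SWSE without passing the WebGate). The eapps.cfg text, host names, DNs, users and the in-memory directory are all constructed for the example; it assumes Python 3.8+ with the standard library only.

```python
# Added example (not Siebel or OAM code): a model of the trust chain that the
# SWSE, LDAPSecAdpt and Object Manager steps above configure.
# Assumed: Python 3.8+, standard library only. The eapps.cfg text, host names,
# DNs and users below are constructed for the example.
import configparser
from dataclasses import dataclass

# Constructed eapps.cfg fragment; parameter names follow the guide.
EAPPS_CFG = """\
[defaults]
AnonUserName = GUESTCST
AnonPassword = GUESTCST

[/sales_enu]
ConnectString = siebel.TCPIP.None.None://siebelsrv.example.com:2321/SBA_80/SSEObjMgr_enu
SingleSignOn = True
TrustToken = HELLO
UserSpec = SIEBEL_SSO_USER
UserSpecSource = Header
ProtectedVirtualDirectory = /sales_enu
"""

# Stand-in for the LDAP directory the adapter profile points at, keyed by uid
# (the UserNameAttributeType), and for the profile parameters set in section II.
DIRECTORY = {
    "sadmin": "uid=sadmin,ou=people,dc=example,dc=com",
    "jdoe": "uid=jdoe,ou=people,dc=example,dc=com",
}
SEC_ADAPTER_PROFILE = {"SingleSignOn": True, "TrustToken": "HELLO"}


@dataclass
class SsoSettings:
    trust_token: str
    user_spec: str
    user_spec_source: str
    protected_vdir: str


def load_sso_settings(cfg_text, section):
    """Read the SSO parameters of one eapps.cfg application section and apply
    the consistency rules the guide states."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str            # keep parameter names exactly as written
    cp.read_string(cfg_text)
    s = cp[section]
    if s.get("SingleSignOn", "False").strip().lower() != "true":
        raise ValueError(f"{section}: SingleSignOn is not True")
    st = SsoSettings(s.get("TrustToken", ""), s.get("UserSpec", ""),
                     s.get("UserSpecSource", ""), s.get("ProtectedVirtualDirectory", ""))
    if st.protected_vdir != section:
        raise ValueError(f"{section}: ProtectedVirtualDirectory must equal the section name")
    if st.user_spec_source != "Header" or not st.user_spec:
        raise ValueError(f"{section}: UserSpecSource must be Header and UserSpec must be set")
    if not st.trust_token:
        raise ValueError(f"{section}: TrustToken is empty")
    return st


def settings_error(cfg_text, section):
    """Return the validation error for a section, or None if it is consistent."""
    try:
        load_sso_settings(cfg_text, section)
        return None
    except ValueError as e:
        return str(e)


def webgate_forward(client_headers, authenticated_uid, header_name):
    """Model of the policy action 'HeaderVar <header_name> <- uid': once OAM has
    authenticated the user, the WebGate sets the header to the directory uid,
    replacing any value the client sent under that name."""
    out = {k: v for k, v in client_headers.items() if k.upper() != header_name.upper()}
    out[header_name] = authenticated_uid
    return out


def security_adapter_login(user, trust_token, profile=SEC_ADAPTER_PROFILE, directory=DIRECTORY):
    """Model of LDAPSecAdpt in SSO mode: no password check; the token the SWSE
    presents must equal the profile's TrustToken and the user must exist."""
    if not profile["SingleSignOn"] or trust_token != profile["TrustToken"]:
        return None
    dn = directory.get(user)
    return {"uid": user, "dn": dn} if dn else None


def swse_login(request_headers, settings):
    """Model of the SWSE: take the user from the UserSpec header and hand it,
    with the TrustToken, to the security adapter. The header is trusted as-is."""
    user = request_headers.get(settings.user_spec)
    return security_adapter_login(user, settings.trust_token) if user else None


if __name__ == "__main__":
    st = load_sso_settings(EAPPS_CFG, "/sales_enu")
    # Normal path: jdoe authenticates to OAM; the forged header is overwritten.
    hdrs = webgate_forward({"SIEBEL_SSO_USER": "sadmin", "Host": "swse.example.com"},
                           "jdoe", st.user_spec)
    print(swse_login(hdrs, st))                              # jdoe, not sadmin
    # Bypass path: the same request reaches the SWSE on a host or port the
    # WebGate does not cover, so the forged header is believed.
    print(swse_login({"SIEBEL_SSO_USER": "sadmin"}, st))    # sadmin: accepted
```

    The second call in the main block is the point of the example: nothing in the SWSE or the security adapter can tell a WebGate-set header from a client-set one, which is why the web server instance that hosts the SWSE must be reachable only through the WebGate-protected listener, and why the TrustToken must stay secret.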

    Known Third Party Issues

    The following issues are known in relation to third parties:

    Siteminder: The ERP Agent for Siebel (also known as the Web Agent) and the Siteminder Policy Server are used to obtain the user identity in the form of an HTTP header variable called SIEBELUSER and the SSO authentication ticket. Keep the Siteminder ERP Agents running on the Siebel Web Server as-is.

    Siteminder: For customers who have implemented Siteminder SSO with Siebel, note that the custom security adapter cannot be used for the Siebel - BIP Reports integration.

    Siteminder: An extra '//' in a URL passed to Siebel is blocked by Siteminder as not conforming to http://tools.ietf.org/html/rfc2397. Oracle has fixed this issue as of 8.1.1.9/8.2.2.2. As a workaround, configure the Siteminder parameter BadQueryChar to specify one or more characters that are considered bad in an HTTP request.

    My Oracle Support resources:

    OAM and Siebel Integration:

    Siebel SSO Integration with Third Parties (Doc ID ???????)