About Web Single Sign-On
In a Web SSO implementation, users are authenticated by a third party at the Web-site level. Siebel Business Applications support this mode of authentication by providing an interface that allows the third party to pass user information to a Siebel application. Once authenticated by the third party, a user does not have to explicitly log into the Siebel application. Web SSO allows you to deploy Siebel Business Applications into existing Web sites or portals.
Web SSO architecture is appropriate for Web sites on which only approved registered users can gain access to sensitive data, such as a Web site on which you share data with your channel partners.
NOTE: Web SSO authentication does not apply to the Siebel Mobile Web Client.
Web SSO Authentication Process
The steps in the Web SSO authentication process are:
- The user enters credentials at the Web site that are passed to the Web server. A third-party authentication client on the Web server passes the user credentials to the third-party authentication service. The third-party authentication service verifies the user credentials and passes the authenticated user's username to the Siebel Web Server Extension (SWSE).
- The SWSE passes the authenticated user's username to the authentication manager. The username can be the Siebel user ID or another attribute.
- The security adapter provides the authenticated user's username to a directory, from which the user's Siebel user ID, a database account, and, optionally, roles are returned to the authentication manager.
- The Application Object Manager (AOM) uses the returned credentials to connect the user to the database and to identify the user.
Web SSO Limitations
Because Web SSO deployments assume that user authentication and user management are the responsibility of the third-party security infrastructure, the following capabilities are not available, as Siebel Business Applications features, in a Web SSO environment:
- User self-registration
- Delegated administration of users
- Login forms
- Logout links or the Log Out menu item in the File application-level menu
- Change password feature (in Profile view of User Preferences screen)
Your Siebel Business Applications may require configuration changes to hide such functionality. For more information, see Configuring Siebel Business Applications.
NOTE: Because Siebel application users in a Web SSO environment cannot use logout features, such users must end the application session by closing the browser window. In Microsoft Internet Explorer, do this by choosing File > Close or by clicking X in the top-right corner of the window. The AOM terminates the task (thread) for the user's session when the session timeout has been reached. The SessionTimeout parameter is located in the eapps.cfg file, on the SWSE. For more information about this parameter, see Parameters in the eapps.cfg File.
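Since Web SSO users cannot log out explicitly, the session timeout is what ends an abandoned session, so the effective SessionTimeout value is worth checking. The following is an added example, not code from the Siebel documentation. It assumes an INI-style eapps.cfg in which application sections inherit from a [defaults] section, a timeout expressed in seconds, and a hypothetical policy ceiling named MAX_IDLE_SECONDS.

```python
import configparser

# Constructed sample in the style of eapps.cfg; not taken from a real deployment.
SAMPLE_EAPPS_CFG = """\
[defaults]
SessionTimeout = 900

[/partnerportal_enu]
SessionTimeout = 28800

[/callcenter_enu]

[/sales_enu]
SessionTimeout = never
"""

MAX_IDLE_SECONDS = 1800  # hypothetical policy ceiling, not a Siebel default


def audit_session_timeouts(cfg_text, max_idle=MAX_IDLE_SECONDS):
    """Map each application section to a finding when its effective
    SessionTimeout is missing, not a positive integer, or above max_idle."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    # Assumption: a section without its own value inherits the one in [defaults].
    inherited = None
    if parser.has_section("defaults"):
        inherited = parser.get("defaults", "SessionTimeout", fallback=None)
    findings = {}
    for section in parser.sections():
        if section == "defaults":
            continue
        raw = parser.get(section, "SessionTimeout", fallback=inherited)
        if raw is None:
            findings[section] = "no SessionTimeout set or inherited"
        elif not raw.strip().isdecimal() or int(raw) == 0:
            findings[section] = f"SessionTimeout {raw!r} is not a positive integer"
        elif int(raw) > max_idle:
            findings[section] = f"SessionTimeout {int(raw)}s exceeds {max_idle}s"
    return findings


if __name__ == "__main__":
    for name, finding in audit_session_timeouts(SAMPLE_EAPPS_CFG).items():
        print(f"{name}: {finding}")
```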
Web SSO Implementation Considerations
Following are some implementation considerations for a Web SSO strategy:
- Users are authenticated independently of Siebel Business Applications, such as through a third-party authentication service or through the Web server.
- You must synchronize users in the authentication system and users in the Siebel Database at the Web site level.
- You must configure user administration functionality, such as self-registration, at the Web site level.
- A delegated administrator can add users to the Siebel Database, but not to the authentication system.
For more information about integrating third-party authentication software with Siebel Business Applications, see Siebel SupportWeb or contact the Siebel Alliance Group.
Microsoft Windows Integrated Authentication
If you deploy Microsoft Windows Integrated Authentication as your Web SSO solution, make sure that your client and Web server meet one of the following conditions:
- Are in the same Windows 2000/2003 domain.
- Are in a trusted Windows 2000/2003 domain where a user's account can be granted access to resources on the computer hosting Microsoft IIS.
NOTE: To deploy Microsoft Windows Integrated Authentication as your Web SSO solution, your Web server must be Microsoft IIS 5.0 or Microsoft IIS 6.0.
For more information, see Microsoft documentation.