This section describes features and considerations associated with user login to Siebel applications.
A login page or a login form embedded in a Siebel application page is the means by which user credentials are collected. Figure 12 shows a login form embedded in the Siebel eService home page.
A user is required to log in, thereby identifying himself or herself as a registered user, to be allowed access to protected views in Siebel applications. Protected views are designated for explicit login. Views that are not designated for explicit login are available for anonymous browsing, if the Siebel application allows anonymous browsing.
For information about setting view properties, see Siebel Tools Reference.
For information about anonymous browsing, see Anonymous Browsing.
Siebel applications also provide other features on a login form besides user credentials collection, such as remembering a user name and password and providing forgotten password support.
Alternatively, you can configure a Siebel application to bypass the login form by providing the required user ID and password in the URL that accesses the application.
Remember My User ID and Password
A user can check the Remember My User ID and Password check box when logging into a Siebel application. By doing so, the user can access the same Siebel application through other browser instances without having to log in again. The functionality is available only during the current Web session.
Remember My User ID and Password uses the auto-login cookie that the Siebel Web Engine provides when a session is started. This functionality requires that cookies are enabled.
For information about cookies and session management, see Cookies and Session Management.
Forgot Your Password?
Forgot Your Password? allows a user who has forgotten the login password to get a new password. A seed workflow process provides interactive questions by which the user identifies himself or herself.
For information about Forgot Your Password?, see Forgot Your Password?.
For enhanced security, you may want to implement the following account policies. Account policies are functions of your authentication service. If you want to implement account policies, you are responsible for setting them up through administration features provided by the authentication service vendor.
- Password syntax rules, such as minimum password length. When creating or changing passwords, minimum length requirements and other syntax rules defined in the external directory will be enforced by the Siebel application.
- An account lockout after a specified number of failed attempts to log in. Account lockout protects against password guessing attacks. Siebel applications support lockout conditions for accounts that have been disabled by the external directory.
- Password expiration after a specified period of time. The external directory can be configured to expire passwords and warn users that passwords are about to expire. Password expiration warnings issued by the external directory will be recognized by Siebel applications and users will be notified to change their passwords.
Password expiration is handled by the external LDAP directory or Active Directory. When a password is about to expire, the directory provides warning messages to the Siebel application to display when the user logs in. The warning indicates the user's password is about to expire and should be changed. If the user ignores such warnings and allows the password to expire, then the user will not be allowed to log into the application to change the password.
For example, to enable password expiration on a Sun ONE Directory Server, use the Directory Server's console or command line interface to set the passwordExp and passwordMaxAge attributes. For more information, see the documentation provided with your external LDAP directory.
To enable password expiration on ADSI, set the Maximum Password Age password policy (corresponding to the maxPwdAge domain attribute), and make sure that Password Never Expires is not set for each user. The Password Last Set (pwdLastSet) user attribute stores when the user's password was last changed. For more information, see the documentation provided with ADSI.
When you configure password expiration for LDAP or ADSI, you also add the PasswordExpireWarnDays parameter to the [LDAP] or [ADSI] section of the Siebel application configuration file, as appropriate. Set the value to the number of days you want to provide the warning message before the password expires.
Password expiration is supported for Security Adapter and Web Single Sign-On authentication, but not for database authentication.
Users can log into a Siebel application by presenting user credentials as parameters in a URL. The user does not have to manually type credentials into a login form.
CAUTION: By using URL login, user passwords are transmitted in clear text over the network.
The easiest, but least secure, option for a form of Web SSO to Siebel applications is to make explicit login requests to a Siebel customer or partner application from navigational entry points to the application. This option works best if the number of navigational entry points to the Siebel application is small, if you are not concerned about users knowing their Siebel username and password, and if you are not deploying a full Web SSO infrastructure.
Following is a sample showing the URL syntax:
NOTE: The parameter names in the URL are case-sensitive.
You can create a single URL that contains a path to a predefined view in addition to a user's login credentials. You must use a SWEAC expression, as shown in the following example. This example shows a drilldown to a particular service request, after the user has logged in. In this example, the username and password for GUEST are represented using escape characters: %48%4B%49%4D. (Note that such character strings are not secure.)
NOTE: You must use commas instead of ampersands (&) as delimiters between arguments in an SWEAC expression.
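Because URL login places credentials in the query string, they also end up in Web server access logs. The following added example (not part of the original guide or of any Siebel product code) scans constructed access-log lines for such requests, including credentials nested inside a comma-delimited SWEAC expression and written as percent escapes; the parameter names SWEUserName and SWEPassword are assumed here, as the page does not name them.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names assumed for this example (the page does not name them):
# the user name and password fields of a URL login request.
USER_PARAM = "SWEUserName"
PASSWORD_PARAM = "SWEPassword"

# Constructed access-log lines (not from the original document). Line 2 places
# the credentials inside a comma-delimited SWEAC expression, with the letters
# of GUEST written as percent escapes (%47%55%45%53%54), as the page describes.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jun/2003:10:01:02 +0000] "GET /eservice/start.swe?'
    'SWECmd=ExecuteLogin&SWEUserName=GUEST&SWEPassword=GUEST HTTP/1.1" 200 512',
    '10.0.0.6 - - [23/Jun/2003:10:02:15 +0000] "GET /eservice/start.swe?'
    'SWECmd=ExecuteLogin&SWEAC=SWEUserName%3d%47%55%45%53%54,'
    'SWEPassword%3d%47%55%45%53%54 HTTP/1.1" 200 512',
    '10.0.0.7 - - [23/Jun/2003:10:03:40 +0000] "GET /eservice/start.swe?'
    'SWECmd=GotoView&SWEView=Home HTTP/1.1" 200 1024',
]

def siebel_query_params(url):
    """Return (name, value) pairs from a Siebel URL, including pairs nested
    inside a SWEAC expression, whose arguments are delimited by commas rather
    than ampersands. Names are compared case-sensitively, as Siebel does."""
    params = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        params.append((name, value))
        if name == "SWEAC":
            for arg in value.split(","):
                inner = unquote(arg)  # undo a second layer of percent-encoding, if any
                if "=" in inner:
                    params.append(tuple(inner.split("=", 1)))
    return params

def find_url_credentials(log_lines):
    """Report log lines whose request URL carries a password parameter. The
    password is already exposed on the wire and in the log, so only the line
    number and user name are returned, never the password itself."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        params = dict(siebel_query_params(m.group(1)))
        if PASSWORD_PARAM in params:
            findings.append({"line": lineno, "user": params.get(USER_PARAM, "?")})
    return findings

if __name__ == "__main__":
    for f in find_url_credentials(SAMPLE_LOG):
        print(f"line {f['line']}: URL login with cleartext password for user {f['user']}")
```

Percent escapes are decoded by the same parser that handles every request, which is why the page notes that such strings are not secure.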
Security Guide for Siebel eBusiness Applications
Published: 23 June 2003