Web SSO Configuration Guide
Chapter 1
Setting Up Web Single Sign-On Solution

This guide describes the steps required to enable Web Single Sign-On (SSO) between Siebel 7.5 and Sun ONE Identity Server 6.0. Web SSO services allow a user to access multiple, distributed web-based applications, services, or sites during a single session without having to reauthenticate when switching between them.
The topics covered in this document include:
Need for Identity Management

Today, a typical business environment has numerous applications and services deployed throughout its enterprise. The identity information for each of these applications and services is most likely maintained separately. If each component manages its own identities, identity information becomes widely distributed: it lives on different operating systems, is governed by different security rules and standards, and is owned and controlled by a dispersed group of individuals. As the number of components in an enterprise grows, distributed identity management becomes problematic for IT organizations: the size, cost, and maintenance of the infrastructure skyrocket, redundancy increases, and security risks grow.
The solution to this problem lies in implementing a centralized identity management infrastructure. If every application and service in an enterprise used the same identity management infrastructure for managing the identities of their users, including authentication, authorization, roles and policies, then a lot of the problems that IT organizations face today, including increased cost, redundancy, and security risks, could be alleviated. Such a centralized identity management infrastructure, which includes directory services, access management, identity provisioning, and identity administration, is what the Sun ONE Identity Management framework provides through its suite of products.
Sun ONE Identity Server 6.0
One of the core products in the Sun ONE Identity Management framework is the Sun ONE Identity Server. It helps organizations manage secure access to web-based resources via access management services that enable web single sign-on, identity administration, and directory services. Web single sign-on services allow a user to access multiple, distributed web-based applications, services, or sites during a single session without the need for reauthentication as the user switches between components. Since web single sign-on through Sun ONE Identity Server greatly enhances the overall user experience and solves one of the most complex IT problems, it is the focus of this integration with Siebel.
Siebel 7.5 and Security Architecture
Siebel 7.5 applications, the latest release of Siebel eBusiness Applications, provide market-leading depth and breadth of functionality in sales, marketing, service, and partner relationship management.
To understand the web single sign-on solution between Sun ONE Identity Server 6.0 and Siebel 7.5, it is important to understand the security architecture of this product. Siebel 7.5 adheres to commonly accepted security standards to facilitate the integration of the application into the customer’s business environment and security infrastructure. These industry-wide security standards are used to support three authentication methods in Siebel 7.5. Each of these authentication methods is briefly explained below.
- Native Database Authentication - In this method, the underlying security system of the database verifies user credentials for Siebel 7.5. Each user must have a valid database account in order to access the Siebel application.
- Security Adapters for External Authentication - Siebel 7.5 includes a preconfigured security adapter interface to allow organizations to externalize credential verification. The interface connects to a security adapter, which contains the logic to validate credentials to a specific authentication service. Customers of Siebel Systems, Inc. can therefore verify user credentials with security standards such as the Lightweight Directory Access Protocol (LDAP). Siebel 7.5 includes security adapters for the leading authentication services. In addition, Siebel also provides a developer’s toolkit so that customers can build customized security adapters.
- Web Single Sign-On - Siebel 7.5 offers customers the ability to enable a single login across multiple web applications. This is also known as Web SSO. With Web SSO, users are authenticated independently of Siebel applications, either through a third-party authentication service or through the web server. Web SSO with Siebel can be achieved in two different modes: server mode and header mode.
Integration Process

This section provides an overview of the integration between Sun ONE Identity Server 6.0 and Siebel 7.5 to achieve Web SSO.
This integration was done using the Siebel 7.5 Call Center application; it can be applied to other Siebel applications as well. Header mode is the Web SSO mode used for this solution. In header mode the web server side (here, the policy agent) places the authenticated user's identity in an HTTP header, and the Siebel Web Server Extension passes that value to the Siebel Web Engine. Because the Siebel side trusts this header, the web server must be the only path to the Siebel Web Engine, and the agent must overwrite any value of that header supplied by the client; otherwise a client could assert an arbitrary identity.
Supported Platforms
The following table displays the agents available for the web servers supported by Siebel.
Overview
This integration uses Siebel’s LDAP Security Adapter in conjunction with the LDAP authentication module of Sun ONE Identity Server. All user data and application information for Siebel are stored in a relational database. This integration uses Sun ONE Identity Server and Siebel Security Adapter for authentication only. To understand how the users get logged onto their Siebel application, even though they authenticate to Sun ONE Identity Server, it is important to know how the Siebel Security Adapter works in conjunction with Sun ONE Identity Server.
This Web SSO solution uses the traditional policy agent implementation model, in which a URL Policy Agent is installed on the web server hosting the Siebel application. All HTTP requests are intercepted by the agent and, in the absence of an SSOToken, the user is redirected to the Sun ONE Identity Server 6.0 login page for authentication. Upon successful authentication, the agent populates a predetermined header variable with the Siebel uid. The Siebel Web Server Extension (SWSE) extracts this header value and passes the authenticated user's name, together with the trust token configured in eapps.cfg, to the authentication manager, a component of the Siebel Object Manager. The security adapter accepts the user name only if that trust token matches the TrustToken value in the application configuration file; it then looks the user up in Sun ONE Directory Server, which returns the user's Siebel uid and database account to the authentication manager. The Siebel Object Manager then uses the returned database credentials to connect the user to the database and identify the user. Figure 1-1 depicts the deployment architecture and SSO process flow.
Figure 1-1 Deployment Architecture and SSO Process Flow
Pre-requisites to Integration
Before you begin the integration, make sure that:
- Siebel and all of its required components, including the web server and the database server, are installed and running in the environment. For detailed information on how to do this, please refer to the Siebel Bookshelf.
- Sun ONE Identity Server, including Sun ONE Directory Server, is installed and running. For information on how to install these products, please refer to the Sun ONE Identity Server product documentation.
Integration Steps
Once you have the products mentioned above installed and running, follow the steps listed below to enable Web SSO between Siebel 7.5 and Sun ONE Identity Server.
- Set up Sun ONE Directory Server 5.1 so that the database accounts and the user’s Siebel uid can be retrieved.
Users in the Siebel database must correspond to users in Sun ONE Directory Server.
Users in Sun ONE Directory Server must have attributes containing values for the Siebel uid, password, and database account. The attribute names must correspond to what is configured in the web server plug-in configuration file, eapps.cfg, and in the Call Center configuration file, uagent.cfg. The web server plug-in configuration file is located in the $WEB_PLUGIN_HOME/bin directory on the web server machine. The Call Center configuration file is located in the $SIEBEL_HOME/siebsrvr/bin directory on the Siebel server machine. If you are using a Siebel application other than Call Center, look at that application's configuration file rather than the Call Center configuration file.
- Edit the parameters in the web server plug-in configuration file, eapps.cfg, residing on the web server machine to have the following values:
- Edit the parameters in the Call Center configuration file, uagent.cfg, as described below. If you are using another Siebel application, make sure to edit the appropriate configuration file in a similar manner (see Appendix C).
Code Example 1-2
[LDAP]
; Security adapter library and the directory it connects to
DllName = libsscfldap.so
ServerName = e450b.sunmde.com
Port = 389
BaseDN = "ou=People,o=siebel.com"
; Entry whose credentials attribute holds the shared database account
SharedCredentialsDN = "uid=sadmin,ou=People,o=siebel.com"
; Directory attributes holding the Siebel uid, password and database account
UsernameAttributeType = uid
PasswordAttributeType = userPassword
CredentialsAttributeType = dbaccount
;RolesAttributeType = siebelrole
;SslDatabase =
; Account the adapter binds as when searching the directory
ApplicationUser = "uid=amAdmin,ou=People,o=siebel.com"
ApplicationPassword = netscape1
;EncryptApplicationPassword = FALSE
;EncryptCredentialsPassword = FALSE
; Web SSO: accept the user name passed by SWSE only when it carries this trust token;
; the same TrustToken value must be configured in eapps.cfg
SingleSignOn = TRUE
TrustToken = siebel2sun
;UseAdapterUsername = FALSE
;SiebelUsernameAttributeType =
;UseRemoteConfig =
- Install Sun ONE Identity Server Policy Agent, version 2.0, on the web server hosting the Siebel application. For information on how to install this agent, please refer to the policy agents documentation at http://docs.sun.com/db/coll/S1_IdServ_60.
- Modify the AMAgent.properties file so that the policy agent sets values in the HTTP header. AMAgent.properties is the configuration file for the policy agent. It is typically located at /etc/opt/SUNWam/agents/es6/config/_opt_SUNWam_servers_<webserver_instance>/AMAgent.properties. In the file, set the following properties. fetchHeaders turns header population on; headerAttributes lists LDAP-attribute|header-name pairs, so uid|uid copies the authenticated user's uid attribute into a header named uid, which must be the header name the SWSE is configured to read in eapps.cfg.
com.sun.am.policy.am.fetchHeaders=true
com.sun.am.policy.am.headerAttributes=uid|uid
- Create policies in Sun ONE Identity Server 6.0 to allow/deny access to your Siebel application. The steps for creating policies are documented in the Sun ONE Identity Server Administration Guide, which is located at http://docs.sun.com/source/816-6686-10/index.html.
Policies can be set on users, roles, or organizations. For this integration, policies have been set on the organization.
- Stop the Web Server, Web Server Admin, Siebel Server, and then the Gateway Server. Restart them in the reverse order.
To verify that the integration is successful, access the Call Center application URL. You will be redirected to the Sun ONE Identity Server login page for authentication, and upon successful authentication you will be able to access the Call Center application. Also confirm that a request carrying a hand-crafted uid header but no Identity Server session is still redirected to the login page; if it is not, the identity header can be spoofed.
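As a consistency check for the steps above, here is an added example (not from the guide, and not Sun or Siebel code) that parses the three configuration artefacts the integration depends on, the [LDAP] section of uagent.cfg, the Web SSO parameters of eapps.cfg and the two AMAgent.properties lines, together with one directory entry, and reports the mismatches that most often break the login flow: a TrustToken that differs between the two Siebel files, a header name the agent does not populate, fetchHeaders left off, or a user entry lacking one of the attributes the adapter reads. All inputs are constructed samples with invented hostnames, DNs, passwords and user. Because the guide's eapps.cfg listing is not reproduced on this page, the example assumes the Siebel parameter names UserSpec and UserSpecSource for the header name and its source, placed in the [defaults] section, and it assumes the agent's headerAttributes value is a comma-separated list of ldap-attribute|header-name pairs.

```python
"""Static cross-check of the header-mode Web SSO set-up described in the guide; added example, constructed inputs."""

# Constructed fragment of the [LDAP] section of uagent.cfg, values following the guide's Code Example 1-2.
UAGENT_CFG = """
[LDAP]
UsernameAttributeType = uid
PasswordAttributeType = userPassword
CredentialsAttributeType = dbaccount
ApplicationUser = "uid=amAdmin,ou=People,o=siebel.com"
ApplicationPassword = netscape1
SingleSignOn = TRUE
TrustToken = siebel2sun
"""

# Constructed eapps.cfg fragment; UserSpec / UserSpecSource are assumed parameter names (see lead-in).
EAPPS_CFG = """
[defaults]
SingleSignOn = TRUE
TrustToken = siebel2sun
UserSpecSource = Header
UserSpec = uid
"""

# The two AMAgent.properties lines the guide changes (a sectionless key=value file).
AGENT_PROPS = """
com.sun.am.policy.am.fetchHeaders=true
com.sun.am.policy.am.headerAttributes=uid|uid
"""

# Constructed directory entry for one Siebel user; the dbaccount value format is illustrative only.
USER_LDIF = """
dn: uid=jdoe,ou=People,o=siebel.com
uid: jdoe
userPassword: {SSHA}constructed-hash-value
dbaccount: username=SIEBEL password=constructed-db-password
"""

def parse_cfg(text):
    """Parse [Section] / Key = Value text (';' or '#' comments); keys lower-cased, quotes stripped, pre-section keys in ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections

def parse_ldif_entry(text):
    """Collect attribute -> [values] for one LDIF entry, attribute names lower-cased."""
    attrs = {}
    for raw in text.splitlines():
        name, sep, value = raw.partition(":")
        if sep and not raw.startswith("#"):
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def check_sso(uagent_text, eapps_text, agent_props_text, user_ldif_text):
    """Return 'ERROR: ...' / 'WARN: ...' findings; no ERROR entries means the files agree with each other."""
    findings = []
    ldap = parse_cfg(uagent_text).get("ldap", {})
    eapps = parse_cfg(eapps_text).get("defaults", {})  # the sample keeps its SSO keys in [defaults]
    props = parse_cfg(agent_props_text)[""]
    user = parse_ldif_entry(user_ldif_text)
    for where, cfg in (("uagent.cfg [LDAP]", ldap), ("eapps.cfg", eapps)):
        if cfg.get("singlesignon", "").upper() != "TRUE":
            findings.append("ERROR: SingleSignOn is not TRUE in " + where)
    # TrustToken is the shared secret SWSE presents with the user name; both files must hold the same value.
    if not ldap.get("trusttoken") or ldap["trusttoken"] != eapps.get("trusttoken"):
        findings.append("ERROR: TrustToken is unset or differs between eapps.cfg and uagent.cfg")
    # Without fetchHeaders the agent authenticates the user but never emits the identity header.
    if props.get("com.sun.am.policy.am.fetchheaders", "").lower() != "true":
        findings.append("ERROR: policy agent fetchHeaders is not true; no identity header is set")
    headers = {}  # ldap attribute -> header name; assumed comma-separated 'attr|header' pairs
    for pair in props.get("com.sun.am.policy.am.headerattributes", "").split(","):
        attr, sep, header = pair.strip().partition("|")
        if sep:
            headers[attr] = header
    if eapps.get("userspecsource", "").lower() != "header":
        findings.append("ERROR: eapps.cfg UserSpecSource must be Header for header-mode Web SSO")
    if eapps.get("userspec") not in headers.values():
        findings.append("ERROR: eapps.cfg UserSpec %r is not a header the agent populates" % eapps.get("userspec"))
    # The adapter looks these attributes up in the directory; the user entry must carry all three.
    for param in ("usernameattributetype", "passwordattributetype", "credentialsattributetype"):
        attr = ldap.get(param, "").lower()
        if attr and attr not in user:
            findings.append("ERROR: user entry lacks attribute '%s' named by %s" % (attr, param))
    # Secret hygiene: the adapter's bind password should not sit in cleartext in the .cfg file.
    if ldap.get("applicationpassword") and ldap.get("encryptapplicationpassword", "FALSE").upper() != "TRUE":
        findings.append("WARN: ApplicationPassword is in cleartext; set EncryptApplicationPassword = TRUE")
    return findings

if __name__ == "__main__":
    print("\n".join(check_sso(UAGENT_CFG, EAPPS_CFG, AGENT_PROPS, USER_LDIF)) or "no findings")
```

Run as a script, it prints the findings for the embedded samples; the only one is a warning that ApplicationPassword is stored in cleartext with EncryptApplicationPassword left at its default. Point the four inputs at a deployment's real files to check it. One thing the checker does not flag is the choice of bind account: the guide's example binds as amAdmin, the Identity Server administrator, whereas a dedicated directory account with read access to the user attributes only is the least-privilege choice.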
Known Issues and Limitations
- In header mode, the Siebel applet pop-up window hangs after login. You can work around this by refreshing the browser.
- The integration has been validated in a Solaris environment with Internet Explorer as the client browser. Validation in an all-Windows 2000 environment is soon to follow.