
User Authentication for Secure System Access


Siebel Business Applications provide an open authentication architecture that integrates with a customer's selected authentication infrastructure. For more information, see Security Adapter Authentication and Web Single Sign-On Authentication. Siebel Business Applications support three types of user authentication. A logical view of each type of authentication is illustrated in Figure 1, where each arrow represents a Siebel CRM authentication mechanism:

  1. Database authentication. A database security adapter is provided to support database credential collection and verification of users.
  2. LDAP and ADSI authentication. LDAP and ADSI security adapters are provided to support credential collection and verification of users in an LDAP or ADSI-compliant directory.
  3. Web Single Sign-On (Web SSO). A configurable mechanism for communicating with Web SSO infrastructures is provided, allowing for Siebel user authentication by a third party at the Web-site level.

Figure 1. Logical Diagram of User Authentication Methods Within a Siebel Site

Customers can also develop custom security adapters using a security adapter SDK.

The authentication mechanisms illustrated in Figure 1 apply whether users access Siebel Business Applications from within a LAN or WAN, or remotely. Additional information on each method of authentication is provided in the following topics.

Security Adapter for Database Authentication

Siebel Business Applications provide a database security adapter mechanism for credential collection and verification. The default login form collects Siebel user name and password credentials. The security adapter works with the underlying security systems of the database to verify users' credentials.

With database authentication, each user must have a valid database account in order to access a Siebel application. The database administrator (DBA) must add all user database accounts. Database authentication deployment supports password hashing for protection against hacker attacks.

Any Siebel application can use database authentication, which is configured as the default. However, some functionality provided by Siebel Business Applications, such as workflow processes to support user self-registration or forgotten password scenarios (capabilities commonly used in customer applications), requires authentication using LDAP or ADSI security adapters. For this reason, database authentication is rarely used with customer applications.

NOTE:  The exact valid character set for a Siebel user name and password depends on the underlying authentication system. For database authentication, refer to documentation from your RDBMS vendor.

Security Adapters for LDAP and ADSI Authentication

For employee or customer applications, Siebel Business Applications include a preconfigured security adapter interface to allow organizations to externalize credential verification in an LDAP or ADSI-compliant directory. The interface connects to a security adapter, which contains the logic to validate credentials to a specific authentication service.

NOTE:  The exact valid character set for a Siebel user name and password depends on the underlying authentication system. For LDAP or ADSI authentication, refer to documentation from your vendor, such as one of those listed below.

Siebel Business Applications customers can therefore verify user credentials with security standards such as LDAP or ADSI.

Siebel CRM provides security adapters for leading authentication services:

  • LDAP security adapter integration is supported for directory servers that are compliant with the LDAP 3.0 standard.
  • ADSI security adapter integration is certified and supported for Microsoft Active Directory.

For information about third-party LDAP directory servers supported or validated for use with Siebel Business Applications, see Directory Servers Supported by Siebel Business Applications. You can also build security adapters to support a variety of authentication technologies. For information on custom security adapters, see Security Adapter SDK.

Web Single Sign-On

Siebel Business Applications offer customers the capability of enabling a single login across multiple Web applications; this is known as Web Single Sign-On (SSO). Siebel Business Applications provide a configurable mechanism for communicating with Web SSO infrastructures, identifying users, and logging users into the Siebel application.

With Web SSO, users are authenticated independently of Siebel Business Applications, such as through a third-party authentication service, or through the Web server.

NOTE:  The exact valid character set for a Siebel user name depends on the underlying authentication system. For Web SSO, refer to documentation from your vendor.

Security Adapter SDK

Oracle offers the Siebel Security Adapter Software Developers Kit (SDK) to allow companies to build additional security adapters. Such additional adapters can support other authentication technologies such as digital certificates, biometrics, or smart cards.

For example, a security adapter might be created for a portable device that provides users with a key that changes at frequent intervals. When a security adapter for this device is deployed, only by supplying both the currently displayed key and the user's password or other credentials can the user gain access to the Siebel application.
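The check such an adapter has to enforce, sketched as an added example that is not Oracle code and does not use the Siebel Security Adapter SDK interface. It assumes the device's changing key is a time-based one-time password (RFC 6238) and that passwords are stored as salted PBKDF2 hashes; all names, the 30-second step and the 6-digit length are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each displayed key stays valid (assumed)
DIGITS = 6   # length of the displayed key (assumed)

def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code: HOTP (RFC 4226) computed over the current time step."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the credential store never holds the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoFactorVerifier:
    """Hypothetical credential check: password AND currently displayed key."""

    def __init__(self):
        self.users = {}      # user -> (salt, password hash, device secret)
        self.last_step = {}  # user -> last accepted time step (replay guard)

    def enroll(self, user, password, device_secret, salt):
        self.users[user] = (salt, hash_password(password, salt), device_secret)

    def authenticate(self, user, password, key, now, drift=1) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        salt, stored, secret = record
        password_ok = hmac.compare_digest(hash_password(password, salt), stored)
        current = int(now // STEP)
        matched = None
        # Accept the current step plus/minus `drift` steps of clock skew.
        for step in range(current - drift, current + drift + 1):
            expected = totp(secret, step * STEP).encode()
            if hmac.compare_digest(expected, key.encode()):
                matched = step
        # A key is single-use: its step must be newer than the last accepted one.
        key_ok = matched is not None and matched > self.last_step.get(user, -1)
        if password_ok and key_ok:
            self.last_step[user] = matched
            return True
        return False
```

Both factors are evaluated before the result is returned, so a failed login does not reveal which of the two was wrong, and an accepted key cannot be replayed within its validity window.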

The security adapter interface is critical to the Siebel architecture because, for most Siebel Business Applications customers, authentication has become an enterprise decision, rather than an application-specific decision. The authentication service can be a shared resource within the Enterprise, thereby centralizing user administration. The Siebel Security Adapter SDK is described in 476962.1 (Article ID) on My Oracle Support.

Siebel Security Guide Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices.