Login Security Features

This topic describes features and considerations associated with user login to Siebel Business Applications. A login page or a login form embedded in a Siebel application page collects user credentials.

A user must log in, thereby identifying himself or herself as a registered user, to be allowed access to protected views in Siebel Business Applications. Protected views are designated for explicit login. Views that are not designated for explicit login are available for anonymous browsing, if the Siebel application allows anonymous browsing.

For information about setting view properties, see Configuring Siebel Business Applications. For information about anonymous browsing, see Configuring the Anonymous User.

Siebel Business Applications also provide other features on a login form besides user credentials collection, such as remembering a username and password and providing forgotten password support. Alternatively, you can configure a Siebel application to bypass the login form by providing the required user ID and password in the URL that accesses the application.

Implementing Secure Login

With secure login, you can specify that the Siebel Web Engine transmit user credentials entered in a login form from the browser to the Web server by using Secure Sockets Layer (SSL)—that is, over HTTPS.

Secure login can be implemented in the following authentication strategies:

  • Security adapter authentication: database authentication
  • Security adapter authentication: LDAP, ADSI, or custom
  • Web SSO authentication

For each Siebel application where you want to implement secure login, you set the value of the SecureLogin component parameter to TRUE. The following procedure demonstrates how to set this parameter for the Siebel Call Center application. To implement secure login, you must also have a certificate from a certificate authority on the Web server where you installed SWSE.

To implement secure login

  1. Navigate to the Administration - Server Configuration screen, and then the Servers view.
  2. Select the Siebel Server of interest.
  3. Click the Components view and select the component of interest. For example, select Call Center Object Manager (ENU) in a U.S. English deployment if you want to set secure login for the Siebel Call Center application.
  4. Click the Parameters view and select the record for SecureLogin.
  5. In the Value on Restart field, enter TRUE.
  6. Restart the component to apply the change.

    For information about administering Siebel Server components, see Siebel System Administration Guide.

For information about setting Siebel configuration parameters, see Configuration Parameters Related to Authentication.

Logging Out of Siebel Business Applications

Users of Siebel Business Applications can end a Siebel session by using the application log out features or by closing the browser window.

In Microsoft Internet Explorer, the browser window is closed by choosing File and then Close, or by clicking X in the top-right corner of the window. For Siebel Business Applications that use high interactivity mode, either method of closing the browser window causes the Siebel user to be logged out of the application.

With Siebel Business Applications that use standard interactivity mode, clicking the X box in the top-right corner of the application window closes the window but does not log the user out of the Siebel application. Users of standard interactivity applications must end the Siebel session by choosing File, and then Close from the Web browser menu to make sure they have logged out of the application.

You cannot select File and then Close if Web Single Sign-On authentication is implemented.

Remember My User ID and Password

A user can check the Remember My User ID and Password check box when logging into a Siebel application. By doing so, the user can access the same Siebel application without having to log in again—provided the user did not log out of the Siebel application by selecting the Log Out option from the File menu.

Remember My User ID and Password uses the auto-login credential cookie that the Siebel Web Engine provides when a session is started. This functionality requires that cookies are enabled.

For information about cookies and session management and the auto-login credential cookie, see About Using Cookies with Siebel Business Applications.

Forgot Your Password?

Forgot Your Password? allows a user who has forgotten the login password to get a new password. A seed workflow process provides interactive questions by which the user identifies himself or herself.

For information about Forgot Your Password?, see Managing Forgotten Passwords.

Account Policies

For enhanced security, you might want to implement the following account policies. Account policies are functions of your authentication service; if you want to implement them, you are responsible for setting them up through the administration features that the authentication service vendor provides:

  • Password syntax rules, such as minimum password length.

    When creating or changing passwords, minimum length requirements and other syntax rules defined in the external directory are enforced by Siebel Business Applications.

  • An account lockout after a specified number of failed attempts to log in.

    Account lockout protects against password guessing attacks. Siebel Business Applications support lockout conditions for accounts that have been disabled by the external directory.

  • Password expiration after a specified period of time.

    The external directory can be configured to expire passwords and warn users that passwords are about to expire. Password expiration warnings issued by the external directory will be recognized by Siebel Business Applications and users will be notified to change their passwords.

Password Expiration

Password expiration is handled by the external LDAP or ADSI directory, and is subject to the configuration of this behavior for the third-party directory product.

For example, when a password is about to expire, the directory might provide warning messages to Siebel Business Applications to display when the user logs in. Such a warning would indicate the user's password is about to expire and must be changed. If the user ignores such warnings and allows the password to expire, then the user might be required to change the password before logging into the application. Or, the user might be locked out of the application once the password has expired.

Password expiration configuration steps for each directory vendor will vary. For more information, see the documentation provided with your directory product. More information about password expiration for use with Active Directory is provided below.

Password expiration can be implemented if you are using security adapter authentication (LDAP, ADSI, or applicable custom security adapter), or if you are using database authentication and password expiration is supported by the RDBMS.

Password Expiration for ADSI Directories

For ADSI directories, factors that affect the password state include the following attributes and parameters:

  • Password Never Expires (attribute for user object)
  • User Must Change Password At Next Logon (attribute for user object)
  • Last Time User Set Password (attribute for user object)
  • Maximum Password Age (attribute for domain)
  • Password Expire Warn Days (parameter for ADSI security adapter)

When you configure password expiration for ADSI, you add the parameter Password Expire Warn Days (alias PasswordExpireWarnDays) to the ADSI security adapter. Set the value to the number of days you want to provide a warning message before a user's password expires.

NOTE:  The attributes Password Never Expires and User Must Change Password at Next Logon are mutually exclusive, and cannot both be checked for a user.

The state of each user's password is determined by the following logic:

  • If Password Never Expires is checked for a user, this user will never get a password expired error, regardless of the settings of other attributes.
  • Else, if User Must Change Password At Next Logon is checked for a user, this user will get a password expired error, regardless of the settings of other attributes.
  • If neither of the above attributes is checked for a user, the following behavior applies:
    • If Maximum Password Age is set to 0 for the domain, the user does not get a password expired error. No password expires in the domain.
    • If Maximum Password Age is not set to 0 for the domain, and if the difference between the current time and the last time a user has set the password (the value of the Last Time User Set Password attribute for the user) is larger than the value of Maximum Password Age, the user gets a password expired error.
    • If the difference between current time and the last time a user has set the password is smaller than the value of the Password Expire Warn Days parameter (set for the ADSI security adapter), the user gets a password expiring warning message.
    • If the difference between current time and the last time the user has set the password is smaller than Maximum Password Age, and larger than Password Expire Warn Days, the user logs in successfully and does not get an error or warning message.

Confirm all third-party directory product behavior and configuration with your third-party documentation.
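The decision list above, worked through in Python as an added example (not Oracle's code or the ADSI security adapter's implementation). It assumes the warning rule means "fewer than Password Expire Warn Days remain before Maximum Password Age is reached" rather than a comparison against the password's age itself, and runs a constructed set of accounts against a fixed "now" so the results are reproducible.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

OK, WARNING, EXPIRED = "ok", "expiring-warning", "expired"

@dataclass
class AdsiUser:
    # User-object attributes named in the text (GUI names). In Active Directory these are
    # the DONT_EXPIRE_PASSWORD bit of userAccountControl, pwdLastSet == 0, and pwdLastSet.
    password_never_expires: bool
    must_change_at_next_logon: bool
    last_set: datetime

def password_state(user, now, max_password_age_days, warn_days):
    """Return (state, days_remaining) for one login, applying the rules in order.

    Assumption: the warning window is measured on time *remaining* until the
    Maximum Password Age is reached, not on the password's age itself."""
    if user.password_never_expires:            # rule 1: nothing else matters
        return OK, None
    if user.must_change_at_next_logon:         # rule 2: expired regardless of age
        return EXPIRED, 0
    if max_password_age_days == 0:             # rule 3: the domain never expires passwords
        return OK, None
    remaining = timedelta(days=max_password_age_days) - (now - user.last_set)
    if remaining < timedelta(0):               # rule 4: older than Maximum Password Age
        return EXPIRED, 0
    if remaining < timedelta(days=warn_days):  # rule 5: inside the warning window
        return WARNING, remaining.days
    return OK, remaining.days                  # rule 6: clean login, no message

# Constructed sample population; "now" is fixed so the outcome never drifts.
NOW = datetime(2011, 6, 1)
SAMPLE_USERS = {
    "svc-never-expires": AdsiUser(True, False, NOW - timedelta(days=900)),
    "new-hire-must-change": AdsiUser(False, True, NOW),
    "stale": AdsiUser(False, False, NOW - timedelta(days=100)),
    "in-warn-window": AdsiUser(False, False, NOW - timedelta(days=80)),
    "fresh": AdsiUser(False, False, NOW - timedelta(days=30)),
}

def evaluate_all(users=SAMPLE_USERS, now=NOW, max_password_age_days=90, warn_days=14):
    """Map each account name to its (state, days_remaining) under one domain policy."""
    return {name: password_state(u, now, max_password_age_days, warn_days)
            for name, u in users.items()}

if __name__ == "__main__":
    for name, (state, days) in evaluate_all().items():
        print(f"{name:22} {state:17} remaining={days}")
```

Running `evaluate_all(max_password_age_days=0)` shows rule 3 in action: the stale account logs in cleanly, while the must-change account still gets the expired error, as the text states.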

URL Login

Users can log into Siebel Business Applications by presenting user credentials as parameters in a URL. The user does not have to manually type credentials into a login form.

NOTE:  When URL login is used, user passwords might be transmitted in clear text over the network. However, you can encrypt the connection using SSL to make sure that user passwords are not transmitted in clear text. For more information about using SSL, see Process of Configuring Secure Communications.

The easiest, but least secure, option for a form of Web SSO to Siebel Business Applications is to make explicit login requests to a Siebel customer or partner application from navigational entry points to the application. This option works best if the number of navigational entry points to the Siebel application is small, if you are not concerned about users knowing their Siebel username and password, and if you are not deploying a full Web SSO infrastructure.

The following is a sample showing the URL syntax:

http://siebel.com/eservice_enu/start.swe?SWECmd=ExecuteLogin&SWEUserName=HKIM&SWEPassword=HKIM

The parameter names in the URL are case-sensitive.

You can create a single URL that contains a path to a predefined view in addition to a user's login credentials. You must use a SWE expression, as shown in the following example. This example shows a drilldown to a particular service request, after the user has logged in. In this example, the username and password for HKIM are represented using escape characters: %48%4B%49%4D. (Note that such character strings are not secure.)

http://siebel.com/eservice_enu/start.swe?SWECmd=ExecuteLogin&SWEUserName=%48%4B%49%4D&SWEPassword=%48%4B%49%4D&SWEAC="SWECmd=InvokeMethod,SWEMethod=Drilldown,SWEView=Service+Request+List+View+(SCW),SWEApplet=Service+Request+List+Applet+(SCW),SWEField=SR+Number,SWERowIds=SWERowId0%3d1-15P"

You must use commas instead of ampersands (&) as delimiters between arguments in a SWE expression.
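An added audit helper (not part of the guide or of Siebel) that checks URL login links against the points this section makes: credentials carried in a URL, plain HTTP instead of HTTPS, wrongly cased parameter names, and an ampersand used inside a SWE expression where a comma is required. The sample links are constructed and use a placeholder hostname; the finding codes are this example's own.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names the text says SWE expects; they are case-sensitive.
KNOWN_PARAMS = ("SWECmd", "SWEUserName", "SWEPassword", "SWEAC")

def parse_login(url):
    """Split a Siebel login URL into (scheme, query parameters).

    parse_qsl undoes percent-escaping, so %48%4B%49%4D comes back as the
    literal user id: escaping hides nothing from anyone who sees the URL."""
    parts = urlsplit(url)
    return parts.scheme, dict(parse_qsl(parts.query, keep_blank_values=True))

def audit_url_login(url):
    """Return the list of finding codes (this example's own) for one login link."""
    scheme, params = parse_login(url)
    findings = []
    by_lower = {k.lower(): k for k in params}
    if "swepassword" in by_lower:
        findings.append("CREDENTIALS_IN_URL")   # ends up in browser history, proxy and web server logs
        if scheme != "https":
            findings.append("PLAINTEXT_HTTP")   # the clear-text transmission the NOTE above describes
    for name in KNOWN_PARAMS:                   # a differently cased name is simply another parameter
        actual = by_lower.get(name.lower())
        if actual is not None and actual != name:
            findings.append(f"CASE_MISMATCH:{actual}")
    swe_ac = params.get("SWEAC")
    # An '&' inside the quoted SWE expression terminates the SWEAC value early, so the
    # opening quote survives but the closing quote lands on a different parameter.
    if swe_ac is not None and swe_ac.startswith('"') and not swe_ac.endswith('"'):
        findings.append("SWEAC_SPLIT_BY_AMPERSAND")
    return findings

# Constructed sample links modelled on the syntax shown in the text (placeholder host).
BASE = "://siebel.example.com/eservice_enu/start.swe?"
SAMPLE_URLS = {
    "escaped-over-http": "http" + BASE + "SWECmd=ExecuteLogin&SWEUserName=%48%4B%49%4D&SWEPassword=%48%4B%49%4D",
    "drilldown-ok": "https" + BASE + "SWECmd=ExecuteLogin&SWEUserName=HKIM&SWEPassword=HKIM"
        '&SWEAC="SWECmd=InvokeMethod,SWEMethod=Drilldown,SWEView=Service+Request+List+View+(SCW)"',
    "wrong-case": "https" + BASE + "swecmd=ExecuteLogin&sweusername=HKIM&swepassword=HKIM",
    "ampersand-in-swe-expr": "https" + BASE + "SWECmd=ExecuteLogin&SWEUserName=HKIM&SWEPassword=HKIM"
        '&SWEAC="SWECmd=InvokeMethod&SWEMethod=Drilldown"',
}

def audit_all(urls=SAMPLE_URLS):
    """Audit every sample link and return {name: findings}."""
    return {name: audit_url_login(u) for name, u in urls.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name:24} {findings}")
```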

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved.