
About Siebel Security Adapters

When you install your Siebel Business Applications, these security adapters are provided for user authentication:

  • Database security adapter (enabled by default)

    For more information, see Configuring Database Authentication.

  • ADSI (Active Directory Services Interface) security adapter
  • LDAP (Lightweight Directory Access Protocol) security adapter

The security adapter is a plug-in to the authentication manager. The security adapter uses the credentials entered by a user (or supplied by an authentication service) to authenticate the user, as necessary, and allow the user access to Siebel Business Applications.

You can implement a security adapter other than those provided with Siebel Business Applications, as long as the adapter you implement supports the Siebel Security Adapter Software Development Kit. For more information, see Security Adapter SDK.

Do not use the ADSI security adapter or LDAP security adapter to authenticate access to batch components such as the Communications Outbound Manager. Batch components access the Siebel database directly and must therefore use the database security adapter; configure them accordingly. Siebel Server infrastructure and system management components, such as Server Request Broker and Server Request Processor, also access the Siebel database directly. For this reason, these components cannot use the LDAP or ADSI security adapters.

Authentication Directories

An LDAP directory or Microsoft Active Directory is a store that maintains, external to the Siebel database, the information required to allow users to connect to the Siebel database, such as database accounts, Siebel user IDs, or roles. The security adapter retrieves this information from the directory. For specific information about third-party directories supported by the security adapters provided with Siebel Business Applications, see Siebel System Requirements and Supported Platforms on Oracle Technology Network.

Security Adapter Authentication

In general, the process of security adapter authentication includes the following principal stages:

  1. The user provides identification credentials.
  2. The user's identity is verified.
  3. The user's Siebel user ID and database account are retrieved from a directory (LDAP and ADSI security adapters), from the Siebel database, or from another external source (for Web Single Sign-On).
  4. The user is granted access to Siebel Business Applications and the Siebel database.

Depending on how you configure your authentication architecture, the security adapter can function in one of the following modes, with respect to authentication:

  • With authentication (LDAP or ADSI security adapter authentication mode). The security adapter uses credentials entered by the user to verify the user's existence and access rights in the directory. If the user exists, the adapter retrieves the user's Siebel user ID, a database account, and, optionally, a set of roles which are passed to the Siebel Application Object Manager (AOM) to grant the user access to Siebel Business Applications and the database. This adapter functionality is typical in a security adapter authentication implementation.
  • Without authentication (Web SSO mode). The security adapter passes an identity key supplied by a separate authentication service to the directory. Using the identity key to identify the user in the directory, the adapter retrieves the user's Siebel user ID, a database account, and, optionally, a set of roles that are passed to the AOM to grant the user access to Siebel Business Applications and the database. This adapter functionality is typical in a Web SSO implementation.

    NOTE:  The security adapter does not provide authentication for Web SSO. Web SSO is the ability to authenticate a user one time for access to multiple applications, including Siebel Business Applications. However, when implementing Web SSO, you must also deploy a security adapter.

    For more information, see Web Single Sign-On Authentication.
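The two modes described above, modeled as an added example (not Siebel code and not the Security Adapter SDK): it shows that only the authentication mode verifies credentials, while Web SSO mode performs a directory lookup on whatever identity key it is handed. The in-memory directory, the account names, and every function name are constructed for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

class AuthError(Exception):
    """Raised when a user cannot be authenticated or resolved."""

@dataclass
class Entry:  # constructed stand-in for one LDAP / Active Directory entry
    siebel_user_id: str
    db_account: str            # database account used to connect to the Siebel database
    salt: bytes
    pw_hash: bytes
    roles: list = field(default_factory=list)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_entry(user_id, db_account, password, roles=()):
    salt = os.urandom(16)
    return Entry(user_id, db_account, salt, _hash(password, salt), list(roles))

# Constructed sample directory; "mlee" deliberately lacks a database account.
DIRECTORY = {
    "jsmith": make_entry("JSMITH", "SHARED_DB_ACCT", "constructed-pw-1", ["Sales Rep"]),
    "mlee": make_entry("MLEE", "", "constructed-pw-2"),
}

def _retrieve(entry):
    # Stage 3: retrieve the Siebel user ID, database account and optional roles.
    if not entry.siebel_user_id or not entry.db_account:
        raise AuthError("directory entry lacks a Siebel user ID or database account")
    return {"siebel_user_id": entry.siebel_user_id,
            "db_account": entry.db_account, "roles": entry.roles}

def authenticate_mode(username, password):
    """With authentication: the adapter itself verifies the user's credentials."""
    entry = DIRECTORY.get(username)
    # Stage 2: verify identity; unknown user and bad password give the same error.
    if entry is None or not hmac.compare_digest(_hash(password, entry.salt), entry.pw_hash):
        raise AuthError("invalid credentials")
    return _retrieve(entry)

def web_sso_mode(identity_key):
    """Without authentication: the identity key is looked up, never verified here."""
    entry = DIRECTORY.get(identity_key)
    if entry is None:
        raise AuthError("identity key not found in directory")
    return _retrieve(entry)
```

Because `web_sso_mode` accepts any key that exists in the directory, the verification in a Web SSO deployment rests entirely on the separate authentication service that supplies the key.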

In an environment using external security adapter authentication (such as LDAP or ADSI), the security adapter can create a record in the directory when a user is created in the Siebel database.

For information on the most commonly reported error messages when implementing standard Siebel security adapters, see 477528.1 (Article ID) on My Oracle Support. This document was formerly published as Siebel Troubleshooting Steps 56.

Event Logging for Siebel Security Adapters

Siebel Business Applications provide the following event types to set log levels for security adapters:

  • Security Adapter Log

    This event type traces security adapter events.

  • Security Manager Log

    This event type traces security manager events.

Modify the values for these two event types to set the log levels that the Siebel Application Object Manager writes to the log file. For more information about how to set the log levels for event types, see Siebel System Monitoring and Diagnostics Guide.

Siebel Security Guide Copyright © 2011, Oracle and/or its affiliates. All rights reserved.