Security Guide for Siebel eBusiness Applications > Security Features of Siebel Web Server Extension > Login Features

This section describes features and considerations associated with user login to Siebel applications.

A login page or a login form embedded in a Siebel application page is the means by which user credentials are collected. Figure 8 shows the Siebel eService home page with the login form embedded in it.

A user is required to log in, thereby identifying himself or herself as a registered user, to be allowed access to protected views in Siebel applications. Protected views are designated for explicit login. Views that are not designated for explicit login are available for anonymous browsing, if the Siebel application allows anonymous browsing. For information about setting view properties, see Configuring Siebel eBusiness Applications. For information about anonymous browsing, see Configuring the Anonymous User.

Besides collecting user credentials, a Siebel login form can provide other features, such as remembering a username and password and providing forgotten password support.

Alternatively, you can configure a Siebel application to bypass the login form by providing the required user ID and password in the URL that accesses the application.

Secure Login

With secure login, you can direct the Siebel Web Engine to transmit user credentials entered in a login form from the browser to the Web server by using Secure Sockets Layer (SSL)—that is, over HTTPS.

Secure login can be implemented in the following authentication strategies:
For information about setting Siebel configuration parameters, see Configuration Parameters Related to Authentication.

Remember My User ID and Password

A user can check the Remember My User ID and Password check box when logging into a Siebel application. By doing so, the user can access the same Siebel application without having to log in again—as long as the user did not log out of the Siebel application using the File > Log Out command.

Remember My User ID and Password uses the auto-login credential cookie that the Siebel Web Engine provides when a session is started. This functionality requires that cookies are enabled. For information about cookies and session management and the auto-login credential cookie, see Cookies and Siebel Applications.

Forgot Your Password?

Forgot Your Password? allows a user who has forgotten the login password to get a new password. A seed workflow process provides interactive questions by which the user identifies himself or herself. For information about Forgot Your Password?, see Managing Forgotten Passwords.

Account Policies

For enhanced security, you may want to implement the following account policies. Account policies are functions of your authentication service. If you want to implement account policies, you are responsible for setting them up through administration features provided by the authentication service vendor.
Password Expiration

Password expiration is handled by the external LDAP directory or Active Directory, and is subject to the configuration of this behavior for the third-party directory product. For example, when a password is about to expire, the directory may provide warning messages to the Siebel application to display when the user logs in. Such a warning would indicate the user's password is about to expire and should be changed. If the user ignores such warnings and allows the password to expire, then the user may be required to change the password before logging into the application. Or, the user may be locked out of the application once the password has expired.

Password expiration configuration steps for each directory vendor will vary. For more information, see the documentation provided with your directory product. More information about password expiration for use with Active Directory is provided below.

Password expiration can be implemented in the following authentication strategies:
Password Expiration on ADS

On ADS, factors that affect the password state include the following attributes and parameters:
When you configure password expiration for ADSI, you add the parameter NOTE: The attributes The state of each user's password is determined by the following logic:
NOTE: Confirm all third-party directory product behavior and configuration with your third-party documentation.

URL Login

Users can log into a Siebel application by presenting user credentials as parameters in a URL. The user does not have to manually type credentials into a login form.

CAUTION: When URL login is used, user passwords may be transmitted in clear text over the network. However,

The easiest, but least secure, option for a form of Web SSO to Siebel applications is to make explicit login requests to a Siebel customer or partner application from navigational entry points to the application. This option works best if the number of navigational entry points to the Siebel application is small, if you are not concerned about users knowing their Siebel username and password, and if you are not deploying a full Web SSO infrastructure.

Following is a sample showing the URL syntax:

http://yourhost/eservice/start.swe?SWECmd=ExecuteLogin&SWEUserName=HKIM&SWEPassword=HKIM

NOTE: The parameter names in the URL are case-sensitive.

You can create a single URL that contains a path to a predefined view in addition to a user's login credentials. You must use a SWE expression, as shown in the following example. This example shows a drilldown to a particular service request, after the user has logged in. In this example, the username and password for HKIM are represented using escape characters: %48%4B%49%4D. (Note that such character strings are not secure.)

http://siebel.com/eservice/start.swe?SWECmd=ExecuteLogin&SWEUserName=%48%4B%49%4D&SWEPassword=%48%4B%49%4D&SWEAC="SWECmd=InvokeMethod,SWEMethod=Drilldown,SWEView=Service+Request+List+View+(SCW),SWEApplet=Service+Request+List+Applet+(SCW),SWEField=SR+Number,SWERowIds=SWERowId0%3d1-15P"

NOTE: You must use commas instead of ampersands (&) as delimiters between arguments in an SWEAC expression.
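A defender-side check for the URL login syntax described above, as an added example that is not part of the Siebel documentation: it scans web server access-log lines for SWECmd=ExecuteLogin requests carrying SWEPassword, decodes the percent-escapes to show they hide nothing, and redacts the password value before the line is kept. The log lines (including the shortened SWEAC expression) and the names scrub_target and scan are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in combined-log style (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2004:10:15:32 +0000] "GET /eservice/start.swe'
    '?SWECmd=ExecuteLogin&SWEUserName=HKIM&SWEPassword=HKIM HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Mar/2004:10:16:02 +0000] "GET /eservice/start.swe'
    '?SWECmd=ExecuteLogin&SWEUserName=%48%4B%49%4D&SWEPassword=%48%4B%49%4D'
    '&SWEAC=%22SWECmd=InvokeMethod,SWEMethod=Drilldown%22 HTTP/1.1" 200 7340',
    '10.0.0.9 - - [12/Mar/2004:10:17:11 +0000] "GET /eservice/images/logo.gif HTTP/1.1" 200 912',
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def scrub_target(target):
    """Return (is_url_login, username, target with the SWEPassword value redacted)."""
    path, sep, query = target.partition("?")
    params, out = {}, []
    for pair in query.split("&"):      # SWEAC uses commas, so it stays one pair
        name, eq, value = pair.partition("=")
        key = unquote_plus(name)       # names are case-sensitive: compare exactly
        params.setdefault(key, unquote_plus(value))
        if key == "SWEPassword" and eq:
            pair = name + "=[REDACTED]"
        out.append(pair)
    is_login = params.get("SWECmd") == "ExecuteLogin" and "SWEPassword" in params
    return is_login, params.get("SWEUserName"), path + sep + "&".join(out)

def scan(lines):
    """Return (decoded usernames seen in URL logins, log lines safe to store)."""
    findings, clean = [], []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            is_login, user, scrubbed = scrub_target(m.group("target"))
            if is_login:
                findings.append(user)
            line = line[:m.start("target")] + scrubbed + line[m.end("target"):]
        clean.append(line)
    return findings, clean

if __name__ == "__main__":
    users, cleaned = scan(SAMPLE_LOG)
    print("URL logins for:", users)
    print("\n".join(cleaned))
```

Both login lines resolve to the same user, because the escaped form decodes to the literal characters; the same redaction applies wherever such URLs are recorded, such as proxy logs.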