Siebel CRM Siebel Security Guide, Siebel Innovation Pack 2016, Rev. A, E24814-01
Figure 6-2 and Figure 6-3 show the typical steps in a Web SSO authentication process when Siebel REST and Web Services are invoked by a server that is part of a portal application. The process uses Oracle WebLogic server with Oracle Access Manager and Oracle API Gateway for illustrative purposes, but you can use any other Web application server with a SAML identity provider solution and a Service Provider Gateway.
There are three parts in the Web SSO authentication process shown in Figure 6-2 and Figure 6-3:
Figure 6-2 Web SSO Authentication Process When Using Siebel REST and Web Services in Portal Application (Part I)

Figure 6-3 Web SSO Authentication Process When Using Siebel REST and Web Services in Portal Application (Part II)

The steps in the Web SSO authentication process shown in Figure 6-2 and Figure 6-3 are:
1. GET/Access protected Siebel Portal. A non-authenticated user requests access to a protected Siebel Web Portal.
2. Redirect to Login page. There is no OAMAuthnCookie, so the user is redirected to the login page.
3. Enter credentials and submit login form. The user enters their credentials and submits the login form.
4. Validate credentials in IDStore. Oracle Access Manager validates the user credentials in the IDStore (Oracle LDAP or Oracle Unified Directory installed with Identity Store).
5. IDStore responds success. The IDStore returns success to Oracle Access Manager.
6. Respond with OAMAuthnCookie. Oracle Access Manager forwards the OAMAuthnCookie to Oracle Webgate.
7. Set OAMAuthnCookie and redirect to Portal. Oracle Webgate sets the OAMAuthnCookie and redirects the user to the portal.
8. Portal Home page. The user accesses the portal home page.
There is no step 9 in the Web SSO authentication process shown in Figure 6-2 and Figure 6-3.
10. Click on QUOTE link that points to REST service. The user initiates the REST invocation process by clicking the QUOTE link, which points to the REST service.
11. Validate authorization for QUOTE link URI. Oracle Webgate invokes Oracle Access Manager to validate authorization for the QUOTE link URI.
12. Return SAML assertion. Oracle Access Manager returns the SAML assertion to Oracle Webgate.
13. Send original URL and SAML assertion to Oracle WebLogic Server. Oracle Webgate sends the original URL and the SAML assertion to the servlets hosted in the Oracle WebLogic server.
14. Send SAML assertion with URI. Oracle WebLogic server sends the URL with the SAML assertion to the Oracle API Gateway.
15. Validate SAML assertion. Oracle API Gateway validates the SAML assertion, extracts the user ID, sets the user ID in the request header, and sends a REST call with the user ID header.
16. Return result. Siebel REST returns the result to the Oracle API Gateway.
17. Return result. Oracle API Gateway returns the result to the Oracle WebLogic server.
18. Return generated HTML page. Oracle WebLogic server returns the generated HTML page to the portal.
19. Display generated HTML page. Siebel Web portal displays the generated HTML page to the user.
20. Click Logout to kill Siebel session. The user clicks Logout to kill the Siebel session.
21. Trigger Oracle Access Manager logout URL. Siebel Web Portal invokes the Oracle Access Manager logout URL.
22. Oracle Access Manager triggers logout URL to kill the cookie and session. Oracle Webgate invokes the Oracle Access Manager Logout URL to kill the cookie and the session.
23. Oracle Webgate redirects to final logout page. Oracle Access Manager redirects Oracle Webgate to the final logout page.
24. User lands on logout page. The user lands on the logout page.
For more information about each step in this process, consult the supporting documentation for Oracle WebLogic, Oracle Access Manager, and Oracle API Gateway. For information about using OAuth with Siebel REST, see Siebel REST API Guide.
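The "Validate SAML assertion" step makes the user ID header the only identity that Siebel REST sees, so the gateway must derive it from the assertion alone and discard any copy the caller sent. The following sketch of that step is an added example, not code from Oracle or from this guide. It assumes a SAML 2.0 assertion whose XML signature has already been verified, and the header name `X-Siebel-User`, the issuer, the audience, and the sample assertion are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
USER_HEADER = "X-Siebel-User"  # hypothetical header name, not taken from the guide

def _ts(value):
    # Whole-second UTC timestamps only; anything else raises and fails closed.
    if not value:
        raise ValueError("missing timestamp")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def user_id_from_assertion(xml_text, issuer, audience, now):
    """Return the NameID if issuer, validity window and audience all match.
    Assumes the XML signature was verified before this function is called."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not allowed in assertion")
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("wrong audience")
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not name_id:
        raise ValueError("missing NameID")
    return name_id

def upstream_headers(inbound, xml_text, issuer, audience, now):
    """Headers for the REST call: drop any caller-supplied identity header,
    then set it from the validated assertion only."""
    out = {k: v for k, v in inbound.items() if k.lower() != USER_HEADER.lower()}
    out[USER_HEADER] = user_id_from_assertion(xml_text, issuer, audience, now)
    return out

# Constructed sample assertion (signature element omitted; see assumption above).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://oam.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>SADMIN_DEMO</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-05-01T10:00:00Z" NotOnOrAfter="2016-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>siebel-rest</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Because the REST endpoint trusts this header, the Siebel REST listener should accept connections only from the gateway.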