Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2016, Rev. A
E24814-01

Login Security Features

This topic describes features and considerations associated with the user login process for Siebel Business Applications. A login page or a login form embedded in a Siebel application page collects user credentials.


Note:

You cannot log into a Siebel application by presenting user credentials as parameters in a URL.

A user must log in, thereby identifying himself or herself as a registered user, to access protected views in Siebel Business Applications. Protected views are designated for explicit login. Views that are not designated for explicit login are available for anonymous browsing, if the Siebel application allows anonymous browsing. For information about anonymous browsing, see "Configuring the Anonymous User".

Siebel Business Applications also provide other features on a login form besides user credentials collection, such as remembering a username and providing forgotten password support. For information on these features, see the following topics:

Implementing Secure Login

This topic describes how to implement secure login. With secure login, the Siebel Web Engine transmits user credentials entered in a login form from the browser to the Web server using TLS, that is, over HTTPS.

Secure login can be implemented in the following authentication strategies:

  • Security adapter authentication: database authentication

  • Security adapter authentication: Lightweight Directory Access Protocol (LDAP), Active Directory Service Interfaces (ADSI), or custom

  • Web SSO authentication

For each Siebel application where you want to implement secure login, you set the value of the SecureLogin component parameter to TRUE. The following procedure demonstrates how to set this parameter for the Siebel Call Center application. To implement secure login, you must also have a certificate from a certificate authority on the Web server where you installed SWSE.

To implement secure login 

  1. Navigate to the Administration - Server Configuration screen, then the Servers view.

  2. Select the Siebel Server of interest.

  3. Click the Components view and select the component of interest. For example, select Call Center Object Manager (ENU) in a U.S. English deployment if you want to set secure login for the Siebel Call Center application.

  4. Click the Parameters view and select the record for SecureLogin.

  5. In the Value on Restart field, enter TRUE.

  6. Restart the component to apply the change.

    For information about administering Siebel Server components, see Siebel System Administration Guide.

Related Topic

"Login Security Features"

Logging Out of a Siebel Application

Siebel application users can end a Siebel session by using the Siebel application log out features or by closing the browser window.

If you select the Siebel application Log Out menu option, you are logged out of the Siebel application and the user session is ended immediately. Alternatively, you can close the browser window to end the Siebel session.

If you are using Siebel Business Applications, clicking the X box in the top-right corner of the application window closes the window but does not terminate the Siebel user session until the session timeout is reached. The value of the session timeout is determined by the SessionTimeout parameter in the eapps.cfg file on the SWSE. For more information about this parameter, see "About Parameters in the eapps.cfg File".

Related Topic

"Login Security Features"

Login User Names and Passwords

Siebel Business Applications provide two features on the Siebel login dialog box to assist users. These features are:

Remember My User ID

A user can check the Remember My User ID check box when logging into a Siebel application. By doing so, whenever the user logs in to the same Siebel application in the future, the Username field is prefilled with the user's user name; the user simply has to enter the associated password to access the Siebel application.

The Remember My User ID functionality can be used by the same user on a number of different Siebel Business Applications simultaneously, provided the user checks the Remember My User ID check box when logging in to each application. This is particularly useful to users, for example, system administrators, who regularly log in to a number of different Siebel application environments.

Remember My User ID uses the auto-login credential cookie that the Siebel Web Engine provides when a session is started. This functionality requires that cookies be enabled. For information about the auto-login credential cookie, see "Auto-Login Credential Cookie".

Related Topic

"Login Security Features"

Account Policies and Password Expiration

For enhanced security, you might want to implement the following account policies. Account policies are functions of your authentication service. If you want to implement account policies, then you are responsible for setting them up through administration features provided by the authentication service vendor.

  • Password syntax rules, such as minimum password length.

    When creating or changing passwords, minimum length requirements and other syntax rules defined in the external directory are enforced by the Siebel application.

  • An account lockout after a specified number of failed attempts to log in.

    Account lockout protects against password guessing attacks. Siebel Business Applications support lockout conditions for accounts that have been disabled by the external directory.

  • Password expiration after a specified period of time.

    The external directory can be configured to expire passwords and warn users that passwords are about to expire. Password expiration warnings issued by the external directory are recognized by Siebel Business Applications and users are notified to change their passwords.

About Password Expiration

Password expiration can be implemented in the following authentication strategies:

  • Security adapter authentication: LDAP, ADSI, or applicable custom security adapter

  • Database authentication where supported by the RDBMS

If you are using an LDAP or ADSI security adapter, then password expiration is handled by the external LDAP directory or Active Directory, and is subject to the configuration of this behavior for the third-party directory product.

For example, when a password is about to expire, the directory might provide warning messages to the Siebel application to display when the user logs in. Such a warning would indicate the user's password is about to expire and must be changed. If the user ignores such warnings and allows the password to expire, then the user might be required to change the password before logging into the application. Or, the user might be locked out of the application once the password has expired.

Password expiration configuration steps for each directory vendor will vary. For more information, see the documentation provided with your directory product. More information about password expiration for use with Active Directory is provided below.

Password Expiration on Active Directory

On Active Directory, factors that affect the password state include the following attributes and parameters:

  • Password Never Expires (attribute for user object)

  • User Must Change Password At Next Logon (attribute for user object)

  • Last Time User Set Password (attribute for user object)

  • Maximum Password Age (attribute for domain)

  • Password Expire Warn Days (parameter for ADSI security adapter)

When you configure password expiration for Active Directory, you add the parameter Password Expire Warn Days (alias PasswordExpireWarnDays) to the ADSI security adapter. Set the value to the number of days you want to provide a warning message before a user's password expires.


Note:

The attributes Password Never Expires and User Must Change Password at Next Logon are mutually exclusive, and cannot both be checked for a user.

The state of each user's password is determined by the following logic:

  • If Password Never Expires is checked for a user, then this user never gets a password expired error, regardless of the settings of other attributes.

  • If User Must Change Password At Next Logon is checked for a user, then this user gets a password expired error, regardless of the settings of other attributes.

  • If neither of the above attributes is checked for a user, then the following behavior applies:

    • If Maximum Password Age is set to 0 for the domain, then a user will not get a password-expired error. No password will expire in the domain.

    • If a value is specified for Maximum Password Age, then the following behavior applies:

      • If the difference between the current time and the last time a user has set the password (the value of the Last Time User Set Password attribute for the user) is larger than the value of Maximum Password Age, then this user gets a password-expired error.

      • If the difference between the current time and the last time a user has set the password is smaller than Password Expire Warn Days (set for the ADSI security adapter), then this user gets a password-expiring warning message.

      • If the difference between the current time and the last time a user has set the password is smaller than Maximum Password Age, and larger than Password Expire Warn Days, then this user will log in successfully and will not get any error or warning message.


    Note:

    Confirm all third-party directory product behavior and configuration with your third-party documentation.
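
The password-state rules above, written out as an added Python example (not Oracle's code and not the ADSI security adapter's implementation). The class, field and function names are hypothetical, the comparisons follow the page's wording literally, and treating an age exactly equal to a threshold as "no message" is an assumption the page does not settle.

```python
from datetime import datetime, timedelta
from enum import Enum
from typing import NamedTuple


class PasswordState(Enum):
    OK = "no error or warning"
    EXPIRING = "password-expiring warning"
    EXPIRED = "password-expired error"


class UserAccount(NamedTuple):
    # Hypothetical names for the Active Directory user-object attributes.
    password_never_expires: bool
    must_change_at_next_logon: bool
    last_password_set: datetime


def password_state(user, max_password_age_days, warn_days, now):
    """Apply the page's rules in the order the page lists them."""
    if user.password_never_expires and user.must_change_at_next_logon:
        # The page states these two attributes are mutually exclusive.
        raise ValueError("Password Never Expires and User Must Change "
                         "Password At Next Logon cannot both be set")
    if user.password_never_expires:
        return PasswordState.OK          # overrides every other setting
    if user.must_change_at_next_logon:
        return PasswordState.EXPIRED     # overrides every other setting
    if max_password_age_days == 0:
        return PasswordState.OK          # no password expires in the domain
    age = now - user.last_password_set
    if age > timedelta(days=max_password_age_days):
        return PasswordState.EXPIRED
    if age < timedelta(days=warn_days):
        return PasswordState.EXPIRING    # comparison as worded on the page
    return PasswordState.OK              # equality cases: assumed "no message"


# Constructed sample values, not taken from any real directory.
NOW = datetime(2016, 6, 1)
MAX_AGE_DAYS, WARN_DAYS = 90, 14

if __name__ == "__main__":
    for days_ago in (5, 30, 100):
        user = UserAccount(False, False, NOW - timedelta(days=days_ago))
        state = password_state(user, MAX_AGE_DAYS, WARN_DAYS, NOW)
        print(f"password set {days_ago} days ago: {state.value}")
```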