Siebel CRM Siebel Security Guide Siebel Innovation Pack 2017, Rev. A E24814-01
Authentication is the process of verifying the identity of a user. Siebel Business Applications support multiple approaches for authenticating users. You choose either security adapter authentication or Web SSO authentication for your application users:
- Security adapter authentication. Siebel Business Applications provide a security adapter framework to support several different user authentication scenarios:
  - Database authentication. Siebel Business Applications support authentication against the underlying database. In this architecture, the security adapter authenticates users against the Siebel database. Siebel Business Applications provide a database security adapter (it is configured as the default security adapter). For more information, see "About Database Authentication" and "Implementing Database Authentication".
    Note: Database authentication is supported for development environments only; it is not supported for production environments.
  - Lightweight Directory Access Protocol (LDAP) authentication. Siebel Business Applications support authentication against LDAP-compliant directories. In this architecture, the security adapter authenticates users against the directory. Siebel Business Applications provide the LDAP Security Adapter to authenticate against directory servers. For more information, see "About Authentication for LDAP Security Adapter" and "Process of Implementing LDAP Security Adapter Authentication".
  - Custom. You can use a custom adapter you provide, and configure the Siebel Business Applications to use this adapter. For more information, see "Security Adapter SDK".
- Web Single Sign-On (Web SSO). This approach uses an external authentication service to authenticate users before they access the Siebel application. In this architecture, a security adapter does not authenticate the user. The security adapter simply looks up and retrieves a user's Siebel user ID and database account from the directory based on the identity key that is accepted from the external authentication service. For more information, see Chapter 6, "Single Sign-On Authentication".
You can choose the approach for user authentication individually for each application in your environment, based on the specific application requirements. However, there are administrative benefits to using a consistent approach across all of your Siebel Business Applications, because a consistent approach lowers the overall complexity of the deployment.
Configuration parameter values determine how your authentication architecture components interact. For information about the purpose of configuration parameters, see Appendix A, "Configuration Parameters Related to Authentication". For information about the seed data related to authentication, user registration, and user access that is installed with Siebel Business Applications, see Appendix B, "Seed Data".
The following special issues apply for authentication for deployments using Siebel Developer Web Client or Mobile Web Client:
- For a particular Siebel application, when users connect from the Siebel Developer Web Client to the server database, the authentication mechanism must be the same as that used for Siebel Web Client users. This mechanism could be database authentication or a supported external authentication strategy, such as LDAP.
- When connecting to the local database from the Mobile Web Client, mobile users must use database authentication. For information about authentication options for local database synchronization, see Siebel Remote and Replication Manager Administration Guide.
Table 5-1 highlights the capabilities of each authentication method to help guide your decision. Several options are available for each basic strategy. Comparisons do not apply for Siebel Mobile Web Client, for which only database authentication is available.
Table 5-1 Functionality Supported in Different Authentication Methods
| Functionality | Database Security Adapter | LDAP Security Adapter | Web SSO |
|---|---|---|---|
| | No | Yes | Yes |
| Centralizes storage of user credentials and roles. | No | Yes | Yes |
| Limits number of database accounts on the application database. | No | Yes | Yes |
| Supports dynamic user registration. Users are created in real-time through self-registration or administrative views. | No | Yes | Siebel Business Applications do not support the feature, but it might be supported by third-party components. For Web SSO, user registration is the responsibility of the third-party authentication architecture. It is not logically handled by the Siebel architecture. |
| Supports account policies. You can set policies such as password expiration, password syntax, and account lockout. | Only password expiration is supported and only on supported IBM DB2 RDBMS operating systems. | Yes | Siebel Business Applications do not support the feature, but it might be supported by third-party components. For Web SSO, account policy enforcement is handled by the third-party infrastructure. |
| Supports Web Single Sign-On, the capability to log in once and access all the applications within a Web site or portal. | No | No | Yes |
The Siebel LDAP security adapter supports the Internet Engineering Task Force (IETF) password policy draft (09) for handling password policy violations and error reporting. As a result, the LDAP security adapter returns meaningful error messages and takes appropriate actions when password policy violations occur, provided the adapter is used with directory servers that are compliant with the draft. For additional information on the IETF password policy draft, go to the IETF Web site at
http://tools.ietf.org/html/draft-behera-ldap-password-policy-09