Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01

About Authentication for LDAP Security Adapter

Siebel Business Applications include security adapters that are based on LDAP standards, allowing customers to use LDAP directory products for user authentication. LDAP security adapter authentication can offer the following benefits:

Security adapter authentication provides a user with access to the Siebel application for which the security adapter is configured. Different Siebel Business Applications can be configured to use different security adapters.

Before implementing security adapter authentication for LDAP security adapters, note the following:

For more information about LDAP security adapter authentication, see the following topics:

LDAP Security Adapter Authentication Process

In an implementation using LDAP authentication, the security adapter authenticates a user's credentials against the directory and retrieves database login credentials from the directory. The security adapter functions as the authentication service in this architecture. The steps in the LDAP security adapter authentication process are:

  1. The user enters credentials in a Siebel Business Applications login form.

    These user credentials (a user name and password) can vary depending on the way you configure the security adapter. For example, the user name could be the Siebel user ID or an identifier such as an email address or telephone number. The user credentials are passed to the Siebel Application Interface and then to the Application Object Manager, which in turn passes them to the authentication manager.

  2. The authentication manager determines how to process the user credentials and calls the security adapter to validate the credentials against the directory.

    Note: The LDAP security adapter used with Siebel Business Applications allows special characters in passwords. Be aware, however, that only a limited number of special characters are supported for use in Siebel passwords. Passwords are also subject to the requirements and limitations imposed by the external directory service. For additional information, see "Characters Supported in Siebel Passwords".

  3. The security adapter returns the Siebel user ID and a database credential assigned to this user to the authentication manager. (If roles are used, they are also returned to the authentication manager.)

  4. The Application Object Manager (or other module that requested authentication services) uses the returned credentials to connect the user to the database and to identify the user.

Directory Servers Supported by Siebel Business Applications

This topic outlines the directory servers supported by the Siebel LDAP security adapters. Siebel Business Applications support the following directory servers:

  • LDAP directory servers. Siebel Business Applications support any directory server that meets both of the following requirements:

    • The LDAP directory server is compliant with the LDAP 3.0 standard.

    • Password management is handled in either one of the following ways:

      • The directory server implements the IETF password policy draft (09) standard.

      • Password management functions, such as password expiry and other password-messaging features, are handled externally to the directory server.

Administering the Directory through Siebel Business Applications

If you choose to administer the LDAP directory through Siebel Business Applications, then be aware that in large implementations timeout issues can occur. To prevent timeout issues:

  • Use the LDAP security adapter.

  • Do not set the Base DN to the root level of your directory server.

For help with overall design recommendations and performance improvement, contact your Oracle sales representative for Oracle Advanced Customer Services to request assistance.

Communicating with More Than One Authentication Server

The LDAP security adapter provided with Siebel Business Applications currently does not support communication with more than one directory server. However, the following options are available:

  • Failover functionality can be implemented to a limited degree for the LDAP security adapter. To implement failover functionality, specify the names of the primary and secondary servers for the Server Name parameter of the LDAP security adapter profile. For example:

    ServerName=ldap1 ldap2

    If communication cannot be established between the Siebel Application Object Manager and the primary LDAP server, then failover to the secondary LDAP server occurs. If the Application Object Manager can communicate with the primary server, but LDAP functionality on the server is not available, then failover to the secondary server does not occur.

  • Oracle provides products that enable LDAP security adapters to communicate with multiple LDAP-compliant directories. For information on Oracle Virtual Directory, go to

    http://www.oracle.com/technetwork/testcontent/index-093158.html

Requirements for the LDAP Directory

If you implement LDAP security adapter authentication with Siebel Business Applications, then you must provide a directory product that meets the requirements outlined in this topic. The directory product you provide can be one of the directory servers supported by the security adapters provided with Siebel Business Applications, or another directory server of your choice. The following options are available:

  • If you provide one of the directory servers supported by Siebel Business Applications (that is, a supported LDAP directory), then you can use a security adapter provided by Siebel Business Applications, or you can create your own security adapter that complies with Siebel Business Applications.

  • If you provide a directory other than those supported by the security adapters provided with Siebel Business Applications, then you are responsible for implementing a security adapter that supports this directory.

For specific information about directory server products supported by Siebel Business Applications, see the Certifications tab on My Oracle Support.

About Setting Up the LDAP Directory

To provide user access to a Siebel application implementing an LDAP security adapter, the Siebel application must be able to retrieve credentials to access the database and the user's Siebel user ID. Therefore you must set up a directory from which a database account and a Siebel user ID can be retrieved for each user.

Your LDAP directory must store, at a minimum, the following data for each user. Each piece of data is contained in an attribute of the directory:

  • Siebel user ID. This attribute value must match the value in the user ID field for the user's Person record in the Siebel database. It is used to identify the user's database record for access-control purposes.

  • Database account. This attribute value must be of the form username=U password=P, where U and P are the credentials for a database account. Any amount of space is allowed between the two key-value pairs, but no space is allowed within a pair. The keywords username and password must be lowercase.

    If you choose, you can configure a designated directory entry to contain credentials of a database account that is shared by many users; this is the shared database account. If you implement a shared database account, then you can specify the value for the shared database account user name and password in profile parameters for the LDAP Security Adapter profile instead of in an attribute value for the directory entry. For more information, see "Configuring the Shared Database Account".

    Note: Even if you use a shared database account with external directory authentication, you must create a separate database account for any user who requires administrator access to Siebel Business Applications functionality, for example, any user who has to perform Siebel Server management and configuration tasks. The database account user ID and password you create for the user must match the user ID and password specified for the user in the external directory.

  • Username. This attribute value is the key passed to the directory that identifies the user. In a simple implementation, the user name might be the Siebel user ID, and so it might not have to be a separate attribute.

  • Password. Stores a user's login password for the LDAP server. Whether or not the password is stored in the directory depends on whether or not you are using Web SSO:

    • If the user authenticates through the LDAP directory using the LDAP security adapter, then the login password must be stored in the userPassword attribute of the LDAP directory.

    • If the user is authenticated by an authentication service, such as in a Web SSO implementation, then a password attribute is not required.

    The Password Attribute Type parameter is used to specify the attribute type under which the user's login password is stored in the directory. For additional information on the Password Attribute Type parameter, see "Server Parameters for Siebel Gateway".

It is recommended that you implement password hashing for both user passwords and database credentials stored in the directory. You can also define access control lists (ACLs) to restrict access to directory objects containing password information. For information on setting up directory ACLs, see your directory vendor documentation. For information on password hashing, see "About Password Hashing".
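The following is an added illustration, not code from Siebel or this guide, of the authentication process described above together with the directory layout just listed: the lookup by username attribute, the check of a hashed login password, the parse of the username=U password=P database-account attribute (lowercase keywords, any spacing between the pairs, none inside a pair), and the fallback to a shared database account when a user has no per-user entry. The in-memory directory, the attribute names siebelUserId and dbAccount, the salted SHA-256 scheme and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import re

# Regex for the database-account attribute as the guide specifies it: lowercase
# keywords, any run of whitespace between the two pairs, no whitespace inside a pair.
DB_ACCOUNT_RE = re.compile(r"^username=(\S+)\s+password=(\S+)$")

def parse_db_account(value):
    """Return (db_user, db_password), or raise ValueError if the attribute is malformed."""
    match = DB_ACCOUNT_RE.match(value.strip())
    if not match:
        raise ValueError("malformed database account attribute: %r" % value)
    return match.group(1), match.group(2)

def hash_password(password, salt):
    # Constructed salted hash for this demo only; a real directory applies its own
    # userPassword storage scheme (see the directory vendor documentation).
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed directory keyed by the username attribute. The second user has no
# per-user database account and falls back to the shared database account.
DIRECTORY = {
    "jsmith@example.com": {
        "siebelUserId": "JSMITH",
        "dbAccount": "username=sadmin   password=DbSecret1",
        "salt": "s1", "userPassword": hash_password("Ldap!Pass", "s1"),
        "roles": ["Siebel Administrator"],
    },
    "alee@example.com": {
        "siebelUserId": "ALEE",
        "salt": "s2", "userPassword": hash_password("Other!Pass", "s2"),
        "roles": [],
    },
}
# Shared database account user name and password, as set in the adapter profile (constructed).
SHARED_DB_ACCOUNT = ("siebelapp", "SharedDbSecret")
def authenticate(username, password, directory=DIRECTORY, shared=SHARED_DB_ACCOUNT):
    """Validate the login against the directory and return what the adapter hands back."""
    entry = directory.get(username)
    if entry is None:
        return None  # unknown user gets the same result as a wrong password
    if not hmac.compare_digest(entry["userPassword"], hash_password(password, entry["salt"])):
        return None
    if "dbAccount" in entry:
        db_user, db_password = parse_db_account(entry["dbAccount"])
    else:
        db_user, db_password = shared
    return {"siebel_user_id": entry["siebelUserId"], "db_user": db_user,
            "db_password": db_password, "roles": entry["roles"]}
```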

You can use additional user attributes to store data, for example, first and last name, as required by your authentication solution.

If you create a new attribute object for your directory to store Siebel attributes (for example, Siebel User ID), then you can use the Private Enterprise Number that Siebel Business Applications has registered with the Internet Assigned Numbers Authority (http://www.iana.org) to provide a unique X.500 Object ID. This number is 1.3.6.1.4.1.3856.*.

An additional type of data, roles, is supported, but is not required. Roles are an alternate means of associating Siebel responsibilities with users. Responsibilities are typically associated with users in the Siebel database, but they can instead be stored in the directory. Leave role values empty to administer responsibilities from within Siebel Business Applications. For more information, see "Configuring Roles Defined in the Directory".

About Creating the Application User in the Directory

Depending on your authentication and registration strategies, and the options that you implement for your deployment, you must define a user, called the application user, in the directory.

The application user is the only user who can read or write user information in the directory. Therefore, it is critical that the application user has appropriate search and write privileges to the directory. For information on creating the application user, see "Configuring the Application User".