Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01
Federated Single Sign-On Authentication Process for Interactive User Interfaces

Figure 6-4 shows the user authentication process in a federated environment for interactive user interfaces. The process uses Oracle Access Manager (identity management solution) and Oracle Webgate (gateway) for illustrative purposes, but you can use any identity management solution and gateway.

Figure 6-4 Example Federated Single Sign-On Authentication Process

Example of federated single sign-on process.

The steps in the federated SSO authentication process shown in Figure 6-4 (using Oracle Access Manager and Oracle Webgate for illustrative purposes) are:

  1. A non-authenticated user requests a Siebel interactive UI protected by Oracle Webgate.

  2. Oracle Webgate intercepts the request and redirects the user to Oracle Access Manager for authentication.

  3. The user enters their credentials. Oracle Access Manager determines whether federated SSO should occur and invokes the federation engine to create a SAML AuthN request.

    Oracle Access Manager redirects the user to the tenant's identity provider (IdP) with the SAML AuthN request.

  4. The tenant's IdP processes the SAML AuthN request and authenticates the user if required.

  5. The user's IdP creates an assertion containing the user data and session data, and redirects the user, with the assertion, to Oracle Access Manager.

  6. Oracle Access Manager invokes the federation engine to validate the assertion and map it to a local user record. Oracle Access Manager then creates a local session for the user, evaluates the authorization policy, and redirects the user to the protected resource.

  7. If the user is authorized by Oracle Access Manager, then Oracle Webgate grants access to the protected resource.

About Configuring Interactive User Interfaces for Federated Single Sign-On

The following prerequisites are required on the Siebel side before configuring identity federation. You must install and set up the components to suit your own business needs. Consult the supporting documentation of your chosen components (for example, Oracle Access Manager and Oracle API Gateway) for more information.

  • Siebel Object Manager configured for SSO.

  • The following parameters must be set in the Siebel Application Interface profile:

    • Configure Web Single Sign-On must be set to TRUE to implement SSO.

    • Trust Token must be set to HELLO, or another contiguous string of your choice.

      In SSO mode with a custom security adapter, the specified value is passed to the custom security adapter as the password parameter, provided it corresponds to the value of the Trust Token parameter defined for that security adapter.

      Note: Typically, password encryption applies to Siebel Application Interface configuration. In this case, you must specify the encrypted value. For more information, see "Encrypted Passwords in Siebel Application Interface Profile Configuration".

    • User Specification must be set to, for example, OAM_REMOTE_USER.

      Note: OAM_REMOTE_USER is the header that carries the Siebel ID set by the SSO process.
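The following Python model is an added illustration of how the three profile parameters above fit together; it is not Siebel code. The function and variable names, the sample profile values, and the request headers are hypothetical, constructed to show that the user ID header alone is not enough: a custom security adapter accepts the forwarded identity only when the Trust Token passed as the password matches its own configured value.

```python
"""Model of the Siebel Web SSO trust handshake described in the list above.

Hypothetical code, not Siebel's. It models how the Application Interface
forwards the user identity taken from the configured header (User
Specification = OAM_REMOTE_USER) together with the Trust Token, and how a
custom security adapter accepts that identity only if the token matches.
"""
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample configuration mirroring the Application Interface
# profile parameters from the list above, plus the adapter's own Trust Token.
APP_INTERFACE_PROFILE = {
    "SingleSignOn": True,           # "Configure Web Single Sign-On" = TRUE
    "TrustToken": "HELLO",          # "Trust Token"
    "UserSpec": "OAM_REMOTE_USER",  # "User Specification"
}
ADAPTER_TRUST_TOKEN = "HELLO"       # Trust Token defined for the custom adapter


@dataclass
class LoginResult:
    ok: bool
    user: Optional[str]
    reason: str


def application_interface(headers: dict, profile: dict) -> Tuple[Optional[str], Optional[str]]:
    """Build the (username, password) pair handed to the Object Manager: the
    user ID comes from the configured header, the Trust Token replaces the password."""
    if not profile["SingleSignOn"]:
        return None, None           # SSO disabled: nothing is forwarded
    user = headers.get(profile["UserSpec"])
    if not user:
        return None, None           # non-authenticated request: no identity header
    return user, profile["TrustToken"]


def custom_security_adapter(user: Optional[str], password: Optional[str]) -> LoginResult:
    """Accept the forwarded identity only when the 'password' equals the trust
    token the adapter itself was configured with (constant-time comparison)."""
    if user is None or password is None:
        return LoginResult(False, None, "no SSO identity")
    if not hmac.compare_digest(password.encode(), ADAPTER_TRUST_TOKEN.encode()):
        return LoginResult(False, None, "trust token mismatch")
    return LoginResult(True, user, "trusted SSO identity")


def sso_login(headers: dict, profile: dict = APP_INTERFACE_PROFILE) -> LoginResult:
    """Full path: gateway-set headers -> Application Interface -> security adapter."""
    return custom_security_adapter(*application_interface(headers, profile))
```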