Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01

Identity Provider-Initiated Single Sign-On Authentication Process

Figure 6-5 and Figure 6-6 show the typical steps in an identity provider-initiated SSO authentication process where the portal application, which links to Siebel REST and Web services, acts as the identity provider (IdP) and initiates the federation. The process uses Oracle WebLogic server with Oracle Access Manager and Oracle API Gateway for illustrative purposes, but any Web application server with a SAML identity provider solution and a gateway for the service provider can be used.


Note:

For Siebel REST, you can use any identity provider (IdP) or gateway solution from any vendor. For more information, see Siebel REST API Guide.

Figure 6-5 Identity Provider-Initiated Single Sign-On Authentication Process (Part I)

Figure 6-6 Identity Provider-Initiated Single Sign-On Authentication Process (Part II)

The typical steps in the IdP-initiated SSO authentication process shown in Figure 6-5 and Figure 6-6 (using Oracle WebLogic server with Oracle Access Manager and Oracle API Gateway for illustrative purposes) are:

  1. GET/Access protected Customer Portal. A non-authenticated user requests access to a protected Customer Web Portal.

  2. Redirect to Login page. The request carries no OAMAuthnCookie, so Oracle Webgate redirects the user to the login page.

  3. Enter credentials and submit login form. The user enters their credentials and submits the login form.

  4. Validate credentials in IDStore. Oracle Access Manager validates the user credentials in the IDStore (Oracle LDAP or Oracle Unified Directory installed with Identity Store).

  5. IDStore responds success. The IDStore returns success to Oracle Access Manager.

  6. Respond with OAMAuthnCookie. Oracle Access Manager responds with the OAMAuthnCookie to Oracle Webgate.

  7. Set OAMAuthnCookie and redirect to portal. Oracle Webgate sets the OAMAuthnCookie and redirects the user to the portal.

  8. Land on portal index.html page. The user lands on the portal's index.html page.

  9. index.html loads IdP initiated Federation. The index.html page loads the IdP-initiated federation.

  10. Post SAML assertion with returnurl. Oracle Access Manager posts the SAML assertion, together with the returnurl that identifies where the user is sent after federation completes.

  11. Lookup user from the SAML attribute. Oracle Access Manager checks with Oracle LDAP to look up the user from the SAML attribute.

  12. Return success. Oracle LDAP returns success.

  13. Set OAMAuthnCookie. Oracle Access Manager sets the OAMAuthnCookie.

  14. Redirect to portal landing page. The user is redirected to the portal landing page.

  15. Click on QUOTE link within iFrame that points to REST service. The user initiates the REST invocation process by clicking the QUOTE link, which points to the REST service.

  16. Validate authorization for QUOTE link URI. Oracle Webgate validates authorization for the QUOTE link URI.

  17. Validate OAMAuthnCookie. Oracle Webgate validates the OAMAuthnCookie and passes the request information on to Oracle Access Manager.

  18. Authorized and returns OAM SAML assertion. Oracle Access Manager authorizes the request and returns the OAM SAML assertion to Oracle Webgate.

  19. Send REST request and SAML to WLS Servlet. Oracle Webgate sends the REST request and SAML to the Oracle WebLogic server.

  20. Send SAML assertion with URI. Oracle WebLogic server sends the SAML assertion with URI to the Oracle API Gateway.

  21. Validate SAML, extract user name, send REST call with header. Oracle API Gateway validates the SAML assertion, extracts the user name from it, and sends the REST call to Siebel REST with that user name in the call header. Because Siebel REST trusts the user identity it receives in this header, the gateway must accept only assertions whose signature, issuer, audience, and validity window it has verified, and Siebel REST must accept the header only from the gateway.

  22. Return result. Siebel REST returns the result to the Oracle API Gateway.

  23. Return result. Oracle API Gateway returns the result to the Oracle WebLogic server.

  24. Return generated HTML page. Oracle WebLogic server returns the generated HTML page to the portal.

  25. Display generated HTML page. The portal displays the generated HTML page to the user.

  26. Click Logout to kill Siebel session. The user clicks Logout to end the Siebel session.

  27. Trigger OAM logout URL. The portal invokes the Oracle Access Manager logout URL.

  28. OAM triggers Logout URL to kill the session. Oracle Webgate passes the logout request to Oracle Access Manager, which terminates the session.

  29. Oracle Webgate redirects to final Logout page. Oracle Access Manager redirects the user, through Oracle Webgate, to the final logout page.

  30. User lands on logout page. The user lands on the logout page.
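Step 21 is where trust is transferred from the SAML assertion to a plain header that Siebel REST will act on, so it is the step whose checks matter most. The following is an added example, not Oracle API Gateway, Oracle Access Manager, or Siebel code, of the gateway-side policy that step describes: it parses an IdP-initiated SAML response, rejects assertions that fail the status, issuer, audience, recipient, time-window, and replay checks, and only then extracts the NameID and builds the header for the forwarded REST call. The issuer and audience URLs, the header name, and the sample response are constructed for the example, and the XML signature is assumed to have been verified by an XML-DSig library (for example, xmlsec) before this function runs, since the checks here are meaningless on an unsigned or forged document.

```python
"""Gateway checks on an IdP-initiated SAML assertion before the user name
is forwarded to Siebel REST in a call header.

Added example, not vendor code.  All URLs and the header name are assumed
placeholders.  The XML signature over the assertion must already have been
verified (for example with xmlsec) before validate_assertion() is called.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical gateway policy values for this example.
EXPECTED_ISSUER = "https://idp.example.com/oam/fed"          # the IdP entity ID
EXPECTED_AUDIENCE = "https://gateway.example.com/siebel-rest"  # this gateway's SP entity ID
GATEWAY_ACS_URL = "https://gateway.example.com/saml/acs"       # where the assertion is posted
USER_HEADER = "X-Siebel-User"                                 # header the gateway sets (assumed)

# Assertion IDs already accepted; in-memory here, shared store in a real gateway.
_seen_assertion_ids: set = set()


def _parse_time(value: str) -> dt.datetime:
    # SAML timestamps are xs:dateTime in UTC with a trailing "Z".
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(response_xml: str, now: dt.datetime = None) -> str:
    """Return the NameID to forward, or raise ValueError naming the failed check."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(response_xml)  # expat does not fetch external entities
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # An unsolicited (IdP-initiated) response must not claim to answer an AuthnRequest.
    if root.get("InResponseTo"):
        raise ValueError("unexpected InResponseTo on IdP-initiated response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("SAML status is not Success")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")  # refuse ambiguity
    a = assertions[0]

    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != EXPECTED_ISSUER:
        raise ValueError("untrusted issuer %r" % issuer)

    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("missing Conditions or NotOnOrAfter")
    if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [e.text.strip() for e in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("audience restriction does not name this gateway")

    # Bearer confirmation: the assertion must be addressed to this ACS and still fresh.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != GATEWAY_ACS_URL:
        raise ValueError("bearer confirmation not addressed to this gateway")
    if not scd.get("NotOnOrAfter") or now >= _parse_time(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")

    # One-time use: the same assertion must not be accepted twice.
    aid = a.get("ID")
    if not aid or aid in _seen_assertion_ids:
        raise ValueError("assertion replayed or has no ID")
    _seen_assertion_ids.add(aid)

    name_id = (a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if not name_id:
        raise ValueError("missing NameID")
    return name_id


def forward_headers(response_xml: str, now: dt.datetime = None) -> dict:
    """Headers the gateway attaches to the REST call it sends to Siebel REST."""
    return {USER_HEADER: validate_assertion(response_xml, now), "Accept": "application/json"}


# Constructed sample response (signature omitted; assumed verified upstream).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="%(ok)s"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>%(issuer)s</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="%(acs)s"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>%(aud)s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % dict(samlp=NS["samlp"], saml=NS["saml"], ok=SUCCESS,
                           issuer=EXPECTED_ISSUER, acs=GATEWAY_ACS_URL, aud=EXPECTED_AUDIENCE)

if __name__ == "__main__":
    t = dt.datetime(2024, 1, 1, 12, 1, tzinfo=dt.timezone.utc)
    print(forward_headers(SAMPLE_RESPONSE, now=t))
```

The order of checks is deliberate: the replay cache is consulted last, so an expired or mis-addressed assertion never occupies a slot in it, and the cache only grows with assertions that were actually accepted. Everything after the signature check is cheap string and time comparison, which is why the gateway, not Siebel REST, is the right place for it.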

For more information about each step in this process, consult the supporting documentation for your Web application server (for example, Oracle WebLogic), identity management solution (for example, Oracle Access Manager), and gateway (for example, Oracle API Gateway). Whichever products you use, confirm that the gateway verifies the SAML assertion's signature, issuer, audience, and validity window before it forwards the user name to Siebel REST, and that the network path between the gateway and Siebel REST does not allow a client to supply that header directly.


Note:

For information about using OAuth with Siebel REST, see Siebel REST API Guide.