1. Security Guide
  2. Siebel IP 2016 integration with IDCS

Siebel IP 2016 integration with IDCS

This set up is for IDCS integration with Siebel IP 2016 and earlier versions.

The following figure describes the architecture of the set up.



The Siebel CRM 2016 integration with IDCS architecture has this workflow:

  1. User tries to access the application.
  2. The Apache reverse proxy with Open ID module intercepts the request (HTTPS / HTTP).
  3. OpenID checks for the existence of a session cookie on the user’s computer. If a valid cookie exists, then the OpenID populates the header variable and the UserID is passed to Siebel.
  4. If no cookie exists, then the user is prompted for credentials using the IDCS form. The user enters the credentials which are passed to the Identity Cloud Service.
  5. If the credentials are authenticated, then the IDCS session cookie is set and the OpenID sets the header variable and redirects the request to Siebel.
  6. Siebel security adapter retrieves the database account and role information from the directory server.
  7. Siebel session is started with the appropriate responsibilities.

To Set up the Apache HTTP Server

See 2364938.1 (Article ID) on My Oracle Support and follow all instructions listed in the document. At the end of this setup make sure that navigating to protected directory prompts the user with credentials from IDCS and after providing valid credentials in IDCS,the user can access the protected URL.

To Set up Siebel Object Managers

Two object managers, one with database authentication and one for setting up with IDCS authentication are needed during setup process. As an example, enable Siebel CME Component Group and use eCommunications_enu for database authentication and eCommunicationsWireless_enu as IDCS authentication.

Make sure the Siebel Administrator SADMIN privilege and environment have GUESTCST configured with the appropriate responsibility to enable minimum number of views.

To Configure Apache HTTP Server 2.x Server as Reverse Proxy

  1. Configure Apache to listen on SSL port 443. You need to do this because in the example setup, Apache and Siebel server are both on the same machine and the Siebel Web Server is listening on port 80.

    Listen 10.248.120.16:443

  2. Enable reverse proxy by uncommenting the following lines in httpd.conf file:
    LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
  3. Enable LoadModule xml2enc_module modules/mod_xml2enc.so
  4. Add the following lines before the protected directory:
    ProxyPass "/eCommunicationsWireless_enu"  "http://Siebel_Web_Server/eCommunicationsWireless_enu"
ProxyPassReverse "/eCommunicationsWireless_enu"  "http://Siebel_Web_Server/eCommunicationsWireless_enu"
  5. Make changes to protect the eCommunicationsWireless_enu object manager URL instead of the protected url.
    <Location /eCommunicationsWireless_enu>
   AuthType openid-connect
   Require valid-user
</Location>

To Configure the eApps_sia.cfg File

Since the example is using the eCommunicationsWireless application, modify the eapps_sia.cfg file. If you're using any other application, you may have to modify the eapps.cfg file.

[/eCommunicationsWireless_enu]
ConnectString = siebel.TCPIP.None.None://SiebelServer:SiebelServerPort/siebel/eCommWirelessObjMgr_enu
WebPublicRootDir = SIEBEL_ROOT_DIR\eappweb\public\
SingleSignOn = TRUE
TrustToken   = IDCSSIEBEL		#this value must match value in Security adapter in Siebel Enterprise Profile
UserSpec = OIDC_CLAIM_sub	# this is the HTTP header variable in which OIDC passes username to Siebel
UserSpecSource = Header
ProtectedVirtualDirectory = /eCommunicationsWireless_enu
EncryptedPassword = FALSE
AnonUserName  = GUESTCST
AnonPassword  = GUESTCST

To Configure Object Manager to enable LDAP Security Adapter

  1. Go to Administration > Server Configuration > Enterprises > Component Definition using eCommunications_enu object manager.
  2. Query for the Alias eCommWirelessObjMgr_enu
  3. Change the values of the following parameters in Component parameters.
    • Security Adapter Mode (SecAdptMode): LDAP (old value DB)
    • Security Adapter Name (LDAPSecAdpt): LDAPSecAdpt (old value DBSecAdpt)
    • EnforceSSL: True

To Set up Security Adapter

  1. Go to Administration > Server Configuration > Enterprises > Profile Configuration using eCommunications_enu object manager.
  2. Query for the Profile LDAP Security Adapter.
  3. Set the following parameters:
    • Single sign-on: True
    • Trust Token: IDCSSIEBEL (this value must match the value given in eapps.cfg file).

To Test the Configuration

Bounce the Siebel server, web server and start the httpd server.