Security Adapter Configuration When SSO is Enabled

Siebel offers multiple ways to communicate user identity to Siebel. Siebel establishes user context only from a Siebel user ID (for example: SADMIN). So if an Identity Provider (IdP) passes an email address as the ID to Siebel (for example: SADMIN@oracle.com), then it is Siebel’s responsibility to map that ID to a Siebel user ID. Nothing changes for the Siebel Object Manager when Single Sign-on (SSO) or federation is in place: the authentication flow in Siebel is the same for SSO with SAML (federated SSO with Security Assertion Markup Language) and for non-SSO. In SSO cases, a trust token is used in place of a password. The choice of security adapter is guided by implementation constraints.

About Using an LDAP Security Adapter When SSO is Enabled

When using an LDAP security adapter, the adapter maps authenticated IDs to a single database user. This eliminates the need to maintain a large set of database users for Siebel. Users are validated by checking the credentials of the mapped Siebel database user. In SSO cases, the LDAP adapter uses the trust token as the password, and this password is common for all users.

  • If different attributes are propagated from an IdP or used for login, then configure and use an adapter-defined user name. In the case of SSO with SAML, a directory lookup is required to map the adapter-defined user name to the Siebel user ID. For more information, see Configuring Adapter-Defined User Name.

  • Optionally, LDAP can be used to store Siebel user responsibilities as roles in a directory attribute instead of in the Siebel database (for example, if you want to share the information). For more information, see Configuring Roles Defined in the Directory.

For production environments, it is recommended that you use an LDAP security adapter to maintain Siebel users.

About Using a Database Security Adapter When SSO is Enabled

When using a Database security adapter, the adapter maps authenticated IDs to a single database user. This approach eliminates the need to maintain a large set of database users for Siebel. Users are validated by checking the credentials of the mapped Siebel database user. In SSO cases, the trust token is used as the password, and this password is common for all users.

Note: No directory support is available when using a Database security adapter. As a result, the Identity Provider (IdP) must pass the exact Siebel user ID as an ID to Siebel (for example: SADMIN).
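The following is an added illustrative model, not Siebel's code, of the mapping behaviour described in the two sections above: the LDAP adapter resolves an IdP-supplied identifier (such as an email address) to a Siebel user ID through a directory lookup, while the Database adapter has no directory and therefore only accepts the exact Siebel user ID. The directory entries, attribute names, user set and trust token value are all constructed for the example.

```python
import hmac
from typing import Optional

# Constructed directory: the adapter-defined user name (here the mail
# attribute) mapped to the Siebel user ID stored alongside it.  The
# attribute name "siebel_user_id" is an assumption for this example.
DIRECTORY = {
    "sadmin@oracle.com": {"siebel_user_id": "SADMIN"},
    "jdoe@oracle.com": {"siebel_user_id": "JDOE"},
}

# Constructed trust token: in SSO the adapter receives this in place of a
# per-user password, and it is the same for every user.
TRUST_TOKEN = "constructed-trust-token"

# Constructed set of Siebel user IDs known to the application.
SIEBEL_USERS = {"SADMIN", "JDOE"}


def _token_ok(token: str) -> bool:
    """Compare the presented trust token in constant time."""
    return hmac.compare_digest(token.encode(), TRUST_TOKEN.encode())


def ldap_adapter_map(idp_id: str, token: str) -> Optional[str]:
    """LDAP adapter: check the shared trust token, then resolve the
    IdP identifier to a Siebel user ID via a directory lookup."""
    if not _token_ok(token):
        return None
    entry = DIRECTORY.get(idp_id.lower())
    return entry["siebel_user_id"] if entry else None


def db_adapter_map(idp_id: str, token: str) -> Optional[str]:
    """Database adapter: no directory is available, so the IdP must
    already send the exact Siebel user ID; an email address cannot
    be resolved and the login fails."""
    if not _token_ok(token):
        return None
    return idp_id if idp_id in SIEBEL_USERS else None


if __name__ == "__main__":
    print(ldap_adapter_map("SADMIN@oracle.com", TRUST_TOKEN))  # SADMIN
    print(db_adapter_map("SADMIN@oracle.com", TRUST_TOKEN))    # None
    print(db_adapter_map("SADMIN", TRUST_TOKEN))               # SADMIN
```

The same IdP assertion therefore succeeds with the LDAP adapter and fails with the Database adapter unless the IdP is configured to send the bare Siebel user ID.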