In a Web SSO implementation, users are authenticated by a third party at the Web-site level. Siebel Business Applications support this mode of authentication by providing an interface that allows the third party to pass user information to a Siebel application. Once authenticated by the third party, a user does not have to explicitly log into the Siebel application.
Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session.
Web SSO architecture is appropriate for Web sites on which only approved registered users can gain access to sensitive data, such as a Web site on which you share data with your channel partners.
Web SSO Authentication Process
• The user enters credentials at the Web site that are passed to the Web server. A third-party authentication client on the Web server passes the user credentials to the third-party authentication service. The third-party authentication service verifies the user credentials and passes the authenticated user’s username to the Siebel Web Server Extension (SWSE).
• The SWSE passes the authenticated user’s username to the authentication manager. The username can be the Siebel user ID or another attribute.
• The security adapter provides the authenticated user’s username to a directory, from which the user’s Siebel user ID, a database account, and, optionally, roles are returned to the authentication manager.
• The Application Object Manager (AOM) uses the returned credentials to connect the user to the database and to identify the user.
Web SSO Limitations
Because authentication and user administration are handled outside the Siebel application, the following features are not available in a Web SSO implementation:
• User self-registration
• Delegated administration of users
• Login forms
• Logout links or the Log Out menu item in the File application-level menu
• Change password feature (in Profile view of User Preferences screen)
Web SSO Implementation Considerations
• Users are authenticated independently of Siebel Business Applications, such as through a third-party authentication service or through the Web server.
• You must synchronize users in the authentication system and users in the Siebel Database at the Web site level.
• You must configure user administration functionality, such as self-registration, at the Web site level.
• A delegated administrator can add users to the Siebel Database, but not to the authentication system.
Implementing Web SSO Authentication
To provide user access to Siebel Business Applications on a Web site implementing Web SSO, the Siebel Business Applications must be able to determine the following from the authentication system:
• Verification that the user has been authenticated
• A user credential that can be passed to the directory, from which the user’s Siebel user ID and database account can be retrieved
In a Web SSO environment, you must also provide your authentication service and any required components, such as an authentication client component.
You can implement the following options in a Web SSO environment that uses a Siebel-compliant security adapter:
• User specification source: You must specify the source from which the Siebel Web Engine derives the user’s identity key: a Web server environment variable or an HTTP request header variable. Whichever source you choose, only the trusted authentication client on the Web server may be able to set it. In particular, if the identity key is read from a request header, the Web server or authentication client must remove any copy of that header that arrives from the browser before setting its own; otherwise any client could assert an arbitrary identity without authenticating.
• Digital certificate authentication: Siebel Systems supports X.509 digital certificate authentication by the Web server.
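The following is an added, runnable model of the authentication process described above (Web server authentication client, SWSE identity key, security adapter lookup, AOM credentials) and of the user specification source option. It is constructed example code, not Siebel or SWSE code: the header name X-Authenticated-User, the REMOTE_USER environment variable, the directory contents and the credential store are all assumptions chosen for illustration. It also shows the two failure modes a practitioner cares about: a browser-supplied identity header that is not stripped by the authentication client, and an authenticated user who is missing from the directory (the synchronization requirement noted under implementation considerations).

```python
"""Toy model of a Web SSO hand-off into a Siebel-style application (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed header name that the authentication client uses to pass the identity key
# to SWSE. The real name is whatever the SWSE user specification source is configured to.
IDENTITY_HEADER = "X-Authenticated-User"

# Constructed directory: authenticated username -> Siebel user ID, database account, roles.
DIRECTORY = {
    "jdoe@example.com": {"siebel_user_id": "JDOE", "db_account": "SIEBEL_APP", "roles": ["Partner User"]},
    "asmith@example.com": {"siebel_user_id": "ASMITH", "db_account": "SIEBEL_APP", "roles": []},
}

# Constructed third-party authentication service: the credentials it accepts.
# ghost@example.com is deliberately present here but absent from DIRECTORY.
AUTH_SERVICE = {
    "jdoe@example.com": "correct horse",
    "asmith@example.com": "battery staple",
    "ghost@example.com": "orphaned account",
}


@dataclass
class Request:
    headers: Dict[str, str]
    env: Dict[str, str] = field(default_factory=dict)          # Web server environment (assumed REMOTE_USER)
    credentials: Optional[Tuple[str, str]] = None              # (username, password) entered at the Web site


def authentication_client(req: Request, strip_client_headers: bool) -> Request:
    """Step 1: the third-party client on the Web server verifies the credentials with the
    authentication service and asserts the authenticated username toward SWSE in the
    identity header. strip_client_headers models whether browser-supplied copies of that
    header are discarded first; a client that does not strip them can be spoofed."""
    headers = dict(req.headers)
    if strip_client_headers:
        headers.pop(IDENTITY_HEADER, None)
    if req.credentials is not None:
        username, password = req.credentials
        if AUTH_SERVICE.get(username) == password:
            headers[IDENTITY_HEADER] = username
    return Request(headers=headers, env=dict(req.env), credentials=None)


def swse_identity_key(req: Request, source: str) -> Optional[str]:
    """Step 2: SWSE derives the identity key from the configured user specification source.
    The environment variable is assumed to be set by Web server authentication itself
    (for example X.509 client certificate authentication), so it is only read here."""
    if source == "header":
        return req.headers.get(IDENTITY_HEADER)
    if source == "env":
        return req.env.get("REMOTE_USER")
    raise ValueError(f"unknown user specification source: {source}")


def security_adapter(identity_key: str) -> Optional[dict]:
    """Step 3: the security adapter looks the identity key up in the directory and returns the
    Siebel user ID, database account and roles, or None if the user is not provisioned."""
    return DIRECTORY.get(identity_key)


def web_sso_login(req: Request, *, source: str = "header", strip_client_headers: bool = True) -> Optional[dict]:
    """Whole flow. Returns the record the AOM would use to connect the user to the database,
    or None when access must be denied (not authenticated, or authenticated but unknown)."""
    forwarded = authentication_client(req, strip_client_headers)
    key = swse_identity_key(forwarded, source)
    if key is None:
        return None
    return security_adapter(key)
```

Run with a valid login and the record for JDOE comes back; send only a forged X-Authenticated-User header and the default (stripping) client denies access, while the non-stripping variant grants it, which is the configuration error to check for when the identity key comes from a request header. An authenticated ghost@example.com is denied because the directory has no entry for it, which is why the authentication system and the Siebel Database must be kept synchronized.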