Want to know about "SiebelSSOAuth" library

Article ID: 207941

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

We're running an ERP Agent for Siebel and we'd like to know about the
library "SiebelSSOAuth", as we use it in an Authentication Scheme.

Could you give us more details about the "SiebelSSOAuth" library?

Environment

ERP Agent for Siebel 12.51

Resolution

This library implements the Authentication Scheme used by the ERP Agent
for Siebel; it is loaded by the Policy Server, which also uses it to
construct the related Responses.

  CA SiteMinder ERP Agents Agent Guide for Siebel r5.6 SP4

    A SiteMinder Active Response that generates an "Authentication Ticket"
    securely identifying the user

    A SiteMinder Authentication Scheme that accepts the Authentication
    tickets generated by the Active Response.
    p.11

    Note: Through a number of means, Siebel is enabled to accept the SiteMinder
    username and password as well as the database username and password. To
    enable this support, you will need to configure the SiteMinder Policy server to
    authenticate users out of both the enterprise directory and the Siebel
    database.
    p.12

    Web Agent intercepts the request, and uses Policy server to perform
    SiteMinder Authentication/Authorization.
    p.13

    Step 3 is carried out, and the Siebel Authentication Ticket
    (SIEBELTICKET) and SIEBELUSER responses are generated. Web
    Agent receives the above responses and generates HTTP headers
    HTTP_SIEBELUSER and HTTP_SIEBELTICKET from them.
    p.14

    Copy the Authentication Scheme library, SiebelSSOAuth, from the
    Siebel Agent Installation Directory/siebel/bin to the bin or lib
    directory in the Policy server.
    p.22

  https://ftpdocs.broadcom.com/cadocs/0/h005071e.pdf

This library has to be installed on the Policy Server. The version to
install on Policy Server 12.8SP3 is the one listed here:

  SiteMinder SiebelAuth 12.6.1

    RS95509 SSO SIEBELAUTH 12.6.1

  https://support.broadcom.com/external/content/release-announcements/CA-Single-Sign-On-Hotfix-Cumulative-Release-Index/6544#SMSA

Note that:

1. As per the documentation, the Active Response using this library
   creates an "Authentication Ticket", and the Authentication Scheme
   validates that ticket. To perform that validation, the
   "Authentication Scheme verifies the user credentials, SIEBELUSER,
   and the Siebel authentication Ticket (SIEBELTICKET)":

   An Active Response that generates an "Authentication Ticket"
   securely identifying the user.
   p.10

   An authentication scheme that accepts the Authentication tickets
   generated by the Active Response.
   p.11

   Active Response is fired, and generates the Siebel Authentication
   Ticket, SIEBELTICKET. This authentication ticket is specific to the
   user accessing the application.
   p.14

   
   3. If the authentication by Policy Server is successful, the
      following takes place:

     - Active Response is fired, and generates the Siebel
       Authentication Ticket, SIEBELTICKET. This authentication ticket
       is specific to the user accessing the application.

     - Siebel user response is fired, sending a user attribute, whose
       value maps to a valid Siebel user.

   p.14
   9. Policy Server uses the Siebel SSO authentication scheme to
      verify the user credentials.

      Authentication Scheme verifies the user credentials, SIEBELUSER,
      and the Siebel authentication Ticket (SIEBELTICKET).
   
   10. The Siebel SSO Authentication scheme results are returned to
       Policy Server.

   p.15

2. According to the documentation, once the agent is installed and
   configured, Siebel no longer connects to the database with the
   individual user's credentials:

   "Once an external authentication system such as CA SSO is
    implemented, Siebel is no longer capable of employing the
    individual user's credentials to connect to the database for the
    following reasons:

      CA SSO does not store or expose the user's credentials once the
      user has been authenticated. This is intentional for security
      reasons.

      Even if CA SSO stored the user's credentials, there is no way to
      know or guarantee that the database would be able to use those
      credentials - users might authenticate to CA SSO with certificates,
      SecurID or other one-time passwords, NTLM or some other
      authentication scheme which would not be acceptable to the
      database.

    The Siebel Object Manager continues to communicate with the
    database for all data; however, because users no longer present
    credentials that the Object Manager can use to connect on their
    behalf, a special administrative account is necessary. This
    account's credentials need not be published, and are not used by
    any person or application other than the Siebel Object Manager.

    The use of a generic database user does not in any way impair the
    ability to audit user activity because Siebel's internal access
    control, data protection, and audit capabilities continue to
    operate as with individual user database accounts. A database
    account should be created and the password set to a complex,
    non-guessable value.

    A benefit of Siebel using a generic database account is that after
    this product is installed, individual database accounts are no
    longer necessary. This relieves the system of the administrative
    burden of account creation, password maintenance or
    synchronization, and removal upon termination of employment."

    p.22

You'll find the above documentation here:

   CA SSO Agent 12.51 for Siebel
   https://ftpdocs.broadcom.com/cadocs/0/CA%20SSO%20Agent%20for%20Siebel%2012%2051-ENU/Bookshelf.html
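The ticket flow quoted above (Active Response issues SIEBELTICKET, Web Agent forwards HTTP_SIEBELUSER/HTTP_SIEBELTICKET, Authentication Scheme verifies both) modelled as an added Python example; this is not SiebelSSOAuth's code and its ticket format, shared secret and lifetime are assumptions, chosen only to show why the user header alone must not be trusted and why the ticket has to be bound to the user and checked with a secret.

```python
import base64
import hashlib
import hmac

# Constructed shared secret for the model; in a real deployment the Active
# Response and the Authentication Scheme would share a secret configured on
# the Policy Server. This ticket format is an assumption, not SiebelSSOAuth's.
SHARED_SECRET = b"constructed-example-secret"
MAX_TICKET_AGE = 300  # seconds; assumed ticket lifetime for the model


def issue_ticket(siebel_user, issued_at, secret=SHARED_SECRET):
    """Model of the Active Response: bind the user name and issue time
    with an HMAC so the ticket identifies that user and no one else."""
    payload = f"{siebel_user}|{issued_at}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode()


def verify_ticket(headers, now, secret=SHARED_SECRET, max_age=MAX_TICKET_AGE):
    """Model of the Authentication Scheme: check the HTTP_SIEBELUSER and
    HTTP_SIEBELTICKET headers the Web Agent forwards. Returns (ok, reason)."""
    user = headers.get("HTTP_SIEBELUSER")
    ticket = headers.get("HTTP_SIEBELTICKET")
    if not user or not ticket:
        return False, "missing header"
    try:
        raw = base64.urlsafe_b64decode(ticket.encode()).decode()
        t_user, t_issued, tag = raw.rsplit("|", 2)
        issued_at = int(t_issued)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed ticket"
    expected = hmac.new(secret, f"{t_user}|{t_issued}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time compare: reject tickets not minted with the shared secret.
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    # The user attribute alone is not trusted; it must match the ticket.
    if t_user != user:
        return False, "user/ticket mismatch"
    if now - issued_at > max_age:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    hdrs = {"HTTP_SIEBELUSER": "jsmith",
            "HTTP_SIEBELTICKET": issue_ticket("jsmith", 1000)}
    print(verify_ticket(hdrs, now=1100))  # (True, 'ok')
    hdrs["HTTP_SIEBELUSER"] = "sadmin"
    print(verify_ticket(hdrs, now=1100))  # (False, 'user/ticket mismatch')
```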