What is the "SiebelSSOAuth" library from ERP Agent for Siebel

Article ID: 207941

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

 

When running an ERP Agent for Siebel, what is the "SiebelSSOAuth"
library that is used in an Authentication Scheme?

 

Environment

 

ERP Agent for Siebel 12.51

 

Resolution

 

At first glance, this library is an Authentication Scheme for the ERP
Agent for Siebel server, and the Policy Server uses that library to
construct Responses (1).

This library has to be set on the Policy Server. The version to set on
Policy Server 12.8SP3 is 12.6.1 (2).

1. As per the documentation (3), the Active Response using this library
   creates an "Authentication Ticket", and the Authentication Scheme
   validates that ticket. To perform the validation, the
   "Authentication Scheme verifies the user credentials, SIEBELUSER,
   and the Siebel authentication Ticket (SIEBELTICKET)":

   An Active Response that generates an "Authentication Ticket"
   securely identifying the user.
   p.10

   An authentication scheme that accepts the Authentication tickets
   generated by the Active Response.
   p.11

   Active Response is fired, and generates the Siebel Authentication
   Ticket, SIEBELTICKET. This authentication ticket is specific to the
   user accessing the application.
   p.14
   
   3. If the authentication by Policy Server is successful, the
      following takes place:

     - Active Response is fired, and generates the Siebel
       Authentication Ticket, SIEBELTICKET. This authentication ticket
       is specific to the user accessing the application.

     - Siebel user response is fired, sending a user attribute, whose
       value maps to a valid Siebel user.

   p.14
   
   9. Policy Server uses the Siebel SSO authentication scheme to
      verify the user credentials.

      Authentication Scheme verifies the user credentials, SIEBELUSER,
      and the Siebel authentication Ticket (SIEBELTICKET).
   
   10. The Siebel SSO Authentication scheme results are returned to
       Policy Server.

   p.15

2. According to the documentation, once the product is installed and
   configured, access to the database with the individual user's
   credentials is no longer needed:

   "Once an external authentication system such as CA SSO is
    implemented, Siebel is no longer capable of employing the
    individual user's credentials to connect to the database for the
    following reasons:

      CA SSO does not store or expose the user's credentials once the
      user has been authenticated. This is intentional for security
      reasons.

      Even if CA SSO stored the user's credentials, there is no way to
      know or guarantee that the database would be able to use those
      credentials - users might authenticate to CA SSO with certificates,
      SecurID or other one-time passwords, NTLM or some other
      authentication scheme which would not be acceptable to the
      database.

    The Siebel Object Manager continues to communicate with the
    database for all data; however, because users no longer present
    credentials that the Object Manager can use to connect on their
    behalf, a special administrative account is necessary. This
    account's credentials need not be published, and are not used by
    any person or application other than the Siebel Object Manager.

    The use of a generic database user does not in any way impair the
    ability to audit user activity because Siebel's internal access
    control, data protection, and audit capabilities continue to
    operate as with individual user database accounts. A database
    account should be created and the password set to a complex,
    non-guessable value.

    A benefit of Siebel using a generic database account is that after
    this product is installed, individual database accounts are no
    longer necessary. This relieves the system of the administrative
    burden of account creation, password maintenance or
    synchronization, and removal upon termination of employment."
   
    p.22

Additional Information

 

(1)

    CA SiteMinder ERP Agents Agent Guide for Siebel r5.6 SP4

      A SiteMinder Active Response that generates an "Authentication Ticket"
      securely identifying the user

      A SiteMinder Authentication Scheme that accepts the Authentication
      tickets generated by the Active Response.
      p.11

      Note: Through a number of means, Siebel is enabled to accept the SiteMinder
      username and password as well as the database username and password. To
      enable this support, you will need to configure the SiteMinder Policy server to
      authenticate users out of both the enterprise directory and the Siebel
      database.
      p.12

      Web Agent intercepts the request, and uses Policy server to perform
      SiteMinder Authentication/Authorization.
      p.13

      Step 3 is carried out, and the Siebel Authentication Ticket
      (SIEBELTICKET) and SIEBELUSER responses are generated. Web
      Agent receives the above responses and generates HTTP headers
      HTTP_SIEBELUSER and HTTP_SIEBELTICKET from them.
      p.14

      Copy the Authentication Scheme library, SiebelSSOAuth, from the
      Siebel Agent Installation Directory/siebel/bin to the bin or lib
      directory in the Policy server.
      p.22

    https://ftpdocs.broadcom.com/cadocs/0/h005071e.pdf

(2)

    SiteMinder SiebelAuth 12.6.1

      RS95509 SSO SIEBELAUTH 12.6.1

    https://support.broadcom.com/external/content/release-announcements/CA-Single-Sign-On-Hotfix-Cumulative-Release-Index/6544#SMSA

(3)

    CA SSO Agent 12.51 for Siebel
    https://ftpdocs.broadcom.com/cadocs/0/CA%20SSO%20Agent%20for%20Siebel%2012%2051-ENU/Bookshelf.html