We're running an ERP Agent for Siebel and we'd like to know about the
library "SiebelSSOAuth", as we use it in an Authentication Scheme.
Could you give us more details about the "SiebelSSOAuth" library?
ERP Agent for Siebel 12.51
At first glance, this library is the Authentication Scheme library shipped
with the ERP Agent for Siebel; it is loaded by the Policy Server, which uses
it to construct Responses and to validate the resulting ticket.
CA SiteMinder ERP Agents Agent Guide for Siebel r5.6 SP4
A SiteMinder Active Response that generates an "Authentication Ticket"
securely identifying the user
A SiteMinder Authentication Scheme that accepts the Authentication
tickets generated by the Active Response.
p.11
Note: Through a number of means, Siebel is enabled to accept the SiteMinder
username and password as well as the database username and password. To
enable this support, you will need to configure the SiteMinder Policy server to
authenticate users out of both the enterprise directory and the Siebel
database.
p.12
Web Agent intercepts the request, and uses Policy server to perform
SiteMinder Authentication/Authorization.
p.13
Step 3 is carried out, and the Siebel Authentication Ticket
(SIEBELTICKET) and SIEBELUSER responses are generated. Web
Agent receives the above responses and generates HTTP headers
HTTP_SIEBELUSER and HTTP_SIEBELTICKET from them.
p.14
Copy the Authentication Scheme library, SiebelSSOAuth, from the
Siebel Agent Installation Directory/siebel/bin to the bin or lib
directory in the Policy server.
p.22
https://ftpdocs.broadcom.com/cadocs/0/h005071e.pdf
This library has to be installed on the Policy Server. The version to
install for Policy Server 12.8SP3 is the one listed here:
SiteMinder SiebelAuth 12.6.1
RS95509 SSO SIEBELAUTH 12.6.1
https://support.broadcom.com/external/content/release-announcements/CA-Single-Sign-On-Hotfix-Cumulative-Release-Index/6544#SMSA
Note that:
1. As per the documentation, the Active Response backed by this library
creates an "Authentication Ticket", and the Authentication Scheme then
validates that ticket. To perform the validation, the "Authentication
Scheme verifies the user credentials, SIEBELUSER, and the Siebel
authentication Ticket (SIEBELTICKET)":
An Active Response that generates an "Authentication Ticket"
securely identifying the user.
p.10
An authentication scheme that accepts the Authentication tickets
generated by the Active Response.
p.11
Active Response is fired, and generates the Siebel Authentication
Ticket, SIEBELTICKET. This authentication ticket is specific to the
user accessing the application.
p.14
3. If the authentication by Policy Server is successful, the
following takes place:
- Active Response is fired, and generates the Siebel
Authentication Ticket, SIEBELTICKET. This authentication ticket
is specific to the user accessing the application.
- Siebel user response is fired, sending a user attribute, whose
value maps to a valid Siebel user.
p.14
9. Policy Server uses the Siebel SSO authentication scheme to
verify the user credentials.
Authentication Scheme verifies the user credentials, SIEBELUSER,
and the Siebel authentication Ticket (SIEBELTICKET).
10. The Siebel SSO Authentication scheme results are returned to
Policy Server.
p.15
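As an added illustration of the flow described on p.14 and p.15 (this is example code, not the SiebelSSOAuth library's own implementation; the real ticket format, key material and lifetime are not documented on this page and are assumptions here), the following Python model has three stand-ins: an issue step for the Active Response, which returns a SIEBELUSER value and a signed, expiring SIEBELTICKET bound to that user; a mapping step for the Web Agent, which turns each response into an HTTP_<NAME> header; and a verify step for the Authentication Scheme, which checks the ticket's signature, expiry and binding to the presented SIEBELUSER, so that a ticket cannot be replayed for a different user or after it expires.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example only; how the real library is
# keyed is not documented on this page.
SHARED_KEY = b"example-shared-secret-replace-me"
# Assumed ticket lifetime in seconds (an example value, not a product setting).
TICKET_LIFETIME_SECONDS = 300


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, so the ticket is header-safe.
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(siebel_user: str, now=None) -> dict:
    """Stand-in for the Active Response: returns the SIEBELUSER and
    SIEBELTICKET responses for an authenticated user."""
    issued = int(now if now is not None else time.time())
    claims = {"user": siebel_user, "iat": issued,
              "exp": issued + TICKET_LIFETIME_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return {"SIEBELUSER": siebel_user,
            "SIEBELTICKET": _b64(payload) + "." + _b64(mac)}


def responses_to_headers(responses: dict) -> dict:
    """Stand-in for the Web Agent: each response becomes an HTTP_<NAME> header."""
    return {"HTTP_" + name: value for name, value in responses.items()}


def verify_ticket(headers: dict, now=None) -> tuple:
    """Stand-in for the Authentication Scheme: verifies SIEBELUSER against
    the SIEBELTICKET it was issued with. Returns (accepted, reason)."""
    user = headers.get("HTTP_SIEBELUSER")
    ticket = headers.get("HTTP_SIEBELTICKET")
    if not user or not ticket or "." not in ticket:
        return False, "missing SIEBELUSER or SIEBELTICKET"
    payload_b64, mac_b64 = ticket.split(".", 1)
    try:
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return False, "malformed ticket"
    # Check the signature first, in constant time, before trusting any claim.
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if current > claims["exp"]:
        return False, "ticket expired"
    # The ticket is specific to the user it was generated for (p.14).
    if claims["user"] != user:
        return False, "ticket not issued for this user"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through of the p.14/p.15 steps.
    responses = issue_ticket("SADMIN")
    headers = responses_to_headers(responses)
    print(headers)
    print(verify_ticket(headers))
```

The order of checks in verify_ticket is deliberate: the signature is checked before the payload is parsed or any claim is trusted, and the user binding is checked last so that a valid ticket presented with a different SIEBELUSER is rejected rather than silently accepted.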
2. According to the documentation, once the agent is installed and
configured, database access with the individual user's credentials is no
longer needed:
"Once an external authentication system such as CA SSO is
implemented, Siebel is no longer capable of employing the
individual user's credentials to connect to the database for the
following reasons:
CA SSO does not store or expose the user's credentials once the
user has been authenticated. This is intentional for security
reasons.
Even if CA SSO stored the user's credentials, there is no way to
know or guarantee that the database would be able to use those
credentials - users might authenticate to CA SSO with certificates,
SecurID or other one-time passwords, NTLM or some other
authentication scheme which would not be acceptable to the
database.
The Siebel Object Manager continues to communicate with the
database for all data; however, because users no longer present
credentials that the Object Manager can use to connect on their
behalf, a special administrative account is necessary. This
account's credentials need not be published, and are not used by
any person or application other than the Siebel Object Manager.
The use of a generic database user does not in any way impair the
ability to audit user activity because Siebel's internal access
control, data protection, and audit capabilities continue to
operate as with individual user database accounts. A database
account should be created and the password set to a complex,
non-guessable value.
A benefit of Siebel using a generic database account is that after
this product is installed, individual database accounts are no
longer necessary. This relieves the system of the administrative
burden of account creation, password maintenance or
synchronization, and removal upon termination of employment."
p.22
You'll find the above documentation here:
CA SSO Agent 12.51 for Siebel
https://ftpdocs.broadcom.com/cadocs/0/CA%20SSO%20Agent%20for%20Siebel%2012%2051-ENU/Bookshelf.html