
Oracle

SIEBEL SSO INTEGRATION


OAM WEBGATE

Enabling Oracle Access Manager (SSO)/ Sample Steps

Overview:
This document is a step-by-step guide to deploying OAM with Siebel. It highlights
environment-specific values in red.

About the Integration with Siebel 8


The integration of Oracle Access Manager with Siebel 8 provides a secure Web-based infrastructure for identity
management for all customer applications and processes. Oracle Access Manager integrates identity and access
management across Siebel 8, enterprise resources, and other domains deployed on Industry networks. Oracle
Access Manager provides the foundation for managing the identities of customers, partners, and employees across
Internet applications. These user identities are combined with security policies for protected Web interaction.
This integration adds the following features to Siebel 8 implementations:

- Oracle Access Manager authentication, authorization, and auditing services for Siebel 8 applications.
- Oracle Access Manager single sign-on (SSO) for Siebel 8 applications and other Oracle Access Manager-protected resources within a single domain or across multiple domains.
- Oracle Access Manager authentication schemes. The following schemes provide single sign-on for Siebel 8 applications:
  - Basic: Users must enter a user name and password in a window supplied by the Web server. This method can be redirected to SSL.
  - Form: This method is similar to the basic challenge method, but users enter information in the custom HTML form. You can choose the information users must provide in the form that you create.
  - X509 Certificates: X.509 digital certificates over SSL. A user's browser must supply a certificate.
  - Windows Integrated Authentication (WIA): Users will not notice a difference between an Oracle Access Manager Authentication and WIA when they log on to the desktop, open an Internet Explorer (IE) browser, request an Oracle Access Manager-protected Web resource, and complete single sign-on.
  - Custom: Additional forms of authentication can be incorporated through use of the Oracle Access Manager Authentication Plug-in API.
- Session timeout: Oracle Access Manager enables you to set the length of time that a user session is valid.
- Ability to use the Identity System for identity management: The Identity System provides identity management features such as portal inserts, delegated administration, workflows, and self-registration to applications such as Siebel 8.
  The self-registration feature for new users and customers provides flexibility in terms of how much access to provide to people upon self-registration. Identity System workflows enable a self-registration request to be routed to appropriate personnel before access is granted.
  Oracle Access Manager also provides self-service, allowing users to update their own identity profiles.

Oracle Corporation

9/18/2014


Supported Version and Platforms


Any references to specific versions and platforms in this chapter are made for demonstration purposes.
For the latest support information, see the Oracle Technology Network (OTN). You must register with OTN to view
this information.
To locate the latest certification details:
1. Go to Oracle Technology Network:
   http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html
2. Locate Oracle Identity and Access Management.
3. Click the link for the latest version. For example:
   System Requirements and Supported Platforms for Oracle Identity and Access Management 10gR3 (html)
4. Click the link for Oracle Access Manager Certification.

Setting Up Single Sign-on for Siebel Application Server


Setting up single sign-on for Siebel 8 requires the installation and configuration of several Siebel and SSO components.

1. Install and configure Siebel 8, as described in the section Create/Enable an Access Gate Configuration in the Access Server.
2. Install Oracle Access Manager and a WebGate, and configure access control policies to protect Siebel resources, as described in the section Installing the web gate plug-in on the Siebel web server.
3. Test the integration, as described in the section Testing the resource rule with your browser.

To set up Oracle Access Manager for the integration


1. Install Oracle Access Manager and ensure that you have installed a WebGate on the Web server instance supporting the Siebel Web server extension, as described in the Oracle Access Manager Installation Guide.

2. Synchronize the time on all servers where Siebel and Oracle Access Manager components are installed. Each Siebel application has its own document directory. You can either protect each application individually or protect the higher-level directory under which the applications reside.

3. In the Policy Manager, create a policy domain to protect Siebel resources on Web servers where Siebel and the WebGate are installed, as described in the Oracle Access Manager Access Administration Guide. Oracle Access Manager sets header variables that are passed on to the Siebel Industry Application to allow access only to specified users.

4. In the Authorization Rule, choose the Actions page of the policy domain protecting the Siebel resource, and configure the action to map an Oracle Access Manager header variable uid to the Siebel uid.

5. Remove the default no-cache HTTP pragmas that Oracle Access Manager sets. In Oracle Access Manager, clear the values for the following Access Gate configuration parameters for your Access Gate:
   CachePragmaHeader=no-cache
   CacheControlHeader=no-cache



6. Note: The header variable set in the Oracle Access Manager policy should be equal to the value of the UserSpec parameter in the eapps.cfg file. In the following example, the uid is mapped to the SSO_SIEBEL_USER HTTP header variable as follows:
   Type: HeaderVar
   Name: SSO_SIEBEL_USER
   Attribute: uid

7. In the Authorization Rules, choose the Allow Access page of the policy domain, and select the Oracle Access Manager/Siebel users to whom you want to grant access to the resources that are protected by the policy domain.

I. Create/Enable an Access Gate Configuration in the Access Server.


1) Access the Oracle Access Manager Admin Site, for example http://10.217.30.136/access/oblix/
or http://sdcr710i001n.us.oracle.com/access/oblix/

2) Click the Access System Console link and log in using, for example, oamadmin/oamadmin:


If a shared environment is used, it is possible that someone has already set up an Access Gate for
your VCAP machine name. First click AccessGate Configuration and search for an
AccessGate with your machine name.
Note: Clicking Go on the right of the screen (scroll right) without specifying any search criteria
will return all AccessGate configurations for this Access Server.

If the search returns an AccessGate with your machine name, click the name of the AccessGate
and verify the settings with the following steps in this section of the document.

After clicking an existing AccessGate configuration, the Modify and List Access Servers
buttons at the bottom of the existing AccessGate configuration page allow you to modify the
settings mentioned below if necessary.

If one does NOT exist with your machine name, click the Add New Access Gate link to create
one.


Enter the following required fields:

AccessGate Name: <Siebel web server (SWSE) machine name> Example: SDCDL383I091
Hostname: <Siebel web server (SWSE) FQDN> Example: Sdcr710i006c.us.oracle.com
Port: <Siebel web server (SWSE) port number> Example: 80



Access Gate Password and Re-type Access Gate Password: Example: Siebel

In the Web Server Client section:


Primary HTTP Cookie Domain: <Siebel web server (SWSE) FQDN> e.g. Sdcr710i006c.us.oracle.com
Preferred HTTP Host: <Siebel web server (SWSE) FQDN> e.g. Sdcr710i006c.us.oracle.com

Remove the default no-cache HTTP pragmas that Oracle Access Manager sets. In Oracle Access
Manager, clear the values for the following Access Gate configuration parameters for your Access Gate:

CachePragmaHeader: no-cache
CacheControlHeader: no-cache

Click the Save button at the bottom of the page to save your new Access Gate Configuration.
Note: You will receive an error message stating that this configuration is not associated with an Access
Server.

This will be our next step.


Click the List Access Servers button at the bottom of the page to associate this Access Gate
Configuration with the TS Lab Access server.

Click Add. Select the sdcr710i001n.us.oracle.com or 10.217.30.136 Access server. Set it as the
Primary server.


Click Add to receive this screen showing the Access server has been added to the AccessGate
Configuration.

Click Back and then click the AccessGate Configuration button.


Click Go to show all the configured AccessGates.


Confirm that your AccessGate configuration does exist.

II. Create a Host Identifier for the Siebel web server.




This will be used later in the Policy Domain configuration.
Click Host Identifiers on the left to show the existing hosts that have been configured.

If your Siebel web server host name does NOT exist, click Add.
NOTE: If your host name exists, move on to the WebGate Installation below.

Enter the Siebel web server FQDN in the Name and Hostname Variations fields, e.g. Sdcr710i006c.us.oracle.com.
Click the + next to Hostname Variations.
Add an entry for just the hostname of the Siebel web server machine.
Click Save.


III. Installing the web gate plug-in on the Siebel web server.
(Oracle_Access_Manager10_1_4_0_1_Win32_ISAPI_WebGate.exe)

Click Next


Select the web server platform to be used: IIS.


Accept default directory:



Click Next:



Select Open as the transport security mode:

Click Next.


The entries above tell this WebGate plug-in to use the Access System Console AccessGate
Configuration that was completed earlier in section I.
WebGateID: <name of the AccessGate set up earlier> e.g. sdcdl383i098
Password for WebGate: <password used in the AccessGate Configuration> e.g. siebel
Access Server ID: <name of the Access Server> e.g. sdctslab_AccessSrvr1 (lab access server)
Hostname for the Access Server: <FQDN host of the Access Server> e.g. sdcr710i001n.us.oracle.com
Access Server Port: <port of the Access Server> e.g. 6021, which is the default Access Server port.
Click Next:


Continue clicking the Next button in the setup wizard until the install is complete.
As stated in the above screen shot, restart the IIS Admin service after finishing the installation
of the WebGate.

IV. Confirm the installation of the web gate plug-in on the Siebel web server.

After the web server (IIS) restart, confirm that the WebGate installation was successful using the
following template URL for the Siebel web server:
http(s)://host:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1
In this case, it would be:



http://Sdcr710i006c.us.oracle.com/access/oblix/apps/webgate/bin/webgate.dll?progid=1

This screen shows a successful installation of the WebGate.

IV. Add the AccessGate/WebGate to the Siebel Policy Domain.


Access the Policy Manager by clicking the Policy Manager link in the top right hand corner of
the Access System console.

Click the My Policy Domains link to access the Siebel Policy domain that has been setup for
the TS Labs.

Click the Siebel link to access the configuration of this policy domain.


Click the Resource tab to view the current resources that this policy domain is protecting. This
tab shows which web servers and URLs are protected by this Siebel policy domain. In this
example, this policy is protecting any URL (URL prefix = /) for the sdcdl383i091.corp.siebel.com
web server host machine. It is possible to protect a particular virtual directory instead of the
whole web server by specifying a URL prefix like /callcenter_enu.

Note: Once resource rules are created, they cannot be modified.
In order to change an existing resource rule, you have to delete it and create a new one.
To delete an existing rule, click the check box next to the rule and then click the Delete button:


To add resource rule(s):


Click the Add button

Select the Host identifier for your web server machine that was created earlier in these steps.
Enter the appropriate URL prefix (if necessary). In the example below, I am protecting the
finsebanking_enu virtual directory on this web server. If this value is left blank, all URLs on the
web server are protected. Remember you can create multiple resource rules for the same web
server. This makes it possible to protect specific virtual directories on the web server.
Click the Save button to save the rule.



Click the Save button and the OK button to save the rule.

This confirms the rule was created.

IV. Testing the resource rule with the Access Tester.


On the Siebel web server machine, please restart the IIS admin service.


Navigate back to the OAM portal Policy Domain section.

Click the Access Tester link in the Policy Domain Manager.
Enter the following:
URL: A URL that matches the resource rule that was created.
Resource Operation: Check both GET and POST.
Date/Time Access: any
Select All Users
Show Both
Check Show Matching Policy
Check Show Matching Rule


Click Submit and then OK

The following shows a successful test.


IV. Testing the resource rule with your browser.


Enter the rule URL. You should receive an NT dialog box like the one shown here that prompts
you for credentials. These credentials would be LDAP users in the sdcr710i001n.us.oracle.com
or 10.217.30.136 LDAP directory.


If you do not receive this dialog box, please check the previous steps in this document and also
ensure that you have restarted the IIS admin service.

Configuring the LDAPSecAdpt and OM for Oracle Access Manager SSO authentication.

I. Configure the SWSE for SSO
Open the eapps*.cfg for the application that you are configuring for Single Sign On.


Configure the following single sign-on related parameters:

SingleSignOn = True (Turns on single sign-on for the SWSE)
TrustToken = HELLO (Matches the value in the OM configuration created later in this document)
UserSpec = SIEBEL_SSO_USER (This is the name of the HTTP header that the TS lab Access Server sends for the user ID)
UserSpecSource = Header (Tells SWSE to look for the UserSpec variable in an HTTP header)
ProtectedVirtualDirectory = /sales_enu (Set this to the section name)

Stop and restart IIS:


II. Configure the LDAP enterprise profile for SSO


Important Note: In Siebel versions 7.5.3.4 and higher, 7.7, and 8.0, the IBM 5.1 LDAP client
installation is required on the Siebel server running the Object Manager in order to use the
Siebel Standard LDAP security adapter. Please check this requirement for the Siebel version that
you are testing.
Log in to an employee-facing application using sadmin. Click the Site Map button.

Click the Administration - Server Configuration link.


Click Profile Configuration for the enterprise

Select the standard LDAPSecAdpt Profile.


Configuring the LDAPSecAdpt and OM for Oracle Access Manager SSO authentication.
Enter the following values for the Oracle Access Manager LDAP directory.
Server Name: 10.217.30.136 or sdcr710i001n.us.oracle.com
BaseDn: ou=people,dc=corp,dc=siebel,dc=com
ApplicationUser: uid=appuser,ou=people,dc=corp,dc=siebel,dc=com
ApplicationPassword: appuser
SharedCredentialsDn: uid=sharedcredentials,ou=people,dc=corp,dc=siebel,dc=com
CredentialsAttributeType: mail (username=sadmin password=sadmin)
UserNameAttributeType: uid
Propagate Change: False (turns off LDAP update from the Siebel application)
Single Sign On: True
Trust Token: HELLO (This value must match TrustToken in the SWSE application section)
User Name Attribute Type: uid (attribute in the LDAP directory that contains the Siebel username)
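
The matching rules stated in this guide (the OAM HeaderVar name must equal UserSpec in eapps.cfg, and the Trust Token in the LDAPSecAdpt profile must match TrustToken in the SWSE application section) can be checked before restarting services. The Python below is an added example, not part of the original Oracle document; the function name check_sso_section, the inheritance of values from a [defaults] section, and the flagging of the sample token HELLO are assumptions of the example. Its constructed input uses the header names exactly as they are printed in this guide.

```python
import configparser

# Constructed sample: the SSO lines of one eapps.cfg application section, with
# the values printed in this guide (a real file carries many more parameters).
SAMPLE_EAPPS = """\
[defaults]
SingleSignOn = False

[/sales_enu]
SingleSignOn = True
TrustToken = HELLO
UserSpec = SIEBEL_SSO_USER
UserSpecSource = Header
ProtectedVirtualDirectory = /sales_enu
"""

# Sample token from this guide; flagging it is a check added by this example.
SAMPLE_TOKENS = {"HELLO"}


def check_sso_section(cfg_text, section, oam_header, adapter_trust_token):
    """Return (parameter, problem) pairs for one eapps.cfg application section.

    oam_header: Name of the HeaderVar action in the OAM authorization rule.
    adapter_trust_token: Trust Token value in the LDAPSecAdpt profile.
    Assumption: [defaults] values apply unless the section overrides them.
    """
    cp = configparser.ConfigParser(
        default_section="defaults", interpolation=None, strict=False)
    cp.read_string(cfg_text)
    if not cp.has_section(section):
        return [("section", f"{section} not found")]

    def value(key):
        return cp[section].get(key, "").strip()

    findings = []
    if value("SingleSignOn").lower() != "true":
        findings.append(("SingleSignOn", "SSO is not enabled"))
    if value("UserSpecSource").lower() != "header":
        findings.append(("UserSpecSource", "user ID is not read from a header"))
    # HTTP header names are case-insensitive, so compare them that way.
    if value("UserSpec").lower() != oam_header.strip().lower():
        findings.append(
            ("UserSpec", f"{value('UserSpec')!r} != OAM header {oam_header!r}"))
    token = value("TrustToken")
    if not token or token != adapter_trust_token:
        findings.append(("TrustToken", "differs from the LDAPSecAdpt profile"))
    elif token in SAMPLE_TOKENS:
        findings.append(("TrustToken", "still the sample value from the guide"))
    if value("ProtectedVirtualDirectory") != section:
        findings.append(("ProtectedVirtualDirectory", "does not name the section"))
    return findings


if __name__ == "__main__":
    # Header name as printed in step 6 of the OAM setup; token as in the profile.
    for param, problem in check_sso_section(
            SAMPLE_EAPPS, "/sales_enu", "SSO_SIEBEL_USER", "HELLO"):
        print(f"{param}: {problem}")
```
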


III. Configure the Object Manager to use the LDAPSecAdpt profile.


Click the Site Map > Servers in Administration Server Configuration.
Select Components



Select the Object Manager that you are configuring to use SSO

Click the Parameters tab in the lower applet. Query for Sec* and set Value on Restart to
values below.

While we are here, let's turn on security adapter logging in case errors occur or we want to
confirm that the security adapter is in fact being used. Click the Events tab. Query for Sec*
again (if necessary) and set the values below.

Restart the Siebel server service.


IV. Test the Object manager SSO configuration.


A. Valid user test (sadmin seed data user)
Enter the application URL and type sadmin/sadmin when prompted.
Note: If you do not get prompted for this URL, the WebGate/AccessGate is not
installed/configured correctly. Please review Part 1 - WebGate/AccessGate
installation/configuration.

If you see this, you are almost there.



This shows the home page welcome message for the sadmin SSO user.

Known Third Party issues


The following known issues relate to third parties:

Siteminder: ERP Agent for Siebel (also known as Web Agent) and the Siteminder Policy Server
are used to get the User Identity in the form of a HTTP Header variable called SIEBELUSER and
the SSO Authentication Ticket. Keep the Siteminder ERP Agents running on Siebel Web Server
'as-is'.

Siteminder: For customers who have implemented Siteminder SSO with Siebel, it is important
to note that the custom security adapter cannot be used for Siebel - BIP Reports integration.

Siteminder: An extra '//' in a URL being passed to Siebel gets blocked by Siteminder as not
meeting http://tools.ietf.org/html/rfc2397. Oracle has fixed this issue as of 8.1.1.9/8.2.2.2. As a
workaround, one can configure a special parameter called BadQueryChar in Siteminder and
specify a single or multiple characters that are considered bad in an HTTP request.

My Oracle Support resources:


OAM and Siebel Integration:

Siebel SSO Integration with Third Parties (Doc ID ???????)
