

Additional Options

Disabling Password Acceptance

After completing the installation, you may choose to disable the acceptance of passwords by the Authentication Scheme. As installed, the configuration allows a user accessing the Siebel Object Manager to provide a username and either a password or a single sign-on token generated through Active Response.

In many environments, Object Manager can be accessed through the Siebel Web Engine (SWE) components or via a thick client. Therefore, disabling password acceptance by the Authentication Scheme is valuable and necessary.

In other customer environments, once CA SSO is enabled, it mediates all access to the system; passwords are unacceptable and are considered a security risk. In these cases, access by a password can easily be disabled.

Once you disable the acceptance of passwords by the Authentication Scheme, the following occurs:

To prevent the Security Adapter from accepting passwords:

  1. Make sure your environment is working properly.
  2. Consider the implications and possibly create additional realms, rules and policies within CA SSO exclusively for use by Security Adapter. If you have any questions, contact CA for assistance.
  3. Add the following text to the existing parameter for the SiebelSSOAuth Authentication Scheme:
    ;AcceptPassword=No
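
An added example (not CA code) that treats the Authentication Scheme parameter as a ';'-separated list of Key=Value settings, which is what the `;AcceptPassword=No` fragment in step 3 implies; that layout, the sample key `SomeSetting` and the parameter value are assumptions for illustration.

```python
# Added example (not CA code): the Authentication Scheme parameter is treated as a
# ';'-separated list of Key=Value settings, which the ';AcceptPassword=No' fragment
# in step 3 implies; that layout and the sample keys are assumptions.
from typing import Dict

def parse_scheme_parameter(param: str) -> Dict[str, str]:
    """Split 'A=1;B=2' into a dict with case-insensitive keys; fragments
    without '=' are ignored rather than treated as an error."""
    settings: Dict[str, str] = {}
    for fragment in param.split(";"):
        if "=" in fragment:
            key, value = fragment.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def passwords_accepted(param: str) -> bool:
    """The default installation accepts passwords, so anything other than an
    explicit AcceptPassword=No counts as accepting them."""
    return parse_scheme_parameter(param).get("acceptpassword", "").lower() != "no"

def with_password_acceptance_disabled(param: str) -> str:
    """Apply step 3: append ';AcceptPassword=No', dropping any existing
    AcceptPassword fragment so two conflicting copies cannot coexist."""
    kept = [f for f in param.split(";")
            if f.strip() and f.split("=", 1)[0].strip().lower() != "acceptpassword"]
    return ";".join(kept) + ";AcceptPassword=No"

# Constructed sample parameter string; 'SomeSetting=x' is a placeholder key.
SAMPLE_PARAM = "SomeSetting=x;AcceptPassword=Yes"

if __name__ == "__main__":
    hardened = with_password_acceptance_disabled(SAMPLE_PARAM)
    state = "passwords rejected" if not passwords_accepted(hardened) else "passwords still accepted"
    print(hardened, "->", state)
```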
    

Providing Siebel Roles from CA SSO Policies

In addition to supporting single sign-on and authentication, this product has the ability to provide Siebel with a set of roles and responsibilities for individual users. The roles and responsibilities to be presented are collected from CA SSO responses by the connector at login time and are presented to the Siebel server whenever needed.

Note: The connector can add to a user's privileges but cannot remove roles and responsibilities configured within Siebel itself. This is an important consideration for privilege management because security can be compromised if roles and responsibilities are administered in both the enterprise directory and Siebel.

To provide roles to Siebel via the connector, create responses (and appropriate values) with the name SIEBELROLE. The connector does not attempt to validate the roles provided to Siebel; it simply passes to Siebel the values provided as responses for Siebel’s use.
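
An added example (not CA or Siebel code) that models the SIEBELROLE pass-through described above and the "can add but cannot remove" rule from the note: it collects the roles exactly as returned, without validation, and reports which of a user's effective responsibilities would survive if every SIEBELROLE response were revoked in CA SSO. All user names, role names and response tuples are constructed samples.

```python
# Added example (not CA or Siebel code): SIEBELROLE pass-through plus the
# "add but cannot remove" rule. All names and response tuples are constructed.
from typing import Dict, Iterable, List, Set, Tuple

Response = Tuple[str, str]  # (response name, response value) as collected at login

def roles_from_responses(responses: Iterable[Response]) -> List[str]:
    """Collect the value of every response named SIEBELROLE, in order, skipping
    blanks and duplicates. Nothing is validated: the connector hands whatever
    the policy returned straight to Siebel."""
    seen: Set[str] = set()
    roles: List[str] = []
    for name, value in responses:
        value = value.strip()
        if name == "SIEBELROLE" and value and value not in seen:
            seen.add(value)
            roles.append(value)
    return roles

def effective_roles(sso_roles: Iterable[str], siebel_roles: Iterable[str]) -> Set[str]:
    """What Siebel enforces: responses can only add to what Siebel already grants."""
    return set(sso_roles) | set(siebel_roles)

def dual_admin_report(responses_by_user: Dict[str, List[Response]],
                      siebel_roles_by_user: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per user: the roles in force, and the subset that revoking every SIEBELROLE
    response in CA SSO would NOT take away (grants made inside Siebel). A non-empty
    'kept_if_sso_revoked' set means the user is administered in both places."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    for user in sorted(set(responses_by_user) | set(siebel_roles_by_user)):
        sso = roles_from_responses(responses_by_user.get(user, []))
        local = siebel_roles_by_user.get(user, set())
        report[user] = {
            "effective": effective_roles(sso, local),
            "from_sso_only": set(sso) - local,
            "kept_if_sso_revoked": set(local),
        }
    return report

# Constructed sample data; the response names are the ones this page uses.
SAMPLE_RESPONSES: Dict[str, List[Response]] = {
    "jdoe": [("SIEBELUSER", "jdoe"), ("SIEBELROLE", "Sales Representative"),
             ("SIEBELROLE", "Sales Representative"), ("SIEBELROLE", "  ")],
    "asmith": [("SIEBELUSER", "asmith"), ("SIEBELROLE", "Call Center Agent")],
}
SAMPLE_SIEBEL_ROLES: Dict[str, Set[str]] = {
    "jdoe": {"Siebel Administrator"},  # granted inside Siebel; CA SSO cannot remove it
    "asmith": set(),
}
```

Running `dual_admin_report(SAMPLE_RESPONSES, SAMPLE_SIEBEL_ROLES)` flags `jdoe`, whose Siebel Administrator responsibility would remain whatever the directory says.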

Using Load Balanced Web Servers with Siebel

This product does not impart any additional restrictions on load balancing. For information on configuring a web load balancer in a Siebel environment, see the Siebel documentation.

Security Adapter is a CA SSO Agent in its own right. Security Adapter is independent of the Web Agent and should not use the same agent name as any of the Web Agents in the environment.

When you configure policies, create an agent group, which should contain all of the Web Agents that will be protecting Siebel, and add the Security Adapter agents to that Agent Group.

To understand why each Security Adapter has its own agent name, consider the following environment as a similar case:

  1. CA Access Gateway (formerly Secure Proxy Server) can be used as a front-end proxy to a number of web servers. Each web server can have a Web Agent installed. Each Web Agent is configured to use its own name; the fact that the user passed through CA Access Gateway makes no difference in the Web Agent configuration.
  2. When this environment includes more than one CA Access Gateway in a load balanced configuration, the Web Agent configuration remains unchanged; it makes no difference to the Web Agents which CA Access Gateway instance sent the request to the web server, or even that CA Access Gateway was involved.

Using a number of web servers in front of a single Siebel Object Manager with this product is virtually identical to the CA Access Gateway and Web Agent environment described above. Access permissions to the Siebel Object Manager, protected by the CA SSO Security Adapter, are predicated upon the policies, and it makes no difference which web server was used to reach Object Manager.

Use a Different Authentication Scheme

You may use an authentication scheme other than Siebel SSO Authentication Scheme. For example, you might use SecurID or Certificates instead of the username and password-based authentication.

The following steps assume that the Web Agent and Siebel Security Adapter use different agent names and are in a common Agent Group. If both the Web Agent and Security Adapter are configured to use the same agent name, one of the agent names will need to be changed and the relevant system restarted.

To use a different authentication scheme

  1. Open the SiteMinder Policy Management GUI and create another realm.
    1. For the agent, select the agent name used by Security Adapter.
    2. For the Authentication Scheme, select the Siebel SSO Auth scheme you already created.
    3. For the resource, enter /SecurityAdapter/
  2. Create a rule for GET and POST to the resource *.
  3. Create a Policy binding the GET/POST rule to the existing response for all users that should gain access to Siebel.
  4. In the SmSiebelSSO.conf file, change the resource to:
    /SecurityAdapter/
    
  5. Run ProviderTest (or ProviderTest75) to verify the new configuration.
  6. Restart Siebel Object Manager.
  7. Change the realm for the Web Agent to use the desired Authentication Scheme.
  8. Remove the Security Adapter’s realm from the Agent Group.
  9. Retest the environment, paying particular attention to the log files.

Once the system is working properly, consider changing the Authentication Scheme’s configuration to prevent it from accepting passwords.

More information:

Disabling Password Acceptance

Supporting Multiple Siebel User Attribute Responses for Siebel 7.8, 8.0.x, or 8.1.x

In the current design of the application, only one of the user attributes, such as uid, can be passed via the Siebel User attribute response header, SIEBELUSER.

The new parameter, UsernameHeaders, in the SmSiebelSSO.conf file, enables the SiteMinder agent for Siebel to support multiple Siebel User attribute response headers, as follows:

Note: If parameter UsernameHeaders is not configured in the SmSiebelSSO.conf file, the Siebel agent will continue to look only for the SIEBELUSER response.