After completing the installation, you can configure the Authentication Scheme to stop accepting passwords. As installed, a user accessing the Siebel Object Manager can supply a username together with either a password or a single sign-on token generated through Active Response.
In many environments, Object Manager can be accessed through the Siebel Web Engine (SWE) components or via a thick client. Disabling password acceptance by the Authentication Scheme is therefore valuable and necessary.
In other customer environments, once CA SSO is enabled, it mediates all access to the system; passwords are unacceptable and are considered a security risk. In these cases, password access can easily be disabled.
Once you disable the acceptance of passwords by the Authentication Scheme, the following occurs:
Preventing the Security Adapter from accepting passwords involves the following setting:
;AcceptPassword=No
In addition to supporting single sign-on and authentication, this product has the ability to provide Siebel with a set of roles and responsibilities for individual users. The roles and responsibilities to be presented are collected from CA SSO responses by the connector at login time and are presented to the Siebel server whenever needed.
Note: The connector can add to a user's privileges but cannot remove roles and responsibilities configured within Siebel itself. This is an important consideration for privilege management because security can be compromised if roles and responsibilities are administered in both the enterprise directory and Siebel.
To provide roles to Siebel via the connector, create responses (and appropriate values) with the name SIEBELROLE. The connector does not attempt to validate the roles provided to Siebel; it simply passes to Siebel the values provided as responses for Siebel’s use.
This product does not impart any additional restrictions on load balancing. For information on configuring a web load balancer in a Siebel environment, see the Siebel documentation.
Security Adapter is a CA SSO Agent in its own right. Security Adapter is independent of the Web Agent and should not use the same agent name as any of the Web Agents in the environment.
When you configure policies, create an agent group, which should contain all of the Web Agents that will be protecting Siebel, and add the Security Adapter agents to that Agent Group.
To understand why each Security Adapter has its own agent name, consider the following environment as a similar case:
Using a number of web servers in front of a single Siebel Object Manager with this product is virtually identical to the CA Access Gateway and Web Agent environment described above. Access permissions to the Siebel Object Manager, protected by the CA SSO Security Adapter, are predicated upon the policies, and it makes no difference which web server was used to reach Object Manager.
You may use an authentication scheme other than the Siebel SSO Authentication Scheme. For example, you might use SecurID or certificates instead of username and password-based authentication.
The following steps assume that the Web Agent and Siebel Security Adapter use different agent names and are in a common Agent Group. If both the Web Agent and Security Adapter are configured to use the same agent name, one of the agent names will need to be changed and the relevant system restarted.
To use a different authentication scheme
/SecurityAdapter/
Once the system is working properly, consider changing the Authentication Scheme’s configuration to prevent it from accepting passwords.
In the current design of the application, only one of the user attributes, such as uid, can be passed via the Siebel User attribute response header, SIEBELUSER.
The new parameter, UsernameHeaders, in the SmSiebelSSO.conf file, enables the SiteMinder agent for Siebel to support multiple Siebel User attribute response headers, as follows:
Note: For the multiple user attribute functionality to work correctly with the SiteMinder agent for Siebel, only one of the Siebel user attribute responses configured in the Policy Server should carry a value for any given user request. All other Siebel user attribute responses should be empty for the user signing in.
Note: If the UsernameHeaders parameter is not configured in the SmSiebelSSO.conf file, the Siebel agent continues to look only for the SIEBELUSER response.
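As an added example (not CA's connector code), the following Python checks a set of CA SSO responses against the two rules stated on this page: exactly one configured Siebel user attribute response may carry a value, and SIEBELROLE values are passed through unvalidated. It assumes UsernameHeaders is a comma-separated list of response names, that SmSiebelSSO.conf uses key=value lines with ';' marking comments (as in ';AcceptPassword=No'), and that responses are represented as a name-to-list-of-values map because a policy may emit several SIEBELROLE responses for one user; the sample inputs are constructed.

```python
# Added example, not part of the CA SSO Agent for Siebel. Assumptions (not from
# the page): UsernameHeaders is comma-separated; responses are a dict mapping
# response name -> list of values.

DEFAULT_USER_HEADER = "SIEBELUSER"   # used when UsernameHeaders is not configured
ROLE_HEADER = "SIEBELROLE"


def parse_username_headers(conf_text):
    """Return the UsernameHeaders list from SmSiebelSSO.conf text.

    Lines starting with ';' are treated as comments, like ';AcceptPassword=No'.
    Falls back to [SIEBELUSER] when the parameter is absent or empty.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "UsernameHeaders":
            names = [n.strip() for n in value.split(",") if n.strip()]
            return names or [DEFAULT_USER_HEADER]
    return [DEFAULT_USER_HEADER]


def resolve_siebel_identity(responses, username_headers):
    """Pick the Siebel user name and collect roles from CA SSO responses.

    Exactly one configured user header may carry a (single) value. Zero or
    more than one populated header is rejected rather than guessed at,
    so a misconfigured policy fails closed. Roles are returned as given.
    """
    populated = {}
    for header in username_headers:
        values = [v for v in responses.get(header, []) if v]
        if values:
            populated[header] = values
    if len(populated) != 1:
        raise ValueError(
            f"expected exactly one populated user header, got {sorted(populated)}")
    header, values = next(iter(populated.items()))
    if len(values) != 1:
        raise ValueError(f"{header} carries {len(values)} values")
    roles = [r for r in responses.get(ROLE_HEADER, []) if r]
    return {"user": values[0], "source": header, "roles": roles}


# Constructed sample: one populated user header plus two role responses.
SAMPLE_RESPONSES = {
    "SIEBELUSER": [""],
    "SIEBELEMAIL": ["alice@example.com"],
    "SIEBELROLE": ["Sales Representative", "Manager"],
}
```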
Copyright © 2015 CA Technologies.
All rights reserved.