Siebel/Siteminder Netegrity (Computer Associates) SSO Integration

Hello,
The end client wants to integrate a SSO solution with Siteminder without purchasing the Siteminder custom security adapter. I have not yet seen this done before as I have always utilized the Siteminder custom security adapter when implementing SSO with Siebel. Currently, I have configured their authentication into Siebel using the standard Siebel LDAP Security Adapter to connect and authenticate to an Active Directory Server. I believe it would be possible to configure Siteminder to use the LDAP Security adapter and achieve SSO however; I am not clear as to what steps would need to be done in order to get this to work properly. Outside of the basic Siebel Enterprise Setup and the SWSE eapps.cfg setups for SSO would I just add the anonymous user account, which is currently being used by the LDAP Security Adapter by the SharedCredentinalsDN and which also holds the LDAP DB username and password, into the Siteminder HTTP header? Any advice on this would be greatly appreciated.
Thanks

With Siebel 7.7 and later (and possibly 7.5) it is theoretically possible to use Siteminder SSO with Siebel without the Computer Associates custom adapter. Please note, however, that Computer Associates does not officially support this approach and Oracle/Siebel's ability to support Siteminder issues is very limited.
The basic outline of what needs to be done:
1. You will use either the LDAPSecAdpt or ADSISecAdpt depending on what directory backends your Siteminder implementation. This must be an LDAP directory or Active Directory server that is supported by the Siebel security adapter. If it is not, then you will have to use the Siteminder customer adapter.
2. Determine which attribute in the LDAP or ADSI directory contains the userID that matches up to a valid Siebel userID (i.e. in S_USERS). By default this would be sAMAccountName for ADSI and uid for LDAP. But this often is customized/changed.
3. Configure Siteminder to pass the contents of that attribute as a custom HTTP header variable. For example SIEBEL_SSO_USER.
The rest of the setup is documented in the Security Guide in the Single Sign-On Section. You will basically just need to add a few variables in the eapps.cfg and/or eapps_sia.cfg file(s) and then set the SingleSignOn and TrustToken parameters in the security adapter profile.
Hope this helps.
Stevan

Similar Messages

  • Siebel SSO Integration with Novell eDirectory

    I am wondering if anyone on this forum has worked with integrating a SSO solution using Novell eDirectory and Siebel. I have personally worked on SSO integrations with Siebel using Cleartrust and Siteminder and they are all basically the same concept however, I am facing issues trying to get the Novell SSO solution to work with Siebel.
    I am using the standard LDAP Security adapter and I can make a basic connection into Siebel using LDAP. When implementing SSO I am using a "header" value and a custom userspec name that is different then then "Remote_Use" name mentioned in the Siebel SSO documentation. With SSO turned on I am successfully able to authenticate and almost get all the way into the home page of Siebel before the IE browser crashes. The SWSE log files, interestingly enough, show that my userspecsource is equal to header and that my userspec is correct and then I see the SISNAPI connection occurring between the Siebel We Server and the Siebel AOM but then after the IE browser crashes I see the SWSE log which then tries to picks up Siebel's default userspec " Remote_User" value which is not confiugred or turned on anywhere from within the application. I was just wondering if anyone else had faced similar issues when integrating Siebel into Novell eDirectory for SSO. I have also reviewed the configuration on Novell's side and they are protecting the correct object manager and are also using the same exact userspec name as what we have defined within the eapps.cfg of Siebel. We are using Siebel 8.1.1 Any ideas or help would be greatly appreciated as I have not gotten much support from my open SR on this issue.

    I am wondering if anyone on this forum has worked with integrating a SSO solution using Novell eDirectory and Siebel. I have personally worked on SSO integrations with Siebel using Cleartrust and Siteminder and they are all basically the same concept however, I am facing issues trying to get the Novell SSO solution to work with Siebel.
    I am using the standard LDAP Security adapter and I can make a basic connection into Siebel using LDAP. When implementing SSO I am using a "header" value and a custom userspec name that is different then then "Remote_Use" name mentioned in the Siebel SSO documentation. With SSO turned on I am successfully able to authenticate and almost get all the way into the home page of Siebel before the IE browser crashes. The SWSE log files, interestingly enough, show that my userspecsource is equal to header and that my userspec is correct and then I see the SISNAPI connection occurring between the Siebel We Server and the Siebel AOM but then after the IE browser crashes I see the SWSE log which then tries to picks up Siebel's default userspec " Remote_User" value which is not confiugred or turned on anywhere from within the application. I was just wondering if anyone else had faced similar issues when integrating Siebel into Novell eDirectory for SSO. I have also reviewed the configuration on Novell's side and they are protecting the correct object manager and are also using the same exact userspec name as what we have defined within the eapps.cfg of Siebel. We are using Siebel 8.1.1 Any ideas or help would be greatly appreciated as I have not gotten much support from my open SR on this issue.

  • Computer Associates Harvest Version Ctrl

    Has anyone successfully integrated Computer Associates Harvest version control s/w with JDeveloper?
    Thanks.

    We [Oracle] haven't done an integration for this SCM system, however maybe someone else has.
    <shameless_plug>If someone wants to, there is now a good sample RCS extension online here at http://otn.oracle.com/products/jdev/tips/clevenger/jdev_vcs_rcs.zip </shameless_plug>
    Rob
    Team JDev

  • OBIEE Security - How to setup SSO-integrated EBS users & mobile access?

    I'm looking for the best approach to solution my company's OBIEE Security requirements, they are:
    1) Create a standard authentication/security process at an enterprise level
    2) Maintain EBS Roles to provide object-level and data-level security in OBIEE
    3) EBS Users must go through the EBS portal to get to OBIEE (ie. single signon integration)
    4) non-EBS users must go through the OBIEE portal
    5) Both EBS and non-EBS users need ability to use the OBIEE iPad mobile application
    So for the EBS users, I've implemented the SSO integration between OBIEE 11.1.1.5.0 and EBS R11 based on the Oracle white paper [ID 1343143.1]. I've also set up an Authorization session init block to read the user's EBS Roles and set up object/data level security.
    For the non-EBS users, I've kept the default identity store (WLS-LDAP) and authentication provider.
    My question is what's the best approach for providing mobile access to the EBS users? Obviously I can't pass an HTML cookie to the iPad for these guys. Assuming these EBS users are in an corporate-LDAP store, I was thinking to setup a dual authentication store that connects to both corporate-ldap(EBS) and the WLS-integrated LDAP(non-EBS).
    Will this work? Does anyone have a better approach they'd like to share?

    Please post the details of the application release, database version and OS.
    We have a customer, who has upgraded to EBS R12 recently. With EBS R12 there comes a responsibility that enables users to directly open embedded BI in EBS. When people do LDAP authentication to EBS, they can directly open the OBIEE inside the EBS. But, when the EBS is SSO (OAM+WNA) integrated, OBIEE SSO in EBS does not work. What is the error?
    It could be related that OAM generated cookies are not recognized by embedded OBIEE.
    Is there a way to do a setup with both OAM SSO enabled to EBS, and EBS-OBIEE SSO is enabled inside EBS ? I do not think there is a single document that covers all the above (I believe you are aware of the individual docs).
    For urgent issue, please always log a SR.
    Thanks,
    Hussein

  • Solman - CA Computer Associates

    Hello, to request information about SAP Solution Manager product, specifically in Service desk component. In FIRA , we want to integrate it component with our Service Desk tool, we need to know how this interaction is, now we use a tool  of CA Computer Associates to manage our Service Desk.
    We are interested in the details of how it could integrate both tools, prerequisites, the possible investment and clients with whom already have installed a similar installation.
    Thanks in advance

    Using Snmp with PIX?ASA
    http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/13822-pixsnmp.html

  • Assign roles to SSO integrated users

    Hello everyone,
    I'm trying to assign roles to SSO users but I can't. I achieved it with local and LDAP users, but not for SSO users (I want to use my AD users but without LDAP config)
    My platform is vCenter 5.5 U1 for SSO, vCAC appliance + IaaS server, and vCAD appliance. When you register your vCAD with vCAC you can use SSO integrated authentication of vCAC. But, how can I assign roles to SSO users?
    I can access to vCAD with AD users through SSO integrated authentication but all options are read-only.
    Best regards,
    Jose Luis Gomez

    Hello everyone,
    Auto-response.
    When you've registered your vCAD with vCAC, new roles appears in vCAC. This roles are:
    Application Architect
    Application Catalog Administrator
    Application Cloud Administrator
    Application Publisher And Deployer
    Application System Administrator
    You can apply this roles to users or groups but always from vCAC --> Administration --> Groups/Users
    Best regards,
    Jose Luis Gomez

  • Benefits of SAP Web AS ERP Connector? vs/ native SSO integration capability

    What are the benefits of using SAP Web AS ERP connector vs. SAP's own utilization of their native SSO integration capability of the SAP WebAS environment?
    Please help me understand how the ERP connector adds value if we were to instead use a web agent on a supported platform as a proxy to the SAP Web AS, with the Session Linker, and use the above noted out of the box integration capability?

    Hi,
    Don't worry : these test results are meaningless. You should test a real BSP application and see if it works.
    Regards,
    Pierre

  • Password reset page problem after sso integration

    Dear all,
    We've integrated ERP 12.0.4 with SSO. Integration is fine
    the url http://hostname:8010/ is redirecting to
    the portal login page ( as per the design)
    if any user password is reset,before SSO integration the above redirects to a new password reset page, where the user can reset his password. Now after integration, the SSO page redirects directly to the home page of the user.We need to have the password reset page also.IS there any option to do this ?
    Thanks
    Yoosuf

    Hi,
    Please verify that you have completed all the steps in these docs.
    Enabling Register Here Link in Login Page in 11i and 12+ [ID 874373.1]
    Reset Password Functionality FAQ [ID 399766.1]
    Thanks,
    Hussein

  • Siebel 7.8 siteminder 12 can be sso and integrate?

    Hi guys:
    Can siebel 7.8 and siteminder r12 be integrate ?
    I‘ve read the <Policy Server Configuration Guide r12.0 SP2>
    <CA ETRUST SITEMINDER SSO AGENT VERSION 5.6 INTEGRATION WITH SIEBEL CRM RELEASE 7.8>
    and other write book,there is no exactly explain。
    So,i dont know how to configuration software。
    Great Appreciation
    不胜感激
    Edited by: user10739954 on 2011-12-4 下午7:15

    Hi,
    You need to contact CA to confirm if they have tested Siteminder R12 integration with Siebel 7.8 and created a siebel agent for R12. They have performed this test and created the integration document for eTrust 5.6.
    Thanks
    Wilson

  • SSO - integrated ITS - SRM 5(EBP)

    Hi all,
    I am just wondering if we need Java stack in order to set up Single sign on for SRM/EBP shopping cart (bbpstart).
    We are on SRM Server 5.5 with integrated ITS. We don't have Portal. We currently have SSO implemented on all Gui interfaces for all SAP systems via Active directory.
    What is the correct documentation for my case?
    Thanks a lot and looking forward to hearing from any good instruction,
    Kev

    Hi,
        If your password field is already pre filled with some value due to which you are unable to enter the password then you need to maintain the foll parameers in RZ10:
    The foll tasks need to carried out preferably by a BASIS person after which you need to restart the SRM server for changes to be effective:-
    1.Select the instance profile in RZ10 and  goto Extended maintainence.
    2.login/create_sso2_ticket  = 2
       login/accept_sso2_ticket   = 1
    Also check if the values for the SRM server are properly maintained in the table TWPURLSVR.
    HTH.
    BR,
    Disha.
    Pls reward points for useful answers.

  • Want to install Siebel CRM in my PC for integrating with UCM.

    I am very familiar with Oracle UCM and trying to integrate with Siebel CRM. I have UCM 11g installed in my PC with Oracle 11g DB and also I know the configuration process or steps from siebel end as well as UCM end. Now I want to install Siebel CRM for this integration.
    I searched in orcale and found that I need the below softawres and also I downloaded it from e-delivery:
    Oracle Base Application (V26510-01_1of2 and V26510-01_2of2)
    Oracle Siebel Image creator(V26511-01)
    Oracle DB11g: OracleXEUniv
    RCU
    What should I do now?
    1. Is the above softwares enough for installation of Siebel ? If yes then can anyone please tell me the installation guide docs.
    2. Should I require more softawre ?
    3. I have also V26699-01_1of6 to V26699-01_6of6 setup files for siebel but I do not know whether I should install from these because I do not have any idea regarding this setup files.
    Regards,
    Santanu

    I think you also need V14496-01 Part 1 of 2 and V14496-01 Part 2 of 2 (English Language Extension Packs).
    Installation is explained in the Bookshelf: V29095-01

  • OAM SSO integration question:How can I get a user identity from ObSSOCookie

    We are building an OAM SSO solution. The App server is both on OAS and WLS. My question is that, after I get the ObSSOCookie from httprequest.
    I need to verify whether the ObSSOCookie is a valid one, and I also need to get user identity from the cookie and pass it to login module to populate user principal
    Of course, one way of doing that is to install access manager SDK and go from there. But we support multiple OS, it's a pain to add Access manager SDK to different installer for different OS.
    I am trying to use IdentityXML Functions which is a SOAP based webservice so that I don't need to worry about the OS platform. But I can't find a webService which returns user identity based on a valid ObSSOCookie. It seems that I can invoke webService with valide ObSSOCookie, but there is no way to get the user identity back. Am I missing something?
    Hope someone can help me out.
    Thanks.
    -Wei

    Ok. Sounds like you are a vendor trying to play well in an SSO environment.
    Here is what I tell OAM customers when they are evaluating software to see if it will cooperate with a system like OAM.
    Can the software's native authentication scheme be explicitly turned off (usually a configuration in a file)?
    Can the software be configured to accept a token of identity in the form of a Cookie or HeaderVar (also configurable in a file)?
    If the answer to both is yes, then the system is capable of 'third party trust' for authentication.
    From your perspective, your logic for login should be something like:
    Is my native authN turned off?
    If yes, can I find the cookie or header that I should be looking for?
    If yes, take the value and proceed to create user session for this identity per usual (except that you never evaluated the authN - you trust that it was done).
    If no, present the native AuthN scheme anyway.
    If you follow this pattern, you are in the good company of folks like PeopleSoft and Plumtree who had these types of integrations working long ago.
    Yes, there are other ways to do this but, in my humble opinion, this remains the most stable and effective pattern we see.
    What you ask for as the identity token value is up to you. It is often the login ID value that you would have used in your own authN procedure. There's nothing particularly sensitive about having a webgate set headers - they are only available to the server and not to the client. Cookie of course could be seen but can't be spoofed as the webgate has the final word on it's content.
    Mark

  • Active Directory, SSO, Integrated Windows Authentication

    Hi,
    I have to setup a NW BPM environment using Windows/Active Directory SSO.
    In the desired scenario, I would use UME to create BPM specific roles and/or groups and then I would associate:
    - specific AD users to UME groups or roles, and/or
    - associate AD groups to UME groups or roles.
    Is it possible? I would really appreciate any directions/hints on how to do that.
    Thanks in advance,
    Ricardo Giacomin

    It is possible you have the xml configuration file in the administration of ume and  you need to edit that one in order to link it to your AD. if you're using LDAPs to connect you will also have to load the certificates in NWA before the first connection.

  • ECM 11.1.1.5.0 - need steps for SSO integration and configuration

    Hi,
    I want to upgrade recent UCM 10g to ECM (or Webcenter Content) 11g. I passed via upgrade process and it looks it is working fine. Need some validation, but basically upgrade went fine.
    But I lost SSO (Windows Login) functionality, asi this ECM 11g is weblogic based and uses a bit different authentication than old version.
    My current test instance setup is:
    Oracle database 11gR2
    Weblogic 10.3.6.0
    Oracle Enterprise Content Management Suite (ECM) 11.1.1.5.0
    All running on the same linux machine
    Currently I am only able to:
    - define static users / groups in the weblogic's default authenticator
    - define ldap authenticator in weblogic which can authenticate users defined in ldap
    And I need to make it SSO capable (meant once user is authenticated in our windows domain, then when using Internet Explorer there is no need to enter user/password anymore)
    I read some documentation and there they claim Oracle Identity Management / Access Manager is the right solution. But I do not know how to properly install and configuration of this.
    Is there anybody here in this world who would provide some simple steps what needs to be done for enabling SSO for ECM 11.1.1.5.0 ?
    When I read oracle documentation I am finding it to be written too much in general with too many referencing to too many other documents... I am searching for some kind of simplified installation guide for getting this SSO thing working.
    Anybody here who could support me?

    Hi
    Steps for integration SSO (be it OAM or Oracle SSO or AD / LDAP etc ) the steps remain same except for one .
    1. On WLS create the identity store provider .
    This can be OID Authenticator , AD Authenticator , LDAP Authenticator depending on what you are using to store the users and their roles /groups etc .
    2. Create SSO Identity Asserter .
    This should be either AD Asserter (in case of using AD) , OAM Identity Asserter (if using OAM) , SSO Asserter (if using OID based SSO solution) .
    3. Order the providers created in the following order and the respective flag settings :
    Identity Asserter - REQUIRED
    Identity Store Provider - SUFFICIENT
    Default Authenticator - SUFFICIENT
    After this is created stop UCM and WLS .
    Start WLS admin , once it is up and running start UCM server .
    Go to WLS - Security Realm - myrealm - Users and groups and verify the right set of users are seen with their correct groups .
    Now launch UCM server and depending on which SSO solution is used the login page will vary where in the SSO user id / pwd can be entered .
    Hope this helps .
    Thanks
    Srinath

  • OBIEE 11.1.1.5 SSO integration with OAM 11gR1 (11.1.1.5)

    Hi,
    I am integrating OBIEE 11.1.1.5 with OAM 11gR1 (11.1.1.5).
    I have configured as per section 12.3 of following link:
    http://docs.oracle.com/cd/E22203_01/doc.31/e20664/chapter_12.htm#CHDFAFHH
    After making all these configurtions, when i access:
    http://<OHS server>:<OHS port>/analytics
    User is getting prompted for auth from OAM. After successful auth, request gets redirected to WebLogic server hosting the OBIEE app. I have verified in OBI logs that the header value OAM_REMOTE_USER gets passed to OBI.
    But even with all this, after successful OAM authentication, user is getting prompted with OBI login page.
    Pls help.
    Thanks

    Hi Abhinay,
    I have already make the following configurations as per the documentation:
    To enable SSO:
    1.Log in to OBIEE at
    http://[OBIEE server:port]/em.
    2.Click Farm_<OBIEEDomain>_domain > Business Intelligence > Coreapplication.
    3.Click the Security tab.
    4.Select Enable SSO.
    5.Select SSO Provider: Oracle Access Manager.
    6.Click Apply and Activate Changes.
    Do we need to make some other configurations also at OBIEE EM ?
    Thanks

Maybe you are looking for

  • Finding the full path of a process binary using /proc

    Hello, I have an application where I need to monitor whether a certain other process is running. I'm using the /proc filesystem and an ioctl call - namely, PIOCPSINFO - to fetch process information into a prpsinfo_t, then use either the pr_fname fiel

  • Service Interfaces in PI 7.0?

    Hi Experts, PI 7.0 has been installed I just checked the SPROXY transaction in ECC, It shows the service interfaces not message interfaces... I was getting confused..cos i think service interfaces are only in PI 7.1 and its very different from 7.0 ca

  • G5 iMac bugs in Leopard?

    Hi, I've been having some trouble with my G5 iMac as of late. The soundcard will go through a spell whereby every time I turn it on, I get the chime, but the soundcard doesn't work by the time it has booted into Leopard. The soundcard is detected in

  • Date BETWEEN query with a difference?

    Hi, I have a BETWEEN query (at least I think that's what it will need), but with a difference. Normally you would specific a field which was BETWEEN two set variables ie. {fieldname} BETWEEN 1 AND 3 However I need mine the other way round. I have a s

  • Security Issues - E-Commerce 7.0 B2B

    Hi Experts, we assigned a secuirty web application test for SAP e-commerce. The result are two risks concerning the session management of the application: 1) The application is vulnerable to a Session Fixation Attack. This could cause users to unwitt