Siebel CRM On Demand Single Sign-On. An Oracle White Paper December 2006




Introduction... 3
Single Sign-On with Siebel CRM On Demand... 4
Customer Requirements... 4
SSO Processing... 4
Web SSO Source-Site-First Scenario Using the Browser/Artifact Profile... 5
Siebel CRM On Demand SSO Configuration... 6
Client Support... 7
Conclusion... 8
For More Information... 8
SAML Resources... 9
Glossary... 10

Siebel CRM On Demand Single Sign-On Page 2

Single sign-on enables companies to integrate the hosted Siebel CRM On Demand service with their other systems that have the ability to manage user credentials and authentication.

INTRODUCTION

Siebel CRM On Demand is a hosted CRM offering. Companies using hosted applications often require a secure, standards-based mechanism for integrating the hosted application with their other systems (hosted or on-premise). The solution must have the ability to manage user credentials and authentication between the hosted system and customer systems. Siebel CRM On Demand's Single Sign-On (SSO) feature allows for such integration.

Goals of SSO

Usability: When users move between applications, they don't need to sign on at each site where they have an account.
Security: One identity management system for all applications means one security policy and one set of user credentials.
Management: IT departments prefer to manage only one user identity (credentials) per user.

SINGLE SIGN-ON WITH SIEBEL CRM ON DEMAND

This document explains how customers with existing on-premise identity management systems may implement Single Sign-On with Siebel CRM On Demand. This allows users to be authenticated against their company's internal security provider, and thereby they: a) are not required to re-authenticate to access Siebel CRM On Demand, and b) are not required to maintain a separate set of credentials for Siebel CRM On Demand. To enable the broadest support for single sign-on, Siebel CRM On Demand supports the OASIS SAML standard.

Customer Requirements

In order for a customer to implement Single Sign-On with the Siebel CRM On Demand environment, the customer's on-premise identity management and federation infrastructure must, at a minimum, support version 1.1 of the SAML standard. The Security Assertion Markup Language (SAML) standard defines a framework for exchanging security information between online business partners. It was developed by the Security Services Technical Committee (SSTC) of the standards organization OASIS (the Organization for the Advancement of Structured Information Standards).

SSO Processing

For the purpose of Single Sign-On to CRM On Demand, the customer's system is the Asserting Party (SAML assertion producer) and Siebel CRM On Demand is the Relying Party (SAML assertion consumer). A trust relationship is set up between the two parties so that when the customer system asserts that the user is a particular entity, the CRM On Demand system can validate and trust this information.

The typical use case is referred to in the SAML standard as the Web Single Sign-On (SSO) Source-Site-First scenario using the Browser/Artifact Profile. In this use case:

1. The user logs on to their local system and establishes an authenticated session.
2. To access the external CRM On Demand, the user clicks on an internal link that generates a SAML assertion and redirects the request to CRM On Demand.
3. CRM On Demand passes the artifact to the customer's site to retrieve the SAML assertion, whose subject refers implicitly to the user that has been authenticated.
4. CRM On Demand validates the assertion based on the company's configured security profile. Once validated, the user is mapped to a CRM On Demand user entity and granted an authenticated CRM On Demand session. Authorization to access application features and data is handled by CRM On Demand.

Web SSO Source-Site-First Scenario Using the Browser/Artifact Profile

The following diagram shows the detailed message flows for the Browser/Artifact profile in the Source-Site-First scenario. The component on the customer's site called the Inter-site Transfer Service (ITS) provides SAML processing such as artifact and redirect generation. In this scenario, the customer site is the Asserting Party, and CRM On Demand is the Relying Party or Service Provider.

[Figure: Browser/Artifact Profile Source-Site-First - Detailed Processing]

The processing is as follows:

1. The user logs on to the internal company infrastructure or portal.
2. The on-premise identity provider performs an access check and determines that the user does not have a current session and requires the user to be authenticated. As a result, the user is challenged to authenticate.
3. The user supplies credentials, for instance username and password.
4. If the authentication is successful, then a session is created for the user and the appropriate welcome screen of the Portal application may be displayed to the user.
5. The user selects a menu option (or function) on the displayed screen that means the user wants to access the Siebel CRM On Demand Web application (although, of course, the user may not be made aware of this). This causes a Web request to be sent to the customer site's Inter-site Transfer Service (in this example, hosted on the same Web site). The request contains the URL of the Siebel CRM On Demand Web application.
6. The Inter-site Transfer Service generates an assertion for the user while also creating an artifact, and then sends back a redirection response to the browser, with the Location header containing the URL of the Artifact Receiver service, the CRM On Demand URL, and the artifact. On processing the redirect, the browser issues a request to the CRM On Demand Artifact Receiver.
7. On receiving the HTTP message, the CRM On Demand Artifact Receiver extracts the source-id and sends a SAML request to the customer's SAML responder containing the artifact supplied by the customer's Inter-site Transfer Service.
8. The customer's SAML responder supplies back a SAML response message containing the assertion generated during step 7. If a valid assertion is received back, then a session on CRM On Demand is established for the user.
9. The CRM On Demand Artifact Receiver sends a redirection message containing a session cookie back to the browser. The browser then processes the redirect message and issues a request to CRM On Demand providing the session cookie supplied by the Artifact Receiver. An access check is then performed to establish whether the user has the correct authorization to access the Siebel CRM On Demand Web site and the specific requested web page.

NOTES:

Steps 1 through 5 are examples of how the initial logon, assertion generation and redirection might be implemented on the customer site. This implementation may vary depending on the needs and infrastructure of the customer.

It is required that all messages that cross the public Internet be exchanged using HTTP over SSL (https). Minimally, this includes steps 5 through 9.

The trust relationship, the mapping between source IDs and Receiver/Responders, and the mappings between customer users and CRM On Demand users must be established administratively prior to using SSO.
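The exchange in steps 6 through 9, as an added example that is not part of Oracle's paper or product: a Python simulation of a customer's Inter-site Transfer Service and SAML responder on one side and the CRM On Demand Artifact Receiver on the other, showing the relying-party checks a practitioner would expect (artifact type code, source-id lookup against the administratively configured responder table, one-time artifact resolution, validity window, audience, and the External Identifier to CRM user mapping). The host names, audience string and validity window are constructed; SSL transport and XML signatures on the back-channel messages are out of scope.

```python
"""Simulated SAML 1.1 Browser/Artifact, source-site-first exchange. Added
example (not Oracle's code): both sites run in-process, no SSL or signing."""
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: the customer's source ID (SHA-1 of its identifier),
# the relying party's audience name, and the assertion validity window.
SOURCE_ID = hashlib.sha1(b"https://idp.example.com").digest()
AUDIENCE = "crmondemand.example"
ASSERTION_TTL = timedelta(minutes=5)


class InterSiteTransferService:
    """Asserting party: issues an assertion and a one-time artifact (step 6)."""
    def __init__(self, source_id):
        self.source_id = source_id
        self._pending = {}  # assertion handle -> assertion, removed on pickup

    def redirect_for(self, external_id, target, artifact_receiver_url):
        handle = secrets.token_bytes(20)
        now = datetime.now(timezone.utc)
        self._pending[handle] = {
            "subject": external_id, "audience": AUDIENCE,
            "not_before": now, "not_on_or_after": now + ASSERTION_TTL,
        }
        # SAML 1.1 type-1 artifact: TypeCode 0x0001 || SourceID(20) || Handle(20)
        art = base64.b64encode(b"\x00\x01" + self.source_id + handle).decode()
        query = urlencode({"TARGET": target, "SAMLart": art})
        return f"{artifact_receiver_url}?{query}"

    def respond(self, raw_artifact):
        """SAML responder (step 8): releases each assertion exactly once."""
        return self._pending.pop(raw_artifact[22:], None)


class ArtifactReceiver:
    """Relying party: resolves the artifact and validates the assertion (7-9)."""
    def __init__(self, responders, user_map):
        self.responders = responders  # source ID -> responder, set administratively
        self.user_map = user_map      # External Identifier for SSO -> CRM user

    def consume(self, redirect_url):
        qs = parse_qs(urlparse(redirect_url).query)
        raw = base64.b64decode(qs.get("SAMLart", [""])[0])
        if len(raw) != 42 or raw[:2] != b"\x00\x01":
            return None, "malformed artifact"
        responder = self.responders.get(raw[2:22])  # extract the source-id
        if responder is None:
            return None, "unknown source id"
        assertion = responder.respond(raw)
        if assertion is None:
            return None, "artifact already used or unknown"
        now = datetime.now(timezone.utc)
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            return None, "assertion outside validity window"
        if assertion["audience"] != AUDIENCE:
            return None, "assertion not intended for this relying party"
        user = self.user_map.get(assertion["subject"])
        if user is None:
            return None, "no mapped CRM On Demand user"
        return {"user": user, "target": qs.get("TARGET", [""])[0]}, "ok"
```

Replaying the same redirect URL a second time fails at the responder, which is what makes the artifact safe to carry in a browser-visible URL.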
Siebel CRM On Demand offers several options for a company that is configuring the service to use single sign-on.

Siebel CRM On Demand SSO Configuration

Siebel CRM On Demand allows the following SSO configuration options:

A unique External Identifier for Single Sign-On value is assigned for every Siebel CRM On Demand customer. This value can be viewed by the company administrator on the Company Profile page.

Siebel Customer Care configures the Authentication Type for a company. Authentication Types include:

- Userid/Password Only: The default configuration, where users authenticate directly with CRM On Demand via entry of their CRM On Demand credentials (username and password) on the CRM On Demand Sign-In page.
- SSO Only: Requires all users to be authenticated by the company's on-premise identity provider. Users will not be able to sign in directly to the CRM On Demand application with CRM On Demand credentials. If this is attempted, they will be redirected to the customer site for authentication.
- Either Userid/Password or SSO: Allows a company's users to sign in to CRM On Demand either via the CRM On Demand Sign-In page or via the SSO mechanism.

A company administrator can configure the following for their company:

- Sign In Page for SSO Authentications: URL to redirect a user to when they sign off or their session times out and they had signed in via SSO. This setting is optional.
- Sign In Page for Userid/Pwd Authentications: Optional separate URL that performs the same function for users signed in via Userid/Password.
- ITS URL for SSO Authentications: URL for an Inter-site Transfer Service responsible for validating the user's identity, generating an assertion and redirecting the browser to the CRM On Demand assertion consumer service to validate the assertion.

Per user, a company administrator can configure:

- Authentication Type:
  - Blank: Defaults to the company-level setting.
  - Userid/Password Only
  - SSO Only
  - Either Userid/Password or SSO: May only be set if the company-level setting is Either Userid/Password or SSO.
- External Identifier for SSO: The user identifier provided by the customer's on-premise identity management application. To ensure security, changes to this field are audited and also generate an e-mail notification sent out to the user.
Client Support

SSO is supported when accessing Siebel CRM On Demand through a web browser, the PIM Sync client, and via the web services interface, provided that the on-premise security implementation satisfies the requirement of sending SAML v1.1-compliant assertions to CRM On Demand.

CONCLUSION

Siebel CRM On Demand's Single Sign-On feature allows companies to integrate the hosted Siebel CRM On Demand service with other systems that have the ability to manage user credentials and authentication. The SAML standard-based solution helps companies to achieve the goals of usability, security and management that SSO can provide.

For More Information

For more information call 1-866-906-7878 or visit www.crmondemand.com.

SAML RESOURCES

The following resources provide additional details about SAML:

- The official SAML FAQ: http://www.oasis-open.org/committees/security/faq.php
- SAML V1.1 Technical Overview document: http://www.oasis-open.org/committees/download.php/6837/sstc-samltech-overview-1.1-cd.pdf
- Debunking SAML Myths and Misunderstandings: http://www-128.ibm.com/developerworks/xml/library/x-samlmyth.html

GLOSSARY

Entity (or system entity): An active element of a computer/network system.

Principal: An entity whose identity can be authenticated.

Subject: A principal in the context of a security domain.

Identity: The essence of an entity, often described by one's characteristics, traits, and preferences.

Identifier: A data object that uniquely refers to a particular entity.

Federated identity: Existence of an agreement between providers on a set of identifiers and/or attributes to use to refer to a principal.

Account linkage: Relating a principal's accounts at two different providers so that they can communicate about the principal.

Asserting party (SAML authority): An entity that produces SAML assertions. Often called the AP.

Identity provider: An entity that creates, maintains, and manages identity information for principals and provides principal authentication to other service providers.

Relying party: An entity that decides to take an action based on information from another system entity. Often called the RP and often synonymous with Service Provider.

Service provider: An entity that provides services to principals or other entities. Often called the SP.

Assertion: An assertion is a declaration of fact, according to someone. SAML assertions contain one or more statements about a subject, for example an authentication statement: "Joe authenticated with a password at 9:00am".

Artifact: A small, fixed-size, structured data object pointing to a typically larger, variably sized SAML protocol message. Designed to be embedded in URLs and conveyed in HTTP messages. Allows for pulling SAML messages rather than having to push them. SAML defines one artifact format, but custom formats can also be created.

Siebel CRM On Demand Web Services
December 2006
Author: Kevin Kraemer
Contributing Authors: Steve Bardowell

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright 2006, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.