Web Services using Single Sign On (SSO) is prompting for authentication

again [ID 561125.1]

Modified 23-JAN-2009 Type PROBLEM Status MODERATED

In this Document
Symptoms
Solution
References

Created from <SR 3-131875221>Platforms: 1-914CU;

This document is being delivered to you via Oracle Support's Rapid Visibility (RaV)
process and therefore has not been subject to an independent technical review.

Applies to:

Siebel Sales - Version: 7.8.1.1 SIA [19044] - Release: V7

Information in this document applies to any platform.

Symptoms

Customer had developed .NET front end application, with back end Siebel UCM.

From .NET the single sign on credentials can be obtained through web services, but it's
prompting the user for credentials again. Is there a way to by pass the prompting of user
credentials again, as it is failing to login to siebel UCM web server.

Solution

Following information was provided :-

Please pay special attention to the SOAP messages being exchanged. You may want to trace the
network to get a dump of the SOAP messages + HTTP headers and compare to the information
below.

Key things are :

1) The Security subsystem and SWSE have TrustToken parameters, which need to match.

-SWEAPPS has parameters:

USerSpec= SIEBEL_SSO_USER
UserSpecSource = Header

2) Usually the 3rd party SSO software would authenticate the user and place the users name into
a variable (refernenced by UserSpec) into the HTTP header.

3) For WebServices we still need to supply a Username either in the URL or in the SOAP
headers. The password is set to the value of TrustToken.
4) The Anonymous Usernames Password (AnonPassword) also needs to map to the TrustToken
parameter.

Example setup:

WebService

Address : http://local/eai_anon_enu/start.swe?
SWEExtSource=SecureWebService&SWEExtCmd=Execute
Operation Authentication Type - Username/Password - clear text

SWEAPPS

[/eai_anon_enu]
ConnectString = siebel.TCPIP.None.None://localhost:2321/hor80/EAIObjMgr_enu
EnableExtServiceOnly = TRUE
UseAnonPool = TRUE
AnonUserPool = 10
WebPublicRootDir = C:\HOR80\SWEApp\public\enu
EncryptedPassword = False
AnonUserName = BI_V8_HOR_LDAP_ANON
AnonPassword = HELLO
;;WebPublicRootDir = C:\HOR80\SWEApp\public\enu
SiebEntSecToken = plMl9UrS8C4BIG3AXw==
SingleSignOn = True
TrustToken = HELLO
USerSpec= SIEBEL_SSO_USER
UserSpecSource = Header
ProtectedVirtualDirectory = /eai_anon_enu

SOAP REQUEST :

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:asi="http://siebel.com/asi/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
<wsse:UsernameToken>
<wsse:Username>jbarlow</wsse:Username>
<wsse:Password Type="wsse:PasswordText">HELLO</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>

<soapenv:Body>
<asi:SiebelAccountQueryById>
<PrimaryRowId>1</PrimaryRowId>
</asi:SiebelAccountQueryById>
</soapenv:Body>
</soapenv:Envelope>

The instructions imply EAI OM should be configured to authenticate against LDAP. If you use
ClearTrust, you have to configure the EAI OM for that.

Configuring an object manager for a specific security adapter is a generic task. All OMs are the
same and this is why Security and Authentication group specializes on this matter.

The following postings may be helpful to some degree.

Web SSO with RSA ClearTrust (Doc ID 531457.1)

Support for RSA from Cleartrust in Siebel 7.8 (Doc ID 544856.1)
SWSE LOGIN FAILED (Doc ID 534391.1)

If you need assistance on configuring SSO with ClearTrust, it is recommend to log a new SR to
the Security and Authentication area.