Enable Microsoft Entra ID (Azure AD) SSO and MFA to Oracle Siebel via Datawiza

About 4 min

Overview

This tutorial shows how to enable Microsoft Entra ID (Azure AD) SSO and MFA for Oracle Siebel via Datawiza.

The benefits of integrating applications with Microsoft Entra ID via Datawiza includes:

Improved Zero Trust securityopen in new window through Microsoft Entra ID, MFA and Conditional Accessopen in new window.
No-Code easy integrationopen in new window between Microsoft Entra ID and any web applications, including Oracle JD Edwards, E-Business Suite, Siebel, Peoplesoft and homegrown apps.
A single control plane, Datawiza Cloud Manage Consoleopen in new window, to manage access to applications in public clouds and on-premise.

Background

This document focuses on Oracle Siebel application integration using HTTP header-based authentication to manage access to protected resources.

For legacy applications, due to the absence of modern SSO protocol (SAML or OIDC) support, a direct integration with a modern Identity Provider is difficult. Datawiza Access Proxy bridges the gap between the legacy application and the modern identity provider, through protocol transitioning. Datawiza Access Proxy lowers integration overhead, saves engineering time, and improves application security.

Architecture

The solution contains the following components:

Microsoft Entra ID: Microsoft's cloud-based identity and access management service, which helps users sign in and access external and internal resources.
Oracle Siebel Application: the legacy application to be protected by Microsoft Entra ID and Datawiza.
Datawiza Access Proxy (DAP): A lightweight container-based reverse-proxy implements OIDC or SAML protocol for user sign-on flow and transparently passes identity to applications through HTTP headers.
Datawiza Cloud Management Console (DCMC): A centralized management console that manages DAP. DCMC provides UI and RESTful APIs for administrators to manage the configurations of DAP and its granular access control policies.

Steps Description

Oracle Siebel Microsoft Entra ID (Azure AD) SSO and MFA | Steps

The user requests access to a DAP-protected Siebel resource.
DAP redirects the user's browser to the identity provider (e.g.,Microsoft Entra ID, Okta, Ping or others).
Identity Provider presents its login page to the user.
The user submits their credentials to the identity provider.
Upon successful authentication, the identity provider redirects the user's browser to DAP.
DAP communicates with the identity provider to exchange tokens.
Identity Provider issues the user's username and relative information to DAP.
DAP sets an HTTP header variable that maps to the Siebel user ID, and passes the authenticated user's username in the header variable to the Siebel Application Interface.
The Siebel Application Interface passes the authenticated user's user name and the value for the Trust Token parameter to the security adapter. Then the security adapter compares the Trust Token value, if the values match, then the Application Object Manager accepts the request.
The Application Object Manager uses the returned token to retrieve the user's data based on their roles and visibility. If the user is not authorized, the user is denied access and redirected to another URL as determined by the organization's administrator. Otherwise, it presents the requested protected resource to the user.

Prerequisites

Prior Datawiza Access Proxy experience isn't necessary, but you need:

An Azure subscription. If you don't have a subscription, you can get a trial accountopen in new window.
An Microsoft Entra ID tenantopen in new window that's linked to your Azure subscription.
Dockeropen in new window and docker-composeopen in new window are required to run DAP.
User identities synchronizedopen in new window from an on-premises directory to Microsoft Entra ID or created directly within Microsoft Entra ID and flowed back to your on-premises directory.
An account with Microsoft Entra ID application admin permissionsopen in new window.
An existing Oracle Siebel environment and LDAP Security Adapter is installed on and enabled.

Getting started with DAP

To integrate Oracle Siebel with Microsoft Entra ID:

Sign in to Datawiza Cloud Management Consoleopen in new window.
The Welcome page appears.
Select the orange Getting started button.
In the Name and Description fields, enter the relevant information.
Select Next.

On the Add Application dialog, use the following values:

Property	Value
Platform	Web
App Name	Enter a unique application name.
Public Domain	For example: `https://siebel.example.com`. For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain with the port.
SSL	Check the Enable SSL and use datawiza self-signed certificate checkbox for testing if you are using SSL. For production, you can upload your own certificates.
Listen Port	The port that DAP listens on. I use 443.
Upstream Servers	The Oracle Siebel implementation URL and port to be protected.

Oracle Siebel SSO and MFA | Create a New Application

Select Next.
On the Configure IdP dialog, enter the relevant information.
Info
DCMC has one-click integration to help complete Microsoft Entra ID configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Microsoft Entra ID tenant.
Select Create.
The DAP deployment page appears.
Make a note of the deployment Docker Compose file. The file includes the DAP image, also the Provisioning Key and Provisioning Secret, which pulls the latest configuration and policies from DCMC.

SSO and HTTP headers

The DAP gets user attributes from IdP and passes them to the upstream application via header or cookie.

For the Oracle Siebel application to recognize the user correctly, there's another configuration step. Using a certain name, it instructs DAP to pass the values from the IdP to the application through the HTTP header.

Such configuration will be done in the Applications tab on the left panel and go to Attribute Pass sub-tab. For Oracle Siebel, please refer to the screenshot below to configure the attribute pass:

Property	Value
Field	Email
Expected	SSO_SIEBEL_USER
Type	Header

Oracle Siebel SSO and MFA | Attribute Pass

Info

In this setup, the mapping between the email and SSO_SIEBEL_USER serves as an example. You have the flexibility to modify this configuration by either adjusting the Field or altering the attribute mapping within the Mappings sub-tab.

(Optional) SSL Configuration

By default, when you set up this application, it will use the Datawiza self-sign certificate, but you still have the chance to replace it with your own certificate. Select the Advanced tab. Click the edit button, then upload your own certificate.
Select Save.

Enable SSO in the Oracle Siebel Portal

To enable header-based authentication SSO in the Oracle Siebel environment:

Logon to Oracle Siebel Portal: http://{your-siebel-fqdn}:{port}/siebl/smc/index.html using Admin credentials.
Enable Single Sign On for the LDAPSecAdpt Profile by going to Site Map >> Administration >> Server Configuration >> Profile Configuration and update the below parameters:
- Configure Web SingleSignOn -- True
- Trust Token -- Welcome1
Go to Siebel Deployment >> Profiles >> Application Interface (AI) profile and select the profile and click on Edit button to edit the profile.
In Edit Profile, go to Applications and narrow down on the fins (enu) and expand Enhanced Authentication and check Configure Web Single Sign On checkbox and input Trust Token with the same as before: Welcome1. Then input User Specification as SSO_SIEBEL_USER.
Restart the Siebel server, Application Interface (AI) Application Container, Siebel Enterprise Server (SES) Application Container and Gateway server for changes to take effect.

Test an Oracle Siebel application

To confirm Oracle Siebel application access occurs correctly, access the new Siebel URL https://siebel.example.com in the browser. A prompt appears to use a Microsoft Entra ID account for sign-in. Credentials are checked and the Oracle Siebel home page appears.