Skip to main content

Enable Microsoft Entra ID (Azure AD) SSO and MFA to Oracle Siebel via Datawiza

About 4 min


This tutorial shows how to enable Microsoft Entra ID (Azure AD) SSO and MFA for Oracle Siebel via Datawiza.

The benefits of integrating applications with Microsoft Entra ID via Datawiza includes:


This document focuses on Oracle Siebel application integration using HTTP header-based authentication to manage access to protected resources.

For legacy applications, due to the absence of modern SSO protocol (SAML or OIDC) support, a direct integration with a modern Identity Provider is difficult. Datawiza Access Proxy bridges the gap between the legacy application and the modern identity provider, through protocol transitioning. Datawiza Access Proxy lowers integration overhead, saves engineering time, and improves application security.


The solution contains the following components:

  • Microsoft Entra ID: Microsoft's cloud-based identity and access management service, which helps users sign in and access external and internal resources.
  • Oracle Siebel Application: the legacy application to be protected by Microsoft Entra ID and Datawiza.
  • Datawiza Access Proxy (DAP): A lightweight container-based reverse-proxy implements OIDC or SAML protocol for user sign-on flow and transparently passes identity to applications through HTTP headers.
  • Datawiza Cloud Management Console (DCMC): A centralized management console that manages DAP. DCMC provides UI and RESTful APIs for administrators to manage the configurations of DAP and its granular access control policies.

Steps Description

Oracle Siebel Microsoft Entra ID (Azure AD) SSO and MFA | Steps

  1. The user requests access to a DAP-protected Siebel resource.
  2. DAP redirects the user's browser to the identity provider (e.g.,Microsoft Entra ID, Okta, Ping or others).
  3. Identity Provider presents its login page to the user.
  4. The user submits their credentials to the identity provider.
  5. Upon successful authentication, the identity provider redirects the user's browser to DAP.
  6. DAP communicates with the identity provider to exchange tokens.
  7. Identity Provider issues the user's username and relative information to DAP.
  8. DAP sets an HTTP header variable that maps to the Siebel user ID, and passes the authenticated user's username in the header variable to the Siebel Application Interface.
  9. The Siebel Application Interface passes the authenticated user's user name and the value for the Trust Token parameter to the security adapter. Then the security adapter compares the Trust Token value, if the values match, then the Application Object Manager accepts the request.
  10. The Application Object Manager uses the returned token to retrieve the user's data based on their roles and visibility. If the user is not authorized, the user is denied access and redirected to another URL as determined by the organization's administrator. Otherwise, it presents the requested protected resource to the user.


Prior Datawiza Access Proxy experience isn't necessary, but you need:

Getting started with DAP

To integrate Oracle Siebel with Microsoft Entra ID:

  1. Sign in to Datawiza Cloud Management Consoleopen in new window.

  2. The Welcome page appears.

  3. Select the orange Getting started button. Oracle Siebel SSO and MFA | Getting Started

  4. In the Name and Description fields, enter the relevant information.

  5. Select Next. Oracle Siebel SSO and MFA | Create a New Deployment

  6. On the Add Application dialog, use the following values:

    App NameEnter a unique application name.
    Public DomainFor example: For testing, you can use localhost DNS. If you aren't deploying DAP behind a load balancer, use the Public Domain with the port.
    SSLCheck the Enable SSL and use datawiza self-signed certificate checkbox for testing if you are using SSL. For production, you can upload your own certificates.
    Listen PortThe port that DAP listens on. I use 443.
    Upstream ServersThe Oracle Siebel implementation URL and port to be protected.

    Oracle Siebel SSO and MFA | Create a New Application

  7. Select Next.

  8. On the Configure IdP dialog, enter the relevant information.


    DCMC has one-click integration to help complete Microsoft Entra ID configuration. DCMC calls the Microsoft Graph API to create an application registration on your behalf in your Microsoft Entra ID tenant.

  9. Select Create. Microsoft Entra ID (Azure AD) SSO and MFA | Creare a New Microsoft Entra ID (Azure AD) IdP

  10. The DAP deployment page appears.

  11. Make a note of the deployment Docker Compose file. The file includes the DAP image, also the Provisioning Key and Provisioning Secret, which pulls the latest configuration and policies from DCMC. DAP Docker Compose File

SSO and HTTP headers

The DAP gets user attributes from IdP and passes them to the upstream application via header or cookie.

For the Oracle Siebel application to recognize the user correctly, there's another configuration step. Using a certain name, it instructs DAP to pass the values from the IdP to the application through the HTTP header.

Such configuration will be done in the Applications tab on the left panel and go to Attribute Pass sub-tab. For Oracle Siebel, please refer to the screenshot below to configure the attribute pass:


Oracle Siebel SSO and MFA | Attribute Pass


In this setup, the mapping between the email and SSO_SIEBEL_USER serves as an example. You have the flexibility to modify this configuration by either adjusting the Field or altering the attribute mapping within the Mappings sub-tab.

(Optional) SSL Configuration

  1. By default, when you set up this application, it will use the Datawiza self-sign certificate, but you still have the chance to replace it with your own certificate. Select the Advanced tab. Click the edit button, then upload your own certificate. Enable SSLUpload self-signed Cert
  2. Select Save.

Enable SSO in the Oracle Siebel Portal

To enable header-based authentication SSO in the Oracle Siebel environment:

  1. Logon to Oracle Siebel Portal: http://{your-siebel-fqdn}:{port}/siebl/smc/index.html using Admin credentials.

  2. Enable Single Sign On for the LDAPSecAdpt Profile by going to Site Map >> Administration >> Server Configuration >> Profile Configuration and update the below parameters:

    • Configure Web SingleSignOn -- True
    • Trust Token -- Welcome1 Oracle Siebel SSO and MFA | Security Adapter
  3. Go to Siebel Deployment >> Profiles >> Application Interface (AI) profile and select the profile and click on Edit button to edit the profile.

  4. In Edit Profile, go to Applications and narrow down on the fins (enu) and expand Enhanced Authentication and check Configure Web Single Sign On checkbox and input Trust Token with the same as before: Welcome1. Then input User Specification as SSO_SIEBEL_USER.Oracle Siebel SSO and MFA | Trust Token

  5. Restart the Siebel server, Application Interface (AI) Application Container, Siebel Enterprise Server (SES) Application Container and Gateway server for changes to take effect.

Test an Oracle Siebel application

To confirm Oracle Siebel application access occurs correctly, access the new Siebel URL in the browser. A prompt appears to use a Microsoft Entra ID account for sign-in. Credentials are checked and the Oracle Siebel home page appears.

Next steps