Broader Look at Kerberos, Active Directory and Oracle Products
This one has been kicking around in the "post to the homepage bin" for a while. Finally got a chance to do that.
Jackson Shaw recently wrote a post "Listen up Oracle and IBM!! You should support direct authentication against Active Directory"
In short - he wants Oracle products to integrate with AD using Kerberos.
To be honest I'm a bit puzzled here. I suppose we just need to do a better job of getting the word out.
The database has supported Kerberos for a very long time - at least since 9i.
Oracle Single Sign-On - aka our "classic" Web SSO product which has been a part of Oracle Application Server has supported Windows Native Authentication which leverages Kerberos over HTTP for a while now.
The same goes for Oracle Access Manager which is the Web Access Management technology we acquired via Oblix a couple of years ago.
Between the database, OSSO and OAM - that covers the vast majority of Oracle technologies since most of them can use one or the other for authentication.
FYI - Oracle Virtual Directory even has the ability to translate simple LDAP binds to OVD to Kerberos authentication calls to Active Directory (good if you can do LDAP over SSL to OVD but can't do it across all of your AD servers for cost or management reasons & still want secure LDAP binds).
Obviously some applications may still use a native thick-client to authenticate and it may not support Kerberos. For those that's where Oracle Enterprise SSO can provide secure desktop SSO. And since it integrates with Windows authentication - technically it leverages Kerberos :).
Finally as we gaze into the future - the predicted model is that technologies like Secure Token Services (STS) will emerge. These systems will allow the translation/exchange of security tokens from one service to another. Thus we will have a standard model to translate a SAML token into a Keberos TGT. Things like STS are really the only way to get to a point where we can more seamlessly integrate different SSO systems.
