This one has been kicking around in the "post to the homepage bin" for a while. Finally got a chance to do that.
Jackson Shaw recently wrote a post titled "Listen up Oracle and IBM!! You should support direct authentication against Active Directory".
In short - he wants Oracle products to integrate with AD using Kerberos.
To be honest I'm a bit puzzled here. I suppose we just need to do a better job of getting the word out.
The database has supported Kerberos for a very long time - at least since 9i.
Oracle Single Sign-On (OSSO) - aka our "classic" Web SSO product, which has been a part of Oracle Application Server - has supported Windows Native Authentication, which leverages Kerberos over HTTP, for a while now.
The same goes for Oracle Access Manager which is the Web Access Management technology we acquired via Oblix a couple of years ago.
Between the database, OSSO and OAM - that covers the vast majority of Oracle technologies since most of them can use one or the other for authentication.
FYI - Oracle Virtual Directory (OVD) even has the ability to translate simple LDAP binds made to OVD into Kerberos authentication calls to Active Directory (good if you can do LDAP over SSL to OVD but can't do it across all of your AD servers for cost or management reasons and still want secure LDAP binds).
Obviously some applications may still use a native thick client to authenticate, and it may not support Kerberos. For those, Oracle Enterprise SSO can provide secure desktop SSO. And since it integrates with Windows authentication - technically it leverages Kerberos :).
Finally, as we gaze into the future - the predicted model is that technologies like Secure Token Services (STS) will emerge. These systems will allow the translation/exchange of security tokens from one service to another. Thus we will have a standard model to translate a SAML token into a Kerberos TGT. Things like STS are really the only way to get to a point where we can more seamlessly integrate different SSO systems.
Comments (3)
I think you need to do a better job getting the word out and, unless I am mistaken, Oracle charges for Kerberos, smartcard and RADIUS authentication (Oracle Advanced Security).
I realize as software vendors we all have to make money for our shareholders but charging for OAS? Microsoft doesn't charge for any of those capabilities.
Maybe I'm mistaken about that but if so, see your first take: "Maybe we need to get the word out."
Best,
Jackson
Posted by Jackson Shaw | November 27, 2007 12:21 AM
All the stuff that you mentioned requires OVD. I think Jackson wanted it to be supported in Oracle natively without having to acquire any additional products and/or licenses.
Posted by James | November 29, 2007 9:44 PM
What is required is for Oracle to support Kerberos GSSAPI across its product range Oracle. The strategy that we are moving with is to classify any product that doesn't support key open authentication/authorisation technologies as a legacy product. The "you need to buy magic product X" unfortunately doesn't cut it. Oracle will have a considerable period of time to fix its product set as there is a large installed base; however, new capability using Oracle now requires CIO signoff because of its poor integration record.
Posted by ian | October 30, 2008 4:24 PM