Putting the EASY into ESSO! by Matthew Scott (aurionPro SENA Blog Series - Ch1)
By Greg Jensen on Jun 04, 2013
Enterprise Single Sign-On occupies an unusual position in the field of IAM. In automating the sign-on of users to their applications, it is somewhat uniquely, a client-side application. For some of our customers, the role of enterprise SSO in an IAM programme isn’t entirely clear. I’ve spoken with many security architects who view its use as somehow tantamount to cheating. Surely, they assert, if we fully integrate systems at the back-end then the need for a client component doing sign-on becomes unnecessary. Architecturally this may be true. But the realities are that users have issues with passwords right now. Enterprise single sign-on addresses problems immediately. However, it’s also much more than just a tool that signs the user on to anything from their desktop. It is a tool that can be used to solve related business problems and technical challenges just as well as it can deliver users from their credential nightmares.
In this series of four articles, we will explore how enterprise SSO can be used to deliver these additional benefits. We will cover zero touch credential provisioning, making enterprise single sign-on an integrated part of an IAM programme and the management of delegated accounts. First, however, we’ll start with an easy one… making everyone happy all at the same time!
Capturing business requirements for identity and access management projects can be an art. There are so many interested parties – technical, legal, HR, end-users, application owners to name but a few – that it’s rare to reach a speedy consensus. I was in one such meeting with a customer a while back who were trying to explore what the success criteria would be for their enterprise single sign-on initiative. Relatively straightforward, you’d think, but after five hours the customer was still going round in circles! It wasn’t until the project sponsor finally arrived at the meeting and spoke about his vision that sanity was restored. His single request? His single measure? “Make it easy for my users!” That’s all he wanted. If other benefits accrued, that was a bonus.
Oracle’s Enterprise Single Sign-non Suite Plus (Oracle ESSO) is designed to do precisely what the project sponsor wanted. It includes a number of technologies designed to relieve the pain of passwords, by reducing the number of forgotten or incorrect credentials that a user has, whilst simultaneously making it easier to provide those same credentials to users without compromising security. What’s more, these benefits can be obtained surprisingly quickly – Oracle ESSO has a very light footprint and a flexible framework approach to managing credentials for almost any application. Web, Windows, Cloud or mainframe, passwords can quickly be eliminated as a source of pain for users and IT staff alike.
Oracle ESSO takes the management of credentials away from users. It stores passwords in a secure manner so that the user cannot forget it. It manages the password lifecycle, securely updating credentials when they expire. And it streamlines the user experience – application logon is handled automatically, so the user can get to work immediately without having to fumble over the username and password.
Of course, Oracle ESSO also allows the organisation to achieve lots of other benefits if it’s implemented correctly – reduced number of calls to helpdesk, increased productivity through faster password resets and so on. But fundamentally, as a user-facing tool it has to be one that’ll gain rapid acceptance for its deployment to be heralded as a success. The additional benefits won’t appear if the users don’t adopt the new tools they’re given.
aurionPro SENA has considerable experience with the Oracle ESSO suite. In fact, we’ve got the deployment of Oracle ESSO down to a fine art. Referring back to our original customer above – speed of deployment was important. “Proof of concept in days, pilot in weeks, deployment in two months” was the mantra. All with no significant operational impact on either end-users or IT personnel. We helped the customer achieve these goals. Deploying Oracle ESSO requires a delicate balance of technical knowledge, light-touch project management and extremely well-managed engagement with the end-user community. The last element is the most important. Involving key users as early as possible when their applications are being ‘profiled’ for single sign-on helps to ensure that they buy in to the end goal. They understand how Oracle ESSO will enhance the way that they work and are keen to share this with other users. If done right, a cascade of anticipation can ripple through the user community so that, rather than fearing change as can often happen with IT projects, the users are willing the change to arrive sooner! The use of appropriate briefing tools, promotion of the new system and similar techniques can further enhance the effectiveness of the final Oracle ESSO rollout.
So, Oracle ESSO makes it easy for end-users. That’s great, that’s exactly what our customer wanted, and it’s what any user-facing application should strive to do. Deploying Oracle ESSO, when managed properly, is one of those very unusual IT projects, though. Not only does it make things easier for end-users, it also makes things easier for IT support teams, helpdesk operators, auditors and a whole range of teams within the organisation. So it’s win-win all round.
But this is just the starting point. Oracle ESSO acts as a great launch pad for customers looking to further streamline credential management, giving users a better experience whilst also improving security and providing previously unavailable audit data. Stay tuned as we demonstrate how you can unlock the potential of Oracle ESSO.