By Naresh Persaud on Oct 25, 2011
If you attended our webcast, thanks for listening and for all of the questions submitted. Click here for the replay. You can find more details on ESSO on our website at www.oracle.com/identity . If you enjoyed the video at the beginning of the presentation here is a link to the video on youtube. You can find a copy of the slides here. You can also download ESSO on our site.
There were a number of questions that we did not get to answer during the webcast so I have captured these here:
Q: Does ESSO Suite include IAM and OIF ?
A: No ESSO suite is one component of the Identity Management portfolio and does not include Oracle Identity Federation.
Q: Are there any issues implementing in a Citrix or thin client environment ?
A: ESSO deploys well in a Citrix environment. In Citrix environment the ESSO manager is deployed on the Citrix server and as users launch applications the ESSO manager can detect these and inject the right credentials to provide single sign-on. We have customers that have deployed to thousands of users in Citrix environments.
Q: Does ESSO work with the Microsoft client ?
A: Yes ESSO works well in Microsoft environments.The ESSO client is integrated with the Microsoft GINA and allows users to sign-on and reset passwords.
Q: Does ESSO use SAML tokens ?
A: ESSO uses tokens for the integration with Oracle Access Manager but ESSO itself alone is not dependent on SAML.
Q: Does Oracle ESSO interact at the GINA-level and if so how does that interaction impact other GINA components such as the Novell GINA?
A: ESSO does GINA chaining and the biggest component is the password reset capability. It adds a bar above the GINA so that a user can change their password. It does not interfere with the normal operation of the GINA.
Q: I see a password reset capability. So, does ESSO include an enterprise password vault kind of capability?
A: ESSO Logon Manager manages all usernames and passwords for your applications. It stores information in a local cache and it leverages a central repository like a directory - ESSO manages the templates, passwords in a central repository.
Q: How is Active Directory integrated with this?
A: ESSO can use Active Directory as a repository and can propagate password changes to AD.
Q: we have a password vault (CyberArk). Will ESSO inter-operate with that?
A: ESSO does not work with CyberArk OOTB
Q: We are on Oracle 126.96.36.199 and uses Microsoft OID for network authentication. Will ESSO work with this installation ?
A: Yes, the latest version of ESSO 188.8.131.52 will work with with this configuration.
Q: Do we need to purchase any additional Software or any other licenses?
A: ESSO suite is a separate component in the stack and is licensed per user. The listing of components can be found in the slides.
Q: Please explain more about the cloud capabilities ?
A: With the ESSO Anywhere component the client actually downloads on demand and allows the user to sign-on to applications based in the cloud.
Q: Is this compatible with any applications or just Oracle products? Can this be used over Internet? (such as customers accessing hosted applications)
A: ESSO is not exclusive to Oracle products. It is a heterogenous single sign-on and password management solution. ESSO can be used over the internet with the ESSO Anywhere component.
Q: How susceptible is ESSO to changes in a logon screen for example: if a web app moves the login on a page, but keeps the field names the same ?
A: This has little impact on ESSO as long as the same control id's are being used ESSO can pick up the changes.
Q: Is there some industry average of self service password resets vs. help desk resetting the users passwords?
A: The typical cost for a password management call to the help desk can range from $30 to $40 per call. The cost is drive by the wait time and the time for the help desk person to actually execute all of the password changes.
Q: In a Java Server App. providing webservices to desktop clients within a corporate network, is there a clear benefit to using a keytab file vs. not using a keytab file if an SPN was setup?
A: This setup difference in the Kerberos deployment has no impact on ESSO.
Q: I thought SSO is embedded with oracle 10g or higher version.. is that correct? or do we need to purchse ESSO?
A: ESSO is a sperate component not embedded in 10g. ESSO needs to be purchases seperately.
Q: Is ESSO integrated with OIM and/or OAM within 11g only?
A: ESSO is integrated with OIM and OAM 10g as well.
Q: If ESSO is deployed, wouldn't OAM be excessive (for internal applications)?
A: No ESSO and OAM work well together. For the client server systems and mainframe systems that are not web access, ESSO serves a critical role and is integrated with OAM for a complete enterprise single sign-on solution.
Q: Which version of RDBMS Server or Fusion Middleware is good for implementing ESSO ?
A: ESSO does not require the entire Fusion Middleware stack. It can be deployed alone and supports number of databases and repositories. See the technical white paper
Q: What Directory Services can ESSSO connect with? For example Oracle Sun Directory Server, Active Directory, etc ?
A: ESSO supports a variety of directory repositories. See the technical white paper.
Q: Does the system integrate with VMS operating systems?
A: Yes ESSO supports the Vax.
Q: Would the ESSO system integrate with multi-factor applications? Does it store the information of the user to utilize once they authenticate to the ESSO?
A: Yes ESSo provides the capability to do multi-factor authentication with multiple solutions including SecurID. ESSO can even work with "One Time Password" generators.
Q: What components of ESSO is HSBC using and what other parts of the IAM Suite are in use? Also, how much staff is assigned to management of ESSO and the large IAM environment?
A: HSBC uses the ESSO Logon Manager. Globally HSBC has only 6 people managing ESSO across thousands of users supporting the entire rollout. After deploying ESSO HSBC saw a 30% to 50% reduction on calls to the help desk.
Q: Online training ?
A: Oracle University provides training. Here is a link to the on-line class
Q:How does ESSO work on mobile devices ?
A: We are currently working on the ability to support mobile devices which will be available in the future.
Q: How the licensing works? Component basis? suite? What are the minimum components?
A: The ESSO components are available in a suite. See the webcast slides for the components in the suite and the suite is licensed per user.
Q: How does ESSO works with Oracke EBS SSO? Is there any integration between the two? how does having some of the EBS modules available on DMZ server impacts it?
A: Oracle Ebiz SSO uses Oracle Access Manager for single sign on. ESSO integrates with this to provide sign-on between Ebiz and other applications. The Ebiz components on the DMZ do not impact this.
Q: We want to piggy back on AD security - primarily for password synchronization.
A: This can be done - ESSO does not interfere with AD security or AD password synch
Q: Can we deploy OAM without ESSO?
A: Yes, OAM does not require ESSO to be installed.
Q: Is it linked to OAM or can we use a separate DB from ESSO
A: ESSO is independent of OAM and can use a separate repository
Q: Can ESSO can be managed using Oracle Grid control?
A: Currently no.
Q: Question: if the password sync failed in the middle i.e. ldap password got changed but not the SAP then how do you revert or what will be the result?
A: ESSO would store the password in the central repository so it can be changed once SAP is available
Q:Can we just use Oracle Enterprise User Security for password synchronization with Active Directory
A: Yes you can see the link to the documentation
Q: We are using IBM’s Maximo application with an Oracle database. We use the BEA WebLogic “middleware” application. Will ESSO allow us to sign onto the network domain and skip the Maximo logon?
A: Not certain - It depends on wether Maximo can trust the network domain sign-on.
Q: Can it also manage users ? in other words, if user is dropped, can it dropped in all 400+ database ?
A: ESSO can do this see the documentation in the SSO provisioning gateway