Tuesday Jun 25, 2013

It's not just “Single Sign-on” by Steve Knott (aurionPro SENA)

It is true that Oracle Enterprise Single Sign-on (Oracle ESSO) started out as a purely application single sign-on tool, but as we have seen in the previous articles in this series, the product has matured into a suite of tools that does more than automated single sign-on: it can also provide a rapidly deployed, cost-effective solution to many demanding password management problems.

In the last article of this series I would like to discuss three cases where customers faced password scenarios that required more than just single sign-on, and how some of the less well known tools in the Oracle ESSO suite “kitbag” helped solve these challenges.

Case #1

One of the issues often faced by our customers is how to keep their applications compliant. I had a client who liked the idea of automated single sign-on for most of his applications but had a key requirement to actually increase the security of one specific SOX application. For the SOX application he wanted to secure access with two-factor authentication using a smartcard. The problem was that the application did not support two-factor authentication. The solution was to use a feature of the Oracle ESSO suite called Authentication Manager. This feature lets a single user have multiple authentication methods, in this case a smartcard and the Windows password. Within Authentication Manager each authenticator is configured with a security grade, so we gave the smartcard a high grade and the Windows password a normal grade. Security grading in Oracle ESSO is configured per application, so we set the SOX application to require the higher-grade smartcard authenticator. Note that the application itself still only ever receives its own password; the second factor is enforced by the ESSO agent in front of it, so the control is only as strong as the agent's hold on that credential.

The end result for the user was that they enjoyed automated single sign-on for most applications, apart from the SOX application. When the SOX application was launched, ESSO required the user to present their smartcard before the credentials were injected and access was granted.
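The grade-based step-up described in Case #1, written out as an added illustration rather than Oracle ESSO's own code. The grade values, the `APP_POLICY` table, the application names and the `launch` callback are all hypothetical; the point it shows is that the agent compares the strongest authenticator already presented in the session against the per-application minimum, fails closed for an application with no policy entry, and only prompts for the smartcard when the session does not already satisfy the grade.

```python
"""Grade-based step-up authentication, as in Case #1.

Added example, not Oracle ESSO code. Grades, authenticator names,
application names and the policy table are hypothetical.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Dict, Optional


class Grade(IntEnum):
    """Security grade of an authenticator; higher is stronger."""
    NORMAL = 1   # e.g. the Windows password
    HIGH = 2     # e.g. a smartcard


@dataclass
class Session:
    """Authenticators the user has presented so far in this session."""
    presented: Dict[str, Grade] = field(default_factory=dict)

    def strongest(self) -> Optional[Grade]:
        return max(self.presented.values(), default=None)


# Hypothetical per-application minimum grade.
APP_POLICY = {
    "expenses": Grade.NORMAL,
    "hr-portal": Grade.NORMAL,
    "sox-ledger": Grade.HIGH,
}


def required_grade(app: str) -> Grade:
    """Fail closed: an application missing from the policy table needs the
    highest grade rather than silently getting single sign-on."""
    return APP_POLICY.get(app, max(Grade))


def can_sign_on(session: Session, app: str) -> bool:
    """True if the session already satisfies the application's grade."""
    best = session.strongest()
    return best is not None and best >= required_grade(app)


def launch(session: Session, app: str,
           present_smartcard: Callable[[], bool]) -> str:
    """Simulate the agent intercepting an application launch.

    present_smartcard stands in for the prompt; it returns True when the
    user successfully presents the higher-grade authenticator."""
    if can_sign_on(session, app):
        return "sso"
    if present_smartcard():
        # Record the stronger authenticator so later launches in the same
        # session do not prompt again.
        session.presented["smartcard"] = Grade.HIGH
        return "step-up"
    return "denied"


if __name__ == "__main__":
    s = Session({"windows-password": Grade.NORMAL})
    print("expenses:", launch(s, "expenses", lambda: False))
    print("sox-ledger (card refused):", launch(s, "sox-ledger", lambda: False))
    print("sox-ledger (card presented):", launch(s, "sox-ledger", lambda: True))
```

The fail-closed default in `required_grade` is the detail worth keeping: if the compliance requirement is that a given application must never be reached on a password alone, an application that nobody remembered to add to the policy table should not quietly get the weaker grade.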

Case #2

Another example of solving compliance issues was the case of a large energy company with a number of core billing applications. New regulations required that users change their password regularly and use a complex password. The problem facing the customer was that the core billing applications had no native password change functionality. The customer could not replace the core applications because of the cost and time required to re-develop them. With a reputation for innovation, aurionPro SENA were approached to provide a solution to this problem using Oracle ESSO.

Oracle ESSO has a password expiry feature that triggers periodically based on the timestamp of the user's last password change, so our strategy was to leverage this feature to provide the password change experience. The trigger can launch the application's own change password event; however, in this scenario there was no native change password screen to launch, so a “dummy” change password screen was created that imitated the missing function and connected to the application database on behalf of the user.

Oracle ESSO was configured to trigger a change password event every 60 days. After this period, if the user launched the application, Oracle ESSO would detect the logon screen and invoke the password expiry feature. ESSO would launch the “dummy” screen, detect it automatically as the application's change password screen and insert a newly generated complex password on behalf of the user. Once the password change had completed, the user was logged on to the application with the new password, which they never needed to know. All this was provided at a fraction of the cost of re-developing the core applications. One practical caveat: because the dummy screen writes directly to the application database, it is itself a privileged component and its database credential needs the same protection as the passwords it sets.
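The expiry-and-rotate flow from Case #2, as an added example that is not Oracle ESSO code. The 60-day interval matches the text; the complexity rule, the credential record layout, the sample timestamps and the `change_password` callback (standing in for the dummy change-password screen) are hypothetical. It generates the replacement password from a CSPRNG so that it satisfies the policy by construction, and it only overwrites the stored credential once the application has accepted the new one, so a failed change leaves the old password valid for retry instead of locking the user out.

```python
"""Password expiry check and generated-password rotation, as in Case #2.

Added example, not Oracle ESSO code. The interval follows the article;
the policy, record format and sample data are hypothetical/constructed.
"""
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

EXPIRY = timedelta(days=60)                  # interval used in the article
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*_-+="                     # hypothetical allowed symbol set
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """True once the stored 'last password set' timestamp is EXPIRY or older."""
    return now - last_changed >= EXPIRY


def meets_policy(pw: str, min_len: int = 14) -> bool:
    """Hypothetical complexity rule: minimum length plus one of each class."""
    return (len(pw) >= min_len
            and any(c in LOWER for c in pw)
            and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SYMBOLS for c in pw))


def generate_password(length: int = 20) -> str:
    """Generate a policy-compliant password with the OS CSPRNG.

    One character from each class is chosen first so the policy cannot
    fail, the remainder is drawn from the full alphabet, and the result is
    shuffled so the class positions are not predictable."""
    if length < 4:
        raise ValueError("length must allow one character per class")
    chars = [secrets.choice(LOWER), secrets.choice(UPPER),
             secrets.choice(DIGITS), secrets.choice(SYMBOLS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def on_logon_screen(record: Dict, now: datetime,
                    change_password: Callable[[str, str], bool]) -> Dict:
    """Simulate the agent handling a detected application logon screen.

    record holds the stored credential and its timestamp. change_password
    stands in for the dummy change-password screen and returns True only
    when the application has committed the new password."""
    if not password_expired(record["last_changed"], now):
        return {"action": "sso", "record": record}
    new_pw = generate_password()
    if not change_password(record["password"], new_pw):
        # Keep the old credential; it is still the valid one.
        return {"action": "change-failed", "record": record}
    return {"action": "changed",
            "record": {"password": new_pw, "last_changed": now}}


# Constructed sample data for a stand-alone run.
SAMPLE_NOW = datetime(2013, 6, 25, tzinfo=timezone.utc)
SAMPLE_EXPIRED = {"password": "Old-Pass-1!",
                  "last_changed": SAMPLE_NOW - timedelta(days=61)}
SAMPLE_FRESH = {"password": "Old-Pass-1!",
                "last_changed": SAMPLE_NOW - timedelta(days=10)}

if __name__ == "__main__":
    print(on_logon_screen(SAMPLE_FRESH, SAMPLE_NOW, lambda old, new: True)["action"])
    print(on_logon_screen(SAMPLE_EXPIRED, SAMPLE_NOW, lambda old, new: True)["action"])
    print(on_logon_screen(SAMPLE_EXPIRED, SAMPLE_NOW, lambda old, new: False)["action"])
```

The ordering in `on_logon_screen` is the part that matters operationally: the repository is updated only after the application confirms the change, which is the same concern raised in the webcast Q&A below about a synchronisation that fails halfway.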

Case #3

Recent popular initiatives such as the BYOD and working from home schemes bring with them many challenges in administering “unmanaged machines” and sometimes “unmanageable users.”

In a recent case, a client had a dispersed community of casual contractors who worked for the business using their own laptops to access applications. To improve security around password management, the goal was to provision passwords directly to these contractors so that they never knew them. In a previous article we saw how Oracle ESSO can provision passwords through Provisioning Gateway, but the challenge in this scenario was how to get the Oracle ESSO agent onto a casual contractor's unmanaged machine.

The answer was to use another tool in the suite, Oracle ESSO Anywhere. This component compiles the normal Oracle ESSO functionality into a deployment package that can be made available from a website, in a similar way to a streamed application. The ESSO Anywhere agent does not install into the registry or Program Files but runs from a folder within the user's profile, so no local administrator rights are required for installation. The ESSO Anywhere package can also be configured to stay persistent or to disable itself at the end of the user's session.

In this case the user just needed to be told where the website package was located and to download it. Once the download was complete the agent started automatically and the user had single sign-on to their applications without ever knowing the application passwords.

Finally, as we have seen in this series, Oracle ESSO not only has great utilities in its own toolbox but also integrates directly with Oracle Privileged Account Manager, Oracle Identity Manager and Oracle Access Manager. Integrated with these tools, it provides a complete and complementary platform to address even the most complex identity and access management requirements.

So what next for Oracle ESSO?

“Agentless ESSO available in the cloud” – but that will be a subject for a future Oracle ESSO series!


Thursday Mar 21, 2013

Managing Security in the Social, Mobile, Cloud World

As we look forward in 2013, we look at the key trends driving the IT transformation today. Surely, mobile, social and cloud would top the list. With the proliferation of mobile devices companies are looking to offer access to the most commonly used (or user facing) business applications on users’ personal mobile devices. The spread of social networking is forcing organizations to allow users to access company resources using their social media sign-ons. And regardless of whether it is in a datacenter or in the cloud, the business application needs to be just as secure and reliable.

Customers today are demanding a seamless online experience, one that is geography agnostic. But most applications that are required to support this seamless digital experience were architected 10 or 20 years ago and are not scalable or agile enough. Worse, these applications still treat user experience and security as opposing goals; you inevitably compromise on one or the other.

The applications for today and tomorrow will need to support Internet scale, offer a seamless user experience across all channels and yet be secure enough to enable digital interaction with confidence. This means a re-architecture that adopts SOA for flexibility, BPM for collaboration and participation, a scalable user portal, Big Data for better business analytics and Fast Data for the massive scale that will be required, together with a Security Inside Out approach. To learn more about how each of the Fusion Middleware components fits into a social, mobile, cloud strategy, we recommend you peruse all the videos and assets for The New Business Imperative: Social, Mobile, Cloud screencast program here.

In our previous posts, we talked about the essentials for Securing the New Digital Experience and how Oracle has adopted a platform approach to provide a solid foundation to enable a secure, seamless digital experience.

Here, we wanted to share with you, some customer experiences. Industry leading organizations have adopted the platform approach to Identity Management and have started to leverage the capabilities of our latest release, Identity Management 11gR2, to enable secure mobile and social access. Companies, like SaskTel, are offering Identity Management in the cloud to some of the most security-conscious organizations.

SuperValu, for example, is leveraging Identity Management to bolster employee productivity in their stores by delivering secure, simplified sign-on for store managers on iPads.

And Oracle itself is using Oracle Identity Management internally to offer a centralized, single identity system, a simplified identity context to its employees across a myriad of applications the employees have (and need) access to. Managing a dynamic workforce across geographies, folding in M&As, leveraging Identity Management to power the cloud services – Oracle Identity Management within Oracle is another good example of the success of a platform approach to identity management and security. Catch this podcast to get the full Oracle on Oracle story.

Want to learn more? We recommend the following resources:

Engage with Us

Product Information on Oracle.com: Oracle Identity Management

OracleIDM Blog, Twitter and Facebook

Tuesday Mar 19, 2013

Identity Management Down Under at Victoria University

Educational institutions have a dynamic ecosystem with students, teachers and operational administration requiring significant IT and helpdesk resource investment. Victoria University in Melbourne, Australia embarked on an identity management project to automate and streamline access and authorization to the University’s systems for over 55,000 students and 3000 staff.

Check out the following video to see how the University simplified the sign-on process for students, empowered them with self-service and, in the process, eliminated helpdesk overhead.

Tuesday Oct 25, 2011

ESSO Webcast

If you attended our webcast, thanks for listening and for all of the questions submitted. Click here for the replay. You can find more details on ESSO on our website at www.oracle.com/identity. If you enjoyed the video at the beginning of the presentation, here is a link to the video on YouTube. You can find a copy of the slides here. You can also download ESSO from our site.

There were a number of questions that we did not get to answer during the webcast so I have captured these here:

Q: Does ESSO Suite include IAM and OIF?

A: No. The ESSO suite is one component of the Identity Management portfolio and does not include Oracle Identity Federation.

Q: Are there any issues implementing in a Citrix or thin client environment?

A: ESSO deploys well in a Citrix environment. The ESSO Logon Manager is deployed on the Citrix server and, as users launch applications, it detects them and injects the right credentials to provide single sign-on. We have customers that have deployed to thousands of users in Citrix environments.

Q: Does ESSO work with the Microsoft client?

A: Yes, ESSO works well in Microsoft environments. The ESSO client integrates with the Microsoft GINA and allows users to sign on and reset passwords.

Q: Does ESSO use SAML tokens?

A: ESSO uses tokens for its integration with Oracle Access Manager, but ESSO itself is not dependent on SAML.

Q: Does Oracle ESSO interact at the GINA-level and if so how does that interaction impact other GINA components such as the Novell GINA?

A: ESSO does GINA chaining, and the biggest component is the password reset capability. It adds a bar above the GINA so that a user can change their password. It does not interfere with the normal operation of the GINA.

Q: I see a password reset capability. So, does ESSO include an enterprise password vault kind of capability?

A: ESSO Logon Manager manages all usernames and passwords for your applications. It stores information in a local cache and leverages a central repository such as a directory; ESSO manages the templates and passwords in that central repository.

Q: How is Active Directory integrated with this?

A: ESSO can use Active Directory as a repository and can propagate password changes to AD.

Q: We have a password vault (CyberArk). Will ESSO inter-operate with that?

A: ESSO does not work with CyberArk out of the box.

Q: We are on Oracle and use Microsoft OID for network authentication. Will ESSO work with this installation?

A: Yes, the latest version of ESSO will work with this configuration.

Q: Do we need to purchase any additional Software or any other licenses?

A: ESSO suite is a separate component in the stack and is licensed per user. The listing of components can be found in the slides.

Q: Please explain more about the cloud capabilities.

A: With the ESSO Anywhere component the client downloads on demand and allows the user to sign on to applications based in the cloud.

Q: Is this compatible with any applications or just Oracle products? Can this be used over Internet? (such as customers accessing hosted applications)

A: ESSO is not exclusive to Oracle products. It is a heterogeneous single sign-on and password management solution. ESSO can be used over the Internet with the ESSO Anywhere component.

Q: How susceptible is ESSO to changes in a logon screen, for example if a web app moves the login on a page but keeps the field names the same?

A: This has little impact on ESSO. As long as the same control IDs are being used, ESSO can pick up the fields regardless of where they sit on the page.

Q: Is there some industry average of self service password resets vs. help desk resetting the users passwords?

A: The typical cost of a password management call to the help desk ranges from $30 to $40 per call. The cost is driven by the wait time and the time it takes the help desk person to actually execute all of the password changes.

Q: In a Java server app providing web services to desktop clients within a corporate network, is there a clear benefit to using a keytab file vs. not using a keytab file if an SPN was set up?

A: This difference in the Kerberos deployment has no impact on ESSO.

Q: I thought SSO is embedded with Oracle 10g or higher versions. Is that correct, or do we need to purchase ESSO?

A: ESSO is a separate component, not embedded in 10g. ESSO needs to be purchased separately.

Q: Is ESSO integrated with OIM and/or OAM within 11g only?

A: ESSO is integrated with OIM and OAM 10g as well. 

Q: If ESSO is deployed, wouldn't OAM be excessive (for internal applications)?

A: No, ESSO and OAM work well together. For client-server and mainframe systems that are not web-based, ESSO serves a critical role and is integrated with OAM for a complete enterprise single sign-on solution.

Q: Which version of RDBMS Server or Fusion Middleware is good for implementing ESSO?

A: ESSO does not require the entire Fusion Middleware stack. It can be deployed alone and supports a number of databases and repositories. See the technical white paper.

Q: What directory services can ESSO connect with? For example Oracle Sun Directory Server, Active Directory, etc.?

A: ESSO supports a variety of directory repositories. See the technical white paper.

Q: Does the system integrate with VMS operating systems?

A: Yes, ESSO supports VAX/VMS hosts.

Q: Would the ESSO system integrate with multi-factor applications? Does it store the information of the user to utilize once they authenticate to ESSO?

A: Yes, ESSO provides the capability to do multi-factor authentication with multiple solutions, including SecurID. ESSO can even work with one-time password generators.

Q: What components of ESSO is HSBC using and what other parts of the IAM Suite are in use? Also, how much staff is assigned to management of ESSO and the large IAM environment?

A: HSBC uses the ESSO Logon Manager. Globally, HSBC has only six people managing ESSO across thousands of users, supporting the entire rollout. After deploying ESSO, HSBC saw a 30% to 50% reduction in calls to the help desk.

Q: Online training?

A: Oracle University provides training. Here is a link to the online class.

Q: How does ESSO work on mobile devices?

A: We are currently working on the ability to support mobile devices, which will be available in the future.

Q: How does the licensing work? Component basis? Suite? What are the minimum components?

A: The ESSO components are available as a suite. See the webcast slides for the components in the suite; the suite is licensed per user.

Q: How does ESSO work with Oracle EBS SSO? Is there any integration between the two? How does having some of the EBS modules available on a DMZ server impact it?

A: Oracle E-Business Suite SSO uses Oracle Access Manager for single sign-on. ESSO integrates with this to provide sign-on between E-Business Suite and other applications. The E-Business Suite components in the DMZ do not impact this.

Q: We want to piggyback on AD security, primarily for password synchronization.

A: This can be done. ESSO does not interfere with AD security or AD password sync.

Q: Can we deploy OAM without ESSO?

A: Yes, OAM does not require ESSO to be installed.

Q: Is it linked to OAM, or can we use a separate DB for ESSO?

A: ESSO is independent of OAM and can use a separate repository.

Q: Can ESSO be managed using Oracle Grid Control?

A: Currently no.

Q: If the password sync failed in the middle, i.e. the LDAP password got changed but not the SAP one, then how do you revert, or what will be the result?

A: ESSO stores the password in the central repository, so it can be changed once SAP is available.

Q: Can we just use Oracle Enterprise User Security for password synchronization with Active Directory?

A: Yes, you can; see the link to the documentation.

Q: We are using IBM’s Maximo application with an Oracle database. We use the BEA WebLogic “middleware” application. Will ESSO allow us to sign on to the network domain and skip the Maximo logon?

A: Not certain. It depends on whether Maximo can trust the network domain sign-on.

Q: Can it also manage users? In other words, if a user is dropped, can they be dropped in all 400+ databases?

A: ESSO can do this; see the documentation for the ESSO Provisioning Gateway.

Monday Oct 17, 2011

Rapid ROI with Oracle Enterprise Single Sign-On Suite

We live in interesting economic times. The housing market has been in a slump for several years now. If you are going to invest in a property today purely for rental purposes, then most likely you will look at how quickly you can break even. I recently read somewhere that the historical price-to-rent ratio for most housing markets in the continental states is around 15. The price-to-rent ratio is the price paid for a property divided by the annual rent on the property. So in other words, it takes about 15 years on a historical average basis to break even on an investment in rental property. That’s a long time I would say, don’t you agree?

However, our Oracle Identity Management solutions are designed to offer extremely quick Return on Investment (ROI) to our customers. Let’s take the example of Oracle Enterprise Single Sign-On (ESSO) Suite Plus. Oracle ESSO overcomes the huge burden of productivity losses and helpdesk costs incurred from forgotten passwords. In addition to that, we offer one more compelling reason for our customers to invest in Oracle ESSO. That is its rapid ROI.

Let’s take the example of an organization with about 7000 users where strong password policies are enforced. In many organizations, users are required to change their application passwords frequently (about once a quarter is not uncommon). An average helpdesk call associated with a password reset can cost $40. If such an organization deploys Oracle ESSO, they can eliminate their password headaches and overcome the productivity losses that forgotten passwords inflict. In addition to all that, Oracle ESSO delivers an ROI of 140% within the first 12 months of deployment. In other words, the organization can recover its investment and save additionally within the first year. And within the first five years, Oracle ESSO can save nearly $5 million in costs. Now that’s a very compelling investment.

You can find the Oracle Enterprise Single Sign-On ROI calculator here.

You can download a copy of the Enterprise Single Sign-On Buyer’s Guide here.

Join us on our live webcast Oct 19th to find out how Oracle ESSO Suite Plus can deliver quick wins for your organization. Register here for this webcast.
