Which Single Sign-On? August 21, 2008
Posted by Manpreet Johal in Identity Management. Tags: Oracle Access Manager, Oracle Enterprise Single Sign-On, Oracle Identity Management, OracleAS SSO
In this post, I discuss the Single Sign-On products currently available from Oracle as part of the Oracle Identity Management (IDM) Suite, plus OracleAS Single Sign-On.
The IDM Suite comprises more than a dozen products for end-to-end lifecycle management of user identities. Two products in the Oracle IDM Suite provide Single Sign-On functionality for web and desktop application resources:
Oracle Access Manager (OAM): This is an identity management solution for web applications (legacy and custom applications) and user identity administration. OAM secures applications by providing centralized authentication, authorization and auditing to enable single sign-on for enterprise web applications. It also provides delegated administration and self-registration options with approval workflows.
OAM can use any LDAP-based directory as its backend repository to store policy, configuration, workflow, user, group and organization data.
OAM supports the following authentication methods:
- Basic Username/Password
- X.509 Certificates
- Smart cards
- Two Factor Tokens
- Form-based
- Custom authentication via Authentication APIs
Oracle Enterprise Single Sign-On Suite: Oracle Enterprise Single Sign-On (eSSO) provides single sign-on functionality for all enterprise applications, i.e. web-based, client-server and legacy applications. Users can use eSSO whether they are connected to the corporate network, traveling, or roaming between workstations. Oracle eSSO uses any LDAP directory or any SQL database as its user profile and credential repository. It accepts primary authentication from Windows logon. It acts as a password manager and provides n-level authentication.
So where does OracleAS Single Sign-On fit into the current identity management solution offering? Or when can’t I use OracleAS Single Sign-On?
OracleAS Single Sign-On is a single sign-on solution available for Oracle Application Server 10g applications e.g. Portal, Discoverer, Forms, Reports etc. It also provides Single Sign-On functionality for Oracle Applications 11i/R12.
OracleAS Single Sign-On (SSO) has a few limitations compared with OAM and eSSO:
- It needs Oracle Internet Directory as its authentication and authorization source, whereas OAM and eSSO can use any LDAP-based directory as a backend repository.
- OracleAS SSO cannot talk directly to any other directory service, e.g. Active Directory or Sun LDAP. To achieve this, Oracle Internet Directory needs to be integrated with the third-party directory service. This means customers end up with one more directory service as part of the solution, even when they don’t need it.
- It has limited auditing capabilities.
- OracleAS SSO provides a Windows Native Authentication (WNA) option for Windows users, which lets users log in seamlessly to OracleAS SSO applications, e.g. Portal, Oracle Applications 11i/R12 etc., once they have successfully logged in to the Windows domain. However, it provides single sign-on only for applications that are integrated with OracleAS SSO, whereas Oracle eSSO provides single sign-on for all web and desktop applications (the majority of them) running on the user’s desktop, with minimal deployment effort.
To summarize, customers should use Oracle Access Manager to provide single sign-on functionality for web applications, and Oracle Enterprise Single Sign-On Suite to provide single sign-on functionality for desktop+web applications.
Stay tuned for more discussion on Oracle Identity and Access Management technologies and deployment scenarios.
Hi,
Thanks for this article. If I have my own J2EE web-based application on my Oracle AS 10gR3, I have to use Enterprise SSO.
Or I have to use some kind of Ora API?
Thanks in advance,
Peter
Hi Peter,
You need to configure your J2EE app to make use of the SSO solution you want to use. The OracleAS 10gR3 document states how to do that – http://download.oracle.com/docs/cd/B25221_04/core.1013/b25209/reconfig.htm#i1013341.
Thanks,
Preet