Thursday, October 15, 2009

Enterprise Single Sign ON - Introduction

Oracle Enterprise Single Sign-On Suite Plus

Enterprise users can enjoy the benefits of single sign-on to all of their applications, whether they are connected to the corporate network, traveling away from the office, roaming between computers or working at a shared workstation.

Administrators have the flexibility of easily deploying Oracle Enterprise Single Sign-On into their existing infrastructure without change - no integration or large deployment effort. Oracle Enterprise Single Sign-On is architected to use any LDAP directory, Active Directory or any SQL database server as its user profile and credential repository. Enterprise Single Sign-On can accept primary authentication directly from the Windows logon, it also works with most industry-leading smart cards, biometrics or token solutions. Confidently delivering stronger password authentication or advanced authentication is simple with Oracle Enterprise Single Sign-On.

With the introduction of the Oracle Enterprise Single Sign-On Anywhere product, Single Sign-On access to all enterprise applications will be available to the extended enterprise: employees, remote users such as partners, and other non-employees such as suppliers, contractors, outsourcers, resellers and distributors. Oracle ESSO supports all user work modes: Connected, Disconnected, Stand-Alone, Roaming, Mobile and Kiosk.

Oracle Enterprise Single Sign-On Suite is comprised of five components that improve authentication capabilities and deliver efficient access and self-service capabilities for Web and non Web-based applications. These include:

Oracle Enterprise Single Sign-On Anywhere -

Simplifies Oracle Enterprise Single Sign-On deployments to client desktops, thereby facilitating faster deployment, reducing overall deployment costs and automating updates, rollbacks and version control of the client deployment packages;

Helps increase security and decrease complexity by enabling individuals to securely use the same username and password for their Web-based and legacy applications;

Oracle Enterprise Single Sign-On Logon Manager -

Strengthen security and improve user productivity by enabling individuals to securely use a single login credential to all web-based, client-server and legacy applications;

Oracle Enterprise Single Sign-On Password Reset -

Reduce helpdesk costs and improve user experience by enabling strong password management for Microsoft Windows through secure, flexible, self-service interfaces;

Can reduce costs by providing organizations the ability to set flexible, custom policies for users to recover lost or forgotten desktop passwords through secure, self-service interfaces;

Oracle Enterprise Single Sign-On Authentication Manager -

Enforce security policies and ensure regulatory compliance by allowing organizations to use a combination of tokens, smart cards, biometrics and passwords for strong authentication throughout the enterprise;

strengthens security and helps streamline compliance by allowing organizations to use a combination of tokens, smart cards, biometrics and passwords to control access to their applications throughout the enterprise;

Oracle Enterprise Single Sign-On Provisioning Gateway -

Improve operational efficiencies by enabling organizations to directly distribute single log-in credentials to Oracle Enterprise Single Sign-On Logon Manager based on provisioning instructions from Oracle Identity Manager;

Helps streamline the user provisioning process by allowing organizations to automatically provision diverse accounts through a single identity administration process and

Oracle Enterprise Single Sign-On Kiosk Manager -

Enhance user productivity and strengthen enterprise security by allowing users to securely access enterprise applications even at multi-user kiosks and distributed workstations.

Oracle Enterprise Single Sign-On Suite Delivers Extended Capabilities

Certified with Oracle’s family of identity and access management products, Oracle Enterprise Single Sign-On Suite delivers enterprise single sign-on for Oracle and non-Oracle systems.

Additionally, with the Suite, Oracle customers -- with a single sign-on -- can now access Oracle Web and non Web-based software such as Oracle Database, Oracle Forms, Oracle Discoverer, Oracle E-Business Suite, Oracle PeopleSoft applications and Oracle Siebel applications.

Enterprises these days generally have Microsoft Windows® desktop users accessing diverse enterprise applications on a daily basis. Each enterprise application often has different security requirements and, as a consequence, users in many organizations are forced to remember multiple different passwords for various applications. In many organizations, users are often forced to remember more than six different passwords for various enterprise resources. As a result, there is a need to enable a simple and secure way for enterprise users to access heterogeneous applications (e.g., Microsoft Windows, Java and mainframe applications) by signing on just once to their Windows desktop. This should not only circumvent the need to remember credentials for individual applications but also enhance user productivity by eliminating helpdesk calls associated with forgotten passwords.

The Oracle Enterprise Single Sign-on (Oracle ESSO) Suite facilitates a way for desktop users to access enterprise applications by signing on just once to their desktops using a single set of credentials.

Enterprise users have a constant need to access various enterprise applications, irrespective of whether they are connected to the corporate network, traveling away from the office, roaming between computers or working at a shared workstation. Oracle ESSO lets users access enterprise applications using a single password for any password protected application on the desktop, network or Internet.

The basic steps during an Oracle ESSO enabled application logon include:

The user requests access to an enterprise application, which can be a Windows®, mainframe, web or Java-based application. The Oracle ESSO Logon Manager Agent intercepts the user request on the desktop.

The Oracle ESSO Logon Manager retrieves the user record and then fills in the appropriate credentials for the Oracle ESSO enabled application. The application-specific username and password are then sent to the application.

The user is granted access to the application.

The Oracle ESSO Suite supports an extensive list of directories and databases as a central repository for user credentials, application logon templates, password policies and client settings.
ARCHITECTURE:

Oracle ESSO consists of the following components. The ESSO-LM agent and the ESSO-LM Admin Console form the base components; all the other components are offered as add-on modules. ESSO-LM is the primary component for detecting requests for credentials, analyzing the necessary response, responding reliably, logging events and administering settings.
Oracle ESSO Logon Manager (ESSO-LM)
Oracle ESSO Password Reset (ESSO-PR)
Oracle ESSO Kiosk Manager (ESSO-KM)
Oracle ESSO Authentication Manager (ESSO-AM)
Oracle ESSO Provisioning Gateway (ESSO-PG)


Oracle ESSO Logon Manager (ESSO-LM)

Provides interfaces to network and computer logons as well as sign-on to applications, enabling users to log in one time with a single password. Once users are logged in, whatever application they open is served the correct ID and password transparently and automatically. This eliminates the need for users to remember and manage multiple user names and passwords for their applications, while allowing administrators to centrally manage passwords.

The Oracle ESSO Logon Manager Admin Console interacts with the Logon Manager and facilitates management and administration of ESSO attributes.

Oracle ESSO Password Reset (ESSO-PR)

Provides a recovery mechanism for users who forget their desktop passwords. If users forget their Windows password, then ESSO-PR enables them to regain access to their computer and the corporate network. This allows users to reset their password directly from the Windows logon prompt of their locked-out workstation, so that they can get to their applications within seconds - without having to call the help desk or go to another workstation.

Oracle ESSO Kiosk Manager (ESSO-KM)

Provides initial user authentication and automatic user sign-off to kiosk environments, enabling secure kiosk computing at any location within the enterprise. The system monitors and protects unattended kiosk sessions from unauthorized access. Inactive sessions are protected by a secure screen saver, which permits the next user to sign on to a new session while safely terminating the prior session.

Oracle ESSO Authentication Manager (ESSO-AM)

Allows organizations to use any combination of tokens, smart cards, biometrics and passwords to control user access to their applications; making it easier to implement advanced authentication strategies. The software integrates seamlessly, providing granular control over the level of authentication required to access specific applications.

Oracle ESSO Provisioning Gateway (ESSO-PG)

Allows system administrators to directly distribute user credentials, usernames and passwords to Oracle ESSO. The administrator can add credentials for new applications and new users as well as modify or delete old credentials in Oracle ESSO. The Provisioning Gateway is also the interface used to integrate with Oracle Identity Manager (OIM), which enables provisioning of users to all enterprise applications and to Oracle ESSO itself.

STORAGE AND SYNCHRONIZATION OF USER CREDENTIALS

Oracle ESSO stores user credentials locally in the encrypted Local Credential Storage. No unencrypted credentials are stored on disk or in memory. Oracle ESSO stores the local, secure credential file in a specific directory within the application data directory of the user profile. This file can be secured from other users by properly configuring Windows security on NTFS partitions. This also means that if Windows “Roaming Profiles” are enabled, users can log on to Windows from any computer within a domain and their credential file will be available to them.

The benefits of local user credential storage are:

• Encrypted storage for security.
• Credentials are secured because they are never exposed in memory.
• Local storage delivers faster access than server-based systems.
• Users can log on from any computer within a domain if Windows “Roaming Profiles” are enabled.
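The text above relies on NTFS permissions to keep the local credential file away from other accounts. As an added example (not part of the original post and not Oracle's code), the PowerShell check below audits whether a credential directory's ACL is restricted to the profile owner, SYSTEM and Administrators; the directory path is a placeholder assumption, not the path ESSO-LM actually uses.

```powershell
# Added example, not Oracle's code. Audits the NTFS ACL on the directory that
# holds the ESSO local credential file. The path is a placeholder assumption:
# substitute the directory ESSO-LM uses in your deployment.
param(
    [string]$CredentialDir = (Join-Path $env:APPDATA 'PLACEHOLDER-ESSO-CredentialDir')
)

# Principals that may legitimately hold an Allow ACE on the credential directory.
$owner = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$allowedSids = @(
    $owner,          # the profile owner
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

function Test-CredentialDirAcl {
    param([string]$Path)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return @("Directory not found: $Path")
    }
    $acl = Get-Acl -LiteralPath $Path

    # Inherited ACEs from the profile root (for example a broad Users entry) are
    # the usual reason a per-user credential file becomes readable by others.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'ACL inherits from parent; disable inheritance on this directory.'
    }
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and $allowedSids -notcontains $sid) {
            $findings += "Unexpected Allow ACE: $($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }
    return $findings
}

$result = Test-CredentialDirAcl -Path $CredentialDir
if ($result.Count -eq 0) {
    Write-Output "OK: $CredentialDir is restricted to the profile owner, SYSTEM and Administrators."
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it in the context of the user whose profile holds the credential file, since the "profile owner" SID is taken from the current logon.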


Synchronization of Credentials:

While Oracle ESSO stores user credentials locally, it can synchronize the credentials and settings with remote network shares, directories, devices and so on. Synchronizing user credentials to a directory service or network drive enables mobility, eases deployment, simplifies administration and increases security (for example, on public workstations).

Oracle ESSO supports multiple directory services including Oracle Internet Directory, Sun Directory Server, Novell NDS, and Microsoft Active Directory Server out-of-the-box to store users’ ESSO credentials.

The Benefits of synchronization for user credentials are:

• Ensures that the latest set of user credentials for each application is available from all locations at all times.
• Automatic backup of user credentials.
• Availability of user credentials from multiple computers without requiring a new infrastructure.

ADMINISTRATION AND MANAGEMENT

Oracle ESSO has a GUI-based Administrative Console that provides:

Directory configuration and administration
Management of individual users or users by role and group
Application configuration and policy control
User configuration and policy control
All of Oracle ESSO settings including password policies, system rules, UI functionality, re-authentication parameters, etc.

HEALTHCARE USE CASE FOR ESSO

Doctors often work at multiple hospitals – resulting in multiple passwords per location
Doctors often have limited time to access information to respond in an emergency to provide the best care possible
Doctors require access from anytime and anywhere, including Kiosks/Nurses Station, Private Office or another hospital
Doctors demand fast, convenient and simple access to information
Doctors may refer patients to another hospital that’s more efficient
HIPAA - Poor password/security practices and high Help Desk calls and costs


How Oracle ESSO can help Healthcare Organizations

Oracle ESSO would be installed on the hospital desktop and the doctor or health worker issued with a smartcard that can securely authenticate them to their computer or kiosk of choice.

Insert the smartcard into the associated reader and enter the PIN to log on
The access policy can be set to require stronger authentication (such as a password) for users after which a user-specific Oracle ESSO session is enabled
Oracle ESSO then provides single sign-on to the healthcare applications depending on the associated user access policy


ESSO Benefits for Healthcare
Deploying Oracle ESSO in healthcare helps doctors and healthcare providers to overcome sign-on challenges and provides the following benefits:

• Provides converged access. Doctors can use a single card for both physical and logical access
• Provides Physicians fast, easy and convenient access to desktops, healthcare resources and applications
• Offers user identification, authentication and session management by leveraging an authentication card and PIN, with no passwords to remember
• Provides a secure way to access applications from shared workstations minimizing infrastructure cost
• Facilitates access from anywhere. For example, home office, private office, or other hospitals
• Increases productivity
• Reduces Help Desk calls and user frustration
• Helps address HIPAA concerns


ESSO accelerates cost savings by virtually eliminating password-related Help Desk calls

• An average enterprise spends about $25 on a help desk call, and 40% to 60% of calls to Help Desk are password-related.
• ESSO also eliminates the need for enterprise users to remember multiple passwords.

ESSO helps address audit problems within an enterprise by facilitating these auditing capabilities:

Application access review by user
User account reconciliation
Cross-application access removal
Ability to enforce stronger password policy
Robust, repeatable process enforcement

ESSO improves user productivity and satisfaction through intuitive self-service password reset.