Tuesday, April 6, 2010

Introduction to Single Sign-On - Reference - "Open Group" - "Oracle ESSO" - PENDING

BASIC CONCEPT- "ESSO"

Enterprise single sign-on (E-SSO) systems are designed to minimize the number of times that a user must type their ID and password to sign into multiple applications. The E-SSO solution automatically logs users in, and acts as a password filler where automatic login is not possible.

Default Sign on in the Windows Interwork

Each enterprise application often has different security requirements and, as a consequence, users in many organizations are forced to remember multiple different passwords for various applications. In many organizations, users are often forced to remember more than six different passwords for various enterprise resources. As a result, there is a need to enable a simple and secure way for enterprise users to access heterogeneous applications (e.g. Microsoft Windows, Java, mainframe applications etc.) by signing on just once to their Windows desktop. This should not only circumvent the need to remember credentials for individual applications but also enhance user productivity by eliminating helpdesk calls associated with forgotten passwords.

The Oracle Enterprise Single Sign-on (Oracle ESSO) Suite facilitates a way for desktop users to access enterprise applications by signing on just once to their desktops using a single set of credentials.


As IT systems proliferate to support business processes, users and system administrators are faced with an increasingly complicated interface to accomplish their job functions. Users typically have to sign-on to multiple systems, necessitating an equivalent number of sign-on dialogues, each of which may involve different usernames and authentication information. System administrators are faced with managing user accounts within each of the multiple systems to be accessed in a co-ordinated manner in order to maintain the integrity of security policy enforcement. This legacy approach to user sign-on to multiple systems is illustrated below:



Historically a distributed system has been assembled from components that act as independent security domains. These components comprise individual platforms with associated operating system and applications.

These components act as independent domains in the sense that an end user has to identify and authenticate himself independently to each of the domains with which he wishes to interact. This scenario is illustrated above. The end user interacts initially with a Primary Domain to establish a session with that primary domain. This is termed the Primary Domain Sign-On in the above diagram and requires the end user to supply a set of user credentials applicable to the primary domain, for example a username and password. The primary domain session is typically represented by an operating system session shell executed on the end user's workstation within an environment representative of the end user (e.g., process attributes, environment variables and home directory). From this primary domain session shell the user is able to invoke the services of the other domains, such as platforms or applications.

To invoke the services of a secondary domain an end user is required to perform a Secondary Domain Sign-On. This requires the end user to supply a further set of user credentials applicable to that secondary domain. An end user has to conduct a separate sign-on dialogue with each secondary domain that the end user needs to use. The secondary domain session is typically represented by an operating system shell or an application shell, again within an environment representative of the end user. From the management perspective the legacy approach requires independent management of each domain and the use of multiple user account management interfaces. Considerations of both usability and security give rise to a need to co-ordinate and, where possible, integrate user sign-on functions and user account management functions for the multitude of different domains now found within an enterprise. A service that provides such co-ordination and integration can provide real cost benefits to an enterprise through:

  • reduction in the time taken by users in sign-on operations to individual domains, including reducing the possibility of such sign-on operations failing;
  • improved security through the reduced need for a user to handle and remember multiple sets of authentication information;
  • reduction in the time taken, and improved response, by system administrators in adding and removing users to the system or modifying their access rights;
  • improved security through the enhanced ability of system administrators to maintain the integrity of user account configuration, including the ability to inhibit or remove an individual user's access to all system resources in a co-ordinated and consistent manner.





Such a service has been termed Single Sign-On after the end-user perception of the impact of this service. However, both the end-user and management aspects of the service are equally important. This approach is illustrated in the diagram above. In the single sign-on approach the system is required to collect from the user, as part of the primary sign-on, all the identification and user credential information necessary to support the authentication of the user to each of the secondary domains that the user may potentially require to interact with. The information supplied by the user is then used by Single Sign-On Services within the primary domain to support the authentication of the end user to each of the secondary domains with which the user actually requests to interact.

The information supplied by the end-user as part of the Primary Domain Sign-On procedure may be used in support of secondary domain sign-on in several ways:

  • Directly: the information supplied by the user is passed to a secondary domain as part of a secondary sign-on.
  • Indirectly: the information supplied by the user is used to retrieve other user identification and user credential information stored within a single sign-on management information base. The retrieved information is then used as the basis for a secondary domain sign-on operation.
  • Immediately: to establish a session with a secondary domain as part of the initial session establishment. This implies that application clients are automatically invoked and communications established at the time of the primary sign-on operation.
  • Temporarily stored or cached: used at the time a request for the secondary domain services is made by the end user.

From a management perspective the single sign-on model provides a single user account management interface through which all the component domains may be managed in a coordinated and synchronised manner.

Significant security aspects of the Single Sign-On model are:

  • the secondary domains have to trust the primary domain to:
      • correctly assert the identity and authentication credentials of the end user,
      • protect the authentication credentials used to verify the end user identity to the secondary domain from unauthorised use;
  • the authentication credentials have to be protected when transferred between the primary and secondary domains against threats arising from interception or eavesdropping leading to possible masquerade attacks.
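An added illustration (not from the Open Group paper or Oracle) of the "indirect" and "cached" cases above, together with the second security aspect: the primary sign-on credential is never forwarded; it unlocks per-domain credentials kept sealed in the management information base, so neither the store's operator nor a tampered or misfiled record can yield a usable secondary credential. The sealing construction (PBKDF2 key derivation, HMAC-SHA256 keystream plus HMAC tag, stdlib only) is an assumption for illustration, not Oracle ESSO's storage format.

```python
import hashlib, hmac, json, os

def derive_key(primary_password: str, salt: bytes) -> bytes:
    # Key derived from the primary credential; the MIB stores only the salt.
    return hashlib.pbkdf2_hmac("sha256", primary_password.encode(), salt, 200_000)

def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate keys for confidentiality and integrity.
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, domain: str, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    # The domain name is bound into the tag: a record sealed for one secondary
    # domain cannot be moved and replayed as the credential for another.
    tag = hmac.new(_subkey(key, b"mac"), domain.encode() + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(key: bytes, domain: str, blob: dict) -> bytes:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(_subkey(key, b"mac"), domain.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong primary credential, or record tampered with or moved")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class CredentialStore:
    """The single sign-on management information base: one sealed record per secondary domain."""
    def __init__(self):
        self.salt = os.urandom(16)
        self.records = {}

def primary_sign_on(store: CredentialStore, primary_password: str) -> bytes:
    """Primary Domain Sign-On: yields a session key; the password itself is not retained."""
    return derive_key(primary_password, store.salt)

def enroll(store: CredentialStore, session_key: bytes, domain: str, username: str, password: str):
    record = json.dumps({"user": username, "pw": password}).encode()
    store.records[domain] = seal(session_key, domain, record)

def secondary_sign_on(store: CredentialStore, session_key: bytes, domain: str) -> dict:
    """Secondary Domain Sign-On, indirect case: the stored credential is retrieved on demand."""
    return json.loads(unseal(session_key, domain, store.records[domain]))
```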

General requirements for E-SSO
  • The solution needs to be highly available.
  • The solution needs to provide interfaces for backup, 24x7 monitoring and operations, etc.
  • The solution needs to be able to scale to many thousands of users accessing enterprise software.
  • The solution should be able to support the company-internal standards defined for efficient operations and integration without problems (e.g., directory server standards, authentication standards, etc.).
  • The solution should be able to easily integrate with related IT solutions, for example existing identity management solutions, security event management solutions, application management solutions, or desktop software distribution solutions.

An Oracle ESSO-enabled application logon includes the following steps:

  • The user requests access to an enterprise application, which can be a Windows®, mainframe, web or Java-based application.
  • The Oracle ESSO Logon Manager Agent intercepts the user request on his desktop.
  • The Oracle ESSO Logon Manager retrieves the user record and then fills in the appropriate credentials for the Oracle ESSO-enabled application. The application-specific username and password are then sent to the application.
  • The user is granted access to the application.

Components of Oracle ESSO

Oracle Enterprise Single Sign-On Anywhere

- Simplifies Oracle Enterprise Single Sign-On deployments to client desktops, thereby facilitating faster deployment, reducing overall deployment costs and automating updates, rollbacks and version control of the client deployment packages;

Oracle Enterprise Single Sign-On Logon Manager

- Strengthen security and improve user productivity by enabling individuals to securely use a single login credential to all web-based, client-server and legacy applications;

Oracle Enterprise Single Sign-On Password Reset

- Reduce helpdesk costs and improve user experience by enabling strong password management for Microsoft Windows through secure, flexible, self-service interfaces;

Oracle Enterprise Single Sign-On Authentication Manager

- Enforce security policies and ensure regulatory compliance by allowing organizations to use a combination of tokens, smart cards, biometrics and passwords for strong authentication throughout the enterprise;

Oracle Enterprise Single Sign-On Provisioning Gateway

- Improve operational efficiencies by enabling organizations to directly distribute single log-in credentials to Oracle Enterprise Single Sign-On Logon Manager based on provisioning instructions from Oracle Identity Manager; and

Oracle Enterprise Single Sign-On Kiosk Manager

- Enhance user productivity and strengthen enterprise security by allowing users to securely access enterprise applications even at multi-user kiosks and distributed workstations.