Delivering Oracle Success
Identity Management and Single Sign-On
Al Lopez
RMOUG Training Days, February 2012
© DBAK 2012 2
About DBAK
• Oracle Solution Provider and License Reseller
• Core Technology and EBS Applications
• Colorado Owned and Operated
• Average 15 Years of Oracle Expertise
• “Top 250 Private Companies, 2011” – CoBIZ Magazine
• “Emerging Business of the Year, 2008” – South Metro Denver Chamber of Commerce
• 100+ Clients
• 170+ Implementations, Upgrades, Conversions, Support Projects
• Oracle Gold Partner
• OEM “Specialized”
Agenda
Introductions
Defining what Single Sign-On is and what it is not
• Asking audience what they understand as SSO
• The Perfect SSO
• Oracle Enterprise Single Sign-On Plus (ESSO+)
ESSO+ Overview
Use Case – Software company SSO implementation
Questions
Background
Desire to improve end user application experience
• Many applications
  – Different logins
  – Many passwords
  – Prompting for login
  – Different password rules
Desire to improve application security processes
• Password Reset process
• Password consistency
• Security
• Standards based
Oracle Enterprise Single Sign-On Overview
Business Drivers
Oracle ESSO Value Proposition
Business Drivers - Security
Bad password management reduces security
• Weak passwords are easy to guess or hack
• Strong passwords get written down and are vulnerable
• Password synchronization results in “Keys to the Kingdom”
Benefits
• Enforces strongest password policies for all applications
• Adheres to password change schedules
Business Drivers - ROI
Employees lose productivity managing passwords
• Complex userids and passwords are hard to remember
• Employees get locked out of applications, resulting in helpdesk calls
Benefits
• Reduce help call volume by 80%
  – Provide self-service password reset for the Windows password
  – Manage application passwords for all other passwords
• Provide instant, hassle-free access to applications for users
Business Drivers - Compliance
Assure GRC policies are met (compliance)
• HIPAA 164, PCI, SOX 404, HSPD-12
• All compliance initiatives are driven around
  – Assuring only the appropriate people have access to applications
  – Auditing when and by whom that application was accessed
Costs
• Fines
• Civil litigation
• Loss of business/contracts (due to lack of compliance)
What Customers Have Told Us About Enterprise Single Sign-On
Our users have too many UserIDs and Passwords
• Reduces employee productivity
• Hassle factor when forgotten (call helpdesk)
Poor password management creates security risks
• Sticky note factor – passwords written down in “secure places”
• Password synchronization reduces security
• Need strong passwords to adhere to GRC
Achieving enterprise SSO is hard
• Integrate with the user workflow for seamless instant access
• Must handle all applications and use cases
• Bonus if it integrates strong authentication for application access
Why customers choose Oracle ESSO
Increases Security
• Enforces complex password rules for all applications
• Extends strong authentication to application access
Proven Solution
• Two-tier architecture scales to meet the largest enterprises
• Track record of enabling all applications in an organization
Reduces Costs
• Eliminates password reset helpdesk calls
Increases User Productivity
• Automatic sign-in to applications
• No downtime while waiting for the password reset process
Oracle Enterprise Single Sign-On is a mature, proven solution that increases security, reduces costs and increases user productivity
Enterprise Access Challenges
(Figure: access lifecycle with three stages, Provisioning, Authentication and Sign-on)
• Users have too many passwords
• Need fast access to shared workstations
• Need access from anywhere
• Hard to know who has access to what
• Secure delivery of application credentials to end users
• Users forget MS Windows passwords
• Strong authentication is too complex and expensive to deploy
Oracle ESSO Suite Plus Solves Enterprise Access Challenges
(Figure: the same Provisioning, Authentication and Sign-On lifecycle, with the suite components mapped onto it)
• ESSO Authentication Manager
• ESSO Provisioning Gateway
• ESSO Logon Manager
• ESSO Password Reset
• ESSO Kiosk Manager
• ESSO Anywhere
• ESSO Universal Authentication Manager
ESSO Logon Manager
ESSO to Every Application
ESSO with Strong Authentication (screenshot: Hospital ID badge, Dr.Smith, 18273849)
ESSO Password Reset
ESSO Universal Authentication Manager
ESSO Kiosk Manager
ESSO Provisioning Gateway
ESSO Anywhere
ESSO from Anywhere (diagram: access over the Internet)
Account Reconciliation with ESSO LM
ESSO Application Auditing
Application   Id      User         Event  Date        Time
SAP Americas  GraceA  Grace Adams  Logon  11/15/2007  8:53am
SAP Americas  GraceA  Grace Adams  Logon  11/16/2007  8:28am
SAP Americas  GraceA  Grace Adams  Logon  11/17/2007  8:32am
SAP Americas  GraceA  Grace Adams  Logon  11/18/2007  8:50am
SAP Americas  GraceA  Grace Adams  Logon  11/19/2007  7:45am
SAP Americas  JohnJ   John James   Logon  11/22/2007  9:22am
SAP Americas  JohnJ   John James   Logon  11/23/2007  9:16am
SAP Americas  JohnJ   John James   Logon  11/24/2007  9:07am
SAP Americas  JohnJ   John James   Logon  11/25/2007  9:26am
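The compliance slide earlier asks for two things from this kind of audit trail: knowing who has access to what, and knowing when and by whom an application was accessed. The script below is an added example, not code from the deck or from Oracle ESSO; it assumes the audit records are exported as tab-separated text with the columns shown on the slide (ESSO's real export format is not given here), and the working window used to flag logons is a placeholder policy. The sample rows are the nine from the slide.

```python
"""Turn an ESSO application audit export into the two things the compliance
bullets ask for: who accessed which application, and when, with logons
outside the expected working window flagged for review."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: the nine rows shown on the slide, laid out as
# tab-separated text. The deck does not specify ESSO's export format;
# this layout is an assumption made for the example.
SAMPLE_AUDIT = """\
Application\tId\tUser\tEvent\tDate\tTime
SAP Americas\tGraceA\tGrace Adams\tLogon\t11/15/2007\t8:53am
SAP Americas\tGraceA\tGrace Adams\tLogon\t11/16/2007\t8:28am
SAP Americas\tGraceA\tGrace Adams\tLogon\t11/17/2007\t8:32am
SAP Americas\tGraceA\tGrace Adams\tLogon\t11/18/2007\t8:50am
SAP Americas\tGraceA\tGrace Adams\tLogon\t11/19/2007\t7:45am
SAP Americas\tJohnJ\tJohn James\tLogon\t11/22/2007\t9:22am
SAP Americas\tJohnJ\tJohn James\tLogon\t11/23/2007\t9:16am
SAP Americas\tJohnJ\tJohn James\tLogon\t11/24/2007\t9:07am
SAP Americas\tJohnJ\tJohn James\tLogon\t11/25/2007\t9:26am
"""


def parse_audit(text):
    """Parse the export into a list of dicts; 'when' is a datetime built from Date + Time."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != len(header):
            # A short or over-long row means the export is damaged; do not guess.
            raise ValueError(f"malformed audit row: {line!r}")
        row = dict(zip(header, fields))
        row["when"] = datetime.strptime(
            f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M%p"
        )
        records.append(row)
    return records


def access_by_user(records):
    """Map user Id -> application -> number of Logon events (the 'who has access to what' view)."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["Event"] == "Logon":
            summary[r["Id"]][r["Application"]] += 1
    return {user: dict(apps) for user, apps in summary.items()}


def off_hours_logons(records, work_start=7, work_end=19, workdays=range(0, 5)):
    """Return Logon events on a non-working day or outside [work_start, work_end) hours.

    The window is a placeholder policy for the example (Mon-Fri, 07:00-19:00);
    replace it with the organisation's own."""
    flagged = []
    for r in records:
        if r["Event"] != "Logon":
            continue
        when = r["when"]
        if when.weekday() not in workdays or not (work_start <= when.hour < work_end):
            flagged.append(r)
    return flagged


def report(records):
    """Render a compact text report: per-user access counts, then flagged logons."""
    lines = ["Access by user:"]
    for user, apps in sorted(access_by_user(records).items()):
        for app, n in sorted(apps.items()):
            lines.append(f"  {user:<8} {app:<14} {n} logons")
    lines.append("Logons outside the working window:")
    for r in off_hours_logons(records):
        lines.append(f"  {r['Id']:<8} {r['Application']:<14} {r['when']:%a %Y-%m-%d %H:%M}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_audit(SAMPLE_AUDIT)))
```

Run stand-alone it prints the per-user counts (GraceA 5, JohnJ 4, all SAP Americas) and flags the four weekend logons: 11/17 and 11/18/2007 fall on a Saturday and Sunday, as do 11/24 and 11/25. All times on the slide are within the placeholder 07:00 to 19:00 window, so only the weekday check fires; a row that did not fit the six-column layout would raise rather than be silently skipped, which is the behaviour wanted when the report feeds an audit.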
Sample Report (Oracle material, Copyright © 2006, Oracle)
ESSO Suite Plus Architecture
What’s new in 11.1.1.5.0 – Key Features
Silent Credential Capture
• Eliminates pop-up boxes for capturing end user application credentials
• Configurable to not allow users to opt out of Logon Manager
• Less confusing to end users, as they don’t do anything different
Admin Console Enhancements
• Automated application template creation that significantly reduces the steps needed to enable applications
• Ability to test configuration settings prior to deploying them
• Create custom MSIs for deployment in the admin console
Ability to use SendKeys for Web Applications
Addition of OID & OVD for storage of all components
What’s new in 11.1.1.5.0 – detailed view
Logon Manager Features
• Administrative Improvements
  – Simplified Template Creation
  – Template Test Facility
  – Reorganized Global Agent Settings
  – Configuration Wizard for Synchronizers
  – Application Username Exclusions
  – Support for SID Changes in Secondary Auth
• Application Response Improvements
  – Field-Based Sharing for Credential Sharing Groups
  – Fall Back to SendKeys when Control IDs aren't Available
  – Ability to Inject Credentials Multiple Times on the Same Form
  – Form Awareness of Logon Loop Grace Period
  – Form-Based Settings for Auto-Submit and Auto-Recognize
  – New Form Types for Logon Success and Failure Screens
  – Silent Credential Capture for Windows, Java, and Web Applications
• Application Enablement Improvements
  – SendKeys for Web Applications
  – Support for Windows 7 Security dialogues
  – Window Title Matching for Mainframe Applications
  – Improved Support for PuTTY
Universal Authentication Manager
• Strong Network Authentication
  – Fingerprints
  – Smart Cards
  – Proximity Cards
• In-the-flow user enrollment with grace period
• Client utility to manage user credentials
• No Strong Authentication Server to manage
• Machine and User Policies
  – Allowed Authentication Methods
  – Enrollment Policies: Mandatory, Optional, Grace period
• Available in offline mode
Password Reset
• Section 508 compliance updates on enrollment wizard
• Support for credential storage in OID
Oracle ESSO Suite Plus Roadmap Timelines
H1 CY2011 – 100 Day (11gR1)
• ESSO - LM: Admin Console Improvements, Improved Application Enablement, Simplified Credential Capture
• ESSO - UAM: Biometrics Authentication, Policy Improvements
H2 CY2011 – 11gR1 PS2
• ESSO Suite Plus: Client Language update, Improved Application enablement, Improved Agent Diagnostics, KM Windows 7 Support, UAM Windows 7 Support, UAM Roaming Support
CY2012 – 12c
• ESSO Suite Plus: Identity Suite Integration, Unified Admin Console, Universal Provisioning Connector
Use Case – Software company SSO
Fortune 500 – one of the 3 top gaming software companies in the world
Challenges
• 9000+ EBS users/employees
• Multiple manufacturing, development and distribution divisions
• Continuously buying new businesses
• Multinational access to IT systems
• Multiple Microsoft AD domains
• Multiple HR systems
• Performance – during the medical and insurance benefit enrollment cycle, all 9000+ users connect during a 4-hour period
• Desire to eliminate two legacy identity management systems (Novell)
• Desire to federate all 9000+ users, who were distributed among 12 different business groups
• Desire to use Oracle HR as user master for all 9000+ employees
• Short project timeline
  – The decision to implement SSO for EBS users was made during the later stages of an Oracle EBS implementation (CRP3)
  – The federation of users implied using a new identity management system
Solution
• Oracle Access Manager (OAM)
  – IIS integration with Microsoft’s AD domains
  – Integration with EBS
  – Authentication via Kerberos token
  – EBS interface for user creation and management
• Microsoft’s Forefront Identity Management (FIM)
  – Although Oracle Identity Management (OIM) was a better fit, FIM was used as it required a shorter implementation timeline
  – A couple of the client’s employees were very familiar with FIM, which also influenced the decision to use FIM
  – Used to federate users from 12 dissimilar systems; also used as the user creation mechanism together with OAM and SOA
• Oracle Service Oriented Architecture (SOA)
  – Two BPEL processes were used as two-way interfaces to extract/import data to and from Oracle HR and FIM
• Microsoft’s AD and Oracle OID (sync)
  – User and password master repositories
Solution Overview: ESSO Suite Plus
(diagram: components labelled EBS and AS6)
Oracle Access Manager (OAM)
Questions
Contact
Al Lopez, 720.475-8600
Presentation available at: www.dbaknow.com/downloads
www.dbaknow.com