3 Enterprise Single Sign-On

Oracle Enterprise Single Sign-On Suite Plus provides users with unified sign-on and authentication across all their enterprise resources. Unlike Oracle Access Manager which focuses on web access management, Oracle Enterprise Single Sign-On Suite Plus also covers desktops, client-server, custom, and host-based mainframe applications.

Even if users travel or share workstations, they can enjoy the flexibility of a single log-on, eliminating the need for multiple user names and passwords and helping enforce strong password and authentication policies.

This chapter contains topics related to enterprise single sign-on:

See Also:

For the latest information about the suite, see Oracle Enterprise Single Sign-on Suite Plus Release Notes (Release 11.1.1.5.0).

3.1 Enterprise Single Sign-On Logon Manager

Oracle Enterprise Single Sign-On Suite Logon Manager (ESSO-LM) provides interfaces to network and computer logons as well as sign-on to applications, enabling users to log in one time with a single password. ESSO-LM handles storage and retrieval of credentials and settings from an external repository such as an LDAP or RDBMS store.

The ESSO-LM administration console interacts with the Logon Manager and facilitates management and administration of ESSO attributes. For details, see the ESSO-LMGlobal Agent Settings Reference Guide.

3.2 Enterprise Single Sign-On Synchronization

ESSO Synchronization is a component of Oracle Enterprise Single Sign-On Suite Logon Manager (ESSO-LM). This feature lets you synchronize credentials between an end user's local store (on a workstation) and a store in a remote SSO repository (file system share, relational database, or directory server). You configure synchronization through the ESSO-LM administration console.

Table 3-1 shows the supported integrations:

Table 3-1 Oracle ESSO Synchronization Manager Integrations

ESSO Synchronization Manager Integrated with Additional Information

Microsoft Active Directory

https://download.oracle.com/docs/cd/E15624_01/logon.11111/SSOAdmin.chm

Microsoft Active Directory Application Mode (ADAM)

https://download.oracle.com/docs/cd/E15624_01/logon.11111/SSOAdmin.chm

LDAP

https://download.oracle.com/docs/cd/E15624_01/logon.11111/SSOAdmin.chm

Database

https://download.oracle.com/docs/cd/E15624_01/logon.11111/SSOAdmin.chm

3.3 Enterprise Single Sign-On Provisioning Gateway

Oracle Enterprise Single Sign-On Suite Provisioning Gateway (ESSO-PG) enables system administrators to directly distribute, reset, remove, or delete user credentials in ESSO-LM without the need for any user involvement.

Here are some examples:

  • An administrator can inject a new user's credentials directly into the user's ESSO-LM account.

  • The administrator can update ESSO-LM simultaneously to reset a password and prevent an application from falling out of synchronization with ESSO-LM.

  • When a user's access to an application is terminated, the administrator can use ESSO-PG to quickly remove the corresponding credentials from the user's ESSO-LM account.

  • When a user leaves the company, the administrator can instantly delete all the user's credentials.

All these operations can be automatically initiated and controlled by industry-leading provisioning systems. ESSO-PG provides an open interface to integrate with other industry-standard or internally-developed provisioning systems, and also provides an interactive interface for administrators to manually provision credentials.

Table 3-2 shows the supported integrations:

Table 3-2 Oracle Enterprise Single Sign-On Suite Provisioning Gateway Integrations

ESSO-PG Integrated with Additional Information

Oracle Identity Manager

https://download.oracle.com/docs/cd/E12472_01/provisioning_gateway/PGWOC.pdf

Oracle Waveset

https://download.oracle.com/docs/cd/E12472_01/provisioning_gateway/EPGSC.pdf

IBM Tivoli Identity Manager

https://download.oracle.com/docs/cd/E12472_01/provisioning_gateway/EPGSC.pdf

Novell Identity Manager

https://download.oracle.com/docs/cd/E15624_01/provisioning.11111/NIMIG.pdf

3.4 Enterprise Single Sign-On Authentication Manager

Oracle Enterprise Single Sign-On Suite Authentication Manager (ESSO-AM), an add-on module to Oracle Enterprise Single Sign-on Logon Manager (ESSO-LM), enables an organization to seamlessly provide a strong authentication bridge to all its applications, including smart cards and Entrust authenticators.

Users can employ different authenticators at different times, and application access can be controlled based upon the authenticator used for all authentication events: initial authentication, re-authentication, and forced authentication.

Table 3-3 shows the supported integrations:

Table 3-3 Oracle Enterprise Single Sign-On Suite Authentication Manager Integrations

ESSO-AM Integrated with Additional Information

Entrust

https://download.oracle.com/docs/cd/E15624_01/authentication.11111/ESAIG.pdf

LDAP

https://download.oracle.com/docs/cd/E12472_01/authentication_manager/ESAIG.pdf

Microsoft Windows

https://download.oracle.com/docs/cd/E12472_01/authentication_manager/ESAIG.pdf

Proximity cards

https://download.oracle.com/docs/cd/E12472_01/authentication_manager/ESAIG.pdf

smart cards

https://download.oracle.com/docs/cd/E12472_01/authentication_manager/ESAIG.pdf

RSA SecurID

https://download.oracle.com/docs/cd/E12472_01/authentication_manager/ESAIG.pdf

3.5 Enterprise Single Sign-On Universal Authentication Manager

Universal Authentication Manager (ESSO-UAM) is a new component of Oracle Enterprise Single Sign-on Suite Plus Release 11.1.1.5.0. ESSO-UAM enables enterprises to implement stronger and easier-to-use authentication methods, including two-factor authentication methods.

ESSO-UAM supports integrations in these areas:

  • Microsoft Windows and Active Directory networks

  • smart cards for logon and authentication

  • proximity cards that a card reader can detect

  • biometric technologies compatible with the BioAPI standard.

For details, see Oracle Enterprise Single Sign-on Suite Plus Release Notes (Release 11.1.1.5.0).