1 Introduction to Oracle Enterprise Single Sign-On Suite

Oracle Enterprise Single Sign-On Suite is a comprehensive solution for managing enterprise users' password and strong authentication activities for applications that they use for daily productivity, while requiring that they remember only one universal password.

1.1 Suite Components

The suite consists of the following components.

1.1.1 Logon Manager

Logon Manager provides users with one password to log on to every application on both the company network and the Internet. It works "out-of-the-box" (without programming or additional network infrastructure) with virtually any Windows, Web, proprietary, or host-based application, lowering IT and Help Desk costs without the expense and burden of integration.

Logon Manager is intelligent agent software that responds to logon requests on behalf of the user, directly from the desktop. The Agent answers each software application's logon request by supplying the correct credentials (username/ID, password, and any other required fields) directly and automatically. A strong authentication mechanism controls access to the Agent, so that only the designated user can use it.

Kiosk Manager, a feature that is configurable from the Administrative Console, provides a group of settings that deliver a secure, easy to use, and easy to administer solution to address the needs of traditional single sign-on in a kiosk environment. Kiosk Manager has a client-side agent that suspends or closes inactive sessions and seamlessly shuts down all applications. This feature integrates with Logon Manager and Universal Authentication Manager to provide user identification to the kiosk with a Windows password or any supported primary authenticator.

1.1.2 Password Reset

Password Reset enables workstation users to reset their own Windows domain passwords without the intervention of administrative or help-desk personnel. It provides end users with an alternative means of authenticating themselves by taking a quiz comprising a series of passphrase questions.

Each question is weighted with point values. As the end user answers the quiz questions, Password Reset keeps a running score. Points are added to the score for each correct response and deducted for each incorrect response. When the end user accumulates sufficient points to meet a preset "confidence level," Password Reset permits the end user to select a new password. If the end user's score does not achieve the required confidence level after all questions have been presented, or if it falls below a preset negative value, the quiz ends and the end user is not permitted to reset the password.

The reset service is available to each end user upon completion of a one-time Enrollment Interview to record passphrase answers. The Administrative Console provides easy configuration of the Enrollment Interview and Reset Quiz, including question text, point values, and confidence-level limits. The console also lets you generate reports of enrollment and reset activity and status.
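The quiz scoring described above, as an added example in Python that is not part of the Oracle product or of this guide: the question set, point values, confidence level, negative limit, and the salted-digest storage of enrolled answers are all constructed for illustration (this page does not describe how Password Reset stores answers). It runs the quiz for a legitimate user, for a guessing attacker, and for a user with partial recall, and reports how many correct answers a policy needs when nothing is answered wrong.

```python
"""Weighted reset quiz with a confidence level and a negative cutoff (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Question:
    text: str
    points_correct: int    # added to the running score on a correct answer
    points_incorrect: int  # deducted from the running score on a wrong answer


@dataclass(frozen=True)
class QuizResult:
    passed: bool
    score: int
    questions_asked: int
    reason: str


def _normalize(answer: str) -> str:
    # Ignore case and surrounding/duplicate whitespace so spacing typos are not "wrong" answers.
    return " ".join(answer.strip().lower().split())


def _digest(answer: str, salt: bytes) -> bytes:
    # Assumption for this example: answers are stored only as salted PBKDF2 digests, never in clear.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode("utf-8"), salt, 50_000)


def enroll(questions: Sequence[Question], answers: Sequence[str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Enrollment Interview: record a per-answer salt and the digest of each normalized answer."""
    if len(questions) != len(answers):
        raise ValueError("one answer per enrollment question is required")
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for question, answer in zip(questions, answers):
        salt = os.urandom(16)
        store[question.text] = (salt, _digest(answer, salt))
    return store


def run_reset_quiz(questions, enrolled, given, confidence_level, negative_limit) -> QuizResult:
    """Reset Quiz: ask questions in order, keep a running score, stop at either threshold."""
    if confidence_level <= 0 or negative_limit >= 0:
        raise ValueError("confidence level must be positive and the negative limit negative")
    score = asked = 0
    for question, candidate in zip(questions, given):
        asked += 1
        salt, expected = enrolled[question.text]
        if hmac.compare_digest(expected, _digest(candidate, salt)):
            score += question.points_correct
        else:
            score -= question.points_incorrect
        if score >= confidence_level:
            return QuizResult(True, score, asked, "confidence level reached")
        if score < negative_limit:
            return QuizResult(False, score, asked, "score fell below the negative limit")
    return QuizResult(False, score, asked, "all questions asked without reaching the confidence level")


def answers_needed(questions: Sequence[Question], confidence_level: int) -> int:
    """Fewest correct answers (with no wrong ones) that reach the confidence level."""
    total = 0
    for count, points in enumerate(sorted((q.points_correct for q in questions), reverse=True), 1):
        total += points
        if total >= confidence_level:
            return count
    raise ValueError("the confidence level cannot be reached with this question set")


# Constructed sample policy and enrollment (not taken from the product).
QUESTIONS = [
    Question("What was the name of your first school?", 30, 20),
    Question("In what city were you born?", 20, 20),
    Question("What is your mother's maiden name?", 30, 30),
    Question("What was the make of your first car?", 30, 20),
]
CONFIDENCE_LEVEL = 60
NEGATIVE_LIMIT = -30
ENROLLED = enroll(QUESTIONS, ["Lincoln Elementary", "Springfield", "Okafor", "Saab"])

LEGITIMATE = ["lincoln elementary", " Springfield ", "OKAFOR", "saab"]  # all correct, case/spacing differ
ATTACKER = ["Roosevelt", "Denver", "Smith", "Ford"]                       # all wrong
PARTIAL = ["Lincoln Elementary", "Boston", "Okafor", "Honda"]             # two right, two wrong


def scenario(given: Sequence[str]) -> QuizResult:
    return run_reset_quiz(QUESTIONS, ENROLLED, given, CONFIDENCE_LEVEL, NEGATIVE_LIMIT)


if __name__ == "__main__":
    for label, given in [("legitimate user", LEGITIMATE), ("guessing attacker", ATTACKER), ("partial recall", PARTIAL)]:
        r = scenario(given)
        print(f"{label}: passed={r.passed} score={r.score} after {r.questions_asked} question(s): {r.reason}")
    print("correct answers needed with no mistakes:", answers_needed(QUESTIONS, CONFIDENCE_LEVEL))
```

The two thresholds do different jobs: the confidence level bounds how much an attacker gains from the answers they can look up, and the negative limit ends the quiz before a guesser can work through the whole set, so an attacker who gets the first two answers wrong here is stopped at a score of -40 without seeing the remaining questions. Deductions that are too small relative to the confidence level let a guesser keep probing; deductions that are too large lock out legitimate users over one mistyped answer.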

1.1.3 Provisioning Gateway

Provisioning Gateway provides the ability to remotely add, modify, and delete application credentials directly within each user's Logon Manager credential store, eliminating the need for local credential capture and granting the user instant access to the target application. The Provisioning Gateway Management Console is a standalone, browser-based application. See the separate Provisioning Gateway Administrator's Guide for instructions to configure and use this component.

1.1.4 Anywhere

Anywhere provides portable single sign-on (SSO) technology, enabling deployment of Logon Manager and Provisioning Gateway to end users' desktops.

Using the Anywhere Console, the administrator creates a deployment package configured with the Oracle products needed by users of an enterprise, making the package available over a Web server or file share. Users download this deployment package from an HTML interface that is included with the Anywhere package, and which the administrator customizes. Users can then perform installations of the Oracle Enterprise Single Sign-On Suite on their own workstations at the click of a button, with assurance that configurations are correct and ready to run, and without administrator intervention.

1.1.5 Universal Authentication Manager

Universal Authentication Manager enables enterprises to replace native password logon to Microsoft Windows and Active Directory networks with stronger, easier-to-use authentication methods, and strengthens security beyond password authentication by providing two-factor authentication. It lets users rapidly and securely enroll the credentials that will be used to identify and authenticate them. Universal Authentication Manager offers five built-in, configurable authentication methods: smart cards, passive proximity cards, fingerprint and other biometric technologies, challenge questions, and native Windows passwords.

1.1.6 Reporting

The Oracle Enterprise Single Sign-On Suite components include a configurable Reporting tool. This tool integrates with Oracle Business Intelligence Publisher to produce customized reports for virtually any event that occurs in the course of regular business operation.

1.2 Suite Administration

Logon Manager, Password Reset, and Universal Authentication Manager settings are configured through the Administrative Console. Anywhere and Provisioning Gateway have standalone administrative consoles. Each component contains its own Reporting settings.

1.3 Overview of the Administrative Console

The Administrative Console incorporates the administrative functionality for Logon Manager and Password Reset, and enables both Agent/Client-side and server-side configuration of most options, including:

  • Easy creation, management, and deployment of:

    • Application configurations and application configuration lists.

    • Credential sharing groups.

    • Password policies.

    • Bulk-add lists.

    • Agent configuration settings.

    • Customized MSIs.

  • Easy setup and management of synchronizer extensions:

    • LDAP Directory Servers, including Oracle Directory Server Enterprise Edition, Oracle Internet Directory, Oracle Unified Directory, Oracle Virtual Directory, Tivoli Directory Server, Novell eDirectory, OpenLDAP Directory Server, and Siemens DirX.

    • Relational database systems, including Oracle, Microsoft SQL Server, and IBM DB2.

    • Microsoft Active Directory Server systems (including Application Mode).

    • File systems.

  • Easy setup of self-service password reset, including:

    • Configuring service storage.

    • Tracking which users have enrolled and/or attempted to reset their passwords.

    • Creating questions for the Enrollment Interview and assigning their point values for the Reset Quiz.

    • Customizing the user interface for the Enrollment Interview and Reset Quiz.

  • Easy configuration and management of users authenticating in kiosk environments.

  • Easy integration of Reporting with Oracle Business Intelligence Publisher to generate reports for every type of event that might occur in the course of regular business operation.

The Administrative Console eliminates the need to edit configuration files or the registry by hand, and with it the risk of mistyped ("fat-fingered") or invalid parameters.

The Administrative Console functionality is divided into the areas listed below, with their associated topics.

Task | Console Feature | Related Topics
Creating and managing application configurations | Applications | Creating and Using Templates
Troubleshooting templates | Template Test Manager | Testing Templates
Creating and managing password generation policies | Password Generation Policies | Setting Password Policies
Creating and managing passphrase sets | Passphrase Questions | Using Passphrase Sets
Creating and managing credentials | Credential Sharing Groups; Delegated Credentials | Creating Credential Sharing Groups; Delegated Credentials Tab (for a Selected Application)
Creating and managing bulk-add lists | Applications > Bulk-Add tab | Bulk Add Tab (for a Selected Application)
Creating and testing Agent configuration settings | Global Agent Settings; Configuration Test Manager | Configuring the Agent with Global Agent Settings; Using the Configuration Test Manager
Setting up and managing synchronizer extensions | Synchronization | Synchronization
Setting up and managing repositories | Repository | Repositories
Generating MSIs | MSI Generator | MSI Generator
Configuring user authentication in a kiosk environment | Kiosk Manager | Using Kiosk Manager
Creating the Password Reset service | Password Reset | Reset Service
Creating and configuring questions for a user-initiated password reset | Password Reset | Enrollment Interview
Working with the Reset service | Password Reset Service | Configuring Reset Authentication
Configuring a database for Reporting | Oracle Reporting tool | Oracle Database Configuration Overview; Microsoft SQL Server Configuration Overview
Integrating Reporting with Oracle Business Intelligence Publisher to create reports | Oracle Reporting tool | Configuring Oracle Business Intelligence Publisher

1.4 Administrative Console Menu Commands for Logon Manager

The following table describes the commands available on the Administrative Console main menu and the corresponding keyboard and mouse shortcuts.

Administrative Console main menu
Menu | Command | Description | Shortcut
File | New | Start a new configuration. | Ctrl+N
File | Open | Open a saved configuration file. | Ctrl+O
File | Merge | Merge the current configuration (applications, password generation policies, credential sharing groups) with a configuration file. If the merged file contains items with the same names as those in the current configuration, the Import/Merge Conflict dialog opens; select the items to import and click OK. If the imported file contains a set of Global Agent Settings with the same name as an existing set in the current configuration, the imported set is named "Copy of" followed by the existing set's name. | 
File | Save | Save the current configuration to a file (XML). | Ctrl+S
File | Save As | Save a copy of the current configuration to a different file. | 
File | Import | Import configuration from an administrative override object (INI) file or a registration entries (REG) file as a new set of Global Agent Settings. If the imported file contains items (applications, policies, groups) with the same names as those in the current configuration, the Import/Merge Conflict dialog appears. Choose Import from HKLM to import Global Agent Settings from the local-machine registry into the Administrative Console as a set named Live. | Right-click Applications and choose Import, or press Ctrl+I
File | Export | Export selected applications and all password policies and groups to an entlist.ini file, which is a store of application logons. | Right-click Applications and select Export, or press Ctrl+E
File | Exit | Quit the program. | 

Menu | Command | Description | Shortcut
Edit | Delete | Delete the item selected in the left pane. Click Yes to confirm or No to cancel. | Del

Menu | Command | Description | Shortcut
Insert | Application | Add a new application configuration; displays the Add Application dialog. | Right-click Applications and select New Windows App, New Web App, or New Host App.
Insert | UAM Policy | Add a new UAM policy; displays the New UAM Policy dialog. | Right-click Policies and select New Policy.
Insert | Password Generation Policy | Add a new password generation policy; displays the Add Password Policy dialog. | Right-click Password Generation Policy and select New Policy, then enter a Policy Name and click OK.
Insert | Passphrase Questions | Add a new passphrase set; displays the Add Passphrase Set dialog. | Right-click Passphrase Questions and select New Passphrase Set, then enter a Passphrase Set Name and click OK.
Insert | Credential Sharing Group | Add a new credential sharing group; displays the Add Sharing Group dialog. | Right-click Credential Sharing Group and select New Group, then enter a Group Name and click OK.
Insert | Exclusion List | Add a new exclusion list; displays the Add Exclusion List dialog. | Select the Exclusions node in the left pane and click Add at the bottom of the right pane; or right-click the Exclusions node and select New List from the contextual menu; or select the Exclusions node and right-click in the empty space in the right pane. Then enter a name for the list and click OK.


Menu | Command | Description
Repository | Extend Schema | Connect to the synchronization repository and create a new synchronization schema (for LDAP and database sync support). Displays the Connect to Repository dialog.
Repository | Initialize UAM Storage | Create the static repository containers in which Universal Authentication Manager data is stored.
Repository | Use Short Names | Check or uncheck to toggle between short names and full names for the objects shown in the Repository window tree view.
Repository | Show User Credential Containers | Check or uncheck to toggle between displaying and hiding Logon Manager user credential containers in the Repository window tree view.

Menu | Command | Description
Tools | Publish to Repository | Opens the Publish to Repository dialog, from which you can select multiple objects to publish simultaneously.
Tools | Export Apps to Agent | Add the application logons in the current Administrative Console session to the list of pre-configured logons for the locally installed Agent. This option updates the local entlist.ini file and, optionally, the ftulist.ini (first-time use) file.
Tools | Write Global Agent Settings to HKLM | Export Global Agent Settings to the local-machine registry; displays a confirmation message. Settings written under HKLM apply to every user of that machine, and writing them requires local administrator rights.
Tools | Test Global Agent Settings | Launch the Configuration Test Manager to validate that you have configured Global Agent Settings correctly. See Using the Configuration Test Manager for complete procedures.
Tools | Manage Templates | Create, modify, and remove templates for application logons; displays the Manage Templates dialog.
Tools | Update Applications | Update applications based on templates that have been modified since the application's creation; displays the Update Applications dialog.
Tools | Modify Configuration | View or edit the configuration (INI) files for the locally installed Logon Manager Agent. Choose Applist, or open any FTUList, EntList, MfrmList, or other INI file by name.
Tools | Generate Customized MSI | Launch the Oracle MSI Generator, a wizard-style utility that creates a custom .MSI file for mass deployment to Logon Manager end users.

1.5 Administrative Console Menu Commands for Password Reset

The table below describes the menu structure and available commands of the Password Reset node of the Administrative Console.

Note:

In order for your new settings to take effect, you must click the Submit button at the bottom of each settings tab.
Password Reset main menu
Node | Tab | Description
Password Reset | Admin Web Service URL | Connect to the administrative Web service. After you enter a valid URL, the nodes below become available.

Node | Tab | Description
System | Storage | Configure, prioritize, and initialize storage.
System | Reset Service | Monitor and configure reset service accounts.

Node | Tab | Description
Settings | Settings | Configure authentication thresholds, reset lockout, forced enrollment, user e-mails, and the reset experience.
Settings | Password Complexity | Configure length and repetition constraints and the allowed alphabetic, numeric, and special characters.
Settings | Alerts | Configure e-mail settings and alert conditions.
Settings | Logging | Configure syslog enabling and event filters.
Settings | Reporting | Configure reporting settings and database settings.
Settings | Enrollment UI | Configure the look and feel of the Enrollment User Interface: logos, fonts, and background, border, and foreground colors.
Settings | Reset UI | Configure the look and feel of the Reset User Interface: logos, fonts, and background, border, and foreground colors.
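A check of the kind the Password Complexity tab configures, written in Python as an added example that is not product code: the policy fields (minimum and maximum length, longest permitted run of one repeated character, minimum counts per character class, and the set of permitted special characters) are this example's own reading of "length and repetition constraints" and "allowed characters", and the sample passwords are constructed. It reports every violated rule rather than stopping at the first, which is what a user-facing reset page needs.

```python
"""Password complexity check with length, repetition and character-class rules (added example)."""
import string
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ComplexityPolicy:
    min_length: int
    max_length: int
    max_repeat_run: int    # longest run of one character allowed; 2 permits "aa" but not "aaa"
    min_alpha: int         # minimum count of ASCII letters
    min_numeric: int       # minimum count of decimal digits
    min_special: int       # minimum count of characters drawn from allowed_special
    allowed_special: str   # the only non-alphanumeric characters permitted at all


def longest_run(text: str) -> int:
    """Length of the longest run of one repeated character ("aabbbc" -> 3, "" -> 0)."""
    best = run = 0
    previous = None
    for ch in text:
        run = run + 1 if ch == previous else 1
        previous = ch
        best = max(best, run)
    return best


def check_password(candidate: str, policy: ComplexityPolicy) -> List[str]:
    """Return every rule the candidate violates; an empty list means it is acceptable."""
    problems = []
    if not policy.min_length <= len(candidate) <= policy.max_length:
        problems.append(f"length must be between {policy.min_length} and {policy.max_length} characters")
    if longest_run(candidate) > policy.max_repeat_run:
        problems.append(f"no character may repeat more than {policy.max_repeat_run} times in a row")
    permitted = string.ascii_letters + string.digits + policy.allowed_special
    disallowed = sorted({ch for ch in candidate if ch not in permitted})
    if disallowed:
        problems.append("characters not allowed by policy: " + "".join(disallowed))
    alpha = sum(ch in string.ascii_letters for ch in candidate)
    numeric = sum(ch in string.digits for ch in candidate)
    special = sum(ch in policy.allowed_special for ch in candidate)
    if alpha < policy.min_alpha:
        problems.append(f"at least {policy.min_alpha} alphabetic character(s) required")
    if numeric < policy.min_numeric:
        problems.append(f"at least {policy.min_numeric} numeric character(s) required")
    if special < policy.min_special:
        problems.append(f"at least {policy.min_special} special character(s) from {policy.allowed_special!r} required")
    return problems


# Constructed sample policy (not a product default).
POLICY = ComplexityPolicy(min_length=12, max_length=64, max_repeat_run=2,
                          min_alpha=2, min_numeric=1, min_special=1, allowed_special="!@#$%^&*-_")

# Constructed samples with the outcome each is meant to show.
SAMPLES = {
    "Tr0ub4dor&3x!": "acceptable",
    "password": "too short, no digit, no special character",
    "aaa1!BBBBBcccc": "runs of repeated characters",
    "Good-Pass-12 plus space": "space is not a permitted character",
}

if __name__ == "__main__":
    for sample, note in SAMPLES.items():
        result = check_password(sample, POLICY)
        print(f"{sample!r} ({note}): {'OK' if not result else '; '.join(result)}")
```

Counting only ASCII letters and digits, and rejecting anything outside the permitted set, matches the "allowed characters" model of the tab: a character the policy does not list is a violation, not silently ignored, which also keeps the check consistent with whatever downstream system (here, the Windows domain) will accept the new password.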


Node | Tab | Description
Questions | System Questions | Create system questions and specify the languages in which they will appear.
Users | Manage Users | Perform user searches using the criteria you specify on this tab.
Enrollments | Manage Enrollments | Perform enrollment searches based on specified dates; view, export, and delete logs.
Resets | Manage Resets | Perform reset searches based on specified dates; view, export, and delete logs.