Oracle Enterprise Single Sign-On Suite is a comprehensive solution for managing enterprise users' password and strong authentication activities for applications that they use for daily productivity, while requiring that they remember only one universal password.
The suite consists of the following components.
Logon Manager provides users with one password to log on to every application on both the company network and the Internet. It works "out-of-the-box" (without programming or additional network infrastructure) with virtually any Windows, Web, proprietary, or host-based application, lowering IT and Help Desk costs without the expense and burden of integration.
Logon Manager is intelligent agent software that works by responding to logon requests on behalf of the user, directly from the desktop. The Agent responds to each software application's logon request by providing the correct credentials (that is, username/ID, password, and other fields) directly and automatically. A strong authentication mechanism controls access to the Agent, ensuring access by only the designated user.
Kiosk Manager, a feature that is configurable from the Administrative Console, provides a group of settings that deliver a secure, easy to use, and easy to administer solution to address the needs of traditional single sign-on in a kiosk environment. Kiosk Manager has a client-side agent that suspends or closes inactive sessions and seamlessly shuts down all applications. This feature integrates with Logon Manager and Universal Authentication Manager to provide user identification to the kiosk with a Windows password or any supported primary authenticator.
Password Reset enables workstation users to reset their own Windows domain passwords without the intervention of administrative or help-desk personnel. It provides end users with an alternative means of authenticating themselves by taking a quiz comprising a series of passphrase questions.
Each question is weighted with point values. As the end user answers the quiz questions, Password Reset keeps a running score. Points are added to the score for each correct response and deducted for each incorrect response. When the end user accumulates sufficient points to meet a preset "confidence level," Password Reset permits the end user to select a new password. If the end user's score does not achieve the required confidence level after all questions have been presented, or if it falls below a preset negative value, the quiz ends and the end user is not permitted to reset the password.
The reset service is available to each end user upon completion of a one-time Enrollment Interview to record passphrase answers. The Administrative Console provides easy configuration of the Enrollment Interview and Reset Quiz, including question text, point values, and confidence-level limits. The console also lets you generate reports of enrollment and reset activity and status.
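The weighted scoring that Password Reset applies to the Reset Quiz can be modelled as follows. This is an added example, not Oracle's implementation: the `Question` fields, function names, point values and thresholds are assumptions constructed for illustration, and the model checks both limits after every answer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Question:
    text: str
    correct_points: int    # added to the score for a correct response
    incorrect_points: int  # deducted from the score for an incorrect response

def run_quiz(questions, responses_correct, confidence_level, failure_floor):
    """Score a quiz; return (outcome, final_score, questions_presented)."""
    score = asked = 0
    for question, correct in zip(questions, responses_correct):
        asked += 1
        score += question.correct_points if correct else -question.incorrect_points
        if score >= confidence_level:   # confidence level met: reset permitted
            return "reset_allowed", score, asked
        if score < failure_floor:       # fell below the negative limit: quiz ends
            return "denied_floor", score, asked
    return "denied_exhausted", score, asked  # all questions presented, level not met

def min_correct_to_pass(questions, confidence_level):
    """Lower bound on correct answers needed to pass, or None if unreachable."""
    total = 0
    weights = sorted((q.correct_points for q in questions), reverse=True)
    for count, points in enumerate(weights, start=1):
        total += points
        if total >= confidence_level:
            return count
    return None

# Constructed sample configuration (hypothetical, not taken from the product).
SAMPLE_QUESTIONS = [
    Question("City of birth?", 40, 30),
    Question("First employer?", 30, 20),
    Question("Favourite teacher?", 20, 20),
    Question("Model of first car?", 30, 40),
]
CONFIDENCE_LEVEL = 70
FAILURE_FLOOR = -50

if __name__ == "__main__":
    for responses in ([True, True], [False, True, True, True], [False] * 4):
        print(responses, run_quiz(SAMPLE_QUESTIONS, responses, CONFIDENCE_LEVEL, FAILURE_FLOOR))
    print("fewest correct answers that can pass:",
          min_correct_to_pass(SAMPLE_QUESTIONS, CONFIDENCE_LEVEL))
```

A low value from `min_correct_to_pass` means a few heavily weighted questions are enough to authorize a reset, which is worth checking when assigning point values and the confidence level.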
Provisioning Gateway provides the ability to remotely add, modify, and delete application credentials directly within each user's Logon Manager credential store, eliminating the need for local credential capture and granting the user instant access to the target application. The Provisioning Gateway Management Console is a standalone, browser-based application. See the separate Provisioning Gateway Administrator's Guide for instructions to configure and use this component.
Anywhere provides portable single sign-on (SSO) technology, enabling deployment of Logon Manager and Provisioning Gateway to end users' desktops.
Using the Anywhere Console, the administrator creates a deployment package configured with the Oracle products needed by users of an enterprise, making the package available over a Web server or file share. Users download this deployment package from an HTML interface that is included with the Anywhere package, and which the administrator customizes. Users can then perform installations of the Oracle Enterprise Single Sign-On Suite on their own workstations at the click of a button, with assurance that configurations are correct and ready to run, and without administrator intervention.
Universal Authentication Manager enables enterprises to replace the use of native password logon to Microsoft Windows and Active Directory networks with stronger and easier to use authentication methods. The Universal Authentication Manager system also enhances enterprise security beyond traditional password authentication by providing two-factor authentication methods. Universal Authentication Manager enables users to rapidly and securely enroll credentials that will be used to identify and authenticate them. Universal Authentication Manager offers five built-in and configurable authentication methods: smart cards, passive proximity cards, biometric fingerprint and other biometric technologies, and challenge questions. Native Windows passwords are also supported.
Logon Manager, Password Reset, and Universal Authentication Manager settings are configured through the Administrative Console. Anywhere and Provisioning Gateway have standalone administrative consoles. Each component contains its own Reporting settings.
The Administrative Console incorporates administrative functionality for Logon Manager and Password Reset, and enables both Agent/Client and server configuration of most options, including:
- Easy creation, management, and deployment of:
  - Application configurations and application configuration lists.
  - Credential sharing groups.
  - Password policies.
  - Bulk-add lists.
  - Agent configuration settings.
  - Customized MSIs.
- Easy setup and management of synchronizer extensions:
  - LDAP Directory Servers, including Oracle Directory Server Enterprise Edition, Oracle Internet Directory, Oracle Unified Directory, Oracle Virtual Directory, Tivoli Directory Server, Novell eDirectory, OpenLDAP Directory Server, and Siemens Dirx.
  - Relational database systems, including Oracle, Microsoft SQL Server, and IBM DB2.
  - Microsoft Active Directory Server systems (including Application Mode).
  - File systems.
- Easy setup of self-service password reset, including:
  - Configuring service storage.
  - Tracking which users have enrolled and/or attempted to reset their passwords.
  - Creating questions for the Enrollment Interview and assigning their point values for the Reset Quiz.
  - Customizing the user interface for the Enrollment Interview and Reset Quiz.
- Easy configuration and management of users authenticating in kiosk environments.
- Easy integration of Reporting with Oracle Business Intelligence Editor to generate reports for every type of event that might occur in the course of regular business operation.
The Administrative Console removes the need to edit configuration files or the registry by hand, with the associated risks of errors such as "fat-fingering" or providing invalid parameters.
The Administrative Console functionality is divided into the areas listed below, with their associated topics.
Task | Console Feature | Related Topics |
---|---|---|
Creating and managing application configurations | Applications | Creating and Using Templates |
Troubleshooting templates | Template Test Manager | Testing Templates |
Creating and managing password generation policies | Password Generation Policies | Setting Password Policies |
Creating and managing passphrase sets | Passphrase Questions | Using Passphrase Sets |
Creating and managing credentials | Credential Sharing Groups, Delegated Credentials | Creating Credential Sharing Groups |
Creating and managing bulk-add lists | Applications > Bulk-Add tab | Bulk Add Tab (for a Selected Application) |
Creating and testing Agent configuration settings | Global Agent Settings, Configuration Test Manager | Configuring the Agent with Global Agent Settings |
Setting up and managing synchronizer extensions | Synchronization | Synchronization |
Setting up and managing repositories | Repository | Repositories |
Generating MSIs | MSI Generator | MSI Generator |
Configuring user authentication in a kiosk environment | Kiosk Manager | Using Kiosk Manager |
Creating the Password Reset service | Password Reset | Reset Service |
Creating and configuring questions for a user-initiated password reset | Password Reset | Enrollment Interview |
Working with the Reset service | Password Reset Service | Configuring Reset Authentication |
Configuring a database for Reporting | Oracle Reporting tool | Oracle Database Configuration Overview |
Integrating Reporting with Oracle Business Intelligence Publisher to create reports | Oracle Reporting tool | Configuring Oracle Business Intelligence Publisher |
The following table describes the commands available on the Administrative Console main menu and the corresponding keyboard and mouse shortcuts.
Menu | Command | Description | Shortcut |
---|---|---|---|
File | New | Start a new configuration | Ctrl+N |
File | Open | Open | Ctrl+O |
File | Merge | Merge current configuration (applications, password generation policies, credential sharing groups) with a configuration file. Note: If the merged file contains items with the same names as those in the current configuration, the Import/Merge Conflict dialog opens. Select the items to import and click OK. If the imported file contains a set of Global Agent Settings with the same name as an existing set in the current configuration, the imported set is named Copy of existing settings. | |
File | Save | Save the current configuration to a file (XML). | Ctrl+S |
File | Save As | Save a copy of the current configuration to a different file. | |
File | Import | Import configuration from an administrative override object (INI) file or a registration entries (REG) file as a new set of Global Agent Settings. Note: If the imported file contains items (applications, policies, groups) with the same names as those in the current configuration, the Import/Merge Conflict dialog appears. | Perform one of these actions: Note: Choose Import from HKLM to import Global Agent Settings from the local-machine registry to the Administrative Console as a set named Live. |
File | Export | Export selected applications and all password policies and groups to an entlist.ini file, which is a store of application logons. | Perform one of these actions: |
File | Exit | Quit the program. | |
Menu | Command | Description | Shortcut |
---|---|---|---|
Edit | Delete | Delete the item selected in the left pane. Click Yes to confirm or No to cancel. | Del |
Menu | Command | Description | Shortcut |
---|---|---|---|
Insert | Application | Add a new application configuration; displays the Add Application dialog. | Right-click Applications and select New Windows App, New Web App, or New Host App. |
Insert | UAM Policy | Add a new UAM policy; displays the New UAM Policy dialog. | Right-click Policies and select New Policy. |
Insert | Password Generation Policy | Add a new password generation policy; displays the Add Password Policy dialog. | Right-click Password Generation Policy and select New Policy. Then enter a Policy Name and click OK. |
Insert | Passphrase Questions | Add a new passphrase set; displays the Add Passphrase Set dialog box. | Right-click Passphrase Questions and select New Passphrase Set. Then enter a Passphrase Set Name and click OK. |
Insert | Credential Sharing Group | Add a new credential sharing group; displays the Add Sharing Group dialog. | Right-click Credential Sharing Group and select New Group. Then: |
Insert | Exclusion List | Add a new exclusion list; displays the Add Exclusion List dialog. | Perform one of these actions: Then enter a name for the list and click OK. |
Menu | Command | Description |
---|---|---|
Tools | Publish to Repository | Opens the Publish to Repository dialog, from which you can select multiple objects to publish simultaneously. |
Tools | Export Apps to Agent | Add the application logons in the current Administrative Console session to the list of pre-configured logons for the locally-installed Agent. This option updates the local entlist.ini file, and optionally, the ftulist.ini (first time use) file. |
Tools | Write Global Agent Settings to HKLM | Export Global Agent Settings to local machine registry; displays a confirmation message. |
Tools | Test Global Agent Settings | Launch the Oracle Test Manager to validate that you have configured Global Agent Settings correctly. See Using the Configuration Test Manager for complete procedures for using this tool. |
Tools | Manage Templates | Create, modify, and remove templates for application logons; displays the Manage Templates dialog. |
Tools | Update Applications | Update applications based on templates that have been modified since the application's creation; displays the Update Applications dialog. |
Tools | Modify Configuration | View or edit the configuration (INI) files for the locally-installed Logon Manager Agent. Choose Applist, or open any FTUList, EntList, MfrmList, or other INI file by name. |
Tools | Generate Customized MSI | Launch the Oracle MSI Generator, a wizard-style utility with which you create a custom .MSI file to use for mass deployment to Logon Manager end-users. |
The table below describes the menu structure and available commands of the Password Reset node of the Administrative Console.
Note: In order for your new settings to take effect, you must click the Submit button at the bottom of each settings tab.

Tree Head | Tab | Description |
---|---|---|
Password Reset | Admin Web Service URL | Connect to the administrative Web service. After you enter a valid URL, the nodes below become available. |
Node | Tab | Description |
---|---|---|
System | Storage | Configure, prioritize, and initialize storage. |
System | Reset Service | Monitor and configure reset service accounts. |
Node | Tab | Description |
---|---|---|
Settings | Settings | Configure: |
Settings | Password Complexity | Configure: |
Settings | Alerts | Configure: |
Settings | Logging | Configure: |
Settings | Reporting | Configure: |
Settings | Enrollment UI | Configure the look and feel of the elements in the Enrollment User Interface, including: |
Settings | Reset UI | Configure the look and feel of the elements in the Reset User Interface, including: |
Node | Tab | Description |
---|---|---|
Questions | System Questions | Create system questions and specify the languages in which they will appear. |
Node | Tab | Description |
---|---|---|
Users | Manage Users | Perform user searches using the criteria you specify on this tab. |
Node | Tab | Description |
---|---|---|
Enrollments | Manage Enrollments | Perform enrollment searches based on specified dates; view, export and delete logs. |
Node | Tab | Description |
---|---|---|
Resets | Manage Resets | Perform reset searches based on specified dates; view, export and delete logs. |