An Oracle White Paper
Sep 2009

Buyer's Guide for Enterprise Single Sign On

Disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Contents

Introduction
Business Drivers for ESSO
Benefits of ESSO
Overview of Oracle ESSO
Solution Overview
Enterprise Single Sign On Checklist
Password Policy Management
Auditing Capability
Oracle Enterprise Single Sign On Anywhere (ESSO Anywhere)
Conclusion

Introduction

In a typical heterogeneous enterprise environment, a user may have to access a number of applications running on a multitude of systems and machines on a daily basis. Creating a user individually in each of these applications takes time on every system, and assigning access control can be troublesome and repetitive. Moreover, a distributed model means slower response time for helpdesk requests, unnecessary overheads in servicing these requests and inefficiency on the part of the users (a user has to sign into multiple domains). This leads to poor user experience, extensive administration costs, lack of security and privacy for the users and lack of interoperability with other business systems as well as with other third-party identity/security management solutions.
These business challenges drive an enterprise to adopt a better Identity Management and Enterprise Single Sign On (ESSO) solution. When evaluating ESSO solutions, keep in mind how to enable a comprehensive solution for managing identity profiles and permissions throughout the entire identity lifecycle, one that aids regulatory compliance (including Sarbanes-Oxley and HIPAA) and simplifies administration by letting you control password policies from a single console. An ESSO solution should help to improve your company's overall security.

Business Drivers for ESSO

Here are the main business drivers for ESSO in any enterprise:

- Password Management: There is a need within enterprise organizations to simplify the end user experience, to reduce password-related help desk costs and to enhance security by eliminating poor end user password management.
- Identity Management: There is a greater need for integrated enterprise sign-on, which is a key requirement for, and often a first step of, a complete enterprise identity management solution.
- Strong Authentication: Extending strong user authentication to enterprise applications is a key requirement of a strong authentication initiative.
- Compliance: Eliminate the hidden end user costs associated with compliance-driven initiatives. Extend audit and reporting capabilities to include user sign-on data.

Benefits of ESSO

ESSO offers a number of important benefits to an enterprise:

- Maximizes productivity: allows users to gain quick and easy access from any location.
- Eliminates lost or forgotten passwords: users have just one password to remember.
- Lowers user support costs: virtually eliminates password-related support calls.
- Securely stores and manages all passwords: eliminates the need to manually manage passwords.
- Improves network security: prevents unauthorized users from accessing enterprise applications.
- Aids in regulatory compliance: including Sarbanes-Oxley and HIPAA compliance.
- Simplifies administration: enables control of password policies from a single console.
- Rapid integration: integrates with an existing Identity Management lifecycle management solution.

Overview of Oracle ESSO

Enterprise users constantly need to access various enterprise applications, whether they are connected to the corporate network, traveling away from the office, roaming between computers or working at a shared workstation. Oracle Enterprise Single Sign On (Oracle ESSO) lets users log in to enterprise applications using a single password to access any password-protected application on the desktop, network or Internet.

User Sign On to Enterprise Applications

The basic steps of operation using Oracle ESSO are as follows:

1. The user requests access to an enterprise application, which can be a Windows, mainframe, web or Java application.
2. The Oracle ESSO Logon Manager Agent intercepts the user request on the user's desktop.
3. The ESSO Logon Manager retrieves the user record, and then fills in the appropriate user credentials for the ESSO-enabled application.
4. The application-specific username and password are sent to the application.
5. The user is granted access to the application.

Oracle ESSO in Action

Solution Overview

Oracle ESSO supports an extensive list of directories and databases as a central repository for user credentials, application logon templates, password policies, and client settings. Oracle ESSO helps enterprises advance their identity management, compliance and authentication initiatives by simplifying, extending and securing enterprise end user sign-on. Here is a list of exclusive features offered by the Oracle ESSO solution:

- Web-based access management SSO: This will include an SSO capability for Web-based applications. With Web-based SSO, the user supplies a credential. The Web server validates the password with a central credential server. If a match is found, the user is granted access to the Web-based application or system.
- Desktop/Mainframe/Host Applications access management SSO: The ESSO solution should provide access to all desktop applications (e.g. Windows/Solaris), mainframe applications (such as 3270, 5250), and host applications (for example Telnet). Lets users use multiple emulators and multiple emulator sessions simultaneously. Supports user needs for both logons and password changes for desktop applications, and allows administrators to add mainframe/desktop applications, configure them and easily deploy them to users.
- Java Applications & Applets access management SSO: Provides users access to AWT, Swing and standalone Java applications and applets.
- Credential Synchronization: Provides a way to replicate the user's credentials (for example username, password) automatically across all applications and resources.
- Event Logging: Provides ESSO administrators with logs and reports on application usage. Provides network administrators with comprehensive reports on password-related activity, showing who used passwords, what applications they accessed, where, and when.
- Enterprise-class Scalability: The Oracle ESSO solution is unique in its ability to scale to service the needs of enterprises of all sizes.
- Faster Deployments, Updates and Rollback: The Oracle ESSO Suite Plus (ESSO Suite Plus) is an extension to Oracle ESSO that eliminates traditional software installation, allowing system administrators to simply host the ESSO product online for users to download. Users will download and run ESSO with a simple click of a button from a host website or a network file share. This offers true ESSO portability and also reaches a wider audience in an organization, such as remote, mobile and temporary users, including partners, outsourcers, contractors and other non-employees.

Enterprise Single Sign On Checklist

This section presents a baseline list of requirements for an ESSO solution.
In each of the tables presented, the left column describes a requirement, and the right column describes how the Oracle ESSO Solution meets that requirement.

- Enterprise Single Sign On: Allows the user to log on to networks, applications, and Web sites using a single password. The same password lets users access enterprise applications.
- Windows Application SSO: Pre-configured for Microsoft Office, Adobe Acrobat Reader, FrontRange Goldmine, Interact Act!, PKZip, and many more types.
- Web-based application SSO: Pre-configured for accessing web applications on Microsoft Internet Explorer. Also provides support for Web pages, including form-based and popup sign-ons.
- Java Application and Applets Desktop SSO: Supports Java Runtime Environment (JRE) version 1.3 or later.
- Host/Mainframe: Supports AS/400 application single sign-on (5250), OS/390 (3270), and Unix (Telnet). Pre-configured for most emulators including: Attachmate Extra!, G&R Glink, Hummingbird HostExplorer, IBM Pcom and Host On Demand, NetManage Rumba, ScanPak Aviva, WRQ Reflection, Zephyr Passport, and many more. Supports multi-screen logon/password change scenarios. Supports multiple emulators simultaneously.
- Credential Sharing: Facilitates multiple enterprise applications sharing the same credentials for the user.
- Password Reset: Provides self-service (GINA or Browser) or assisted password resets for users.
- Provisioning to Desktop and Enterprise Resources: Facilitates a way to provision users to ESSO desktop applications with the out-of-the-box connector for Oracle Identity Manager. This enables user provisioning to enterprise resources and enables ESSO for applications in the enterprise. Supports bulk import of user accounts.
- Strong Multi-factor User Authentication: Provides multiple authentication modes for the user, including Windows login, LDAP, PKI, smart card, biometric or token-based authentication.
- User Access Modes: Provides multiple ways for users to access enterprise applications, including desktop, offline, kiosk, or shared workstation.
- Support for Offline or Disconnected Users: Oracle ESSO was designed to support all user work modes: Connected, Disconnected, Stand Alone, Roaming, Mobile and Kiosk. As a result, Oracle ESSO is not directly dependent on a server in order to provide enterprise SSO. Supports offline/disconnected usage by keeping a locally cached, encrypted copy of the user credentials on the local workstation. This local copy is automatically synchronized at a record level when the user regains connectivity to the designated repository. The ability to enable the offline cache is fully controllable by the administrator centrally. You can control these settings globally, by group/role or user, and by specific machine in order to achieve the use cases desired by your organization.
- Enterprise Directory Integration: Fully supports roaming users, defined as users who move from workstation to workstation. Oracle ESSO can support this either by taking advantage of Windows Roaming profiles to supply users with their SSO configuration and SSO credentials or, preferably, by using our Synchronization Support with an existing Directory Server or a Network File Server to provide each user with access to their unique credential repository from virtually any workstation with connectivity to the server. Supports the following directories for synchronization: SunOne Directory, Novell NDS eDirectory, Microsoft Active Directory, virtually any other LDAP v2 or v3 directory, or any available Network File Server.
- Encryption Support: Protects each user's credential store using one of several selectable encryption algorithms. By default, Oracle ESSO uses the Microsoft CAPI-supplied Triple DES (3DES) symmetric key encryption algorithm to secure all user credentials locally on the desktop and to remote directories or network drives.
  MS CAPI 3DES is certified to meet FIPS requirements. Oracle ESSO also includes MS CAPI AES 256-bit (FIPS 140-1), RC4, Blowfish 448, and Cobra 128 as administratively selectable algorithms. Each credential is only decrypted on an as-needed basis and is never stored or cached in the clear. Oracle ESSO uses cryptography to confirm user authentication and to secure storage of user credential data.
- Administrative Console: The Oracle ESSO Administrative Console is a GUI-based, wizard-driven configuration tool. It allows administrators to configure all of the Oracle ESSO agent settings:
    - Configuring all application-specific settings for single sign-on
    - Extending the schema for the directory
    - Managing, adding and updating ESSO-specific configuration settings across
    - Updating Oracle ESSO application configuration templates
    - Generating and publishing application templates to the LDAP/directory
- Authentication: Allows for a variety of Primary/Front End Authentication methods, as it ships with authenticators for Windows Logon, Windows Active Directory/Domain Logon, LDAP, PKI Systems, Smartcards and Biometrics. The authenticator allows users to prove their identity, whether through a Windows Domain Password, biometric or smart card. The authenticator takes the user's proof and passes it to the authentication service. The authentication service validates the credentials provided by the authenticator against either its own store or a system authentication service such as a Windows domain or a PKI.
- Directory Synchronization: We synchronize with the directory based on intelligent activity: adding a logon, password change, starting up, logging off, a configurable timer, etc. Some companies synchronize data based on a fixed time interval, which can allow data to get out of sync if it is changed, and can cause synchronization to occur from numerous machines when none is necessary.
- Directory Schema Extension: Oracle uses an effective class schema extension, which leaves your base schema intact as delivered by your directory vendor and creates a self-contained configuration object using our own object classes. Conversely, some companies make a base schema extension, which modifies your base schema, specifically the user object, and appends SSO data to it. This causes problems during directory upgrades and directory replication (the user object is always replicated).

Password Policy Management

Password Policy Management allows administrators to define a default global password policy and application-specific password policies, as well as to subscribe several applications to one password policy.

- Password Management: Oracle ESSO can recognize a password expiration/password change request, and either prompt the user to compose a new password (forcing the user to comply with the password policy) or automatically (and transparently) generate, on behalf of the end user, a random password that complies with password policies set by an administrator. Additionally, Oracle ESSO has the ability to monitor the age of a stored password and, at a preconfigured time interval (30 or 60 days for example), initiate the password change process at the local application level. Additionally, with Oracle ESSO, the administrator can specify:
    - Maximum/minimum password lengths
    - Maximum repetition of a character
    - Number of times a character can be adjacent to itself
    - Allow numeric characters
    - Maximum/minimum occurrence of numeric characters
    - Allow numeric to start password
    - Allow numeric to end password
    - Allow special characters (specify the characters to allow and exclude)
    - Maximum/minimum occurrence of special characters
    - Alpha usage (none, upper, lower, upper and lower)

Auditing Capability

Oracle ESSO can log all SSO system events, including credential use, credential changes, global credential events, Oracle ESSO events, and Oracle ESSO feature use.
Oracle ESSO can also log specified fields. Events can be logged locally or to any external destination. These destinations can include a directory, an SNMP service, a Windows server (for viewing via the Windows Event log), or even a local XML log file for simplified parsing and reporting fields that administrators specify.

- Credential Use Events: Support for logons, manual password changes, automatic password changes.
- Credential Change Events: Add credentials, delete credentials, change credentials, copy credentials, etc.
- Global Credential Events: Backup, restore, synchronize, etc.
- Platform Events: Startup, shutdown, etc.
- System Events: Logon Manager, Settings, Help, About, etc.
- Application name, Application username, Application third field, Date, Time, etc.

Oracle ESSO simplifies the creation of audit reports from the event logging data provided by Oracle ESSO Logon Manager. Additionally, from the Oracle ESSO Administrative Console, the administrator can initiate an ESSO Usage report against the data stored in the central repository to export a report containing the credential usage information by user, so that you can easily and quickly see which users have credentials for which applications and identify their usage and last change. Once logged, all ESSO events are permanently stored and become part of the overall audit record of computer use and policy control.

Oracle Enterprise Single Sign On Anywhere (ESSO Anywhere)

Oracle ESSO Anywhere simplifies ESSO deployments for system administrators while also extending the benefits of Enterprise Single Sign On to users who are remote and mobile. For organizations that have users who need access to ESSO from anywhere at any time, ESSO Suite Plus provides the ability to click and run ESSO on demand from anywhere. Unlike any other product on the market, ESSO Suite Plus does not require a traditional installation to achieve ubiquitous ESSO access.
- Centralized Deployment Option: Provides one deployment package for all the ESSO software.
- Click and Run ESSO: Users will download and run ESSO with a simple click of a button from a hosted website or a network file share.
- Auto Updates and Rollback: The deployment packages can be version controlled, which offers easy updates and rollback. Updates can be set as required or on an optional basis. Forced updates can be set against a minimum version of the deployment package. Administrators can also specify how frequently to check for updates, such as every time the ESSO client is started, or on a weekly or monthly basis.

Conclusion

Oracle Enterprise Single Sign On (ESSO) gives a user in an enterprise the ability to access all applications through a single authentication event and to do self-service password management as well. Since Enterprise Single Sign On (ESSO) systems are designed to minimize how often a user types in credentials to sign on to multiple applications, the ESSO solution automatically logs the users in, acts as a password filler and spares the user the need to know his password. This works well even when enterprises have to deal with different types of users for their enterprise applications, like Suppliers, Contractors, Resellers, Distributors, Agents and Joint Development partners. In addition to providing a single, secure sign-on to all enterprise applications, an ESSO solution enables strong authentication, improves compliance and accelerates cost savings, resulting in high ROI for enterprises. The Oracle ESSO Anywhere installation strategy speeds deployments by eliminating the need to perform system integration tests before deploying the software and then relying on desktop refresh or scheduled push procedures for installation. This helps avoid traditional installation problems, such as the need for administrative rights on the destination computer.
In addition, it allows software updates and rollbacks to be applied automatically and managed from a central location. The Oracle ESSO Suite is a proven solution that works with most enterprise applications without a lengthy and complex implementation effort. The Oracle ESSO Suite delivers huge usability improvements for end users, indirect cost savings from decreased employee downtime, and high ROI through direct savings in helpdesk costs, while providing vastly improved security for all the applications in the enterprise.

Buyer's Guide for Enterprise Single Sign On
Sep 2009

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA
U.S.A.

Worldwide Inquiries: Phone: Fax: oracle.com

Copyright 2009, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, includin