Oracle Enterprise Single Sign-On Write-Up

[JaySan]

Enterprise Single Sign-On
Introduction
In today’s connected workplace, securing enterprise information systems has never been as important, or as difficult. It is estimated that attacks on IT systems are costing more than $100 billion a year worldwide. The growing need to comply with industry and financial regulations such as Sarbanes-Oxley, Basel II and HIPAA is also helping security climb steadily up the list of preoccupations for IT Directors and CIOs.
Classically, the problem of IT security has been one of compromise, between the level of security for each system and business imperatives of the user base. The exponential increase in the numbers of applications and systems being accessed by workers has led to proliferation of passwords. This decentralized approach to information security incurs significant costs, owing not only to an increased need for support but also the risk of security breaches and the decreased productivity of users coping with multiple passwords.
E-SSO (Enterprise Single Sign-On) offers a solution to many of these problems, improving security and regulatory compliance while simplifying access for the users and lowering help desk costs,

Some difficulties faced when creating a single sign-on are:
• Internal users and external users may need access to the same information.
• Not all users will be on the same domain.
• Management of groups or roles within an organization across multiple applications.

In order to overcome these issues, an E-SSO offering needs to combine Windows domain security with Forms Based Authentication for all of a companies web applications.

Oracle Identity Management Products

Oracle Identity Manager is a powerful and flexible enterprise identity provisioning and compliance monitoring solution that automates the creation, updating, and removal of users from enterprise systems such as directories, email, databases, and ERP.

Oracle Enterprise Single Sign-On provides users with unified sign-on and authentication across all their enterprise resources, including desktops, client-server, custom and host-based mainframe applications.

Oracle Access Manager delivers critical functionality for access control, single sign-on, and user profile management in the heterogeneous application environment.

Oracle Identity Federation enables cross-domain single sign-on with the industry's only identity federation server that is completely self-contained and ready to run out-of-the box.

Oracle Internet Directory is a robust and scalable LDAP V3-compliant directory service that leverages the high availability capabilities of the Oracle 10g Database platform.

Oracle Virtual Directory provides Internet and industry standard LDAP and XML views of existing enterprise identity information, without synchronizing or moving data from its native locations.

Oracle Web Services Manager is a comprehensive solution for adding policy-driven security and management capabilities to existing or new Web services.


What is Single Sign-On?
Single sign-on (SSO) is mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords. Single sign-on reduces human error, a major component of systems failure and is therefore highly desirable but difficult to implement.




Oracle Identity Management
Oracle Identity Management (IdM) allows enterprises to manage end-to-end lifecycle of user identities across all enterprise resources both within and beyond the firewall. It includes features that allow applications to be deployed faster, automatically eliminate latent access privileges, and apply the most granular protection to enterprise resources. Companies may opt to leverage Oracle’s Identity and Access Management Suite in its entirety or simply to deploy individual components of the suite to meet specific needs. The Suite, a component of Oracle Identity Management, helps improve and simplify security by enabling users to access diverse enterprise applications using a single password.

Once implemented, Oracle IdM Suite enables users to access both Web and non Web-based applications and systems using a single identity. Users can also be automatically provisioned based on a common, secure infrastructure.

Key Features of Oracle Identity and Access Management Suite
 Complex Identity Integration in Heterogeneous Environments
 Breadth and Depth of Solution Capability enable to address entire range of customer needs.
 Value Delivery and Flexibility
 Quality, Performance, and Scalability
 Helps Management Satisfy Control Objectives Under Sarbanes 404 Control
 Deploy and enforce Internal control
 Audit and Reports on Controls
Technical Architecture Standards (Source : Oracle Identity Manager white paper June 2006)
 Ease of Deployment by using flexible Deployment Manager utility which helps in migration and configuration information between environments (SIT,UAT,PRD) through XML files providing flexibility what to import, export
 Flexible and Resilient IdM can be deployed in single or multiple instances by providing optimal configuration and provide fault tolerance, redundancy, fail-over and system load balancing.
 Maximum use of current Infrastructure IdM open architecture enables it to integrate with existing software and middleware exists in organization
 Modular Architecture provides existing and future business needs with simple plug/unplug functionality.
 Built-in Audit and Compliance integrated solution for Audit and compliance with additional efforts & cost
 Standard-Based the foundation for IdM is built using industry best standards and J2EE.


Business Benefits

Increased Security
 Define and enforce security, administrative, and access control policies consistently across enterprise applications
 Centralized and integrated across heterogeneous environments

Efficient Regulatory Compliance  Reporting and auditing capabilities to cope with stringent regulatory requirements, such as Sarbanes-Oxley, 21 CFR Part 11, etc.
 Audit events across entire enterprise
 Access control managed per attribute
 Common policy management across applications

Lower Operational Cost
 Reduced operational costs through user self-service
 Efficient management of large user populations
 Reduced administration cost through the consolidation and
automation of user management operations.
 Consolidating access points through an Access Control solution reduces the number of places in the enterprise where each user’s identity has to be managed.
 Enterprise SSO solutions help to further consolidate the number of channels via which a user accesses enterprise systems and applications.

Advantages for Oracle Portal Users
 Oracle Identity Management enables Portal customers to:
 Support single sign-on of portal users to enterprise applications
 Provide rich user administration and self-service seamlessly integrated into the portal environment
 Manage enterprise portal and application users centrally
 Automatically provision and de-provision enterprise portal users
 Allow their portal users to access federated applications
 Make their portals available to partner access
 Portal users can transparently access applications of federation partners (such as travel agencies, employee benefits providers, etc.)
 Applications secured by Oracle Identity Management can be made accessible to partners through federation
 No need to manage these users locally
 No re-engineering of applications required
 Users have single sign-on to all applications accessed through their portal
 Administrators have a single point of control for authentication and authorization
 Oracle access management is pre-integrated with Portal and other Oracle applications and offers out-of-the-box integration with other enterprise applications, portals and application servers
 ESSO increases enterprise security by enforcing application password policy
 It automatically creates and changes application passwords, reducing the need for users to write down their passwords.
 Additional benefits of increased user satisfaction and productivity, regulatory compliance, and reduced helpdesk costs (analysts estimate over 30% of helpdesk calls are for password resets) are experienced by organisations that have successfully implemented E-SSO.

Potential Business Benefits
 Increased Security

 Efficient Regulatory Compliance

 Lower Admin/Development Cost

 Improved Business Responsiveness

 Better End-User Experience

 Centralizing Application Control

 Lower Operational Cost


Potential ROI
 In the area of password management alone, IdM may deliver significant saving for Oracle customers. Two recent industry whitepapers identify clients with respective savings of US$750,000 and US$8.4 million annually, delivered via increased efficiencies from using Oracle’s password management solutions. (In the latter case, reducing the number of password resets by more than 35,000 per month on average.)
Source: “Customer Priorities in a Competitive Identity and Access Management Marketplace” white paper by Butlergroup

 It is estimated that an organization with 10,000 users could save approximately $588, per user, per year, totaling almost $5.9 million in annual savings.

Source : “Reducing Costs and Improving Productivity with an Identity Management Suite” A White Paper by The Radicati Group, Inc. May 2006



APPENDIX - I

ROI Model – Oracle Identity Management
Source: “Reducing Costs and Improving Productivity with an Identity Management Suite” A White Paper by The Radicati Group, Inc. May 2006)

Based on ongoing research and customer surveys conducted by The Radicati Group, the main benefits of implementing Identity Management consist of:
 Reduced costs
 Improved efficiencies
 New revenue opportunities

For example, an enterprise can realize internal cost savings by allowing for employee self provisioning and through efficiencies from reducing the number of help desk calls. On the customer-facing front, an Identity Management solution can result in improved customer satisfaction and new revenue opportunities. Lastly, partnership relationships can be improved by securely providing partners with access to private sales, marketing and product data.

One example that we will explore in more detail is a fairly standard scenario that we have encountered on numerous occasions. This example relates to the cost savings and efficiencies that can be realized by implementing a Full Suite Identity Management solution for internal operations. For example, within a typical enterprise the following tasks are performed by Administrators, Help Desk Staff, and End Users:

 Administrator time consumed by User adds, modifications and deletions.
 Help desk time consumed by password maintenance and provisioning requests.
 End user time consumed by password inputs, and account modifications.

Based on the number of hours spent per annum on these activities, an Identity Management solution can yield significant time savings. The following page shows a more detailed ROI example; we assume that a typical organization faces the following fully burdened costs per hour:

 Administrator: $60/hr
 Help Desk Staff: $30/hr
 End User: $35/hr

Table 1, details these savings for a 10,000 user organization1. Figures listed are hours per user, per year.


Depending on the size of an organization, cost savings can be substantial. Using this model, we believe a Full Suite Identity Management solution can save a 10,000 user organization $588, per user, per year (Table 2), totaling almost $5.9 million in annual savings.





1 We assume a net annual growth rate of 7%, a 16% annual rate of modifications, and an annual turnover rate of 6%.




Additionally, besides realizing a greater ROI, Full Suite Identity Management solutions are also less costly to implement and easier to maintain. As discussed earlier a company implementing a Full Suite solution should expect to realize additional benefits, including a streamlined deployment and integration process, improved administration capabilities and increased security.



Author : Sanjay Kumar