Identity Management and Single Sign-On

Transcription

1 Delivering Oracle Success Identity Management and Single Sign-On Al Lopez RMOUG Training Days February 2012

2 About DBAK Oracle Solution Provider and License Reseller Core Technology and EBS Applications Colorado Owned and Operated Average 15 Years of Oracle Expertise Top 250 Private Companies, 2011 CoBIZ Magazine Emerging Business of the Year, 2008 South Metro Denver Chamber of Commerce 100+ Clients 170+ Implementations, Upgrades, Conversions, Support Projects Oracle Gold Partner OEM Specialized DBAK

3 Agenda Introductions Defining what Single Sign-On is and what it is not Asking audience what they understand as SSO The Perfect SSO Oracle Enterprise Single Sign-On plus (ESSO+) ESSO+ Overview Use Case Software company SSO implementation Questions DBAK

4 Background Desire to improve end user application experience Many applications Different logins Many passwords Prompting for login Different password rules Desire to improve application security processes Password Reset process Password consistency Security Standards based DBAK

5 Oracle Enterprise Single Sign-On Overview DBAK

6 Business Drivers DBAK

7 Oracle ESSO Value Proposition DBAK

8 Business Drivers - Security Bad password management reduces security Weak passwords are easy to guess or hack Strong passwords get written down and are vulnerable Password synchronization results in Keys to the Kingdom Benefits Enforces strongest password policies for all applications Adheres to password change schedules DBAK

9 Business Drivers - ROI Employees lose productivity managing passwords Complex userid s and passwords are hard to remember Employees get locked out of applications resulting in helpdesk calls Benefits Reduce Help Call volume by 80% Provide self service password reset for windows password Manage application password for all other passwords Provide instant hassle free access to applications for users DBAK

10 Business Drivers - Compliance Assure GRC policies are met (compliance) HIPAA 164, PCI, SOX 404, HSPD 12 All compliance initiatives are driven around Assuring only the appropriate people have access to applications Auditing when and by whom that application was accessed Costs Fines Civil Litigation Loss of business/contracts (due to lack of compliance) DBAK

11 What Customers Have Told Us About Enterprise Single Sign-On Our users have too many UserIDs and Passwords Reduces employee productivity Hassle factor when forgotten (call helpdesk) Poor password management creates a security risks Sticky note factor passwords written down in secure places Password synchronization reduces security Need strong passwords to adhere to GRC Achieving enterprise SSO is hard Integrate with the user work flow for seamless instant access Must handle all applications and use cases Bonus if it integrates strong authentication for application access DBAK

12 Why customers choose Oracle ESSO? Oracle Enterprise Single Sign On is a mature proven solution that increases security, reduces costs and increases user productivity Increases Security Enforces complex password rules for all applications Extends strong authentication to application access Proven Solution Two-tier architecture scales to meet the largest enterprises Track record of enabling all applications in an organization Reduces Costs Eliminates password reset helpdesk calls Increases User Productivity Automatic sign in to applications No down time while waiting for password reset process DBAK

13 Enterprise Access Challenges Users have too many passwords Need fast access to shared workstations Need access from anywhere Sign-on Users forget MS Windows passwords Hard to know who has access to what Secure delivery of application credentials to end users Provisioning Provisioning Provisioning Authentication Authentication Authentication Strong authentication is too complex and expensive to deploy DBAK

14 Oracle ESSO Suite Plus Solves Enterprise Access Challenges ESSO Logon Manager ESSO Anywhere ESSO Kiosk Manager ESSO Provisioning Gateway ESSO Logon Manager Provisioning Provisioning Provisioning Sign-On Authentication Authentication Authentication ESSO Password Reset ESSO Universal Authentication Manager ESSO Authentication Manager DBAK

15 ESSO Logon Manager DBAK

16 ESSO to Every Application DBAK

17 ESSO with Strong Authentication Hospital ID Dr.Smith DBAK

18 ESSO Password Reset DBAK

19 ESSO Universal Authentication Manager DBAK

20 ESSO Kiosk Manager DBAK

21 ESSO Provisioning Gateway DBAK

22 ESSO Provisioning Gateway DBAK

23 ESSO Anywhere DBAK

24 ESSO from Anywhere Internet DBAK

25 Account Reconciliation with ESSO LM DBAK

26 ESSO Application Auditing Application Id User Event Date Time SAP Americas GraceA Grace Adams Logon 11/15/2007 8:53am SAP Americas GraceA Grace Adams Logon 11/16/2007 8:28am SAP Americas GraceA Grace Adams Logon 11/17/2007 8:32am SAP Americas GraceA Grace Adams Logon 11/18/2007 8:50am SAP Americas GraceA Grace Adams Logon 11/19/2007 7:45am SAP Americas JohnJ John James Logon 11/22/2007 9:22am SAP Americas JohnJ John James Logon 11/23/2007 9:16am SAP Americas JohnJ John James Logon 11/24/2007 9:07am SAP Americas JohnJ John James Logon 11/25/2007 9:26am DBAK

27 Sample Report DBAK Oracle Confidential Internal Use Only Copyright 2006, Oracle. All rights reserved.

28 ESSO Suite Plus Architecture DBAK

29 What s new in Key Features Silent Credential Capture Eliminates Pop Up boxes for capturing end user application credentials Configurable to not allow users to opt out of Logon Manager Less confusing to end user as they don t do anything different Admin Console Enhancements Automated application template creation that significantly reduces the step needed to enable applications Ability to test configuration setting prior to deploying them Create custom MSI s for deployment in the admin console Ability to use Send Keys for Web Applications Addition of OID & OVD for storage of all components DBAK

30 What s new in detailed view Logon Manager Features Administrative Improvements Simplified Template Creation Template Test Facility Reorganized Global Agent Settings Configuration Wizard for Synchronizers Application Username Exclusions Support for SID Changes in Secondary Auth Applications Response Improvements Field-Based Sharing for Credential Sharing Groups Fall Back to SendKeys when Control IDs aren't Available Ability to Inject Credentials Multiple Times on the Same Form Form Awareness of Logon Loop Grace Period Form-Based Settings for Auto-Submit and Auto- Recognize New Form Types for Logon Success and Failure Screens Silent Credential Capture for Windows, Java, and Web Applications Application Enablement Improvements SendKeys for Web Applications Support Windows 7 Security dialogues Window Title Matching for Mainframe Applications Improved Support for PuTTY Universal Authentication Manager Strong Network Authentication Fingerprints Smart Cards Proximity Cards In the flow user enrollment with grace period Client utility to manage user credentials No Strong Authentication Server to manage Machine and User Policies Allowed Authentication Methods Enrollment Policies; Mandatory, Optional, Grace period Available in offline mode Password Reset Section 508 compliance updates on enrollment wizard Support for credential storage in OID DBAK

31 Oracle ESSO Suite Plus Roadmap Timelines H1 CY2011 CY2012 H2 CY Day (11gR1) 11gR1 PS2 ESSO - LM Admin Console Improvements Improved Application Enablement Simplified Credential Capture ESSO - UAM Biometrics Authentication Policy Improvements ESSO Suite Plus Client Language update Improved Application enablement Improved Agent Diagnostics KM Windows 7 Support UAM Windows 7 Support UAM Roaming Support 12c ESSO Suite Plus Identity Suite Integration Unified Admin Console Universal Provisioning Connector DBAK

32 Use Case Software company SSO Fortune 500 one of 3 top Gaming Software companies in the world Challenges EBS users/employees Multiple Manufacturing, development and distribution divisions Continuously buying new businesses Multi National access to IT systems Multiple Microsoft AD domains Multiple HR systems Performance during medical and insurance benefit enrollment cycle, all users connect during a 4 hours period Desire to eliminate two legacy identity management systems (Novell) Desire to federate all users who were distributed among 12 different business groups Desire to use Oracle HR as user master for all employees Short Project timeline Decision to implement SSO for EBS users was made during the later stages of an Oracle EBS implementation (CRP3) The federation of users implied using a new Identity management system Solution Oracle Access Manager (OAM) IIS Integration with Microsoft s AD domains Integration with EBS Authentication via Kerberos token EBS Interface for User creation and management Microsoft s Forefront Identity Management (FIM) Although Oracle Identity Management (OIM) was a better fit, FIM was used as it required a shorter implementation timeline Couple of the client employees were very familiar with FIM, which also influenced the decision to use FIM Used to federate users from 12 dissimilar systems, also used as the user creation mechanism together with OAM and SOA Oracle Service Oriented Architecture (SOA) Two BPEL processes were used as two way interfaces to extract/import data tofrom Oracle HR and FIM Microsoft s AD and Oracle OID (sync) User and password master repositories DBAK

33 Solution Overview: ESSO Suite Plus EBS AS6 DBAK

34 Oracle Access Manager (OAM) DBAK

35 Questions DBAK

36 Contact Al Lopez Presentation available at: DBAK