Delivering Oracle Success
Identity Management and Single Sign-On
Al Lopez
RMOUG Training Days, February 2012
About DBAK
- Oracle Solution Provider and License Reseller
- Core Technology and EBS Applications
- Colorado Owned and Operated
- Average 15 Years of Oracle Expertise
- Top 250 Private Companies, 2011, CoBIZ Magazine
- Emerging Business of the Year, 2008, South Metro Denver Chamber of Commerce
- 100+ Clients
- 170+ Implementations, Upgrades, Conversions, Support Projects
- Oracle Gold Partner, OEM Specialized
DBAK 2012 2
Agenda
- Introductions
- Defining what Single Sign-On is and what it is not
  - Asking the audience what they understand as SSO
- The Perfect SSO
- Oracle Enterprise Single Sign-On Plus (ESSO+)
  - ESSO+ Overview
- Use Case: Software company SSO implementation
- Questions
Background
- Desire to improve the end user application experience
  - Many applications
  - Different logins
  - Many passwords
  - Prompting for login
  - Different password rules
- Desire to improve application security processes
  - Password reset process
  - Password consistency
  - Security standards based
Oracle Enterprise Single Sign-On Overview
Business Drivers
Oracle ESSO Value Proposition
Business Drivers - Security
- Bad password management reduces security
  - Weak passwords are easy to guess or hack
  - Strong passwords get written down and are vulnerable
  - Password synchronization results in "Keys to the Kingdom"
- Benefits
  - Enforces the strongest password policies for all applications
  - Adheres to password change schedules
Business Drivers - ROI
- Employees lose productivity managing passwords
  - Complex userids and passwords are hard to remember
  - Employees get locked out of applications, resulting in helpdesk calls
- Benefits
  - Reduce help call volume by 80%
  - Provide self-service password reset for the Windows password
  - Manage application passwords for all other passwords
  - Provide instant, hassle-free access to applications for users
Business Drivers - Compliance
- Assure GRC policies are met (compliance)
  - HIPAA 164, PCI, SOX 404, HSPD 12
- All compliance initiatives are driven around
  - Assuring only the appropriate people have access to applications
  - Auditing when and by whom that application was accessed
- Costs
  - Fines
  - Civil litigation
  - Loss of business/contracts (due to lack of compliance)
What Customers Have Told Us About Enterprise Single Sign-On
- Our users have too many UserIDs and Passwords
  - Reduces employee productivity
  - Hassle factor when forgotten (call helpdesk)
- Poor password management creates security risks
  - Sticky note factor: passwords written down in "secure" places
  - Password synchronization reduces security
  - Need strong passwords to adhere to GRC
- Achieving enterprise SSO is hard
  - Integrate with the user work flow for seamless, instant access
  - Must handle all applications and use cases
  - Bonus if it integrates strong authentication for application access
Why Customers Choose Oracle ESSO
Oracle Enterprise Single Sign-On is a mature, proven solution that increases security, reduces costs and increases user productivity.
- Increases Security
  - Enforces complex password rules for all applications
  - Extends strong authentication to application access
- Proven Solution
  - Two-tier architecture scales to meet the largest enterprises
  - Track record of enabling all applications in an organization
- Reduces Costs
  - Eliminates password reset helpdesk calls
- Increases User Productivity
  - Automatic sign-in to applications
  - No down time while waiting for the password reset process
Enterprise Access Challenges
(figure: challenges grouped under Sign-on, Provisioning and Authentication)
- Users have too many passwords
- Need fast access to shared workstations
- Need access from anywhere
- Users forget MS Windows passwords
- Hard to know who has access to what
- Secure delivery of application credentials to end users
- Strong authentication is too complex and expensive to deploy
Oracle ESSO Suite Plus Solves Enterprise Access Challenges
(figure: suite components mapped to Sign-On, Provisioning and Authentication)
- ESSO Logon Manager
- ESSO Anywhere
- ESSO Kiosk Manager
- ESSO Provisioning Gateway
- ESSO Password Reset
- ESSO Universal Authentication Manager
- ESSO Authentication Manager
ESSO Logon Manager
ESSO to Every Application
ESSO with Strong Authentication
(figure: hospital ID card for Dr. Smith, badge number 18273849)
ESSO Password Reset
ESSO Universal Authentication Manager
ESSO Kiosk Manager
ESSO Provisioning Gateway
ESSO Provisioning Gateway
ESSO Anywhere
ESSO from Anywhere (Internet)
Account Reconciliation with ESSO LM
ESSO Application Auditing

Application   Id      User         Event  Date        Time
SAP Americas  GraceA  Grace Adams  Logon  11/15/2007  8:53am
SAP Americas  GraceA  Grace Adams  Logon  11/16/2007  8:28am
SAP Americas  GraceA  Grace Adams  Logon  11/17/2007  8:32am
SAP Americas  GraceA  Grace Adams  Logon  11/18/2007  8:50am
SAP Americas  GraceA  Grace Adams  Logon  11/19/2007  7:45am
SAP Americas  JohnJ   John James   Logon  11/22/2007  9:22am
SAP Americas  JohnJ   John James   Logon  11/23/2007  9:16am
SAP Americas  JohnJ   John James   Logon  11/24/2007  9:07am
SAP Americas  JohnJ   John James   Logon  11/25/2007  9:26am
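The rows on this slide are the raw material for the compliance driver named earlier, auditing when and by whom an application was accessed. As an added example (not part of the original deck and not Oracle's product code), the script below parses a constructed pipe-delimited export of those rows, builds the who-accessed-what summary an auditor asks for, and flags logons that fall on a weekend or outside a working window; the pipe delimiter, the 07:00 to 18:00 window and the function names are assumptions.

```python
from datetime import datetime

# Constructed sample export in the column layout of the slide's audit table
# (Application | Id | User | Event | Date | Time). Row values come from the
# slide; the pipe delimiter is an assumption made so fields with spaces parse.
AUDIT_EXPORT = """\
SAP Americas|GraceA|Grace Adams|Logon|11/15/2007|8:53am
SAP Americas|GraceA|Grace Adams|Logon|11/16/2007|8:28am
SAP Americas|GraceA|Grace Adams|Logon|11/17/2007|8:32am
SAP Americas|GraceA|Grace Adams|Logon|11/18/2007|8:50am
SAP Americas|GraceA|Grace Adams|Logon|11/19/2007|7:45am
SAP Americas|JohnJ|John James|Logon|11/22/2007|9:22am
SAP Americas|JohnJ|John James|Logon|11/23/2007|9:16am
SAP Americas|JohnJ|John James|Logon|11/24/2007|9:07am
SAP Americas|JohnJ|John James|Logon|11/25/2007|9:26am
"""

def parse_audit(text):
    """Parse one audit row per line into dicts carrying a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        app, uid, name, event, date, time = [f.strip() for f in line.split("|")]
        when = datetime.strptime(f"{date} {time.upper()}", "%m/%d/%Y %I:%M%p")
        events.append({"app": app, "id": uid, "user": name, "event": event, "when": when})
    return events

def access_summary(events):
    """Who accessed which application, how many times, and first/last logon."""
    summary = {}
    for e in (x for x in events if x["event"] == "Logon"):
        s = summary.setdefault((e["app"], e["id"]),
                               {"user": e["user"], "logons": 0, "first": e["when"], "last": e["when"]})
        s["logons"] += 1
        s["first"] = min(s["first"], e["when"])
        s["last"] = max(s["last"], e["when"])
    return summary

def off_schedule_logons(events, start_hour=7, end_hour=18):
    """Flag logons on weekends or outside the assumed working window [start, end)."""
    flagged = []
    for e in (x for x in events if x["event"] == "Logon"):
        weekend = e["when"].weekday() >= 5          # Saturday=5, Sunday=6
        after_hours = not (start_hour <= e["when"].hour < end_hour)
        if weekend or after_hours:
            reason = "weekend" if weekend else "after-hours"
            flagged.append((e["id"], e["when"].strftime("%Y-%m-%d %H:%M"), reason))
    return flagged
```

On the slide's own data every logon is inside the window, so only the four weekend entries (11/17, 11/18, 11/24, 11/25) are flagged; a narrower window surfaces the early-morning ones too.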
Sample Report
ESSO Suite Plus Architecture
What's New in 11.1.1.5.0: Key Features
- Silent Credential Capture
  - Eliminates pop-up boxes for capturing end user application credentials
  - Configurable to not allow users to opt out of Logon Manager
  - Less confusing to the end user, as they don't do anything different
- Admin Console Enhancements
  - Automated application template creation that significantly reduces the steps needed to enable applications
  - Ability to test configuration settings prior to deploying them
  - Create custom MSIs for deployment in the admin console
- Ability to use SendKeys for Web Applications
- Addition of OID and OVD for storage of all components
What's New in 11.1.1.5.0: Detailed View
Logon Manager Features
- Administrative Improvements
  - Simplified Template Creation
  - Template Test Facility
  - Reorganized Global Agent Settings
  - Configuration Wizard for Synchronizers
  - Application Username Exclusions
  - Support for SID Changes in Secondary Auth Applications
- Response Improvements
  - Field-Based Sharing for Credential Sharing Groups
  - Fall Back to SendKeys when Control IDs aren't Available
  - Ability to Inject Credentials Multiple Times on the Same Form
  - Form Awareness of Logon Loop Grace Period
  - Form-Based Settings for Auto-Submit and Auto-Recognize
  - New Form Types for Logon Success and Failure Screens
  - Silent Credential Capture for Windows, Java, and Web Applications
- Application Enablement Improvements
  - SendKeys for Web Applications
  - Support for Windows 7 Security dialogues
  - Window Title Matching for Mainframe Applications
  - Improved Support for PuTTY
Universal Authentication Manager
- Strong Network Authentication
  - Fingerprints
  - Smart Cards
  - Proximity Cards
- In-the-flow user enrollment with grace period
- Client utility to manage user credentials
- No Strong Authentication Server to manage
- Machine and User Policies
  - Allowed Authentication Methods
  - Enrollment Policies: Mandatory, Optional, Grace period
- Available in offline mode
Password Reset
- Section 508 compliance updates on enrollment wizard
- Support for credential storage in OID
Oracle ESSO Suite Plus Roadmap
Timeline columns: H1 CY2011, H2 CY2011, CY2012
100 Day (11gR1)
- ESSO-LM
  - Admin Console Improvements
  - Improved Application Enablement
  - Simplified Credential Capture
- ESSO-UAM
  - Biometrics
  - Authentication Policy Improvements
11gR1 PS2
- ESSO Suite Plus
  - Client Language update
  - Improved Application enablement
  - Improved Agent Diagnostics
  - KM Windows 7 Support
  - UAM Windows 7 Support
  - UAM Roaming Support
12c
- ESSO Suite Plus
  - Identity Suite Integration
  - Unified Admin Console
  - Universal Provisioning Connector
Use Case: Software Company SSO
Fortune 500, one of the 3 top gaming software companies in the world
Challenges
- 9000+ EBS users/employees
- Multiple manufacturing, development and distribution divisions
- Continuously buying new businesses
- Multi-national access to IT systems
- Multiple Microsoft AD domains
- Multiple HR systems
- Performance during the medical and insurance benefit enrollment cycle: all 9000+ users connect during a 4 hour period
- Desire to eliminate two legacy identity management systems (Novell)
- Desire to federate all 9000+ users, who were distributed among 12 different business groups
- Desire to use Oracle HR as the user master for all 9000+ employees
- Short project timeline
  - The decision to implement SSO for EBS users was made during the later stages of an Oracle EBS implementation (CRP3)
  - The federation of users implied using a new identity management system
Solution
- Oracle Access Manager (OAM)
  - IIS integration with Microsoft's AD domains
  - Integration with EBS: authentication via Kerberos token
  - EBS interface for user creation and management
- Microsoft's Forefront Identity Management (FIM)
  - Although Oracle Identity Management (OIM) was a better fit, FIM was used as it required a shorter implementation timeline
  - A couple of the client's employees were very familiar with FIM, which also influenced the decision to use FIM
  - Used to federate users from 12 dissimilar systems; also used as the user creation mechanism together with OAM and SOA
- Oracle Service Oriented Architecture (SOA)
  - Two BPEL processes were used as two-way interfaces to extract/import data to/from Oracle HR and FIM
- Microsoft's AD and Oracle OID (sync)
  - User and password master repositories
Solution Overview: ESSO Suite Plus
(figure: solution diagram with EBS and AS6 components)
Oracle Access Manager (OAM)
Questions
Contact
Al Lopez
720.475-8600
alopez@dbaknow.com
Presentation available at: www.dbaknow.com/downloads
www.dbaknow.com