Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Oracle Spurs Single Sign-On Surge

Venerable technology prepares for rebirth with emergence of cross-domain identity management technologies

Oracle yesterday launched a new suite of single sign-on products, brushing the dust from a largely dormant technology that might see a revival under emerging Web standards.

Oracle announced the general availability of its Oracle Enterprise Single Sign-On Suite, which includes a logon manager, a password reset app, an authentication manager, and a provisioning gateway. The idea is to enable users to log onto Oracle's many applications -- as well as non-Oracle programs -- using a single ID and password.

Single sign-on (SSO) technology has been available for more than a decade, but its adoption has been limited because of difficulties in making it work across disparate vendors and domains, all of which use different methods for managing user identities. SSO works well in closed environments where most of the users are known and registered, but it has encountered trouble in more dynamic environments with less predictable user traffic.

As a result, most gated Websites and application environments still require separate user IDs and passwords, which users tend to lose or forget. About 30 percent of all helpdesk calls require a password reset, at cost of $25 to $50 per call, according to a Gartner study published earlier this year.

The password reset problem is especially acute in environments like Oracle's, where users may log onto half a dozen different apps, sometimes hosted on different servers and operating systems, on a given day. The new Oracle suite is designed to help with that problem, according to Hasan Rizvi, vice president of security and identity management products at Oracle.

SSO tools such as Oracle's can help reduce the password reset problem, analysts say. About 60 percent of companies that deploy SSO see a reduction in helpdesk calls, according to a study conducted in the first half of 2006 by Winmark and RSA Security. Several vendors, including Imprivata and DigitalPersona, have unveiled new SSO tools in the last few months. (See Texas Taps Single Sign-On and Single Sign-on At Your Fingertips.) Industry research firm IDC predicts that the SSO market will grow at an average annual rate of 15.9 percent through 2009.

But the real icebreaker for SSO deployment lies in Web standards that could make it possible to manage user identities across a variety of vendors and domains. Those standards, headed by Secure Access Management Language 2.0, enable enterprises and networks to employ "federated" identity management systems that can talk to each other to authenticate the same user to multiple environments.

Oracle's suite, which supports SAML, could be a stepping stone to more full-blown federated ID management environments that enable users to log onto many apps with the same password, analysts say. But it's better to start out small with SSO, "such as an external integration effort that would enable a common login between Old Navy and Gap's Websites," says Mike Rothman, president and principal analyst at Security Incite, in a recent blog. "It's a hassle to have to deal with both separately, even though the companies are owned by the same parent."

But some observers are still wary of SSO technology, because it raises the stakes in authentication technology. If an attacker successfully steals a user's identity in an SSO environment, he could gain access to many systems, instead of just one, they note.

The Winmark/RSA study notes that of the companies that have deployed SSO, only one in ten is using it in conjunction with strong authentication, such as multifactor technologies. But using SSO without a second factor -- such as a PIN, a token, or a biometric signature -- could leave companies at risk of multiple penetrations from a single password theft, the study notes.

Oracle's Enterprise Single Sign-On Suite is shipping now. Pricing is on a per-user basis and varies with the number of users and the options selected, officials say.

— Tim Wilson, Site Editor, Dark Reading

  • Digital Persona Inc.
  • Imprivata Inc.
  • Oracle Corp. (Nasdaq: ORCL) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 11/19/2020
    New Proposed DNS Security Features Released
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
    The Yellow Brick Road to Risk Management
    Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: He hits the gong anytime he sees someone click on an email link.
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-11-25
    osCommerce has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
    PUBLISHED: 2020-11-25
    GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...
    PUBLISHED: 2020-11-25
    Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded...
    PUBLISHED: 2020-11-25
    A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service fo...
    PUBLISHED: 2020-11-25
    An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...