Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Oracle Spurs Single Sign-On Surge

Venerable technology prepares for rebirth with emergence of cross-domain identity management technologies

Oracle yesterday launched a new suite of single sign-on products, brushing the dust from a largely dormant technology that might see a revival under emerging Web standards.

Oracle announced the general availability of its Oracle Enterprise Single Sign-On Suite, which includes a logon manager, a password reset app, an authentication manager, and a provisioning gateway. The idea is to enable users to log onto Oracle's many applications -- as well as non-Oracle programs -- using a single ID and password.

Single sign-on (SSO) technology has been available for more than a decade, but its adoption has been limited because of difficulties in making it work across disparate vendors and domains, all of which use different methods for managing user identities. SSO works well in closed environments where most of the users are known and registered, but it has encountered trouble in more dynamic environments with less predictable user traffic.

As a result, most gated Websites and application environments still require separate user IDs and passwords, which users tend to lose or forget. About 30 percent of all helpdesk calls require a password reset, at cost of $25 to $50 per call, according to a Gartner study published earlier this year.

The password reset problem is especially acute in environments like Oracle's, where users may log onto half a dozen different apps, sometimes hosted on different servers and operating systems, on a given day. The new Oracle suite is designed to help with that problem, according to Hasan Rizvi, vice president of security and identity management products at Oracle.

SSO tools such as Oracle's can help reduce the password reset problem, analysts say. About 60 percent of companies that deploy SSO see a reduction in helpdesk calls, according to a study conducted in the first half of 2006 by Winmark and RSA Security. Several vendors, including Imprivata and DigitalPersona, have unveiled new SSO tools in the last few months. (See Texas Taps Single Sign-On and Single Sign-on At Your Fingertips.) Industry research firm IDC predicts that the SSO market will grow at an average annual rate of 15.9 percent through 2009.

But the real icebreaker for SSO deployment lies in Web standards that could make it possible to manage user identities across a variety of vendors and domains. Those standards, headed by Secure Access Management Language 2.0, enable enterprises and networks to employ "federated" identity management systems that can talk to each other to authenticate the same user to multiple environments.

Oracle's suite, which supports SAML, could be a stepping stone to more full-blown federated ID management environments that enable users to log onto many apps with the same password, analysts say. But it's better to start out small with SSO, "such as an external integration effort that would enable a common login between Old Navy and Gap's Websites," says Mike Rothman, president and principal analyst at Security Incite, in a recent blog. "It's a hassle to have to deal with both separately, even though the companies are owned by the same parent."

But some observers are still wary of SSO technology, because it raises the stakes in authentication technology. If an attacker successfully steals a user's identity in an SSO environment, he could gain access to many systems, instead of just one, they note.

The Winmark/RSA study notes that of the companies that have deployed SSO, only one in ten is using it in conjunction with strong authentication, such as multifactor technologies. But using SSO without a second factor -- such as a PIN, a token, or a biometric signature -- could leave companies at risk of multiple penetrations from a single password theft, the study notes.

Oracle's Enterprise Single Sign-On Suite is shipping now. Pricing is on a per-user basis and varies with the number of users and the options selected, officials say.

— Tim Wilson, Site Editor, Dark Reading

  • Digital Persona Inc.
  • Imprivata Inc.
  • Oracle Corp. (Nasdaq: ORCL) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    FluBot Malware's Rapid Spread May Soon Hit US Phones
    Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
    7 Modern-Day Cybersecurity Realities
    Steve Zurier, Contributing Writer,  4/30/2021
    How to Secure Employees' Home Wi-Fi Networks
    Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-05-05
    The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
    PUBLISHED: 2021-05-05
    The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
    PUBLISHED: 2021-05-05
    The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
    PUBLISHED: 2021-05-05
    The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
    PUBLISHED: 2021-05-05
    The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...