
Oracle Spurs Single Sign-On Surge

Venerable technology prepares for rebirth with emergence of cross-domain identity management technologies

Oracle yesterday launched a new suite of single sign-on products, brushing the dust from a largely dormant technology that might see a revival under emerging Web standards.

Oracle announced the general availability of its Oracle Enterprise Single Sign-On Suite, which includes a logon manager, a password reset app, an authentication manager, and a provisioning gateway. The idea is to enable users to log onto Oracle's many applications -- as well as non-Oracle programs -- using a single ID and password.

Single sign-on (SSO) technology has been available for more than a decade, but its adoption has been limited because of difficulties in making it work across disparate vendors and domains, all of which use different methods for managing user identities. SSO works well in closed environments where most of the users are known and registered, but it has encountered trouble in more dynamic environments with less predictable user traffic.

As a result, most gated Websites and application environments still require separate user IDs and passwords, which users tend to lose or forget. About 30 percent of all helpdesk calls require a password reset, at a cost of $25 to $50 per call, according to a Gartner study published earlier this year.

The password reset problem is especially acute in environments like Oracle's, where users may log onto half a dozen different apps, sometimes hosted on different servers and operating systems, on a given day. The new Oracle suite is designed to help with that problem, according to Hasan Rizvi, vice president of security and identity management products at Oracle.

SSO tools such as Oracle's can help reduce the password reset problem, analysts say. About 60 percent of companies that deploy SSO see a reduction in helpdesk calls, according to a study conducted in the first half of 2006 by Winmark and RSA Security. Several vendors, including Imprivata and DigitalPersona, have unveiled new SSO tools in the last few months. (See Texas Taps Single Sign-On and Single Sign-on At Your Fingertips.) Industry research firm IDC predicts that the SSO market will grow at an average annual rate of 15.9 percent through 2009.

But the real icebreaker for SSO deployment lies in Web standards that could make it possible to manage user identities across a variety of vendors and domains. Those standards, headed by Security Assertion Markup Language (SAML) 2.0, enable enterprises and networks to employ "federated" identity management systems that can talk to each other to authenticate the same user to multiple environments.

Oracle's suite, which supports SAML, could be a stepping stone to more full-blown federated ID management environments that enable users to log onto many apps with the same password, analysts say. But it's better to start out small with SSO, "such as an external integration effort that would enable a common login between Old Navy and Gap's Websites," says Mike Rothman, president and principal analyst at Security Incite, in a recent blog. "It's a hassle to have to deal with both separately, even though the companies are owned by the same parent."

But some observers are still wary of SSO technology, because it raises the stakes in authentication technology. If an attacker successfully steals a user's identity in an SSO environment, he could gain access to many systems, instead of just one, they note.

The Winmark/RSA study notes that of the companies that have deployed SSO, only one in ten is using it in conjunction with strong authentication, such as multifactor technologies. But using SSO without a second factor -- such as a PIN, a token, or a biometric signature -- could leave companies at risk of multiple penetrations from a single password theft, the study notes.

Oracle's Enterprise Single Sign-On Suite is shipping now. Pricing is on a per-user basis and varies with the number of users and the options selected, officials say.

— Tim Wilson, Site Editor, Dark Reading
