I had a client ask me the other day to help them determine which Oracle SSO products would work best for their environment. Here was my response in weighing OAM (Oracle Access Manager) vs eSSO (Oracle Enterprise Single Sign On):

It was good to speak with you today (even with the cut-outs from being on a train). I have a much better understanding of the environment that you are working with and can more accurately help you wrap a strong solution around what you are looking for.

I have two different scenarios that I believe could accomplish what you are looking for. From what you told me earlier today, you currently have OID implemented as the user repository for an SSO framework that’s being used today. This sounds to me like you have Oracle Application Servers (OC4J) with the SSO module installed on the various servers they want to protect. This is a good solution for minimal SSO functionality. The direction you would like to move towards, though, is integrating the user’s desktop login (via Active Directory) into all the web and application servers that are currently being protected.

The first, and more obvious, solution would be to implement Oracle’s Access Manager. This is an enterprise Web SSO solution that has the ability to allow authentication and authorization via Integrated Windows Authentication (IWA). To sum up its functionality, I’ve pulled a quote right from the OAM Common Administration Guide:

“The use of IWA by Oracle Access Manager is seamless. The user won’t notice any difference between a typical authentication and IWA when they log on to their desktop, open an Internet Explorer (IE) browser, request a protected web resource, and complete single sign-on.”

The requirements for this to work are that all the servers to be protected are a Windows 2000 or Windows 2003 server with IIS 5 or 6 for the web server. This can also work on Sun’s Solaris servers with iPlanet Directory servers.

If you are running a mixed environment of Windows and *Nix servers, you can also set up a Windows ISA Server (Internet Security & Acceleration Server) to act as a reverse proxy to all of the resources that are to be protected. That server will then handle all the initial authentication and authorization. From there, additional webgates can be installed on all the other web and application servers to ensure proper security from Intranet access. The session state that was initialized by the IWA will be passed through and accepted by all other protected resources (web servers).

This solution will also provide you with a more robust enterprise SSO framework that can grow along with your company and provide you more services that you can utilize after implementation (self service password resets, workflows, and others).

The other option would be to use Oracle’s Enterprise Single Sign On (eSSO). This is more of a Password Wallet Manager than a true SSO framework, but will still resolve what it is that you are looking to do. With the eSSO Login Manager installed on the user’s desktop, it will store all of their passwords in a secure 2-way hash for any supported application that it is set up to remember. This also includes form logins for web pages. The major difference (outside of underlying framework functionality) between OAM and eSSO is that eSSO can be used for non-web based applications as well. The requirements for eSSO are very different than OAM though. eSSO requires the users to have access to the Login Manager via their desktop to work. With OAM, the user can access a protected resource from anywhere / any browser that supports cookies.

For what you are looking to do, I would recommend using Oracle’s Access Manager for your Web SSO solution to integrate with a Windows Desktop logon. Obviously, there are more details to your environment that need to be discussed, and I would also like to refine this solution to provide the greatest amount of value to your needs.

Please let me know when a good time would be to come in and discuss this with you and your team further so we can move forward on your most immediate needs.

If you have any questions, please feel free to call me.

The SSO module in Oracle Application Server is nice, and works well, but if you’re planning on moving to a larger Identity Management implementation, which every company with over 1,000 employees should, a more enterprise SSO approach is needed. 

.: Adam