Oracle Spurs Single Sign-On Surge

Oracle yesterday launched a new suite of single sign-on products, brushing the dust from a largely dormant technology that might see a revival under emerging Web standards.

Oracle announced the general availability of its Oracle Enterprise Single Sign-On Suite, which includes a logon manager, a password reset app, an authentication manager, and a provisioning gateway. The idea is to enable users to log onto Oracle's many applications -- as well as non-Oracle programs -- using a single ID and password.

Single sign-on (SSO) technology has been available for more than a decade, but its adoption has been limited because of difficulties in making it work across disparate vendors and domains, all of which use different methods for managing user identities. SSO works well in closed environments where most of the users are known and registered, but it has encountered trouble in more dynamic environments with less predictable user traffic.

As a result, most gated Websites and application environments still require separate user IDs and passwords, which users tend to lose or forget. About 30 percent of all helpdesk calls require a password reset, at cost of $25 to $50 per call, according to a Gartner study published earlier this year.

The password reset problem is especially acute in environments like Oracle's, where users may log onto half a dozen different apps, sometimes hosted on different servers and operating systems, on a given day. The new Oracle suite is designed to help with that problem, according to Hasan Rizvi, vice president of security and identity management products at Oracle.

SSO tools such as Oracle's can help reduce the password reset problem, analysts say. About 60 percent of companies that deploy SSO see a reduction in helpdesk calls, according to a study conducted in the first half of 2006 by Winmark and RSA Security. Several vendors, including Imprivata and DigitalPersona, have unveiled new SSO tools in the last few months. (See Texas Taps Single Sign-On and Single Sign-on At Your Fingertips.) Industry research firm IDC predicts that the SSO market will grow at an average annual rate of 15.9 percent through 2009.

But the real icebreaker for SSO deployment lies in Web standards that could make it possible to manage user identities across a variety of vendors and domains. Those standards, headed by Secure Access Management Language 2.0, enable enterprises and networks to employ "federated" identity management systems that can talk to each other to authenticate the same user to multiple environments.

Oracle's suite, which supports SAML, could be a stepping stone to more full-blown federated ID management environments that enable users to log onto many apps with the same password, analysts say. But it's better to start out small with SSO, "such as an external integration effort that would enable a common login between Old Navy and Gap's Websites," says Mike Rothman, president and principal analyst at Security Incite, in a recent blog. "It's a hassle to have to deal with both separately, even though the companies are owned by the same parent."

But some observers are still wary of SSO technology, because it raises the stakes in authentication technology. If an attacker successfully steals a user's identity in an SSO environment, he could gain access to many systems, instead of just one, they note.

The Winmark/RSA study notes that of the companies that have deployed SSO, only one in ten is using it in conjunction with strong authentication, such as multifactor technologies. But using SSO without a second factor -- such as a PIN, a token, or a biometric signature -- could leave companies at risk of multiple penetrations from a single password theft, the study notes.

Oracle's Enterprise Single Sign-On Suite is shipping now. Pricing is on a per-user basis and varies with the number of users and the options selected, officials say.

— Tim Wilson, Site Editor, Dark Reading