Is your Single Sign-On (AS-SSO) Server revealing too much information?

    Posted by "" in "security, sso" on 2008-08-31

Without going into a long write-up, let's evaluate Oracle's own implementation of a Single Sign-On Server, https://login.oracle.com (in use by applications such as OTN and Conference).

    Server Name & Identity Management Version

If you check the screenshot (Oracle's Login Server, https://login.oracle.com), you can figure out that:

    • The login server (Single Sign-On Server) is running Oracle Identity Management (10.1.4.0.1)
    • It is deployed on the server rexweb100.oracle.com (plus other middle tiers in the cluster), with the Enterprise Manager console running on port 1810

[Screenshot: Oracle SSO login page]

    Users details from OIDDAS

Now log in to Oracle's DAS (Delegated Administrative Services) at https://login.oracle.com/oiddas: at the top right of the page click Login. You can log in with your OTN (Oracle Technology Network) account or create a new account (using a Yahoo, Gmail or any other valid email address).

    After logging in, click the Directory tab. From this screen any user can search for the details of any other user, including their email address (check the screenshot). This is useful for spammers, or a marketing team, wanting to target email addresses directly.
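The exposure described above can be measured outside the DAS user interface. The following is an added example, not code from the original post: a small Python audit that parses an LDIF export taken with ldapsearch while bound as an ordinary self-service user, and reports which other users' entries expose attributes from an assumed sensitive-attribute list. The DNs, the policy set and the sample LDIF are placeholders, not real data.

```python
# Added example: what can an ordinary (self-service) bind read about OTHER users?
# Assumed input: LDIF from ldapsearch bound as a normal user (DNs are placeholders).
import re

SENSITIVE = {"mail", "telephonenumber", "homephone"}  # assumed policy, adjust

def parse_ldif(text):
    """Minimal LDIF parser -> [(dn, {attr: [values]})]; base64 values are kept as-is."""
    entries, dn, attrs = [], None, {}
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold continuation lines
        if not line.strip():  # blank line terminates an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):  # ldapsearch emits comment lines
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.lower(), []).append(value.strip())
    if dn is not None:
        entries.append((dn, attrs))
    return entries

def audit_ldif(text, bound_dn):
    """Return {dn: [sensitive attrs]} for every entry other than the bound user's."""
    exposed = {}
    for dn, attrs in parse_ldif(text):
        if dn.lower() != bound_dn.lower():
            leaked = sorted(a for a in attrs if a in SENSITIVE)
            if leaked:
                exposed[dn] = leaked
    return exposed

SAMPLE_LDIF = """# constructed sample of a result returned to alice (not real data)
dn: cn=alice,cn=Users,dc=example,dc=com
mail: alice@example.com

dn: cn=bob,cn=Users,dc=example,dc=com
cn: bob
mail: bob@example.com
telephoneNumber: +1 555 0100
"""

if __name__ == "__main__":
    for dn, leaked in audit_ldif(SAMPLE_LDIF, "cn=alice,cn=Users,dc=example,dc=com").items():
        print(f"{dn}: {', '.join(leaked)} readable by any self-service user")
```

An empty result from a real export means the directory's access control already hides those attributes from ordinary users; any entry listed is what the DAS search screen will also show.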


    Partner Application in SSO Server

To list all Partner Applications registered against login.oracle.com, check the URL https://login.oracle.com/sso

Don't you think Oracle should hide user details (especially the "email address" attribute) from the OIDDAS search screen?

    If you are an SSO/OIDDAS administrator, what would you do in the DAS configuration to hide the listing of email addresses or to protect the other SSO details? (Leave your views as comments.)

    Stay tuned to find out how to hide the above information from users.


    2 Responses to “Is your Single Sign-On (AS-SSO) Server revealing too much information ?”

    1. anouar says:

Hello,
      Can you please tell me how you hid that information from users? I didn't find the article explaining this.

      Thank you

    2. Harmeet says:

Does anyone have a solution for this??
