Without going into too much of a write-up, let’s evaluate Oracle’s own implementation of its Single Sign-On Server, i.e. https://login.oracle.com (in use by applications like OTN, Conference, etc.).

Server Name & Identity Management Version

If you check the screenshot of Oracle’s login server (https://login.oracle.com), you can figure out that:

  • Login server (Single Sign-On Server) is using Oracle Identity Management (
  • This is deployed on server rexweb100.oracle.com (+ other middle tiers in the cluster) with the Enterprise Manager console running on port 1810

Oracle SSO Page


User details from OIDDAS

Now log in to Oracle’s DAS (Delegated Administrative Services) at https://login.oracle.com/oiddas by clicking Login at the top right of the page. You can log in with your OTN (Oracle Technology Network) account or create a new account (using Yahoo, Gmail or any valid email address).

After login, click on the Directory tab. From this screen any user can search for the details of other users, including their email addresses (check the screenshot). This is useful to spammers or a marketing team that wants to target email addresses directly.



Partner Applications in SSO Server

To list all Partner Applications registered against login.oracle.com, check the URL https://login.oracle.com/sso




Don’t you think Oracle should hide user details (especially the “email address” attribute) from the OIDDAS search screen?

If you are an SSO/OIDDAS administrator, what would you do in the DAS configuration to hide the email address listing or protect other SSO details? (Leave your views as comments.)

Stay tuned to find out how to hide the above information from users….