Without going too much into a write-up, let's evaluate Oracle's own implementation of Single Sign-On Server, i.e. https://login.oracle.com (in use by applications such as OTN, Conferences, etc.).
Server Name & Identity Management Version
If you check the screenshot (Oracle's Login Server, i.e. https://login.oracle.com), you can figure out that:
- The login server (Single Sign-On Server) is using Oracle Identity Management (10.1.4.0.1)
- It is deployed on the server rexweb100.oracle.com (plus other middle tiers in the cluster), with the Enterprise Manager console running on port 1810
User details from OIDDAS
Now log in to Oracle's DAS (Delegated Administrative Services) via https://login.oracle.com/oiddas: on the top right of the page click on Login; you can log in with your OTN (Oracle Technology Network) account or create a new account (using Yahoo, Gmail or any valid email address).
After login, click on the Directory tab; from this screen any user can search for the details of other users, including their email address (check the screenshot). This is useful for spammers or marketing teams looking to target email addresses directly.
Partner Application in SSO Server
To list all Partner Applications registered against login.oracle.com, check the URL https://login.oracle.com/sso
Don't you think Oracle should hide user details (especially the "email address" attribute) from the OIDDAS search screen?
If you are an SSO/OIDDAS administrator, what would you do in the DAS configuration to hide the listing of email addresses or to protect other SSO details? (Leave your views as comments.)
Stay tuned to find out how to hide the above information from users.
Related Posts for Security
- URL Firewall in DMZ/Self Service Setup (url_fw.conf)
- Is your Single Sign-On (AS-SSO) Server revealing too much information ?
- Node / Responsibility Trust Level in Oracle Applications (E-Business Suite 11i/R12)