Is your Single Sign-On (AS-SSO) Server revealing too much information ?

Without going too much into write-up, lets evaluate Oracle’s own implementation of Single Sign-On Server i.e.  (In use by application like OTN, Conference.. )

Server Name & Identity Management Version

If you check screen shot (Oracle’s Login Server i.e., you can figure out that

  • Login server (Single Sign-On Server) is using Oracle Identity Management (
  • This is deployed on server (+ other middle tier in cluster) with enterprise manager console running on port 1810

Oracle SSO Page


Users details from OIDDAS

Now login to Oracle’s DAS (Delegated Administrative Services) using  on top right of page click on Login page , you can login with your OTN (Oracle Technology Network) account or create new account (using yahoo, gmail or any valid email address)

After login; click on Directory tab and from this screen any user could search for details of other user including their email address (Check screenshot) – Useful for spammers or marketing team to target email address directly



Partner Application in SSO Server

To list all Partner Applications registered against check URL 


sso 3


Don’t you think Oracle should hide user details (specially “email address” attribute) from OIDDAS search screen ?

If you are SSO/OIDDAS administrator, What would you do in DAS configuration to hide listing email address or protect other SSO details (leave your views as comments) ?

Stay tuned to find out how to hide above information from users….

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Oracle Gold Partner specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

anouar says January 27, 2009

Can you please, tell me how did you hide those information from users? i didn’t found the article explaining this.

Thank you

Harmeet says May 5, 2010

Does anyone has a solution for this??

Add Your Reply