Without going too much into write-up, lets evaluate Oracle’s own implementation of Single Sign-On Server i.e. https://login.oracle.com (In use by application like OTN, Conference.. )
Server Name & Identity Management Version
If you check screen shot (Oracle’s Login Server i.e. https://login.oracle.com), you can figure out that
Users details from OIDDAS
Now login to Oracle’s DAS (Delegated Administrative Services) using https://login.oracle.com/oiddas on top right of page click on Login page , you can login with your OTN (Oracle Technology Network) account or create new account (using yahoo, gmail or any valid email address)
After login; click on Directory tab and from this screen any user could search for details of other user including their email address (Check screenshot) – Useful for spammers or marketing team to target email address directly
Partner Application in SSO Server
To list all Partner Applications registered against login.oracle.com check URL https://login.oracle.com/sso
Don’t you think Oracle should hide user details (specially “email address” attribute) from OIDDAS search screen ?
If you are SSO/OIDDAS administrator, What would you do in DAS configuration to hide listing email address or protect other SSO details (leave your views as comments) ?
Stay tuned to find out how to hide above information from users….
Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.