Posted on March 25, 2013 by Marc Boorshtein
“Doubt that the sun doth move, doubt truth to be a liar, but never doubt the need for SSO in your Fusion Middleware deployment” – paraphrased from Hamlet Act II, Scene II.
Okay, so I might have taken some creative license with the real quote. The point, however, is that no matter what part of the Oracle applications stack you are deploying, it’s important to leave room in your budget for SSO both for licensing (OAM, OVD, etc.) and for consulting services. These parts of a project are often overlooked until someone realizes one of two things:
These things happen, just as the sun rises every morning and truth could never be a liar, on nearly every project I've worked on. It’s rare that enterprises have a clearly defined Identity and Access Management strategy. This leads to either, as one of my colleagues once put it, SSO being a “line item” on a contract or SSO being totally forgotten.
One might ask, “Why do I need SSO for a Fusion Middleware deployment? I only need to authenticate WebLogic.” WebLogic compartmentalizes web applications so, depending on how your environment is set up, you may need to log in to every different area of your application. This means that if you use a task flow from BPM in your WebCenter portal, you must authenticate to BPM even though you are already authenticated to WebCenter.
It’s much easier to build in a budget for OAM up front than to try to bolt it on after the fact. I've seen many projects fail not because of a poor implementation but because of missteps around SSO. The login page is the FIRST thing users see (or maybe they don't see anything!). It just has to work. Buyers are generally not looking to buy SSO, and an after-the-fact discussion becomes a distraction from solving the business issues at hand.
In my next blog, I'll be talking about what we could learn from Hamlet on Active Directory.