Users Can Login To Kiosk Manager And Access The Credentials From Another User's Locked Session

(Doc ID 2407282.1)

Last updated on JUNE 06, 2018

Applies to:

Oracle Enterprise Single Sign-On Suite Plus - Version 11.1.2.3.1 and later
Information in this document applies to any platform.

Symptoms

Oracle Enterprise Single Sign-On: Logon Manager 11.1.2.3.1 

ACTUAL BEHAVIOR

Users are able to log in to Kiosk Manager and access the credentials from another user's locked session.


EXPECTED BEHAVIOR

Users should not be able to access the credentials or applications from the locked session of another user.

STEPS TO REPRODUCE

  1. User “A” logs into the Kiosk Manager GUI with their user ID and password.
  2. SSO works as designed.
  3. User “A” locks the session.
  4. User “B” clicks logon without changing the user ID.
  5. SSO prompts for a password and the user ID field is greyed out.
  6. User “B” enters their password.
  7. SSO displays an error stating the password is incorrect.
  8. User “B” clicks OK.
  9. SSO prompts for a password and the user ID field is no longer greyed out.
  10. User “B” changes the user ID to their own and enters their password.
  11. SSO accepts this logon.
  12. The desktop comes up and the Lock Session button in the top right displays the name of user “A”.
  13. User “B” opens TAM which displays saved credentials for user “A”.
  14. User “B” opens applications and SSO injects credentials for user “A”.
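The steps above describe a lock screen that accepts a valid logon for one identity and then resumes the desktop, and the SSO credential context, of a different identity. The following added illustration (not Oracle's code, and not a description of how Logon Manager is implemented internally) models that flow in miniature and shows the owner-binding check that prevents it: a locked session may only be resumed by the user who locked it, and any other authenticated user gets a fresh session. The user names and password store are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed credential store for the demo; a real kiosk defers to the directory.
PASSWORDS = {"userA": "a-secret", "userB": "b-secret"}


@dataclass
class LockedSession:
    owner: str                      # identity that locked the session
    user_id_editable: bool = False  # field is greyed out until a failed attempt
    failed_attempts: int = 0


def authenticate(user_id: str, password: str) -> bool:
    return PASSWORDS.get(user_id) == password


def unlock_vulnerable(s: LockedSession, user_id: str, password: str) -> Tuple[str, Optional[str]]:
    """Models the reported behaviour: a failed attempt un-greys the user ID
    field, and any later valid logon resumes the original owner's desktop."""
    if not s.user_id_editable:
        user_id = s.owner                # greyed-out field forces the owner's ID
    if not authenticate(user_id, password):
        s.failed_attempts += 1
        s.user_id_editable = True        # field becomes editable after the error
        return ("deny", None)
    return ("resume", s.owner)           # defect: who logged on is never compared to owner


def unlock_hardened(s: LockedSession, user_id: str, password: str) -> Tuple[str, Optional[str]]:
    """Binds the unlock to the session owner: a different authenticated user
    never inherits the locked session or its injected credentials."""
    if not authenticate(user_id, password):
        s.failed_attempts += 1
        return ("deny", None)
    if user_id != s.owner:
        return ("new_session", user_id)  # tear down the owner's session, start a clean one
    return ("resume", s.owner)


def reproduce(unlock) -> Tuple[str, Optional[str]]:
    """Replays steps 3-11 against an unlock routine and returns the action
    taken and the identity whose credentials the resulting desktop carries."""
    s = LockedSession(owner="userA")
    unlock(s, "userA", "b-secret")       # steps 4-7: wrong password for the greyed-out ID
    return unlock(s, "userB", "b-secret")  # steps 9-11: ID changed, own password accepted
```

`reproduce(unlock_vulnerable)` yields a desktop running as "userA" after "userB" authenticated, which is the condition the symptoms describe; `reproduce(unlock_hardened)` yields a new session for "userB" instead.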



Cause
