Oracle Entitlements Server 10.1.4.3 Tech Overview

Transcript of Oracle Entitlements Server 10.1.4.3 Tech Overview

Page 1:

Oracle Entitlements Server 10.1.4.3 - Entitlements Server

Feature overview

Igor Mineev, Oracle CIS

Page 2:

What will we cover?

• Oracle Access Management Suite

• Why it is not that simple

• What is Oracle Entitlements Server?

• Oracle Entitlements Server Security Modules

• Scalability options

• Installing OES

• Integration with other components of Oracle Access Management Suite

Page 3:

Oracle Identity & Access Management

(Product map: Identity & Access Management)

Access Management: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server, Web Services Manager, Authentication Service for OS

Identity Admin.: Identity Manager, Role Manager

Directory Services: Internet Directory, Virtual Directory

Audit & Compliance

Manageability: Enterprise Manager IdM Pack

Page 4:

Scope of application

IAM service: Implementation

Credential storage: OVD (+ OID where needed)

Authentication: OAM + OAAM

Authorization: OES + OAAM

Role management: ORM

Credential provisioning: OIM

Programming interface: OPSS

Page 5:

Oracle Access Management Suite 10g

Entitlements Server

• Management of entitlements

• Fine-grained authorization

Access Manager

• Access control for web applications

• Single Sign-On

Identity Federation

• SSO for loosely coupled systems

• Standards support (SAML, WS-Federation, Liberty)

Adaptive Access Manager

• Risk-based authorization

• Real-time prevention of fraud attempts

Page 6:

What is an entitlement?

Page 7:

Why is it not that simple?

Complex scenarios

• Complex business scenarios reflecting legal requirements and corporate rules

• Multiple hierarchies

• Roles

• Resources

• Actions

• Attributes

Logic embedded in applications

• Security logic is embedded in applications

• Hard to change

• Incompatible policies may exist

• Centralized policy management is impossible

• Access auditing may be difficult

Diverse security technologies

• Existing systems

• User directories

• Web SSO

• Business processes

• ID propagation

• Integration with existing systems is required to obtain user identifiers and additional attributes

An entitlements system must provide centralized policy management and distributed policy enforcement

Page 8:

Possible usage scenarios (banking application example)

Operations: Read/Write, Read, Write, Limited read

Role hierarchy: Manager, Account administrator, Analyst, Bank client

Resource hierarchy (banking application): Account management; Reporting (Period report, Summary report)

Attributes: Location (Russia: Moscow, Novosibirsk: Petrovskoye branch); Org. structure (Department head, Chief accountant, Auditor, Cashier); Date/Time (non-working days, 9:00 to 18:00)

Page 9:

Oracle Entitlements Server

(Diagram: users, in-house applications, services and packaged applications send an access request to Oracle Entitlements Server for an entitlement check; OES answers Allow or Deny, drawing on entitlement data held in databases and user directories.)

Oracle Entitlements Server (OES) is a fine-grained entitlements management solution that provides centralized policy administration and distributed policy enforcement for applications running in a variety of architectures

Page 10:

Typical OES use cases

Requirement: Bind the user interface to roles

OES provides:

• Dynamically change the application interface

• Restrict a user's access to the application interface under certain conditions

Requirement: Allow specific users access to applications

OES provides:

• Transparent integration with web SSO systems and corporate identity management systems

• Delegation of authority to other users while a user is absent, or in other situations

Requirement: Restrict access to data

OES provides:

• Different views of a shared customer database for different organizations

• Close access to employee information and salaries for everyone except department heads

• Show credit history only for clients located in the same region as the call center

Requirement: Restrict application functionality

OES provides:

• Only senior managers may execute stock sale transactions exceeding 10,000,000 rubles less than half an hour before the exchange closes

Page 11:

OES runs in:

Page 12:

Entitlements basics

• PAP (PMA) – Policy Administration Point (Policy Management Authority)

• Centralized policy management

• PDP – Policy Decision Point

• Evaluation of requests against the existing policies

• PEP – Policy Enforcement Point

• Enforcement of PDP decisions

• PIP – Policy Information Point

• Supplies the information needed to evaluate requests

Page 13:

General schema

Page 14:

Oracle Entitlements Server architecture

(Diagram: a Policy Administrator manages policies in the Administration Server (PAP), backed by the OES Policy Store; policies are distributed to Security Modules (PDP) that sit with the applications; each application enforces decisions through a Policy Enforcement Point (PEP); the Security Modules consult Policy Information Points for attributes.)

Page 15:

Oracle Entitlements Server architecture (PAP)

(Diagram: the Administration Server comprises the Admin Console, the Business Logic Manager (BLM), the Policy Distributor and the Policy Loader for bulk policy import, all backed by the Policy Database; the Policy Distributor pushes policy to the SSMs.)

Page 16:

OES administration server (PAP)

• Tool for administering policies for enterprise applications.

• Distributes policies to the Security Modules.

• Provides report generation and policy simulation

• Supports delegated administration

• Supports WebLogic Server, Tomcat and WebSphere.

Page 17:

OES object structure

• Organizations can represent companies, departments and other business units.

• Applications are the organization's software (web applications, Java ...)

(Diagram: each Organization holds credentials and is managed by a System Administrator; each Application under it holds Resources, Roles, Actions and Policies and is managed by an Application Administrator.)

Page 18:

System administrator role

• Pop-up panel for defining the administrator role.

Page 19:

Application administrator role

• Create

• Modify

• Remove

• Clone

• Move

Page 20:

Authorization policies

Grant (view, /app/Sales/RevenueReport, /role/Manager) if region = “East”;

(Diagram: an authorization request names an Action (Read, Write, View), a Resource and a Subject, which map to Application Objects; the Constraint is a Boolean over Attributes and Eval Functions read from External Data and Identity Store(s); the Effect of the authorization response is Grant, Deny or Delegate.)

Page 21:

Role policies

Grant (/role/Executive, /app/Sales/, /sgrp/manager) if level > 5;

(Diagram: as for authorization policies, but the Effect (Grant, Deny or Delegate) applies to a Role rather than an action; Resources and Subjects map to Application Objects, and the Constraint is a Boolean over Attributes and Eval Functions read from External Data and Identity Store(s).)

Page 22:

OES Policy Management

• OES policies grant or deny roles or privileges to users, groups, or roles subject to a set of constraints

• Policies are scoped to an application or an application resource

• OES policies have the following form:

Effect (Role | Privilege, Resource, Subject) Constraint

• Effect: Grant, Deny, or Delegate

• Role: A specific role to be granted or denied

• Privilege: Resource-specific action (get, view, transfer)

• Resource: Protected object (Portlet, EJB, Account …)

• Subject: User, Group, Role

• Constraint: Expression operating on Attributes (Date, Time, Environment, User, Group, Role, Custom)

Page 23:

OES Access Policy

• An OES access policy is used to grant or deny privileges on resources in the application to specific users, groups, or roles

• Example access policies

• Grant the “view” privilege for the application reports if the user is a bank manager (the UnitManagers group) and is in the same business unit as the report

Grant (view, //app/Reports, //group/UnitManagers) if Reports.BusinessUnit=user.BusinessUnit

• Grant the transfer privilege on the account if the user is in the list of account owners and the request is below the account limit

Grant (transfer, //app/account, everyone) if user IN account.owners AND transferrequest <= transferlimit

• Return entitlements information (e.g. the account transfer limit) as part of the entitlements decision

Grant (transfer, //app/account, everyone) if user IN account.owners AND (REPORT_AS(transferlimit))

Page 24:

OES Role Policy

• An OES role policy is used to dynamically determine role membership

• Role policies are always scoped to a resource or set of resources

• Example role policies

• Grant the role “BankManager” for the resource “AccountReports” to everyone whose job title is “BankManager”

Grant (//role/BankManagers, //app/AccountReports, everyone) if (User.JobTitle=BankManager)

• Deny the “Analyst” role to anyone who has the “Trader” role in the “Brokerage” application

Deny (//role/Analyst, //app/Brokerage, //role/Trader)

• Temporarily delegate John’s “Approver” role in the “AcctsPayable” application to members of John’s group while John is on vacation

Delegate(//role/Approver, //app/AcctsPayable, //grp/JReports, John) if (date > 08/01/06) and (date < 08/10/06)
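The policy form from pages 22 to 24, worked as runnable code. This is an added example and not OES code or its evaluator: it implements a toy evaluator for Effect (Role | Privilege, Resource, Subject) if Constraint, loads the four sample access and role policies from pages 23 and 24 (including the REPORT_AS output of transferlimit), and evaluates them against constructed user, resource and request attributes. The layout of the request context (user, resource and request maps), hierarchical resource matching, the treatment of static_roles as roles asserted by the identity store, and the deny-overrides combining rule are assumptions made for illustration, not documented OES semantics; Delegate is not modelled.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set

# Request context handed to the evaluator: "user", "resource" and "request" attribute
# maps. This layout is an assumption for the example, not an OES API.
Ctx = Dict[str, Dict[str, Any]]


@dataclass
class Policy:
    """One policy in the slides' form: Effect (Role | Privilege, Resource, Subject) if Constraint."""
    effect: str                                   # "Grant" or "Deny" (Delegate not modelled)
    target: str                                   # privilege such as "view", or a role such as "//role/Analyst"
    resource: str                                 # resource node the policy is scoped to
    subject: str                                  # "everyone", "//group/X", "//role/X" or a user name
    constraint: Callable[[Ctx], bool] = lambda ctx: True
    report_as: Dict[str, Callable[[Ctx], Any]] = field(default_factory=dict)  # REPORT_AS outputs


class Engine:
    def __init__(self, policies: List[Policy]):
        self.policies = policies

    @staticmethod
    def _resource_matches(policy_res: str, request_res: str) -> bool:
        # Resources are hierarchical: a policy on //app/Reports also covers //app/Reports/Q1.
        return request_res == policy_res or request_res.startswith(policy_res.rstrip("/") + "/")

    @staticmethod
    def _subject_matches(subject: str, ctx: Ctx, roles: Set[str]) -> bool:
        user = ctx["user"]
        if subject == "everyone":
            return True
        if subject.startswith("//group/"):
            return subject[len("//group/"):] in user.get("groups", [])
        if subject.startswith("//role/"):
            return subject in roles
        return subject == user.get("name")

    def roles(self, resource: str, ctx: Ctx) -> Set[str]:
        """Role policies: compute dynamic role membership for one resource.
        Combining rule (an assumption, not OES semantics): Deny overrides Grant."""
        known = set(ctx["user"].get("static_roles", []))   # roles asserted by the identity store
        granted, denied = set(), set()
        for p in self.policies:
            if not p.target.startswith("//role/") or not self._resource_matches(p.resource, resource):
                continue
            # A role-policy subject may itself be a role; roles granted earlier in the list count.
            if self._subject_matches(p.subject, ctx, known | granted) and p.constraint(ctx):
                (granted if p.effect == "Grant" else denied).add(p.target)
        return (known | granted) - denied

    def decide(self, privilege: str, resource: str, ctx: Ctx):
        """Access policies: returns (decision, reported attributes).
        Deny overrides Grant; a request matching no policy is denied (fail closed)."""
        roles = self.roles(resource, ctx)
        decision, reported = "Deny", {}
        for p in self.policies:
            if p.target != privilege or not self._resource_matches(p.resource, resource):
                continue
            if self._subject_matches(p.subject, ctx, roles) and p.constraint(ctx):
                if p.effect == "Deny":
                    return "Deny", {}
                decision = "Grant"
                reported.update({name: fn(ctx) for name, fn in p.report_as.items()})
        return decision, reported


def build_engine() -> Engine:
    """The four sample policies from pages 23 and 24, written as Policy objects."""
    return Engine([
        # Grant (//role/BankManagers, //app/AccountReports, everyone) if (User.JobTitle=BankManager)
        Policy("Grant", "//role/BankManagers", "//app/AccountReports", "everyone",
               lambda c: c["user"].get("JobTitle") == "BankManager"),
        # Deny (//role/Analyst, //app/Brokerage, //role/Trader)
        Policy("Deny", "//role/Analyst", "//app/Brokerage", "//role/Trader"),
        # Grant (view, //app/Reports, //group/UnitManagers) if Reports.BusinessUnit=user.BusinessUnit
        Policy("Grant", "view", "//app/Reports", "//group/UnitManagers",
               lambda c: c["resource"].get("BusinessUnit") == c["user"].get("BusinessUnit")),
        # Grant (transfer, //app/account, everyone)
        #   if user IN account.owners AND transferrequest <= transferlimit AND REPORT_AS(transferlimit)
        Policy("Grant", "transfer", "//app/account", "everyone",
               lambda c: c["user"]["name"] in c["resource"]["owners"]
               and c["request"]["amount"] <= c["resource"]["transferlimit"],
               report_as={"transferlimit": lambda c: c["resource"]["transferlimit"]}),
    ])


if __name__ == "__main__":
    # Constructed sample identities and account for a quick run.
    eng = build_engine()
    alice = {"name": "alice", "groups": ["UnitManagers"], "BusinessUnit": "East", "JobTitle": "BankManager"}
    acct = {"owners": ["alice", "carol"], "transferlimit": 1000}
    print(eng.decide("view", "//app/Reports/Q1", {"user": alice, "resource": {"BusinessUnit": "East"}, "request": {}}))
    print(eng.decide("transfer", "//app/account", {"user": alice, "resource": acct, "request": {"amount": 500}}))
```

Two points the slides make show up directly in the code: role membership is computed per resource and per request rather than stored, so the Trader/Analyst separation holds even if the identity store asserts both roles; and the transfer grant carries the limit back to the caller as a reported attribute instead of forcing the application to fetch it separately.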

Page 25:

OES – policy verification (simulation)

• Administrators can verify policy correctness before writing an application.

• Lets administrators try out various entitlement scenarios without involving development teams.

• Reduces testing and set-up costs.

Page 26:

OES architecture – SCM

(Diagram: the Service Control Manager (SCM) sits between the Admin Server and the SSMs, giving functional separation between administration and the external application. Each SSM is enrolled with the Admin Server and identified by an SSM Configuration ID; the Admin Server holds the SCM & SSM configuration, and enrollment data, policy data and configuration flow from the Admin Server (BLM) through the SCM to the SSM.)

Page 27:

Security Module Pluggable Framework

(Diagram: the OES Security Module exposes a Framework API to the external application and plugs in providers for Authentication, Authorization, Role Mapping, Auditing and Cred Mapping, backed by Identity Directories, Entitlements stores and secure audit logs.)

Authentication

• Integrate with LDAP, RDBMS, custom identity stores

• Leverage multiple stores simultaneously

• Assert identity from SSO or custom tokens

• Establishes JAAS Subject

Authorization

• Provide Grant/Deny decisions based upon policies

• Integrate external entitlement attribute data from LDAP, RDBMS, SDO

Role Mapping

• Dynamically map users to Roles based upon policy

Auditing

• Log messages generated by framework events

• Write to everything from log4j to secured filesystems and RDBMS

• Describe custom handlers for various events

Cred Mapping

• Translate credentials into custom formats

• Helps propagate identity across disparate systems

Page 28:

Distributed configuration

Page 29:

Centralized configuration

Page 30:

Security Module Configurations

Centralized PDP: Java API / RMI, .Net API, SOAP API, XACML 2.0

Embedded PDP: Oracle DB (with VPD), SharePoint (MOSS), WebLogic Server, Tomcat, WebSphere, Plain Old Java Object (POJO), Oracle Service Bus, Documentum Client/Content Server

SMs are kept synchronized with the central policy store

• Handle “push” from Admin Server

• Retrieve policy upon startup

• SMs maintain local persistent caches of relevant policy

• SMs maintain local caches of attribute and policy decisions

(Diagram: each Security Module contains the five providers of the pluggable framework: ATN (authentication), ATZ (authorization), RM (role mapping), AD (auditing) and CM (credential mapping).)

Page 31:

Integrating Enterprise Data Sources: Making Policy Decisions On Current Business Information

Standardized enterprise data sources can be easily integrated into OES policy decision points by an administrator.

• Relational Databases

• LDAP Directories

• Custom Sources

• Caching framework ensures performance for latency-sensitive decision points

• Data sources can be added or changed in minutes by an administrator

• Non-standard data sources can also be incorporated manually

(Diagram: the PDP inside the Security Module (ATN, ATZ, RM, AD, CM) reads attributes from LDAP, RDBMS and custom sources.)

Page 32:

OES and Developers: Policy Decisions and Enforcement

• OES Developer Tools

• OES Java API

• Automatic resource generation

• JSP tag library

• C# Client library

• ASP .NET tag library

Page 33:

Extensibility, Customization

• Extensibility points:

• Open provider interface to implement custom logic for all security services

• Support for custom plug-ins

• Policy evaluation functions

• Custom attribute retrievers

• Management API to implement custom management applications

• Ability to customize the Entitlement Management UI

• Customization is used by practically every deployed customer. The most popular extensions are

• Custom attribute retrievers and evaluation functions

• Custom Authentication providers

• Custom Audit providers

• Custom management applications

Page 34:

OES and Java Application (Centralized)

• OES provides a powerful PDP Proxy client for standalone PDP functions

• The PDP Proxy handles decision caching, logging and failover across SOAP and RMI Security Modules

• Make authorization decisions using shared policy across different applications

(Diagram: the Java Application calls the PDP Proxy, which keeps a Decision Cache and talks to a remote RMI-SM or WS-SM Security Module (ATN, ATZ, RM, AD, CM) holding the Policy Cache and the Identity Directory connection.)
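The PDP Proxy behaviour described on this page (decision caching, logging and failover across Security Modules), and the runtime failover the High Availability page later calls for, as an added example. This is not Oracle's PDP Proxy or its API: it is a small client-side proxy with a TTL decision cache, ordered failover between backends, and fail-closed behaviour when no backend is reachable. The two backends are constructed in-memory stand-ins for an RMI-SM and a WS-SM sharing one toy policy; the is_access_allowed name, the cache key, the TTL and the injectable clock are assumptions for illustration.

```python
import logging
import time
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("pdp-proxy")

# (subject, privilege, resource) -> True for Grant, False for Deny; raises on transport failure.
DecisionFn = Callable[[str, str, str], bool]


class BackendUnavailable(Exception):
    """Raised by a backend stand-in when the Security Module cannot be reached."""


class PDPProxy:
    """Client-side proxy: decision cache with TTL, ordered failover, fail-closed when all SMs are down."""

    def __init__(self, backends: List[Tuple[str, DecisionFn]], ttl_seconds: float = 30.0,
                 clock: Callable[[], float] = time.monotonic):
        self.backends = backends          # primary first, then secondaries
        self.ttl = ttl_seconds
        self.clock = clock                # injectable so the example can be exercised without sleeping
        self.cache: Dict[Tuple[str, str, str], Tuple[bool, float]] = {}   # key -> (decision, expires_at)
        self.stats = {"hits": 0, "misses": 0, "failovers": 0}

    def invalidate(self) -> None:
        """Drop every cached decision, e.g. when the Admin Server pushes new policy."""
        self.cache.clear()

    def is_access_allowed(self, subject: str, privilege: str, resource: str) -> bool:
        key = (subject, privilege, resource)
        now = self.clock()
        cached = self.cache.get(key)
        if cached is not None and cached[1] > now:
            self.stats["hits"] += 1
            return cached[0]
        self.stats["misses"] += 1

        last_error = None
        for name, ask in self.backends:
            try:
                decision = ask(subject, privilege, resource)
            except BackendUnavailable as exc:
                # Move on to the next SM; a transport failure is never turned into a Grant.
                self.stats["failovers"] += 1
                last_error = exc
                log.warning("Security Module %s unavailable: %s", name, exc)
                continue
            # Cache Deny as well as Grant so a denied caller cannot hammer the SM.
            self.cache[key] = (decision, now + self.ttl)
            log.info("%s: %s %s %s -> %s", name, subject, privilege, resource,
                     "Grant" if decision else "Deny")
            return decision

        # Fail closed: nothing cached and no SM reachable.
        raise BackendUnavailable(f"all Security Modules unreachable ({last_error})")


def make_demo() -> Tuple[PDPProxy, dict]:
    """Constructed stand-ins for an RMI-SM (primary) and a WS-SM (secondary) sharing one toy policy:
    alice may 'view' anything, everyone else is denied. The primary can be taken down via state."""
    state = {"primary_down": False, "calls": {"rmi-sm": 0, "ws-sm": 0}, "now": 0.0}

    def policy(subject: str, privilege: str, resource: str) -> bool:
        return subject == "alice" and privilege == "view"

    def rmi_sm(subject: str, privilege: str, resource: str) -> bool:
        state["calls"]["rmi-sm"] += 1
        if state["primary_down"]:
            raise BackendUnavailable("connection refused")
        return policy(subject, privilege, resource)

    def ws_sm(subject: str, privilege: str, resource: str) -> bool:
        state["calls"]["ws-sm"] += 1
        return policy(subject, privilege, resource)

    proxy = PDPProxy([("rmi-sm", rmi_sm), ("ws-sm", ws_sm)], ttl_seconds=30.0,
                     clock=lambda: state["now"])
    return proxy, state


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    proxy, state = make_demo()
    print(proxy.is_access_allowed("alice", "view", "//app/Reports"))   # served by rmi-sm
    state["primary_down"] = True
    print(proxy.is_access_allowed("bob", "view", "//app/Reports"))     # fails over to ws-sm
    print(proxy.stats)
```

The caveat a practitioner should keep in mind is the cache TTL: a cached Grant survives a policy change for up to ttl_seconds unless the proxy is told to invalidate, which is why the SM "push" from the Admin Server described on page 30 matters as much as the cache itself.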

Page 35:

OES and Java Application (Embedded)

• Changing from Centralized to Embedded is a simple configuration change.

• No code changes required in the application.

(Diagram: the Java-SM Security Module (ATN, ATZ, RM, AD, CM), with its Policy Cache, Decision Cache and Identity Directory connection, runs in-process behind the same PDP Proxy inside the Java Application.)

Page 36:

OES and Oracle RDBMS

(Diagram: the Oracle-SM runs inside the Oracle Server with VPD as an OES plug-in invoked from a Java stored procedure and a LOGON trigger; policy is synced from the Admin Server into a Policy Cache in DB storage. Flow: the user issues “select * from courses;”; the user context (user, resource, SQL action) is evaluated against the policy; the resulting “where course_id = …” predicate is applied and only the protected results are returned.)

grant(select, //DB/University/Engineering/Students, John)

report_as(“Apply_Where”, “course_id=CS100 or course_id=CS200”)
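The flow on this page, as an added example rather than the Oracle-SM or Oracle VPD itself: a grant whose REPORT_AS carries an Apply_Where predicate, applied to the application's own query before it reaches the table, so the caller sees only the rows the policy allows. It uses sqlite3 from the Python standard library in place of Oracle; the policy table, the courses rows, the decide() stand-in and the predicate shape check are constructed for the example. The predicate text comes only from the policy store, never from the end user, which is what makes attaching it to the statement acceptable; the shape check is defence in depth against a bad or tampered policy entry.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

RESOURCE = "//DB/University/Engineering/Students"

# Constructed policy store: (privilege, resource, subject) -> Apply_Where predicate.
# None means the grant carries no row filter. John's entry mirrors the slide.
POLICIES = {
    ("select", RESOURCE, "John"): "course_id = 'CS100' OR course_id = 'CS200'",
    ("select", RESOURCE, "Dean"): None,
}

# Defence in depth: a policy predicate is trusted configuration, but a typo or a tampered
# policy entry should still not be able to smuggle in a second statement or a comment.
PREDICATE_SHAPE = re.compile(r"^[A-Za-z0-9_ '=<>().]+$")


def decide(privilege: str, resource: str, user: str) -> Tuple[bool, Optional[str]]:
    """Stand-in for the Oracle-SM decision: (granted, Apply_Where predicate)."""
    if (privilege, resource, user) not in POLICIES:
        return False, None          # no matching grant -> fail closed
    return True, POLICIES[(privilege, resource, user)]


def protected_query(conn: sqlite3.Connection, user: str, base_sql: str) -> List[str]:
    """Run the application's own SQL with the policy's row filter applied, VPD-style, and
    return the first column of the result, sorted. The filter is attached by wrapping the
    statement, so it works whether or not base_sql already has a WHERE clause, and the
    application code never has to know about it."""
    granted, where = decide("select", RESOURCE, user)
    if not granted:
        raise PermissionError(f"{user}: select on {RESOURCE} denied")
    if where is not None:
        if not PREDICATE_SHAPE.match(where):
            raise ValueError("policy predicate rejected by shape check")
        sql = f"SELECT * FROM ({base_sql}) AS protected WHERE {where}"
    else:
        sql = base_sql
    return sorted(row[0] for row in conn.execute(sql))


def setup_db() -> sqlite3.Connection:
    """Constructed sample table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (course_id TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO courses VALUES (?, ?)", [
        ("CS100", "Intro to CS"), ("CS200", "Data Structures"),
        ("CS300", "Compilers"), ("EE101", "Circuits"),
    ])
    return conn


if __name__ == "__main__":
    db = setup_db()
    print(protected_query(db, "John", "SELECT * FROM courses"))   # only CS100 and CS200
    print(protected_query(db, "Dean", "SELECT * FROM courses"))   # unrestricted grant: all rows
```

Note what is and is not enforced here: a user with no grant is refused before any SQL runs, a user with a filtered grant cannot widen the result by adding their own WHERE clause (the wrapper narrows whatever they ask for), and the filter text is never built from request input.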

Page 37:

OES and .NET

• Externalize security for .NET based applications

• OES ships with a C# client for standalone PDP functions

• Authenticate against Active Directory (or ADAM)

• Make authorization decisions using shared policy across different applications

(Diagram: the .NET Application uses the OES C# Client, which authenticates against Active Directory and calls a Web Services-SM Security Module (ATN, ATZ, RM, AD, CM) holding the Policy Cache.)

Page 38:

OES and SharePoint

• OES protects

• Web Sites

• Web Pages

• Web Parts

• List Items

• Custom page content

• Any ASP page

• Standalone SM supported – may be shared by multiple SharePoint servers

• Resource discovery of existing SharePoint assets

(Diagram: on the .NET SharePoint 2007 server host, an OES custom HTTP Module and OES Controls in the web pages and web parts fetch entitlements from a WS-SM Security Module (ATN, ATZ, RM, AD, CM).)

Page 39:

Lifecycle support: Evolve Security Policy Without Changing Applications

(Diagram: Oracle Entitlements Server at the center, shared by administrators and regulatory bodies, application administrators, developers and the security officer.)

Page 40:

Massive Scalability Case Study

Page 41:

Oracle Entitlements Server (OES) Case Study

Retail Banking Customer Requirements

• Ability to model a complex set of business policies

• Ability to support a big user population with a complex set of entitlements

• Ability to support a complex infrastructure with multiple functional components

• Ability to support multiple environments (.NET, Web Services)

• Ability to support high load

Page 42:

Use Cases

• Run time use cases

• Login, view list of accounts and available services

• View account details and available services

• Transfer to account

• Administration use cases

• Create sub-user

• Grant sub-user access to some services and set transfer limit

• Designate user as Administrator by CSR

(Diagram: Login Host (WLS), Details Host (.NET), Application Web Service on WLS, and the Users and Accounts Database.)

Page 43:

Requirements - User Base

• A user can be a Primary User or a Sub-User. A Primary User can be an Administrator. An Administrator may have Sub-Users

• 1-to-1 mapping between Primary Users and Customers

• A Customer/Primary User may have multiple accounts

Primary Users: 24,000,000

Administrators: 1,000,000

Number of Sub-Users per Administrator: 0-150

Average number of Sub-Users per Administrator: 5

Total Users (approximate): 30,000,000

Page 44:

Requirements - Accounts and Entitlements

• A Customer may have many accounts

• A Customer is associated with one of 5 segments and one of 9 banks

• An Account may be one of 6 types

• A User may be enrolled in one of 3 services

• A Sub-User has access to a subset of the services available to the Admin

• A Sub-User's transfer limit is defined by the Admin

• A User's transfer limit is defined by a daily limit and a segment-specific limit

Max number of accounts per customer: 1000

Average number of accounts per customer: 2.43

Total Accounts (approximate): 60,000,000

Page 45:

Requirements - Complex Policies

• Run Time Policies (simplified examples)

• Transfer between accounts is granted if both accounts are in good status, the amount does not exceed the transfer limit, and transfer is allowed for both accounts.

• Transfers of less than $4,000 are not allowed from Home Equity accounts in certain states

• Transfer is denied to a particular account type

• Transfer is allowed only from particular account types for particular banks

• Wire Service is available only if the user is enrolled in Wire Service, has access to the account, and the account is of a certain type and in good standing

• Administration Policies (simplified examples)

• Only an Admin can grant services and define transfer limits for sub-users

• An Admin can grant services and define transfer limits only for his/her own sub-users

• An Admin can grant only services he/she has

• Only a CSR can designate a Primary User as an Admin

Page 46:

Performance Requirements

• Latency (by number of accounts per customer)

Number of accounts per customer   90% of customers   10% of customers   Average

Mean number of accounts           < 250 ms           < 2 sec            < 250 ms

Max number of accounts            < 1 sec            < 10 sec           < 1 sec

• Throughput

Transaction              Peak Busy Hour          Peak Busy Minute

Login/List of Accounts   400,000 (111 tps)       9,000 (150 tps)

Account Details          114,286 (32 tps)        2,571 (43 tps)

Transfer                 57,143 (16 tps)         1,286 (21 tps)

                         Sustained for 4 hours   Sustained for 10 min

• Login latency – contributed by entitlement processing

Page 47:

Testing Approach - Site Infrastructure

(Diagram: two blocks, Block 1 and Block 2, each behind an Ethernet Switch with a Load Runner Agent; each block has two Login Hosts, one Details Host and two App Hosts. Shared back end: the OES Admin Server and the Database Server with the OES DB (Users, Entitlements) and the Accounts DB (Accounts, Customers).)

• 1 Block – 2 Login Hosts, 1 Details Host, 2 MMS Hosts

• By increasing the number of blocks we can linearly increase the performance of the test site

Page 48:

Generating Test Data

• The list of users (30,000,000) was generated using US Census Bureau data on the most frequent first and last names.

• A program was written to generate user, customer, account and entitlement records in accordance with the required distribution.

Users: 30,000,000

Administrators: 999,588

Sub-Users: 5,009,181

Customers: 24,990,819

Accounts: 60,630,229

Customers with 10 accounts or more: 649,690

Customers with 20 accounts or more: 489,946

Customers with 100 accounts or more: 244

Customers with 500 accounts or more: 101

Customers with 1000 accounts or more: 40

Page 49:

Results at a Glance

• Test hardware vs. production hardware

Host          Test                                      Production

Login         Sun Fire V440, 4 CPUs, 1.2GHz, 8GB RAM    Sun Fire V1280, 8 CPUs, 24GB RAM

Details       Sun Fire V440, 4 CPUs, 1.2GHz, 8GB RAM    HP ProLiant DL580, 8 CPUs, 3GHz, 8GB RAM

Application   Sun Fire V440, 4 CPUs, 1.2GHz, 8GB RAM    Sun Fire V440, 4 CPUs, 1.2GHz, 8GB RAM

• Throughput: met the Peak Busy Hour requirement with 106 logins/sec

• Latency: OES added just 41 ms to login, with a total login latency of 213 ms

Page 50:

Test Results – Total Latency

• Latency increase at Peak Busy Minute indicates the system is loaded to capacity

• Adding hardware will “flatten” the line.

(Chart: Latency (sec) for customers with the mean number of accounts, 0.00 to 1.40 sec on the vertical axis, over the 4h19m run (Hour:Min) on the horizontal axis; series: Logins, Details, Transfer, Choose Account for Transfer; PBM marks the Peak Busy Minute.)

Page 51:

Test Results - Scalability of a Block

• Dashed lines indicate 1 Block, solid lines indicate 2 Blocks

• Throughput of the system can be “linearly” increased by increasing the number of blocks

(Chart: Transactions per Second, 0 to 160 on the vertical axis, over the 4h19m run (Hour:Min) on the horizontal axis; series: Logins, Details, Transfer for 2 blocks and Logins-1, Details-1 for 1 block.)

Page 52:

High Availability - Runtime

• The Security Module/PDP continues to provide security services even if external components it relies on (such as the authentication database, for example) become unavailable.

• Failover for authentication sources

• Failover for entitlement sources (attribute retrievers)

• Failover for Credential Mapper sources

• For data replication between data sources we recommend using a vendor-specific approach or solutions like Oracle RAC

• Runtime independence of the SM/PDP from the Admin Server

(Diagram: in the application environment, the Security Module's Security Framework hosts Authentication, Role, Authorization, Auditing and Credential providers; the authentication providers fail over from a primary to a back-up authentication source, and the entitlement providers from a primary to a back-up entitlements source, each pair kept in sync by source-specific replication.)

Page 53:

High Availability – Management Time

• OES continues to provide policy modification and distribution functionality even if external components it relies on (such as the Admin Server, for example) become unavailable

• Support for primary and secondary Admin Server

• Support for primary and secondary Admin Policy Store

• Support for Oracle RAC

• Support for transactional management operations

• Support for transactional policy distribution

Page 54:

High Availability – Management Time

(Diagram: SSMs in application environments in New York, London and Tokyo; a Primary Admin Server with the Primary OES DB and a Secondary Admin Server with the Secondary OES DB, kept in sync by RDBMS-specific replication; OES Administrators work against either Admin Server.)

Page 55:

High Availability – Management Time

(Same diagram as the previous page, with the database and administrators labelled by the product's earlier name, ALES: Primary Admin Server with Primary ALES DB, Secondary Admin Server with Secondary ALES DB, SSMs in New York, London and Tokyo, ALES Administrators.)

Page 56: Installing OES…

Diagram: Oracle WebLogic Server 10.3 hosting OES Admin, with an Oracle DB, a Webservice SSM, a .Net SSM and an Oracle SSM; the default SCM is deployed during OES Admin installation.

Pages 57-65: Installing OES…

Pages 66-68: Installing OES SM…

Page 69: Configuring OES SM… (Authentication Provider)

Page 70: Configuring OES SM… (Credential Mapping Provider)

Page 71: Configuring OES SM… (Attribute Retriever)

Page 72: OES : Oracle SM

• The primary method of enforcing protection is through a “where” SQL clause.

• Protection is limited to “select”, “update” and “delete” SQL statements.

• An OES policy can return a “deny”, which prevents execution of the underlying query.

• An OES policy can return an unrestricted allow, which lets the query execute without any restrictions.

• Using the “report_as” clause, an OES policy can generate a “where” clause predicate that is applied as a restriction. For example, if OES generates the predicate “DEPT = 101”:

• Original query: Select * from orders

• New query: Select * from orders where DEPT=101

Page 73: OES : Oracle SM

• The WebService SSM acts as the PDP.

• Oracle-SSM is implemented by an Oracle Java Stored Procedure (JSP), which forwards authorization requests to the WebService SSM (a JSP is functionally similar to a PL/SQL stored procedure, but is written in Java).

• Supporting Java libraries: the following third-party modules are loaded into the Oracle schema to support the OES Java Stored Procedure:

• saaj.jar

• jaxrpc.jar

• wsdl4j.jar

• log4j.jar

• commons-logging.jar

• commons-discovery-0.2.jar

• axis.jar

• ssmwsClientStub.jar

• FGACIdentityAsserter (Identity Asserter provider)

• This provider allows Oracle-SSM to rely on the Oracle DB to authenticate users.

Page 74: OES : Oracle SM – architecture

Diagram: Oracle-SM inside an Oracle Server with VPD: DB Storage, a Policy Cache, the OES Plug-in implemented as a Java Stored Procedure, and a LOGON trigger; policy is synced from the Admin Server into the Security Module (ATN ATZ RM AD CM). Example policy shown on the slide:

grant(select, //DB/University/Engineering/Students, John)

report_as(“Apply_Where”, “course_id=CS100 or course_id=CS200”)

Flow: the query “select * from courses;” and the user context (user, resource, sql action) go to the plug-in, which returns the predicate “where course_id = …” and the protected results.

Page 75: OES - Oracle SM

Mapping of an Oracle SQL statement onto the OES policy model, for the statement:

select * from sales where ORDER > 10005

• select → OES privilege name: select

• sales → OES resource name: app-root-node/<Oracle-SID>/<db-schema-name>/sales

• db-user → OES user name: //user/<identity-dir>/db-user

• Need for Mapping

• Fit Oracle users, schema, table etc. into OES policy model

• Allow sharing of users with other applications

Page 76: OES : Oracle SM – authentication

Sequence (participants: sqlplus client, Oracle-DB, OES Login Trigger, Webservice-ssm, FGACIdentityAsserter):

1. User Login (sqlplus client → Oracle-DB)

2. Call Trigger (Oracle-DB → OES Login Trigger)

3. Authenticate with webservice-ssm (OES Login Trigger → Webservice-ssm)

4. Call IdentityAsserter (Webservice-ssm → FGACIdentityAsserter)

5. User Authenticated

Page 77: OES : Oracle SM – authorization

Sequence (participants: sqlplus client, Oracle-DB, OES JSP plug-in, Webservice-ssm (ARME)):

1. select * from table (sqlplus client → Oracle-DB)

2. Call FGAC plug-in (Oracle-DB → OES JSP plug-in)

3. Map request to OES format and make WS isAccess() call (OES JSP plug-in → Webservice-ssm (ARME))

4. Evaluate OES policy queries and insert constraints (from report_as())

5. Return constraint as a SQL “where” predicate

6. Return results using OES predicate
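The decision rules of slide 72 (deny, unrestricted allow, or an allow carrying a report_as predicate) and the rewrite step of slide 77, as an added example that is not OES code: a small Python model of the isAccess() lookup and of how the returned predicate is AND-ed onto the statement. The policy store, resource paths, users and table names are constructed; the WHERE handling is a regex simplification (in the product the predicate is enforced by the database), so it does not cope with subqueries or string literals containing "where".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy store, keyed (privilege, resource, user). Resource paths follow the
# app-root-node/<Oracle-SID>/<db-schema-name>/<table> shape from the slides; values are made up.
POLICIES = {
    ("select", "//app/ORCL/HR/orders", "John"): ("allow", "DEPT = 101"),  # report_as("Apply_Where", ...)
    ("select", "//app/ORCL/HR/orders", "Alice"): ("allow", None),          # unrestricted allow
    ("delete", "//app/ORCL/HR/orders", "John"): ("deny", None),            # hard deny
}

@dataclass
class Decision:
    effect: str                      # "allow" or "deny"
    predicate: Optional[str] = None  # WHERE predicate carried by report_as("Apply_Where", ...)

class AccessDenied(Exception):
    pass

def is_access(privilege: str, resource: str, user: str) -> Decision:
    """Stand-in for the isAccess() web-service call: look the policy up; no matching policy means deny."""
    effect, pred = POLICIES.get((privilege.lower(), resource, user), ("deny", None))
    return Decision(effect, pred)

_STMT = re.compile(r"^\s*(select|update|delete)\b", re.IGNORECASE)
_WHERE = re.compile(r"\bwhere\b", re.IGNORECASE)
_TAIL = re.compile(r"\b(group\s+by|having|order\s+by)\b", re.IGNORECASE)

def apply_decision(sql: str, decision: Decision) -> str:
    """Rewrite the statement the way the plug-in does with the returned decision.
    Deny raises; an allow without predicate passes the SQL through unchanged; an allow with a
    predicate AND-s it onto the statement's WHERE clause (creating one if there is none)."""
    if decision.effect == "deny":
        raise AccessDenied("policy denied the statement")
    if decision.predicate is None:
        return sql
    if not _STMT.match(sql):
        raise ValueError("only select, update and delete statements are protected")
    body = sql.rstrip().rstrip(";")
    m = _WHERE.search(body)
    if m is None:
        return f"{body} where {decision.predicate}"
    head, rest = body[:m.start()].rstrip(), body[m.end():].strip()
    # Keep GROUP BY / HAVING / ORDER BY after the combined condition, not inside the parentheses.
    t = _TAIL.search(rest)
    cond, tail = (rest[:t.start()].strip(), " " + rest[t.start():]) if t else (rest, "")
    return f"{head} where ({cond}) and ({decision.predicate}){tail}"

def protected_query(sql: str, user: str, resource: str) -> str:
    """End to end: derive the privilege from the SQL verb, ask the PDP, then rewrite or refuse."""
    m = _STMT.match(sql)
    privilege = m.group(1) if m else "other"
    return apply_decision(sql, is_access(privilege, resource, user))
```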

Page 78: DEMO

Page 79: Oracle Access Management Functional Architecture

Page 80: Oracle Access Management Functional Capabilities

Diagram: capabilities grouped under Authentication and Security: Authentication, Single Sign-On, ID Assertion, Authorization, WS Security, Fraud Detection, Entitlements, ID Federation, Data Security.

Page 81: Functional Architecture

• Authentication & SSO

• Policy driven user authentication

• Challenge schemes, credential collection/validation

• SSO and session management

• Cross domain SSO, federated identity management

• Identity Assertion

• Provides authenticated identities to applications, portals, and web services

• Entitlements & Authorization

• Enforcing granular access in application environments

• Enforce data level security

Page 82: Oracle Access Management Functional Architecture

Diagram: Web Tier, Application Tier and Data Tier. Oracle Access Manager, the Federation Service and Oracle Adaptive Access Manager provide Authentication & SSO and Identity Assertion; Oracle Entitlements Server (shown in both the application and data tiers) provides Entitlements & Authorization.

Page 83: Oracle Access Management: OAM and Application Integration

Sequence (participants: Oracle Access Manager with Authentication and Single Sign-On, and the Applications):

1. Check URL Access

2. Challenge for Credentials

3. Validate Credentials

4. Set Session Cookie

5. Authorize URL Access

6. Assert Authenticated Identity

ID Assertion is delivered as HTTP Header Variables, Windows Users or a JAAS Subject.

Page 84: Oracle Access Management: OAM and OES, Part I

Sequence (participants: Oracle Access Manager with Authentication, Single Sign-On and ID Assertion; Oracle Entitlements Server with Authorization and Entitlements):

1. Check URL Access

2. Challenge for Credentials

3. Validate Credentials

4. Set Session Cookie

5. Authorize URL Access

6. Assert Authenticated Identity

7. Fine-grained Resource Access

Page 85: Oracle Access Management: OAM and OES, Part II

Sequence (participants: Oracle Access Manager with ID Assertion; Oracle Entitlements Server with Authorization and Entitlements):

6. Assert Authenticated Identity

7. Retrieve Trusted Subject, Resource Request, & Security Context

8. Dynamic Role Evaluation

9. Retrieve Additional Attributes

10. Check Application Authorization Policy Against Subject/Roles + Resource/Action

11. Enforce Fine Grained Resource Access

Page 86: Oracle Access Management: OAM and OES, Part III

Sequence (participants: Oracle Access Manager with ID Assertion; Oracle Entitlements Server with Entitlements and Data Security):

6. Assert Authenticated Identity

7. Retrieve Subject, Security Context, Data Request

8. Dynamic Role Evaluation

9. Retrieve Additional Attributes

10. Check Data Access Policy

11. Enforce Fine Grained Data Access

12. Redact Data From Application/End User

Page 87: Oracle Access Management: OAAM and OES, Part I

Sequence (participants: Oracle Adaptive Access Manager with Authentication Security and Fraud Detection; Oracle Entitlements Server with Authorization and Entitlements):

6. User/Session ID

7. Retrieve Trusted Subject, Resource Request, & Security Context

8. Evaluate Context Data and Compute Risk Score

9. Return Risk Score Attribute To OES

10. Enforce Fine Grained Application Access Policy with Risk Obligations

Page 88: Oracle Access Management: OAAM and OES, Part II

Sequence (participants: Oracle Adaptive Access Manager with Authentication Security and Fraud Detection; Oracle Entitlements Server with Authorization and Entitlements):

6. User/Session ID

7. Resource Request

8. Evaluate Context Data and Compute Risk Score

9. Present Knowledge-Based Authentication Challenge or OTP

10. Recalculate Risk Score Based on Secondary Challenge

11. Return New Risk Score Attribute To OES

12. Enforce Fine Grained Policy

Page 89: Oracle Access Management: OAAM and OAM

Sequence (participants: Oracle Access Manager with Authentication and ID Assertion; Adaptive Access Manager with Authentication Security and Fraud Detection):

1. Check URL Access

2. Evaluate Risk

3. Generate and Return Virtual AuthN Device

4. Authenticate with Virtual AuthN Device

5. Validate Credentials, Set SSO Cookie, Assert Identity

6. Evaluate Real Time Transaction Data

7. Calculate Risk for Transaction 1, Set Alert

8. Calculate Risk for Transaction 2, Block Transaction

9. Calculate Risk for Transaction 3, Set Secondary Knowledge-Based Authentication or One Time Pin

Page 90: Oracle Access Management: OAM and OIF

Sequence (participants: Oracle Access Manager with Authentication and Single Sign-On; Identity Provider with Federation Services; Service Provider with Federation Services):

1. User Requests Protected Resource, OIF Redirects to OAM for Authentication

2. Challenges User, Authenticates Credentials

3. Set SSO Cookie, Asserts Authenticated Identity to Federation Service

4. IdP Generates Authentication Assertion, Sends Signed/Encrypted Assertion to Service Provider

5. SP Consumes Authentication Assertion, Locally Authenticates User, Redirects to Protected Resource

Page 91: Oracle Access Management: OES and OWSM

Sequence (participants: Oracle Entitlements Server with Authorization and Entitlements; Oracle Web Services Manager with WS Security):

1. User invokes secured web service

2. Retrieve Trusted Subject, Service Request

3. Dynamic Role Evaluation

4. Retrieve Message Context

5. Check Application Authorization Policy Against Subject/Roles + Resource/Action

6. Provide service access decision to OWSM

7. Enforce Fine Grained Service Access

Page 92: Oracle Access Management: OAM and OWSM

Sequence (participants: Oracle Access Manager with Authentication and Single Sign-On; Oracle Web Services Manager with WS Security):

1. Challenges User, Authenticates Credentials

2. Set SSO Cookie, Asserts Authenticated Identity to Portal

3. Portal Invokes Remote Web Service on User’s Behalf

4. PEP Intercepts Request and Checks for SSO Cookie

5. SSO Cookie Verified by OAM, Service Access Allowed

Page 93: DEMO

Page 94: OAM+OAAM+OES integration

Page 95: OAM+OAAM+OES integration

Page 96: OAM+OAAM+OES integration

JSP tags:

<%
// The OES handle is stored in the HTTP session by the integration; every check passes the
// asserted user id (from the OAM header), an OES resource name and an action.
OES security = (OES) session.getAttribute("security");
%>

<%
// Field-level protection: show the phone number only if the policy allows "view" on it.
if ( security.authorize( request.getHeader("UserId"), "mybank/customer/phone", "view" ) )
    out.print(session.getAttribute("phone"));
else
    out.print("(***) ***-****");
%>

<%
// Function-level protection: one decision drives both the page text and the control state.
boolean canTransfer = security.authorize( request.getHeader("UserId"), "mybank/transfer", "transfer" );
%>
<% if ( canTransfer ) { %>
Here you can move money between your accounts. Please note that you are allowed up to six (6) transfers per month. Transfers to Home Equity Lines of Credit may be subject to additional regulations.
<% } else { %>
We're sorry, but you are unable to perform transfers between accounts. Please contact a <a href="www.oracle.com">Customer Representative</a> for additional information or questions.
<% } %>

<%-- Emitted inside the transfer control's tag so the control is disabled when the policy denies --%>
<% if ( !canTransfer ) out.print("disabled=true"); %>

Page 97