The Total Identity Management Solution

Transcript of The Total Identity Management Solution

  • 8/2/2019 The Total Identity Management Solution

    1/44

    Oracle Identity Management:

    The Total Identity Solution

    Matt Topper, mtopper(at)itconvergence.com

  • 2/44

    Agenda

    What is Identity Management?

    What are the Components?

    For each component:

    What does it do?

    What are the features?

    Where did it come from?

    How is it installed?

    How does it all tie together?

    What common problems does IdM solve?

    Common Deployment Scenarios

  • 3/44

    What is Identity Management?

    In information systems, identity management, sometimes referred to as identity management systems, is the management of the identity life cycle of entities (subjects or objects), during which:

    1. the identity is established:
       1. a name (or number) is connected to the subject or object;
       2. the identity is re-established: a new or additional name (or number) is connected to the subject or object;
    2. the identity is described:
       1. one or more attributes which are applicable to this particular subject or object may be assigned to the identity;
       2. the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed;
    3. the identity is destroyed.

    From Wikipedia, March 2007

  • 4/44

    Oracle Identity Management

    Then and Now

  • 5/44

    Classic Oracle IdM

    Oracle Internet Directory

    Oracle Delegated Administration Interface

    Oracle Single Sign On

    Oracle Certificate Authority

  • 6/44

    Oracle Internet Directory

    What does it do?

    What are the main features?

    LDAP v3 Compliant

    Dynamic Groups

    Replication

    Directory Integration Platform

    Password Policies

  • 7/44

    Oracle Internet Directory

    How is it deployed?

    [Deployment diagram components: Oracle Database and Metadata Repository; Oracle Application Server with OID (x2); Load Balancer; Microsoft Active Directory]

  • 8/44

    Oracle Directory Administration Service

    What does it do?

    What are the main features?

  • 9/44

    Oracle Directory Administration Service

    How is it deployed?

    [Deployment diagram components: Oracle Database and Metadata Repository; Oracle Application Server with OID (x2); Load Balancer (x2); Oracle Application Server with DAS (x2)]

  • 10/44

    Oracle Single Sign-On

    What does it do?

    What are the main features?

  • 11/44

    Oracle Single Sign-On Request Cycle

    [Sequence diagram components: Client PC; Oracle Application Server with Portal; Oracle Application Server with SSO; Oracle Application Server with OID; Oracle Database and Metadata Repository]

    Steps as labelled in the diagram:

    1. Initial Portal Request (no SSO cookie)
    2. Redirect to SSO Server
    3. Request Login Page
    4. Return Login Page
    5. Send Login and Password
    6. Bind Username and Password
    7. Validate Against Database Table
    8. Database Matches; Bind Success
    9. Redirect to Portal With SSO Cookie
    10. Portal Page Request With SSO Cookie
    11. Page Returned to Client Browser
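The request cycle on this slide, modelled as an added example that is not part of the deck: a portal that redirects cookie-less requests to an SSO server, which binds the submitted credentials against a constructed in-memory stand-in for the directory and redirects back with a cookie the portal then verifies. The HMAC-signed cookie format and the demo directory are assumptions of this example; the deck does not describe how the real SSO cookie is built.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the OID user store; demo credentials only.
DIRECTORY = {"jdoe": "correct horse battery"}
# Assumed signing key for the SSO cookie. The deck does not describe the real
# cookie format; a MAC over the username is this example's own design.
SSO_KEY = secrets.token_bytes(32)

def mint_sso_cookie(user):
    """SSO server: issue a cookie the portal can verify on its own."""
    tag = hmac.new(SSO_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"

def verify_sso_cookie(cookie):
    """Portal: return the user for a valid cookie, None if absent or tampered."""
    if not cookie or "." not in cookie:
        return None
    user, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SSO_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag.encode(), expected.encode()) else None

def sso_login(user, password):
    """SSO server: bind username/password against the directory."""
    if DIRECTORY.get(user) != password:
        return {"status": 401, "location": "/sso/login"}   # bind failed
    return {"status": 302, "location": "/portal", "set_cookie": mint_sso_cookie(user)}

def portal_request(cookie=None):
    """Portal: no valid cookie -> redirect to SSO; valid cookie -> return page."""
    user = verify_sso_cookie(cookie)
    if user is None:
        return {"status": 302, "location": "/sso/login"}
    return {"status": 200, "body": f"Portal page for {user}"}

def request_cycle(user, password):
    """Run the deck's cycle end to end and return the three responses."""
    first = portal_request()                      # initial request, no SSO cookie
    login = sso_login(user, password)             # login page, credentials, bind
    if login["status"] != 302:
        return first, login, None
    final = portal_request(login["set_cookie"])   # portal request with SSO cookie
    return first, login, final
```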

  • 12/44

    Oracle Single Sign-On

    How is it deployed?

    [Deployment diagram components: Oracle Database and Metadata Repository; Oracle Application Server with OID (x2); Load Balancer (x2); Oracle Application Server with DAS; Oracle Application Server with SSO]

  • 13/44

    Oracle Certificate Authority

    What does it do?

    What are the main features?

  • 14/44

    Oracle Certificate Authority

    How is it deployed?

    [Deployment diagram components: Oracle Database and Metadata Repository; Oracle Application Server with OID (x2); Load Balancer (x2); Oracle Application Server with DAS and SSO; Oracle Application Server with Certificate Authority]

  • 15/44

    Classic Oracle IdM Deployment

  • 16/44

    New Generation Oracle IdM

    Oracle Internet Directory

    Oracle Delegated Administration Service

    Oracle Certificate Authority

    Oracle Single Sign On

    Oracle Enterprise Single Sign On

    Oracle Identity Manager

    Oracle Access Manager

    Oracle Virtual Directory

    Oracle Identity Federation

    Oracle Web Services Manager

    Oracle Adaptive Access Manager

    Bridgestream (September 5)

  • 17/44

    Oracle Enterprise Single Sign On

    What does it do?

    What are the main features?

    Single Sign-On Logon Manager

    Single Sign-On Password Reset

    Single Sign-On Authentication Manager

    Single Sign-On Provisioning Gateway

    Single Sign-On Kiosk Manager

    How is it installed?

    Where did it come from?

    Passlogix (Partnership, June 2006)

  • 18/44

    Oracle Identity Manager

    What does it do?

    What are the main features?

    Provisioning

    Workflow

    Compliance

    Connector Architecture

    User Self Service

    Delegated Administration

    Where did it come from?

    Thor Xcellerate (Acquisition, November 2005)

  • 19/44

    Oracle Identity Manager Connector Pack

    Connection Interfaces

    BMC Remedy

    CA-ACF2 (Mainframe)

    CA-Top Secret (Mainframe)

    Database User Management

    Database Application Tables

    IBM RACF

    IBM i5/OS

    IBM Lotus Notes / Domino

    JD Edwards EnterpriseOne

    Microsoft Active Directory

    Microsoft Exchange

    Microsoft Windows 2000

    Novell eDirectory

    Novell GroupWise

    Oracle eBusiness Suite

    Oracle Internet Directory

    PeopleSoft

    Siebel Enterprise Applications

    RSA Authentication Manager

    RSA Clear Trust

    SAP

    SAP Enterprise Portal

    Sun Java System Directory

    Unix SSH

    Unix Telnet

  • 20/44

    Oracle Identity Manager

    How is it deployed?

    [Deployment diagram components: Oracle Database and Identity Manager Repository; Application Server with Server Side Components; Remote Managers; Connector Targets (LDAP, JDBC, Java, Web Services, Databases, Users, Mainframe, SSH, JD Edwards, Oracle E-Business Suite, Novell GroupWise, Microsoft Active Directory, Microsoft Exchange, etc.); Administration Console; User Self-Service; Delegated Administration; Custom Application Clients; Design Console; Administration Services; Design Services]

  • 21/44

    Oracle Access Manager

    What does it do?

    What are the main features?

    WebGate

    WebPass

    Identity Server

    Access Server

    Policy Server

    How is it installed?

    Where did it come from?

    Oblix CoreID Access Manager (Acquisition, March 2005)

  • 22/44

    Oracle Access Manager

    How is it deployed?

    [Deployment diagram components: Oracle Database and Identity Metadata Repository; Enterprise Applications; WebPass with Policy Manager; End Users (Employees, Partners, Customers, Suppliers); Web Server (OHS or IIS) with WebGate or AccessGate; Access Administrators; Oracle Access Server]

  • 23/44

    Oracle Virtual Directory

    What does it do?

    What are the main features?

    How is it installed?

    Where did it come from?

    Octet String VDE (Acquisition, November 2005)

  • 24/44

    Oracle Virtual Directory

    How is it deployed?

    [Deployment diagram components: Custom Application User Table; Web Applications; Access Manager; Oracle Virtual Directory; Oracle Portal; Oracle Internet Directory; Microsoft Active Directory; Custom Web Service; New Acquisitions; Active Directory]

  • 25/44

    Oracle Identity Federation

    What does it do?

    What are the main features?

    Service Providers

    Identity Providers

    Principals

    Standards

    SAML (1.0 / 2.0)

    Liberty ID-FF (1.1 / 1.2)

    WS-Federation

    How is it installed?

    Where did it come from?

    Oblix CoreID Federation (Acquisition, March 2005)

  • 26/44

    Oracle Identity Federation with Oracle Access Manager

    How is it deployed?

    [Deployment diagram components: Oracle Database and Identity Metadata Repository; Oracle Access Manager; End Users (Employees, Partners, Customers, Suppliers); Peer Identity Provider; Oracle Identity Federation Service Provider and Authentication Module; OHS or IIS with WebPass; Oracle Internet Directory; Enterprise Applications]

  • 27/44

    Oracle Web Services Manager

    What does it do?

    What are the main features?

    No Code Changes!!!

    Gateway vs Agent

    Gateway Translations

    SLAs

    Encryption, Authentication, and Authorization

    Encryption Algorithms: AES-128, AES-256, 3-DES

    Message Digests: MD5, SHA-1

    Message Structure: XML / SOAP / WS-Security

    Token Profiles: Basic Authentication, X.509, SAML

    Message Integrity: XML Signature

    Message Confidentiality: XML Encryption

    PKI

    Where did it come from?

    Oblix CoreSV (Acquisition, March 2005)

  • 28/44

    Oracle Web Services Manager Gateway

    How is it deployed?

    [Deployment diagram components: Policy Manager and Monitor; End Users (Employees, Partners, Customers, Suppliers); OWSM Gateway; Administrators; Corporate Web Services; protocols labelled REST, SOAP, HTTP(S), SAML]

  • 29/44

    Oracle Web Services Manager Agents

    How is it deployed?

    [Deployment diagram components: Policy Manager and Monitor; End Users (Employees, Partners, Customers, Suppliers); Administrators; Corporate Web Services, each with an Agent; protocols labelled REST, SOAP, HTTP(S), SAML]

  • 30/44

    Oracle Adaptive Access Manager

    What does it do?

    What are the main features?

    Adaptive Risk Manager and Strong Authenticator

    Bharosa = Trust

    Two Factor Authentication

    Profile based on usage patterns: location, device, workflow

    View user sessions in real time

    Force secondary challenges to users

    Many flexible log-in / authentication tools

    Where did it come from?

    Bharosa (Acquisition, March 2005)

  • 31/44

    Oracle Adaptive Access Manager

    How is it deployed?

    [Deployment diagram components: Oracle Database; OASA; OARM; End Users (Employees, Partners, Customers, Suppliers); Internal Users; Customer Care Application; Administrators]

  • 32/44

    How it all ties together

    [Architecture diagram, courtesy of Oracle Corporation; its labels and annotations follow.]

    HR System (any single source of truth for users); Connectors

    Oracle Identity Manager: does provisioning of new hires to apps, directories, etc.; manages occasional changes to user status; one-click de-provisioning; audit logs and reports

    Oracle Access Manager: manages daily user access; SSO to any web-based app; user self service and password resets

    Oracle Virtual Directory: real-time proxy for directories and other repositories; an alternative or complement to meta-directories

    Oracle Federation Server: extends SSO across company boundaries

    Other labels: Business Unit; Field Location; Internal Employees; Key supplier or benefits partner; Delegation; Any App on any Platform; AD; OID; 1,000s of External Users; 1,000,000s of Internet Users

  • 33/44

    What are the major problems being solved?

  • 34/44

    Oracle Portal Common Deployment Strategy

    [Deployment diagram components: Oracle Database and Identity Metadata Repository; Oracle Application Server with OID; Oracle Application Server with SSO and DAS; Load Balancer (x2); Oracle Portal and Business Intelligence Standard Edition; Oracle Database and Product Metadata Repository; Microsoft Active Directory via DIP Synchronization; DIP Synchronization and External Authorization]

  • 35/44

    Oracle Business Intelligence Enterprise Edition Common Deployment Strategy with LDAP / OID Only

    [Deployment diagram components: Oracle Database and Identity Metadata Repository; Oracle Application Server with OID; Oracle BI Server and Presentation Services; Load Balancer (x2); Users Synchronized to SA Tables with DIP; Session to OID Authentication]

  • 36/44

    Oracle Business Intelligence Enterprise Edition Common Deployment Strategy with Oracle Access Manager

    [Deployment diagram components: Oracle Database and Identity Metadata Repository; Oracle Application Server with OID; Oracle BI Server and Presentation Services; Load Balancer (x2); Users Synchronized to SA Tables; Authentication Using Impersonation Headers; Oracle AS with WebGate and Presentation Services Plug-In; Oracle Access Server]

  • 37/44

    Oracle E-Business Suite Common Deployment Strategy

    [Deployment diagram components: Oracle Database and Identity Metadata Repository; Oracle Application Server with OID; Oracle Application Server with SSO and DAS; Load Balancer (x2); Oracle E-Business Release 11i; FND_User; Applications Database; DIP Synchronization]

  • 38/44

    Oracle eBusiness Suite

    [Compatibility matrix; cell values were not preserved in the transcript. Columns: eBusiness Suite Release 11.5.8, 11.5.9, 11.5.10, 12.0. Rows: Single Sign-On; Oracle Internet Directory; Oracle Access Manager; Oracle Identity Manager]

  • 39/44

    Conclusion

    What is Identity Management?

    What are the Components?

    For each component:

    What does it do?

    What are the features?

    How is it installed?

    Where did it come from?

    How does it all tie together?

    What common problems does IdM solve?

    Common Deployment Scenarios

  • 40/44

    Questions?

    Matt Topper, mtopper(at)itconvergence.com

    Or download the white paper The Total Identity Solution (registration required):

    http://www.itconvergence.com/portal/page?_pageid=33,67416&_dad=portal&_schema=PORTAL&3098454A97376254E0409340CBB0155F=1

  • 41/44

    Save the Date!

    April 13-17, 2008

    Colorado Convention Center, Denver, Colorado

  • 42/44

    Sign-up for IOUG Today

    Join online at www.ioug.org and get immediate access to:

    Member Discounts and Special Offers

    SELECT Journal

    Library of Oracle Knowledge (LoOK)

    Member Directory

    Special Interest Groups

    Discussion Forums

    Access to Local and Regional Users Groups

    5 Minute Briefing: Oracle

    Volunteer Opportunities

  • 43/44

    Oracle Identity Management:

    The Total Identity Solution

    Matt Topper, mtopper(at)itconvergence.com

  • 44/44

    Legal

    The information contained herein should be deemed reliable but not guaranteed. The author has made every attempt to provide current and accurate information. If you have any comments or suggestions, please contact the author at mtopper(at)itconvergence.com.

    Only IOUG, Collaborate 07, and IT Convergence have been granted permission to reprint and distribute this presentation. Others may request redistribution permission from mtopper(at)itconvergence.com.

    Copyright 2007, IT Convergence