Enabling Single Sign-On for Oracle Applications (page 1)
Oracle Applications Users Group
Agenda (page 2)
- Introduction: Organization, Speakers
- Security Spectrum: Information Security Spectrum, Oracle Identity Management Platform
- Access Control: Access Management Framework, Oracle Access Management System Architecture, Oracle Access Management Integration Architecture, Benefits
- Access Control System
- Oracle Applications (E-Business) Integration: Support Architecture, Integration Flow, Integration of OID and E-Biz (GUID), Access Gate integration, Third-party directories integration (AD)
- Deployment Topology
- Best Practices
Introduction (page 3)
About BIAS Corporation: Who We Are (page 4)
- Founded in 2000
- Distinguished Oracle Leader
- Technology Momentum Award, Portal Blazer Award, Titan Award, Red Stack + HW Momentum Awards, Excellence in Innovation Award
- Management team is ex-Oracle
- Locations: headquartered in Atlanta; regional office in Washington D.C.; offshore in Hyderabad and Chennai, India
- ~250 employees with 10+ years of Oracle experience on average
- Inc. 500|5000 Fastest Growing Private Company in the U.S. for the 5th time
- Voted Best Place to Work in Atlanta for the 2nd year
- 30 Oracle Specializations spanning the entire stack
Speakers Profile (page 5)

Kashif Dhatwani, Practice Director, Identity Management and Data Security
- Enterprise and Solution Architect
- 15+ years of experience delivering solutions around middleware technologies including Security, SOA, Portal and custom-developed solutions
- 7+ years with BIAS Corporation; previously held positions at Oracle and IBM
- Focused on delivering best-practice, industry-standards-based solutions to BIAS customers
- Leads a team of solution and technical architects delivering solutions across multiple industries

Madan Shah, Solution Architect, Identity Management & Data Security
- 15+ years of experience in middleware technologies
- 3+ years with BIAS Corporation
- Solution Architect and Technical Architect for middleware technologies including Java / J2EE, Portals, Data Security and Identity & Access Management
- Leads development teams delivering solutions for Identity & Access Management and Data Security
- Oracle Access Management Suite Plus 11g Certified Implementation Specialist and Oracle Database 11g Security Certified Implementation Specialist
BIAS Practice Areas (page 6)
(page 7)
BIAS Corporation is a recognized leader in Identity & Access Management system assessment, design and implementation. As an Oracle Platinum partner, BIAS Corporation's IDM Practice provides experienced architects who assess environments, build roadmaps and design systems with deep technical experience, and implements solutions using the experienced developers who are part of the BIAS IDM practice.
Security Spectrum (page 8)
Information Security Spectrum (page 9)
- Identity Management: Governance, Compliance, Single Source of Truth, Provisioning / Deprovisioning, SoD (Separation of Duties)
- Access Management: Access Control, Authentication, Authorization, Single Sign-On, Multi-Factor Authentication
- Mobile Security: Security Container, Single Sign-On, Application Management
- Data Security: Protect your data at rest and in transit, Data Access - Authentication, Data Access - Fine Grained Control, Auditing
Identity Management Portfolio 11gR2: Modern, Innovative & Integrated (page 10)
- Governance: Oracle Identity Manager (OIM), Oracle Privileged Account Manager (OPAM)
- Access: Oracle Access Manager (OAM), Oracle Adaptive Access Manager (OAAM), Oracle API Gateway (OEG), Oracle Identity Federation (OIF), Oracle Security Token Services (OSTS), Oracle Entitlement Server (OES), Oracle Enterprise SSO (OeSSO)
- Directory: Oracle Unified Directory (OUD), Oracle Virtual Directory (OVD), Oracle Internet Directory (OID)
- Mobile Security: Oracle Mobile Security Suite (OMSS), Oracle Access Manager (OAM), Oracle Identity Manager (OIM)
- Platform Security Services (underlying all of the above)
Oracle Database Security Solutions (page 11)
Arranged by maturity of the database environment:
- Advanced Security, Data Masking: Transparent Data Encryption; Network Encryption / Strong Authentication; Data Masking for Non-Production
- Audit Vault, Database Firewall: Database Activity Auditing; Database Firewall Monitoring; Centralized Audit Data Warehouse
- Database Vault, Label Security: Separation of Duties for DBAs; Protection Realms & Rules; Label-Based Access Control
Access Control (page 12)
Access Management Framework (page 13)
[Diagram: a single user account with a single logon reaches internal web applications, external (partner, vendor) web applications and cloud providers; an internal LDAP directory is the user store.]
Oracle Access Management System Architecture (page 14)
Access Management Integration Architecture (page 15)
[Diagram: Oracle Access Manager, backed by LDAP, provides Authentication / SSO through Webgate for internal web applications and through Access Gate for on-premise apps, and Federation / SSO for cloud providers and external (partner, vendor) web applications.]
Identity Management Overview (page 16)
Benefits (page 17)
- Centralized Access Management: centralized security enforcement; centralized policy control over application access
- Single Sign-On: use one (1) set of credentials to access all your applications; no need to remember multiple user IDs and passwords; reduced risk of compromised credentials; one-time login to your first application, then navigate securely to multiple applications
- Federation: Single Sign-On for third-party application partners; Single Sign-On for cloud-based applications
- User Repositories: integration with multiple user repositories; support for commonly used LDAPs and Microsoft Active Directory
- Productivity: increased employee productivity; maintained compliance standards; self-service capability such as self-service password management
Oracle E-Business Application Single Sign-On (page 18)
Oracle E-Business and Access Manager Support Architecture (page 19)
- E-Business Suite 12.2.2+: Oracle Access Manager 11.1.2.2; Oracle Identity Management 11.1.1.7; Oracle Web Gate 11.1.2.2
- E-Business Suite 12 (11.5.10.2, 12.1.3, 12.2): Oracle Access Manager 11.1.2.2; Oracle Identity Management 11.1.1.7.0; Oracle Access Manager Webgate 11.1.2.2.0; Oracle E-Business Suite Access Gate 1.2.3.4
Integration Architecture (page 20)
Components: Oracle E-Business Suite, E-Business Suite Access Gate (protected by OAM), Web Server with Webgate, Oracle Access Manager, Oracle Internet Directory.
1. User requests a protected resource in Oracle E-Business Suite.
2. User is redirected to the EBS Access Gate, which is protected by OAM.
3. Webgate intercepts the request per OAM policies.
4. Webgate connects the user to the EBS Access Gate to collect credentials.
5. User submits credentials to the OAM server.
6. OAM verifies the credentials against the user repository (Oracle Internet Directory).
7. OAM returns the user identifier to the EBS Access Gate.
8. EBS Access Gate identifies the EBS user linked to the authenticated OID user.
EBS Access Gate (page 21)
- Java EE application deployed on a WebLogic domain
[Diagram: Oracle Access Manager passes UID + ORCLGUID through Webgate to the Oracle E-Business Suite AccessGate, which resolves the FND_USR link in the E-Business Suite instance database. In Oracle Internet Directory every user record has a unique ORCLGUID, and that ORCLGUID is the FND_USR link key.]
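The eight-step flow on the integration slide and the GUID link on the Access Gate slide are easier to reason about as running code. The following is an added example, not code from the BIAS deck or from Oracle; it models the chain in-process with constructed directory entries and FND_USER rows. The resource prefix, the login URL, the session-token format and the FND_USER column name "user_guid" are assumptions made for the example. The point it demonstrates is that the Access Gate maps the OAM-authenticated user to an EBS account by ORCLGUID, not by user name, so a directory user that authenticates successfully but has no linked FND_USER row (or an end-dated one) is still refused.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash_pw(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed Oracle Internet Directory entries, keyed by uid.
# Every entry carries a unique orclguid; that value is the link key EBS uses.
OID_DIRECTORY = {
    "jdoe": {"orclguid": "1A2B3C4D5E6F70819A2B3C4D5E6F7081", "salt": "s1",
             "pw": _hash_pw("correct horse", "s1")},
    "asmith": {"orclguid": "F0E1D2C3B4A5968778695A4B3C2D1E0F", "salt": "s2",
               "pw": _hash_pw("battery staple", "s2")},
}

# Constructed FND_USER rows: EBS user name -> link column (name "user_guid" assumed).
# "asmith" exists in OID but deliberately has no linked row.
FND_USER = {
    "JDOE": {"user_guid": "1A2B3C4D5E6F70819A2B3C4D5E6F7081", "end_dated": False},
    "OLDUSER": {"user_guid": "00000000000000000000000000000001", "end_dated": True},
}

PROTECTED_PREFIXES = ("/ebs/",)  # constructed OAM policy: what Webgate protects
LOGIN_URL = "/oam/login?resource="  # assumed credential-collector location


class AuthError(Exception):
    pass


@dataclass
class OamAssertion:
    uid: str
    orclguid: str
    token: str  # opaque OAM session token (constructed)


def oam_authenticate(uid: str, password: str, directory=OID_DIRECTORY) -> OamAssertion:
    """Step 6: OAM checks the submitted credentials against the directory.
    The hash is computed even for unknown users so timing does not reveal
    whether the uid exists; the comparison is constant-time."""
    entry = directory.get(uid)
    salt = entry["salt"] if entry else "missing"
    expected = entry["pw"] if entry else _hash_pw("", salt)
    ok = hmac.compare_digest(expected, _hash_pw(password, salt))
    if entry is None or not ok:
        raise AuthError("OAM: authentication failed")
    # Step 7: OAM returns the user identifier (uid + orclguid) to the Access Gate.
    return OamAssertion(uid, entry["orclguid"], secrets.token_hex(16))


def accessgate_resolve(assertion: OamAssertion, fnd_user=FND_USER) -> str:
    """Step 8: the Access Gate finds the FND_USER row whose GUID link matches.
    Matching is by orclguid, never by name, so an unlinked directory account
    is refused even if an EBS user with the same name happens to exist."""
    for ebs_user, row in fnd_user.items():
        if row["user_guid"] == assertion.orclguid:
            if row["end_dated"]:
                raise AuthError(f"AccessGate: EBS user {ebs_user} is end-dated")
            return ebs_user
    raise AuthError(f"AccessGate: no FND_USER linked to orclguid {assertion.orclguid}")


def webgate_intercept(resource: str, session_token, sessions: dict):
    """Steps 1-3: Webgate passes unprotected resources, allows a protected one
    when a valid OAM session exists, otherwise redirects to the credential collector."""
    if not resource.startswith(PROTECTED_PREFIXES):
        return ("pass", resource)
    if session_token in sessions:
        return ("allow", sessions[session_token])
    return ("redirect", LOGIN_URL + resource)


def login_flow(resource: str, uid: str, password: str, sessions=None):
    """Runs the full chain for one request and returns (outcome, detail)."""
    sessions = {} if sessions is None else sessions
    action, detail = webgate_intercept(resource, None, sessions)
    if action != "redirect":
        return (action, detail)
    try:                                   # steps 4-8
        assertion = oam_authenticate(uid, password)
        ebs_user = accessgate_resolve(assertion)
    except AuthError as exc:
        return ("denied", str(exc))
    sessions[assertion.token] = ebs_user   # OAM session now exists
    # Replaying the request with the session token succeeds without credentials (SSO).
    return webgate_intercept(resource, assertion.token, sessions)


if __name__ == "__main__":
    for args in [("/ebs/home", "jdoe", "correct horse"),
                 ("/ebs/home", "jdoe", "wrong"),
                 ("/ebs/home", "asmith", "battery staple"),
                 ("/public/help", "nobody", "")]:
        print(args[:2], "->", login_flow(*args))
```

Running the block walks four cases: a linked user is allowed and mapped to JDOE, a wrong password is refused by OAM, a directory user without an FND_USER link is refused by the Access Gate even though OAM accepted the credentials, and an unprotected resource never reaches the credential collector.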
Deployment Topology (Clustered): Oracle E-Business Suite Release 12.2 single sign-on (page 22)
[Diagram: User -> Load Balancer -> Oracle HTTP Server (Web Server 1, Web Server 2) each running WebGate and EBS AccessGate -> Oracle E-Business Suite Release 12.2.2+ with Oracle Database; the WebGates talk through a second Load Balancer to Oracle Access Manager Server (OAM Server 1, OAM Server 2) backed by Oracle Internet Directory (OID 1, OID 2).]
Third-Party LDAP Integration (page 23)
Third-Party Access Management (page 24)
Architectural Considerations: Key Decisions (page 25)
- Provisioning
  - Unidirectional provisioning: from Oracle Internet Directory to Oracle E-Business Suite only, or from Oracle E-Business Suite to Oracle Internet Directory only
  - Bi-directional provisioning: from Oracle Internet Directory to Oracle E-Business Suite and from Oracle E-Business Suite to Oracle Internet Directory
- Corporate user repositories: Microsoft Active Directory, LDAPs, databases
- Authorization: EBS responsibilities are managed within EBS
- Upgrade: an existing environment can upgrade from OSSO to OAM
- Co-existence: multiple E-Business systems using the same security framework (Access Manager)
Best Practices (page 26)
- SSO infrastructure: High Availability; Disaster Recovery environment; performance considerations
- OAM: Detached Credential Collector vs. Embedded Credential Collector; Multi-Factor Authentication and risk-based authentication
- End-to-end SSL: encrypt all HTTP and LDAP traffic; TLS 1.2 / TLS 1.1
- Auditing: out-of-the-box auditing functionality provided by OAM for user authentications; BI Publisher reports
(page 27)
Oracle created the OPN Specialized Program to showcase Oracle partners who have achieved expertise in Oracle product areas and reached specialization status through competency development, business results, expertise and proven success. BIAS is proud to be specialized in 30 areas of Oracle products, which include the following:
Contact Us (page 28)
Kashif Dhatwani
Practice Director - Identity Management & Data Security
770-685-6240
Kashif.Dhatwani@biascorp.com