Oracle Identity Management: The Total Identity Solution
Dan Norris, Practice Manager, Piocon Technologies, Inc. (dnorris@piocon.com)
Presentation created by Matt Topper
Agenda
- Who is Dan?
- What is Identity Management?
- What are the Components?
- For each component: What does it do? What are the features? How is it installed?
- How does it all tie together?
- Common Deployment Scenarios
Who is Dan?
- Virgo
- Scuba Diver (PADI Advanced OW, Nitrox)
- Over 21, under 35
- Oracle DBA & UNIX Admin background
- Certifiable: OCM, ACE Director, RHCE
- Consultant, mostly fixing things that are broken
- Active community participant: RAC SIG, SIG Council, DBA Track Manager, blogger, tweeter
- ESA Practice Manager at Piocon Technologies
Oracle Identity Management: Then and Now
The Original Players
- Oracle Internet Directory
- Oracle Delegated Administration Service
- Oracle Certificate Authority
- Oracle Single Sign On
- Oracle Enterprise Single Sign On
- Oracle Identity Manager
- Oracle Access Manager
- Oracle Virtual Directory
- Oracle Identity Federation
- Oracle Web Services Manager
- Oracle Adaptable Access Manager
- Oracle Role Manager
- Oracle Authentication Services for Operating Systems
Oracle Internet Directory
What does it do? What are the main features?
- LDAP v3 Compliant
- Dynamic Groups
- Replication
- Directory Integration Platform
- Password Policies

Oracle Internet Directory
How is it deployed?
[Deployment diagram: Load Balancer in front of two Oracle Application Server with OID nodes, backed by Oracle Database and Metadata Repository; synchronization with Microsoft Active Directory]
Oracle Directory Administration Service
What does it do? What are the main features?

Oracle Directory Administration Service
How is it deployed?
[Deployment diagram: Load Balancer in front of two Oracle Application Server with DAS nodes; a second Load Balancer in front of two Oracle Application Server with OID nodes, backed by Oracle Database and Metadata Repository]
Oracle Single Sign-On
What does it do? What are the main features?
Oracle Single Sign-On Request Cycle
[Flow diagram between Client PC, Oracle Application Server with Portal, Oracle Application Server with SSO, Oracle Application Server with OID, and Oracle Database and Metadata Repository]
1. Initial Portal page request from the client browser with no SSO cookie
2. Redirect returned to the client browser; the browser sends the redirect to the SSO server
3. Login page request and return of the login page; the user submits username and password
4. SSO server binds the username and password against OID; OID validates against the database table; bind success when the database matches
5. Send redirect to Portal with SSO login cookie
6. Portal page returned to the client
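The request cycle on this slide, written out as an added, self-contained simulation (this is not Oracle code and does not model the real OracleAS SSO cookie or mod_osso token handshake). Three toy objects stand in for the boxes in the diagram: a Directory (the OID bind against stored password hashes), an SSOServer (login page, bind, signed cookie) and a PortalServer (redirect when no valid cookie is presented). The cookie name, URLs, user and password are constructed for the example, and the portal validating the cookie directly through the SSO server is a simplification of the real partner-application handshake.

```python
import hashlib
import hmac
import secrets

SSO_COOKIE = "SSO_ID"                         # constructed cookie name, not Oracle's
SSO_LOGIN_URL = "https://sso.example/login"   # constructed
PORTAL_URL = "https://portal.example/home"    # constructed


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Directory:
    """Stands in for OID backed by the metadata repository: a bind checks the password."""

    def __init__(self):
        self._entries = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries[username] = (salt, _hash_password(password, salt))

    def bind(self, username: str, password: str) -> bool:
        entry = self._entries.get(username)
        if entry is None:
            _hash_password(password, bytes(16))   # same cost for unknown users
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))


class SSOServer:
    """Stands in for the Oracle AS SSO server: serves the login page, binds, sets the cookie."""

    def __init__(self, directory: Directory):
        self._dir = directory
        self._key = secrets.token_bytes(32)   # per-server cookie signing key

    def login_page(self) -> dict:
        return {"status": 200, "body": "login form"}

    def login(self, username: str, password: str, return_to: str) -> dict:
        if not self._dir.bind(username, password):
            return {"status": 401, "body": "login failed"}
        return {"status": 302, "location": return_to,
                "set_cookie": {SSO_COOKIE: self._issue_cookie(username)}}

    def _issue_cookie(self, username: str) -> str:
        payload = f"{username}:{secrets.token_hex(8)}"
        sig = hmac.new(self._key, payload.encode(), "sha256").hexdigest()
        return f"{payload}:{sig}"

    def validate_cookie(self, cookie: str):
        """Return the username if the cookie's signature checks out, else None."""
        parts = cookie.split(":")
        if len(parts) != 3:
            return None
        username, nonce, sig = parts
        expected = hmac.new(self._key, f"{username}:{nonce}".encode(), "sha256").hexdigest()
        return username if hmac.compare_digest(expected, sig) else None


class PortalServer:
    """Stands in for Oracle AS with Portal: no valid SSO cookie means a redirect to SSO."""

    def __init__(self, sso: SSOServer):
        self._sso = sso

    def get(self, cookies: dict) -> dict:
        cookie = cookies.get(SSO_COOKIE)
        user = self._sso.validate_cookie(cookie) if cookie else None
        if user is None:
            return {"status": 302, "location": f"{SSO_LOGIN_URL}?return_to={PORTAL_URL}"}
        return {"status": 200, "body": f"portal page for {user}"}


def demo_directory() -> Directory:
    """Constructed sample directory with one user."""
    d = Directory()
    d.add_user("jdoe", "correct horse battery")
    return d


def run_request_cycle(username: str, password: str) -> list:
    """Drive a browser through the cycle on the slide; return [(step, HTTP status), ...]."""
    sso = SSOServer(demo_directory())
    portal = PortalServer(sso)
    jar = {}                                   # the browser's cookie jar
    trace = []
    r = portal.get(jar)                        # 1. initial request, no SSO cookie
    trace.append(("portal request without SSO cookie", r["status"]))
    r = sso.login_page()                       # 2. browser follows the redirect to the login page
    trace.append(("SSO login page", r["status"]))
    r = sso.login(username, password, PORTAL_URL)   # 3./4. SSO binds to the directory
    trace.append(("SSO login and directory bind", r["status"]))
    if r["status"] != 302:
        return trace
    jar.update(r["set_cookie"])                # 5. browser stores the SSO cookie
    r = portal.get(jar)                        # 6. redirect back to Portal with the cookie
    trace.append(("portal request with SSO cookie", r["status"]))
    return trace


if __name__ == "__main__":
    for step, status in run_request_cycle("jdoe", "correct horse battery"):
        print(f"{status}  {step}")
```

A correct password walks through 302, 200, 302, 200; a wrong password or unknown user stops at the bind with 401 and no cookie is ever set, and a cookie whose username has been altered fails the signature check and sends the browser back to the SSO login page.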
Oracle Single Sign-On
How is it deployed?
[Deployment diagram: Load Balancer in front of Oracle Application Server nodes with SSO and DAS; a second Load Balancer in front of two Oracle Application Server with OID nodes, backed by Oracle Database and Metadata Repository]
Oracle Certificate Authority
What does it do? What are the main features?
- PKI
- X.509v3 Certificates
- Web Based Certificate Management

Oracle Certificate Authority
How is it deployed?
[Deployment diagram: Load Balancer in front of Oracle Application Server nodes with Certificate Authority alongside DAS and SSO; a second Load Balancer in front of two Oracle Application Server with OID nodes, backed by Oracle Database and Metadata Repository]
Classic Oracle IdM Deployment
Oracle Identity Management: The New Generation
New Generation Oracle IdM
- Oracle Internet Directory
- Oracle Delegated Administration Service
- Oracle Certificate Authority
- Oracle Single Sign On
- Oracle Enterprise Single Sign On
- Oracle Identity Manager
- Oracle Access Manager
- Oracle Virtual Directory
- Oracle Identity Federation
- Oracle Web Services Manager
- Oracle Adaptable Access Manager
- Oracle Role Manager
- Oracle Authentication Services for Operating Systems
Oracle Enterprise Single Sign-On
What does it do? What are the main features?
- Single Sign-On Logon Manager
- Single Sign-On Password Reset
- Single Sign-On Authentication Manager
- Single Sign-On Provisioning Gateway
- Single Sign-On Kiosk Manager
How is it installed?

Oracle Enterprise Single Sign-On
How is it deployed?
[Deployment diagram: Oracle eSSO Suite Management Console; Oracle eSSO Password Reset; Oracle eSSO Provisioning Gateway fed by Oracle Identity Manager (OIM); Oracle eSSO Authentication Manager accepting Password, Directory/Domain/Database, Windows, Web Sites, PKI, Biometrics and Token/Smart card user authentication; Oracle eSSO Logon Manager and Oracle eSSO Kiosk Manager on the user's desktop handling application sign-on to Mainframes (OS390, AS400), Java, and Extranet & Portal applications]
Oracle Identity Manager
What does it do? What are the main features?
- Provisioning
- Workflow
- Attestation
- User Self Service
- Connector Architecture
- Delegated Administration
Oracle Identity Manager Connector Pack
Connection Interfaces:
- BMC Remedy
- CA-ACF2 (Mainframe)
- CA-Top Secret (Mainframe)
- Database User Management
- Database Application Tables
- IBM RACF
- IBM i5/OS
- IBM Lotus Notes / Domino
- JD Edwards EnterpriseOne
- Microsoft Active Directory
- Microsoft Exchange
- Microsoft Windows 2000
- Novell eDirectory
- Novell GroupWise
- Oracle E-Business Suite
- Oracle Internet Directory
- PeopleSoft
- Siebel Enterprise Applications
- RSA Authentication Manager
- RSA ClearTrust
- SAP
- SAP Enterprise Portal
- Sun Java System Directory
- Unix SSH
- Unix Telnet

Oracle Identity Manager
How is it deployed?
[Architecture diagram: Server Side Components on the Application Server with the Identity Manager Repository in an Oracle Database; Administration Console, User Self-Service and Delegated Administration; Custom Application Clients (API and Web Services) and the Design Console talking to Administration Services and Design Services; Remote Managers; Connector Targets reached over LDAP, JDBC, Java, Web Services and SSH: Databases, Users, Mainframe, JD Edwards, Oracle E-Business Suite, Novell GroupWise, Microsoft Active Directory, Microsoft Exchange, etc.]
Oracle Access Manager
What does it do? What are the main features?
- WebGate
- WebPass
- Identity Server
- Access Server
- Policy Server
How is it installed?

Oracle Access Manager
How is it deployed?
Oracle Virtual Directory
What does it do? What are the main features?
How is it installed?

Oracle Virtual Directory
How is it deployed?
[Architecture diagram: Oracle Virtual Directory presents one view to Web Applications, a Custom Application, Access Manager and a Custom Web Service, drawing on Oracle Internet Directory, Microsoft Active Directory, an Oracle Database User Table and the Active Directory of New Acquisitions]
Oracle Identity Federation
What does it do? What are the main features?
- Service Providers
- Identity Providers
- Principals
- Standards: SAML (1.0 / 2.0), Liberty ID-FF (1.1 / 1.2), WS-Federation
How is it installed?

Oracle Identity Federation with Oracle Access Manager
How is it deployed?
[Deployment diagram: the Browser presents a Client Certificate over HTTPS to a Web server running WebGate; the Access Server uses the COREid authn_subjectdn Authn plugin and the authz_attribute Authz plugin (with HTTP(S) client) to call the Service Provider's Attribute Service and SAML Requester in the Federation Server over SOAP/HTTPS; the Service Provider Federation Server talks SAMLP over SOAP/HTTP(S) to the Identity Provider's Federation Server and SAML Responder, which is backed by an LDAP Directory]
Oracle Web Services Manager
What does it do? What are the main features?
- No Code Changes!!!
- Gateway vs Agent
- Gateway Translations
- SLAs
- Encryption, Authentication, and Authorization
  - Encryption Algorithms: AES-128, AES-256, 3-DES
  - Message Digests: MD5, SHA-1
  - Message Structure: XML / SOAP / WS-Security
  - Token Profiles: Basic Authentication, X.509, SAML
  - Message Integrity: XML Signature
  - Message Confidentiality: XML Encryption
- PKI

Oracle Web Services Manager Gateway
How is it deployed?
[Deployment diagram: Clients call Web services through a Gateway acting as the Policy Enforcement Point (PEP); Oracle WSM server components: Policy manager, Management Console, Monitor, Database]

Oracle Web Services Manager Agents
How is it deployed?
[Deployment diagram: Clients and Web services each host an Agent acting as a Policy Enforcement Point (PEP); Oracle WSM server components: Policy manager, Management Console, Monitor, Database]
Oracle Adaptive Access Manager
What does it do? What are the main features?
- Adaptive Risk Manager and Strong Authenticator
- Multi-Factor Authentication (Something you have, Something you know, Something you are)
- Profile based on usage patterns: location, device, workflow
- View user sessions in real time
- Force secondary challenges to users
- Many flexible log-in / authentication tools
- Offline Mode
Challenge
Oracle Adaptive Access Manager
How is it deployed?

Oracle Role Manager
What does it do?
The Evolution of Identity Management
In The Beginning There Was Manual Provisioning
[Diagram actors: User, The Helpdesk Guy, The Cat Who Makes The Rules, The Boss, The IT Dude, Applications]
- He routes the request
- He decides who has to approve
- He approves the request
- He creates the account
But The Process Was Hard To Control and Audit..

The Evolution of Identity Management
Then We Added a Provisioning Tool..
[Diagram actors: User, The Helpdesk Guy, The Cat Who Makes The Rules, The Boss, The IT Dude, Applications]
- Provisioning helps with self service & administration
- Provisioning helps with automation & audit
- Rules and policies are constantly changing
- Resolving policies into WHO is not trivial
But Provisioning Tools Are Not Business Smart..

The Evolution of Identity Management
Enterprise Role Management Completes The Puzzle
[Diagram actors: User, The Helpdesk Guy, The Cat Who Makes The Rules, The Boss, The IT Dude, Applications]
- Provisioning helps with self service & administration
- Provisioning helps with automation & audit
- Role Management helps define who should have access to what
- Role Management helps define who has to do what
Oracle Role Manager
What are the main features?
- Role Management
- Role Mining
- Hierarchy Management
- Polyarchy / Relationship Management
- Reporting, Audit and Compliance

Oracle Authentication Services for Operating Systems
What does it do? What are the main features?
- Centrally Manage Users, Passwords, Certificates, and Sudo
- Central Audit Logs
- SSL Integration
- All major Unix systems
- Migration Utilities
How is it installed?

Oracle Authentication Services for Operating Systems
How is it deployed?
How it all ties together
[Architecture diagram]
- HR System: any single source of truth for users
- Oracle Identity Manager, with Connectors to any app on any platform, and Oracle Role Manager: does provisioning of new hires to apps, directories, etc.; manages occasional changes to user status; one-click de-provisioning; audit logs and reports
- Oracle Virtual Directory over AD and OID: real-time proxy for directories and other repositories; an alternative or complement to meta-directories
- Oracle Access Manager and Oracle Adaptive Access Manager: manages daily user access; SSO to any web-based app; user self service and password resets
- Oracle Federation Server: extends SSO across company boundaries, e.g. to a key supplier or benefits partner
- User populations: Internal Employees; Delegation to a Business Unit and a Field Location; 1,000s of External Users; 1,000,000s of Internet Users

Oracle Identity Management: Deployment Scenarios
Oracle Portal Common Deployment Strategy
[Deployment diagram: Load Balancer in front of Oracle Application Server with SSO and DAS, with DIP Synchronization and External Authorization to Microsoft Active Directory; a second Load Balancer in front of Oracle Application Server with OID, backed by Oracle Database and Identity Metadata Repository; Oracle Portal and Business Intelligence Standard Edition with DIP Synchronization, backed by Oracle Database and Product Metadata Repository]

Oracle Business Intelligence Enterprise Edition Common Deployment Strategy with LDAP / OID Only
[Deployment diagram: Load Balancer in front of Oracle BI Server and Presentation Services, authenticating by Session to OID; a second Load Balancer in front of Oracle Application Server with OID, backed by Oracle Database and Identity Metadata Repository; Users Synchronized to SA Tables with DIP]

Oracle Business Intelligence Enterprise Edition Common Deployment Strategy with Oracle Access Manager
[Deployment diagram: Load Balancer in front of Oracle AS with WebGate and Presentation Services Plug-In, passing Impersonation Headers to Oracle BI Server and Presentation Services; Oracle Access Server performing Authentication against a second Load Balancer in front of Oracle Application Server with OID, backed by Oracle Database and Identity Metadata Repository; Users Synchronized to SA Tables]

Oracle E-Business Suite Common Deployment Strategy
[Deployment diagram: Load Balancer in front of Oracle Application Server with SSO and DAS; a second Load Balancer in front of Oracle Application Server with OID, backed by Oracle Database and Identity Metadata Repository; DIP Synchronization to Oracle E-Business Suite Release 11i (FND_User in the Applications Database)]

Oracle E-Business Suite
[Support matrix: E-Business Suite Releases 11.5.8, 11.5.9, 11.5.10 and 12.0 against Single Sign-On, Oracle Internet Directory, Oracle Access Manager and Oracle Identity Manager]
Conclusion
- What is Identity Management?
- What are the Components?
- For each component: What does it do? What are the features? How is it installed?
- How does it all tie together?
- What common problems does IdM solve?
- Common Deployment Scenarios
Legal
The information contained herein should be deemed reliable but not guaranteed. The author has made every attempt to provide current and accurate information. If you have any comments or suggestions, please contact the author at: dnorris@piocon.com
You may request redistribution permission from dnorris@piocon.com.
Copyright 2008, Piocon Technologies