
Oracle Identity Management: The Total Identity Solution

Matt Topper mtopper(at)itconvergence.com

Agenda
What is Identity Management? What are the Components?
For each component:
What does it do?
What are the features?
Where did it come from?
How is it installed?
How does it all tie together?
What common problems does IdM solve?
Common Deployment Scenarios

What is Identity Management?


In information systems, identity management, or what is sometimes referred to as identity management systems, is the management of the identity life cycle of entities (subjects or objects), during which:
1. the identity is established:
   1. a name (or number) is connected to the subject or object;
   2. the identity is re-established: a new or additional name (or number) is connected to the subject or object;
2. the identity is described:
   1. one or more attributes which are applicable to this particular subject or object may be assigned to the identity;
   2. the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed;
3. the identity is destroyed.
From Wikipedia, March 2007

Oracle Identity Management Then and Now

Classic Oracle IdM

Oracle Internet Directory
Oracle Delegate Administration Interface
Oracle Single Sign On
Oracle Certificate Authority

Oracle Internet Directory

What does it do? What are the main features?


LDAP v3 Compliant
Dynamic Groups
Replication
Directory Integration Platform
Password Policies

Oracle Internet Directory


How is it deployed?
Deployment diagram components: Load Balancer; Oracle Application Server with OID (two instances); Oracle Database and Metadata Repository; Microsoft Active Directory

Oracle Directory Administration Service

What does it do? What are the main features?

Oracle Directory Administration Service

How is it deployed?
Deployment diagram components: Load Balancer (two); Oracle Application Server with DAS (two instances); Oracle Application Server with OID (two instances); Oracle Database and Metadata Repository

Oracle Single Sign-On

What does it do? What are the main features?

Oracle Single Sign-On Request Cycle

Participants: Client PC (browser), Oracle Application Server with Portal, Oracle Application Server with SSO, Oracle Application Server with OID, Oracle Database and Metadata Repository

1. Initial Portal Page Request from the client browser to Portal (No SSO Cookie)
2. Portal redirects the browser to the SSO Server
3. Browser requests the Login Page from the SSO Server
4. SSO Server returns the Login Page
5. Browser sends Login and Password to the SSO Server
6. SSO Server binds Username and Password against OID
7. OID validates against the Database; credentials match the Database Table
8. Bind Success returned to the SSO Server
9. SSO Server redirects the browser to Portal With SSO Cookie
10. Portal Page Request With SSO Cookie
11. Portal Page Returned to the Client Browser

Oracle Single Sign-On


How is it deployed?
Deployment diagram components: Load Balancer (two); Oracle Application Server with SSO; Oracle Application Server with DAS; Oracle Application Server with OID (two instances); Oracle Database and Metadata Repository

Oracle Certificate Authority

What does it do? What are the main features?

Oracle Certificate Authority


How is it deployed?
Deployment diagram components: Load Balancer (two); Oracle Application Server with DAS and SSO; Oracle Application Server with Certificate Authority; Oracle Application Server with OID (two instances); Oracle Database and Metadata Repository

Classic Oracle IdM Deployment

New Generation Oracle IdM

Oracle Internet Directory
Oracle Delegated Administration Service
Oracle Certificate Authority
Oracle Single Sign On
Oracle Enterprise Single Sign On
Oracle Identity Manager
Oracle Access Manager
Oracle Virtual Directory
Oracle Identity Federation
Oracle Web Services Manager
Oracle Adaptive Access Manager
Bridgestream (September 5)

Oracle Enterprise Single Sign On

What does it do? What are the main features?


Single Sign-On Logon Manager
Single Sign-On Password Reset
Single Sign-On Authentication Manager
Single Sign-On Provisioning Gateway
Single Sign-On Kiosk Manager
How is it installed? Where did it come from?
Passlogix (Partnership, June 2006)

Oracle Identity Manager

What does it do? What are the main features?


Provisioning
Workflow
Compliance
Connector Architecture
User Self Service
Delegated Administration
Where did it come from?
Thor Xcellerate (Acquisition, November 2005)

Oracle Identity Manager Connector Pack

Connection Interfaces
BMC Remedy
CA-ACF2 (Mainframe)
CA-Top Secret (Mainframe)
Database User Management
Database Application Tables
IBM RACF
IBM i5/OS
IBM Lotus Notes / Domino
JD Edwards EnterpriseOne
Microsoft Active Directory
Microsoft Exchange
Microsoft Windows 2000
Novell eDirectory
Novell GroupWise
Oracle eBusiness Suite
Oracle Internet Directory
PeopleSoft
Siebel Enterprise Applications
RSA Authentication Manager
RSA ClearTrust
SAP
SAP Enterprise Portal
Sun Java System Directory
Unix SSH
Unix Telnet

Oracle Identity Manager

How is it deployed?
Deployment diagram components:
Administration Console (User Self-Service, Delegated Administration)
Design Console (Administration Services, Design Services)
Application Server - Server Side Components
Oracle Database and Identity Manager Repository
Remote Managers
Connector Targets and Custom Application Clients
Interfaces: LDAP, JDBC, Java, Web Services, SSH
Targets: Databases, Users, Mainframe, JD Edwards, Oracle E-Business Suite, Novell GroupWise, Microsoft Active Directory, Microsoft Exchange, etc.

Oracle Access Manager

What does it do? What are the main features?


WebGate
WebPass
Identity Server
Access Server
Policy Server
How is it installed? Where did it come from?
Oblix CoreID Access Manager (Acquisition, March 2005)

Oracle Access Manager

How is it deployed?
Deployment diagram components:
End Users (Employees, Partners, Customers, Suppliers)
Web Server (OHS or IIS) with WebGate or AccessGate
Enterprise Applications
Oracle Access Server
Oracle Database and Identity Metadata Repository
Access Administrators using WebPass with Policy Manager

Oracle Virtual Directory

What does it do? What are the main features? How is it installed? Where did it come from?
Octet String VDE (Acquisition, November 2005)

Oracle Virtual Directory


How is it deployed?
Deployment diagram components:
Oracle Virtual Directory (in the center)
Clients: Web Applications, Oracle Portal, Access Manager, Custom Web Service
Back-end sources: Oracle Internet Directory, Microsoft Active Directory, Custom Application User Table, New Acquisitions Active Directory

Oracle Identity Federation

What does it do? What are the main features?


Service Providers
Identity Providers
Principals
Standards: SAML (1.0 / 2.0), Liberty ID-FF (1.1 / 1.2), WS-Federation

How is it installed? Where did it come from?
Oblix CoreID Federation (Acquisition, March 2005)

Oracle Identity Federation with Oracle Access Manager

How is it deployed?
Deployment diagram components:
End Users (Employees, Partners, Customers, Suppliers)
Peer Identity Provider
OHS or IIS with WebPass
Oracle Access Manager
Oracle Identity Federation Service Provider and Authentication Module
Oracle Internet Directory
Oracle Database and Identity Metadata Repository
Enterprise Applications

Oracle Web Services Manager


What does it do? What are the main features?
No Code Changes!!!
Gateway vs Agent
Gateway Translations
SLAs
Encryption, Authentication, and Authorization
Encryption Algorithms: AES-128, AES-256, 3-DES
Message Digests: MD5, SHA-1
Message Structure: XML / SOAP / WS-Security
Token Profiles: Basic Authentication, X.509, SAML
Message Integrity: XML Signature
Message Confidentiality: XML Encryption
PKI

Where did it come from?
Oblix CoreSV (Acquisition, March 2005)

Oracle Web Services Manager Gateway

How is it deployed?
Deployment diagram components:
End Users (Employees, Partners, Customers, Suppliers)
OWSM Gateway in front of the Corporate Web Services
Protocols: REST, SOAP, HTTP(S), SAML
Administrators using Policy Manager and Monitor

Oracle Web Services Manager Agents

How is it deployed?
Deployment diagram components:
End Users (Employees, Partners, Customers, Suppliers)
Corporate Web Services, each with its own OWSM Agent
Protocols: REST, SOAP, HTTP(S), SAML
Administrators using Policy Manager and Monitor

Oracle Adaptive Access Manager


What does it do? What are the main features?
Adaptive Risk Manager and Strong Authenticator
Bharosa = Trust
Two Factor Authentication
Profile based on usage patterns: location, device, workflow
View user sessions in real time
Force secondary challenges to users
Many flexible log-in / authentication tools

Where did it come from?
Bharosa (Acquisition, March 2005)

Oracle Adaptive Access Manager

How is it deployed?
Deployment diagram components:
Oracle Database
OASA (Oracle Adaptive Strong Authenticator)
OARM (Oracle Adaptive Risk Manager)
End Users (Employees, Partners, Customers, Suppliers)
Internal Users (Customer Care, Application Administrators)

How it all ties together

Oracle Identity Manager: does provisioning of new hires to apps, directories, etc.; manages occasional changes to user status; one-click de-provisioning; audit logs and reports. Reaches target systems through Connectors.
Oracle Access Manager: manages daily user access; SSO to any web-based app; user self service and password resets.
Oracle Federation Server: extends SSO across company boundaries, for example to a key supplier or benefits partner.
Oracle Virtual Directory: real-time proxy for directories and other repositories; an alternative or complement to meta-directories. Sources shown: HR System (any single source of truth for users), AD, OID.
Other diagram labels: Any App on any Platform; Delegation; Business Unit; Internal Employees; Field Location; 1,000s of External Users; 1,000,000s of Internet Users.

*Courtesy of Oracle Corporation

What are the major problems being solved?

Oracle Portal Common Deployment Strategy

Deployment diagram components:
Microsoft Active Directory (DIP Synchronization and External Authorization with OID)
Oracle Application Server with SSO and DAS
Oracle Application Server with OID
Oracle Database and Identity Metadata Repository
Load Balancers
Oracle Portal and Business Intelligence Standard Edition (DIP Synchronization)
Oracle Database and Product Metadata Repository

Oracle Business Intelligence Enterprise Edition Common Deployment Strategy with LDAP / OID Only

Deployment diagram components:
Oracle BI Server and Presentation Services (session authentication against OID)
Load Balancers
Oracle Application Server with OID
Oracle Database and Identity Metadata Repository
Users Synchronized to SA Tables with DIP

Oracle Business Intelligence Enterprise Edition Common Deployment Strategy with Oracle Access Manager

Deployment diagram components:
Oracle AS with WebGate and Presentation Services Plug-In
Oracle Access Server (authentication)
Oracle BI Server and Presentation Services (using Impersonation Headers)
Load Balancers
Oracle Application Server with OID
Oracle Database and Identity Metadata Repository
Users Synchronized to SA Tables

Oracle E-Business Suite Common Deployment Strategy

Deployment diagram components:
Oracle Application Server with SSO and DAS
Oracle Application Server with OID (DIP Synchronization)
Oracle Database and Identity Metadata Repository
Load Balancers
Oracle E-Business Suite Release 11i
FND_User table in the Applications Database

Oracle eBusiness Suite

Table of eBusiness Suite releases (11.5.8, 11.5.9, 11.5.10, 12.0) against identity components: Single Sign-On, Oracle Internet Directory, Oracle Access Manager, Oracle Identity Manager

Conclusion
What is Identity Management? What are the Components?
For each component:
What does it do?
What are the features?
How is it installed?
Where did it come from?
How does it all tie together?
What common problems does IdM solve?
Common Deployment Scenarios

Questions?

Matt Topper mtopper(at)itconvergence.com
Or download the white paper "The Total Identity Solution" (Registration Required)

Save the Date!

April 13-17, 2008, Colorado Convention Center, Denver, Colorado

Sign-up for IOUG Today


Join online at www.ioug.org and get immediate access
to:

Member Discounts and Special Offers
SELECT Journal
Library of Oracle Knowledge (LoOK)
Member Directory
Special Interest Groups
Discussion Forums
Access to Local and Regional Users Groups
5 Minute Briefing: Oracle
Volunteer Opportunities

Oracle Identity Management: The Total Identity Solution

Matt Topper matt@matttopper.com

Legal
The information contained herein should be deemed reliable but not guaranteed. The author has made every attempt to provide current and accurate information. If you have any comments or suggestions, please contact the author at mtopper(at)itconvergence.com. Only IOUG, Collaborate 07, and IT Convergence have been granted permission to reprint and distribute this presentation. Others may request redistribution permission from mtopper(at)itconvergence.com. Copyright 2007, IT Convergence
