1 Developing Applications for Oracle Identity Management

Oracle Identity Management provides a shared infrastructure for all Oracle applications. It also provides services and interfaces that facilitate third-party enterprise application development. These interfaces are useful for application developers who need to incorporate identity management into their applications.

This chapter discusses these interfaces and recommends application development best practices in the Oracle Identity Management environment.

There are two types of applications that can be integrated with Oracle Identity Management:

• Existing applications already used in the enterprise. The enterprise might have already invested in such applications and would benefit from their integration with the Oracle Identity Management infrastructure.

• New applications being developed by corporate IT departments or ISVs that are based on the Oracle technology stack

This chapter contains the following topics:

• Benefits of Integrating with Oracle Identity Management

• Oracle Identity Management Services Available for Application Integration

• Integrating Existing Applications with Oracle Identity Management

• Integrating New Applications with Oracle Identity Management

• Oracle Internet Directory Programming: An Overview

1.1 Benefits of Integrating with Oracle Identity Management

Enterprise applications integrating with the Oracle Identity Management infrastructure receive the following benefits:

• Integration facilitates faster application deployment with lower costs: Enterprises (primarily Oracle customers) already using an existing Oracle Identity Management infrastructure can deploy new applications using the self-service console of Oracle Delegated Administration Services. Delegating application administration to users reduces the deployment cost of the application.

• Seamless integration with Oracle applications: Because all Oracle applications rely on the Oracle Identity Management infrastructure, new enterprise applications can use all the features Oracle Identity Management offers.

• Seamless integration with third-party identity management solutions: Because the Oracle Identity Management infrastructure already has built-in capabilities for integrating with third-party identity management solutions, application developers can take advantage of the identity management features.

1.2 Oracle Identity Management Services Available for Application Integration

Custom applications can use Oracle Identity Management through a set of documented and supported services and APIs. For example:

• Oracle Internet Directory provides LDAP APIs for C, Java, and PL/SQL, and is compatible with other LDAP SDKs.

• Oracle Delegated Administration Services provides a core self-service console that can be customized to support third-party applications. In addition, they provide a number of services for building customized administration interfaces that manipulate directory data.

• Oracle Directory Integration Services facilitate the development and deployment of custom solutions for synchronizing Oracle Internet Directory with third-party directories and other user repositories.

• Oracle Provisioning Integration Services provide a mechanism for provisioning third-party applications, as well as a means of integrating the Oracle environment with other provisioning systems.

• OracleAS Single Sign-On provides APIs for developing and deploying partner applications that share a single sign-on session with other Oracle Web applications.

• JAZN is the Oracle implementation of the Java Authentication and Authorization Service (JAAS) Support standard. JAZN allows applications developed for the Web using the Oracle J2EE environment to use the identity management infrastructure for authentication and authorization.

1.3 Integrating Existing Applications with Oracle Identity Management

An enterprise may have already deployed certain applications to perform critical business functions. The Oracle Identity Management infrastructure provides the following services that can be leveraged by the deployment to modify existing applications:

• Automated User Provisioning: The deployment can develop a custom provisioning agent that automates the provisioning of users in the existing application in response to provisioning events in the Oracle Identity Management infrastructure. This agent must be developed using the interfaces of Oracle Provisioning Integration Service.

  
  

  See Also: Oracle Internet Directory Administrator's Guide for more information about developing automated user provisioning

  
  

• User Authentication Services: If the user interface of the existing application is based on HTTP, integrating it with Oracle HTTP Server and protecting its URL using mod_osso will authenticate all incoming user requests using the OracleAS Single Sign-On service.

• Centralized User Profile Management: If the user interface of the existing application is based on HTTP, and it is integrated with OracleAS Single Sign-On for authentication, the application can use the self-service console of Oracle Delegated Administration Services to enable centralized user profile management. The self-service console can be customized by the deployment to address the specific needs of the application.

1.4 Integrating New Applications with Oracle Identity Management

Application developers can use the services provided by the Oracle Identity Management infrastructure more extensively if they are developing a new application or planning a new release of an existing application. Application developers should consider the following integration points:

• User Authentication Services: The application developer has the following options:

  • If the application is based on J2EE, it can use the services provided by the Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider interface.

  • If the application relies on Oracle Application Server Containers for J2EE (OC4J), it can use the services provided by mod_osso to authenticate users and obtain important information about the user in the HTTP headers.

  • If the application is a standalone Web-based application, it can use OracleAS Single Sign-On as a partner application using the OracleAS Single Sign-On APIs.

  • If the application provides an interface that is not Web-based, it can use the Oracle Internet Directory LDAP APIs (available in C, PL/SQL and Java) to authenticate users.

• Centralized Profile Management: The application developer has the following options available:

  • The application developer can model application-specific profiles and user preferences as attributes in Oracle Internet Directory.

  • If the user interface of the application is based on HTTP, and it is integrated with OracleAS Single Sign-On for authentication, the application can leverage the self-service console of Oracle Delegated Administration Services to enable centralized user profile management. The self-service console can be customized by the deployment to address the specific needs of the application.

  • The application can also retrieve user profiles at run time using the Oracle Internet Directory LDAP APIs (available in C, PL/SQL and Java).

• Automated User Provisioning: Application developers should consider the following options:

  • If the user interface of the application is based on HTTP and it is integrated with OracleAS Single Sign-On for authentication, then the application developer can implement automated user provisioning the first time a user accesses the application

  • The application can also be integrated with the Oracle Internet Directory Provisioning Integration Service, which enables it to automatically provision or de-provision user accounts in response to administrative actions, such as adding an identity, modifying the properties of an existing identity, or deleting an existing identity in the Oracle Identity Management infrastructure

See Also: Oracle Identity Management Integration Guide

1.5 Oracle Internet Directory Programming: An Overview

This section introduces you to the Oracle Internet Directory Software Developer's Kit. It provides an overview of how an application can use the kit to integrate with the directory. You are also acquainted with the rest of the directory product suite.

The section contains these topics:

• Programming Languages Supported by the Oracle Internet Directory SDK

• Oracle Internet Directory SDK Components

• Application Development in the Oracle Internet Directory Environment

• Other Components of Oracle Internet Directory

1.5.1 Programming Languages Supported by the Oracle Internet Directory SDK

The SDK is for application developers who use C, C++, and PL/SQL. Java developers must use the JNDI provider from Sun Microsystems to integrate with the directory.

1.5.2 Oracle Internet Directory SDK Components

Oracle Internet Directory Software Developer's Kit 10g Release 2 (10.1.2) consists of the following:

• A C API compliant with LDAP Version 3

• A PL/SQL API contained in a PL/SQL package called DBMS_LDAP

• Sample programs

• Oracle Identity Management Application Developer's Guide (this document)

• Command-line tools

1.5.3 Application Development in the Oracle Internet Directory Environment

This section contains these topics:

• Architecture of a Directory-Enabled Application

• Oracle Internet Directory Interactions During the Application Life Cycle

• Services and APIs for Integrating Applications with Oracle Internet Directory

• Integrating Existing Applications with Oracle Internet Directory

• Integrating New Applications with Oracle Internet Directory

1.5.3.1 Architecture of a Directory-Enabled Application

Most directory-enabled applications are backend programs that simultaneously handle multiple requests from multiple users. Figure 1-1 shows how a directory is used by such applications.

Figure 1-1 A Directory-Enabled Application

Description of "Figure 1-1 A Directory-Enabled Application"

As Figure 1-1 shows, when a user request involves an LDAP-enabled operation, the application processes the request using a smaller set of pre-created directory connections.

1.5.3.2 Oracle Internet Directory Interactions During the Application Life Cycle

Table 1-1 walks you through the directory operations that an application typically performs during its lifecycle.

Table 1-1 Interactions During Application Lifecycle

Point in Application Lifecycle	Logic
Application Installation	Create an application identity in the directory. The application uses this identity to perform most of its LDAP operations. Give the application identity LDAP authorizations by making it part of the correct LDAP groups. These authorizations enable the application to accept user credentials and authenticate them against the directory. The directory can also use application authorizations to proxy for the user when LDAP operations must be performed on the user's behalf.
Application Startup and Bootstrap	The application must retrieve credentials that enable it to authenticate itself to the directory. If the application stores configuration metadata in Oracle Internet Directory, it can retrieve that metadata and initialize other parts of the application. The application can then establish a pool of connections to serve user requests.
Application Runtime	For every end-user request that needs an LDAP operation, the application can: Pick a connection from the pool of LDAP connections. Switch the user to the end-user identity if the LDAP operation needs to be performed with the effective rights of the end-user. Perform the LDAP operation by using either the regular API or the API enhancements described in this chapter. Ensure that the effective user is now the application identity once the LDAP operation is complete. Return the LDAP connection back to the pool of connections.
Application Shutdown	Abandon any outstanding LDAP operations and close all LDAP connections.
Application Deinstallation	Remove the application identity and the LDAP authorizations granted to it.

1.5.3.3 Services and APIs for Integrating Applications with Oracle Internet Directory

Application developers can integrate with Oracle Internet Directory by using the services and APIs listed and described in Table 1-2.

Table 1-2 Services and APIs for Integrating with Oracle Internet Directory

Service/API	Description	More Information
Standard LDAP APIs in C, PL/SQL and Java	These provide basic LDAP operations. The standard LDAP API used in Java is the JNDI API with the LDAP service provider from Sun Microsystems.	Chapter 2, "Developing Applications with Standard LDAP APIs"
Oracle Extensions to Standard C, PL/SQL and Java APIs	These APIs provide programmatic interfaces that model various concepts related to identity management.	Chapter 3, "Developing Applications with Oracle Extensions to the Standard APIs"
Oracle Delegated Administration Services	Oracle Delegated Administration Services consists of a self-service console and administrative interfaces. You can modify the administrative interfaces to support third-party applications.	Chapter 8, "Integrating with Oracle Delegated Administration Services" The chapter about the delegated administration services framework in Oracle Identity Management Guide to Delegated Administration
Oracle Directory Provisioning Integration Service	You can use the Oracle Provisioning Integration System to provision third-party applications and integrate other provisioning systems.	Chapter 6, "Developing Provisioning-Integrated Applications" Oracle Identity Management Integration Guide
Oracle Internet Directory Plug-ins	You can use plug-ins to customize directory behavior in certain deployments.	Chapter 7, "Developing Directory Plug-ins" The chapter about plug-ins in Oracle Internet Directory Administrator's Guide Appendix A, "Java Plug-ins for User Provisioning"

Figure 1-2 shows an application leveraging some of the services illustrated in Table 1-2.

Figure 1-2 An Application Leveraging APIs and Services

As Figure 1-2 shows, the application integrates with Oracle Internet Directory as follows:

• Using PL/SQL, C, or Java APIs, it performs LDAP operations directly against the directory.

• In some cases, it directs users to self-service features of Oracle Delegated Administration Services.

• It is notified of changes to entries for users or groups in Oracle Internet Directory. The Oracle Directory Provisioning Integration Service provides this notification.

1.5.3.4 Integrating Existing Applications with Oracle Internet Directory

Your enterprise may already have deployed applications that you may have wanted to integrate with the Oracle identity management infrastructure. You can still integrate these applications using the services presented in Table 1-3.

Table 1-3 Services for Modifying Existing Applications

Service	Description	More Information
Automated User Provisioning	You can develop an agent that automatically provisions users when provisioning events occur in the Oracle identity management infrastructure. You use interfaces of the Oracle Directory Provisioning Integration Service to develop this agent.	Chapter 6, "Developing Provisioning-Integrated Applications"
User Authentication Services	If your user interface is based on HTTP, you can integrate it with the Oracle HTTP Server. This enables you to use mod_osso and OracleAS Single Sign-On to protect the application URL.	Oracle Application Server Single Sign-On Administrator's Guide
Centralized User Profile Management	If your user interface is based on HTTP and is integrated with OracleAS Single Sign-On, you can use the Oracle Internet Directory Self-Service Console to manage user profiles centrally. You can tailor the console to the needs of your application.	Chapter 8, "Integrating with Oracle Delegated Administration Services" The chapter about the delegated administration services framework in Oracle Identity Management Guide to Delegated Administration

1.5.3.5 Integrating New Applications with Oracle Internet Directory

If you are developing a new application or planning a new release of an existing application, you have many directory integration options at your disposal. Table 1-4 lists and describes these.

Table 1-4 Application Integration Points

Integration Point	Available Options	More Information
User Authentication Services	If your application is based on J2EE, it can use the JAZN interface to authenticate users. If it relies on OC4J, it can use mod_osso for the same purpose. The second option enables the application to obtain information about the user from HTTP headers. If your application is Web based and standalone, it can still integrate with OracleAS Single Sign-On, then it can still leverage Oracle Application Server Single Sign-On by becoming a partner application using the single sign-on APIs. Finally, if the application provides a non-Web user interface, it can use the Oracle Internet Directory LDAP APIs to integrate users.	Oracle Application Server Containers for J2EE User's Guide Oracle Application Server Single Sign-On Administrator's Guide Part II, "Oracle Internet Directory Programming Reference". This section is devoted to the various LDAP APIs.
User Authorization Services	If your application is based on J2EE, it can use the JAZN interface to implement and enforce user authorizations for application resources. The application can define authorizations as groups in Oracle Internet Directory and can then check the authorizations of a user by checking his or her group membership. It can use the Oracle Internet Directory LDAP APIs for this purpose.	Oracle Application Server Containers for J2EE User's Guide Part II, "Oracle Internet Directory Programming Reference". This section is devoted to the various LDAP APIs.
Centralized Profile Management	You can define application-specific profiles and user preferences as attributes in Oracle Internet Directory. If your user interface is based on HTTP and is integrated with OracleAS Single Sign-On, you can use the Oracle Internet Directory Self-Service Console to manage user profiles centrally. You can tailor the console to the needs of your application. Additionally, you can use the Oracle Internet Directory LDAP APIs to retrieve user profiles at runtime.	The chapter about deployment considerations in Oracle Internet Directory Administrator's Guide Chapter 8, "Integrating with Oracle Delegated Administration Services" Oracle Identity Management Guide to Delegated Administration Part II of this guide, which is devoted to the various LDAP APIs
Automated User Provisioning	If your user interface is based on HTTP and it is integrated with OracleAS Single Sign-On, you can implement automated user provisioning the very first time a user accesses the application. You use the Oracle Directory Provisioning Integration Service to integrate the application with the Oracle identity management infrastructure. Once integrated, the application can provision or deprovision user accounts automatically when an administrator adds, modifies, or deletes an identity.	Chapter 6, "Developing Provisioning-Integrated Applications"

1.5.4 Other Components of Oracle Internet Directory

The SDK is just one component in the directory suite. Here are the others:

• Oracle directory server, LDAP Version 3

• Oracle directory replication server

• Oracle Directory Manager, a Java-based graphical user interface

• Oracle Internet Directory bulk tools

• Oracle Internet Directory Administrator's Guide