Oracle® Identity and Access Management Introduction
10g (10.1.4.0.1)

Part Number B31291-01

1 Overview of Oracle Identity and Access Management

Oracle Identity and Access Management is a product set that allows enterprises to manage and automate the end-to-end lifecycle of user identities, and provides users with secure, fine-grained access to enterprise resources and assets. Oracle introduced the first product in this set, Oracle Internet Directory, in 1999. Since then, Oracle has developed and introduced a number of identity and access management features including directory synchronization, secure directory administration, and a Web single sign-on service, all of which were integrated with the Oracle product stack. In 2005 and 2006, Oracle further enhanced its identity and access management offerings through strategic acquisitions. Oracle has made significant investments in best-of-breed solutions for identity federation, Web access management, delegated identity administration, user identity provisioning and virtual directory technology.

This chapter includes the following topics:

  • Oracle Identity and Access Management Products

  • Packaging of Oracle Identity and Access Management Products

1.1 Oracle Identity and Access Management Products

This section provides an introduction to the individual products comprising Oracle Identity and Access Management. The products can be grouped by function into three broad categories:

  • Directory Services

  • Access Management

  • Identity Management

1.1.1 Directory Services

Directory services, based on the Lightweight Directory Access Protocol (LDAP), are central to an identity and access management strategy. Oracle provides scalable directory and integration technology that meets the requirements of general enterprise deployment and is also leveraged by other Oracle products in the stack. Oracle Directory Services includes the following components:

  • Oracle Internet Directory

  • Oracle Virtual Directory

  • Oracle Directory Integration Platform

1.1.1.1 Oracle Internet Directory

Oracle Internet Directory is a scalable, robust LDAP V3-compliant directory service that leverages the scalability, high availability and security features of the Oracle Database. Oracle Internet Directory can serve as the central user repository for an identity and access management deployment, simplifying user administration in the Oracle application environment. It can also serve as a highly scalable, standards-based directory for the heterogeneous enterprise.

Performance, high availability, and security are some of the outstanding characteristics of Oracle Internet Directory. The Oracle Internet Directory Server employs a multi-process, multi-instance architecture that enables scalability with the number of CPUs, whether deployed on an SMP platform or as nodes in a hardware cluster. This is unique in the industry and a clear differentiation from directories employing single process architectures. Data management is another area where Oracle Internet Directory excels. As user populations grow, so do the challenges associated with configuring pilot installations, rapidly deploying new directory nodes, backing up directory data, and performing on-line bulk provisioning operations. Oracle Internet Directory leverages the data management capabilities of the Oracle Database to support hot backups and parallel load operations. In addition, Oracle Internet Directory provides specialized directory management tools such as high-speed multi-threaded client tools that facilitate on-line bulk user provisioning. Finally, Oracle Internet Directory exploits the security functionality of the Oracle Database, providing secure directory processes and data stores.

Oracle Internet Directory is a key component of the Oracle product stack used in applications such as OracleAS Portal, Oracle E-Business Suite, Oracle Collaboration Suite, and the Oracle Database for services such as user and credential management, e-mail address storage, and name resolution. In addition, Oracle Internet Directory is supported as a directory store for PeopleSoft applications.

1.1.1.2 Oracle Virtual Directory

Creating a secure application environment often requires integration of existing user identity information that may be scattered across multiple locations and services. Oracle Virtual Directory, formerly known as OctetString Virtual Directory Engine, provides a single, dynamic access point to these data sources through LDAP or XML protocols. It does this by providing a real-time data join and an abstraction layer that exposes a single logical directory, without the need to synchronize or move data from its native location. Oracle Virtual Directory can provide multiple application-specific views of identity data stored in, for example, Oracle Internet Directory, Microsoft Active Directory and Sun Java System Directory instances, and can also be used to secure data access to the application-specific sources and to improve the high availability of existing data sources. These capabilities accelerate the deployment of applications and reduce costs by eliminating the need to consolidate user information before an application can be deployed. Oracle Virtual Directory can continually adapt those applications to a changing identity landscape as user repositories are added, changed, or removed.

Oracle Virtual Directory facilitates the integration of applications into existing identity infrastructures. Oracle Virtual Directory accomplishes this integration without requiring changes to existing directories or user repositories, allowing enterprises to deploy these services quickly without having to deal with the political issues of data ownership and representation. Oracle Virtual Directory can also be deployed to provide multiple application centric views of directory information optimized for the specific needs of individual applications.

1.1.1.3 Oracle Directory Integration Platform

Oracle Directory Integration Platform is a component of Oracle Internet Directory designed to perform directory synchronization and application integration across various directories and compatible Oracle products. Oracle Directory Integration Platform allows applications that rely on Oracle Internet Directory to leverage user data managed in other directories and enterprise user repositories. The synchronization feature enables customers to synchronize data between various directories and Oracle Internet Directory. The application integration feature notifies target applications of changes to a user's status or information. Oracle Directory Integration Platform can also be used to implement a corporate meta-directory, where the entries of several departmental or application-specific directories are stored and managed centrally. Oracle Internet Directory includes agents for out-of-the-box synchronization with Oracle Human Resources, Oracle Database, and third-party LDAP servers such as Sun Java System Directory Server, Microsoft Active Directory, Novell eDirectory, and OpenLDAP.

1.1.2 Access Management

Access management is the means for controlling user access to enterprise resources. Access management products provide centralized, fine-grained access management for heterogeneous application environments, as well as out-of-the-box integration with Oracle products such as Oracle Portal, Oracle Collaboration Suite, and Oracle E-Business Suite.

Oracle access management products include the following:

  • Oracle Access Manager

  • Oracle Identity Federation

  • Oracle Application Server Single Sign-On

  • Oracle Enterprise Single Sign-On Suite

1.1.2.1 Oracle Access Manager

Oracle Access Manager, formerly known as Oracle COREid Access and Identity, provides Web-based identity administration, as well as access control to Web applications and resources running in heterogeneous environments. It provides the user and group management, delegated administration, password management and self-service functions necessary to manage large user populations in complex, directory-centric environments. Access Manager supports all popular authentication methods, including browser forms, digital certificates, and smart cards, and integrates seamlessly with most application servers and portals, including OracleAS 10g, BEA WebLogic, IBM WebSphere, Vignette and others. User identities and credentials can be accessed from a number of repositories, including Oracle Internet Directory, Microsoft Active Directory and Sun Java System Directory. With Access Manager, user access policies can be defined and enforced with a high degree of granularity through centralized management.

1.1.2.1.1 Access System

The Access System enables you to protect resources such as URLs and legacy, non-HTTP applications. It uses the information stored by the Identity System to control which users, groups, and organizations can access a resource. It stores information about configuration settings and security policies that control access to resources in a directory server that uses Oracle Access Manager-specific object classes. You can use the same directory to store the Access System configuration settings, access policy data, and user data, or you can store this data on separate directory servers.

1.1.2.1.2 Identity System

The Identity System is a set of applications that provide delegated administration, user self-service, and real-time change management. The Identity System stores information about users, groups, and organizations. For example, you can create, manage, and delete groups in the directory server. You can define a subscription policy for a group, including self-service with no approval needed, subscription with approvals, rule-based subscription, and no subscription allowed.
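The four group subscription policies named above decide what happens to a user's join request. The following model, written for this page and not Oracle Access Manager's own API, shows each policy's outcome; the policy names, the User and Group types, the rule callback and the administrator check are assumptions:

```python
# Illustrative model written for this page, not Oracle Access Manager's API.
# The policy names, User/Group types and the rule callback are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

class SubscriptionPolicy(Enum):
    SELF_SERVICE = "self-service, no approval needed"
    WITH_APPROVAL = "subscription with approvals"
    RULE_BASED = "rule-based subscription"
    NONE = "no subscription allowed"

@dataclass
class User:
    uid: str
    attrs: Dict[str, str] = field(default_factory=dict)

@dataclass
class Group:
    cn: str
    policy: SubscriptionPolicy
    members: List[str] = field(default_factory=list)
    pending: List[str] = field(default_factory=list)
    # Consulted only for RULE_BASED: returns True when the user qualifies.
    rule: Optional[Callable[[User], bool]] = None

def request_subscription(user: User, group: Group) -> str:
    """Apply the group's policy to a join request; return the outcome for the audit log."""
    if user.uid in group.members:
        return "already-member"
    if group.policy is SubscriptionPolicy.NONE:
        return "denied"
    if group.policy is SubscriptionPolicy.SELF_SERVICE:
        group.members.append(user.uid)
        return "joined"
    if group.policy is SubscriptionPolicy.WITH_APPROVAL:
        if user.uid not in group.pending:
            group.pending.append(user.uid)
        return "pending-approval"
    # RULE_BASED: a group with no rule configured fails closed.
    if group.rule is not None and group.rule(user):
        group.members.append(user.uid)
        return "joined"
    return "denied"

def approve(group: Group, uid: str, approver_is_admin: bool) -> str:
    """Move a pending request into membership; only an administrator may approve."""
    if not approver_is_admin or uid not in group.pending:
        return "rejected"
    group.pending.remove(uid)
    group.members.append(uid)
    return "approved"
```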

1.1.2.2 Oracle Identity Federation

As more companies move their business processes to the Web, many organizations have a greater need to extend the boundaries of their enterprise to include partner applications. Federated identity management allows companies to operate independently and cooperate for business purposes by enabling cross-domain single sign-on and allowing companies to manage user identities and vouch for them as they access resources managed by another domain.

Oracle Identity Federation, formerly known as COREid Federation, provides a self-contained federation solution that combines the ease of use and portability of a standalone application with a scalable, standards-based, proven interoperable architecture. It helps corporations securely link their business partners into a corporate portal or extranet while also increasing their compliance with privacy and security regulations. Identity Federation enables companies to manage multiple partners and choose from industry-standard federated protocols. Identity Federation provides built-in integration with customers' identity management infrastructure (Oracle and non-Oracle) to deliver an end-to-end user experience, addressing scenarios such as automatic registration, identity mapping, seamless access control navigation, and others.

1.1.2.3 Oracle Application Server Single Sign-On

Oracle Application Server Single Sign-On (OracleAS Single Sign-On) is a component that provides single sign-on access to Oracle and third-party Web applications. OracleAS Single Sign-On enables Web single sign-on for Oracle applications such as Oracle Portal, Oracle Collaboration Suite and Oracle E-Business Suite. It delivers a lightweight authentication solution to Oracle-only environments, supporting basic username and password authentication and X.509 certificate-based authentication. OracleAS Single Sign-On supports authentication against user identities and credentials stored in Oracle Internet Directory, with integration to other repositories such as Microsoft Active Directory and Sun Java System Directory through the Oracle Directory Integration Platform.

1.1.2.4 Oracle Enterprise Single Sign-On Suite

Oracle Enterprise Single Sign-On Suite (eSSO Suite) is an upcoming product that provides true single sign-on for all the applications and resources in an enterprise, with no modification required to existing applications. It enables seamless retrofitting of strong, multifactor authentication to the desktop and to all legacy applications. eSSO Suite saves users from having to remember and manage multiple passwords and usernames. It also saves helpdesk time and money in responding to user requests to reset forgotten passwords. With the Oracle eSSO Suite, users log on once, and eSSO does the rest, automating every password management function, including logon, password selection, and password change and reset.

1.1.3 Identity Management

Oracle Identity Management is a product set that allows enterprises to manage the end-to-end lifecycle of user identities across all enterprise resources both within and beyond the firewall.

Automating user identity provisioning can reduce IT administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Compliance initiatives focus on the enforcement of corporate policies as well as the demonstration of compliance with these standards. An enterprise identity management solution can provide a mechanism for implementing the user management aspects of a corporate policy, as well as a means to audit users and their access privileges.

The Oracle Identity and Access Management Suite includes the following identity management products:

  • Oracle Identity Manager

  • Oracle Delegated Administration Services

1.1.3.1 Oracle Identity Manager

The Oracle Identity Manager platform automates user identity provisioning and deprovisioning and allows enterprises to manage the end-to-end lifecycle of user identities across all enterprise resources, both within and beyond the firewall. It provides an identity management platform that automates user provisioning, identity administration, and password management, wrapped in a comprehensive workflow engine.

Automating user identity provisioning can reduce IT administration costs and improve security. Provisioning also plays an important role in regulatory compliance. Key features of Oracle Identity Manager include password management, workflow and policy management, identity reconciliation, reporting and auditing, and extensibility through adapters.

Oracle Identity Manager also provides attestation support. Attestation is the process of having users or system managers confirm people's access rights on a periodic basis. Existing Sarbanes-Oxley requirements require enterprises to perform attestation for all financially significant systems every three to six months. Identity Manager includes a highly flexible attestation solution to help enterprise customers meet these regulatory requirements in a cost-effective and timely manner. By setting up attestation processes in Identity Manager, enterprise customers can automate the generation, delivery, review, sign-off, delegation, tracking, and archiving of user access rights reports for reviewers on a scheduled or ad hoc basis.

1.1.3.2 Oracle Delegated Administration Services

Oracle Delegated Administration Services, part of Oracle Internet Directory, provides trusted proxy-based administration of directory information by users and application administrators. Oracle Delegated Administration Services are implemented as a set of pre-defined, Web-based units that are embedded in the administrative interfaces for Oracle products such as OracleAS Portal, Oracle Collaboration Suite, the Oracle Database Security Manager and Oracle E-Business Suite. Included with Oracle Internet Directory is the DAS Self-Service Console, an easy-to-use, Web-based tool built on the Oracle Delegated Administration Services framework. The DAS Self-Service Console allows end users and application administrators to search for and manage data in the directory and provides Oracle Application Server administrators with a means of managing end users in the Oracle environment.

1.2 Packaging of Oracle Identity and Access Management Products

Oracle's Identity and Access Management solution consists of two packages:

  • Oracle Identity and Access Management Suite

  • Oracle Application Server Infrastructure Components

This section describes these two packages.

1.2.1 Oracle Identity and Access Management Suite

The Oracle Identity and Access Management Suite includes the following products, which are described in this book:

  • Oracle Internet Directory

  • Oracle Virtual Directory

  • Oracle Access Manager

  • Oracle Identity Federation

  • Oracle Identity Manager

In addition, the Oracle Identity and Access Management Suite includes Oracle Security Developer Tools, which provides an API for developing federation and secure Web services applications.

1.2.2 Oracle Application Server Infrastructure Components

Four of the identity and access management products described in this book are components of the Oracle Application Server infrastructure, which is included with Oracle Application Server, Oracle Database, and Oracle Collaboration Suite. These four products are:

  • Oracle Internet Directory

  • Oracle Directory Integration Platform

  • Oracle Application Server Single Sign-On

  • Oracle Delegated Administration Services

When you install the Oracle Application Server infrastructure, you can choose to install these components on the same server or on different servers.

See Also: The "Installing OracleAS Infrastructure" chapter in Oracle Application Server Installation Guide.

Note: Oracle Internet Directory is included in both the Oracle Identity and Access Management Suite and Oracle Application Server Infrastructure.

As of Oracle Application Server 10g (10.1.4.0.1), these four products can be managed with Identity Management Grid Control Plug-in, which uses the features of Oracle Enterprise Manager 10g Grid Control.

See Also: The "Identity Management Grid Control Plug-in" chapter in Oracle Identity Management Infrastructure Administrator's Guide.

The Oracle Application Server Infrastructure also includes Oracle Application Server Certificate Authority, which issues, revokes, renews, and publishes X.509v3 certificates to support PKI-based strong authentication methods.