Oracle® Fusion Middleware Integration Guide for Oracle Identity Management
11g Release 1 (11.1.1)
Part Number E10031-01
This chapter introduces Oracle Identity Management integration, its components, structure, and administration tools.
This chapter contains these topics:
See Also: Appendix D, "Case Study: A Deployment of Oracle Directory Integration Platform" for an example of how you can deploy Oracle Identity Management integration
Oracle Identity Management enables you to reduce administrative time and costs by integrating your applications and directories—including third-party LDAP directories—with Oracle Internet Directory. It does this by using Oracle Directory Integration Platform. For example, you might need to do the following:
Keep employee records in Oracle Human Resources consistent with those in Oracle Internet Directory. Oracle Directory Integration Platform provides this synchronization through the Oracle Directory Synchronization Service.
Notify certain LDAP-enabled applications—such as Oracle Application Server Portal (Oracle Portal)—whenever changes are applied to Oracle Internet Directory. The Oracle Directory Integration Platform provides this notification through its Oracle Directory Integration Platform Provisioning Service.
Throughout the integration process, Oracle Directory Integration Platform ensures that the applications and other directories receive and provide the necessary information in a reliable way.
You can integrate with various directories, including Microsoft Active Directory and Microsoft Active Directory Lightweight Directory Service (AD LDS), which was previously known as Active Directory Application Mode or ADAM; Sun Java System Directory Server; Novell eDirectory; IBM Tivoli Directory Server; and OpenLDAP. For example, in an Oracle Fusion Middleware environment, where access to Oracle components relies on data stored in Oracle Internet Directory, you can still use Microsoft Active Directory as the central enterprise directory. Users of that directory can still access Oracle components because Oracle Directory Integration Platform can synchronize the data in Microsoft Active Directory with that in Oracle Internet Directory.
By default, Oracle Directory Integration Platform is installed as part of Oracle Directory Services. However, you can also install Oracle Directory Integration Platform in a standalone installation—without the other Oracle Directory Services components. You should install a standalone instance of Oracle Directory Integration Platform under the following circumstances:
You need Oracle Directory Integration Platform to be installed in a different application server instance.
The applications that you need to provision and synchronize require intensive processing.
You need to run multiple instances of Oracle Directory Integration Platform for high availability.
Note: Synchronization and Replication are not synonymous. Replication is used for data handling between directories of the same vendor.
This section contains these topics:
Synchronization enables you to coordinate changes among Oracle Internet Directory and connected directories. For all directories to both use and provide only the latest data, each directory must be informed of changes made in the other connected directories. Synchronization ensures that changes to directory information—including, but not limited to data updated through provisioning—is kept consistent.
Whenever you decide to connect a third-party directory to Oracle Internet Directory, you create a synchronization profile for that specific directory. This profile specifies the format and content of the data to be synchronized between Oracle Internet Directory and the connected directory. To create a synchronization profile, you can use the
manageSyncProfiles utility or Oracle Enterprise Manager Fusion Middleware Control.
Provisioning enables you to ensure that an application is notified of directory changes to, for example, user or group information. Such changes can affect whether the application allows a user access to its processes and determines which resources can be used.
Use provisioning when you are designing or installing an application that has the following requirements:
Does not maintain a directory
Can and should allow only authorized users to access its resources
When you install an application that you want to provision, you must create a provisioning integration profile for it by using the
Synchronization and provisioning have important operational differences, as described in Table 1-1.
Table 1-1 Directory Synchronization and Provisioning Integration Distinctions
|Consideration||Directory Synchronization||Provisioning Integration|
|The time for action||Application deployment time. Directory synchronization is for connected directories requiring synchronization with Oracle Internet Directory.||Application design time. Provisioning integration is for application designers developing LDAP-enabled applications.|
|||Either one-way or two-way—that is, either from Oracle Internet Directory to connected directories, the reverse, or both||Either one-way or two-way—that is, either from Oracle Internet Directory to applications, the reverse, or both|
|Type of data||Any data in a directory||Restricted to provisioned users and groups|
Oracle Human Resources
Sun Java System Directory Server
Microsoft Active Directory
IBM Tivoli Directory Server
This section describes the components involved in Oracle Identity Management integration. It contains these topics:
Oracle Internet Directory is the repository in which Oracle components and third-party applications store and access user identities and credentials. It uses the Oracle directory server to authenticate users by comparing the credentials entered by users with the credentials stored in Oracle Internet Directory. When credentials are stored in a third-party directory and not in Oracle Internet Directory, users can still be authenticated. In this case, Oracle Internet Directory uses an external authentication plug-in that authenticates users against the third-party directory server.
The Oracle Directory Integration Platform is a J2EE application that enables you to synchronize data between different repositories and Oracle Internet Directory. Oracle Directory Integration Platform includes services and interfaces that allow you to develop synchronization solutions with other enterprise repositories. It can also be used to provide Oracle Internet Directory interoperability with third party metadirectory solutions.
Figure 1-1 shows an example of an Oracle Directory Integration Platform environment:
In the example in Figure 1-1, Oracle Internet Directory is synchronized with connected directories using Oracle Directory Integration Platform's Synchronization Enterprise JavaBeans (EJB) and the Quartz Scheduler. Similarly, changes in Oracle Internet Directory are sent to various repositories using Oracle Directory Integration Platform's Provisioning Enterprise JavaBeans (EJB) and the Quartz Scheduler.
The Oracle Directory Integration Platform Server performs the following services:
Oracle Directory Integration Platform Synchronization Service:
Scheduling—Processing a synchronization profile based on a predefined schedule
Mapping—Executing rules for converting data between connected directories and Oracle Internet Directory
Data propagation—Exchanging data with connected directories by using a connector
Oracle Directory Integration Platform Provisioning Service:
Scheduling—Processing a provisioning profile based on a predefined schedule
Event Notification—Notifying an application of a relevant change to the user or group data stored in Oracle Internet Directory
In the Oracle Directory Integration Platform environment, the contents of connected directories are synchronized with Oracle Internet Directory through the Oracle Directory Integration Platform Synchronization Service, which includes Synchronization Enterprise JavaBeans (EJB) and the Quartz Scheduler.
One-way: Some connected directories only supply changes to Oracle Internet Directory and do not receive changes from it. This is the case, for example, with Oracle Human Resources, the primary repository and basis for comparison for employee information.
Certain attributes can be targeted or ignored by the synchronization service. For example, the attribute for the employee badge number in Oracle Human Resources may not be of interest to Oracle Internet Directory, its connected directories, or client applications, so you might not want to synchronize it. On the other hand, the employee identification number may be of interest to those components, so you might want to synchronize it.
Figure 1-2 shows the interactions among components in the Oracle Directory Synchronization Service in a sample deployment.
The central mechanism triggering all such synchronization activities is the Oracle Internet Directory change log. It adds one or more entries for every change to any connected directory, including Oracle Internet Directory. The Oracle Directory Synchronization Service:
Monitors the change log.
Takes action whenever a change corresponds to one or more synchronization profiles.
Supplies the appropriate change to all other connected directories whose individual profiles correspond to the logged change. Such directories could include, for example, relational databases, Oracle Human Resources, Microsoft Active Directory, Sun Java System Directory Server, Novell eDirectory, IBM Tivoli Directory Server, or OpenLDAP. The Oracle Directory Synchronization Service supplies these changes using the interface and format required by the connected directory. Synchronization through the Oracle Directory Integration Platform connectors ensures that Oracle Internet Directory remains up-to-date with all the information that Oracle Internet Directory clients need.
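The change-log-driven flow described above, as an added illustrative model that is not Oracle's own code or API: the entry and profile shapes, the attribute maps, the per-profile checkpoint and the sample data are simplified assumptions chosen to show how one-way connectors, attribute filtering and replay protection fit together.

```python
"""Simplified model of Oracle Internet Directory change-log synchronization."""
from dataclasses import dataclass


@dataclass
class ChangeLogEntry:
    changenumber: int        # monotonically increasing change-log sequence
    targetdn: str
    changetype: str          # "add", "modify" or "delete"
    changes: dict            # attribute name -> new value (as stored in OID)


@dataclass
class SyncProfile:
    name: str
    direction: str           # "import" (into OID only) or "export" (out of OID)
    attribute_map: dict      # OID attribute -> connected-directory attribute
    last_applied: int = 0    # checkpoint: highest changenumber already handled


def process_change_log(log, profiles):
    """Dispatch each change-log entry to every export profile whose mapping
    covers at least one changed attribute (deletes always propagate).
    Returns {profile name: [outbound changes]} and advances each export
    profile's checkpoint so an entry is never delivered twice."""
    outbound = {p.name: [] for p in profiles}
    for entry in sorted(log, key=lambda e: e.changenumber):
        for p in profiles:
            # One-way import connectors (e.g. Oracle HR) receive nothing;
            # entries at or below the checkpoint were already applied.
            if p.direction != "export" or entry.changenumber <= p.last_applied:
                continue
            mapped = {p.attribute_map[a]: v for a, v in entry.changes.items()
                      if a in p.attribute_map}           # drop unmapped attrs
            if mapped or entry.changetype == "delete":
                outbound[p.name].append({"changenumber": entry.changenumber,
                                         "dn": entry.targetdn,
                                         "type": entry.changetype,
                                         "attrs": mapped})
            p.last_applied = entry.changenumber
    return outbound


# Constructed sample data, not taken from any real deployment.
SAMPLE_LOG = [
    ChangeLogEntry(101, "cn=jdoe,cn=users,dc=example,dc=com", "modify",
                   {"employeeNumber": "E-1001", "badgeNumber": "B-77"}),
    ChangeLogEntry(102, "cn=asmith,cn=users,dc=example,dc=com", "modify",
                   {"badgeNumber": "B-78"}),   # badge-only change: not mapped
    ChangeLogEntry(103, "cn=old,cn=users,dc=example,dc=com", "delete", {}),
]
SAMPLE_PROFILES = [
    SyncProfile("OracleHR", "import", {"employeeNumber": "EMPLOYEE_ID"}),
    SyncProfile("ActiveDirectory", "export", {"employeeNumber": "employeeID"}),
]
```

Running `process_change_log(SAMPLE_LOG, SAMPLE_PROFILES)` twice shows the checkpoint at work: the first call yields changes 101 and 103 for the export profile and nothing for the one-way import profile, the second yields nothing at all.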
The Oracle Directory Integration Platform Provisioning Service, which includes Provisioning Enterprise JavaBeans (EJB) and the Quartz Scheduler, ensures that each provisioned application is notified of changes in, for example, user or group information. To do this, it relies on the information contained in a provisioning integration profile. Each provisioning profile:
Uniquely identifies the application and organization to which it applies
Specifies, for example, the users, groups, and operations requiring the application to be notified
When changes in Oracle Internet Directory match what is specified in the provisioning profile of an application, the Oracle Directory Integration Platform Service sends the relevant data to that application.
Note: A legacy application—that is, one that was operational before the Oracle Directory Integration Platform Service was installed—would not have subscribed in the usual way during installation. To enable such an application to receive provisioning information, a provisioning agent, in addition to the provisioning profile, must be developed. The agent must be able to translate the relevant data from Oracle Internet Directory into the exact format required by the legacy application.
Figure 1-3 shows the interactions among components in an Oracle Directory Integration Platform Service environment, including the special case of a provisioning agent for a legacy application.
Oracle components delegate the login function to the OracleAS Single Sign-On Server. When a user first logs in to an Oracle component, the component redirects the login to the OracleAS Single Sign-On Server. The OracleAS Single Sign-On Server authenticates the user by verifying the credentials entered by the user against those stored in Oracle Internet Directory. After authenticating the user, and throughout the rest of the session, the OracleAS Single Sign-On Server grants the user access to all the components the user both seeks and is authorized to use.
Note: Oracle Directory Integration Platform 11g Release 1 (11.1.1) interoperates with and supports Oracle Application Server Single Sign-On 10g Release 10.1.4.3.0 and higher.
See Also: Oracle Fusion Middleware Administrator's Guide for Oracle Single Sign-On for information about OracleAS Single Sign-On Server