|Oracle® Identity Manager Concepts
Part Number E14065-01
This chapter discusses consists of the following sections:
The Oracle Identity Manager architecture is flexible and scalable, and provides the following features:
Oracle Identity Manager provides a flexible Deployment Manager utility to assist in the migration of integration and configuration information between environments. The utility exports integration and configuration information as XML files. These files are then imported into the destination environment, which can be staging or production. You can use the XML files to archive configurations and maintain versions, as well as replicate integrations.
The Deployment Manager provides you with the flexibility to select what to import and export. It also helps you to identify data object dependencies during both import and export steps. This flexibility enables you to merge integration work done by multiple people and to ensure the integrity of any migration.
You can deploy Oracle Identity Manager in single or multiple server instances. Multiple server instances provide optimal configuration options, supporting geographically dispersed users and resources for increased flexibility, performance, and control. The Java 2 Enterprise Edition (J2EE) application server model of Oracle Identity Manager also provides scalability, fault tolerance, redundancy, failover, and system load balancing. As deployments grow, moving from a single server to a multiserver implementation is a seamless operation.
To lower cost, minimize complexity, and leverage existing investments, Oracle Identity Manager is built on an open architecture. This allows Oracle Identity Manager to integrate with and leverage existing software and middleware already implemented within the IT infrastructure of an organization. For example, if an implementation requires integrating with an existing customer portal, then the advanced APIs of Oracle Identity Manager offer programmatic access to a comprehensive set of system functions. This allows IT staff to customize any part of its Oracle Identity Manager provisioning implementation to meet the specific needs of the organization.
Oracle Identity Manager enables you to define unlimited user organizational hierarchies and user groups. It supports inheritance, customizable user ID policy management, password policy management, and user access policies that reflect customers' changing business needs. It also helps you to manage application parameters and entitlements, and to view a history of resource allocations. In addition, it provides delegated administration with comprehensive permission settings for user management.
Oracle Identity Manager contains a Web-based user self-service portal that can be customized. This portal helps you extensively in user management.
Oracle Identity Manager simplifies the change management required in a dynamic organization. Oracle Identity Manager supports abstraction, which separates the execution logic separate from the application of that logic. For example, if you define the logic for a task, then the abstraction layer does not combine the logic with the actual execution of that task.
The abstraction layer allows the execution logic to be changed and refined without affecting logic or definitions that still apply. This also provides an iterative provisioning approach that allows IT to implement a provisioning system to fit existing requirements and to ensure that this system can evolve to meet future business needs. As user needs and business policies evolve, outdated execution logic can be "unplugged" from the provisioning instance for replacement with new execution logic. This provides the most cost-effective mechanism for handling change management and supporting the ongoing evolution of processes and systems for the organization.
Identity management is a key part of any audit and compliance solution. Therefore, auditing and compliance capabilities must be integrated into the core identity management architecture; they should not be add-on utilities for the identity provisioning platform or separate products. Oracle Identity Manager is a fully integrated platform for identity provisioning and identity audit and compliance. An integrated application means that when a resource is brought under its management, the connection can be leveraged for both provisioning and compliance use, avoiding duplication of integration cost.
The audit and compliance features need not be restricted to reporting. With these features, no additional product integration effort is required to enable corrective actions as part of an audit and compliance process. For example, when using the attestation feature of Oracle Identity Manager, a reviewer's reject action can directly trigger the workflow to send notification or deprovision a user. An integrated platform provides easy access to identity and transaction data, enabling an organization to control its auditors without lengthy reporting lag time.
Oracle Identity Manager incorporates leading industry standards. For example, Oracle Identity Manager components are fully based on a J2EE architecture, so customers can run them from within their standard application server environments. Complete J2EE support results in performance and scalability benefits while aligning with existing customer environments to leverage in-house expertise.
Oracle develops its identity management products on a foundation of current and emerging standards. For example, Oracle is a Management Board member of Liberty Alliance, and incorporates Liberty Alliance developments in its solutions. Oracle participates in the Provisioning Services Technical Committee (PSTC), which operates under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS).
Oracle Identity Manager is based on the n-tier J2EE application architecture. Oracle Identity Manager architecture contains the following tiers:
Figure 4-1 illustrates the Oracle Identity Manager architecture.
The Presentation tier consists of two clients, the Oracle Identity Manager Administrative and User Console and the Oracle Identity Manager Design Console.
The Administrative and User Console is a Web-based thin client that can be accessed from any Web browser. This console provides user self-service and delegated administration features that serve most of the provisioning requirements.
The Design Console provides the full range of the Oracle Identity Manager system configuration and development capabilities, including Form Designer, Workflow Designer, and the Adapter Factory. You can access the Design Console by using a desktop Java client.
Because both the Administrative and User Console and the Design Console are highly dynamic, the Dynamic Presentation Logic tier guides the content displayed on these interfaces. In case of the Administrative and User Console, there is a clear separation between the Presentation and Presentation Logic tier. No such boundary exists in the Design Console.
The second tier implements the business logic that resides in Java Data Objects. These objects are managed by the supported J2EE application server (JBoss Application Server, BEA WebLogic Server, IBM WebSphere Application Server, and Oracle Application Server). The Java Data Objects implement the business logic of the Oracle Identity Manager application; however, they are not exposed to any methods from the outside world. To access the business functionality of Oracle Identity Manager, you can use the API layer in the J2EE infrastructure, which provides the lookup and communication mechanism.
The Business Logic tier is implemented as an Enterprise JavaBeans (EJB) application. Oracle Identity Manager runs on leading J2EE-compliant application server platforms, leveraging the J2EE services provided by these application servers to deliver a high-performance, fault-tolerant organization application. The following are the components of the Business Logic tier.
The application server on which Oracle Identity Manager runs provides life cycle management, security, deployment, and run-time services to the logical components that constitute Oracle Identity Manager. These services include:
Scalable management of resources
Client Interfaces and Business Logic Implementation
The core functionality of the Oracle Identity Manager platform is implemented in Java by using a highly modular, object-oriented methodology. This includes the various engines that comprise the Oracle Identity Manager platform: Workflow Engine, Request Engine, User Management Engine, Rule Engine, Reconciliation Engine, Audit Engine, Attestation Engine, and Reporting Engine. It also includes the integration tier based on the Adapter Factory, which dynamically generates integration code based on the metadata definition of the adapters. An adapter is the code that you can create and manage to enable Oracle Identity Manager to communicate with any IT Resource by connecting to the application programming interface (API) of that resource.
You can access the functionality of the platform through a set of EJB. These session beans can be divided into two types:
The API layer provides access to high-level functionality in Oracle Identity Manager. It is the basis for the functionality implemented in the Oracle Identity Manager Administrative and User Console. It is also the interface that custom clients can use to access Oracle Identity Manager functionality.
J2EE contains several technologies for manipulating and interacting with transactional resources, such as databases that are based on Java Database Connectivity (JDBC), Java Trasaction API (JTA), and Java Transaction Service (JTS). The Oracle Identity Manager architecture leverages the following J2EE services:
Database connection pooling
Integration with Java Naming and Directory Interface (JNDI) that is lookup of DataSources in the JNDI namespace
The system administrator can manage data sources in the same manner in which all standard J2EE applications in the organization are managed. Oracle Identity Manager can use these data sources to communicate with the database tier.
The Back-End System Integration tier is divided into the Oracle Identity Manager database and the Remote Manager.
The database tier consists of the Oracle Identity Manager repository, which manages and stores Oracle Identity Manager metadata in an ANSI SQL 92-compliant relational database. All data is stored in the Oracle Identity Manager repository.
The Remote Manager is an Oracle Identity Manager server component that runs on a target system computer. It provides the network and security layer required to integrate with applications that do not have network-aware APIs or do not provide security. It is built as a lightweight Remote Method Invocation (RMI) server. The communication protocol is RMI tunneled through Hypertext Transfer Protocol/Secure (HTTP/S).
The J2EE RMI framework enables the creation of virtually transparent, distributed services and applications. RMI-based applications consist of Java objects making method calls to one another, regardless of their location. This enables one Java object to call methods on another Java object residing on another virtual computer in the same manner in which methods are called on a Java object residing on the same virtual computer.
Oracle Identity Manager is built on an enterprise-class, modular architecture that is both open and scalable. Each module plays a critical role in the overall functionality of the system. Figure 4-2 illustrates the system components of Oracle Identity Manager.
Oracle Identity Manager user interfaces define and administer the provisioning environment. Oracle Identity Manager offers two user interfaces to satisfy both administrator and user requirements:
Powerful Java-based Design Console for developers and system administrators
Web-based Administration Console for identity administrators and end users
The Provisioning Manager is where provisioning transactions are assembled and modified. The Provisioning Manager maintains the "who" and "what" of provisioning. User profiles, access policies, and resources are defined through the Provisioning Manager, as are business process workflows and business rules.
The Provisioning Server is the run-time engine for Oracle Identity Manager. It runs the provisioning process transactions as defined through the Design Console and maintained within the Provisioning Manager.
The Adapter Factory builds and maintains the integrations between Oracle Identity Manager and managed systems and applications. The Adapter Factory is designed to eliminate the need for hard-coding integrations with these systems.
For more information about the Adapter Factory, see "Integration Solutions".
The reconciliation engine ensures consistency between the provisioning environment of Oracle Identity Manager and Oracle Identity Manager managed resources within the organization. The reconciliation engine discovers illegal accounts created outside Oracle Identity Manager. The reconciliation engine also synchronizes business rules located inside and outside the provisioning system to ensure consistency.