Skip Headers
Oracle® Fusion Middleware User's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)

Part Number E14316-08
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

2 Architecture

The architecture of Oracle Identity Manager provides a number of compelling technical benefits for deploying a provisioning solution as part of the identity and access management architecture.

Oracle Identity Manager platform automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connects users to resources and revokes and restricts unauthorized access to protect sensitive corporate information.

This chapter consists of the following sections:

2.1 Key Features and Benefits

Oracle Identity Manager architecture is flexible and scalable, and provides the following features:

2.1.1 Ease of Deployment

Oracle Identity Manager provides a flexible Deployment Manager utility to assist in the migration of integration and configuration information between environments. The utility exports integration and configuration information as XML files. These files are then imported into the destination environment, which can be staging or production. You can use the XML files to archive configurations and maintain versions, as well as replicate integrations.

The Deployment Manager provides you with the flexibility to select what to import and export. It also helps you to identify data object dependencies during both import and export steps. This flexibility enables you to merge integration work done by multiple people and to ensure the integrity of any migration.

2.1.2 Flexibility and Resilience

You can deploy Oracle Identity Manager in single or multiple server instances. Multiple server instances provide optimal configuration options, supporting geographically dispersed users and resources for increased flexibility, performance, and control. The Java 2 Enterprise Edition (J2EE) application server model of Oracle Identity Manager also provides scalability, fault tolerance, redundancy, failover, and system load balancing. As deployments grow, moving from a single server to a multiserver implementation is a seamless operation.

2.1.3 Maximum Reuse of Existing Infrastructure

To lower cost, minimize complexity, and leverage existing investments, Oracle Identity Manager is built on an open architecture. This allows Oracle Identity Manager to integrate with and leverage existing software and middleware already implemented within the IT infrastructure of an organization. For example, if an implementation requires integrating with an existing customer portal, then the advanced APIs of Oracle Identity Manager offer programmatic access to a comprehensive set of system functions. This allows IT staff to customize any part of its Oracle Identity Manager provisioning implementation to meet the specific needs of the organization.

2.1.4 Extensive User Management

Oracle Identity Manager enables you to define unlimited user organizational hierarchies and roles. It supports inheritance, customizable user ID policy management, password policy management, and user access policies that reflect customers' changing business needs. It also helps you to manage application parameters and entitlements, and to view a history of resource allocations. In addition, it provides delegated administration with comprehensive permission settings for user management.

Oracle Identity Manager contains a Web-based customizable Oracle Identity Manager Self Service that helps you extensively in user management.

2.1.5 Web-Based User Self-Service

Oracle Identity Manager contains a customizable Web-based, user self-service portal. This portal enables management of user information, changing and synchronizing passwords, resetting forgotten passwords, requesting available applications, reviewing and editing available entitlements, and initiating or reacting to workflow tasks.

2.1.6 Modular and Scalable Architecture

Oracle Identity Manager is built on Java EE architecture. The J2EE application server model of Oracle Identity Manager provides scalability, fail over, load-balancing, and Web deployment. It is based on an open, standards-based technology and has a three-tier architecture (the client application, an Oracle Identity Manager supported J2EE-compliant Application Server, and an ANSI SQL-compliant database). Oracle Identity Manager can provision LDAP-enabled and non-LDAP-enabled applications.

Java EE is a standard, robust, scalable, and secure platform that forms the basis for many enterprise applications. Oracle Identity Manager runs on leading Java EE compliant application server platforms, including Oracle WebLogic, to take advantage of the performance and scalability features inherent in these servers. Java EE defines a set of standardized, modular components, provides a complete set of services to those components, and handles many details of the application behavior.

The application server, on which Oracle Identity Manager runs, provides the life-cycle management, security, deployment, and run-time services to the logical components that constitute the Oracle Identity Manager application. These services include:

  • Scalable management of resources through clustering and failover: A cluster in Java EE architecture is defined as a group of two or more Java EE compliant Web or application servers that cooperate with each other through transparent object replication mechanisms to ensure that each server in the group presents the same content. Each server or node in the cluster is identical in configuration and acts as a single virtual server. Any Java EE server in the cluster can handle client requests directed to this virtual server independently, which gives the impression of a single entity hosting the Java EE application in the cluster.

    High availability refers to the capability to ensure that applications hosted in the middle tier remain consistently accessible and operational to the clients. This is achieved through the redundancy of multiple Web and application servers within the cluster, and is implemented by the failover mechanisms of the cluster. If an application component fails to process its task, then the cluster's failover mechanism reroutes the task and any supporting information to a copy of the object on another server to continue the task. Oracle Identity Manager supports a clustered environment. This includes ensuring that the EJBs and the Value Objects used to store data support serialization for the object replication to work.

  • Transaction management through load balancing: Load balancing refers to the capability to optimally partition inbound client processing requests across all the Java EE servers that constitute a cluster based on certain factors, such as capacity, availability, response time, current load, historical performance, and administrative priorities placed on the clustered servers. A load balancer, which can be based on software or hardware, sits between the Internet and the physical server cluster, acting as a virtual server. When each client request arrives, the load balancer decides how the Java EE server satisfies that request.

  • Security management: Oracle Identity Manager architecture relies on the application server for certain security services as part of its overall security infrastructure. In addition, Oracle Identity Manager leverages the Java EE security framework to provide a secure application environment. It also has a flexible permission model to provide control over the various functions within the application

  • Messaging: The basic concept behind messaging is that distributed applications can communicate by using a self-contained package of business data and routing headers. These packages are called messages. While RMI and HTTP rely on a two-way active communication between a client and a server, messaging relies on two or more interested parties communicating asynchronously through a messaging server without waiting for a response. Java Messaging Service (JMS) is a wrapper API incorporated in the J2EE standard as a way to standardize messaging functionality. All standard application servers provide their own JMS server implementations as a part of their service offerings.

2.1.7 Based on Leading Software Development Standards

Oracle Identity Manager incorporates leading industry standards. For example, Oracle Identity Manager components are fully based on a J2EE architecture, so customers can run them from within their standard application server environments. Complete J2EE support results in performance and scalability benefits while aligning with existing customer environments to leverage in-house expertise.

Oracle develops its identity management products on a foundation of current and emerging standards. For example, Oracle is a Management Board member of Liberty Alliance, and incorporates Liberty Alliance developments in its solutions. Oracle participates in the Provisioning Services Technical Committee (PSTC), which operates under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS).

2.1.8 Powerful and Flexible Process Engine

With Oracle Identity Manager, you can create business and provisioning process models in easy-to-use applications. Process models include support for approval workflows and escalations. You can track the progress of each provisioning event, including the current status of the event and error code support. Oracle Identity Manager supports complex, branching, and nested processes with data interchange and dependencies. The process flow is fully customizable and does not require programming.

2.1.9 Built-In Change Management

Oracle Identity Manager enables you to package new processes, import and export existing ones, and move packages from one system to another.

2.2 How Oracle Identity Manager Works: The Tiers of Oracle Identity Manager

Oracle Identity Manager is based on the n-tier J2EE application architecture. Oracle Identity Manager architecture contains the following tiers:

Figure 2-1 illustrates Oracle Identity Manager architecture.

Figure 2-1 Oracle Identity Manager Architecture

Description of Figure 2-1 follows
Description of "Figure 2-1 Oracle Identity Manager Architecture"

2.2.1 Presentation Tier

The Presentation tier consists of two clients, Oracle Identity Manager Administrative and User Console and Oracle Identity Manager Design Console.

Oracle Identity Manager Administrative and User Console is a Web-based thin client that can be accessed from any Web browser. This Web client provides user self-service and delegated administration features that serve most of the users of Oracle Identity Manager.

Oracle Identity Manager Design Console provides the full range of Oracle Identity Manager system configuration and development capabilities, including Form Designer, Workflow Designer, and the Adapter Factory. You can access Oracle Identity Manager Design Console by using a desktop Java client.

Oracle Identity Manager Design Console is implemented as a Java Swing client that communicates directly with the Business Services layer in the application. It also supports a highly sophisticated delegated administration model, guaranteeing that users can only work on those parts of the application configuration for which they are authorized.

See Also:

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager and Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for details about using Oracle Identity Manager Administrative and User Console and Oracle Identity Manager Design Console

In many enterprises, there is a requirement for the provisioning system to support a custom developed client. Some of the requirements that drive this are:

  • Integration of the client into an existing enterprise portal and adherence to enterprise portal standards

  • Creation of custom flows for user interaction

  • Creation of custom pages built around unique requirements from the provisioning system

To support customization, Oracle Identity Manager exposes the bulk of the necessary functionality via its published public APIs. The client environment for Oracle Identity Manager is customizable via Java APIs.

2.2.2 Business Services Tier

The Business Services Tier is implemented as an Enterprise JavaBeans (EJB) application. The core functionality for Oracle Identity Manager platform is implemented in Java using a highly modular, object-oriented methodology. This makes Oracle Identity Manager flexible and extensible. The Business Services Tier for Oracle Identity Manager includes the following services and capabilities:

  • The Core Services that comprise the core of the business features offered by Oracle Identity Manager, such as the User Management Service, the Policy Management Services, and the Provisioning and Reconciliation Services.

  • The API Services that describe the APIs supported by Oracle Identity Manager that allow custom clients to integrate with Oracle Identity Manager. This includes a rich set of APIs that expose the business functionality of Oracle Identity Manager for use by custom clients, in product customization, and in plug-in and adapter development.

  • The Integration Services based on the Adapter Factory and Connector Framework, which dynamically generates integration code based on the metadata definition of the adapters.

  • The Platform Services that are crucial to the business features offered by Oracle Identity Manager, such as the Request Management Service, the Entity Manager Service, and the Scheduler Service.

2.2.2.1 The API Services

The API Services describe the APIs supported by Oracle Identity Manager that allow custom clients to integrate with Oracle Identity Manager. This includes a rich set of APIs that expose the business functionality of Oracle Identity Manager for use by custom clients, in product customization, and in plug-in and adapter development.

The API Services consist of:

  • SPML APIs: Service Provisioning Markup Language (SPML) is a standard for managing the provisioning and allocation of identity information and system resources within and between organizations. Oracle Identity Manager supports a set of SPML-based Web services that expose identity administration functionality to the clients. The APIs provide support for:

    • Adding, modifying, and deleting identities

    • Adding, modifying, and deleting roles

    • Adding and deleting role memberships

    These APIs support requests coming into Oracle Identity Manager for administration purposes, which is distinct and separate from SPML as the protocol used to integrate with provisioning targets.

  • EJB APIs: Highly granular access to the functionality of the platform is via a set of EJB. These session beans are the basis for functionality implemented in Oracle Identity Manager Web application clients. It is also the interface that custom clients can use to access Oracle Identity Manager capabilities.

2.2.2.2 Integration Services

A scalable and flexible integration architecture is critical for the successful deployment of provisioning solutions. Oracle Identity Manager offers an integration architecture for fast and low-cost deployments.

Oracle Identity Manager integration services provide all the components required to support the development, deployment, and maintenance of connectors. The integration services includes:

2.2.2.2.1 Connector Framework

Oracle Identity Manager connectors are packaged solutions that are used to integrate with target applications for the purposes of managing identities in those applications. Examples of such target applications are Microsoft Active Directory or Oracle E-Business Suite. A connector can be predefined by Oracle for particular target systems or can be custom developed.

Because a predefined connector is designed specifically for the target application, it offers the quickest integration method. These connectors support popular business applications such as Oracle eBusiness Suite, PeopleSoft, Siebel, JD Edward and SAP, as well as technology applications such as Active Directory, Java Directory Server, UNIX, databases, and RSA ClearTrust. Predefined connectors offer the quickest integration alternative because they are designed specifically for the target application. They use integration technologies recommended by target and are preconfigured with application specific attributes.

If predefined connectors does not use integration technologies recommended by target, then a custom connector can be developed. The Adapter Factory tool in Oracle Identity Manager Design Console provides a definitional user interface that facilitates such custom development efforts without coding or scripting.

A connector contains:

  • Multiple connector-specific Oracle Identity Manager entities such as resource objects, data forms, provisioning workflows, and adapters

  • Target-specific Java libraries that provide the underlying functions such as connectivity, authentication and user account management

  • Event triggers that wire provisioning operations to both identity profile changes and policy operations

The connector framework combines all of these components together into a functional connector that is run at appropriate times, either manually based on user interaction or based on system triggering. It defines the various operational triggers, policy triggers, and hooks that allow the connector operation to be tailored to specific requirements.

2.2.2.2.2 Identity Connectors

Connectors are deployed with Oracle Identity Manager, which affects the portability of the connectors across various Oracle Identity Manager releases. The Identity Connector Framework (ICF) decouples the connectors from Oracle Identity Manager. As a result, connectors can be used with any product. Identity connectors are designed to separate the implementation of an application from the dependencies of the system that the application is attempting to connect to.

Identity connectors have the following components:

  • The identity connector framework: Provides a container that separates the connector bundle from the application. The framework provides many common features that developers would otherwise need to implement on their own. For example, the framework can provide connection pooling, buffering, timeouts, and filtering. The identity connector framework is separated into two parts:

    • The API: Applications use the API to call connectors

    • The SPI: Developers can create connectors by implementing the SPI

  • Identity connector bundle: The specific implementation for a given resource target

  • The connector server (optional): Allows an application to remotely run one or more connector bundles that are deployed on another system. Connector servers are available in both Java™ and .NET. The .NET connector server is needed only if you are using .NET connector bundles, whereas the Java connector server is available for connector bundles written in Java.

Figure 2-2 shows the ICF architecture:

Figure 2-2 ICF Architecture

Description of Figure 2-2 follows
Description of "Figure 2-2 ICF Architecture"

Connector SPI

Connector SPI interfaces represent operations supported on a connector. A connector developer can choose to implement one or more operation interfaces for framing target system calls. Extension on existing interfaces or creating new interfaces is not supported. The SPI is broken up into required interfaces, feature-based interfaces, and operation interfaces such as create, update, delete, and search.

  • The required interfaces include the org.identityconnectors.framework.spi.Connector interface and the org.identityconnectors.framework.spi.Configuration interface. These interfaces must be implemented in order for the API to understand which class contains the implementation of the configuration and which contains the implementation of the operations.

  • The feature-based interfaces are the org.identityconnectors.framework.spi.AttributeNormalizer and org.identityconnectors.framework.spi.PoolableConnector interfaces.

  • The operation interfaces determine the features that the connector supports such as create, delete, or search. See Oracle Fusion Middleware Java API Reference for Oracle Identity Manager for details.

For information about developing an identity connector by implementing connector SPI, see "Identity Connector Framework" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Connector API

The connector API is responsible for presenting a consistent view of a connector regardless of the operations it has implemented. For the convenience of the SPI developer, there are several common features that are provided by default. For most of these features there is no need for the application developer to handle the APIs, only configure them. Following is a list of API features:

  • Provide connection pooling to those connectors that require it and avoid the need for the API to see it, because not all connectors have connections. In addition, if the connector uses connection pooling, it is not the responsibility of the API developer to handle the connections, nor dispose of them during error conditions.

  • Provide timeouts to all operations. The API consumer should only configure the appropriate timeout if the default is unacceptable. Each SPI developer should not have to implement such a common service and, for this reason, it is implemented in the framework.

  • Provide search filtering by way of a simple interface that accepts a large variety of filters. The connector developer only needs to implement whichever filters the resource natively supports. The rest is handled by the framework.

  • Provide search/sync buffering, allowing queries and updates to be handled in chunks if need be. The application need not worry about this, as it is handled within the framework.

  • Provide scripting via Groovy and Boo .NET for connectors. This allows for great flexibility within a connector, because the framework can run scripts both on the connector and on the target resource (if supported).

  • The SPI developer has the ability to choose different implementations of an operation. For instance there are two types of updates. This is hidden from the API consumer because there is no need for the application developer to call two different operations that essentially do the same thing. Instead the framework will figure out which operation the connector supports and make the appropriate calls.

2.2.2.2.3 Adapter Factory

The Adapter Factory is a code-generation tool provided by Oracle Identity Manager. It enables an Oracle Identity Manager application developer to create Java classes, known as adapters.

A resource has an associated provisioning process, which in turn has various tasks associated with it. Each task in turn has an adapter associated to it, which in turn can connect to the target resource to carry out the required operations.

An adapter provides the following benefits:

  • It extends the internal logic and functionality of Oracle Identity Manager.

  • It interfaces with any software resource by connecting to that resource with the help of the API of the resource.

  • It enables the integration between Oracle Identity Manager and an external system.

  • It can be generated without manually writing code.

  • It can be maintained easily because all the definitions for the adapter are stored in a repository. This repository can be edited through a GUI.

  • A user in Oracle Identity Manager can retain the domain knowledge about the integration, while another user can maintain the adapter.

  • It can be modified and upgraded.

The Adapter Factory provides rapid integration with commercial or custom systems. Users can create or modify integrations by using the graphical user interface of the Adapter Factory, without programming or scripting. When connectors are created, Oracle Identity Manager repository maintains the definitions and creates self-documenting views. You use these views to extend, maintain, and upgrade connectors.

See Also:

"Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager" for details about how to define adapters by using the Adapter Factory

2.2.2.2.4 Generic Technology Connector

Predefined Oracle Identity Manager connectors are designed for commonly used target systems such as Microsoft Active Directory and PeopleSoft Enterprise Applications. The architecture of a predefined connector is based on either the APIs that the target system supports or the data repository type and schema in which the target system stores user data.The use of a predefined connector is the recommended integration method when such a connector is available for the target system. However, in some instances you might want to integrate Oracle Identity Manager with a target system that has no corresponding predefined connector. For example, XYZ Travels Inc. owns a custom Web-based application that its customers use to request airline fare quotes. Agents, who are also employees of XYZ Travels, respond to these requests by using the same application. Customers register themselves to create accounts in this application. However, XYZ Travels employees need to have accounts auto-provisioned based on their HR job title. Account management functions, such as create, update, and delete, of the application are available through Java APIs. There is no predefined connector available to integrate the custom application with Oracle Identity Manager. Therefore, you must create the custom connectors that call the Java APIs exposed by the target application.

To integrate Oracle Identity Manager with a target system that has no corresponding predefined connector, you can create a custom connector to link the target system and Oracle Identity Manager. If you do not need the customization features of the Adapter Factory, then you can create the connector by using the Generic Technology Connector (GTC) feature of Oracle Identity Manager.

You can quickly and easily build a basic connector without advanced features and customized behavior by using generic connectivity technologies such as SPML and JDBC. GTC is a wizard that provides an alternative environment for connector development to rapidly create all the necessary functional components that make up a target system connector in Oracle Identity Manager.

The reconciliation and provisioning modules of a generic technology connector are composed of reusable components that you select. Each component performs a specific function during provisioning or reconciliation. These components that constitute a generic technology connector are called providers. Each provider performs a transport, format change, validation, or transformation function on the data that it receives as input. In other words, data items processed by a provider are moved to a new location, validated against specified criteria, or undergo modification in structure or value. Data sets describe data structures arranged in the form of layers, with data flowing from one layer to another during provisioning and reconciliation.

The GTC employs a Web-based graphical wizard that displays the data flows being defined within the connector. It stores in metadata all the configuration information about the connector so that it can reload the GTC view of the connector and enable ongoing maintenance of the connector in the same graphical environment. Because the GTC builds the connector by using the standard connector framework, the application developer can access the standard Oracle Identity Manager development environment and make further modifications to the generated connector. However, after the GTC-based connector has been customized in this manner, it can no longer be managed or maintained using the GTC.

See Also:

"Generic Technology Connectors" for detailed information about the functional architecture and features of GTC

2.2.2.2.5 Remote Manager

When your adapter uses Java tasks, you must configure Oracle Identity Manager to find the appropriate Java APIs. The Java APIs are located in JAR files in the Meta Data Store (MDS). Sometimes, instead of directly communicating with the third-party system, Oracle Identity Manager must use an Oracle Identity Manager component that acts like a proxy. This component is known as Remote Manager. The Remote Manager is used for:

  • Invoking nonremotable APIs through Oracle Identity Manager

  • Invoking APIs that do not support Secure Sockets Layer (SSL) over secure connections

The Remote Manager is an Oracle Identity Manager server component that runs on a target system computer. It provides the network and security layer required to integrate with applications that do not have network-aware APIs or do not provide security. It is built as a lightweight Remote Method Invocation (RMI) server. The communication protocol is RMI tunneled through Hypertext Transfer Protocol/Secure (HTTP/S).

The J2EE RMI framework enables the creation of virtually transparent, distributed services and applications. RMI-based applications consist of Java objects making method calls to one another, regardless of their location. This enables one Java object to call methods on another Java object residing on another virtual computer in the same manner in which methods are called on a Java object residing on the same virtual computer.

Figure 2-3 shows an overview of the Remote Manager architecture.

Figure 2-3 Remote Manager Architecture

Description of Figure 2-3 follows
Description of "Figure 2-3 Remote Manager Architecture"

See Also:

"Installing and Configuring a Remote Manager" for information about the Remote Manager and its configuration in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

2.2.2.3 Platform Services

The Platform Services include:

2.2.2.3.1 Request Service

Oracle Identity Manager architecture includes a request service that allows you to configure approval workflows. To deliver this functionality, Oracle Identity Manager uses Oracle Service Oriented Architecture (SOA) Suite.

Oracle SOA Suite enables you to build service-oriented applications and deploy them to your choice of middleware platform. It consists of a number of components, but for the purposes of delivering comprehensive workflow capabilities, Oracle Identity Manager relies on the following components:

  • BPEL Process Manager: Oracle BPEL Process Manager provides a comprehensive solution for creating, deploying, and managing cross-application business processes with both automated and human workflow steps. It also provides audit trails for both completed and running processes, and process history that enables process improvement.

  • Human Request Service: Although the BPEL standard does not cover manual tasks, it supports asynchronous services. Therefore, the Oracle SOA Suite supports the Human Request Service, which is a manual task service, so that manual steps can be included in standard BPEL processes. Oracle Identity Manager Administration and User Console includes a task list that allows users to view and interact with assigned tasks being managed within the Human Request Service.

  • BPEL Designer: The Oracle BPEL Designer is available as a plug-in for JDeveloper and offers a visual design paradigm for creating and deploying BPEL-based processes.

Oracle Identity Manager provides an abstraction service on top of the SOA suite that optimizes and simplifies the interaction of users with the SOA suite. This service includes capabilities to register BPEL composites for use in Oracle Identity Manager, define parameterized variables for use in the BPEL and Human Workflow modules, and APIs that are used by the task list and custom development.

See Also:

"Approval Workflows" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about workflows and BPEL composites.

The Request Service also provides the services used to raise and track requests in Oracle Identity Manager. A request allows a user to ask that an action be taken after obtaining the necessary approvals, and that a tracking record of the entire process and its status be maintained. The request can be for various types of actions that are defined as request types. The request types can be:

  • Creating, modifying, or deleting an entity

  • Enabling or disabling an entity

  • Provisioning a resource to a user or a set of users

  • Adding or removing an identity as a member of a role

The request service supports various types of requests and has the ability to accommodate multiple request types. Oracle Identity Manager provides a number of predefined request types that cover the most common use cases. The request service also provides support for request templates, that allow you to customize the request types for a specific requirement.

The request service defines the flow models by which data provided in a request flows through the various services in Oracle Identity Manager. This includes invoking approval workflows at the correct time, monitoring the status of the workflows, and running the request if approval is received.

Both transaction data and history data for requests is maintained, which supports audit and compliance requirements.

See Also:

"Managing Requests"" for information about creating requests and perform request-related operations in the task list of Oracle Identity Manager Self Service

2.2.2.3.2 Authorization Service

Oracle Identity Manager is a security product and requires a strong level of access control over what users can view and change in the application. To meet this requirement, Oracle Identity Manager lets you define authorization policies that determine at run time whether or not a particular action is allowed. This is controlled by the authorization service that uses Oracle Entitlements Server (OES) embedded within Oracle Identity Manager. OES is an authorization product and enables centralized management of entitlements and authorization policies to granularly determine access to both application components and application business objects.

The OES architecture is made up of two major components. The administration application acts as the policy administration point (PAP) and is used to manage policy, configuration, roles, and entitlements. The second major component is the use of one or more Security Modules (SMs) that are stored in the application container. The SMs evaluate fine-grain access control polices at the policy decision point (PDP) and enforce it at the policy enforcement point (PEP).

Figure 2-4 shows the architecture of OES-based authorization service:

Figure 2-4 OES-Based Authorization Service

Description of Figure 2-4 follows
Description of "Figure 2-4 OES-Based Authorization Service"

Each time a privilege check is requested, the following takes place:

  • Oracle Identity Manager connects to the authorization service to prepare access decision for the operations performed on protected entities.

  • The service then finds and evaluates the policy or policies that apply to the resource.

  • All information required to evaluate a policy is collected by the Security Modules at run time.

  • If the policy references subject by role, all roles are evaluated and the access decision is made.

Oracle Identity Manager provides an abstraction service on top of OES that optimizes and simplifies the definition of policies in Oracle Identity Manager. This service includes a policy definition UI that allows the definition of authorization policies that are feature specific and support fine-grained controls for attributes and functions on entities such as users and roles. For information about the structural components of authorization policies and how to create and manage authorization policies, refer "Creating and Managing Authorization Policies".

2.2.2.3.3 Plug-In Framework

The Plug-in Framework allows customers to easily extend and customize the capabilities of the out-of-the-box Oracle Identity Manager features. The features expose specific plug-in points in the business logic where extensibility can be provided. An interface definition accompanies each such point and is called the plug-in interface. Customers can create code that extends these plug-in interfaces and defines customizations based on their business needs. These plug-ins are deployed and registered with Oracle Identity Manager by using the Plug-in Manager. Oracle Identity Manager then incorporates the plug-ins into the feature processing from that point onward.

Feature developers do not have to keep a track of where the custom implementations are stored and how they are loaded. The plug-in framework supports loading plug-ins from the classpath, from the file system, and from the database.

See Also:

"Developing Plug-ins" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for more information about the plug-in framework

2.2.2.3.4 SoD Engine Framework

An attempt to enforce good compliance practices is through the definition of Segregation of Duties (SoD) policies. SoD is broadly defined as a way of preventing a user from acquiring a conflicting set of entitlements. This conflicting set is also referred to as a toxic combination. An example of a toxic combination is that a person should not have the ability to create and approve the same purchase order. Enterprises often have business application-specific SoD engines that define and enforce SoD policies on the entitlements users have within those business applications. Examples of such SoD engines are OAACG and SAP GRC.

The SoD Engine Framework allows customers to integrate Oracle Identity Manager with their choice of SoD Engine to enable SoD checks at appropriate points in the request and provisioning process. Oracle Identity Manager can send a request for an SoD check to the SoD Engine through the SoD Invocation Library (SIL). SIL provides a common service interface to all supported SoD engines. The common service interface provides an abstraction on the business components within Oracle Identity Manager. As a result, SoD checks do not have to take care of the correct data formats required by the SoD Engine and also the interpretation of the results returned.

SoD checks can be run at various times in the provisioning lifecycle, such as during an access request, during the approval workflow execution, or during the provisioning execution. If a violation is detected, then the request or resource is marked as being in violation, and the approver or administrator is responsible for deciding whether to proceed or not. If violations are detected during request processing, then various approval workflows can be invoked that allow for higher levels of approval.

2.2.2.3.5 Scheduler Service

Business systems frequently make use of scheduling systems, which are configured to run other programs at specified times. Scheduling systems run applications that generate reports, reformat data, or perform audits at regular intervals of time. Scheduling systems often run batch jobs or scheduled jobs that perform routine work automatically at a prescribed time.Scheduling systems are an integral part of any enterprise provisioning solution. Provisioning often involves tasks to be performed in a time-based manner. Some examples are:

  • Running a nightly job to reconcile all changes made directly on a managed application

  • Do escalations of assigned tasks that have not been handled within a specified time period

  • Execute requests at a specific time

Oracle Identity Manager platform includes the Scheduler to provide the scheduling capabilities necessary for enterprise provisioning requirements. This Service is managed as part of Oracle Identity Manager platform and not as an independent product. Figure 2-5 provides an overview of Oracle Identity Manager Scheduler architecture.

Figure 2-5 Oracle Identity Manager Scheduler Architecture

Description of Figure 2-5 follows
Description of "Figure 2-5 Oracle Identity Manager Scheduler Architecture"

Key capabilities provided by the Scheduler service are:

  • The ability to create simple or complex schedules for running thousands of jobs

  • The ability to run the scheduling service as a clustered service to provide the necessary high availability capabilities including fail-over and load balancing

  • The ability to persist the job definitions for management and fail-over support

  • The ability to create, modify, enable, disable, and delete jobs and manage individual job runs by using an administrative UI

  • The ability to run a job in an ad-hoc fashion outside of regularly scheduled runs

  • The ability to manage errors and failures

  • The ability to maintain history of job runs, including statistics and results of these runs

  • The ability to manage the Scheduler service itself

See Also:

  • "Managing Scheduled Tasks" chapter detailed information about the Scheduler service and creating and implementing custom scheduled tasks in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager

2.2.3 The Data Tier

Oracle Identity Manager is driven by data and metadata, which provides flexibility and adaptability to Oracle Identity Manager functionalities. Oracle Identity Manager data tier consists of Oracle Identity Manager repository or database, which manages and stores Oracle Identity Manager data and metadata in an ANSI SQL 92-compliant relational database, and an optional LDAP Identity Store.

This section describes the data tier in the following topics:

2.2.3.1 Oracle Identity Manager Database

Oracle Identity Manager repository is the authoritative store for the Who Has What, When, How, and Why data that is the core value of the identity administration and provisioning system. The data stored in Oracle Identity Manager database falls into the following broad categories:

  • Entity Data: Users, organizations, roles, role memberships, resources, provisioned resources

  • Transactional Data: Requests, approval and provisioning workflow instances, human tasks

  • Audit Data: Request history, user profile history

High Availability

The database provides a scalable and redundant data layer to avoid downtime and performance issues. Reliability, recoverability, timely error detection, and continuous operations are primary characteristics of a highly available solution.

Oracle Identity Manager architecture relies on the corresponding capabilities provided by the Database Management System that is used with the product. These capabilities must:

  • Encompass redundancy across all components

  • Provide protection and tolerance from computer failures, storage failures, human errors, data corruption, lost writes, system hangs or slowdown, and site disasters

  • Recover from outages as quickly and transparently as possible

  • Provide solutions to eliminate or reduce planned downtime

  • Provide consistent high performance

  • Be easy to deploy, manage, and scale

  • Achieve Service Level Agreements (SLAs) at the lowest possible total cost of ownership

A broad range of high availability and business continuity solutions are available. You can find out more about maximizing database availability by using technologies such as Oracle Real Application Clusters (Oracle RAC) and Oracle Data Guard at the following Web site:

http://www.oracle.com/technetwork/database/features/availability/maa-090890.html

Reporting

The rich set of data stored in Oracle Identity Manager repository can be viewed through detailed reports that support management and compliance requirements. Oracle Identity Manager provides support for data reporting through the use of Oracle BI Publisher, which is an enterprise reporting solution and provides a single reporting environment to author, manage, and deliver all of your reports and business documents. Utilizing a set of familiar desktop tools, such as Microsoft Word, Microsoft Excel, or Adobe Acrobat, you can create and maintain report layouts based on data from diverse sources, including Oracle Identity Management products.

Oracle Identity Manager provides a set of standard Oracle BI Publisher report templates. However, you can customize each template to change its look and feel. in addition, you can create your own custom reports by leveraging Oracle Identity Manager database schema.

2.2.3.2 The Metadata Store

The logic underlying Oracle Identity Manager is metadata driven. The structural and behavioral aspects are described by using metadata. Oracle Identity Manager architecture relies on Oracle Metadata Services (MDS) to provide a unified store for metadata. This ensures consistent and reliable access to the metadata for Oracle Identity Manager and for the other Fusion Middleware components that it is built on. The same metadata that is used during the design phase of an application is used at application runtime through the metadata services layer. This ensures consistency through the lifecycle of Oracle Identity Manager. MDS also provides common administrative tooling for the metadata that can be used across various types of metadata stored in the common repository.

Key features and architectural principles of the MDS include:

  • Simplified resource management through a single, unified repository for all artifacts used by various Fusion Middleware components

  • Management of the metadata lifecycle for each artifact as it moves through the various stages of development, testing, staging, and production

  • Sharing and reuse of metadata across components

  • Categorization and reuse of artifacts, encouraging reuse, and promoting consistency

  • Versioning capabilities, which form the basis for various features

  • An upgrade-safe and layered customization mechanism through which metadata and application logic can be tailored per usage of the metadata

  • Advanced caching and assembling techniques coupled with configurable tuning options to optimize performance

Metadata accessed and managed via MDS can be in a file-based repository or a database-based repository. In Oracle Identity Manager architecture, the metadata is in Oracle Identity Manager database to take advantage of some of the advanced performance and availability features that this mode provides.

2.2.3.3 The Identity Store

Oracle Identity Manager 11g Release 1 (11.1.1) provides the ability to integrate an LDAP-based identity store into Oracle Identity Manager architecture. In 9.x releases, Oracle Identity Manager identity store is in Oracle Identity Manager database. Therefore, Oracle Identity Manager integrates with LDAP as a provisioning target, or you can build custom integration between Oracle Identity Manager users and LDAP users. However, in 11g Release 1 (11.1.1), you can connect and manage an LDAP-based identity store directly from Oracle Identity Manager. Using this feature, you can use advanced user management capabilities of Oracle Identity Manager, including request-based creation and management of identities, to manage the identities within the corporate identity store.

In this deployment architecture, user identity information is stored in Oracle Identity Manager database to support the relational functionality necessary for Oracle Identity Manager to function, as well as in the LDAP store. All data is kept in sync transparently without the need for provisioning actions and setting up policies and rules. Identity operations started within Oracle Identity Manager, such as user creation or modification, are run on both the stores in a manner that maintains transactional integrity. In addition, any changes in the LDAP store made outside of Oracle Identity Manager is pulled into Oracle Identity Manager and made available as a part of the identity context.

See Also:

"Integration Between LDAP Identity Store and Oracle Identity Manager" for more information about LDAP store integration and configuration

2.3 System Components

Oracle Identity Manager is built on an enterprise-class, modular architecture that is both open and scalable. Each module plays a critical role in the overall functionality of the system. Figure 2-6 illustrates the system components of Oracle Identity Manager.

Figure 2-6 System Components of Oracle Identity Manager

system components of OIM
Description of "Figure 2-6 System Components of Oracle Identity Manager"

Oracle Identity Manager user interfaces define and administer the provisioning environment. Oracle Identity Manager offers two user interfaces to satisfy both administrator and user requirements:

This section describes the following Oracle Identity Manager components:

Identity Administration

Identity administration includes creation and management of identities in Oracle Identity Manager. Identities include users, organizations, and roles. Identity administration also enables password management and user Oracle Identity Manager Self Service operations. Identity administration is performed by using Oracle Identity Manager Administration and Oracle Identity Manager Self Service Web clients, and the SPML Web service.

Note:

The identity administration tasks include, managing users, managing roles, managing organizations and managing authorization policies, which are explained in detail in this guide.

Provisioning

The provisioning transactions are assembled and modified in the provisioning module. This module maintains the "who" and "what" of provisioning. User profiles, access policies, and resources are defined in the provisioning module, as are business process workflows and business rules.

The Provisioning Server is the run-time engine for Oracle Identity Manager. It runs the provisioning process transactions as defined through Oracle Identity Manager Administration and Oracle Identity Manager Design Console and maintained within the provisioning module.

Audit and Reports

The audit and compliance functions include evaluating a person, organization, system, process, project, or product. This occurs by capturing data generated by the suite's workflow, policy, and reconciliation engines. By combining this data with identity data, an enterprise has all the information it requires to address any identity and to access a related audit inquiry. Audits are performed to ascertain the validity and reliability of information, and also provide an assessment of a system's internal control.

Reporting is the process of generating a formal document, which is created as a result of an audit. The report is subsequently provided to a user, such as an individual, a group of persons, a company, a government, or even the general public, as an assurance service so that the user can make decisions, based on the results of the audit. An enterprise can create reports on both the history and the current state of its provisioning environment. Some captured identity data includes user identity profile history, role membership history, user resource access, and fine-grained entitlement history.

Reconciliation and Bulk Load

The reconciliation engine ensures consistency between the provisioning environment of Oracle Identity Manager and Oracle Identity Manager managed resources within the organization. The reconciliation engine discovers illegal accounts created outside Oracle Identity Manager. The reconciliation engine also synchronizes business roles located inside and outside the provisioning system to ensure consistency.

See Also:

If you want to load a large amount of data from other repositories in your organization into Oracle Identity Manager, then you can use the Bulk Load utility. The Bulk Load utility reduces the downtime in loading the data. In addition, Bulk Load utility import Oracle Identity Manager users, roles, role memberships, and accounts provisioned to users.

See Also:

"Bulk Load Utility" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about Bulk Load utility

Common Services

Various services are grouped together that are shared and used by other Oracle Identity Manager components. These services are:

Workflow and Request Management

Various operations in Oracle Identity Manager cannot be performed directly. Instead, the operations must be requested. The request management service provides a mechanism to create, approve, and manage requests. A request is an entity created by the users or administrators who want to perform a specific action, which requires a discretionary permission to be obtained from someone or some process before the action can be performed. For example, a user can create a request to gain access to a laptop computer, a manager can approve the request and create an open requisition, and an IT resource administrator can approve the request.

The primary goal of a provisioning solution is to manage requests and provision resources. Request service provides an abstraction layer on the Business Process Execution Language (BPEL) 11g workflow engine. Functional components such as request, provisioning, and attestation interacts with the workflow engine for human approvals. Request service caters to the various functional components in Oracle Identity Manager by managing workflow instances and categories, and provides an abstraction layer on BPEL. For information about registering workflows with Oracle Identity Manager, see, Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Infrastructure and Middleware Integration

The Adapter Factory, Kernel Orchestration mechanism, Context Manager, and Plug-in Framework are designed to eliminate the need for hard-coding integrations with these systems.

For more information about the integration of Oracle Identity Manager with middleware applications, see "Integration Solutions".

Connector Framework

A description of the Connector Framework is provided in the "Integration Services".