Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)
Part Number E14308-09
Oracle offers several technologies that complement and extend the functionality available in Oracle Identity Manager, some of which are described in this chapter. Refer to the "Oracle Fusion Middleware Integration Overview" for complete information about the technologies you can integrate with Oracle Identity Manager. Figure 11-1 shows the integration of Oracle Identity Manager with other Oracle components.
Figure 11-1 Integration with Other Components
This chapter discusses the integration of Oracle Identity Manager with the following Oracle components:
Oracle Access Manager (OAM)
Oracle Adaptive Access Manager (OAAM)
Oracle Identity Analytics (OIA)
Oracle Identity Navigator (OIN)
Oracle Virtual Directory (OVD)
Oracle SOA Suite
Oracle Business Intelligence Publisher (BI Publisher)
Oracle Access Manager (OAM) protects applications, data, and cloud-based services through a combination of flexible authentication and single sign-on (SSO), identity federation, risk-based authentication, proactive enterprise fraud prevention, and fine-grained authorization.
Web-based SSO provides secure access to multiple applications with one authentication step. When OAM is combined with Oracle Identity Manager, OAM can SSO-enable the Oracle Identity Administration, along with the other Oracle Identity Management components.
Oracle Identity Manager, OAM, and Oracle Adaptive Access Manager (OAAM) share a common set of LDAP attributes, improving efficiency by making it easier to manage workflows and other processes. Integrated password management makes it easy for users to log in to OAM, OAAM, and Oracle Identity Manager, and to manage expired and forgotten passwords.
For integration details, see "Integration Between OIM and OAM" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
OAAM provides sophisticated multifactor authentication and proactive, real-time fraud prevention functionality for Web-based connections. Risk-based authentication is one such capability OAAM provides. The OAAM risk-scoring engine combats identity fraud in real time by evaluating whether a user should be allowed to authenticate based on the type of transaction being attempted and the probability of fraud occurring. Next, the OAAM risk-scoring engine evaluates how a user answers a series of dynamically generated questions that are created from a combination of public and private data sources. OAAM then generates a fraud score, and the user is either allowed to continue with the transaction or is denied access.
When integrated with Oracle Identity Manager, the richer challenge question feature set found in OAAM replaces the more limited set found in Oracle Identity Manager. Oracle Identity Manager continues to handle password validation, storage, and propagation.
For information about how password management is achieved when Oracle Identity Manager is integrated with OAM and OAAM, see "Deployment Options for Password Management" in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager.
For integration details, see "Integrating Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager.
Oracle Identity Analytics (OIA), formerly Sun Role Manager, provides rich identity analytics and dashboards that allow you to monitor, analyze, review, and govern user access in order to mitigate risk, build transparency, and satisfy compliance mandates.
When integrated with Oracle Identity Manager, Oracle Identity Analytics defines the Role-based Access Control (RBAC) framework, the attestation process, and the approach to Segregation of Duties (SoD) policy enforcement, while Oracle Identity Manager serves as the automated provisioning and identity synchronization solution. Rather than assigning individual access entitlements, the RBAC framework allows organizations to assign and unassign roles as a means of controlling user access on various applications.
For integration details in Oracle Identity Analytics, see the Oracle Fusion Middleware System Integrator's Guide for Oracle Identity Analytics.
Oracle Identity Manager is an authoritative source of data for users, accounts, and entitlements. Therefore, in an integrated deployment, OIA needs the following data from Oracle Identity Manager:
Account attributes, including assigned entitlements
The requirements for the data synchronization are:
OIA needs incremental changelog updates for users, accounts, and entitlements from Oracle Identity Manager
OIA needs, on an ad hoc basis, the full set of entities, such as users, accounts, and entitlements, from Oracle Identity Manager
Oracle Identity Manager 11g Release 1 (11.1.1) allows the data synchronization with the help of:
APIs to allow OIA to start data collection for a configurable number of entities. In addition, APIs allow OIA to get the status of the data collection.
For information about using Oracle Identity Manager APIs, see Oracle Fusion Middleware Java API Reference for Oracle Identity Manager and "Using APIs" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Stored procedures that perform the data collection from Oracle Identity Manager transactional tables to the staging tables.
This section describes the data collection process with the help of the following topics:
The DataCollectionOperationsIntf API interface provides the following APIs:
void startDataCollection(String sessionID, Map entities): This API starts the data collection process for a single session. The parameters are:
sessionID: A unique string identifying the particular session. This string must be the same in repeated invocations of APIs that form the part of a single data collection session.
entities: A Map that contains all the entities and the since dates for which data collection is to be performed. There are two static entities, user and entitlement. The remaining keys can be resource object names in Oracle Identity Manager. If an entity or resource object name cannot be found, it is ignored and no data collection is performed for it. The values in the Map are java.util.Date objects that represent a timestamp. If a value is NULL, then complete data for that entity is populated. If the value is non-NULL, then only entities modified after that date are populated in the staging tables.
String checkStatus(String sessionID): This API checks for the status of the specified data collection session. The API returns the following statuses:
void finalizeSession(String sessionID): This API finalizes the data collection session by truncating the staging tables and other cleanup activities.
Oracle Identity Manager makes user, account, and entitlement data available to OIA through a set of tables. These are called staging tables, and they are populated on demand by using the APIs in the DataCollectionOperationsIntf interface. The following staging tables can be populated:
staging_users_table: Staging table for user profile attributes
staging_user_extended_props: Staging table for custom user defined fields
staging_entitlements: Staging table for entitlement information
staging_accounts: Staging table for account information
staging_account_attributes: Staging table for account attributes including parent and child form data
The following is the sequence of steps for the data collection:
Invoke the startDataCollection() API with the appropriate session ID and the entities with their since dates. A NULL since date indicates to Oracle Identity Manager that full data for that entity must be populated in the staging tables.
Poll Oracle Identity Manager by running the checkStatus() API with the same session ID.
After the checkStatus() API returns the COMPLETED status, OIA processes can directly read the data from the staging tables.
After data synchronization is complete, run the finalizeSession() API with the same session ID to finalize the data collection session.
If there are any errors in the data collection, then Oracle Identity Manager indicates it with the FAILED status. If this happens, then the data collection session must be restarted. You can restart the data collection session by finalizing the current session with the finalizeSession() API and then running startDataCollection() with a new session ID.
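As an added example, not from the Oracle documentation, the following Java client runs the steps above against Oracle Identity Manager 11g Release 1 through OIMClient: it starts a session with a fresh session ID, polls checkStatus() until the session reaches COMPLETED or FAILED, always finalizes the session, and starts one more session with a new ID if the first one fails. The package of DataCollectionOperationsIntf, the host and port, the credentials, the authwl.conf path, and the resource object name "Active Directory User" are assumptions or placeholders; confirm the package in the Java API Reference. This page does not state the in-progress status value, so the polling loop stops only on the two statuses the page names, with a timeout so a hung session cannot spin forever.

```java
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.UUID;

import oracle.iam.platform.OIMClient;
import oracle.iam.oia.api.DataCollectionOperationsIntf; // package assumed; confirm in the Java API Reference

/** Drives one OIA data collection session through the DataCollectionOperationsIntf API (added example). */
public class OiaDataCollectionClient {

    private static final String OIM_URL = "t3://oimhost.example.com:14000"; // placeholder host and port
    private static final long POLL_INTERVAL_MS = 10_000L;                    // 10 s between status checks
    private static final long POLL_TIMEOUT_MS = 60L * 60L * 1000L;           // give up after one hour

    public static void main(String[] args) throws Exception {
        // authwl.conf ships with the OIM client distribution; the path here is a placeholder.
        System.setProperty("java.security.auth.login.config", "/opt/oim-client/conf/authwl.conf");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);

        // Credentials come from the environment so they are not embedded in the class file.
        String user = System.getenv("OIM_USER");
        char[] password = System.getenv("OIM_PASSWORD").toCharArray();

        // Optional argument: epoch milliseconds of the last successful run. Absent means a full extract.
        Date since = args.length > 0 ? new Date(Long.parseLong(args[0])) : null;

        OIMClient client = new OIMClient(env);
        client.login(user, password);
        try {
            DataCollectionOperationsIntf dc = client.getService(DataCollectionOperationsIntf.class);
            String status = runSession(dc, buildEntities(since));
            if (!"COMPLETED".equals(status)) {
                // The page's recovery procedure: finalize (done in runSession) and start again with a new ID.
                status = runSession(dc, buildEntities(since));
            }
            System.out.println("data collection finished with status " + status);
        } finally {
            client.logout();
        }
    }

    /** Entities map as the API expects it: key = entity name, value = since date (null = full extract). */
    static Map<String, Date> buildEntities(Date since) {
        Map<String, Date> entities = new HashMap<>();
        entities.put("user", since);                  // static entity: user profiles
        entities.put("entitlement", since);           // static entity: entitlements
        entities.put("Active Directory User", since); // a resource object name; placeholder
        return entities;
    }

    /** Runs one session end to end and returns its terminal status. The session is always finalized. */
    static String runSession(DataCollectionOperationsIntf dc, Map<String, Date> entities) throws Exception {
        // One unique ID per session, reused for every call that belongs to that session.
        String sessionId = UUID.randomUUID().toString();
        dc.startDataCollection(sessionId, entities);
        try {
            String status = pollUntilDone(dc, sessionId);
            if ("COMPLETED".equals(status)) {
                // The staging tables are populated at this point; OIA reads them directly
                // before finalizeSession() truncates them in the finally block below.
                handOffToOia(sessionId);
            }
            return status;
        } finally {
            dc.finalizeSession(sessionId); // truncates the staging tables and performs cleanup
        }
    }

    /** Polls checkStatus() until the page's two terminal statuses appear, or the timeout expires. */
    static String pollUntilDone(DataCollectionOperationsIntf dc, String sessionId) throws InterruptedException {
        long deadline = System.currentTimeMillis() + POLL_TIMEOUT_MS;
        while (true) {
            String status = dc.checkStatus(sessionId);
            if ("COMPLETED".equals(status) || "FAILED".equals(status)) {
                return status;
            }
            if (System.currentTimeMillis() > deadline) {
                throw new IllegalStateException("session " + sessionId + " still " + status + " after timeout");
            }
            Thread.sleep(POLL_INTERVAL_MS);
        }
    }

    /** Placeholder for the OIA-side import of the staging tables; not part of this API. */
    static void handOffToOia(String sessionId) {
        System.out.println("staging tables ready for OIA import, session " + sessionId);
    }
}
```

Because finalizeSession() truncates the staging tables, run one session at a time: a second session finalized while the first is still being read would empty the tables underneath OIA. The finally block guarantees the truncation also happens after a FAILED status or an exception, which is what the page's restart procedure requires before a new session ID is used.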
Oracle Identity Navigator (OIN) is a browser-based administrative portal designed to act as a launch pad for Oracle Identity Management components. It does not replace the individual component consoles. Rather, it allows you to access the Oracle Identity Management consoles from one site.
When integrated with Oracle Identity Manager, OIN becomes the primary entry point for Oracle Identity Manager administration: administrators open the Oracle Identity Administration console from the OIN launch pad rather than navigating to it directly.
OIN has a product discovery feature that can be used to discover all active J2EE components in a domain, including the Oracle Identity Administration.
For integration details, see "Adding a Component Link to the Product Launcher by Using Product Discovery" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator.
If you install Oracle Identity Manager with LDAP synchronization, you must install Oracle Virtual Directory (OVD). OVD connects to multiple enterprise directories and consolidates the contents of those directories into a unified view. For example, if your enterprise uses Oracle Internet Directory (OID), iPlanet, and Active Directory, OVD can interface with all three directories and create a consolidated view. Oracle Identity Manager can then use a single connector to access the consolidated LDAP data on OVD. The LDAP Sync Provider (also called the LDAP Provider) connects Oracle Identity Manager and OVD.
When integrated with Oracle Identity Manager, OVD provides the following benefits:
Oracle Identity Manager connector management is simplified - Only a single LDAP connector is needed for multiple directory providers (although, multiple instances may be needed)
LDAP connector reliability is improved - The same connector is used regardless of the underlying LDAP server. OVD handles the data translation that, in the past, required multiple LDAP connectors for multiple LDAP providers
The same identity virtualization capability is provided to all Fusion Middleware applications, reducing the overall footprint of components in the Enterprise
For integration details, see the Oracle Fusion Middleware Installation Guide for Oracle Identity Management, which contains multiple procedures for integrating Oracle Identity Manager and Oracle Virtual Directory in various environments.
Earlier releases of OVD are installed in Blocking IO (BIO) mode. The current release of OVD is installed in Non Blocking IO (NIO) mode by default. However, Oracle Identity Manager is not certified with NIO mode. Therefore, the OVD connection management in Oracle Identity Manager must be modified for working with OVD in NIO mode.
The current release of OVD is also enhanced to include multiple change log support. These enhancements require changes to the OVD Changelog adapter parameters.
See "Creating Adapters in Oracle Virtual Directory" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management for detailed information about creating the OVD adapters for Oracle Identity Manager change log and user management.
The Oracle Identity Manager workflow feature utilizes Oracle Service-Oriented Architecture (SOA) back-end services and management capabilities to provide an interactive environment to request, approve, and manage user access. In order to install Oracle Identity Manager, you must also install Oracle SOA Suite.
Oracle Identity Manager makes use of the following SOA Suite components:
BPEL Process Manager, which provides the end-to-end solution for creating and managing business processes
Human Workflow, which manages the lifecycle of human tasks, including creation, assignment, deadlines, expiration, and notifications
Oracle Business Rules, which allows you to define complex business rules to support request assignment, process selection, and approver resolution
Oracle Web Services Manager, which secures the web service and BPEL processes consumed and invoked by Oracle Identity Manager
For integration details, see "Integration with Oracle SOA Suite" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
The Oracle Identity Manager reporting feature utilizes Oracle Business Intelligence Publisher (BI Publisher) to provide high-fidelity reporting capabilities, allowing you to create, deploy, and use complex reports in a multi-channel environment.
For BI Publisher details, see "Using Reporting Features" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager.