|
Oracle® Identity Management Concepts and Deployment Planning Guide
10g (9.0.4) for Windows or UNIX Part No. B10660-01 |
|
|
|
|
Oracle® Identity Management Concepts and Deployment Planning Guide
10g (9.0.4) for Windows or UNIX Part No. B10660-01 |
|
|
|
|
This chapter introduces concepts that deployment planners must understand to effectively deploy identity management. It provides an overview of the Oracle Identity Management architecture and the provisioning lifecycle of applications and users in the Oracle environment and presents the terms that are commonly used to describe identity management.
This chapter contains the following sections:
Following is a list of some important identity management terms and concepts and their definitions:
Account Provisioning: The process of creating an account for a given application and network identity, and managing the account's entitlements to allow and control its access to the resources managed by the application
Authentication: The process of verifying the identity claimed by an entity based on its credentials
Authorization: The process of establishing a specific entitlement that is consistent with authorization policies
Authorization Policies: Declarations that define entitlements of a security principal and any constraints related to that entitlement
Centralized Assertion Services: Part of the identity management infrastructure that generates identity assertions. OracleAS Single Sign-On is an example of an assertion service that generates identity assertions. OCA is another type of assertion service, because the X.509v3 certificates it generates are indeed assertions about a network entity’s identity and its entitlements.
Entitlements: The actions an entity in a network is allowed to perform and the resources to which it is allowed access
Identity: The set of attributes that uniquely identifies a network entity. A network entity can have many different accounts that it uses to access various applications in the network. These accounts can be identified by these applications by different attributes of this entity. For example, a user can be known in the e-mail service by his or her e-mail ID, whereas that same user can be known in the human resource application by his or her employee number. The global set of such attributes constitutes the identity of the entity.
Identity Administration: The act of managing information associated with the identity of a network entity. The information can be used by the identity management infrastructure itself to determine administrative privileges.
Identity Database: A specialized database service designed to hold and manage identity information
Identity Management Policies: Policies affecting the management of identities in an enterprise which includes naming policies and security policies
Identity Management Realm: A collection of identities and associated policies which is typically used when enterprises want to isolate user populations and enforce different identity management policies for each population
Identity Policy Assertion Services: A process that generates verifiable assertions about the identity of an entity or its authorizations. Network entities present these assertions to other services that the entities access.
Identity Provisioning: The act of establishing the identity of a network entity and the necessary credentials to facilitate authentication of the identity
Policy Decision Services: A process that interprets any applicable entitlement policies associated with the resources to which applications secure and control access. Some applications rely on decision services that are embedded in the application itself, while others depend on centralized decision services.
Security Principals: The subjects of authorization policies, such as users, user groups, and roles. A security principal can be a human or any application entity with an identity in the network and credentials to assert the identity.
These terms are used to describe the identity management concepts included in the next section.
This section describes the fundamental concepts of identity management and contains the following topics:
This section provides a blueprint for administrators of a typical application integrated with Oracle Identity Management. It provides a framework for understanding the roles of the various Oracle Identity Management components and services, and provides a basis for understanding how to engineer secure application deployments in an enterprise environment.
The application integration model is shown in Figure 2-1.
In this model, the following essential services are performed by the identity management infrastructure:
Administration and Provisioning: Provides administration and provisioning services for the identities managed by the identity management infrastructure. In Oracle Identity Management, these services are performed using tools such as Oracle Delegated Administration Services and Oracle Directory Integration and Provisioning.
Policy Decision Services: Although these services are typically performed by the application, such as OracleAS Portal, in Oracle Identity Management, Oracle Internet Directory performs policy decision services for the identity management infrastructure itself.
Identity Policy Assertion Services: In Oracle Identity Management these services are performed by OracleAS Single Sign-On and Oracle Application Server Certificate Authority
Applications deployed against the identity management infrastructure interact with the infrastructure in the following ways:
User Authentication: When a user accesses an application, it validates the user credentials using the services provided by the identity management infrastructure. The authentication and the associated communication to the application is accomplished with the identity policy assertion services. For example, in the case of the Oracle Identity Management infrastructure, this would be validation of the credential, in the form of an encrypted browser cookie, by OracleAS Single Sign-On.
User Authorization: Once authenticated, the application must also check if the user has sufficient privileges over resources protected by the application. This is performed by the application based on identity information managed in the identity management infrastructure. For example, a J2EE application uses Oracle Application Server Java Authentication and Authorization Service (OracleAS JAAS Provider) to access user and role information in the Oracle Identity Management infrastructure, after authentication.
This section provides an overview of the user identity and application provisioning flow in the Oracle environment.
Following is a description of the provisioning flow shown in Figure 2-2:
The first step is the deployment of the Oracle Identity Management infrastructure using the product’s installation and configuration tools.
The next step is to define the identity management security policies. These policies determine what data users and applications can access. They are codified as access control lists (ACLs) in Oracle Internet Directory, and are typically managed using Oracle Directory Manager.
The following three activities typically take place on an ongoing basis. Each of these activities can happen in parallel, and in no particular order.
User identities are provisioned in Oracle Internet Directory. These identities can come from multiple sources, including human resources applications, user administration tools (such as the Oracle Internet Directory Self-Service Console), through synchronization with other directories, or through directory bulk loading tools.
Groups and roles are administered in Oracle Internet Directory. Groups and group memberships can be defined in a number of ways, such as through the Oracle Internet Directory Self-Service Console or through synchronization with another directory service.
Application instances are deployed against the Oracle Identity Management infrastructure. This typically involves an identity management infrastructure administrator first granting access to the application administrator using the Oracle Internet Directory administration tools. The application administrator uses application installation and configuration tools to create the required directory objects and entries to support the application.
User identities, groups and roles, and applications are associated through the process of application account provisioning. This can be performed manually using application administration tools or in an automated fashion through provisioning integration.
Oracle Identity Management requires a centralized repository for the enterprise users, groups, and services. Business requirements, however, make it difficult to manage a centralized store with a centralized set of administrators.
For example, in a business, the administrator of enterprise user management might be different from that of the e-mail service; the administrator of financials may need full control over the privileges of its users; and the OracleAS Portal administrator may need full control over the Web pages for a specific user or a specific group. To meet the needs of these various administrators, and satisfy the different security requirements, the identity management system needs delegated administration.
With delegated administration, the management of the data inside the identity management system can be distributed to many different administrators depending upon their security requirements. This combination of centralized repository and delegated privileges results in a secure and scalable administration in the identity management infrastructure.
Each of the Oracle technology stacks—Oracle Application Server, Oracle9i Database Server, Oracle E-Business Suite, and Oracle Collaboration Suite—supports a security model that is appropriate for its design. Nevertheless, they all employ the Oracle Identity Management infrastructure to implement their respective security models and capabilities, as shown in Figure 2-3.
Oracle Application Server supports a J2EE compliant security service called Java Authentication and Authorization Service (JAAS). JAAS can be configured to utilize users and roles defined in Oracle Internet Directory.
Similarly, the database security capabilities—Enterprise User and Oracle Label Security—provide the means to leverage users and roles defined in Oracle Internet Directory. Both of these platforms facilitate the applications developed using the platforms’ respective native security capabilities to transparently leverage the underlying identity management infrastructure.
The Oracle E-Business Suite and Oracle Collaboration Suite application stacks are layered over the Oracle9i Database Server and Oracle Application Server platforms, providing a level of indirect integration with the Oracle Identity Management infrastructure. In addition, these products have independent features that rely upon Oracle Identity Management. For example, Oracle Collaboration Suite components such as Oracle Email and Oracle Voicemail & Fax use Oracle Internet Directory to manage component-specific user preferences, personal contacts, and address books.
These Oracle technology stacks also leverage Oracle Directory Integration and Provisioning to automatically provision and de-provision user accounts and privileges. Oracle Delegated Administration Services is employed extensively for self-service management of user preferences and personal contacts. Also, the security management interfaces of these products leverage the user and group management building blocks called service units.
|
 Copyright © 2003 Oracle Corporation All rights reserved |
|
