Oracle® Identity Management Concepts and Deployment Planning Guide
10g (9.0.4) for Windows or UNIX Part No. B10660-01
In addition to serving as a shared infrastructure for all Oracle applications, Oracle Identity Management also provides certain services and programmatic interfaces that facilitate third-party enterprise application development. These interfaces are useful for application developers who need to incorporate identity management into their applications.
This chapter discusses these interfaces and recommends application development best practices in the Oracle Identity Management environment.
The following two types of applications can be integrated with Oracle Identity Management:
Existing applications already rolled out in the enterprise. The enterprise might have already invested in such applications and would benefit from their integration with the Oracle Identity Management infrastructure.
New applications being developed by corporate IT departments or ISVs that are based on the Oracle technology stack.
This chapter contains the following topics:
Oracle Identity Management Services Available for Application Integration
Integrating Existing Applications with Oracle Identity Management
Integrating New Applications with Oracle Identity Management
Oracle Identity Management Services Available for Application Integration
Enterprise applications integrating with the Oracle Identity Management infrastructure receive the following benefits:
Integration facilitates faster application deployment with lower costs: Deployments (primarily Oracle customers) already using an existing Oracle Identity Management infrastructure can easily deploy the new application. The self-service console of Oracle Delegated Administration Services allows certain aspects of application administration to be delegated to users, which reduces the deployment cost of the application.
Seamless integration with Oracle applications: Since all Oracle applications rely on the Oracle Identity Management infrastructure, integrating natively with it will make the enterprise application more attractive.
Seamless integration with third-party identity management solutions: Because the Oracle Identity Management infrastructure already has built-in capabilities for integrating with third-party identity management solutions, application developers can leverage this for their applications.
Custom applications can leverage Oracle Identity Management through a set of documented and supported services and APIs. For example:
Oracle Internet Directory provides LDAP APIs for C, Java, and PL/SQL, and is compatible with other LDAP SDKs.
Oracle Delegated Administration Services provide a core self-service console that can be customized to support third-party applications. In addition, they provide a number of services for building customized administration interfaces that manipulate directory data.
Oracle Directory Integration Services facilitate the development and deployment of custom solutions for synchronizing Oracle Internet Directory with third-party directories and other user repositories.
Oracle Provisioning Integration Services provide a mechanism for provisioning third-party applications, as well as a means of integrating the Oracle environment with other provisioning systems.
OracleAS Single Sign-On provides APIs for developing and deploying partner applications that share a single sign-on session with other Oracle Web applications.
JAZN is the Oracle implementation of the Oracle Application Server Java Authentication and Authorization Service standard that allows applications developed for the Web using the Oracle J2EE environment to leverage the identity management infrastructure for authentication and authorization.
Integrating Existing Applications with Oracle Identity Management
An enterprise may have already deployed certain applications to perform critical business functions. The Oracle Identity Management infrastructure provides the following services that can be leveraged by the deployment to modify existing applications:
Automated User Provisioning: The deployment can develop a custom provisioning agent that automates the provisioning of users in the existing application in response to provisioning events in the Oracle Identity Management infrastructure. This agent must be developed using the interfaces of the Provisioning Integration Service.
See Also: Oracle Internet Directory Administrator's Guide for more information about developing automated user provisioning
User Authentication Services: If the user interface of the existing application is based on HTTP, integrating it with Oracle HTTP Server and protecting its URL using mod_osso will authenticate all incoming user requests using the OracleAS Single Sign-On service.
Centralized User Profile Management: If the user interface of the existing application is based on HTTP, and it is integrated with OracleAS Single Sign-On for authentication, the application can leverage the self-service console of Oracle Delegated Administration Services to enable centralized user profile management. The self-service console can be customized by the deployment to address the specific needs of the application.
Integrating New Applications with Oracle Identity Management
Application developers can leverage the services provided by the Oracle Identity Management infrastructure more extensively if they are developing a new application or planning on a new release of an existing application. Application developers should consider the following integration points:
User Authentication Services: The application developer has the following options:
If the application is based on J2EE, it can use the services provided by the Oracle Application Server Java Authentication and Authorization Service interface.
If the application relies on Oracle Application Server Containers for J2EE, it can use the services provided by mod_osso to authenticate users and obtain important information about the user in the HTTP headers.
If the application is a standalone Web-based application, it can leverage OracleAS Single Sign-On as a partner application using the OracleAS Single Sign-On APIs.
If the application provides a non-Web-based access interface, it can use the Oracle Internet Directory LDAP APIs (available in C, PL/SQL and Java) to authenticate users.
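The last option, authenticating a user by binding to the directory with the user's own credentials, is what an LDAP API does on the wire. The following is an added example, not code from this guide or from the Oracle Internet Directory SDK: it builds an LDAP v3 simple BindRequest and reads the BindResponse (RFC 4511 message layout), with a constructed in-memory "directory" (the entry for cn=alice and its password are made up) standing in for the server so it runs offline. It also models the one failure mode a bind-based login most often gets wrong: a bind with a name and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2), which a server that accepts it answers with success for an anonymous session, so the application must reject empty passwords itself before binding.

```python
"""LDAP simple-bind authentication exchange as an application would drive it.
Added example; not Oracle Internet Directory SDK code.  A tiny in-memory
'directory' plays the server side so the exchange runs offline."""


# --- BER helpers (definite-length encoding, enough for LDAP messages) --------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    # non-negative integers only; pad one byte so the sign bit stays clear
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# --- Client side: LDAPMessage { messageID, BindRequest [APPLICATION 0] } ------
def encode_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    bind = tlv(0x60, ber_int(3)                     # version 3
               + tlv(0x04, dn.encode())             # name (LDAPDN)
               + tlv(0x80, password.encode()))      # simple [0] OCTET STRING
    return tlv(0x30, ber_int(msg_id) + bind)


# --- Server side: constructed stand-in for the directory ----------------------
DIRECTORY = {  # constructed sample entry, not real data
    "cn=alice,cn=users,dc=example,dc=com": {"userPassword": "s3cret"},
}
SUCCESS, INVALID_CREDENTIALS = 0, 49


def mock_directory_bind(request: bytes) -> bytes:
    """Answer a BindRequest with a BindResponse [APPLICATION 1]."""
    _, msg, _ = read_tlv(request)
    _, mid, p = read_tlv(msg)
    _, op, _ = read_tlv(msg, p)
    _, _ver, p = read_tlv(op)
    _, dn, p = read_tlv(op, p)
    _, pw, _ = read_tlv(op, p)
    if pw == b"":
        # 'Unauthenticated' simple bind: this constructed server accepts it
        # and grants an anonymous session, so it reports success.
        code = SUCCESS
    else:
        entry = DIRECTORY.get(dn.decode())
        ok = entry is not None and entry["userPassword"].encode() == pw
        code = SUCCESS if ok else INVALID_CREDENTIALS
    # LDAPResult: resultCode ENUMERATED, matchedDN, diagnosticMessage
    result = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, tlv(0x02, mid) + tlv(0x61, result))


def bind_result_code(dn: str, password: str, send=mock_directory_bind) -> int:
    """Raw outcome of the exchange: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = read_tlv(send(encode_bind_request(1, dn, password)))
    _, _, p = read_tlv(msg)              # skip messageID
    _, op, _ = read_tlv(msg, p)          # BindResponse
    _, code, _ = read_tlv(op)            # resultCode
    return int.from_bytes(code, "big")


def authenticate(dn: str, password: str) -> bool:
    """What the application should call: an empty password is refused before
    any bind is sent, so an anonymous session can never pass as a login."""
    if not password:
        return False
    return bind_result_code(dn, password) == SUCCESS


if __name__ == "__main__":
    user = "cn=alice,cn=users,dc=example,dc=com"
    print(authenticate(user, "s3cret"), authenticate(user, "wrong"),
          bind_result_code(user, ""), authenticate(user, ""))
```

Against a real server the `send` argument would be a socket round trip (TLS in front of it); the message encoding and the empty-password guard stay the same.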
Centralized Profile Management: The application developer has the following options available:
The application developer can model application-specific profiles and user preferences as attributes in Oracle Internet Directory.
If the user interface of the application is based on HTTP, and it is integrated with OracleAS Single Sign-On for authentication, the application can leverage the self-service console of Oracle Delegated Administration Services to enable centralized user profile management. The self-service console can be customized by the deployment to address the specific needs of the application.
The application can also retrieve user profiles at runtime using the Oracle Internet Directory LDAP APIs (available in C, PL/SQL and Java).
Automated User Provisioning: Application developers should consider the following options:
If the user interface of the application is based on HTTP and it is integrated with OracleAS Single Sign-On for authentication, then the application developer can implement automated user provisioning the first time a user accesses the application.
The application can also be integrated with the Oracle Internet Directory Provisioning Integration Service, which enables it to automatically provision or de-provision user accounts in response to administrative actions, such as adding an identity, modifying the properties of an existing identity, or deleting an existing identity in the Oracle Identity Management infrastructure.
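Both provisioning options above end in the same place: the application's own account table must follow the identities held in the infrastructure. The following is an added example, not code from this guide or from the Provisioning Integration Service, that shows the application side of that: an agent that applies add, modify and delete identity events to a local account store, plus the first-access path used after single sign-on has authenticated a user. The `Event` shape is a hypothetical simplification of an identity notification, the GUIDs and names are constructed, and the design choices are the ones a provisioning agent needs to get right: key accounts on an immutable directory identifier rather than the renamable username, make event handling idempotent so a redelivered event is harmless, disable rather than drop on delete, and never let a first-access login revive an identity that was de-provisioned.

```python
"""Keeping an application's account table in step with identity events.
Added example; not the Oracle Provisioning Integration Service API."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    email: str
    enabled: bool = True


@dataclass
class Event:
    """Hypothetical identity notification (not an Oracle event schema)."""
    kind: str                        # "ADD", "MODIFY" or "DELETE"
    guid: str                        # immutable directory identifier
    username: Optional[str] = None   # present on ADD, optional on MODIFY
    email: Optional[str] = None


class AppAccountStore:
    """Application-side account table keyed by directory GUID, never by name."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []

    def apply(self, ev: Event) -> None:
        """Provisioning-agent entry point; idempotent for redelivered events."""
        if ev.kind == "ADD":
            if ev.guid in self.accounts:        # replay: treat as an update
                self._update(ev)
                return
            self.accounts[ev.guid] = Account(ev.username or "", ev.email or "")
            self.audit.append(f"ADD {ev.guid} -> {ev.username}")
        elif ev.kind == "MODIFY":
            if ev.guid not in self.accounts:    # arrived before its ADD: do not
                self.audit.append(f"MODIFY {ev.guid} ignored: unknown identity")
                return                          # build an account from fragments
            self._update(ev)
        elif ev.kind == "DELETE":
            acct = self.accounts.get(ev.guid)
            if acct is not None and acct.enabled:
                acct.enabled = False            # disable, keep row for audit trail
                self.audit.append(f"DELETE {ev.guid} -> {acct.username} disabled")
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

    def _update(self, ev: Event) -> None:
        acct = self.accounts[ev.guid]
        if ev.username is not None and ev.username != acct.username:
            self.audit.append(f"MODIFY {ev.guid} rename {acct.username} -> {ev.username}")
            acct.username = ev.username
        if ev.email is not None:
            acct.email = ev.email


def provision_on_first_access(store: AppAccountStore, guid: str,
                              username: str, email: str) -> Optional[Account]:
    """First-access path: called only after single sign-on has authenticated
    the user and supplied the identity's GUID.  Returns None when access must
    be refused because the identity was de-provisioned."""
    acct = store.accounts.get(guid)
    if acct is None:
        store.apply(Event("ADD", guid, username, email))
        return store.accounts[guid]
    if not acct.enabled:
        return None                             # a new login must not revive it
    return acct


if __name__ == "__main__":
    store = AppAccountStore()
    for ev in [Event("ADD", "guid-1", "alice", "alice@example.com"),
               Event("MODIFY", "guid-1", username="asmith"),
               Event("DELETE", "guid-1")]:
        store.apply(ev)
    print(store.audit)
    print(provision_on_first_access(store, "guid-1", "asmith", "alice@example.com"))
```

The store here is an in-memory dictionary; in an application it would be the user table, and `apply` would run inside the transaction that records the last processed event so that a restart replays safely.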