Oracle® Identity Management Concepts and Deployment Planning Guide
10g (9.0.4) for Windows or UNIX Part No. B10660-01
This chapter introduces identity management, describes components of an identity management system, and provides an overview and objectives of Oracle Identity Management.
This chapter contains the following topics:
Identity management is the process by which various components in an identity management system manage the security life cycle for network entities in an organization, and most commonly refers to the management of an organization’s application users. Steps in the security lifecycle include account creation, suspension, privilege modification, and account deletion.
The network entities managed can include devices, processes, applications, or anything else that interacts in a networked environment. Entities managed by an identity management process can also include users outside of an organization, such as customers, trading partners, or Web services.
By using an identity management system, an enterprise can:
Reduce administration costs through centralized account management and automated tasks
Accelerate application deployment by enabling new applications to leverage the existing infrastructure to provision user accounts and privileges
Improve the user experience by allowing rapid application access to new users
Improve security and usability by centrally managing user passwords and security credentials and customizing applications to leverage centralized authorization and policy information
A complete identity management system includes the following components:
A scalable, secure, and standards-compliant directory service for storing and managing user information
A provisioning framework that can either be linked to the enterprise provisioning system, such as a human resources application, or operated in standalone mode
A directory integration platform that enables the enterprise to connect the identity management directory to legacy or application-specific directories
A system to create and manage public key infrastructure (PKI) certificates
A runtime model for user authentication
A delegated administration model and application that enables the administrator of the identity management system to selectively delegate access rights to an administrator of an individual application, or directly to a user. Security and user interface models that can support various requirements are critical.
Figure 1-1 shows an overview of an identity management system.
Oracle Identity Management is an integrated infrastructure that provides distributed security to Oracle products. Oracle Identity Management is included with Oracle Application Server, as well as Oracle9i Database Server and Oracle Collaboration Suite.
The Oracle Identity Management infrastructure includes the following components:
Oracle Internet Directory: A scalable, robust LDAP V3-compliant directory service implemented on the Oracle9i Database Server
Oracle Directory Integration and Provisioning: A component of Oracle Internet Directory that enables you to:
Synchronize data between Oracle Internet Directory and other connected directories
Send notifications to target applications to reflect changes to a user’s status or information
Develop and deploy your own connectivity agents
Oracle Delegated Administration Services: A component of Oracle Internet Directory that provides trusted proxy-based administration of directory information by users and application administrators
Oracle Application Server Single Sign-On (OracleAS Single Sign-On): Provides single sign-on access to Oracle and third-party Web applications
Oracle Application Server Certificate Authority (OCA): Issues, revokes, renews, and publishes X.509v3 certificates to support PKI-based strong authentication methods
Many different applications, including Oracle E-Business Suite and Oracle Collaboration Suite, can leverage the Oracle Identity Management infrastructure, as shown in Figure 1-2.
While Oracle Identity Management is designed to provide an enterprise infrastructure for Oracle products, it can also serve as a general purpose identity management solution for user-written and third-party enterprise applications.
In addition, third-party application vendors certify with Oracle Identity Management infrastructure to ensure proper operation.
Oracle Identity Management is designed to meet three key architectural objectives:
Oracle Identity Management serves as a shared infrastructure for all Oracle products and technology stacks, including Oracle Application Server, Oracle9i Database Server, Oracle E-Business Suite, and Oracle Collaboration Suite. Accordingly, it is secure, reliable, and scalable, consistent with the core strengths of Oracle products and technologies.
Oracle Identity Management provides a consistent security model among all Oracle products and technology stacks. Oracle Identity Management infrastructure is planned for and deployed only once to support any current or future deployment of any Oracle product.
Oracle Identity Management provides a secure, efficient, and reliable way to leverage and extend your investment in an existing third-party identity management infrastructure.
Within a third-party identity management environment, Oracle Identity Management provides a single consistent point of integration for the entire Oracle technology stack, eliminating the need to configure and manage integration of each individual Oracle product with the third-party environment.
Using Oracle Directory Integration and Provisioning, Oracle Identity Management leverages current investment in planning and deployment of a third-party enterprise directory. This provides the means to map and inherit major considerations such as directory naming, directory tree structure, schema extensions, access control, and security policies. Established procedures in an existing framework for user enrollment, identity, and account provisioning can be seamlessly incorporated into the corresponding operations of Oracle Identity Management.
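The two ideas above, a synchronization component that consumes change records from a connected directory and notifies target applications of user status changes, and a mapping of directory naming, tree structure and attributes from a third-party directory into the identity management directory, are illustrated below with a small self-contained model. This is an added example written for this page; it is not Oracle Directory Integration and Provisioning code and does not use Oracle APIs. The change log, the container and attribute mapping rules, the target attribute name accountStatus, and the event names are all constructed for the illustration.

```python
"""Constructed model of directory synchronization with provisioning notifications.

Not Oracle code: the change log, mapping rules and event names are assumptions
made for this illustration.
"""
from dataclasses import dataclass, field

# Constructed LDIF-style change log as a connected (third-party) directory
# might export it: one user is created, suspended, then deleted.
SOURCE_CHANGELOG = """\
dn: cn=jdoe,ou=staff,o=example
changetype: add
cn: jdoe
sn: Doe
mail: jdoe@example.com
employeeStatus: active

dn: cn=jdoe,ou=staff,o=example
changetype: modify
employeeStatus: suspended

dn: cn=jdoe,ou=staff,o=example
changetype: delete
"""

# Mapping rules (assumed): source container -> target container,
# source attribute -> target attribute. Attributes with no rule are dropped,
# which is how naming and tree-structure differences are absorbed.
DN_MAP = {"ou=staff,o=example": "cn=Users,dc=example,dc=com"}
ATTR_MAP = {"cn": "uid", "sn": "sn", "mail": "mail", "employeeStatus": "accountStatus"}


@dataclass
class ChangeRecord:
    dn: str
    changetype: str
    attrs: dict


def parse_changelog(text: str) -> list:
    """Parse blank-line separated records of 'key: value' lines."""
    records = []
    for block in text.strip().split("\n\n"):
        dn = changetype = None
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = value
            elif key == "changetype":
                changetype = value
            else:
                attrs[key] = value
        records.append(ChangeRecord(dn, changetype, attrs))
    return records


def map_dn(source_dn: str) -> str:
    """Rewrite a source DN into the target tree; refuse unmapped containers."""
    rdn, _, parent = source_dn.partition(",")
    if parent not in DN_MAP:
        raise ValueError(f"no mapping rule for container {parent!r}")
    attr, _, val = rdn.partition("=")
    return f"{ATTR_MAP.get(attr, attr)}={val},{DN_MAP[parent]}"


def map_attrs(attrs: dict) -> dict:
    return {ATTR_MAP[k]: v for k, v in attrs.items() if k in ATTR_MAP}


@dataclass
class TargetDirectory:
    entries: dict = field(default_factory=dict)
    subscribers: list = field(default_factory=list)  # callables (event, dn, entry)

    def notify(self, event: str, dn: str, entry: dict) -> None:
        for callback in self.subscribers:
            callback(event, dn, entry)

    def apply(self, rec: ChangeRecord) -> None:
        dn = map_dn(rec.dn)
        if rec.changetype == "add":
            self.entries[dn] = map_attrs(rec.attrs)
            self.notify("USER_ADD", dn, self.entries[dn])
        elif rec.changetype == "modify":
            if dn not in self.entries:
                raise KeyError(f"modify for unknown entry {dn}")
            before = dict(self.entries[dn])
            self.entries[dn].update(map_attrs(rec.attrs))
            # A status change is what applications need to act on (e.g. cut
            # off access), so it is signalled as a distinct event.
            event = "USER_MODIFY"
            if before.get("accountStatus") != self.entries[dn].get("accountStatus"):
                event = "USER_STATUS_CHANGE"
            self.notify(event, dn, self.entries[dn])
        elif rec.changetype == "delete":
            entry = self.entries.pop(dn)
            self.notify("USER_DELETE", dn, entry)
        else:
            raise ValueError(f"unsupported changetype {rec.changetype!r}")


def synchronize(changelog: str):
    """Apply a change log to a fresh target; return (directory, notifications)."""
    events = []
    target = TargetDirectory()
    target.subscribers.append(
        lambda ev, dn, e: events.append((ev, dn, e.get("accountStatus"))))
    for rec in parse_changelog(changelog):
        target.apply(rec)
    return target, events


if __name__ == "__main__":
    _, notifications = synchronize(SOURCE_CHANGELOG)
    for n in notifications:
        print(n)
```

Run as a script, the model emits USER_ADD, USER_STATUS_CHANGE and USER_DELETE notifications for the mapped DN uid=jdoe,cn=Users,dc=example,dc=com. Two design points carry over to a real deployment: an unmapped source container is rejected rather than silently placed somewhere in the target tree, and a status change is published as its own event so that subscribing applications can suspend access promptly instead of inferring it from a generic modify.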
If a third-party authentication service is in use, OracleAS Single Sign-On provides the means to integrate with the service and extend a seamless single sign-on experience to users accessing the Oracle environment. Certified interoperability solutions exist for leading third-party authentication platforms, and well-defined interfaces are available for implementing similar solutions for any new product.
The Oracle Identity Management infrastructure can serve as an enterprise-wide foundation for identity management, to support other Oracle products as well as third-party vendor products deployed in the customer environment.
Oracle Identity Management offers lower ownership costs by streamlining the process of both user and account provisioning for all Oracle and third-party products. It also offers high levels of security, scalability, and functional richness. By supporting industry standards in all relevant interfaces, Oracle Identity Management can be customized and extended for use in many disparate application environments.