Directory Concepts and Architecture, 14 of 15

Oracle Internet Directory and Identity Management

Identity management is the process by which the complete security life cycle for network entities is managed in an organization. Because Oracle Internet Directory is a key element of the Oracle Identity Management infrastructure, it enables you to simplify security management across all applications. To do this, you deploy multiple Oracle components against a shared instance of Oracle Internet Directory and of other Oracle Identity Management components. This requires careful planning to match the Oracle Internet Directory deployment with the security needs of your enterprise.

This section contains these topics:

About Identity Management

Identity management most commonly refers to the management of an organization's application users. Steps in their security life cycle include account creation, suspension, privilege modification, and account deletion. The managed entities may also include devices, processes, applications, or anything else that needs to interact in a networked environment. They may also include users outside of the organization, for example customers, trading partners, or Web services.

Identity management is important to IT deployments because it can reduce administrative costs while at the same time improving security.

The Oracle Identity Management infrastructure enables deployments to manage centrally and securely all enterprise identities and their access to various applications in the enterprise. Identity management comprises these tasks:

Creating enterprise identities and managing shared properties of these identities through a single enterprise-wide console
Creating groups of enterprise identities
Provisioning these identities in various services available in the enterprise. This includes:
- Account creation
- Account suspension
- Account deletion
Managing policies associated with these identities. These include:
- Authorization policies
- Authentication Policies
- Privileges delegated to existing identities

About the Oracle Identity Management Infrastructure

Oracle Identity Management is an integrated infrastructure that Oracle products rely on for distributed security. It is part of the infrastructure of the Oracle Application Server and for other Oracle products as well. Figure 2-9 illustrates the components of the Oracle Identity Management infrastructure and how various Oracle and third-party products rely on it.

Figure 2-9 Oracle Identity Management Infrastructure and Other Components

Text description of oidag097.gif follows

Text description of the illustration oidag097.gif

As shown in Figure 2-9, the Oracle Identity Management infrastructure includes the following components and capabilities:

Oracle Internet Directory, a scalable, robust LDAP Version 3-compliant directory service implemented on the Oracle9i Database Server.
Oracle Directory Integration and Provisioning platform, which permits synchronization between Oracle Internet Directory and other directories and user repositories and automatic provisioning services for Oracle components and applications and, through standard interfaces, third-party applications.
Oracle Delegated Administration Services, which provides trusted proxy-based administration of directory information by users and application administrators.
Oracle Application Server Single Sign-On, which provides single sign-on access to Oracle and third party web applications.
Oracle Application Server Certificate Authority, which generates and publishes X.509 V3 PKI certificates to support strong authentication methods.

While Oracle Identity Management is designed to provide an enterprise infrastructure for Oracle products, it can also serve as a general-purpose identity management solution for user-written and third-party enterprise applications. It provides a robust and scalable enterprise-wide identity management platform for third-party applications, hardware, and network operating systems. Custom applications can leverage Oracle Identity Management through a set of documented and supported services and APIs, for example:

Oracle Internet Directory provides LDAP APIs for C, Java, and PL/SQL, and is compatible with other LDAP SDKs.
Oracle Delegated Administration Services provide a core self-service console that may be customized to support third-party applications. In addition, it provides a number of services for building customized administration interfaces that manipulate directory data.
The Oracle Directory Synchronization Service facilitates the development and deployment of custom solutions for synchronizing Oracle Internet Directory with third-party directories and other user repositories.
The Oracle Directory Provisioning Integration Service enables you to provision third-party applications and integrate the Oracle environment with other provisioning systems.
Oracle Application Server Single Sign-On provides APIs for developing and deploying partner applications that share a single sign-on session with other Oracle Web applications.
JAZN, Oracle's implementation of the JAAS standard, enables applications developed for the Web using Oracle's J2EE environment to leverage the Oracle Identity Management infrastructure for authentication and authorization.

In addition, Oracle works with third-party application vendors to ensure that their applications can leverage Oracle Identity Management out of the box.

See Also:
Oracle Identity Management Concepts and Deployment Planning Guide for more information about the Oracle Identity Management infrastructure

Identity Management Realms

An identity management realm defines an enterprise scope over which certain identity management policies are defined and enforced by the deployment. It comprises:

A well-scoped collection of enterprise identities--for example, all employees in the US domain
A collection of identity management policies associated with these identities. An example of an identity management policy would be to require that all user passwords have at least one alphanumeric character.
A collection of groups--that is, aggregations of identities--that simplifies the setting of the identity management policies

You can define multiple identity management realms within the same Oracle Identity Management infrastructure. This enables you to isolate user populations and enforce a different identity management policy--for example, password policy, naming policy, self-modification policy--in each realm.

Each identity management realm is uniquely named to distinguish it from other realms. It also has a realm-specific administrator with complete administrative control over the realm.

Default Identity Management Realm

For all Oracle components to function, an identity management realm is required. One particular realm, created during installation of Oracle Internet Directory, is called the default identity management realm. It is where Oracle components expect to find users, groups, and associated policies whenever the name of a realm is not specified.

There can be only one default identity management realm in the directory. If a deployment requires multiple identity management realms, then one of them must be chosen as the default.

Identity Management Policies

The Oracle Identity Management infrastructure supports a flexible set of management policies which comprise:

Directory structure and naming policies that enable you to:
- Customize the directory structure in Oracle Internet Directory for your deployment
- Specify where various identities are to be located and how they are uniquely identified
Authentication policies that enable you to specify authentication methods and protocols supported by the Oracle Identity Management infrastructure
Identity management authorizations that enable you to control access to certain privileged services and delegate administration wherever necessary

Note:
In Oracle Internet Directory Release 9.0.2, the equivalent term for "identity management realm" was "subscriber".