Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
Part No. B14085-01

1 Introduction to Oracle Identity Management Integration

This chapter introduces Oracle Identity Management integration, its components, structure, and administration tools.

This chapter contains these topics:


See Also:

Appendix D, "Case Study: A Deployment of Oracle Directory Integration and Provisioning" for an example of how you can deploy Oracle Identity Management integration

Why Oracle Identity Management Integration?

Oracle Identity Management enables you to reduce administrative time and costs by integrating your applications and directories—including third-party LDAP directories—with Oracle Internet Directory. It does this by using Oracle Directory Integration and Provisioning. For example, you might need to do the following:

Throughout the integration process, Oracle Directory Integration and Provisioning ensures that the applications and other directories receive and provide the necessary information in a reliable way.

You can integrate with various directories, including Microsoft Active Directory and SunONE Directory Server. For example, in an Oracle Application Server environment, where access to Oracle components relies on data stored in Oracle Internet Directory, you can still use Microsoft Active Directory as the central enterprise directory. Users of that directory can still access Oracle components because Directory Integration and Provisioning can synchronize the data in Microsoft Active Directory with that in Oracle Internet Directory.

Figure 1-1 shows a sample deployment of Directory Integration and Provisioning.

Figure 1-1 Example of an Oracle Directory Integration and Provisioning Environment


In the example in Figure 1-1, Oracle Internet Directory is synchronized with connected directories by way of the Oracle Directory Synchronization Service. In this example, the connected directories are Oracle Human Resources, SunONE Directory Server, and Microsoft Active Directory. Similarly, changes in Oracle Internet Directory are sent to various applications by using the Oracle Provisioning Service. In this example, the provisioned applications include OracleAS Portal, Oracle Content Management Software Development Kit, Oracle Application Server Wireless, an unspecified provisioned application, and a legacy application.

Installation Options

By default, Oracle Directory Integration and Provisioning is installed as a component of Oracle Internet Directory. However, you can also install Oracle Directory Integration and Provisioning in a standalone installation. You should install a standalone instance of Oracle Directory Integration and Provisioning under the following circumstances:

Synchronization, Provisioning, and the Difference Between Them

Synchronization has to do with directories rather than applications. It ensures the consistency of entries and attributes that reside in both Oracle Internet Directory and other connected directories.

Provisioning has to do with applications. It notifies them of changes to user or group entries or attributes that the application needs to track.

This section contains these topics:

Synchronization

Synchronization enables you to coordinate changes among Oracle Internet Directory and connected directories. For all directories to both use and provide only the latest data, each directory must be informed of changes made in the other connected directories. Synchronization ensures that any change to directory information—including, but not limited to, data updated through provisioning—is kept consistent.

Whenever you decide to connect a third-party directory to Oracle Internet Directory, you create a synchronization profile for that specific directory. This profile specifies the format and content of the data to be synchronized between Oracle Internet Directory and the connected directory. To create a synchronization profile, you use the Directory Integration and Provisioning Assistant.

Provisioning

Provisioning enables you to ensure that an application is notified of directory changes to, for example, user or group information. Such changes can affect whether the application allows a user access to its processes and which resources can be used.

Use provisioning when you are designing or installing an application that

  • Does not maintain a directory

  • Is LDAP-enabled

  • Can and should allow only authorized users to access its resources

When you install an application that you want to provision, you must create a provisioning integration profile for it by using the Provisioning Subscription Tool.

How Synchronization and Provisioning Differ

Synchronization and provisioning have important operational differences as described in Table 1-1.

Table 1-1 Directory Synchronization and Provisioning Integration Distinctions

The time for action
  Directory Synchronization: Application deployment time. Directory synchronization is for connected directories requiring synchronization with Oracle Internet Directory.
  Provisioning Integration: Application design time. Provisioning integration is for application designers developing LDAP-enabled applications.

Communication direction
  Directory Synchronization: Either one-way or two-way—that is, from Oracle Internet Directory to connected directories, the reverse, or both.
  Provisioning Integration: Two-way—that is, from Oracle Internet Directory to provisioned applications, and from provisioned applications to Oracle Internet Directory.

Type of data
  Directory Synchronization: Any data in a directory.
  Provisioning Integration: Restricted to provisioned users and groups.

Examples
  Directory Synchronization: Oracle Human Resources, SunONE Directory Server, Microsoft Active Directory.
  Provisioning Integration: OracleAS Portal.

Components Involved in Oracle Identity Management Integration

This section describes the components involved in Oracle Identity Management integration. It contains these topics:

Oracle Internet Directory

Oracle Internet Directory is the repository in which Oracle components and third-party applications store and access user identities and credentials. It uses the Oracle directory server to authenticate users by comparing the credentials entered by users with the credentials stored in Oracle Internet Directory. When credentials are stored in a third-party directory and not in Oracle Internet Directory, users can still be authenticated. In this case, Oracle Internet Directory uses an external authentication plug-in that authenticates users against the third-party directory server.

Oracle Directory Integration and Provisioning Server

The Oracle directory integration and provisioning server is the shared server process that provides functionality for the Oracle Directory Synchronization Service and the Oracle Provisioning Service.

What the Oracle Directory Integration and Provisioning Server Does

The directory integration and provisioning server performs these services:

  • Oracle Directory Synchronization Service:

    • Scheduling—Processing a synchronization profile based on a predefined schedule

    • Mapping—Executing rules for converting data between connected directories and Oracle Internet Directory

    • Data propagation—Exchanging data with connected directories by using a connector

    • Error handling

  • Oracle Provisioning Service:

About the Oracle Directory Synchronization Service

In the Oracle Directory Integration and Provisioning environment, the contents of connected directories are synchronized with Oracle Internet Directory through the Oracle Directory Synchronization Service.

For Oracle Application Server components, Oracle Internet Directory is the central directory for all information, and all other directories are synchronized with it. This synchronization can be:

  • One-way: Some connected directories only supply changes to Oracle Internet Directory and do not receive changes from it. This is the case, for example, with Oracle Human Resources, the primary repository and "source of truth" for employee information.

  • Two-way: Changes in Oracle Internet Directory can be exported to connected directories, and changes in connected directories can be imported into Oracle Internet Directory.

Certain attributes can be targeted or ignored by the synchronization service. For example, the attribute for the employee badge number in Oracle Human Resources may not be of interest to Oracle Internet Directory, its connected directories or client applications. You might not want to synchronize it. On the other hand, the employee identification number may be of interest to those components, so you might want to synchronize it.

Figure 1-2 shows the interactions between components in the Oracle Directory Synchronization Service in a sample deployment.

Figure 1-2 Interactions of the Oracle Directory Synchronization Service

This illustration is described in the text.

The central mechanism triggering all such synchronization activities is the Oracle Internet Directory change log. It adds one or more entries for every change to any connected directory, including Oracle Internet Directory. The Oracle Directory Synchronization Service:

  • Monitors the change log

  • Takes action whenever a change corresponds to one or more synchronization profiles

  • Supplies the appropriate change to all other connected directories whose individual profiles correspond to the logged change. Such directories could include, for example, relational databases, Oracle Human Resources, Microsoft Active Directory, or SunONE Directory Server. It supplies these changes using the interface and format required by the connected directory. Synchronization through the Directory Integration and Provisioning connectors ensures that Oracle Internet Directory remains up-to-date with all the information that Oracle Internet Directory clients need.

About the Oracle Provisioning Service

The Oracle Provisioning Service ensures that each provisioned application is notified of changes in, for example, user or group information. To do this, it relies on the information contained in a provisioning integration profile. Each provisioning profile:

  • Uniquely identifies the application and organization to which it applies

  • Specifies, for example, the users, groups, and operations requiring the application to be notified

The profile must be created when the application is installed, by using the Provisioning Subscription Tool.


See Also:

"The Provisioning Subscription Tool (oidprovtool) Syntax" for information about the Provisioning Subscription Tool

When changes in Oracle Internet Directory match what is specified in the provisioning profile of an application, the Oracle Provisioning Service sends the relevant data to that application.
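The following Python program is an added illustration, not Oracle code, of the mechanism described in the two preceding sections: a change log drives both the synchronization service (one profile per connected directory, with a one-way "source of truth" such as Oracle Human Resources receiving no exports, and with attributes either mapped or ignored) and the provisioning service (one profile per application and organization, matched on entry type and operation). The change log entries, profile structures, attribute maps, DNs and application names are all constructed and simplified for the example; the real profile formats are documented elsewhere in this guide.

```python
from dataclasses import dataclass

# Constructed, simplified model of change-log-driven synchronization and
# provisioning. Illustration only; this is not Oracle's implementation.


@dataclass
class ChangeLogEntry:
    change_number: int      # increases monotonically, as in a directory change log
    target_dn: str
    change_type: str        # "add", "modify" or "delete"
    object_class: str       # simplified: "person" or "groupOfUniqueNames"
    changes: dict           # attribute -> new value; empty for a delete


@dataclass
class SyncProfile:
    """One profile per connected directory (assumed structure)."""
    name: str
    connected_directory: str
    direction: str          # "import" (into OID only), "export" or "both"
    attribute_map: dict     # OID attribute -> connected-directory attribute;
                            # attributes absent from the map are ignored
    last_applied_change: int = 0


@dataclass
class ProvisioningProfile:
    """One profile per application and organization (assumed structure)."""
    application: str
    organization_dn: str
    entry_types: frozenset  # subset of {"user", "group"}
    operations: frozenset   # subset of {"add", "modify", "delete"}
    last_applied_change: int = 0


ENTRY_TYPE_BY_CLASS = {"person": "user", "groupOfUniqueNames": "group"}


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around commas for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn: str, base_dn: str) -> bool:
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def synchronize(changelog, profiles):
    """Replay unprocessed changes to every directory that accepts exports.

    Returns (connected_directory, change_number, change_type, dn, mapped_attrs)
    tuples and advances each profile's checkpoint so a rerun sends nothing twice.
    """
    outbound = []
    for profile in profiles:
        if profile.direction == "import":
            continue                 # one-way source (e.g. HR): never exported to
        for entry in sorted(changelog, key=lambda e: e.change_number):
            if entry.change_number <= profile.last_applied_change:
                continue             # already applied for this profile
            profile.last_applied_change = entry.change_number
            mapped = {profile.attribute_map[a]: v
                      for a, v in entry.changes.items() if a in profile.attribute_map}
            if entry.change_type != "delete" and not mapped:
                continue             # only ignored attributes changed
            outbound.append((profile.connected_directory, entry.change_number,
                             entry.change_type, entry.target_dn, mapped))
    return outbound


def provision(changelog, profiles):
    """Notify each application of the changes its profile subscribes to."""
    notifications = []
    for profile in profiles:
        for entry in sorted(changelog, key=lambda e: e.change_number):
            if entry.change_number <= profile.last_applied_change:
                continue
            profile.last_applied_change = entry.change_number
            entry_type = ENTRY_TYPE_BY_CLASS.get(entry.object_class)
            if (entry_type in profile.entry_types
                    and entry.change_type in profile.operations
                    and is_under(entry.target_dn, profile.organization_dn)):
                notifications.append((profile.application, entry.change_number,
                                      entry_type, entry.change_type, entry.target_dn))
    return notifications


# Constructed sample change log; none of these entries are real directory data.
CHANGELOG = [
    ChangeLogEntry(1, "cn=alice,cn=users,dc=example,dc=com", "add", "person",
                   {"cn": "alice", "mail": "alice@example.com",
                    "employeeNumber": "1001", "badgeNumber": "B-77"}),
    ChangeLogEntry(2, "cn=alice,cn=users,dc=example,dc=com", "modify", "person",
                   {"badgeNumber": "B-78"}),   # ignored attribute only
    ChangeLogEntry(3, "cn=admins,cn=groups,dc=example,dc=com", "add",
                   "groupOfUniqueNames",
                   {"cn": "admins", "uniqueMember": "cn=alice,cn=users,dc=example,dc=com"}),
    ChangeLogEntry(4, "cn=bob,cn=users,dc=example,dc=com", "delete", "person", {}),
    ChangeLogEntry(5, "cn=carol,ou=contractors,dc=other,dc=com", "modify", "person",
                   {"mail": "carol@other.com"}),
]


def build_sync_profiles():
    return [
        SyncProfile("ActiveDirectorySync", "Microsoft Active Directory", "both",
                    {"cn": "cn", "mail": "mail", "employeeNumber": "employeeID"}),
        SyncProfile("OracleHRImport", "Oracle Human Resources", "import",
                    {"cn": "cn", "employeeNumber": "employeeNumber"}),
    ]


def build_provisioning_profiles():
    return [
        ProvisioningProfile("OracleAS Portal", "dc=example,dc=com",
                            frozenset({"user", "group"}),
                            frozenset({"add", "modify", "delete"})),
        ProvisioningProfile("OracleAS Wireless", "dc=example,dc=com",
                            frozenset({"user"}), frozenset({"add", "delete"})),
    ]


def run_demo():
    sync_profiles = build_sync_profiles()
    first_pass = synchronize(CHANGELOG, sync_profiles)
    second_pass = synchronize(CHANGELOG, sync_profiles)   # checkpoint: nothing new
    notes = provision(CHANGELOG, build_provisioning_profiles())
    return first_pass, second_pass, notes


if __name__ == "__main__":
    ops, again, notes = run_demo()
    for op in ops:
        print("sync ->", op)
    print("second pass:", again)
    for note in notes:
        print("provision ->", note)
```

Running the program shows the distinctions Table 1-1 draws: the badge-number modification (change 2) reaches no connected directory because only an ignored attribute changed, yet OracleAS Portal is still notified of it as a user modification; nothing is exported to the import-only Oracle Human Resources profile; the contractor entry outside the application's organization (change 5) is synchronized to Active Directory but triggers no provisioning event; and the per-profile checkpoint means a second pass over the same change log sends nothing twice.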


Note:

A legacy application—that is, one that was operational before the Oracle Provisioning Service was installed—would not have subscribed in the usual way during installation. To enable such an application to receive provisioning information, a provisioning agent, in addition to the provisioning profile, must be developed. The agent must be able to translate the relevant data from Oracle Internet Directory into the exact format required by the legacy application.

Figure 1-3 shows the interactions between components in an Oracle Provisioning Service environment, including the special case of a provisioning agent for a legacy application.

Figure 1-3 Interactions of the Oracle Provisioning Service


Oracle Application Server Single Sign-On

Oracle Application Server Single Sign-On enables users to access Oracle Web-based components by logging in only once.

Oracle components delegate the login function to the OracleAS Single Sign-On server. When a user first logs into an Oracle component, the component redirects the login to the OracleAS Single Sign-On server. The OracleAS Single Sign-On server authenticates the user by verifying the credentials entered by the user against those stored in Oracle Internet Directory. After authenticating the user, and throughout the rest of the session, the OracleAS Single Sign-On server grants the user access to all the components the user both seeks and is authorized to use.


See Also:

Oracle Application Server Single Sign-On Administrator's Guide for information about OracleAS Single Sign-On