Oracle® Identity Management Concepts and Deployment Planning Guide
10g Release 2 (10.1.2) B14084-02
This chapter introduces concepts that deployment planners must understand to effectively deploy identity management. It provides an overview of the Oracle Identity Management architecture, the provisioning lifecycle of applications and users in the Oracle environment, and presents the terms that are commonly used to describe identity management.
This chapter contains the following sections:
The following list defines some important identity management terms and concepts:
Authentication: The process of verifying the identity claimed by an entity based on its credentials.
Authorization: The process of establishing a specific entitlement that is consistent with authorization policies.
Authorization policies: Declarations that define entitlements of a security principal and any constraints related to that entitlement.
Centralized assertion services: Part of the identity management infrastructure that generates identity assertions. OracleAS Single Sign-On is an example of an assertion service that generates identity assertions. OracleAS Certificate Authority is another type of assertion service, because the X.509v3 certificates it generates are assertions about a security principal's identity and its entitlements.
Entitlements: The actions an entity in a network is allowed to perform and the resources to which it is allowed access.
Identity: The set of attributes that uniquely identifies a security principal. A security principal can have many different accounts that it uses to access various applications in the network. These accounts can be identified by these applications using different attributes of this entity. For example, a user can be known in the e-mail service by an e-mail ID, whereas that same user can be known in the human resource application by an employee number. The global set of such attributes constitutes the identity of the entity.
Identity administration: The act of managing information associated with the identity of a security principal. The information can be used by the identity management infrastructure itself to determine administrative privileges.
Identity management policies: Policies affecting the management of identities in an enterprise, including naming policies and security policies.
Identity policy assertion services: A process that generates verifiable assertions about the identity of an entity or its authorizations. Network entities present these assertions to services the entities access.
Metadata repository: An Oracle database used to hold metadata, including identity information.
Policy decision services: A process that interprets any applicable entitlement policies associated with the resources whose access applications secure and control. Some applications rely on decision services that are embedded in the application itself, while others depend on centralized decision services.
Provisioning: The process of providing users with access to applications and other resources that may be available in an enterprise environment. A provisioning-integrated application is an application that has registered for provisioning events and registered a provisioning-integration profile in Oracle Internet Directory. Provisioning-integrated applications are notified whenever relevant changes are applied to Oracle Internet Directory.
Realm: A collection of identities and associated policies which is typically used when enterprises want to isolate user populations and enforce different identity management policies for each population.
Security principals: The subjects of authorization policies, such as users, user groups, and roles. A security principal can be a human or any application entity with an identity in the network and credentials to assert the identity.
This section describes the fundamental concepts of identity management and contains the following topics:
This section provides a framework for understanding the roles of various Oracle Identity Management components and services, and provides a basis for understanding how to create secure application deployments in an enterprise environment.
The application integration model is shown in Figure 2-1.
In this model, the following essential services are performed by the identity management infrastructure:
Administration and provisioning: Provides administration and provisioning services for the identities managed by the identity management infrastructure. In Oracle Identity Management, these services are performed using tools such as Oracle Delegated Administration Services and Oracle Directory Integration and Provisioning.
Policy decision services: Oracle Internet Directory performs policy decision services for the identity management infrastructure itself.
Identity policy assertion services: In Oracle Identity Management these services are performed by OracleAS Single Sign-On and OracleAS Certificate Authority.
Applications deployed against the identity management infrastructure interact with the infrastructure in the following ways:
User authentication: When a user accesses an application, the application validates the user's credentials using the services provided by the identity management infrastructure. The authentication, and the associated communication of its result to the application, is accomplished with the identity policy assertion services. For example, in the case of the Oracle Identity Management infrastructure, this would be validation of the credential, in the form of an encrypted browser cookie, by OracleAS Single Sign-On.
User authorization: Once authenticated, the application must also check if the user has sufficient privileges over resources protected by the application. This check is performed by the application based on identity information managed in the identity management infrastructure. For example, a Java2 Enterprise Edition application uses Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider (OracleAS JAAS Provider) to access user and role information in the Oracle Identity Management infrastructure, after authentication.
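The two interactions just described, authentication by an assertion service followed by an authorization decision made by the application against identity data in the central directory, as an added illustration that is not code from the guide or from Oracle. The model is hypothetical: the HMAC-signed token stands in for the assertion, and the directory snapshot, shared key and policy table are constructed for the example; none of it is the OracleAS Single Sign-On cookie format or the Oracle Internet Directory schema.

```python
# Hypothetical model of the application integration flow: an assertion
# service issues a signed identity assertion, the application verifies it,
# then makes a policy decision from group data in a central directory.
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed: key shared by the assertion service and the application.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed directory snapshot: DN -> attributes. Group membership is the
# identity information the application consults after authentication.
DIRECTORY = {
    "cn=alice,cn=users,dc=example,dc=com": {"uid": "alice"},
    "cn=bob,cn=users,dc=example,dc=com": {"uid": "bob"},
    "cn=finance_admins,cn=groups,dc=example,dc=com": {
        "member": ["cn=alice,cn=users,dc=example,dc=com"],
    },
}

# Constructed authorization policy: resource -> group entitled to it.
# Resources absent from the table are denied to everyone (deny by default).
POLICY = {
    "/finance/ledger": "cn=finance_admins,cn=groups,dc=example,dc=com",
}


def issue_assertion(subject_dn, ttl=300, now=None):
    """Assertion service: bind the subject DN and an expiry under an HMAC."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject_dn, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_assertion(token, now=None):
    """Application side: return the asserted subject DN, or None when the
    token is malformed, carries a bad signature, or has expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["sub"]


def is_authorized(subject_dn, resource):
    """Policy decision: is the subject a member of the group entitled to the resource?"""
    group_dn = POLICY.get(resource)
    if group_dn is None:
        return False
    return subject_dn in DIRECTORY.get(group_dn, {}).get("member", [])


def access(token, resource, now=None):
    """Full flow: authenticate the assertion first, then authorize the subject."""
    subject_dn = verify_assertion(token, now)
    if subject_dn is None:
        return "unauthenticated"
    if not is_authorized(subject_dn, resource):
        return "forbidden"
    return "granted"


if __name__ == "__main__":
    token = issue_assertion("cn=alice,cn=users,dc=example,dc=com")
    print(access(token, "/finance/ledger"))
```

The split of responsibilities is the point: the application never sees a password, only an assertion it can verify, and its own decision is limited to mapping the asserted identity onto group membership held centrally. A forged or expired assertion fails before any policy lookup happens.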
This section provides an overview of the user identity and application provisioning flow in the Oracle environment.
The following describes the provisioning flow shown in Figure 2-2:
Deploy the Oracle Identity Management infrastructure using the product's installation and configuration tools.
Define the identity management security policies. These policies determine what data users and applications can access. They are stored as access control lists (ACLs) in Oracle Internet Directory, and are typically managed using Oracle Directory Manager.
The following activities typically take place on an ongoing basis. Each activity can happen in parallel, and in no particular order.
User identities are provisioned in Oracle Internet Directory. These identities can come from multiple sources: human resources applications, user administration tools (such as the Oracle Internet Directory Self-Service Console), synchronization with other directories, or bulk loading tools.
Groups and roles are administered in Oracle Internet Directory. Groups and group memberships can be defined in a number of ways, such as through the Oracle Internet Directory Self-Service Console or through synchronization with another directory service.
Application instances are deployed against the Oracle Identity Management infrastructure. This typically involves an identity management infrastructure administrator first granting access to the application administrator using the Oracle Internet Directory administration tools. The application administrator uses application installation and configuration tools to create the required directory objects and entries to support the application.
User identities, groups and roles, and applications are associated through the process of application provisioning. This can be performed manually using application administration tools or automatically through provisioning integration.
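The provisioning-integration step above, as an added model that is not code from the guide or from Oracle Directory Integration and Provisioning. Everything in it is hypothetical and constructed for the example: the profile fields (application name, subtree of interest, event types), the event dictionaries, and the dispatcher that stands in for the directory-side publisher.

```python
# Hypothetical model of provisioning integration: applications register a
# profile, the directory publishes change events, and a dispatcher delivers
# each event to the profiles that asked for it.
from dataclasses import dataclass, field


def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies beneath it (case-insensitive)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


@dataclass
class ProvisioningProfile:
    """What an application registers: who it is, which subtree it serves,
    and which change types it wants to be told about."""
    app_name: str
    base_dn: str
    event_types: frozenset
    accounts: dict = field(default_factory=dict)   # application-local account store
    delivered: list = field(default_factory=list)  # audit trail of received events

    def wants(self, event):
        return event["type"] in self.event_types and in_subtree(event["dn"], self.base_dn)

    def handle(self, event):
        """Apply the directory change to the application's own account store."""
        self.delivered.append((event["type"], event["dn"]))
        if event["type"] == "ADD":
            self.accounts[event["dn"]] = dict(event.get("attrs", {}))
        elif event["type"] == "MODIFY":
            if event["dn"] in self.accounts:
                self.accounts[event["dn"]].update(event.get("attrs", {}))
        elif event["type"] == "DELETE":
            self.accounts.pop(event["dn"], None)  # de-provision the account


class ProvisioningDispatcher:
    """Stands in for the directory-side event publisher."""

    def __init__(self):
        self.profiles = []

    def register(self, profile):
        self.profiles.append(profile)
        return profile

    def publish(self, event):
        """Deliver one directory change to every matching profile and
        return the names of the applications that were notified."""
        notified = []
        for profile in self.profiles:
            if profile.wants(event):
                profile.handle(event)
                notified.append(profile.app_name)
        return notified


def run_demo():
    """Provision, update and de-provision one user across two applications."""
    bus = ProvisioningDispatcher()
    users = "cn=users,dc=example,dc=com"
    mail = bus.register(ProvisioningProfile("mail", users, frozenset({"ADD", "MODIFY", "DELETE"})))
    portal = bus.register(ProvisioningProfile("portal", users, frozenset({"ADD", "DELETE"})))
    alice = "cn=alice,cn=users,dc=example,dc=com"
    bus.publish({"type": "ADD", "dn": alice, "attrs": {"mail": "alice@example.com"}})
    bus.publish({"type": "MODIFY", "dn": alice, "attrs": {"mail": "a.smith@example.com"}})
    # A change in another realm is outside both subtrees and is not delivered.
    bus.publish({"type": "ADD", "dn": "cn=eve,cn=users,dc=other,dc=com", "attrs": {}})
    bus.publish({"type": "DELETE", "dn": alice})
    return mail, portal


if __name__ == "__main__":
    for profile in run_demo():
        print(profile.app_name, profile.delivered, profile.accounts)
```

The subtree filter is what keeps realms isolated: an application registered against one realm's user container never learns about identities created in another. The DELETE path is the one worth watching in practice, since an account that survives in an application after its directory identity is gone is exactly the orphan that de-provisioning exists to prevent.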
Oracle Identity Management requires a central repository for enterprise users, groups, and services. Business requirements, however, make it difficult to manage a central repository with a centralized set of administrators.
For example, in a business, the administrator of enterprise user management might be different from that of the e-mail service; the administrator of financials may need full control over the privileges of its users; and the OracleAS Portal administrator may need full control over the Web pages for a specific user or a specific group. To meet the needs of these administrators and satisfy their different security requirements, the identity management system needs delegated administration.
With delegated administration, the management of data inside the identity management system can be distributed to many different administrators depending upon their security requirements. This combination of centralized repository and delegated privileges results in a secure and scalable administration in the identity management infrastructure.
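Delegated administration over a single repository, together with the ACL-based security policies mentioned in the provisioning flow, as an added illustration that is not code from the guide or from Oracle. The model is hypothetical: the ACL tuples, the `self` and `anyone` grantee keywords, the group names and the DNs are constructed for the example and are not Oracle Internet Directory's ACL syntax.

```python
# Hypothetical model of delegated administration: one central directory,
# with administrative rights granted per subtree to different groups, plus
# self-service rights on a principal's own entry.

# Constructed directory snapshot: group DN -> member DNs.
GROUPS = {
    "cn=oid_admins,cn=groups,dc=example,dc=com": {"cn=root,cn=users,dc=example,dc=com"},
    "cn=fin_admins,cn=groups,dc=example,dc=com": {"cn=carol,cn=users,dc=example,dc=com"},
    "cn=mail_admins,cn=groups,dc=example,dc=com": {"cn=dave,cn=users,dc=example,dc=com"},
}

ALL = frozenset({"read", "write", "add", "delete"})

# Constructed ACL: (subtree, grantee, permissions). A grantee is a group DN,
# "self" (the entry that represents the principal itself) or "anyone".
ACL = [
    ("dc=example,dc=com", "cn=oid_admins,cn=groups,dc=example,dc=com", ALL),
    ("cn=financials,cn=apps,dc=example,dc=com", "cn=fin_admins,cn=groups,dc=example,dc=com", ALL),
    ("cn=email,cn=apps,dc=example,dc=com", "cn=mail_admins,cn=groups,dc=example,dc=com", ALL),
    ("cn=users,dc=example,dc=com", "self", frozenset({"read", "write"})),
    ("dc=example,dc=com", "anyone", frozenset({"read"})),
]


def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies beneath it (case-insensitive)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def grantee_matches(grantee, principal_dn, target_dn):
    """Does this ACL grantee cover the principal acting on the target?"""
    if grantee == "anyone":
        return True
    if grantee == "self":
        return principal_dn.lower() == target_dn.lower()
    return principal_dn in GROUPS.get(grantee, set())


def is_permitted(principal_dn, operation, target_dn):
    """Policy decision: grant when some ACL entry covering the target gives
    the principal the operation; otherwise deny by default."""
    for subtree, grantee, perms in ACL:
        if (operation in perms
                and in_subtree(target_dn, subtree)
                and grantee_matches(grantee, principal_dn, target_dn)):
            return True
    return False


def administrative_scope(principal_dn):
    """Subtrees over which the principal holds every permission through a
    group grant, i.e. the extent of its delegated administration."""
    return sorted({
        subtree for subtree, grantee, perms in ACL
        if grantee not in ("self", "anyone")
        and ALL <= perms
        and principal_dn in GROUPS.get(grantee, set())
    })


if __name__ == "__main__":
    carol = "cn=carol,cn=users,dc=example,dc=com"
    print(administrative_scope(carol))
    print(is_permitted(carol, "write", "cn=gl,cn=financials,cn=apps,dc=example,dc=com"))
    print(is_permitted(carol, "write", "cn=inbox,cn=email,cn=apps,dc=example,dc=com"))
```

The financials administrator gets full control of the financials subtree and nothing beyond read access elsewhere, the e-mail administrator likewise for the e-mail subtree, and only the central directory administrators' group is scoped at the root. The deny-by-default fall-through at the end of `is_permitted` is what makes the delegation safe: a subtree that nobody has been explicitly granted is writable by nobody but the central administrators.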
Each of the Oracle technology stacks—Oracle Application Server, Oracle Database, Oracle E-Business Suite, and Oracle Collaboration Suite—supports a security model appropriate for its design. Nevertheless, they all use the Oracle Identity Management infrastructure to implement their respective security models and capabilities, as shown in Figure 2-3.
Oracle Application Server supports a J2EE compliant security service called Java Authentication and Authorization Service (JAAS). JAAS can be configured to use the users and roles defined in Oracle Internet Directory.
Similarly, the metadata repository security capabilities—enterprise user and Oracle Label Security—provide a way to take advantage of users and roles defined in Oracle Internet Directory. Both platforms enable applications built on their respective native security capabilities to transparently leverage the underlying identity management infrastructure.
Oracle E-Business Suite and Oracle Collaboration Suite application stacks are layered over Oracle Database and Oracle Application Server, providing indirect integration with the Oracle Identity Management infrastructure. In addition, these products have independent features that rely on Oracle Identity Management. For example, Oracle Collaboration Suite components, such as Oracle Email and Oracle Voicemail & Fax, use Oracle Internet Directory to manage component-specific user preferences, personal contacts, and address books.
These Oracle technology stacks also use Oracle Directory Integration and Provisioning to automatically provision and de-provision user accounts and privileges. Oracle Delegated Administration Services is used extensively for self-service management of user preferences and personal contacts. In addition, the security management interfaces of these products use the user and group management building blocks called service units.