This chapter describes the architecture and key functionality of the Identity Governance Framework ArisID API (ArisID API). The ArisID API provides enterprise developers and system architects a library for building identity-enabled applications using multiple identity protocols. The ArisID API enables developers to specify requirements for identity attributes, roles, and search filters by using Client Attribute Requirements Markup Language (CARML).
The Identity Governance Framework (IGF) is an open initiative designed to meet the following goals:
To simplify the development of applications that use identity information, regardless of where that information is stored.
To simplify the management (also known as governance) of how applications use identity data, in particular, sensitive data.
As part of this initiative, Oracle has contributed key initial specifications and is making them available to the community. These specifications provide a common framework for defining usage policies, attribute requirements, and developer APIs pertaining to the use of identity related information. These enable businesses to ensure full documentation, control, and auditing regarding the use, storage, and propagation of identity-related data across systems and applications.
Organizations need to maintain control and integrity of sensitive personal information about their customers, employees, and partners. Data related to social security numbers, credit card numbers, medical history and more are increasingly under scrutiny by regulations seeking to prevent abuse or theft of such information. Privacy conscious organizations frequently have reacted to these requirements by enforcing overly strict controls and processes that hinder business operations and impact productivity, flexibility, and efficiency. At the opposite end of the spectrum, some organizations do not take the care needed to safeguard this information, potentially putting identity-related data at risk without sufficient oversight and control. The Identity Governance Framework enables a standards-based mechanism for enterprises to establish "contracts" between their applications so that identity related information can be shared securely with confidence that this data will not be abused, compromised, or misplaced. Using this framework, organizations have complete visibility into how identity information is stored, used, and propagated throughout their business. This enables organizations to automate controls to streamline business processes without fear of compromising the confidentiality of sensitive identity related information.
The Identity Governance Framework is an agreed-upon process for specifying how identity-related data is treated when writing applications. This provides developers a standards-based way to easily write applications that use this data so that governing policies can be used to control it. This will result in faster development of privacy aware applications.
IGF enables the decoupling of identity-aware applications from a specific deployment infrastructure. Specifically, using IGF enables developers to defer deciding on how identity related information will be stored and accessed by their application. Developers will not need to worry about whether they should use a SQL database, an LDAP directory, or other system. In the past, developers were forced to write highly specific code, driving technology and vendor lock-in. By using a Client Attribute Requirement Markup Language (CARML) file and declarations, applications will support flexible deployment in a wide range of environments without the need for ongoing specialized developer enhancements. The ArisID API handles the hard work of data retrieval, transformation, and policy-enforcement when it comes to identity-based information.
The Identity Governance Framework ArisID API represents a common core service through which all identity information exchange should be passed. While not an official name, the ArisID API is often referred to as Identity Beans by developers.
The 11g (11.1.1) release of the ArisID API is a subset of the configuration proposed at:
If you have installed Oracle WebLogic Server and Oracle Identity Management, all the necessary jar files for developing applications with this API are already installed on your computer.
Oracle Fusion Middleware Installation Guide for Oracle Identity Management for information about installing Oracle Identity Management.
Oracle Fusion Middleware Installation Guide for Oracle JDeveloper for information about installing JDeveloper and its extensions.
The Identity Governance Framework open source API jar files are as follows:
openliberty.arisId_1.1.jar — Provides the core ArisID API with library functions and providers that can be used to retrieve identity subjects that contain collections of attributes. For more information, see
org.openliberty.arisIdBeans_1.1.jar — Provides the ArisID beans, which provide Java object abstractions on top of the ArisID API. These convert the transactional approach of the ArisID API to an object or bean approach. For more information, see
The ArisID API jar files are as follows:
idxuserrole.jar — Provides the Standard User and Role identity read-only operations. This jar is generated from the standard idxuserrole.xml CARML file. For more information, see Oracle Fusion Middleware Identity Governance Framework IDXUserRole API Reference.
userrole.jar — Provides the User and Role identity read/write operations for updating identity information. For more information, see Oracle Fusion Middleware Identity Governance Framework UserRole API Reference.
arisId-stack-ovd.jar — This jar file is an implementation of the IAttrSvcStack interface with the Oracle Virtualization library to connect to different backends and provide an abstract view of the identity store entities.
The ArisID beans provide the Java APIs required for initialization and accessing CARML interactions. The bean generator generates a set of Java files for each entity in the CARML file using Apache Velocity. The CARML file is a declarative document that describes the attribute usage requirements of your application. The ArisID beans are in the jar files idxuserrole.jar and userrole.jar. If the standard ArisID beans do not meet your needs, you can generate new ArisID beans by creating a CARML file and using the bean generator in the Identity Governance Framework ArisID extension to JDeveloper.
The following figure provides a high-level view of the ArisID API architecture.
The Identity Governance Framework ArisID extension supports the basic development process Create > Modify > Test > Deploy. Creation requires starting a new JDeveloper project and creating CARML files. Use the CARML editor to modify the CARML XML files to suit your environment. Testing the application can be done in Oracle WebLogic Server embedded LDAP directory server.
Determine whether the existing ArisID beans meet your application's needs by examining the CARML files idxuserrole.xml (read-only operations) and userrole.xml (read-only and read/write operations). These files are located in DOMAIN_HOME/config/fmwconfig/carml. If you need additional attributes or other customizations, create a new CARML file and generate beans as described in Chapter 3, "Developing Applications".
The identity repository to be used by the ArisID beans must be available. You can use the Oracle WebLogic Server embedded LDAP-based directory server or any LDAP directory supported by 11g Oracle Virtual Directory. The ArisID API is integrated with Oracle Platform Security Services and automatically connects to the LDAP-based identity store configured there. For information about the identity stores supported by Oracle Platform Security Services, and about system requirements and certification, see "System Requirements and Certification".
For more information about Oracle Platform Security Services, see Oracle Fusion Middleware Application Security Guide.
If you must use a different identity store from the Oracle Platform Security Services identity store, then set the following system property:
Next, edit the adapters.os_xml file to include the port and credentials of the directory to be connected to. The igf.ovd.config.dir property can be set to any other directory containing adapters.os_xml and other configuration files with the right settings.
Role.MEMBER is a mandatory attribute for the following APIs:
createRole(List<PropertyValue> attrVals, Map<String,Object> appCtxMap)
If Role.MEMBER is not included in the input attrVals list, role creation will fail.
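The following added example (not code from the Oracle documentation or the ArisID project) shows one way to guard the createRole call above so that a missing Role.MEMBER is caught before the API is invoked. It assumes the Role bean lives in oracle.igf.userrole, that PropertyValue is org.openliberty.arisid.PropertyValue with a (String attrName, Object value) constructor and a getName() accessor, and that Role.MEMBER and Role.NAME are String attribute-name constants; all of these are assumptions, not facts taken from this page.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Assumed packages: the page names the Role bean (userrole.jar) and the
// PropertyValue parameter type of createRole, but not where they live.
import oracle.igf.userrole.Role;
import org.openliberty.arisid.PropertyValue;

/** Builds the attrVals list for createRole and refuses to call the API without Role.MEMBER. */
public final class RoleCreator {

    /** Returns true if at least one Role.MEMBER value is present in attrVals. */
    static boolean hasMember(List<PropertyValue> attrVals) {
        for (PropertyValue pv : attrVals) {
            // Assumption: getName() returns the attribute name the value was built with.
            if (Role.MEMBER.equals(pv.getName())) {
                return true;
            }
        }
        return false;
    }

    /** Creates a role named roleName whose members are the given DNs (hypothetical helper). */
    static Role createRoleWithMembers(String roleName, List<String> memberDns) throws Exception {
        List<PropertyValue> attrVals = new ArrayList<>();
        // Assumption: Role.NAME is the naming attribute constant of the Role bean.
        attrVals.add(new PropertyValue(Role.NAME, roleName));
        for (String dn : memberDns) {
            attrVals.add(new PropertyValue(Role.MEMBER, dn));
        }
        // The page states createRole fails when Role.MEMBER is absent; fail early
        // with a clear message instead of surfacing an opaque provider error.
        if (!hasMember(attrVals)) {
            throw new IllegalArgumentException(
                "Role.MEMBER is mandatory for createRole; supply at least one member DN");
        }
        // Application context map; empty here because the page does not describe its keys.
        Map<String, Object> appCtxMap = new HashMap<>();
        return Role.createRole(attrVals, appCtxMap);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: one member DN from a hypothetical directory.
        List<String> members = List.of("cn=jdoe,ou=people,dc=example,dc=com");
        Role created = createRoleWithMembers("auditors", members);
        System.out.println("created role: " + created);
    }
}
```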
When a CARML file is created, a corresponding mapping file is created in the same location. The default mapping file has attribute details specific to the Oracle WebLogic Server embedded directory server, which is the Oracle Platform Security Services default identity store. If you are using a default CARML file and the Oracle Platform Security Services identity store, you do not need to configure mapping. The configuration parameters in Oracle Platform Security Services override the parameters in the mapping file.
If you are creating your own CARML file with additional attributes, or if you are using a non-Oracle Platform Security Services identity store, you must edit the mapping file. For more information, see Chapter 3, "Developing Applications".
Refer to the system requirements and certification documentation for information about hardware and software requirements, platforms, databases, and other information. Both of these documents are available on Oracle Technology Network (OTN).
The system requirements document covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches:
The certification document covers supported installation types, platforms, operating systems, databases, JDKs, and third-party products: