Oracle Access Management provides an enterprise-level security platform, which comprises Oracle Access Manager and many incorporated services including (but not limited to) Identity Federation and Identity Context.
The following topics provide a high-level overview of the Oracle Access Management architecture and services:
Oracle Access Management is a Java, Enterprise Edition (Java EE)-based enterprise-level security application that provides a full range of Web-perimeter security functions and Web single sign-on services including identity context, authentication and authorization; policy administration; testing; logging; auditing; and more.
It leverages shared platform services including session management, Identity Context, risk analytics, and auditing, and provides restricted access to confidential information. Many existing access technologies in the Oracle Identity Management stack converge in the Oracle Access Management stack as illustrated in Figure 1-1.
Figure 1-1 Oracle Access Management Overview
Oracle Access Management includes these services.
Oracle Access Management Access Manager (Access Manager) is described in "Understanding Oracle Access Management Access Manager" and the following parts of this guide.
Oracle Access Management Identity Federation (Identity Federation) provides cross-domain single sign-on support using open federation protocol standards such as SAML and OpenID. This Identity Federation service includes a streamlined user interface and administration experience. For more information, see the chapters listed in Managing Oracle Access Management Identity Federation.
The Adaptive Authentication Service is a One Time Password (OTP) authenticator that provides multifactor authentication in addition to standard user name and password authentication. It provides a framework for adding a custom second-factor authentication processor that accepts a PIN from a user. For more information, see the chapters listed in Managing the Adaptive Authentication Service and Oracle Mobile Authenticator.
OAuth Services allows organizations to implement the open OAuth 2.0 Web authorization protocol in an Access Manager environment. OAuth Services enables a client to access resources protected by Access Manager that belong to another resource owner. An OAuth client can be an application or service created and controlled by your organization, or it can be an application or service created and controlled by another organization that requires access to resources protected by Access Manager. For more information, see the chapters listed in Managing the Oracle Access Management OAuth Service.
Identity Context provides context-aware security policy management that enables Administrators to control the level of security imposed in an application delivery environment through security frameworks provided by Oracle Identity Management. For more information, see the chapters listed in Using Identity Context.
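The OAuth Services description above names three parties: the client, the resource owner whose resources are being accessed, and the Access Manager environment that protects them. The following is an added example, not Oracle code and not OAM's OAuth endpoints, that simulates the OAuth 2.0 authorization code exchange between those parties in one process. The authorization server stands in for the role OAuth Services plays; the client IDs, secrets, redirect URIs, scope name and the hypothetical resource server are constructed for the example. It shows the checks a practitioner expects the authorization server to make that the prose does not spell out: the redirect URI is bound to the registered client and to the code, the code is single use and short-lived, the client secret is compared in constant time, and the resource server enforces both scope and resource ownership.

```python
"""Simulated OAuth 2.0 authorization code flow (added example; not OAM code).
All client identifiers, secrets, redirect URIs and scopes below are constructed
for illustration and are not Oracle defaults."""
import hmac
import secrets
import time


class AuthorizationServer:
    """Plays the authorization-server role that OAuth Services fills in OAM."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> (client_id, user, scope, redirect_uri, expiry)
        self.tokens = {}    # access_token -> (user, scope, expiry)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, user, consent):
        """Resource owner 'user' grants (or refuses) the client access; returns a code."""
        registered = self.clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not consent:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(24)
        # Code is bound to client, redirect_uri and owner, and expires in 60 s
        self.codes[code] = (client_id, user, scope, redirect_uri, time.time() + 60)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Client exchanges the code (plus its own credentials) for an access token."""
        entry = self.codes.pop(code, None)          # single use: gone after first attempt
        registered = self.clients.get(client_id)
        if entry is None or registered is None or not hmac.compare_digest(
                registered[0], client_secret):
            raise PermissionError("invalid_client_or_grant")
        code_client, user, scope, code_redirect, expiry = entry
        if code_client != client_id or code_redirect != redirect_uri or time.time() > expiry:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (user, scope, time.time() + 3600)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": scope}

    def introspect(self, access_token):
        """Resource server asks whether a presented token is live and what it carries."""
        entry = self.tokens.get(access_token)
        if entry is None or time.time() > entry[2]:
            return {"active": False}
        return {"active": True, "username": entry[0], "scope": entry[1]}


class ResourceServer:
    """Hypothetical protected resource: a profile that belongs to one resource owner."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_profile(self, access_token, owner):
        info = self.auth_server.introspect(access_token)
        if not info["active"] or "profile.read" not in info["scope"].split():
            return 401, None                      # no live token with the needed scope
        if info["username"] != owner:
            return 403, None                      # token is for a different owner
        return 200, {"owner": owner, "email": f"{owner}@example.com"}


def run_flow():
    """Happy path plus the two abuses a reviewer checks first; returns the outcomes."""
    srv = AuthorizationServer()
    srv.register_client("app1", "s3cret-constructed", "https://app.example/cb")
    rs = ResourceServer(srv)
    code = srv.authorize("app1", "https://app.example/cb", "profile.read", "alice", True)
    tok = srv.token("app1", "s3cret-constructed", code, "https://app.example/cb")
    status_alice, _ = rs.get_profile(tok["access_token"], "alice")
    status_bob, _ = rs.get_profile(tok["access_token"], "bob")
    try:                                          # replaying the code must fail
        srv.token("app1", "s3cret-constructed", code, "https://app.example/cb")
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    code2 = srv.authorize("app1", "https://app.example/cb", "profile.read", "alice", True)
    try:                                          # redirect_uri swap at the token step
        srv.token("app1", "s3cret-constructed", code2, "https://evil.example/cb")
        redirect_blocked = False
    except PermissionError:
        redirect_blocked = True
    return {"alice": status_alice, "bob": status_bob,
            "replay_blocked": replay_blocked, "redirect_blocked": redirect_blocked}


if __name__ == "__main__":
    print(run_flow())
```

The resource server never trusts the bearer token on its own; it introspects it and then applies its own ownership check, which is the "belong to another resource owner" part of the passage. Anyone adapting this to a real deployment replaces the in-memory dictionaries with OAM's OAuth Services and keeps the same checks at the client and resource-server ends.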
Oracle Access Management Access Manager (Access Manager) is the former (standalone) product named Oracle Access Manager. Access Manager provides the Oracle Fusion Middleware single sign-on (SSO) solution. It operates independently or with the Access Manager Authentication Provider.
Access Manager SSO allows users and groups to access multiple applications after authentication, eliminating the need for multiple sign-on requests. To enable SSO, a Web server, Application Server, or any third-party application must be protected by a WebGate that is registered as an agent with Access Manager. Administrators then define authentication and authorization policies to protect the resource. To enforce these authentication policies, the agent acts as a filter for HTTP requests.
WebGates are agents provided for various Web servers by Oracle as part of the product. Custom access clients, created using the Access Manager SDK, can be used with non-Web applications. Unless explicitly stated, information in this book applies equally to both.
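The two paragraphs above describe the enforcement model: a registered agent (WebGate or SDK access client) filters each HTTP request, authentication is checked before authorization, and the policies live with Access Manager rather than in the agent. The following is an added illustrative model, not Oracle code and not the WebGate implementation, that makes that sequence concrete. It collapses OAM's separate authentication and authorization policies into one hypothetical Policy record, uses a numeric authentication level and group membership as the policy content (both assumptions for the example), and denies requests that match no policy, a default the page does not specify.

```python
"""Illustrative model of an agent filtering requests against access policies.
Added example; not OAM or WebGate code. Policy shapes, levels and paths are
constructed for the example."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional, Set


@dataclass
class Policy:
    pattern: str                        # resource URL pattern, e.g. "/hr/*"
    auth_level: int                     # required authentication level; 0 = public
    allowed_groups: Set[str] = field(default_factory=set)   # empty = any authenticated user


@dataclass
class Session:
    user: str
    groups: Set[str]
    auth_level: int                     # level the user actually authenticated at


class Agent:
    """Registered agent: intercepts requests and evaluates them against the policy set."""

    def __init__(self, policies, deny_on_not_protected=True):
        self.policies = policies
        self.deny_on_not_protected = deny_on_not_protected

    def match(self, path) -> Optional[Policy]:
        # Most specific (longest) matching pattern wins, so "/hr/payroll/*" beats "/hr/*"
        hits = [p for p in self.policies if fnmatchcase(path, p.pattern)]
        return max(hits, key=lambda p: len(p.pattern), default=None)

    def filter(self, path, session: Optional[Session]):
        """Return (decision, HTTP status) for one request."""
        policy = self.match(path)
        if policy is None:
            # Resource defined in no policy: deny by default (assumption, see lead-in)
            return ("deny", 403) if self.deny_on_not_protected else ("allow", 200)
        if policy.auth_level == 0:
            return ("allow", 200)       # public resource, no session needed
        # Authentication policy first: no session, or one authenticated at too low a
        # level, sends the user to login (step-up) before any authorization check
        if session is None or session.auth_level < policy.auth_level:
            return ("redirect-to-login", 302)
        # Authorization policy second: group membership, if the policy restricts it
        if policy.allowed_groups and not (policy.allowed_groups & session.groups):
            return ("deny", 403)
        return ("allow", 200)


# Constructed policy set for the example
EXAMPLE_POLICIES = [
    Policy("/public/*", 0),
    Policy("/hr/*", 1, {"employees"}),
    Policy("/hr/payroll/*", 2, {"payroll-admins"}),
]


def evaluate(path, session, deny_on_not_protected=True):
    """Convenience wrapper around Agent.filter using the constructed policy set."""
    return Agent(EXAMPLE_POLICIES, deny_on_not_protected).filter(path, session)


if __name__ == "__main__":
    alice = Session("alice", {"employees"}, 1)
    for p in ("/public/index.html", "/hr/home", "/hr/payroll/run", "/unlisted"):
        print(p, evaluate(p, None), evaluate(p, alice))
```

The ordering matters in practice: evaluating group membership before confirming the session would leak whether a path exists and which groups it requires to an unauthenticated caller, so the model only reaches the authorization step with an authenticated session of sufficient level.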
You can also integrate any Web applications currently using Oracle ADF Security and the OPSS SSO Framework with Access Manager. (See Integrating Oracle ADF Applications with Access Manager SSO.) The following sections contain more details on Access Manager.
Authentication Basics in Securing Applications with Oracle Platform Security Services
Access Manager sits on an instance of Oracle WebLogic Server and is part of the Oracle Fusion Middleware Access Management architecture.
Figure 1-2 illustrates the primary Access Manager components and services. The Protocol Compatibility Framework interfaces with OAM WebGates, and custom Access Clients created using the Access Manager Software Developer Kit (SDK).
This section does not illustrate or discuss all Access Manager components.
Figure 1-2 Access Manager Components and Services
Figure 1-3 illustrates the distribution of Access Manager components.
Figure 1-3 Access Manager Component Distribution
The Oracle Access Management Console resides on the Oracle WebLogic Administration Server (referred to as AdminServer). WebLogic Managed Servers hosting OAM runtime instances are known as OAM Servers. Information shared between the two includes:
Agent and server configuration data
Access Manager policies
Session data (shared among all OAM Servers)
Policy Manager Console can optionally be deployed on the WebLogic Managed Servers. See Oracle Access Management Console and the Policy Manager Console for details.
Your enterprise may have more than one Oracle Access Manager deployment. Irrespective of the deployment size, the configuration wizard installs various components in a newly created WebLogic Server domain.
Table 1-1 describes the types of deployments in which Access Manager might be installed by your enterprise.
Table 1-1 Access Manager Deployment Types
Ideally a sandbox-type setting where the dependency on the overall deployment is minimal
Typically a smaller shared deployment used for testing
Typically a shared deployment used for testing with a wider audience
Fully shared and available within the enterprise on a daily basis
During initial installation and configuration of Access Manager in your deployment, you create a new WebLogic Server domain (or extend an existing domain). Regardless of the deployment size or type, in a new WebLogic Server domain, the following components are installed using the Oracle Fusion Middleware Configuration Wizard.
WebLogic Administration Server
In an existing WebLogic Server domain, the WebLogic Administration Server is already installed and operational.
Oracle Access Management Console deployed on the WebLogic Administration Server
A WebLogic Managed Server for Oracle Access Management services
Application deployed on the Managed Server
Understanding Oracle WebLogic Server Domains in Understanding Domain Configuration for Oracle WebLogic Server
Once the domain is configured, additional details are defined for OAM Servers, Database Schemas, (optional) WebLogic Managed Servers and clusters, and the following store types:
Policy Store: The default policy store is file-based for development and demonstration purposes, and is not supported in production environments. All policy operations and configurations are performed directly on the database configured as the policy store in production environments.
Identity Store: The default Embedded LDAP data store is set as the primary user identity store for Access Manager.
Keystore: A Java keystore holds the certificates used for Simple or Certificate-based communication between OAM Servers and WebGates during authorization. The keystore bootstrap also occurs on the initial AdminServer startup after running the Configuration Wizard.
Ensure that your environment meets the system requirements, such as hardware and software, minimum disk space, memory, and required system libraries, packages, or patches, before performing any installation.
Refer to the system requirements and certification documentation on Oracle Technology Network (OTN) for information about hardware and software requirements, platforms, databases, and other information.
The system requirements document covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches:
The certification document covers supported installation types, platforms, operating systems, databases, JDKs, and third-party products:
Using the Oracle Fusion Middleware Configuration Wizard deploy components for a new domain and perform post-installation tasks.
The following sections contain information and links regarding Access Manager installation and post-installation tasks.
The Oracle Fusion Middleware Supported System Configurations document provides certification information on supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to the Oracle Identity Management release covered by this guide.
You can access the Oracle Fusion Middleware Supported System Configurations document by searching the Oracle Technology Network (OTN) Web site using the document name.
Using the Oracle Fusion Middleware Configuration Wizard, the following components are deployed for a new domain:
WebLogic Administration Server
Oracle Access Management Console deployed on the WebLogic Administration Server (sometimes referred to as the OAM Administration Server, or simply AdminServer)
A Managed Server for Oracle Access Management
An application deployed on the Managed Server
See About the Oracle Identity and Access Management Installation in Installing and Configuring Oracle Identity and Access Management for details on installation.
During initial deployment, the WebLogic Administrator user ID and password are set for use when signing in to both the Oracle Access Management Console and the WebLogic Server Administration Console. A different Administrator can be assigned for Oracle Access Management, as described in "About Oracle Access Management Administrators". Administrators can log in and use the Oracle Access Management Console for the post-installation tasks documented in Table 1-2.
Table 1-2 Oracle Access Management Post-Installation Tasks
Enable Access Manager Service
Configure Access Manager settings