1 Introducing Oracle Access Management
Oracle Access Management provides an enterprise-level security platform, which comprises Oracle Access Manager and many incorporated services including (but not limited to) Identity Federation and Identity Context.
The following topics provide a high-level overview of the Oracle Access Management architecture and services:
1.1 Understanding Oracle Access Management Services
Oracle Access Management is a Java, Enterprise Edition (Java EE)-based enterprise-level security application that provides a full range of Web-perimeter security functions and Web single sign-on services including identity context, authentication and authorization; policy administration; testing; logging; auditing; and more.
It leverages shared platform services including session management, Identity Context, risk analytics, and auditing, and provides restricted access to confidential information. Many existing access technologies in the Oracle Identity Management stack converge in the Oracle Access Management stack as illustrated in Figure 1-1.
Figure 1-1 Oracle Access Management Overview
Oracle Access Management includes these services:
- Oracle Access Management Access Manager (Access Manager) is described in "Understanding Oracle Access Management Access Manager" and the following parts of this guide.
- Oracle Access Management Identity Federation (Identity Federation) provides cross-domain single sign-on support using open federation protocol standards such as SAML and OpenID. This Identity Federation service includes a streamlined user interface and administration experience. For more information, see the chapters listed in Managing Oracle Access Management Identity Federation.
- The Adaptive Authentication Service is a One Time Password Authenticator that provides multifactor authentication in addition to the standard user name and password type authentication. It provides a framework for adding a custom second-factor authentication processor that accepts a PIN from a user. For more information, see the chapters listed in Managing the Adaptive Authentication Service and Oracle Mobile Authenticator.
- OAuth Services allows organizations to implement the open OAuth 2.0 Web authorization protocol in an Access Manager environment. OAuth Services enables a client to access resources protected by Access Manager that belong to another resource owner. An OAuth client can be an application or service created and controlled by your organization, or it can be an application or service created and controlled by another organization that requires access to resources protected by Access Manager. For more information, see the chapters listed in Managing the Oracle Access Management OAuth Service and OpenIDConnect.
- Identity Context provides context-aware security policy management that enables Administrators to control the level of security imposed in an application delivery environment through security frameworks provided by Oracle Identity Management. For more information, see the chapters listed in Using Identity Context.
1.2 Understanding Oracle Access Management Access Manager
Oracle Access Management Access Manager (Access Manager) is the former (standalone) product named Oracle Access Manager. Access Manager provides the Oracle Fusion Middleware single sign-on (SSO) solution. It operates independently or with the Access Manager Authentication Provider.
Access Manager SSO allows users and groups to access multiple applications after authentication, eliminating the need for multiple sign-on requests. To enable SSO, a Web server, Application Server, or any third-party application must be protected by a WebGate that is registered as an agent with Access Manager. Administrators then define authentication and authorization policies to protect the resource. To enforce these authentication policies, the agent acts as a filter for HTTP requests.
Note:
WebGates are agents provided for various Web servers by Oracle as part of the product. Custom access clients, created using the Access Manager SDK, can be used with non-Web applications. Unless explicitly stated, information in this book applies equally to both.
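The enforcement flow just described, modelled as an added example that is not Oracle's code: a registered agent filters each HTTP request against an authentication policy (is there a valid SSO session?) and an authorization policy (does the session's user hold a required group?), with one session store shared by all servers. Cookie name, agent IDs, resource patterns and group names are constructed for the example.

```python
from dataclasses import dataclass
import fnmatch
import secrets

# Constructed names: the cookie, agents, resource patterns and groups are made up.
COOKIE = "SSO_SESSION"
REGISTERED_AGENTS = {"wg-hr", "wg-finance"}   # WebGates registered with Access Manager


@dataclass
class Policy:
    pattern: str                      # resource the policy protects (fnmatch-style)
    groups: frozenset = frozenset()   # authz: allowed groups; empty = any authenticated user


@dataclass
class Session:
    user: str
    groups: frozenset
    expires: float                    # epoch seconds


POLICIES = [
    Policy("/hr/*", frozenset({"hr-staff"})),
    Policy("/finance/*", frozenset({"finance"})),
    Policy("/portal/*"),
]
SESSION_STORE = {}   # one store, shared by every OAM Server in the model


def establish_session(user, groups, now, ttl=3600.0):
    """Models the OAM Server creating an SSO session after authentication;
    the returned token is the cookie value the browser sends on later requests."""
    token = secrets.token_hex(16)
    SESSION_STORE[token] = Session(user, frozenset(groups), now + ttl)
    return token


def webgate_filter(agent_id, path, cookies, now):
    """Decision the WebGate filter takes for one HTTP request."""
    if agent_id not in REGISTERED_AGENTS:
        return "agent-not-registered"     # only a registered agent can enforce policy
    policy = next((p for p in POLICIES if fnmatch.fnmatch(path, p.pattern)), None)
    if policy is None:
        return "allow"                    # no policy covers this resource
    sess = SESSION_STORE.get(cookies.get(COOKIE, ""))
    if sess is None or sess.expires <= now:
        return "redirect-to-oam-login"    # authentication policy: no valid SSO session
    if policy.groups and not (policy.groups & sess.groups):
        return "forbidden"                # authorization policy: required group missing
    return "allow"
```

Because the session store is shared, a session established through one WebGate is honoured by a second WebGate for a different application, which is the SSO behaviour the text describes.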
You can also integrate any Web applications currently using Oracle ADF Security and the OPSS SSO Framework with Access Manager. (See Integrating Oracle ADF Applications with Access Manager SSO.) The following sections contain more details on Access Manager.
See Also:
Authentication Basics in Securing Applications with Oracle Platform Security Services
1.2.1 About Components in Access Manager
Access Manager sits on an instance of Oracle WebLogic Server and is part of the Oracle Fusion Middleware Access Management architecture.
Figure 1-2 illustrates the primary Access Manager components and services. The Protocol Compatibility Framework interfaces with OAM WebGates, and custom Access Clients created using the Access Manager Software Developer Kit (SDK).
Note:
This section does not illustrate or discuss all Access Manager components.
Figure 1-2 Access Manager Components and Services
Figure 1-3 illustrates the distribution of Access Manager components.
Figure 1-3 Access Manager Component Distribution
The Oracle Access Management Console resides on the Oracle WebLogic Administration Server (referred to as AdminServer). WebLogic Managed Servers hosting OAM runtime instances are known as OAM Servers. Information shared between the two includes:
- Agent and server configuration data
- Access Manager policies
- Session data (shared among all OAM Servers)
Policy Manager Console can optionally be deployed on the WebLogic Managed Servers. See Oracle Access Management Console and the Policy Manager Console for details.
1.2.2 Understanding Access Manager Deployments
Your enterprise may have more than one Oracle Access Manager deployment. Irrespective of the deployment size, the configuration wizard installs various components in a newly created WebLogic Server domain.
Table 1-1 describes the types of deployments in which Access Manager might be installed by your enterprise.
Table 1-1 Access Manager Deployment Types
Deployment Type | Description |
---|---|
Development Deployment | Ideally a sandbox-type setting where the dependency on the overall deployment is minimal |
QA Deployment | Typically a smaller shared deployment used for testing |
Pre-production Deployment | Typically a shared deployment used for testing with a wider audience |
Production Deployment | Fully shared and available within the enterprise on a daily basis |
During initial installation and configuration of Access Manager in your deployment, you create a new WebLogic Server domain (or extend an existing domain). Regardless of the deployment size or type, in a new WebLogic Server domain, the following components are installed using the Oracle Fusion Middleware Configuration Wizard:
- WebLogic Administration Server
  Note:
  In an existing WebLogic Server domain, the WebLogic Administration Server is already installed and operational.
- Oracle Access Management Console deployed on the WebLogic Administration Server
- A WebLogic Managed Server for Oracle Access Management services
- Application deployed on the Managed Server
See Also:
Understanding Oracle WebLogic Server Domains in Understanding Domain Configuration for Oracle WebLogic Server
Once the domain is configured, additional details are defined for OAM Servers, Database Schemas, (optional) WebLogic Managed Servers and clusters, and the following store types:
- Policy Store: The default policy store is file-based for development and demonstration purposes, and is not supported in production environments. In production environments, all policy operations and configurations are performed directly on the database configured as the policy store.
- Identity Store: The default Embedded LDAP data store is set as the primary user identity store for Access Manager.
- Keystore: A Java keystore is configured to hold the certificates used for Simple or Certificate-based communication between OAM Servers and WebGates during authorization. The keystore bootstrap also occurs on the initial AdminServer startup after running the Configuration Wizard.
1.3 System Requirements and Certification
Ensure that your environment meets the system requirements, such as hardware and software, minimum disk space, memory, and required system libraries, packages, or patches, before performing any installation.
Refer to the system requirements and certification documentation on Oracle Technology Network (OTN) for information about hardware and software requirements, platforms, databases, and other information.
The system requirements document covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html
The certification document covers supported installation types, platforms, operating systems, databases, JDKs, and third-party products:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
1.4 Understanding Oracle Access Management Installation
Use the Oracle Fusion Middleware Configuration Wizard to deploy components for a new domain, then perform the post-installation tasks.
The following sections contain information and links regarding Access Manager installation and post-installation tasks.
1.4.1 About Oracle Access Management Installation
The Oracle Fusion Middleware Supported System Configurations document provides certification information on supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to Oracle Identity Management 12.2.1.3.0.
You can access the Oracle Fusion Middleware Supported System Configurations document by searching the Oracle Technology Network (OTN) Web site using the document name, or click the link below.
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
Using the Oracle Fusion Middleware Configuration Wizard, the following components are deployed for a new domain:
- WebLogic Administration Server
- Oracle Access Management Console deployed on the WebLogic Administration Server (sometimes referred to as the OAM Administration Server, or simply AdminServer)
- A Managed Server for Oracle Access Management
- An application deployed on the Managed Server
See About the Oracle Identity and Access Management Installation in Installing and Configuring Oracle Identity and Access Management for details on installation.
1.4.2 About Oracle Access Management Post-Installation Tasks
During initial deployment, the WebLogic Administrator user ID and password are set for use when signing in to both the Oracle Access Management Console and the WebLogic Server Administration Console. A different Administrator can be assigned for Oracle Access Management, as described in "About Oracle Access Management Administrators". Administrators can log in and use the Oracle Access Management Console for the post-installation tasks documented in Table 1-2.
Table 1-2 Oracle Access Management Post-Installation Tasks
Service | Requirements |
---|---|
Access Manager | Enable Access Manager Service; Register:; Configure:; Configure Access Manager settings |
Identity Federation | |