Kerry Osborne Senior Oracle Guy


Upload: harris

Post on 02-Feb-2016


Page 1: Kerry Osborne Senior Oracle Guy

Kerry Osborne

Senior Oracle Guy

Page 2

Caveats

The opinions expressed are mine …

I’m an old guy

I am biased towards Oracle technology

I have not drunk too much of the Kool-Aid

Page 3

Why Identity Management?

My Totally Unscientific Survey

~40 companies

~90% public

~40% over $1B

~95% are interested in Identity Management

Page 4

Why Identity Management?

Users are frustrated

SOX is Scary

Need to Reduce Costs

It’s Complicated

Page 5

Why Oracle Identity Management?

[Diagram labels: Oracle Identity Management; OID; Oracle Database]

Page 6

Oracle Internet Directory (OID)

v3 compliant LDAP server

Built on Oracle Database

Scalable

Performant

Highly Available

Page 7

Speaking of eggs

Is it better to have all your eggs in one basket, or not?

Page 8

Squirrel and Fort Knox

Page 9

Squirrel and Fort Knox

Squirrel’s Approach

He puts nuts in lots of places.

They are totally insecure.

Therefore, he needs lots of holes.

He has lots of nuts.

Therefore, he doesn’t care if he loses some.

Fort Knox Approach

Put all the gold bullion in one place and lock it down.

Can’t afford to lose any.

Not enough manpower to guard many locations.

Page 10

Back to the Future

Traditional Database Systems

Usually authenticated by the database

Yielded lots of silos

Usually not directly associated with a person

Page 11

Two Common Security Models

Every user has his own database account

Full access to base tables must be granted

Access to ad-hoc tools must be limited

Can make use of advanced Oracle features

OR

Users log on to a proxy account

Better approach generally (see caveat 1.0)

Not necessary for user to know the actual account

Easier to convert to centralized authentication

Page 12

Case Study #1

Document Management / Workflow Application

Problem:

Build a document management system capable of handling millions of documents from paper to searchable XML database.

The application should support multiple groupings of users with multiple responsibilities.

Provide a very flexible routing/approval infrastructure.

Page 13

Case Study #1

Architecture:

Oracle Database using Oracle Text

Java application to access the final database

Oracle Forms

Oracle Workflow

Page 14

Case Study #1

Solution:

Use proxy security model whereby all users log on to a common database account.

Use OID for authentication

Create a table of users

Synchronize application users table with OID via triggers

No need for password field in users table

Create view of users table for Workflow

Page 15

Case Study #1

[Diagram labels: App_users (Username, Email); Workflow_users (Username, Email); Database Trigger; Workflow_users_view; Forms; App; Authentication; Workflow; OID/SSO]

Page 16

Case Study #2

Consolidation of Security Models / Authentication

Problem:

Numerous custom Oracle-based applications, all with their own security components, make compliance with government regulations difficult.

Architecture:

Numerous applications all accessing Oracle.

Each application uses individual database account security model.

The applications use database roles for security.

The client uses Oracle’s Internal Controls Management product.

The client plans to implement Oracle Financials.

Page 17

Case Study #2

Solution:

Convert custom applications to “Bolt On” applications in Oracle Financials.

Provides a common security model

Provides auditing capability

Provides a common user interface

Provides out of the box integration with OID/SSO

Page 18

Case Study #2

[Diagram labels: Fin Apps; Apps (GL, AP, XX1, XX2, …); Responsibilities (AP Clerk, AP Super User, XX1 Clerk, XX1 Super User, …); XX1 (Users, Roles, Menus); XX2 (Users, Roles, Menus); Users (GL_User1, AP_User1, XX1_User1, XX1_User2, …); OID/SSO]

Page 19

Case Study #3

Active Directory Sync / .Net Application

Problem:

The users wish to have centralized authentication

This will provide users with access to the application, whether they are defined in AD, OID or the application.

Architecture:

.Net application

The application uses the Proxy Security Model with an internal table of application users.

Page 20

Case Study #3

Solution:

Use OID as the central repository

Synchronize OID with AD and the Internal Users Table

AD sync accomplished with DIP on timed basis

Database users table sync is bi-directional

  To OID via database triggers

  From OID with timed job using function based view (ldap search)
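
The trigger-based push from the application users table to OID named in Case Study #1 and Case Study #3, as an added example that is not from the original slides: a PL/SQL procedure and row trigger built on Oracle's DBMS_LDAP package. The names push_user_to_oid, app_users_to_oid and the sync_cfg settings package are hypothetical, and the App_users columns (username, email, assumed NOT NULL) are taken from the Case Study #1 diagram.

```sql
-- Added example. Hypothetical names: push_user_to_oid, app_users_to_oid, and the
-- sync_cfg package (functions host, port, bind_dn, bind_password, user_base).
CREATE OR REPLACE PROCEDURE push_user_to_oid (
  p_username IN VARCHAR2,
  p_email    IN VARCHAR2
) AS
  l_session DBMS_LDAP.session;
  l_attrs   DBMS_LDAP.mod_array;
  l_vals    DBMS_LDAP.string_collection;
  l_rc      PLS_INTEGER;
BEGIN
  -- The username becomes part of the DN: allow only characters that cannot
  -- change the DN structure (no commas, equals signs, plus signs, quotes).
  IF NOT REGEXP_LIKE(p_username, '^[A-Za-z0-9_.-]{1,64}$') THEN
    RAISE_APPLICATION_ERROR(-20001, 'username not valid for directory sync');
  END IF;
  DBMS_LDAP.use_exception := TRUE;  -- LDAP failures raise instead of returning codes
  l_session := DBMS_LDAP.init(sync_cfg.host, sync_cfg.port);
  l_rc := DBMS_LDAP.simple_bind_s(l_session, sync_cfg.bind_dn, sync_cfg.bind_password);
  l_attrs := DBMS_LDAP.create_mod_array(4);
  l_vals(1) := 'top';                  l_vals(2) := 'person';
  l_vals(3) := 'organizationalPerson'; l_vals(4) := 'inetOrgPerson';
  DBMS_LDAP.populate_mod_array(l_attrs, DBMS_LDAP.MOD_ADD, 'objectclass', l_vals);
  l_vals.DELETE;
  l_vals(1) := p_username;
  DBMS_LDAP.populate_mod_array(l_attrs, DBMS_LDAP.MOD_ADD, 'cn', l_vals);
  DBMS_LDAP.populate_mod_array(l_attrs, DBMS_LDAP.MOD_ADD, 'sn', l_vals);
  l_vals(1) := p_email;
  DBMS_LDAP.populate_mod_array(l_attrs, DBMS_LDAP.MOD_ADD, 'mail', l_vals);
  -- No userPassword attribute is written: the users table holds no password.
  l_rc := DBMS_LDAP.add_s(l_session,
            'cn=' || p_username || ',' || sync_cfg.user_base, l_attrs);
  DBMS_LDAP.free_mod_array(l_attrs);
  l_rc := DBMS_LDAP.unbind_s(l_session);
EXCEPTION
  WHEN OTHERS THEN
    IF l_session IS NOT NULL THEN
      BEGIN l_rc := DBMS_LDAP.unbind_s(l_session); EXCEPTION WHEN OTHERS THEN NULL; END;
    END IF;
    RAISE;  -- the INSERT fails rather than leaving a row with no directory entry
END push_user_to_oid;
/
CREATE OR REPLACE TRIGGER app_users_to_oid
AFTER INSERT ON app_users
FOR EACH ROW
BEGIN
  push_user_to_oid(:NEW.username, :NEW.email);
END;
/
```

The LDAP add is not part of the database transaction, so a later ROLLBACK leaves the OID entry in place and a periodic reconciliation has to catch it. simple_bind_s sends the bind password over the connection, so the session belongs on SSL (DBMS_LDAP.open_ssl).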

Page 21

Case Study #3

[Diagram labels: Sync; App_users; Ldap$users; via trigger; timed event; IIS; AD; OID/SSO; Oracle SSO Plug In; .net application; Oracle Database]