OracleAS Identity Management Solving Real World Problems

Upload: databaseguys

Post on 13-Jul-2015


Page 1: OracleAS Identity Management Solving Real World Problems

OracleAS Identity Management: Solving Real World Problems

Page 2: OracleAS Identity Management Solving Real World Problems

Web applications are great ...

Inexpensive development

Rapid deployment

Access from anywhere

BUT ….

Page 3: OracleAS Identity Management Solving Real World Problems

…but they can be an administrative and usability nightmare!

Page 4: OracleAS Identity Management Solving Real World Problems

Business Problem

Many more users of your business system
– Anyone with a PC has potential access
– Not all users are employees or students: partners, suppliers … and hackers

Managing users is more complicated
– Authorized users need to access multiple applications
– Proliferation of accounts, passwords, privileges

Critical business applications and data are online
– Real risk is greater; awareness of risk is also greater
– Legal mandates for protection of certain data

Page 5: OracleAS Identity Management Solving Real World Problems

IT operational challenges

New employee or student enrollment
– Create identity and credentials for the user
– Create accounts for all applications he/she needs
– Define authorizations

User’s organizational role changes (or user terminated)
– Automate privilege changes in applications
– Revoke accounts and authorizations for all applications he/she had access to
– Disable user’s identity and credentials

Page 6: OracleAS Identity Management Solving Real World Problems

IT operational challenges, contd.

Manage user authentication securely
– Enforce password complexity
– Detect and prevent password attacks
– Implement efficient procedures for password resets

Deploy a new application
– Integrate the application with corporate Portal
– Delegate administration
– Leverage an existing authentication service
– Automate account provisioning for the application
– Maintain synch among existing directories such as AD

Page 7: OracleAS Identity Management Solving Real World Problems

IT operational challenges, contd.

Support complex deployment scenarios
– Deploy many applications and servers securely, with least privilege
– Decentralized IT administration
– High availability
– Support load balancers, firewalls, HW accelerators

Page 8: OracleAS Identity Management Solving Real World Problems

Oracle’s Solution

Security platform enabled by Oracle Identity Management

Platform components with high assurance

Page 9: OracleAS Identity Management Solving Real World Problems

What is Identity Management?

“Identity management is the process by which the complete security lifecycle for users and other entities is managed and controlled for an organization or community of organizations.”

Page 10: OracleAS Identity Management Solving Real World Problems

Identity Management Infrastructure

An enterprise directory - Oracle Internet Directory (OID)
– Directory of users, groups, applications, roles & policies
– Meta-directory platform and connectors - Directory Synchronization Service (DSS)

Access management services
– Single Sign-on (SSO)
– Centralized authorization repository (OID)

Provisioning platform - Prov. Integration Service (PIS)
– Provisioning policy and account management tools
– Provisioning integration platform
  Provisioning event propagation, workflow automation
  Provisioning connectors

Page 11: OracleAS Identity Management Solving Real World Problems

Identity Management Infrastructure

Delegated Administration Services (DAS)
– End user self-service tools
– Enterprise user, group and role management tools
– Application administration delegation tools

Public Key Infrastructure Services
– Oracle Certificate Authority (OCA)
– Certificate / key archives
– Online certificate status

Auditing and security monitoring services
– Enterprise audit policy management tools
– Central audit log archive and mining tools

Page 12: OracleAS Identity Management Solving Real World Problems

Identity Management Benefits

Saves Money
– Centralized user management reduces admin cost
– Easier to automate and less error prone

Improves Security
– By preventing fragmented security

Enhances user experience
– Single password and Single Sign-on
– Personalization
– Delegated Administration and Self-service

Page 13: OracleAS Identity Management Solving Real World Problems

Oracle Identity Management in Oracle Security Architecture

[Architecture diagram: the slide shows the identity management components in the centre and the Oracle products that consume them, each with its own local security model.]

Identity management components:
– Oracle Internet Directory
– Oracle Certificate Authority
– Directory Integration Services
– Provisioning Service
– OracleAS SSO
– Delegated Administration Services
– 3rd Party Directory Service
– 3rd Party Authentication Service

Consuming products and their security models:
– OracleAS (9i or 10g) / OracleAS 10g: JAAS Roles, Component access Controls, Java2 Permissions, …
– Oracle 10g RDBMS: Enterprise Roles, VPD, Label Security, …
– Oracle E-Business Suite: E-Biz Responsibility
– Oracle Collaboration Suite: File privileges, Secure Mail, Interpersonal Rights granting

Page 14: OracleAS Identity Management Solving Real World Problems

Oracle Identity Management – Value Proposition

An enterprise infrastructure that leverages Oracle’s “unbreakable” technology
– reliability, scalability, security, performance

Enables deployment of all Oracle products out of the box
– AS, DB, OCS, eBiz

A single point of integration for customer’s existing identity management solutions
– Transparent 3rd party integration for OIM enabled products

An open, standards-based infrastructure to accommodate a variety of partner solutions and customer deployments
– Accommodate a wide variety of deployments and partner solutions

Page 15: OracleAS Identity Management Solving Real World Problems

Specific Problems and Solutions

Page 16: OracleAS Identity Management Solving Real World Problems

New Student Enrollment

Create user in OID - creates user in Enterprise
– Oracle products recognize identity
– Third party (e.g., AD) provisioning via PIS

Improved provisioning support through OIM
– Single user in OID
– Student System-based provisioning through PIS
– Windows (and other third party) integration via DSS
– Automated certificate provisioning with OCA

Page 17: OracleAS Identity Management Solving Real World Problems

User’s organizational role changes

Change role and/or remove user from OID
– Directly via DAS or indirectly via PIS
– Immediately changes user in OIM-aware applications
– Other applications can be synchronized via DSS, PIS

Dynamic group support in OID

Page 18: OracleAS Identity Management Solving Real World Problems

Manage User Authentication Securely

Single Sign On
– OracleAS SSO for web single sign on
– Enterprise User Security for client-server SSO to database
– Multilevel authentication in OracleAS SSO 10g
– Windows Native Authentication

Proxy authentication for multi-tier database access

Advanced password management policies in OID
– Password history, Password hints and reset upon expiry
– IP address based lockout policies
– Centralizes password management for OIM-based applications

Page 19: OracleAS Identity Management Solving Real World Problems

Manage User Authentication Securely, cont.

External authentication plug-ins for 3rd party LDAP

DAS management of account lockout status

DAS Self Service password hint and password reset

Standalone database continues to support customizable password management

Page 20: OracleAS Identity Management Solving Real World Problems

Deploy New Application

OID/SSO provide authentication and authorization services which are shared across the enterprise

Many hooks to leverage OID/SSO
– mod_osso
– JAZN
– Partner application toolkit
– Enterprise users (for database applications)
– PIS provides automated account provisioning

DSS, PIS support synch with existing directories

Page 21: OracleAS Identity Management Solving Real World Problems

Deploy New Application, cont.

Direct JAAS integration with 3rd party directory via LoginModule API

DAS supports delegated administrative model
– Can delegate admin authority to components of overall directory tree
– Can delegate admin authority down to the attribute level

New install/admin model in OracleAS ensures least privilege for instance administration

Page 22: OracleAS Identity Management Solving Real World Problems

Windows Integration

Windows Directory Connector for Oracle Internet Directory
– Pre-packaged solution for Windows directories
– Built on Oracle Directory Integration Platform

Windows Native Authentication
– “Automatic logon” to AS based on Windows logon
– Improves Windows user experience

Windows Authentication and Password Plug-ins
– “Referral” of authentication to Windows O/S; password synchronization not required
– Update of Windows passwords from Oracle administration tools

Page 23: OracleAS Identity Management Solving Real World Problems

User Provisioning from Windows

[Diagram: the Windows environment (Microsoft ADS) feeds Oracle Internet Directory, which in turn serves Oracle9iAS Single Sign-On, Oracle Portal, the Delegated Administration Console and Oracle E-Business Suite Release 11i.]

1 - “Add user”
2 - User created in ADS
3 - User synchronized with OID
4 - User provisioned in Oracle environment

Page 24: OracleAS Identity Management Solving Real World Problems

Improved Admin Privilege Model

Least privilege for install/admin
– Separation of install and runtime admin privileges
– Privilege to administer one 9iAS instance doesn’t imply privilege to administer every instance

Allows multiple 9iAS instances to share an infrastructure securely

Greatly improves security for real world deployments
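The two delegation properties described on this slide and on the DAS slide (“Deploy New Application, cont.”): delegation scoped to a subtree and down to the attribute level, and instance-administration privilege that does not carry over to other instances, are shown below as a default-deny evaluator over a list of grants. This is an added example and not OID’s ACI syntax or evaluator; the grant format, group names, DNs and the constructed “install” operation (used to model the separation of install and runtime privileges) are assumptions.

```python
"""Default-deny evaluation of delegated administrative rights scoped to a
directory subtree and to particular attributes, plus per-instance
administrative privilege.

Added illustration of the DAS delegation and "Improved Admin Privilege Model"
slides; not OID's ACI syntax. Grants, group names, DNs and the "install"
operation are constructed for the example.
"""
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Grant:
    grantee: str            # group that holds the right
    subtree: str            # DN at which the delegation is rooted
    operations: frozenset   # e.g. {"read", "write"} or the constructed {"install"}
    attributes: frozenset   # attributes covered, or {ANY} for the whole entry


def _rdns(dn: str) -> list:
    # Simplified DN handling: split on commas, normalise case and spacing.
    # Escaped commas and multi-valued RDNs are out of scope for the example.
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn: str, subtree: str) -> bool:
    """True when dn is the subtree root or lies beneath it. The comparison is
    RDN by RDN, so ou=exstudents is not "under" ou=students."""
    d, s = _rdns(dn), _rdns(subtree)
    return len(d) >= len(s) and d[-len(s):] == s


def allowed(grants, memberships, operation: str, target_dn: str, attribute: str) -> bool:
    """Permit only if some grant held by one of the caller's groups covers the
    target entry's subtree, the operation and the attribute; otherwise deny."""
    attribute = attribute.lower()
    for g in grants:
        if g.grantee not in memberships or operation not in g.operations:
            continue
        if not is_under(target_dn, g.subtree):
            continue
        if ANY in g.attributes or attribute in g.attributes:
            return True
    return False


BASE = "dc=example,dc=edu"   # constructed suffix
GRANTS = [
    # Helpdesk may fix contact details for students: nothing else, nowhere else.
    Grant("cn=helpdesk", f"ou=students,{BASE}", frozenset({"read", "write"}),
          frozenset({"telephonenumber", "mail"})),
    # Each application-server instance has its own administrators.
    Grant("cn=instance-a-admins", f"cn=instanceA,cn=oracleas,{BASE}",
          frozenset({"read", "write"}), frozenset({ANY})),
    Grant("cn=instance-b-admins", f"cn=instanceB,cn=oracleas,{BASE}",
          frozenset({"read", "write"}), frozenset({ANY})),
    # Installers may install but hold no runtime administration right.
    Grant("cn=installers", f"cn=oracleas,{BASE}", frozenset({"install"}), frozenset({ANY})),
]


def check(memberships, operation: str, target_dn: str, attribute: str = "description") -> bool:
    """Evaluate one request against the constructed grant table."""
    return allowed(GRANTS, set(memberships), operation, target_dn, attribute)


if __name__ == "__main__":
    student = f"uid=jdoe,ou=students,{BASE}"
    print("helpdesk sets student phone:   ", check({"cn=helpdesk"}, "write", student, "telephoneNumber"))
    print("helpdesk sets student password:", check({"cn=helpdesk"}, "write", student, "userPassword"))
    print("instance A admin on instance B:", check({"cn=instance-a-admins"}, "write",
                                                   f"cn=instanceB,cn=oracleas,{BASE}"))
```

The evaluator answers every request with a denial unless a grant matches on all three dimensions at once (who, where in the tree, which attribute), which is what lets a helpdesk group reset phone numbers without being able to touch `userPassword`, and what keeps the administrators of one instance out of another instance that shares the same directory.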

Page 25: OracleAS Identity Management Solving Real World Problems

Case Study: Golden Gate University’s Legacy Environment

Operating systems: Solaris, Windows, MPE/ix, Netware, Mac OS, Digital Unix

Hardware platforms: SUN (Sparc), Dell (Intel), HP 3000, Macintosh, DEC Alpha

Databases: Oracle, SQL Server, Access, FoxPro, HP Image

Development: Coldfusion, HTML, Javascript, UniBasic

No common code, data, OS, management process, customer experience

Page 26: OracleAS Identity Management Solving Real World Problems

GGU’s new Web Architecture

[Diagram: a layered architecture; the tiers and components recovered from the slide are listed below.]

Application Layer
– JSP Pages / XML / HTML

Application Server / Business Tier
– Human Resource, Financials, Student
– Data Mining / Reporting
– Portal
– Oracle Text Search, Oracle Collaboration Suite
– LDAP - Oracle OID

Enterprise Database (Server Tier: Linux / Solaris)
– Oracle 9i Enterprise Edition DBMS

Storage Tier
– Storage Area Network / Physical Data Layer
– IBM (three units shown on the slide)

Migrate legacy apps / File / Print / Messaging

Page 27: OracleAS Identity Management Solving Real World Problems

Summary

Key Business Problem
– Address security threats
– Manage users efficiently, intelligently

Key Solution Features
– Complete security for real world deployments
  Pervasive
  High Assurance
  Common across Oracle Components
  Supports wide range of deployment options
– Identity Management Suite
  Integrated solution for Oracle products
  Enterprise scalability, reliability, performance

Page 28: OracleAS Identity Management Solving Real World Problems

Summary, cont.

Key Oracle Differentiators
– Reputation for reliability, scalability, availability, assurance
– Oracle offers nearly all the enterprise pieces: App Server, database, apps, collab suite
– Security and Identity Management is pervasive, integrated

Page 29: OracleAS Identity Management Solving Real World Problems