
Oracle Access Manager

Q: What is Single Sign On?


A: Single Sign-On allows users to sign on once to a protected application and gain access to the
other protected resources within the same domain defined with the same authentication level.

Q: What is multi domain Single Sign-On?
A: Multi Domain SSO gives users the ability to access more than one protected resource (URL
and Applications), which are scattered across multiple domains with one time authentication.

Q: What is provisioning?
A: Provisioning is a process that grants users and groups appropriate access rights. It
involves creation of the user (if not already in the system) and granting or revoking rights to
access a resource (application, system, database).

Q: Explain the flow when a user requests for an application protected by Oracle Access
Manager?
A: The following steps describe the flow when a user makes a request to access a resource
protected by the Oracle Access Manager.
- User requests for a resource through a web browser.
- The WebGate intercepts the request and checks with the Access Server whether the
resource is protected or not.
- If the resource is not protected, then the user will be shown the requested resource.
- If the resource is protected, then the Access Server will check with the Policy Manager the
authentication scheme configured for that resource.
- User will be prompted to enter their credentials as per the auth scheme defined for the
resource.
- WebGate will send the credentials to the Access Server to check them against the backend (LDAP
server).
- Upon successful authentication, the Access Server checks whether the user is authorized to
access the resource or not.
- If the user is authorized, then the Access Server will create the session id and pass it to the
WebGate. An ObSSOCookie is created and will be sent to the user's browser and the user will be
shown the requested resource.
- If the user is not authorized, then an error page (if it is defined in the policy domain) will be shown
to the user.

Q: Explain the integration and architecture of OAM-OAAM integration?
A: Using these products in combination will allow you fine control over the authentication
process and full capabilities of pre-/post-authentication checking against Adaptive Risk
Manager models.
The OAAM's ASA-OAM integration involves two Oracle Access Manager AccessGates: one for
fronting the Web server (a traditional WebGate) to Adaptive Strong Authenticator and one for
the embedded AccessGate. The Access Server SDK is to be installed and the configureAccessGate
tool is to be run. The ASA bharosa files are to be updated with the ASDK location. An application is to be
protected using the ASA authentication scheme and tested for the ASA landing page for login.
Here is how the flow goes:
1. User requests for a resource.
2. WebGate acting in the front end for the ASA application will intercept the request and will
redirect to the ASA application.
3. The user enters credentials and the Access SDK set up in the ASA application will contact the
AccessGate, which in turn contacts the Access Server for validating the credentials.
4. Upon successful authentication, the Access Server will generate the ObSSOCookie and will forward
it to the browser.
5. Then the user will be shown the requested resource.
There are different types of integration:

Basic Integration:
Features: Authentication schemes, device fingerprinting, risk analysis, and the knowledge-
based Authentication (KBA) challenge mechanism. KBA is the only challenge mechanism
available in this integration. Libraries and configuration interface for different flows (challenge,
registration, and so on). Many of the login security use cases available from OAAM.

Advanced Integration:
Features: Authentication schemes, device fingerprinting, risk analysis, KBA challenge
mechanisms. Advanced features and extensibility such as OTP Anywhere, challenge processor
framework, shared library framework, and secure self-service password management flows.
OAAM can also be integrated with third party single sign-on products via systems integrators if
required.

Advanced Using TAP:
Features: Authentication schemes, device fingerprinting, risk analysis, KBA challenge
mechanisms, and additional advanced security access features, such as step up authentication.
Advanced features and extensibility such as OTP Anywhere, challenge processor framework,
shared library framework, and secure self-service password management flows. OAAM can
also be integrated with third party single sign-on products via systems integrators if required.

LDAP
Q: What is an identity?
A: An identity is a piece of information used to identify an entity, whether it is a user or group
etc.

Q: What is an object class and what are its different types?
A: An object class specifies the set of attributes that are used to define an object.
- Structural. Indicates the attributes that the entry may have and where each entry may occur
in the DIT. A Structural object class defines the backbone of an LDAP entry. An entry
references a Structural object class as the basis for its required and optional attributes. E.g.,
inetorgperson, organizationalunit etc. The Structural class defines the identity of an object and
the Auxiliary object class is used to add attributes. An entry must contain one structural and many
auxiliary object classes.
- Auxiliary. Indicates the attributes that the entry may have. Auxiliary object classes allow
additional attributes to be "mixed" with a Structural object class. For example, you can add
inetOrgPerson as your structural object class and associate it with the tab in the User Manager
application. You could then add Auxiliary object classes with special attributes for various
types of people, such as customers, partners, and so on.
- Abstract. Indicates a "partial" specification in the object class hierarchy; only structural and
auxiliary subclasses may appear as entries in the directory.

Q: What is DN and RDN?
A: A DN is the LDAP entry that uniquely identifies and describes the entry in the LDAP server.
cn=Jones,dc=oracle,dc=com is the DN of user Jones and the RDN is cn=Jones.
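
The DN and RDN relationship above, as an added example that is not part of the original document: Python code that splits the page's DN into its RDNs following the RFC 4514 string form, and escapes an untrusted value so it cannot add extra RDNs when a DN is built from user input. The function names and the input "Jones,ou=admins" are constructed for illustration.

```python
# Added example (RFC 4514 string form); the untrusted input used is constructed.
SPECIAL = ',+"\\<>;'  # characters RFC 4514 requires escaping inside a value

def split_unescaped(text, sep):
    """Split on sep, skipping any separator that follows a backslash."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf += text[i:i + 2]          # keep the escape pair together
            i += 2
            continue
        if text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i]
        i += 1
    parts.append(buf)
    return parts

def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (attribute, value)."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        pairs = []
        for ava in split_unescaped(rdn, "+"):   # '+' joins a multi-valued RDN
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((attr.strip(), value))
        rdns.append(pairs)
    return rdns

def rdn_of(dn):
    """The RDN is the leftmost component of the DN."""
    return split_unescaped(dn, ",")[0]

def escape_value(value):
    """Escape an untrusted attribute value so it stays inside one RDN."""
    out = ""
    for i, ch in enumerate(value):
        edge = (ch == " " and i in (0, len(value) - 1)) or (ch == "#" and i == 0)
        out += "\\00" if ch == "\x00" else ("\\" + ch if ch in SPECIAL or edge else ch)
    return out

def build_user_dn(cn, base="dc=oracle,dc=com"):
    """Build a user DN under base (the page's suffix) from an untrusted cn."""
    return f"cn={escape_value(cn)},{base}"

if __name__ == "__main__":
    print(parse_dn(build_user_dn("Jones,ou=admins")))
```

With escaping, the constructed input stays a single cn value under dc=oracle,dc=com; concatenating it unescaped yields a DN with four RDNs instead of three.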

Q: How do you define Identity Management & Access Management?
A: Identity Management enables customers to manage end-to-end lifecycle of user identities
across all enterprise resources securely. Access Management provides web access
management including authentication, fine grained authorization, federation and proactive
online fraud prevention.

Q: What are various domains that fall under identity management?
A: Identity Management, Access Management, Directory Management. Oracle Products that
fall under Identity Management are Oracle Identity Manager and Oracle Role Manager. Oracle
products that fall under Access Management are Oracle Access Manager, Oracle Entitlement
Server, Oracle Adaptive Access Manager, Oracle Identity Federation and Enterprise Single Sign-
On. Oracle products that fall under Directory Management are OID and OVD.



Identity Management
What are the benefits of Identity Management?
Centralized auditing and reporting - Know who did what and report on system usage.
Reduce IT operating costs - Immediate return on investment is realized by eliminating the use
of paper forms, phone calls and wait time for new account generation and enabling user self
service and password management.
Minimize Security Risk - Control access to the network and instantaneously update accounts
in a complex enterprise environment including: layoffs, acquisitions, partner changes,
temporary and contract workers.
Improved quality of IT services
Legal compliance - Many government mandates require secure control of access.

How does Identity Management (IDM) work?
The process involves creating user accounts that are able to be modified, disabled or deleted.
Delegated workflows, rules and policies are applied to the user's account.

A user profile will tell the company: who they are, what they are entitled to do, when they are
allowed to perform specific functions, where they are allowed to perform functions from and
why they have been granted permissions.

How are Identity Management Solutions Implemented?
Step One: Inventory and assess current investments and processes. Clean and consolidate
identity data stores. Create virtual identities for enterprise users.

Step Two: Design and deploy identity infrastructure components. Create identity provisioning
and deploy password management, user self-service, and regulatory compliance.

Step Three: Deliver applications and services. Access management deployed to a clean
environment. Leverage federated identity for improving supply chain and employee
efficiencies.
