Oracle Identity and Access Management

Overview

Klaus Scherbach
Principal Sales Consultant
BU Identity Management
This document is for informational purposes. It is not a commitment to
deliver any material, code, or functionality, and should not be relied
upon in making purchasing decisions. The development, release, and
timing of any features or functionality described in this document
remains at the sole discretion of Oracle. This document in any form,
software or printed matter, contains proprietary information that is the
exclusive property of Oracle. This document and information
contained herein may not be disclosed, copied, reproduced or
distributed to anyone outside Oracle without prior written consent of
Oracle. This document is not part of your license agreement nor can
it be incorporated into any contractual agreement with Oracle or its
subsidiaries or affiliates.

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. 2


Agenda

Functional Overview

Oracle Access Management

Oracle Identity Governance

Oracle Directory Services

Functional Overview

Identity and Access Management 11gR2
Modern, Innovative & Integrated

Governance                 | Access                   | Directory
---------------------------+--------------------------+-------------------
Privileged Accounts        | Web Single Sign-on       | LDAP Storage
Access Request             | Federation               | Virtual Directory
Roles Based Provisioning   | Mobile, Social & Cloud   | Meta Directory
Password Reset             | Integrated ESSO          |
Attestation                | External Authorization   |
Segregation of Duties      | WebServices Security     |
Role Mining                | Token Services           |
                           | Fraud Detection          |

Platform Security Services

Oracle Access Management

Oracle Access Management 11gR2
Functional Blocks (excl. ESSO)

•  Complete
•  Innovative
•  Simplified
•  Scalable
•  Open

Oracle Access Management 11gR2
Integration with Identity Governance

[Diagram: zones Internet / Corporate DMZ / Corporate Network. Oracle Identity Governance (Registration, Self Service, Attestation, Lifecycles) sits on the corporate network; OAM WebGates in the DMZ perform optional redirects depending on AuthN; Oracle Access Management (Authentication, Authorization, Single Sign-On) publishes Identity Context events and is backed by Directory Services.]

Oracle Access Management 11gR2
Available Services

Oracle Access Management 11gR2
Identity Context

[Diagram: four tiers. Device Tier (Social/Life, Enterprise/Work, Mobile/Presence: Smartphone, Tablet, Laptop); Web Tier (WEB SSO, Identity Federation, Risk / Adaptive Authentication); Application Tier (Application, Portal, SOA, Server, Container); Service Tier (Web Services, EJBs, Databases, Directories, Service Bus).]

1. Collect Attributes
2. Publish, Propagate & Evaluate attributes across Oracle's Fusion Middleware stack

Oracle Access Management 11gR2
Sample Identity Context Attributes

Category   | Attributes (Sample)                                | Publisher
-----------+----------------------------------------------------+--------------
Client     | Is Firewall Enabled, Is Anti Virus Enabled,        | OESSO, OAM/MS
           | Device Fingerprint, Location                       |
Risk       | Is Known Device, Is Trusted Device, Risk Score     | OAAM
Federation | Partner ID, Partner Attributes                     | OAM/OIF
Session    | Level of Assurance, Session ID,                    | OAM
           | Any attribute in the current session               |
Identity   | Any attribute in the user's ID Store profile,      | OAM, OVD
           | True/False result of a search                      |

Oracle Access Management 11gR2
Enterprise Single Sign-On (OESSO) Architecture

[Diagram: ESSO Admin Console managing ESSO Authentication Manager, ESSO Password Reset and ESSO Provisioning Gateway (fed by the Provisioning System); ESSO Kiosk Manager; Client PC running ESSO Logon Manager.]

•  Only one password to remember
•  For non-web applications
•  Integrated with Oracle Web Access Management
•  More secure and quick compliance

Oracle Access Management 11gR2
Entitlement Service Motivation
An adaptable security service infrastructure that more closely models your business

Better Business Agility
•  Respond faster to changing corporate, regulatory, market requirements
•  Reduce time-to-market
•  Manage security from a single place

Enhanced Security and Compliance
•  Provides finer control over the protection of all resources
•  Separates security decisions from application logic
•  Offers robust auditing of events
•  Centralizes security policy management

Increased IT Efficiency
•  Enables reuse and sharing of security services
•  Frees developers up to focus on value-added business logic
•  Integrates easily with identity and access management

Oracle Access Management 11gR2
Entitlement Service Deployment

[Diagram: several PEPs (Policy Enforcement Points), some with a co-located PDP (Policy Decision Point), pulling policy from the OES Admin Server; the Admin Server is backed by the Policy Store, the Identity Store and PIPs (Policy Information Points).]
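The PEP/PDP/PIP split above, applied to the Identity Context attributes from the earlier table, as an added illustration that is not Oracle's code and not OES's policy language; the subjects, attribute values, policy rules and thresholds are all constructed for the example:

```python
from dataclasses import dataclass, field

# Constructed sample data: what each publisher (PIP) would contribute for a subject.
# Attribute names follow the Identity Context categories on the slide; values are made up.
RISK_PIP = {        # published by the risk engine (OAAM on the slide)
    "alice": {"isTrustedDevice": True,  "riskScore": 20},
    "carol": {"isTrustedDevice": False, "riskScore": 120},
    "bob":   {"isTrustedDevice": True,  "riskScore": 650},
}
SESSION_PIP = {     # published by the access manager (OAM on the slide)
    "alice": {"levelOfAssurance": 2},
    "carol": {"levelOfAssurance": 1},
    "bob":   {"levelOfAssurance": 2},
}
IDENTITY_PIP = {    # any attribute from the user's ID store profile
    "alice": {"department": "finance"},
    "carol": {"department": "finance"},
    "bob":   {"department": "sales"},
}
PIPS = (RISK_PIP, SESSION_PIP, IDENTITY_PIP)

@dataclass
class Decision:
    permit: bool
    reason: str
    redact: list = field(default_factory=list)  # fields the PEP must mask in the response

def collect_context(subject):
    """Step 1 on the Identity Context slide: gather attributes from every PIP."""
    ctx = {}
    for pip in PIPS:
        ctx.update(pip.get(subject, {}))
    return ctx

def pdp_evaluate(subject, resource, action):
    """Step 2: the PDP evaluates the (assumed) policy against the collected context."""
    ctx = collect_context(subject)
    if ctx.get("riskScore", 1000) >= 500:            # unknown subject counts as maximum risk
        return Decision(False, "risk score above threshold")
    if resource == "payroll" and ctx.get("department") != "finance":
        return Decision(False, "department not entitled to resource")
    if action == "write" and ctx.get("levelOfAssurance", 0) < 2:
        return Decision(False, "step-up authentication required")
    redact = [] if ctx.get("isTrustedDevice") else ["ssn", "bankAccount"]
    return Decision(True, "permit", redact)

def pep_fetch(subject, resource, action, record):
    """PEP: enforce the decision and apply data redaction before releasing the record."""
    decision = pdp_evaluate(subject, resource, action)
    if not decision.permit:
        return None
    return {k: ("***" if k in decision.redact else v) for k, v in record.items()}
```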

Oracle Access Management 11gR2
Mobile & Social Deployment Scenario

[Diagram: zones Internet / Corporate DMZ / Corporate Network. HTTP, HTML and REST clients on the Internet reach the DMZ, where Oracle Enterprise Gateway (with an OES PDP) and Mobile and Social (with an OES PDP) front the corporate network; an OAM Agent protects Oracle Access Manager (Authentication, Authorization, SSO), Oracle Adaptive Access Manager provides secondary authentication, and Directory Services supply LDAP; Web Services Manager and the Service Bus expose SOAP/REST and legacy web services with context aware authorization and data redaction.]

Oracle Access Management 11gR2
Mobile & Social Web Service Deployment Scenario

[Diagram: three zones, Extranet / DMZ / Intranet, under a Common Policy Model. Extranet, First Line Of Defense: OWSM Agent* terminating HTTP, SOAP, REST, XML and JMS traffic to counter external threats. DMZ, Shared Services Layer: OWSM Agents on the Service Bus. Intranet, End Point Security: OWSM Agent* at the service endpoint to counter internal threats. Security mechanisms at each layer: WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos, Sign & Encrypt.]
* - Planned Capabilities

Oracle Access Management 11gR2
Sample Security Token Service Scenario

[Diagram: Security Token Service scenario built on a trust relationship between the parties.]

Oracle Identity Governance

Oracle Identity Governance 11gR2
Overview

[Diagram: Connectors feed both halves. Grant User Access (Provision): Access Request, Privileged Account Request, Role Lifecycle Management, Check-in/Checkout. Monitor User Access (De-Provision): Identity Certifications, IT Audit Monitoring, Rogue Detection & Reconciliation, Reporting & Privileged Access Monitoring. Underneath, the Access Catalog (Roles, Entitlements, Accounts, Glossaries) with Ownership, Risk & Audit Objectives and Catalog Management.]

Oracle Identity Governance 11gR2
Shopping Cart Simplicity

Browse -> Compare & Select -> Track -> Receipt Confirmation

Oracle Identity Governance 11gR2
Role Lifecycle Management

[Diagram: role lifecycle of Role Definition, Role Modeling, Role Audit, Analytics and Role Mining, driven by a Top-Down Approach (Role Definition) and a Bottom-Up Approach (Role Mining), under Role Governance.]

Change Mgmt
•  Role Change Approvals
•  Role Versioning History
•  Rollbacks & Comparison
•  Role Change Impact Analysis
•  Rule Management

Role Audit
•  Role – Entitlement Mapping
•  Role Membership History
•  Approvals History
•  Role Ownership History

Governance
•  Role Definition Attestation
•  Role Membership Attestation
•  Role Consolidation
•  Role Mining

Oracle Identity Governance 11gR2
Risk Based Certification

[Diagram: Identity Data Sources (Applications, DB, Mainframe) feed the Identity Warehouse, which holds Roles, Certification History, Entitlements, Provisioning Events, Resources and Policy Violations; Risk Factors are combined by Risk Aggregation. Low Risk Users get Bulk Certify (Approve / Reject); High Risk Users get Cert360 with a Focused Sign-off.]

Oracle Identity Governance 11gR2
Connectors

•  Common Connectors for all Governance needs
•  Supports multiple target versions and multiple instances of a target simultaneously
•  Flexible deployment options – local and remote deployment
•  Extensible – Administrators can extend the capabilities without coding

[Diagram: the Connector Framework sits between the governance services (Access Request, Identity Certification, Privileged Access) and the target systems (Cloud Applications, Enterprise Applications, Directories, Databases, Custom Applications and Mainframes).]

Oracle Identity Governance 11gR2
Privileged Account Management (OPAM)

Threats
  Increased Online Threat
  Costly Insider Fraud

Compliance
  Tougher Regulations
  Greater Focus on Risk
  Stronger Governance

Motivation
  Social Media
  Cloud Computing
  Mobile Access

2011 Data Breach Investigations Report:
  76% Data Stolen From Servers
  86% of Hacking Involved Stolen Credentials
  48% Caused by Insiders
  17% Involved Privilege Misuse

Oracle Identity Governance 11gR2
Privileged Account Management (OPAM) Functions
•  Secure vault to centrally manage passwords for privileged and shared accounts
•  Targets include
   •  Databases
   •  Operating Systems
   •  LDAP Directories
   •  Oracle FMW applications
•  GUI, REST Services and CLI for users and administrators
•  Automatic password change using Identity Connector Framework (ICF)
•  Policy based password check-out and check-in
•  Customizable audit reports through BI Publisher and real time status
•  Extension to Identity Governance – OIM and OIA integration for complete governance

Oracle Identity Governance 11gR2
Privileged Account Management Checkout Password Screen

Oracle Identity Governance 11gR2
DB User Management, DB Vault and OPAM

Service Description                                                        | Supported by
---------------------------------------------------------------------------+-------------
Use Existing Enterprise LDAP Passwords for End-User Passwords              | EUS
Map Database Roles to Enterprise Roles                                     | EUS
Privileged user access control to limit access to application data         | DB Vault
Multi-factor authorization for enforcing enterprise security policies      | DB Vault
Manage SYS/SYSTEM and other DB Privileged Accounts Passwords               | OPAM
Manage DB Vault Privileged Accounts Passwords like user_manager, sec_admin | OPAM
Manage non-Oracle database passwords                                       | OPAM

Oracle Directory Services

Directory Server EE (ODSEE)
Former Sun Microsystems Enterprise Directory

Directory Proxy
•  Load-balancing
•  High-availability
•  Data Distribution

Identity Synchronization for Windows
•  Identity data, password, and group synchronization between Microsoft Active Directory and Directory Server

Directory Server
•  Scalable
•  Secure
•  Replication
•  4+ Billion Identities Managed

Deployment Tooling
•  Evaluate performance
•  Tune performance
•  Provisioning
•  "Namefinder" – white pages

Web Based Service Management
•  Manage multiple instances from central location

Directory Server EE
Components and Deployment

[Diagram: Applications (50 – 250) in front of an Access Layer (Proxy: Load-balancing, Distribution, Security) and Data Management; supporting tools DSRK – Directory Server Resource Kit and ISW – Identity Synchronization for Windows.]

Oracle Internet Directory (OID)
Oracle Enterprise Directory HA Options

•  Single Node
•  OID Cluster
•  OID Cluster + RAC
•  OID Cluster + RAC + Replication

Oracle Internet Directory
Directory Integration Platform (DIP)
•  Oracle Internet Directory
   •  Central repository for identities & support for external authentication
•  Directory Integration Platform
   •  Executes a set of connectors for synchronization
   •  Connector support for: MS AD, AD LDS, ODSEE, OUD, Novell eDirectory, IBM Tivoli, OpenLDAP and custom agents
•  DIP Profiles
   •  Templates for data mapping / transformation

Oracle Virtual Directory (OVD)
Working Principle

Oracle Unified Directory (OUD)
Introduction

Extreme Scale
•  Scale to 10's of Billions

Next Generation
•  Convergence of directories
•  Integrated with ODSM for configuration and Enterprise Manager

Integrated and Interoperable
•  Inter-operable with all certified ODSEE ISV software
•  Integrated with ODS+
•  Optimized for cloud, mobile and social

Oracle Unified Directory
Components and HA Options
