You are on page 1of 45

An Oracle White Paper June 2009

Oracle Identity Management 11gR1

Oracle White Paper—Oracle Identity Management 11gR1

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Oracle White Paper—Oracle Identity Management 11gR1

Introduction to Oracle Fusion Middleware 11g ............................................................ 1
 Purpose and Scope................................................................................................. 2
 Oracle Identity Management Overview........................................................................ 3
 Oracle Identity Management Business Benefits ..................................................... 3
 Introducing Oracle Identity Management 11gR1 ......................................................... 5
 Oracle Identity Management 11gR1 Key Functionality ........................................... 5
 Oracle Identity Management 11gR1 Components ....................................................... 6
 Oracle Identity Manager.......................................................................................... 6
 Oracle Role Manager .............................................................................................. 8
 Oracle Access Manager.......................................................................................... 9
 Oracle Web Services Manager ............................................................................. 12
 Oracle Identity Federation..................................................................................... 14
 Oracle Enterprise Single Sign-On ......................................................................... 16
 Oracle Entitlements Server ................................................................................... 16
 Oracle Adaptive Access Manager......................................................................... 18
 Oracle Directory Services ..................................................................................... 19
 Oracle Platform Security Services ........................................................................ 24
 Identity Governance Framework and ArisID ......................................................... 28
 Oracle Management Pack for Identity Management............................................. 29
 Oracle IM 11gR1 Components Release Table ..................................................... 29
 Oracle IM 11gR1 Components Integration............................................................ 30
 Oracle Identity Management and Other Oracle Technologies................................... 34
 Oracle Identity Management and Oracle Information Rights Management .......... 34
 Oracle Identity Management and Enterprise Governance .................................... 36
 Oracle Identity Management and Oracle Database .............................................. 37
 Looking Into the Future .............................................................................................. 38
 Role Management................................................................................................. 38
 Identity as a Service.............................................................................................. 39
 Identity and Access Management Analytics ......................................................... 40
 Conclusion ................................................................................................................. 40

Oracle White Paper—Oracle Identity Management 11gR1

Introduction to Oracle Fusion Middleware 11g
Oracle Fusion Middleware (OFM) 11g provides a unified, standards-based infrastructure allowing customers to develop, deploy, and manage enterprise applications. OFM 11g extends Oracleʼs vision of delivering a complete, integrated, hot-pluggable, and best-ofbreed middleware suite based on Oracle WebLogic Server, the industryʼs leading application server. OFM 11g enables a new level of agility and adaptability in enterprise applications by delivering on the promise of service-oriented architectures (SOA). OFM 11g provides developers and business users with a declarative toolset to design and roll out enterprise applications; a business process platform to orchestrate and monitor applications at runtime; and an enterprise portal allowing easy user interaction and secure access to corporate and business partnersʼ resources. In addition, OFM 11g enhances middleware services in terms of enterprise performance management, business intelligence, content management, and identity management (the subject of this document). OFM 11g greatly increases the efficiency of modern data centers by extending the capabilities of application grids. OFM 11g leverages the benefits of new hardware technologies such as 64-bit architectures, multi-core processors, and resource virtualization to provide high-performance, pooled Internet services (commonly known as “cloud computing”) that are easier to deploy, integrate, and manage. Finally, OFM 11g relies on Oracle Enterprise Manager (EM) to provide a complete management solution in a single console. Oracle EM automatically discovers all OFM components and their interdependencies and provides industry best practices built into dashboards for systems, services, and compliance.


from development to deployment to full-blown production. This document also describes how Oracle Identity Management extends information-centric environments. and governance. consolidation. and automation.Oracle White Paper—Oracle Identity Management 11gR1 Purpose and Scope This document focuses on Oracle Identity Management 11gR1. Oracle Identity Management 11gR1 ensures the integrity of large application grids by enabling new levels of security and completeness to address the protection of enterprise resources and the management of the processes acting on those resources. Oracle Fusion Middleware 11g extends Oracle Identity Management to provide a unified. This document is mainly intended for a line-of-business and Information Technology (IT) audience. Oracle Identity Management 11gR1 provides enhanced efficiency through a higher level of integration. provision resources to users. It presents Oracleʼs identity and access management offering available with the first release of Oracle Fusion Middleware 11g (11gR1). 2 . risk management. and increased effectiveness in terms of application-centric security. We conclude this document by providing some insight into future innovations within Oracle Identity Management. Oracle Identity Management 11gR1 supports the full life cycle of enterprise applications. integrated security platform designed to manage user identities and entitlements. and Oracle Database security. secure access to corporate resources. and how Oracle Identity Management integrates with third-party platforms. and support extensive audit and compliance reporting requirements across enterprise applications. enterprise governance.

web applications and web services access control. Oracle’s ability to anticipate and meet customer demand through a savvy combination of key acquisitions and organic growth has turned the company’s identity and access management offering into the IAM market leader. In other words. thus promoting development agility and lowering maintenance costs. The various components making up Oracle IM are designed to work together to satisfy each identity management and access control requirement met throughout a business transaction. user provisioning and compliance. Oracle Identity Management Overview In just a few years Oracle has established itself as the foremost identity and access management (IAM) vendor by providing an integrated. audit and reports. independently from enterprise applications. aggressive strategy around what it refers to as application-centric identity. customer relationship management (Oracle’s Siebel). Oracle IM’s application-centric approach allows customers to clearly separate business logic from security and resource management. fraud detection. and Oracle Business Intelligence. Integrated: Oracle IM components can be deployed separately or together as an integrated suite of identity services. Risk. Forrester Research. highly scalable directory and identity virtualization services to maximize operational efficiency and ensure the highest levels of performance and availability. and Compliance platform to provide an enterprise-wide governance solution. multifactor authentication and risk management. strong. Oracle Identity Management Business Benefits Oracle Identity Management (IM) allows enterprises to manage the end-to-end life cycle of user identities across enterprise resources both within and beyond the firewall. Oracle WebCenter.” Andras Cser. Oracle IM integrates with Oracle’s Governance. Oracle’s strategy for identity and access management revolves around the following four tenets: Complete: Oracle IM provides a comprehensive set of market-leading components including identity administration and role management. All Oracle IM components leverage the product suite’s best-in-class. Oracle IM components integrate seamlessly with Oracle applications such as human capital management (Oracle’s PeopleSoft). as well as other Oracle Fusion Middleware components such as Oracle SOA. Oracle IM leverages and integrates with Oracle Database 3 .Oracle White Paper—Oracle Identity Management 11gR1 “Oracle has established itself as the IAM [Identity and Access Management] market leader due to its solid technology base across the IAM landscape and its compelling. single sign-on and federated identities. performance management (Oracle’s Hyperion). application-centric product portfolio unmatched by its competitors. Inc.

XML standards for federation (e. can choose the best-in-class Oracle IM component to meet their specific requirements and integrate that component with the rest of their existing identity management portfolio.. including operating systems. Java-based service providers) and third-party packaged applications (e. makes them market-leading. Microsoft . web servers. Enterprise Management. Oracle Identity Management is an integral part of Oracle Fusion Middleware. mission-critical applications (e. directory servers. best-of-breed products. Hot-Pluggable: Oracle IM’s standards-based suite of products is designed to support heterogeneous. application servers.g. the components of the suite deliver functional depth and sophistication that.g. Oracle IM’s application-centric approach provides extensions to Oracle Information Rights Management. and hot-pluggability. especially those looking for advanced capabilities to support their application grid. and SOA 4 ..g. closing the gap between identity management and content management. integration. multiple-vendor development and runtime environments. Security Services Markup Language – SAML and WS-Federation) allow Oracle IM components to support both in-house.. thus providing extreme scalability and lower cost of ownership.Oracle White Paper—Oracle Identity Management 11gR1 through its own directory and identity virtualization services. and database management systems. Figure 1: Oracle Fusion Middleware 11gR1 Components Best-Of-Breed: In addition to Oracle IM’s level of completeness. It leverages Oracle Fusion Middleware’s services such as Business Intelligence. even taken individually. For example. thus optimizing past and future IT investments. or they can deploy the best-of-breed Oracle IM suite to take advantage of its enhanced integration. Finally. Customers.NET-based accounting or project management systems).

and third-party security providers. 5 . and take remediation actions). audit and compliance. Streamlined release synchronization and technology uptake between the various products making up Oracle IM. Oracle IM 11gR1 is a first substantial step in this direction (please refer to the Oracle IM 11gR1 Components Release Table section provided later in this document). wizards to guide users through rapid deployment tasks. Introducing Oracle Identity Management 11gR1 Oracle Identity Management 11gR1 is characterized from its predecessor (10g) by the following: • Establishment of Oracle IM 11gR1 as a security development platform (see the Oracle Platform Security Services and Identity Governance Framework and ArisID sections later in this document). access management. directory services. Enhanced integration between Oracle IM’s components and other Oracle Fusion Middleware components.g. manageability. • • • • Oracle Identity Management 11gR1 Key Functionality Oracle IM 11gR1 provides a comprehensive set of functionality as shown in Figure 2: Identity administration. Oracle IM 11gR1 becomes Oracle Fusion applications’ de facto security infrastructure.Oracle White Paper—Oracle Identity Management 11gR1 and Process Management. Oracle applications.. and it provides security services to multiple Oracle Fusion Middleware components and Oracle Fusion applications. multi-level actionable dashboards for business users to analyze compliance and risk indicators. Figure 2: Oracle IM 11gR1 Functional Areas Each Oracle Identity Management functional area is described in the following sections of this document. Enhanced functionality allowing easier environment deployments (e.

and customer. When.Oracle White Paper—Oracle Identity Management 11gR1 Oracle Identity Management 11gR1 Components Oracle IM 11gR1’s areas of functionality presented in the previous section are implemented by multiple components described in this document. Figure 3: Oracle Identity Manager OIM is used both in enterprise-user-centric (intranet) environments. In extranet environments.g. OIM’s superior scalability allows enterprises to support millions of customers / partners accessing the company’s resources using traditional clients (e. 6 .com/technology/products/id_mgmt/ to download Oracle IM 11gR1’s component products’ information). Oracle E-Business iSupplier or Oracle EBusiness iRecruitment.and partnercentric (extranet) environments. Oracle Identity Manager Oracle Identity Manager (OIM) typically answers the question "Who has access to What. In this case. OIM is a fully integrated platform for identity provisioning and administration as well as identity audit and compliance. How. Details for each product are provided in dedicated technical white papers (please visit oracle. thus improving a company’s ability to address increasing compliance and privacy regulations through centralized management of external users and partners.. browsers) or smart phones. for example Oracle’s PeopleSoft Enterprise Customer Relationship Management. from initial on-boarding to final de-provisioning of an identity. and Why?". OIM provides centralized on-boarding and a combined selfregistration interface to multiple enterprise applications. OIM is designed to administer user access privileges across a company's resources throughout the entire identity management life cycle.

Approval and request management: With OIM. whether it’s proprietary or based on open standards. OIM can present customizable challenge questions to enable self-service identity verification and password retrieval. automating IT processes and enforcing security and compliance requirements such as segregation of duties. peers. Enterprise Edition (Java EE) application that can be deployed in singleor multiple-server instances. Integration and Adapter Factory: OIM integrates with any application or resource through highly configurable. OIM’s functional layers include: Identity and role administration: OIM offers a comprehensive range of user identity and role life cycle administration features. The approval workflows are highly configurable to accommodate multiple approval processes and stakeholders. account request and approval processes can be automated to meet your organization’s needs. OIM can synchronize or map passwords across managed resources and enforce differences in password policies among these resources. In addition. In intranet and extranet deployments.Oracle White Paper—Oracle Identity Management 11gR1 OIM is a Java Platform. Policy-based management of entitlements allows multiple request and approval processes to be implemented and refined over time in parallel. OIM provides 7 . User identities can be managed centrally by delegated administrators or through user self-administration. OIM’s Active Directory (AD) Connector can intercept a password change at the AD server and subsequently propagate it to other managed resources in accordance with policies. administrators. or users themselves can initiate requests for access to resources and track the status of their requests through web applications and email notifications. Password management: If a user forgets her password. Oracle provides a growing library of pre-configured connectors to popular applications and user repositories. reducing the total cost of implementation. if an enterprise uses Microsoft Windows’ desktop-based password reset feature. OIM connectors enable out-of-the-box integration and can be further modified using the Adapter Factory to work with each enterprise’s unique integration requirements (please see the Oracle IM 11gR1 Components Integration section later in this document for more information on OIM integration with Oracle Role Manager (ORM) and third-party environments). If OIM detects any changes to user access privileges effected outside of its control. agentless interface technology. Each connector supports a wide range of identity management functions and uses the most appropriate method of integration recommended for the target resource. it can immediately take corrective action such as undo the change or notify an administrator. Policy-based entitlement management: OIM’s policy engine controls fine-grained entitlements across managed applications. OIM provides continuous monitoring of accounts created outside its control (“rogue accounts”) or accounts without a valid user (“orphan accounts”). Audit and compliance: Identity reconciliation refers to the process by which OIM controls the resources under its management.

and business and organizational relationships. delivery. Figure 4: Oracle Role Manager ORM provides a web-based user interface for role administration and management where users can create and modify roles. ORM enables business users to define user access by abstracting resources and entitlements as roles. ensuring appropriate access and preventing security holes and compliance violations.Oracle White Paper—Oracle Identity Management 11gR1 comprehensive auditing and reporting on the state of the provisioning environment to cope with stringent regulatory requirements such as Sarbanes-Oxley. Gramm-Leach-Bliley. 8 . Oracle Role Manager Oracle Role Manager (ORM) provides a comprehensive feature set for enterprise role life cycle management. role membership is dynamically recalculated. ORM provides a flexible and configurable user interface that allows users to model complex organizational data and relationships that can be used within role membership policies. is a key part of Sarbanes-Oxley compliance. Additionally. ORM is the authoritative source for enterprise roles in Oracle IM’s suite of products. Attestation. and HIPAA. Built upon a scalable Java EE architecture. also referred to as re-certification. define role membership according to business policy and map roles to resources. OIM offers a best-in-class attestation feature that can be deployed quickly to enable an enterprise-wide attestation process that features automated report generation. Role membership policies defined in ORM utilize organization and relationship data to drive role membership and ultimately access to resources. As business events occur and the organization changes. and notification.

” ORM provides a powerful role engine that uses your business policies and traverses the relationships between users and organizations to derive accurate. Serving as the central source of information for roles. polyarchy-enabled role engine: To properly reflect organizational reality and to maintain data integrity among interdependent hierarchies. this process identifies patterns in existing entitlements and user memberships to suggest roles that can be exported and managed within ORM. portals. single sign-on (SSO). Role delegation: By providing delegated administration of roles. databases. entitlements. and Oracle Directory Integration Platform (DIP) for user synchronization (OID and DIP are 9 . and web services (for more detail on this. including modifying role definitions. and standards-based federated SSO solutions to ensure maximum flexibility and a well-integrated. overlapping hierarchies or “polyarchies. Oracle Access Manager leverages Oracle Directory Services including Oracle Internet Directory (OID) for the persistence and management of user information. As shown in Figure 5. and mappings. real-time role membership. OAM provides authentication and SSO services in the web tier and integrates with applications and data providers by asserting authenticated identities to application access control systems. memberships. and the relationships between them to discover candidate IT roles. and identity assertion. please see the OAM and OES Integration section later in this document). OAM integrates with a broad array of authentication mechanisms. Context-aware. comprehensive web access control solution. ORM enables business users to easily delegate access and privileges (a function normally centralized in IT departments) without violating existing business policy. the ORM webbased user interface provides for the full administration of those roles. As mined roles become managed roles within ORM.Oracle White Paper—Oracle Identity Management 11gR1 ORM’s functional layers include: Enterprise role management and role mining: ORM’s tools for role mining take existing enterprise data about users. you need an organizational model that maps the intersection of multiple. third-party web servers and application servers. policy driven services for authentication. These complex relationships become a powerful store of data that role engineers can use to define policies for roles. Authoritative role and entitlement repository: ORM aggregates and manages contextual business information such as organizational relationships into a comprehensive role repository. Oracle Access Manager Oracle Access Manager (OAM) provides centralized. OAM complements its own coarse-grained authorization and attribute assertion capabilities by integrating with Oracle Entitlements Server to provide fine-grained authorization and entitlements to applications. these complex relationships supply authoritative data about “who should have what entitlements” to enterprise and identity management systems. Often referred to as the “bottom up” approach to role engineering.

OAM provides access to a specific resource (e. X.. check for a pre-existing authentication. Based on these credentials. OAM first checks whether the application is protected. Policy Manager.g. Identity administration: As shown in Figure 5. password management and self-service. validate credentials. when a browser user attempts to access an application. Oracle Access Manager can also leverage any other type of third-party user directory platform. smart cards. and out-of-the-box web server plug-ins called WebGates (or AccessGates for integration with application servers. simple username / password. a basic user and an administrator authorized to the same web application may have access to different levels of functionality through a personalized web page based on their role’s attributes. and user 10 . and other enterprise resources) work together to intercept access requests to resources. packaged applications. Figure 5: Oracle Access Manager OAM’s functional layers include: Authentication: OAM's Access Server.. If it is. For example. Typically. OAM enforces its security policies to authenticate the user against a user store and creates a session ticket (in the form of an HTTP (browser) cookie) enabling single sign-on or repeated access to the same application without re-logging. and authenticate users. following successful authentication.). etc. Access control: OAM allows coarse-grained authorization to resources based on user roles and access policies. Single Sign-On: Typically.Oracle White Paper—Oracle Identity Management 11gR1 described later in this document).509 certificates. OAM (through a WebGate or AccessGate) challenges the user for credentials (e. a web page) based on the authenticated user’s role.g. OAM provides a light-weight identity administration service including user and group management.

OAM is able to make calls to containermanaged applications in order to invoke authentication events that are enforced by OAM. Thanks to its tight integration with Oracle Platform Security Services or OPSS (see the Oracle Platform Security Services section later in this document). Typically. Oracle’s Siebel. It provides pre-built agents to protect. application servers. The application makes the decision to authenticate by calling OPSS for log-in. portals. Oracle’s PeopleSoft. Compliance reporting: OAM includes unified and centralized audit reporting for all OAM components. email systems. and Oracle E-Business Suite).Oracle White Paper—Oracle Identity Management 11gR1 synchronization. An OAM WebGate installed in Oracle HTTP Server (OHS) intercepts the request and communicates with OAM’s Policy Server to authenticate the request. These features improve an organization's ability to meet common governmental and industry regulations. Figure 6: OAM Securing Container-Managed Applications 11 . access. and single sign-on events. as shown in Figure 6. OAM generates a session ticket (HTTP cookie used as an SSO token). and relational databases. In Oracle Identity Management 11gR1. particularly in extranet environments. Oracle Identity Manager (described earlier) is recommended for more extensive identity administration services. OAM’s identity assertion provider extracts identity information from the SSO token (or from an optional HTTP header). with all operations stored and correlated in a secure database for analysis. successful or failed authentications. and manage all popular third-party web servers. a browser client attempts to access an application running in WebLogic Server. Following successful authentication. user directories. OAM comes with pre-built reports and the ability to create custom reports through Oracle Business Intelligence Publisher in order to provide greater visibility and reporting on common events such as user access attempts. OAM becomes the web access and single sign-on solution of choice for Oracle Fusion Middleware components and Oracle Fusion applications. Support for enterprise applications: OAM integrates with existing e-business infrastructures (such as SAP.

Typically. Oracle WebCenter’s remote portlets. Figure 7: Oracle Web Services Manager OWSM 11gR1 includes a policy manager and interceptors or enforcement points (also known as agents).Oracle White Paper—Oracle Identity Management 11gR1 This is just one example of OAM’s integration with OPSS. • OWSM 11gR1 is installed as part of Oracle SOA 11gR1 and Oracle WebCenter 11gR1. In this case. Agents can be on the service requester side (client) and/or the service provider side (endpoint server). OWSM is designed to protect access to multiple types of resources: • • Standards-compliant web services (Java EE. Microsoft . OWSM 11gR1 is the runtime policy governance component for the Oracle SOA Governance solution.).NET. Oracle Web Services Manager Oracle Web Services Manager (OWSM) is to web services what Oracle Access Manager is to web applications. In addition. etc. Service-oriented architecture (SOA) composites including Business Process Execution Language (BPEL) and enterprise service bus (ESB) processes. Both policy manager and agents run on Oracle WebLogic Server. Please refer to the OAM technical white paper for more examples. it provides production assurance for deployed SOA artifacts through policy-based security and participates at various stages of the closed-loop life cycle control. a 12 . PL/SQL.

OWSM 11gR1 doesn’t include its own user interface but benefits from the advantages of using the runtime monitoring and integration capabilities of Oracle EM. In addition to security policies.509 certificates) in WS-Security headers for authentication and authorization purposes). WS-Policy (an XML framework that describes the capabilities and constraints of a web service. in particular WS-Security (SOAP security extensions that provide message-level confidentiality. e. web services monitoring is now part of the larger monitoring of a whole enterprise application (OWSM agents provide Oracle EM with the monitoring information it requires). and WS-SecurityPolicy (which defines a set of security policy assertions used in the context of the WS-Policy framework). OWSM also leverages OPSS for identity propagation (ability to read and set javax. In addition. data integrity. As a result. credentials store.g. An OWSM gateway performs the same enforcement functions in the DMZ as an OWSM agent.Subject).). In addition.auth. X. Tight integration with Oracle Platform Security Services (OPSS): OWSM 11gR1 leverages OPSS’s log-in module infrastructure for authentication and makes it possible to plug in custom log-in modules.g. OWSM sets a Fusion security context for consumption by Fusion applications.. 13 . Oracle Enterprise Manager (EM) for monitoring: Unlike OWSM 10g. Following successful authentication. and management policies (see Figure 7). OWSM’s strict compliance with industry standards allows the publication of security requirements in the Web Service Definition Language (WSDL) file that describes each web service. In Oracle Fusion Middleware 11gR1.Oracle White Paper—Oracle Identity Management 11gR1 request made to a web service is intercepted by an OWSM agent which enforces security policies defined in the OWSM policy manager. reliable messaging (RM). key store and certificate OWSM’s policy model is the security lynchpin for Oracle Fusion Middleware 11gR1’s web-services-based components. and profiles that specify how to insert different types of binary and XML security tokens (e. etc. required security tokens. OWSM 11gR1 is integrated with Oracle JDeveloper to provide declarative policy attachment at development time (see Figure 7). Perimeter security: OWSM 11gR1 leverages OWSM 10g’s gateway as a security proxy (OWSM 11g will have its own gateway in a post-11gR1 release). WLS policies are provided by WLS and a subset of WLS web services policies interoperate with OWSM policies. OWSM 11gR1 integrates with market-leading XML appliances providing perimeter security and intrusion detection. and auditing (see more detail on Java subject in the OPSS section later in this document).. OWSM 11gR1 supports Message Transmission Optimization Mechanism (MTOM). OWSM’s functional layers include: Industry-standards-compliant policy management: OWSM 11gR1’s policy manager is based on web services security industry standards. you can provide security and management policy enforcement of WebLogic Server (WLS) web services based on the Java API for XML Web Services (JAX-WS) using either OWSM or WLS web services policy types. encryption algorithms.

14 . Federation: SAML facilitates identity management (e.g. SAML is an open framework for sharing security information on the Internet through XML documents. OIF servers can be also configured to support specific loaddistribution algorithms and remove configured servers from service if particular machines go down. which multiple servers can access. Oracle Identity Federation (OIF) 11gR1 is a standalone federation server that bundles all the required components necessary for deployment. including a Java EE container (Oracle WebLogic Server) and a web server (Oracle HTTP Server (OHS)). OIF allows customers to set up a system with shared database instances (to store session data). OIF is designed to support mission-critical applications through load balancing and failover. Proprietary web single sign-on (SSO): SAML provides a standard way to implement SSO within a single domain or across multiple domains. described above). account linking when a single user is known to multiple web sites under different identities).Oracle White Paper—Oracle Identity Management 11gR1 Oracle Identity Federation Identity federation is required when there is a need for single sign-on beyond a single Internet domain (this requirement is met by Oracle Access Manager.. Figure 8: Oracle Identity Federation The most widely accepted industry standard for identity federation is the Security Assertion Markup Language (SAML). SAML was designed to address the following: Limitations of web browser cookies to a single domain: SAML provides a standard way to transfer cookie information across multiple Internet domains.

OIF 11gR1 introduces support for Microsoft Windows CardSpace (CardSpace provides a user’s digital identity in information “cards”. Certificate validation support: OIF provides a certificate validation store to support X. OIF supports the following protocols: SAML 1. monitoring: Audit (integration with Oracle Platform Security Services’ common audit framework (CAF) and Oracle Business Intelligence Publisher).). mentioned earlier in this document). for example.. and federated sign-out. Audit. Administrators can sign and encrypt outgoing SAML assertions as well as validate and authenticate messages received from trusted providers.g. It enables you to manage trusted certificate authorities (CA) and certificate revocation lists (CRL) in an easy-to-use administration console. fully supported by Oracle Web Services Manager.0. support for privacy by hiding identity and attribute information. 15 . OIF can authenticate users against a user directory or a database. In addition. and logging integrated with Oracle Fusion Middleware and Oracle Identity Management. monitoring (Oracle EM). Acting as a service provider. Liberty Alliance ID-FF 1. As a federation represents account linking between a user and two providers (the identity provider and the service provider). 1.Oracle White Paper—Oracle Identity Management 11gR1 Web services security: SAML provides a standard security token (a SAML assertion) that can be used with standard web services security frameworks (e. OIF’s functional layers include: Multiple Federation Protocols Support: OIF participated in vendor-neutral conformance events and has achieved Liberty Alliance certification for Liberty ID-FF and SAML 2.1 and 1. WS-Security. Identity propagation: SAML provides a standard way to represent a security token that can be passed across the multiple steps of a business process or transaction. OIF provides simplified programmatic interfaces to allow customers to directly integrate with specific applications or homegrown solutions. If a supported authentication or authorization system is already deployed.0. This use of SAML is particularly relevant to web services security. Acting as an identity provider.0. the two providers agree to identify an individual using the data contained in the federation contract.2. thus requiring no additional operational footprint. and 2. WS-Federation (WS-Federation enables brokering of trust and security token exchange. an OIF identity provider can challenge a user for login via the CardSpace protocol and then return a SAML assertion based on the CardSpace authentication and claims). from browser to portal to networks of web services.509 certificates for digital signatures and encryption. OIF can leverage it to authenticate users and create authentication (SAML) assertions to be passed on to partner applications. logging.1. OIF communicates with a supported authentication or authorization system to determine the access privileges of authenticated users by locating the attributes of the user from the data repository. Bulk account set up and provisioning: OIF includes a tool that enables administrators to bulk load user federation records. Support for heterogeneous architectures: OIF seamlessly integrates with third-party identity and access management solutions.

Authentication Manager: Enforces security policies and ensures regulatory compliance by allowing organizations to use a combination of tokens. policies. and report on the entitlement policies that affect them. and roles. Provisioning Gateway: Improves operational efficiencies by enabling organizations to directly distribute single log-in credentials to the Logon Manager based on provisioning instructions from Oracle Identity Manager. smart cards. Password reset: Reduces helpdesk costs and improves user experience by enabling strong password management for Microsoft Windows through secure. Oracle Entitlements Server Oracle Entitlements Server (OES) is a Java EE-based. Oracle eSSO’s functional layers include: Logon Manager: Strengthens security and improves user productivity by enabling end users to securely use a single log-in credential to all web-based. OES offers a sophisticated delegated administration model that allows multiple organizations and application stakeholders to create. the Administration Server and Security Modules. Enterprise JavaBeans. OES is made up of two major components. biometrics. self-service interfaces. OES secures access to application resources and software components (such as URLs.and thin-client applications with no modification required to existing applications. users don’t have to remember and manage multiple passwords thus saving helpdesk time in responding to user requests for resetting forgotten passwords. organizations. unifies. The Administration Server acts as the policy administration point (PAP) and is used to manage configurations. Kiosk Manager: Enhances user productivity and strengthens enterprise security by allowing users to securely access enterprise applications even at multi-user kiosks and distributed workstations. fine-grained authorization engine that externalizes. and Java Server Pages) as well as arbitrary business objects (such as customer accounts or patient records in a database). applications. and legacy applications. Security Modules evaluate fine-grained access control policies at the policy decision point (PDP) and enforce them at the policy enforcement point (PEP). OES enforces authorization at runtime through one or more Security Modules. and passwords for strong authentication throughout the enterprise. modify.Oracle White Paper—Oracle Identity Management 11gR1 Oracle Enterprise Single Sign-On Oracle Enterprise Single Sign-On (eSSO) is a desktop-based suite of products providing unified authentication and single sign-on to thick. flexible. With Oracle eSSO. client-server. and simplifies the management of complex entitlement policies. OES provides a centralized administration point for complex entitlement policies across a diverse range of business and IT systems. OES’s unique architecture allows Security Modules to be combined as a single 16 .

Features of policy distribution include: ability to update policies in Security Modules without interrupting 17 . fully delegated administration with flexible role mapping of users. The Security Modules are also the integration point for user identities and access to external attributes that may be incorporated into policies. A typical OES policy could be as follows: “Grant the ‘Get’ action for ‘AccountReports’ to anyone who is in the user group ‘BankManagers’.Oracle White Paper—Oracle Identity Management 11gR1 policy decision point and policy enforcement point that runs in process with an application to vastly increase the performance and reduce latency of runtime authorization decisions. OES’s functional layers include: Policy administration: Support for massive policy stores with thousands of resources and policies. Figure 9: Oracle Entitlements Server OES policies specify which users. These information sources can be relational databases. This distribution provides a transactional mechanism to ensure each Security Module has just the policy it needs. fully programmable administrative interface for custom administrative needs. OES’s administration model is protected by OES itself. or any other source of data. web-based interface that runs on popular Java EE containers.” Through a unique. allowing those roles to be dynamically resolved at runtime. Policy distribution: OES’s Administration Server handles the task of publishing policies to the individual Security Modules protecting applications and services. more granular access control decisions. partitioning features for large numbers of organizations and applications. flexible architecture. identity directories. Security Modules include attribute retrievers to return information dynamically during policy evaluations from policy information points (PIP). and/or roles can access application resources. web services. OES can also evaluate specialized attributes to make further. groups.

sophisticated protocol which handles interrupted distribution scenarios. personal identification numbers (PIN). Adaptive Strong Authenticator (ASA) provides multifactor authentication and protection mechanisms for sensitive information such as passwords. identities (users. and IBM WebSphere. Support for multiple platforms: OES runs on many popular Java EE containers such as Oracle WebLogic Server. Reports are available as simple text files for consumption by downstream business intelligence or reporting tools. Security Modules operate in a disconnected mode with no runtime dependency on OES. and unique authentication strengthening. Figure 10: Oracle Adaptive Access Manager OAAM consists of two primary components that together create one of the most powerful and flexible weapons in the war against fraud. roles) and even permissions. security questions. Oracle Adaptive Access Manager Oracle Adaptive Access Manager (OAAM) provides protection for businesses and their customers through real-time fraud prevention. Policy repositories can be managed against Oracle Database. multifactor authentication. groups. Microsoft SQL Server. Policy reports can be generated for specific application resources (e. Enterprise JavaBeans). database columns.g. simple architectural requirements for policy distribution without forsaking security and integrity of policies in-flight. Sybase. and IBM DB2. Tomcat. Policy reporting: OES provides an ad-hoc query facility to help policy administrators understand how users and roles map to permissions and entitlements. intelligent push technology that only pushes the policies needed by a Security Module.Oracle White Paper—Oracle Identity Management 11gR1 applications. tokens. account numbers 18 .

Behavior profiling: ARM dynamically identifies high-risk situations by learning. assess their usefulness at preventing fraud. Fraud intelligence: Security policies need to be able to adjust to new requirements without needing to bring down a production system. test-run specific rules. Fraud investigation and forensics: ARM provides real time and offline risk analysis tools to simplify investigation and auditing. and proactive actions to prevent fraud at critical log-in and transaction checkpoints.509 certificates. one-time passwords. device fingerprints. ASA includes a server component and a suite of web-based virtual authentication devices that secure sensitive user authentication information and protect against malware attacks such as key loggers and mouse-click loggers as well as man-in-the-middle attacks.Oracle White Paper—Oracle Identity Management 11gR1 and other credentials. and maintaining what a normal behavior is for users and devices. In this way. and track the difference in system behavior as a result of policy change before fraud occurs. Risk analysis: ARM evaluates risk by analyzing contextual data from a variety of sources. By looking at various risk factors simultaneously. refreshing. smartcards. including web SSO forms. Adaptive Risk Manager (ARM) provides real-time and offline risk analysis. OAAM’s functional layers include: Authentication security: ASA provides a solution for strengthening any authentication scheme. and Oracle Virtual Directory (OVD) to provide identity aggregation and transformation without data copying. ARM can store the relative risk level at any time and take steps to proactively prevent fraud and alert investigators. Oracle Directory Services Oracle Directory Services (ODS) include Oracle Internet Directory (OID) to handle data storage and directory synchronization services. X. knowledge-based authentication. fraud prevention can adapt to the changing behavior of users without manual intervention. transactional data. and user directory and database authentication. geolocation. 19 . biometrics. and third-party data feeds. including user profiles. OAAM gives security administrators the ability to experiment with different security policies. Internet Protocol (IP) addresses. Reporting can be done using Oracle Business Intelligence Publisher.

search. High availability: OID is designed to enable continuous service availability at the OID server process level and at the data storage level. the ability to run multiple LDAP server processes on a single OID server node provides vertical scalability by increasing the number of server process per hardware node. and information security. LDAP-based multi-master replication with 20 . OID is predicated on the Lightweight Directory Access Protocol (LDAP).” Based on robust and field-proven Oracle Database replication technology. In addition. thus providing LDAP directory services with an unsurpassed level of scalability. access privileges (for authorization). an Internet standard designed to organize directory information and to allow communication of client applications with directories for look-up. and retrieval operations. high-availability. and profile information. Multi-master replication between OID servers ensures that if any of the servers in the replicated environment goes down. OID’s functional layers include: Scalability: The LDAP servers running on an OID server node are multithreaded to use database connection pooling in order to prevent running into resource limitations as the number of simultaneous LDAP client connections increases. this ensures full availability even in the event of hardware failure. and horizontal scalability by distributing server processes over clustered hardware nodes. Oracle Fusion applications and in-house enterprise applications with a standard mechanism for storing and accessing identity data such as user credentials (for authentication). OID is implemented on top of Oracle Database technology. any other server can act as the “master.Oracle White Paper—Oracle Identity Management 11gR1 Figure 11: Oracle Directory Services Oracle Internet Directory Oracle Internet Directory (OID) 11gR1 provides Oracle Fusion Middleware components.

DIP enables OID to be interoperable with third-party meta-directory solutions. and setting up and configuring LDAP replication. and. Microsoft Active Directory and Active Directory Lightweight Directory Services (LDS). Wizards guide users through the process of profile creation and graphical attribute-mapping between third-party directories and OID. such as Sun Java System Directory Server. In addition. Oracle Database. Oracle Business Intelligence Publisher is used for audit report generation. OpenLDAP. sizing and tuning OID. Enhanced diagnostics (now built into all of Oracle Fusion Middleware components) make use of execution context identifiers (ECID) attached to directory operations. with a wide variety of out-ofthe-box and customizable reports. mentioned above).Oracle White Paper—Oracle Identity Management 11gR1 any number of nodes is an additional option with OID 11gR1. as well as connectors for synchronizing information with third-party LDAP servers. 21 . and very granular filtering and partitioning options. Oracle EM provides management and monitoring of OID distributed processes and their performance including host characteristics as well as end-to-end network layer security (SSL) configuration. ODSM provides OID (and OVD) administrators with an easy-to-use administration tool including deployment accelerators for creating new users. DIP includes connectors for out-of-the-box synchronization with Oracle E-Business Human Resources. In addition. Directory integration platform: OID includes a directory integration platform (DIP). schema creation and modification. new with 11gR1. Based on Oracle’s Application Development Framework (ADF). Information security: OID administrators can define their directory service environment in order to provide different levels of access to the directory information based on how a given user was authenticated (both password and certificate-based authentication are natively supported). Novell eDirectory. ODSM supports administrative tasks such as LDAP data browsing. LDAP replication provides more flexible deployment topologies with very little overhead. and audit management. DIP is managed and monitored using Oracle EM. Enhanced usability and diagnostics: OID 11gR1 delivers superior usability with Oracle Directory Services Manager (ODSM). Integrated management and monitoring: OID 11gR1 administration and monitoring have been streamlined around two complementary components: Oracle Enterprise Manager (EM) 11g Fusion Middleware Control and Oracle Directory Services Manager (ODSM. and management of directory data security. IBM Tivoli. a set of services enabling customers to synchronize data between various third-party data sources and OID targets. This allows an administrator to trace an operation such as a failed user log-in through the entire environment starting with the web server all the way down to OID and finally the database. OID supports two unique database security features: Oracle Database Vault (enforcing separation of duty for database administrators) and Oracle Transparent Encryption (automatically encrypts data when it is written to disk and decrypts it when it is read back to the authorized user). OID 11gR1 offers attribute-level encryption.

Novell eDirectory. Oracle Virtual Directory One of the identity management challenges enterprises are facing is the lack of a single source for identity data and the proliferation of identity stores including directories and databases. 22 . customer and partner data in customer relationship management systems. and the Oracle Directory Services Manager (ODSM). Support for Database Enterprise User Security (EUS): The combination of EUS (as part of Database Advanced Security) and OID (or OVD) forms the centerpiece of the Oracle Database enterprise user security strategy. and PL/SQL for client integration with OID’s functionality. Extensibility and client-side development: Oracle provides the Oracle Internet Directory SDK intended for application developers using Java. In many cases. and OpenLDAP. For more information on this. C. this role is left to the persistence systems used for that purpose. the authentication services for operating systems functionality uses Pluggable Authentication Modules (PAM) which are standard operating system modules available on most Unix and Linux distributions designed to support externalized authentication. Oracle Virtual Directory (OVD) is designed to provide real-time identity aggregation and transformation without data copying or data synchronization. and additional LDAP directories. such as OID). user accounts.Oracle White Paper—Oracle Identity Management 11gR1 External authentication: OID’s external authentication functionality enables seamless authentication against third-party directories. sudo authorization policies. Enterprises have employee information in various repositories such as human resources databases and/or Microsoft Active Directory. Since OVD enables applications to access existing authoritative identity data sources without copying. and enforce enterprise-wide strong passwords across server platforms. such as Microsoft Active Directory. simplify user migration. OVD includes two primary components: the OVD Server to which applications connect. SUN Java System Directory Server. C++. thus simplifying user and resource provisioning and accelerating application deployment. as described in the previous section). this can completely remove the need to synchronize sensitive password information into OID. and ensure strong default security between network endpoints. please see the Oracle Identity Management and Oracle Database section later in this document) Authentication services for operating systems: This functionality leverages OID to enable enterprises to centralize Unix and Linux authentication. a web-based administration user interface for server configuration (also used by OID. In addition to OID. and automation tools that configure both PAM and OID components. it reduces the need for application-specific user stores and data synchronization. OVD provides a single standard interface to access identity data no matter where it resides while hiding the complexity of the underlying data infrastructure (OVD does not store information.

23 . Enhanced usability: As mentioned in the previous section. and a web service but applications want to treat it as a single entry. it is able to create application-specific views of data. Data transformation and application-specific views: OVD not only virtually unifies data. OVD 11gR1 leverages Oracle Directory Services Manager (ODSM) which provides enhanced usability for administrators. the data must be made accessible via an LDAP interface. The simplest way to make OVD highly available is to add multiple nodes and then use roundrobin DNS or load-balancers to route requests properly. availability and manageability: OVD can route requests to different sources based on name or user ID ranges.” LDAP interface for non-LDAP data: Many applications including the various Oracle IM components described in this document and Oracle Database use LDAP to access identity information. This maximizes the benefits of database and account security while eliminating the potential problems caused by trying to copy existing identity data into multiple repositories. attribute names and values. a user’s identity information is stored in a database. The database can use OVD to allow this data to be stored in a third-party LDAP directory. A split profile is one where the user identity data is divided between two or more sources. This reduces the number of passwords that a person needs to remember and can eliminate the need to have a provisioning product update individual databases.Oracle White Paper—Oracle Identity Management 11gR1 OVD’s functional layers include: Single interface for identity: OVD provides a join adapter allowing support for split profiles. For example. In addition. For example. structures. Enterprise scalability. Many of these transformations are possible with configuration. customers can do their own business-logic-driven transformations using OVD’s Java plug-in API. As a result. OVD can also leverage additional Oracle technology such as Oracle TimesTen or Oracle Coherence to further reduce latency and improve scalability. it can also transform data (for example change ORCL to Oracle) and provide application-specific views. OVD contains adapters that allow LDAP-enabled applications to leverage database or web-service data directly without the need to copy the data into another LDAP server. Because OVD is stateless and supports data transformations. to leverage data in a database or a web service. OVD can be deployed either centrally or geographically dispersed depending upon application requirements. an LDAP server. The join adapter uses a join rule (similar to a SQL join condition) to virtually link the data together into a “super-entry. Database account and role management centralization: Oracle Database supports centralizing accounts and roles in an enterprise directory. This means that different applications (all accessing the same OVD server) can appear to be accessing completely different data schemas. OVD can expose Oracle’s PeopleSoft or Oracle’s Siebel Universal Customer Master (UCM) data as LDAP for applications to access.

Enterprise Edition (Java EE) applications. identity management. Standard Edition (Java SE) and Java Platform. provided by Oracle Platform Security Services (described in this section) and the Identity Governance Framework and ArisID (described in the next section). systems and security administrators can access OPSS services for configuration purposes through Oracle Enterprise Manager Fusion Middleware Control or command line tools. When the application is deployed to the runtime environment. portable. At development time. but they face challenges in implementing security in the various layers of multi-tiered web applications.Oracle White Paper—Oracle Identity Management 11gR1 Oracle Platform Security Services One of the key benefits and differentiators of Oracle Identity Management 11gR1 is enhanced support for application development. and integrated applications benefit from the same. Oracle Platform Security Services (OPSS) provides enterprise product development teams. Thanks to OPSS. portable framework that runs on Oracle WebLogic Server. OPSS is the security foundation for Oracle Fusion Middleware: all Oracle Fusion Middleware 11g components and Oracle Fusion applications “consume” OPSS’s services. Companies understand the necessity of including security as part of the development process. enterprise-grade security framework for Java Platform. OPSS services can be directly invoked from the development environment (Oracle JDeveloper) through wizards. Figure 12: Oracle Platform Security Services OPSS is a self-contained. in-house-developed applications. integrated. OPSS insulates developers from the intricacies of tasks not directly related to application development by providing an abstraction layer in the form of standards-based application programming interfaces (API). systems integrators. third-party applications. uniform security. 24 . and audit services across the enterprise. and independent software vendors with a standards-based.

It also provides resource-based authorization for the environment. WS-Security. database systems. OPSS leverages OSDT for SSL configuration and Oracle Wallet (used by Oracle Identity Management products. Administrators can use OPSS to deploy large enterprise applications with a small. Oracle SOA. XML encryption. OSDT is used in many Oracle products including Oracle applications and Oracle Fusion Middleware components. OPSS provides out-of-the-box support for (1) applications using WebLogic Server’s internal security and SSPI. a set of Java-based cryptographic libraries supporting XML signature. 25 . • OPSS also includes Oracle Security Developer Tools (OSDT).0. Java Platform. SSPI is a set of APIs designed to implement pluggable security providers in order to support multiple types of security services. OPSS includes Oracle Fusion Middleware’s security framework (formerly referred to as Java Platform Security (JPS) or JAZN). In addition. such as custom authentication or a particular role mapping. and JDeveloper/ADF integration (application security life cycle support). such as Oracle Entitlements Server and Oracle Access Manager.4 as a JAAS-compatible authentication and authorization service working with XML-based and Oracle Internet Directory providers. these services are consumed by Security Services Provider Interface (SSPI). and Java Authorization Contract for Containers (JACC). such as Oracle ADF. • SSPI provides Java EE container security in permission-based (JACC) mode and in resourcebased (non-JACC) mode. and Oracle Web Services Manager. Oracle WebCenter. Java Authorization and Authentication Services (JAAS). and Oracle Database). XML Key Management Specification (XKMS). JPS was first released with Oracle Application Server 9. Enterprise Edition (Java EE). and (2) applications using JPS. In 11gR1. SAML. such as LDAP servers. uniform set of tools and administer all security in them. User and Role API. OPSS simplifies the maintenance of application security because it allows the modification of security configuration without changing the application code. Oracle EM. thus allowing customers to choose their security model. Developers can use OPSS APIs to build security features for all types of applications and integrate them with other security artifacts. Oracle Fusion Middleware Audit Framework. which becomes part of OPSS as well. and other non-XML standards such as Secure / Multipurpose Internet Mail Extensions (S/MIME) and Online Certificate Status Protocol (OCSP). OPSS includes Oracle WebLogic Server's internal security services used by BEA-heritage products such as Oracle Entitlements Server. and custom security components. JPS has been expanded to include the following services (described later in this section): Credential Store Framework (CSF).Oracle White Paper—Oracle Identity Management 11gR1 OPSS complies with the following standards: role-based-access-control (RBAC).

OPSS supports role hierarchy. and CORBA Common Secure Interoperability version 2 (CSIv2) identity assertion. Authorization: OPSS provides a Java policy provider that supports code-based and subject-based authorization. Unlike Java EE’s logical roles. an ADF task flow) and entitlement sets (authorized actions 26 . light-weight SSO is provided by a SAML-based solution using WebLogic Server’s SAML Credential Mapping Provider. OPSS authentication providers enable identity propagation across multiple components in a domain through subjects (see the Oracle IM 11gR1 Components Integration section). SAML assertions. The Authentication provider that WebLogic Server installs uses an embedded LDAP server. and database systems to host data for enterprise applications. Authentication providers include the Default Authenticator. external LDAP stores.. Identity Assertion: The WebLogic Identity Assertion providers support certificate authentication using X. Note: A subject is a grouping of related security information that includes a collection of principals such as a name (“John Doe”). For small environments that don’t need to be integrated with an enterprise SSO solution such as OAM. SPNEGO tokens.auth.g. Single sign-on (SSO): Authentication providers can use different types of systems to store security certificates. together with (optional) security-related attributes (credentials) such as passwords or cryptographic keys. an email address (“jd@oracle. The Java class javax.Oracle White Paper—Oracle Identity Management 11gR1 Figure 13: Oracle Platform Security Services Architecture OPSS’s functional layers include: Authentication: OPSS uses WebLogic Server authentication providers.Subject represents a subject and an instance of this class is created and populated with principals when authentication succeeds. OPSS also provides an advanced policy model that includes elements such as resource types (e. components that validate user credentials or system processes based on a user name-password combination or a digital certificate. Oracle Fusion Middleware 11g also supports perimeter authentication and SSO through Oracle Access Manager (OAM).com”). OPSS supports application roles (logical roles specific to an application).

The Oracle Fusion Middleware audit framework provides out-of-the-box customizable analytical reporting capabilities within Oracle Business Intelligence Publisher. OPSS is integrated with Oracle JDeveloper. edit authorization policies. and during authorization when determining what actions the subject can perform. an administrator uses FMWControl to manage the application’s security policies. OPSS’s security stores are virtualized through Oracle Virtual Directory (OVD).. In any non-trivial 27 . or change audit policies. Post deployment. Role mapping: OPSS supports the mapping of application roles to enterprise groups in the domain Policy Store.. The User and Role API frees the application developer from the intricacies of particular identity sources. Typically a developer deploys her application to a WebLogic Server domain embedded in JDeveloper. The Policy Store is the repository of application and system policies. Audit: OPSS provides a common audit framework for Oracle Fusion Middleware products. OPSS is integrated with FMWControl to allow application security policies and credentials migration to be configured during application deployment. This mechanism allows users in enterprise groups to access application resources as specified by application roles. OPSS provides the Credential Store Framework (CSF). OPSS also provides a policy management API allowing programmatic control over authorization policies. Using Oracle EM Fusion Middleware Control or WebLogic Scripting Tool (WLST). The Credential Store is the repository of domain credentials. read. The developer can then deploy the application to a remote WebLogic Server domain using Oracle Enterprise Manager Fusion Middleware Control (FMWControl). a set of APIs that applications can use to create. or editing the permissions granted to an application role. no matter the kind of domain policy repository employed (file-based or LDAPbased). Application life cycle support: OPSS provides support for all the phases of an application’s life cycle. Customers using OPSS automatically get the benefit of audit without writing a single line of audit-related code. Execution Context Identifier (ECID) or user ID) across multiple components. which allows an application designer to model security into the application when building Oracle ADF task flows.g. e. the administrator can manage an application’s authorization policies. Credentials are used during authentication when principals are populated in subjects. Oracle JDeveloper also provides an authorization editor that allows developers to create authorization policies for ADF taskflows and pages without writing a single line of code. data can be analyzed on multiple dimensions (e. Security stores: The Identity Store is the repository of enterprise users and groups. User and role: OPSS’s User and Role API framework allows applications to access identity information (users and roles) in a uniform and portable manner regardless of the particular underlying identity repository. OPSS uses one logical store to keep both policies and credentials. All such changes are transparent to the application and do not require any application code change. update.Oracle White Paper—Oracle Identity Management 11gR1 on a given resource instance) allowing complex authorization policies to be conveniently defined and managed. including mapping application roles to enterprise groups and users.g. and manage credentials securely.

enforce. an application normally goes from development to a staging (or test) environment before being put in full-blown production. Oracle has created the Identity Governance Framework (IGF) project. 28 . the first incarnation of the IGF project is ArisID Identity Beans. and propagated between applications. attributes and entitlements) is used. audit policies configured in a test domain can be exported into the target production domain. IGF allows application developers to build applications that access identity-related data from a wide range of sources. ArisID is designed for developers to access identity information using a single API. Identity Governance Framework and ArisID As mentioned in the previous section.g. The application developer uses the CARML API to both declare the attribute data needed for the application and the operations needed to support the application (the CARML API uses SAML and SOAP-based protocols to communicate with attribute services). and audit policies concerning the use of identity-related data. For example. IGF is designed to help enterprises control how identity-related information (e. stored. Attribute service: a web service that reads the CARML file in order to configure “views” of one or more attribute authorities that meet the requested data requirements of the application specified in the CARML document. developers will still be inclined to map the User and Role API to business objects. ArisID enables access and management of identity information stored in different types of repositories accessed using different protocols. ArisID implements the IGF specification and in particular it enables developers to create their own virtual identity database while retaining the ability to interconnect with enterprise identity services. and administrators and deployers to define.Oracle White Paper—Oracle Identity Management 11gR1 application scenario. To simplify this development process. CARML indicates the required and optional attributes. now hosted by the Liberty Alliance (www. OPSS leverages its User and Role API to provide developers with relatively simple methods to manage identities.. OPSS supports this model by providing migration tools that move security policies from a test domain into a production domain. However. • • In 11gR1. and indexes the application will use when deployed (CARML is to an application what WSDL is to a web service).projectliberty. Attribute Authority Policy Markup Language (AAPML): An Extensible Access Control Markup Language (XACML) profile designed to allow attribute authorities to specify conditions under which information under management may be used (and possibly modified) by other applications. IGF’s functional layers include: • Client Attributes Markup Language (CARML): A specification built by the developer during the development process.

The next release of Oracle Management Pack for Identity Management will additionally leverage Oracle Fusion Middleware Control 11gR1 to provide monitoring capabilities for Oracle IM 11gR1. one of the salient features of Oracle Identity Management 11gR1 is to optimize release synchronization between the various components making up the suite. and connectivity. Oracle Management Pack for Identity Management Oracle Management Pack for Identity Management leverages Oracle Enterprise Manager's broad set of capabilities in configuration management.0.0 10.1. performance In this way.0 29 .0 11. Please visit www.4. The OVD Provider for ArisID is a library that enables OVD to provide identity services to an application using the ArisID API.3. and service-level management to control end-to-end Oracle Access Manager. Oracle IM 11gR1 Components Release Table As mentioned at the beginning of this document.1. COMPONENT DESCRIPTION COMPONENT RELEASE NUMBER Oracle Identity Manager Oracle Role Manager Oracle Access Manager Oracle Web Services Manager Oracle Information Rights Management Oracle Identity Federation Oracle Enterprise Single Sign-On Oracle Entitlements Server 9.0 10.1.0 10.1.4. protocol transformation. Oracle Identity Manager and Oracle Identity Federation 10g environments.5.1.1. The Oracle Virtual Directory (OVD) Provider for ArisID is an example of an ArisID provider.0 11.2.3.Oracle White Paper—Oracle Identity Management 11gR1 ArisID uses a declarative.1.1. It summarizes the release number for each component making up Oracle Identity Management 11gR1.3. OVD plus the OVD Provider library for ArisID and the ArisID API library comprise a complete set of libraries that can be used by applications to access identity services. multi-function API that depends on providers to do the work of data mapping.4.0 10. The following table shows a first substantial step in that direction.1.html to download a developer preview of ArisID.

0 11. The former emphasizes end-to-end identity management and provisioning while the latter focuses on role life cycle management.0.1.0 11.1.1. Figure 14: OIM and ORM Integration OIM extracts user attributes including role and relationship data from ORM.0 10.4.0 30 .1. This seamless integration uses role membership and policy to automate and enforce user access to information. A comprehensive.1. OIM and ORM Integration OIM and ORM complement each other to ensure that provisioning events are based on roles.1.1. Figure 14 describes how the two systems work together.Oracle White Paper—Oracle Identity Management 11gR1 Oracle Adaptive Access Manager Oracle Internet Directory Oracle Virtual Directory Oracle Platform Security Services Oracle Identity Governance Framework and ArisID Oracle Management Pack for Identity Management 10.1.0 Oracle IM 11gR1 Components Integration This section focuses on how Oracle IM’s various components work together (as well as with third-party environments) to provide integrated security across web transactions.5.2. time-stamped audit trail is maintained of all user provisioning activities.0

. etc. The integration library (installed both on OIM and ORM) transfers the user's information from OIM to ORM together with entitlement data. 4.Oracle White Paper—Oracle Identity Management 11gR1 applications and systems. Figure 15: OIM Support for SPML As shown in Figure 15.” OIM takes enterprise role information from ORM and begins provisioning or deprovisioning user access based on role membership information. Using user and entitlement data from OIM. This role information is then sent to OIM through the integration library. LDAP. assign role.). create user. 2. etc. thus enabling rapid integration across heterogeneous environments. OIM provides a wealth of provisioning connectors to target applications. SPML defines interoperable management of provisioning services objects (PSO). which listens for SPML 31 . 3. these role engineers then assign users and entitlements to roles. ORM becomes authoritative for which users get which entitlements based on role membership. etc. A PSO represents information on a target resource. or identity.) to a provisioning service provider (PSP) such as OIM. In addition. OIM pulls information from identity sources (enterprise applications. providing an end-to-end RBAC solution for identity management deployments. Role engineers create enterprise roles (such as business roles and IT roles) in ORM. directories. As role events continue to occur in ORM. OIM implements the industrystandard Service Provisioning Markup Language (SPML) to help organizations provide user access to resources without custom connectors. Essentially. 1. Microsoft AD. OIM and Third-Party Environments Integration As mentioned previously in the Oracle Identity Manager section. The integration ensures that provisioning events are based on roles. OIM and ORM provide an enterprise RBAC solution for identity management. a requesting authority (RA) issues an SPML request (e.g. Together. these role changes are communicated to OIM through the integration library. for example a provider would represent as an object each account that the provider manages. OIM also pulls entitlement data from resources (e.g. communicating the message of “who should have what.) and creates a new user.

Upon successful authentication. 5. locally authenticates the user and redirects the user to the target resource. 32 . 2. At the service provider. OAM sets an SSO cookie and asserts the authenticated identity to the federation service (OIF). new in Oracle Identity Management 11gR1. Authorization Integration OAM and OIF Integration 1. Oracle Access Manager. and sends the (signed and encrypted) SAML assertion to a service provider. 4. Oracle Adaptive Access Manager. Identity Assertion. Authorization Integration Figure 16 shows how Oracle Identity Federation. and Oracle Entitlements Server work together across the web. A user requests access to a protected resource. and data tiers. OIF generates an authentication ticket (a SAML assertion) based on the information provided by OAM. The provisioning service target (PST) consumes the SPML requests it receives from the PSP.Oracle White Paper—Oracle Identity Management 11gR1 requests and processes them. OIF (or any other SAML-compliant security system) consumes the SAML assertion produced in step 4. Authentication. Identity assertion directly relies on the integration of Oracle Access Manager with WebLogic Server (the identity asserter is provided by the latter). Figure 16: Authentication. application. OIF intercepts the request and redirects it to OAM for authentication. Identity Assertion. 3. OAM challenges the user for credentials.

2. OAM and OES Integration 1. 6. 4. OAM intercepts the request and challenges the user for credentials. and executes a dynamic role evaluation. 5. OES retrieves information about the trusted subject. The OWSM client agent inserts the necessary security information in the SOAP message header (for example a signed SAML assertion or a simple username / password token). For instance. Upon successful authentication. either an OWSM server agent or a web-services-standardscompliant security system intercepts the incoming message and consumes the standardsbased security information provided in the SOAP message header to enable authorized access to the remote web service. OAM intercepts the request and challenges the user for credentials. The OWSM client agent sends the SOAP request to the remote web service. OES check the application authorization policy against the subject and role. OAM asserts the authenticated user’s identity and passes an authorization request to OES. consider an expense approval service. A user accesses a protected web resource. Entitlements within the service gateway can detect this by looking inside the message structure and using contextual information to deny access. and security context. A web service may be selectively entitled to certain types of users based upon the contents of the messages being sent to the service itself. resource request. For example. A user requests access to a protected portal resource. OAM sets a session cookie and authorizes the user to access the requested resource. based on the asserted identity information provided by OAM. An OWSM client agent intercepts the request before it leaves the portal. 3. OAM sets an SSO cookie and asserts the authenticated identity to the portal application. the policy may define 33 . 3.Oracle White Paper—Oracle Identity Management 11gR1 OAM and OWSM Integration 1. 2. and enforces the fine-grained resource access. 4. At the remote web service site. The portal application sends a web service request (SOAP) to a remote web service on the original requester’s behalf. A rogue employee may attempt to hijack the service to get a bogus expense report approved by invoking the back-end services. 5. OES and OWSM Integration OES provides fine-grained entitlement abilities to OWSM. Upon successful authentication of the user.

The latter requirement is met by Oracle Information Rights Management (IRM). email inboxes. Copies of these documents will be stored in one or multiple places. in addition to securing access to applications. In other words. user directories. content management systems. and Oracle Database. OES can then take the message information and its own policies into account and provide a grant or deny response back to OWSM. The following sections describe how Oracle Identity Management integrates with Oracle Information Rights Management. application servers). Oracle IRM extends the perimeter security provided by Oracle IM. in the course of his work. web servers. etc. Risk. and mobile devices. Oracle Identity Management and Oracle Information Rights Management Oracle Identity Management is an application-centric platform primarily operating on application containers (web portals. For example you store “John Doe” as a member of “Sales” once. OWSM can then enforce that decision. partners. or modify documents such as spreadsheets. As a result. in addition to being application-centric. and possibly customers of a company. In addition. read. Documents and emails may “live” in access-controlled repositories such as file system folders. John Doe will create. you can then define what applications John Doe may access based on his role (salesperson) and entitlements (what actions he can perform on a specific application). laptops. 34 . such as Oracle Internet Directory. Oracle’s Governance. Typically. OWSM can delegate a service access decision to OES by passing down the identity of the user and contextual parameters that tell OES how to unpack data from the message itself when making an entitlement decision. and Compliance (GRC) platform. an identity and access management solution also needs to be information-centric. and file and database systems. As shown in Figure 17. are the central “engine room” of identity management. Oracle Identity Management and Other Oracle Technologies Oracle Identity Management is at the intersection of several complementary Oracle technologies. presentations. an identity and access management solution needs to be able to secure the contents produced by the employees. and will possibly be distributed to many people within and outside the enterprise firewall. not multiple times for each application.Oracle White Paper—Oracle Identity Management 11gR1 that the approval service should be denied to the user if the expense report identity is contained in a list of pending reports for the user. and collaborative workspaces but copies of these documents go out to “work” every day on thousands of desktops. The simplest action of clicking on a file obtained online causes a copy of that file to be downloaded to your desktop from where it can be easily and untraceably redistributed anywhere.

all the user sees is cipher text with a plain text header informing her that she must install the Oracle IRM Desktop to access this file.Oracle White Paper—Oracle Identity Management 11gR1 Oracle IRM safeguards information directly. which includes: • • • wrapping the file within industry-standard encryption. The author shares the sealed document through email. emails. Oracle Virtual Directory (OVD) to synchronize IRM users and groups from existing enterprise LDAP and non-LDAP directories.. It uses encryption to shrink the access control perimeter down to the actual units of digital information. etc. the author seals the document. digitally signing the file to detect and prevent tampering.. and web pages. AES 256. Using tools integrated into the Windows desktop or supported applications. based on the receiver’s entitlements). Oracle refers to the process of protecting digital documents as “sealing”. including indelible URL hyperlinks into each sealed file that point back to the customeroperated Oracle IRM Server on which the decryption keys and access rights are stored. e.g. Typically. The receiver clicks on the document sent by the author. Because the file is sealed. the Oracle IRM process goes as follows: • • An author creates a document or an email on her desktop or laptop. the document is unsealed and ready to be used (i. • • Figure 17: Oracle Information Rights Management Process Oracle IRM leverages the following Oracle IM components: • • Oracle Identity Manager (OIM) to centrally provision IRM users and entitlements. instant messaging.. read or modified. file transfer. documents.e. If she already has the Oracle IRM Desktop (the most common scenario). e. 35 .g.

Oracle Identity Management and Enterprise Governance Oracle’s Governance. 36 . thus minimizing the risk of fraud and ensuring regulatory compliance. especially within critical business applications such as enterprise resource planning. and Compliance (GRC) platform integrates business intelligence. Oracle’s Siebel. remediate. and Oracle Access Manager are part of the multiple products making up Oracle GRC’s infrastructure controls. and enforce enterprise resource planning SOD policies. Oracle Role Manager.Oracle White Paper—Oracle Identity Management 11gR1 • Oracle Enterprise Single Sign-On (eSSO) for desktop single sign-on and additional support for strong authentication. Complementing Oracle Identity Management’s application-centric focus with the informationcentric approach of Oracle Information Rights Management is unique to Oracle’s offering and a major competitive differentiator. and Oracle’s Hyperion. process management. Enterprise resource planning roles and responsibilities are effectively segregated. Oracle Application Access Controls Governor. and supply chain management systems. Oracle Identity Manager. and automated controls enforcement to enable sustainable risk and compliance management. a key product in the Oracle GRC platform. Oracle Application Access Controls Governor also provides a comprehensive library of real-world. as well as non-Oracle enterprise resource planning environments. Figure 18: Oracle GRC and Oracle IM Synergy Segregation of duties (SOD) is a key principle of internal control and often the most difficult and costly to achieve. Risk. With Oracle IM 11gR1. allows customers to manage. customer relationship management. best-practice SOD controls for Oracle E-Business Suite and Oracle’s PeopleSoft applications and is easily extensible to support other platforms including Oracle’s JD Edwards.

end-users benefit because they have fewer passwords to remember. organizations can now use virtualization capabilities to manage database-user identities and their privileged roles across diverse identity stores without having to migrate or synchronize the data. enabling organizations to centrally manage database-user identities through their existing corporate directories such as Oracle Internet Directory. Additionally EUS can use LDAP passwords if client applications are using username/password authentication. In addition. Microsoft Active Directory and Sun Java System Directory Server. Leveraging EUS simplifies compliance because there are fewer accounts to audit. This allows customers to use their existing provisioning workflow to create the proper accounts and role-based privileges for users who need to access the database. as mentioned previously in this document. Finally. Please see Oracle Directory Services and DB Enterprise User Security Deployment Options on the Oracle Technology Network web site for more information. customers can use Oracle Identity Manager to manage access to the database by building provisioning workflows to the enterprise directory to control access to the database. Because of compliance challenges. There are still many cases (in particular for reporting and custom applications built with Oracle Application Express) where local database accounts are used for access. Typically. a feature of Oracle Database. EUS allows the database to map both database usernames to LDAP users and database roles to LDAP groups. Oracle Identity Management provides a competitively distinctive solution leveraging Oracle Database's Enterprise User Security (EUS) feature. Oracle Internet Directory supports two unique database security features: Oracle Database Vault (enforcing separation of duty for database administrators) and Oracle Transparent Encryption. Users may access these databases for administrative functions.Oracle White Paper—Oracle Identity Management 11gR1 Oracle Identity Manager integrates with Oracle Application Access Controls Governor by performing real-time SOD validation prior to provisioning Oracle E-Business Suite roles and responsibilities to Oracle E-Business. local database accounts are harder to manage. with Oracle Database. It improves security because there are fewer systems to update when people change status. Oracle Identity Management and Oracle Database One of the key differentiators of Oracle’s identity management offering is its ability to provide customers greater flexibility and choice by integrating Enterprise User Security (EUS). which often results in expensive help desk calls when users forget their login credentials. Thanks to the integration of OVD with EUS. with Oracle Virtual Directory (OVD). Oracle Virtual Directory can use its unique identity virtualization capabilities so that Microsoft Active Directory (or Sun’s directory) can be used to store the required database EUS metadata and user/role mappings. 37 . Many organizations have dozens if not hundreds of Oracle databases. Additionally.

Even if someone gets unauthorized access to the database. deployers. Such evolution revolves around three main axes: role management. and Oracle Virtual Directory are essential to deploying applications with embedded security. Oracle Entitlements Server. they can’t read the data. In addition. It prevents identity data from being accessed or manipulated outside of the OID protocol listener(s). Business users then must be provided with the right tools and the right level of information to manage these roles. an application administrator must find a way to ensure that these application-specific roles are properly managed and exposed within the enterprise. Encrypting data is a very simple way to prevent identity theft because the data can only be accessed through approved accounts. In terms of identity management. Future releases of Oracle Identity Management will leverage its service-based architecture to enhance Oracle’s overall identity and access management offering. This can be a potential back door for either changing passwords or unauthorized access to sensitive data. as well as third-party applications running in Oracle environments. Products that use flat-file directory storage can often be modified by simply updating the proper file with a text editor. access management components such as Oracle Access Manager. from development to deployment and administration in a full-blown production environment. Transparent Data Encryption is the Oracle Database feature that encrypts the data within the database. To an application developer. Looking Into the Future This section provides general information about the evolution of Oracle Identity Management after the 11gR1 release. and business users is the concept of role. At runtime. Oracle Database Vault and Oracle Transparent Data Encryption allow Oracle to provide the only directory services with complete security from storage to the client. Oracle Identity Management 11gR1 provides the security foundation for Oracle Fusion Middleware and Oracle Fusion applications. and identity and access management analytics. one of Oracle Identity Management 11gR1’s key goals is to enhance security services throughout the full application life cycle. With the introduction of Oracle Platform Security Services and Identity Governance Framework. administrators. a compliance manager or an auditor must be able to define policies around these roles to enforce additional 38 . identity as a service. Role Management As we mentioned at the beginning of this document. however. central to enterprise application developers.Oracle White Paper—Oracle Identity Management 11gR1 Oracle Database Vault provides a unique capability for directory storage. a role may identify a set of application privileges associated with a functional area. Only OID with Oracle Database Vault can prevent this type of access. and finally.

Going forward. As shown in Figure 19. Oracle Identity Management 11gR1 provides a comprehensive set of identity services and addresses the problem of scattered identity information by providing a unique level of virtualization (Oracle Virtual Directory) that allows the reconciliation of disparate sources of identity information. An efficient role engine must exist for the purpose of role resolution needed by applications. including a unified home page for approval. enhanced administration interface for all the provided identity management services. Oracle Identity Management 11gR1 provides several tools to help developers and administrators manage roles using Oracle Platform Security Services. Figure 19: Identity as a Service Going forward.Oracle White Paper—Oracle Identity Management 11gR1 compliance measures to further control the underlying business processes. Identity as a Service Identity and role administration has traditionally been a set of highly duplicated features across enterprise applications (so-called “silo” approach). and Oracle Role Manager. provisioning. attestation. Oracle Entitlements Server. Oracle will provide an even tighter integration and unified view of the various Oracle IM components specifically dealing with roles in order to address role management at every step of the application life cycle from development to production. Enterprise infrastructures tend to be built and maintained around individual systems. role and organization administration. thus getting closer to realizing the ultimate goal of “identity as a service. and identity and role information is scattered across many repositories. as well as more user-centric functionality such as self-registration and password management. Oracle Identity Management will provide an even more centralized.” 39 .

Prevention of potential fraudulent behaviors through risk analysis. Oracle provides the latest enhancements to Oracle Identity Management. As part of Oracle Fusion Middleware 11gR1. and other key identity-enabled components in Oracle Fusion Middleware and Oracle Fusion Applications. consolidation. Oracle Identity Management 11gR1 provides enhanced efficiency through a higher level of integration. the industry’s leading application server. Oracle Identity Management 11gR1 ensures the integrity of large application grids by enabling new levels of security and completeness to address the protection of enterprise resources and the management of processes (both human and automated) acting on those resources. Presentation of key identity and security information for business users and auditors through actionable dashboards and reports. integrated. and best-of-breed middleware suite based on Oracle WebLogic Server. Oracle Information Rights Management. • • • The ultimate goal is to provide a consolidated framework for audit and correlation. To this effect.Oracle White Paper—Oracle Identity Management 11gR1 Identity and Access Management Analytics Compliance has become an integral part of the business requirements for identity and access management customers. exposure to security risks. and automation. Oracle Identity Management will offer additional functionality allowing administrators to analyze identity services in a holistic manner using business intelligence technologies and leveraging the wealth of information controlled by Oracle Identity Manager. which paves the way for better reporting and analytics capability. In addition. inside and outside Oracle Identity Management. Oracle Identity Management 11gR1 introduces a common Oracle Fusion Middleware audit framework as part of Oracle Platform Security Services. Going forward. hot-pluggable. Oracle Identity Management 11gR1 leverages Oracle Business Intelligence extensively for publishing reports on audited data. Typically. Oracle Role Manager. and increased effectiveness in terms of application- 40 . and compliance. Reduced cost to implement compliance-related requirements by gathering and correlating information from various identity sources. Oracle fulfills its vision of delivering a complete. not only for Oracle products but for nonOracle identity information sources as well. Conclusion With the introduction of Oracle Fusion Middleware 11gR1. approaches and solutions to help predict the impact that identity and access management have on costs. future Oracle Identity Management analytics will provide the following: • A set of methodologies.

Oracle White Paper—Oracle Identity Management 11gR1 centric security. and governance. from development to deployment to full-blown production. Oracle Identity Management 11gR1 supports the full life cycle of an application. 41 . risk management.

Worldwide Inquiries: Phone: +1. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. CA 94065 U. electronic or mechanical. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. This document is provided for information purposes only and Oracle Corporation World Headquarters 500 Oracle Parkway Redwood 0109 the contents hereof are subject to change without notice. nor subject to any other warranties or conditions.650.506. . All rights reserved. without our prior written permission.506.7200 oracle. Other names may be trademarks of their respective owners.7000 Fax: +1.650. for any purpose.S.Oracle Identity Management Suite 11gR1 June 2009 Author: Marc Chanliau Copyright © 2009. This document may not be reproduced or transmitted in any form or by any means. Oracle and/or its affiliates. This document is not warranted to be error-free. whether expressed orally or implied in law. including implied warranties and conditions of merchantability or fitness for a particular purpose.A.