
Buyers Guide for an Access and Identity Management Infrastructure

An Oracle White Paper April 2005


Access and Identity Management Infrastructure
Access Control Checklist
  Web Single Sign-On (SSO) and Identity Federation
  Authentication
  Authorization
  Security Administration
  Scalable and Comprehensive Architecture
Identity Management Infrastructure Checklist
  Multiple Identity Datastores
  Delegated Administration
  Self-Service
  Identity Workflow
  Password Management
  User Management
  Group Management
  Organization Management
  Web Services Interface
  UI Customization and Branding Features
  Provisioning
  Diagnostics
Auditing & Reporting
  Auditing
  Reporting


ACCESS AND IDENTITY MANAGEMENT INFRASTRUCTURE

In today's increasingly competitive business environment, more and more leading companies are building new web-based infrastructures to gain the strategic advantages of collaborative networking. Benefits of such infrastructures include:

Increased revenue, by leveraging the Internet for sales and other commerce opportunities
Reduced cost, by streamlining supply chains and day-to-day business interactions and processes
Improved productivity, by enabling more efficient collaboration and automating cumbersome tasks
Better compliance, by automating the necessary controls and providing proof of compliance in an increasingly regulated environment

To facilitate collaboration, companies first need to identify each network user and determine which resources each user is authorized to access. Some companies have addressed this challenge by building security front-ends to applications. These front-ends are individually hard-coded with access policies, and each uses its own data repository to keep track of legitimate user identities. Unfortunately, this architecture soon becomes a liability as a business's online processes grow in number and complexity. Before long, the network of heterogeneous security front-ends becomes inflexible, ineffective, and expensive to maintain. The solution is to centralize security in the web infrastructure using an identity management and access control system shared by all applications.

To help companies achieve the benefits listed above while maintaining the highest level of security, Oracle has developed this Buyer's Guide. It provides a checklist of the key features an Identity Management system must have. The checklist on the following pages describes the key items in three areas:

Access Control
Identity Management Infrastructure
Auditing & Reporting


Access Control Checklist

Web Single Sign-On (SSO) and Identity Federation

Single Sign-On allows a user to leverage their desktop login so that they never have to remember any application-specific web passwords. Federated identity allows multiple partner companies to operate independently but cooperate for business purposes.

Multi Domain SSO

Solution supports web SSO across heterogeneous web servers spread across multiple DNS domains.

Multi Enterprise SSO

Solution supports multi-enterprise web SSO with any external organization that uses SAML or another web service security standard.

Multi Application SSO

Solution supports the concept of Identity Federation throughout the enterprise and with external entities. An example of Identity Federation:

Step 1: User logs into the Web Access Control environment with his/her AD uid and password.
Step 2: User requests access to web application A, which uses its own uid that is different from the one held in AD.
Step 3: The Web Access Control system passes to web application A the unique uid it requires, on behalf of the active user, even though the system was only presented with the AD uid.


Authentication

Authentication technology has become increasingly sophisticated. Your Identity Management system must be able to authenticate users, ensuring that they are who they represent themselves to be. You may need it to support advanced authentication devices such as smartcards.

Multiple Directory Support

Ability to connect to multiple directories, including LDAP, relational databases and text files, in which authentication and authorization data reside.

Support for Multiple Authentication Methods

Solution supports the following authentication methods: LDAP, certificates, SAML 1.0 and 1.1, smart cards, Kerberos, SecurID, biometrics, and any other COTS or custom security mechanism that has exposed APIs.

Support for Chained Authentication

Example: the Access System attempts to authenticate the credentials provided by the active user against LDAP A; if the user is not there, it looks in LDAP B; if not there, it looks in LDAP C.

Author Complex Authentication Policies

Solution's policy enforcement and authoring capabilities are comprehensive and flexible enough to support the business requirements of the enterprise. Example: resource A is considered top-secret intellectual property, so any user trying to access this resource is prompted for SecurID credentials even though they have already authenticated to the Access System with an AD uid and password.

SAML Support

Solution supports SAML 1.0 and SAML 1.1, and plans to support SAML 2.0.

Support for Multiple Web Services Standards for SSO Authentication and Authorization

Solution is not tied only to the SAML standard. It is architecturally designed to support the web service security standard of choice.

Create and Accept SAML Compliant Assertions

The ability to create SAML compliant assertions without writing custom code. Also, the ability to accept SAML compliant assertions from a third party without writing custom code.

Support Push (Post) and Pull (Artifact) Profiles

Support the ability to send and receive assertions, so the solution can protect resources at the originating site (the producer), at the receiving site (the consumer), or at both. In the POST profile the assertion itself is pushed through the user's browser to the consumer; in the Artifact profile the browser carries only a short reference (the artifact) and the consumer pulls the assertion from the producer over a back channel.

Easy to Distribute SAML Connector to Business Partners that are not SAML Ready

Solution does not require partner sites to run the same, or any, access control system beyond what comes bundled with the basic requirements needed to make business partners SAML ready.

Support for Federated Identity

Enables user authentication and authorization across business partners and customers. A federation broker translates authentication information from one standard to the next based on the application a user wishes to access.

Support for WS-Federation

Enables user authentication and authorization across business partners and customers using the WS-Federation standard.

Full integration of Web Services Management with Identity Management

Enforces consistent identity-based policies across services-based applications.
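The chained-directory lookup and the step-up (SecurID) policy in the two examples above are really one access decision: which store answers for the uid, what level the session has reached, and what level the resource demands. The following Python is an added illustration for readers of this guide; it is not code from the white paper or from any Oracle product. The three in-memory directories, the sample accounts, the URL prefixes and the numeric authentication levels are constructed assumptions, and the second-factor result is passed in rather than obtained from a real SecurID service.

```python
"""Chained directory authentication and step-up (re-authentication) policy.

Added example, not code from the white paper or from any Oracle product.
The three in-memory "directories", the accounts and the numeric
authentication levels are constructed; a real Access System would bind to
LDAP A/B/C and call the SecurID service instead.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed strength ordering for the methods named in the checklist.
AUTH_LEVEL = {"password": 1, "securid": 2, "smartcard": 3}


def _stored(password: str) -> tuple:
    """Salted SHA-256 verifier for the constructed sample accounts only;
    real directories should use a slow KDF (argon2, scrypt, PBKDF2)."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def _verify(entry: tuple, password: str) -> bool:
    salt, digest = entry
    return hmac.compare_digest(
        hashlib.sha256(salt + password.encode()).hexdigest(), digest)


# Constructed sample data. "carol" exists in LDAP A and LDAP C on purpose.
DIRECTORIES = [
    ("LDAP A", {"alice": _stored("correct horse"), "carol": _stored("a-pass")}),
    ("LDAP B", {"bob": _stored("battery staple")}),
    ("LDAP C", {"carol": _stored("c-pass")}),
]


@dataclass
class Session:
    user: str
    directory: str      # which store answered; worth recording for audit
    auth_level: int


def chained_authenticate(username: str, password: str):
    """Walk LDAP A -> B -> C. Fall through only when the uid is absent.
    A uid that exists but fails verification stops the chain: continuing
    would let a later directory's entry shadow the first one and would give
    an attacker one password guess per directory instead of one."""
    for name, store in DIRECTORIES:
        entry = store.get(username)
        if entry is None:
            continue
        if _verify(entry, password):
            return Session(username, name, AUTH_LEVEL["password"])
        return None
    return None


# Resource policies: the longest matching URL prefix wins; no match = deny.
RESOURCE_POLICY = {
    "/portal/": "password",
    "/portal/ip/top-secret/": "securid",
}


def required_method(url: str):
    matches = [p for p in RESOURCE_POLICY if url.startswith(p)]
    if not matches:
        return None
    return RESOURCE_POLICY[max(matches, key=len)]


def check_access(session: Session, url: str):
    """Return ("allow", None), ("step-up", method) or ("deny", reason)."""
    method = required_method(url)
    if method is None:
        return ("deny", "no policy covers this resource")
    if session.auth_level >= AUTH_LEVEL[method]:
        return ("allow", None)
    return ("step-up", method)


def step_up(session: Session, method: str, second_factor_ok: bool) -> Session:
    """Raise the session level once the stronger method has succeeded.
    second_factor_ok stands in for the external SecurID/smart-card result;
    a failed step-up leaves the existing session level untouched."""
    if second_factor_ok:
        session.auth_level = max(session.auth_level, AUTH_LEVEL[method])
    return session
```

Two details matter in practice: the session records which directory answered, so an audit trail can show where an identity came from, and step-up never lowers an already-achieved level, so a failed SecurID prompt does not log the user out of resources that only needed a password.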


Authorization

Authorization refers to the ability to grant application access to the appropriate users and to make complex authorization decisions against composite user profiles.

Ability to Write Complex, Multi-Step Authorization Policies

Solution must have the ability to author and enforce complex business resource authorization requirements. Out of the box, the solution must be able to restrict access by time, IP address, and user community. Solution should also have the ability to make callouts to external systems for authorization checks.

Identity Management System Integration

The ability to integrate authorization policies into an Identity Management system without having to write code.

Third-Party Validations

Authorization policy can make external callouts to a third-party system for validation.
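An authorization rule of the kind described here (time window, source IP range, user community, plus an external callout) can be evaluated as shown below. This Python example was added for illustration and is not from the white paper or an Oracle product; the rules, the sample requests and the "HR status" callout are constructed. It generalises the checklist's three built-in restraints to any number of rules selected by longest resource prefix, and shows the two defaults a practitioner should insist on: no matching policy means deny, and an unreachable external validator means deny.

```python
"""Authorization policy evaluation: user community, source network, time
window and an external callout, with default deny and fail-closed callouts.

Added example, not code from the white paper or an Oracle product. The
rules, the sample requests and the "HR status" callout are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Optional


@dataclass
class Request:
    user: str
    groups: frozenset       # user communities the subject belongs to
    src_ip: str
    when: datetime          # taken from the server clock, never from the client


@dataclass
class Rule:
    prefix: str                       # resource URL prefix this rule governs
    communities: frozenset            # membership in any one of these suffices
    networks: tuple                   # CIDR strings
    hours: tuple                      # (start, end) time-of-day window
    callout: Optional[Callable[[Request], bool]] = None


def evaluate(rule: Rule, req: Request):
    """Return ("allow", prefix) or ("deny", reason). Local checks run first
    so the external callout is only paid for requests that already passed."""
    if not (req.groups & rule.communities):
        return ("deny", "not in an allowed user community")
    ip = ipaddress.ip_address(req.src_ip)
    if not any(ip in ipaddress.ip_network(n) for n in rule.networks):
        return ("deny", "source address outside allowed networks")
    start, end = rule.hours
    if not (start <= req.when.time() < end):
        return ("deny", "outside permitted hours")
    if rule.callout is not None:
        try:
            if not rule.callout(req):
                return ("deny", "external validation refused")
        except Exception:
            # Fail closed: an unreachable validator must never grant access.
            return ("deny", "external validation unavailable")
    return ("allow", rule.prefix)


def decide(rules, resource: str, req: Request):
    """The longest matching prefix selects the rule; no rule means deny."""
    matching = [r for r in rules if resource.startswith(r.prefix)]
    if not matching:
        return ("deny", "no policy covers this resource")
    return evaluate(max(matching, key=lambda r: len(r.prefix)), req)


# Constructed stand-in for an external HR system: only active staff pass.
HR_STATUS = {"alice": "active", "bob": "terminated"}


def hr_is_active(req: Request) -> bool:
    return HR_STATUS[req.user] == "active"     # unknown user -> KeyError -> deny


def hr_outage(req: Request) -> bool:
    raise ConnectionError("HR system unreachable")


RULES = [
    Rule("/intranet/", frozenset({"employees"}), ("10.0.0.0/8",),
         (time.min, time.max)),
    Rule("/intranet/finance/", frozenset({"finance"}), ("10.20.0.0/16",),
         (time(7), time(19)), callout=hr_is_active),
]
```

The deny reasons are returned so that they can be logged; they should not be shown verbatim to the end user, who only needs to know that access was refused.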

Security Administration

Access control and authorization can often be an administrative nightmare. The Identity Management solution should make it easy to set up flexible and powerful delegation of administration, separation of duties, and privacy enhancements.

Centralized Web-Based Delegated Administration

Solution has centralized, web GUI based administration of all Access System components and access control policies. Solution deploys a delegated administration model that governs the access administrators have in the system.


Scalable and Comprehensive Architecture

Your Identity Management system should be designed to integrate seamlessly with existing infrastructures. It should have a scalable architecture that enables your business to grow its web infrastructure incrementally and build upon it. A complete set of APIs and XML web services should support emerging third-party applications and standards, setting the stage for easy growth as your organization matures.

Proven Deployments for Multi-million User Accounts

Load Balancing

Each component of the solution architecture must be able to be load balanced.

Failover

Each component of the solution architecture must be able to be set up for failover.

Secure Communications

All communication between solution components must be able to be secured via encryption.

Identity Management Infrastructure Checklist


Multiple Identity Datastores

User information may reside in multiple datastores, including multiple directories. The Identity Management system must be able to connect to and unify this disparate data.

Ability to Unify Multiple Datastores

Ability to connect to multiple directories, including LDAP, relational databases and text files. Each of the underlying data stores can be normalized and presented as a single large unified directory with full read-write and user management capabilities.


Delegated Administration

The ability to delegate administration of identity information across corporate boundaries reduces the time and cost associated with Identity Management administration.

Delegated Identity Administration Capabilities

Solution is comprehensive and granular and can map to the most complex business requirements, including no restriction on the number of levels of delegation.

Fine-grained Access Control for User Attributes

Access to, and management of, identity information can be addressed uniquely to a specific user or a specific user population. Each attribute can have its own distinct access control rule for read and for modify. Attribute modification can trigger an email notification.

User Management Flexibility

User management rules can be written to manage user communities based on both namespace and LDAP filters.

Dynamic Delegated Administration

Attribute management for a targeted user population must be dynamically linked to delegated administrators. For example, password/help-desk administrators can only read and modify password attributes for user accounts in their own department. Note that this can be done with an LDAP filter, so that no static administrator management is required.

Derived Attributes

Derived attributes are supported. This enables queries to determine what roles a user has, and enables reverse lookups to see which users are assigned to a role. Example: a DirectSubordinates user attribute has the dynamic value of all users that have the current user as their direct manager.

No Coding

All these delegated attribute access control features must be configured out-of-box without having to write any code.

Self-Service

Solution must be flexible enough to meet any web-based self-service requirement, including self-registration, password resets, and requesting access to web resources or group membership.

Self-managed Attributes

Solution provides a web GUI based means for the active user to manage their own account information. Each attribute that makes up a user's entry in the LDAP directory can be configured for self-management. Attributes typically managed by the end user are password, shared secret, mobile phone, home address, and others of a similar nature. Other attributes can be added to this list by leveraging a workflow process that allows a user to initiate an attribute change request, where a human approver must approve the request before the change is committed. Example: a user requests a change to the attribute "VPN access" through the web GUI. The workflow sends the change request to the initiator's manager; if approved, the request is sent to the VPN admin group; if they approve, the user's "VPN access" attribute is set and the user is dynamically added to the LDAP VPN Access group.


Identity Workflow

The Identity Management solution should include a workflow engine that delivers an automated way to request and approve identity management changes in large, distributed networks, in a manner that supports consistent business rules and processes.

Seamless Workflow Integration

Workflow must be seamlessly ingrained in the solution so that all operations (self-registration, attribute change, add user, delete user, disable user, add group, delete group, add object, and delete object) can leverage workflow steps without custom code. Optimal solutions are built upon native identity-based workflow as opposed to third-party, pre-integrated, general-purpose workflow solutions.

Workflow Configuration

Workflows are configured through a centralized web GUI.

Integrated Component of Identity Management Architecture

Workflow is packaged as part of the core solution installation and requires no extra component management, i.e. no extra database, hardware, services, or third-party software.

Dynamically Assign Workflows

Active users are dynamically assigned the workflows they have access to within the Identity Management System.

Workflow Initiation

Workflow initiation is exposed through a Web Services API.

Event API

The workflow agent has an open event API that can be used to integrate the identity management solution with external databases, applications, and provisioning engines.
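The approval chain in the Self-Service example (user request, manager approval, VPN admin approval, then commit of the attribute and of the group membership) and the workflow-engine requirements above can be modelled as a small state machine. The Python below is an added example, not code from the white paper or an Oracle product; the directory entries, the "vpn-admins" approver group and the "vpnaccess" attribute name are constructed. Beyond the checklist's narrative it adds the two controls an auditor will ask about: the requester can never approve, and no single person can approve two stages of the same request.

```python
"""Workflow-gated attribute change: request -> manager approval -> VPN admin
approval -> commit of the attribute and of the group membership it implies.

Added example, not code from the white paper or an Oracle product. The
directory entries, the "vpn-admins" approver group and the vpnaccess
attribute are constructed to mirror the checklist's VPN access example.
"""
from dataclasses import dataclass, field

# Constructed directory: uid -> attributes
DIRECTORY = {
    "alice": {"manager": "dave", "vpnaccess": "false", "groups": set()},
    "dave":  {"manager": "erin", "vpnaccess": "true", "groups": set()},
    "erin":  {"manager": None, "vpnaccess": "true", "groups": set()},
    "frank": {"manager": "erin", "vpnaccess": "true", "groups": {"vpn-admins"}},
}
VPN_GROUP = "vpn-access"


@dataclass
class ChangeRequest:
    requester: str
    attribute: str
    new_value: str
    stages: list = field(default_factory=list)     # approver resolvers, in order
    decisions: list = field(default_factory=list)  # (approver, approved) audit trail
    state: str = "pending"


def _manager_of(req):
    return {DIRECTORY[req.requester]["manager"]}


def _vpn_admins(req):
    return {u for u, e in DIRECTORY.items() if "vpn-admins" in e["groups"]}


# Attribute -> ordered approval stages. Approvers are resolved from the
# directory when a stage is decided, so a manager change mid-flight counts.
WORKFLOWS = {"vpnaccess": [_manager_of, _vpn_admins]}


def submit(requester, attribute, new_value):
    if attribute not in WORKFLOWS:
        raise ValueError("attribute is not workflow-enabled")
    return ChangeRequest(requester, attribute, new_value, list(WORKFLOWS[attribute]))


def decide(req, approver, approved):
    """Apply one approver's decision and return the new request state.
    Nothing is written to the directory until the last stage approves."""
    if req.state != "pending":
        raise ValueError("request already " + req.state)
    if approver == req.requester:
        raise PermissionError("separation of duties: requester cannot approve")
    if approver in {a for a, _ in req.decisions}:
        raise PermissionError("four eyes: one person cannot approve two stages")
    if approver not in req.stages[0](req):
        raise PermissionError(approver + " is not an approver for this stage")
    req.decisions.append((approver, approved))
    if not approved:
        req.state = "rejected"
        return req.state
    req.stages.pop(0)
    if not req.stages:
        _commit(req)
    return req.state


def _commit(req):
    entry = DIRECTORY[req.requester]
    entry[req.attribute] = req.new_value
    if req.attribute == "vpnaccess":          # keep the LDAP group in step
        if req.new_value == "true":
            entry["groups"].add(VPN_GROUP)
        else:
            entry["groups"].discard(VPN_GROUP)
    req.state = "committed"
```

The decisions list is the audit record the Auditing section later asks for: who approved what, in what order, and whether the change was ever committed.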

Password Management

The Identity Management solution must have a wide range of password management and enforcement functions for increased user productivity, security, and help desk cost savings.

Password Policies

Password policies must be able to be authored and enforced to meet the enterprise's password policy requirements.

Lost Passwords

Solution must provide an automated lost-password reset function that leverages a stored shared secret to enable the reset.

Password Expiration and Lockout Redirection

Solution must be able to redirect users, based on user community, to custom expiration and lockout web pages.
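The three requirements above interact: the shared-secret reset path is itself a credential check, so it needs the same lockout as the password, and a reset must still satisfy the password policy. The Python below is an added example, not code from the white paper or an Oracle product; the policy values, the lockout threshold, the KDF iteration count and the sample account are constructed, and timestamps are plain seconds supplied by the caller so the example runs offline.

```python
"""Password policy enforcement, time-boxed lockout and shared-secret reset.

Added example, not code from the white paper or an Oracle product. Policy
values, the lockout threshold, the KDF iteration count and the sample
account are constructed; timestamps are seconds supplied by the caller.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

POLICY = {"min_length": 12, "min_classes": 3, "history": 5,
          "lockout_threshold": 5, "lockout_seconds": 900}
ITERATIONS = 50_000   # kept modest so the example runs quickly; raise it in production


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def _normalise(answer: str) -> str:
    """Shared-secret answers compare case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


def check_policy(username: str, candidate: str, history: list) -> list:
    """Return the violated rules (empty list = acceptable)."""
    problems = []
    if len(candidate) < POLICY["min_length"]:
        problems.append("too short")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < POLICY["min_classes"]:
        problems.append("too few character classes")
    if username.lower() in candidate.lower():
        problems.append("contains the user name")
    if any(hmac.compare_digest(_kdf(candidate, salt), digest)
           for salt, digest in history):
        problems.append("reused recent password")
    return problems


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # newest first: (salt, digest)
    secret: tuple = None                          # (salt, digest) of the shared secret
    failures: int = 0
    locked_until: float = 0.0

    def set_password(self, new_pw: str) -> list:
        problems = check_policy(self.username, new_pw, self.history)
        if not problems:
            salt = os.urandom(16)
            self.history.insert(0, (salt, _kdf(new_pw, salt)))
            del self.history[POLICY["history"]:]
            self.failures, self.locked_until = 0, 0.0
        return problems

    def set_secret(self, answer: str) -> None:
        salt = os.urandom(16)
        self.secret = (salt, _kdf(_normalise(answer), salt))

    def _fail(self, now: float) -> str:
        self.failures += 1
        if self.failures >= POLICY["lockout_threshold"]:
            self.locked_until = now + POLICY["lockout_seconds"]
        return "bad"

    def login(self, pw: str, now: float) -> str:
        """'ok', 'bad' or 'locked'. The lockout expires, so a flood of bad
        guesses is a temporary denial of service rather than a permanent one."""
        if now < self.locked_until:
            return "locked"
        salt, digest = self.history[0]
        if hmac.compare_digest(_kdf(pw, salt), digest):
            self.failures = 0
            return "ok"
        return self._fail(now)

    def reset_with_secret(self, answer: str, new_pw: str, now: float) -> str:
        """Lost-password path. The shared secret is a credential too, so it
        shares the failure counter and the lockout with the password."""
        if now < self.locked_until:
            return "locked"
        salt, digest = self.secret
        if not hmac.compare_digest(_kdf(_normalise(answer), salt), digest):
            return self._fail(now)
        return "policy" if self.set_password(new_pw) else "ok"
```

The expiration and lockout redirection item is the presentation layer over the "locked" and "policy" results here: the web tier inspects the result and sends the user community's own lockout or expiry page rather than a generic error.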

User Management

The Identity Management solution must provide easy user management tools to manage large numbers of digital identities.

LDAP User Account Management

Solution provides a web GUI based mechanism that enables comprehensive user management features to create, delete, disable, modify, or read user accounts.

Web Services

A Web Services based interface is provided to do identity management.

Workflow

Native, identity-based workflow is critical for identity management.

Batch Updates

Solution must provide a mechanism to accept and process batch updates.

Group Management

Managing and controlling privileges for a group of related people, rather than handling their needs individually, yields valuable economies of scale.

Delegated Group Management

Solution must provide web GUI based delegated group management.

Web Services

Solution must provide Web Services based delegated group management.

Dynamic Groups

Solution must support dynamic group management for LDAP directories that support dynamic groups. It needs to add dynamic group management functionality to LDAP directories that only support static groups.

Nested Groups

Solution must support nested groups (groups of groups).

Workflows

Solution must support workflow-based subscription to groups. It must also provide workflow-based group attribute management.

No Coding

Solution must manage LDAP directory groups with no coding.

Batch Updates

Solution must provide a mechanism to accept and process batch updates.
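The LDAP-filter-driven items from Delegated Administration (filter-scoped help-desk rights, the derived DirectSubordinates attribute) and from Group Management (dynamic groups on a directory that only stores static members, nested groups) all rest on one primitive: evaluating a filter against an entry. The Python below is an added example, not code from the white paper or an Oracle product; the entries, DNs, delegation rules and group definitions are constructed, and the evaluator supports only the equality, presence, &, | and ! subset of RFC 4515 filter syntax.

```python
"""One LDAP-filter evaluator behind three checklist items: filter-scoped
delegated administration, the derived DirectSubordinates attribute, and
dynamic plus nested group membership flattened for a static-only directory.

Added example, not code from the white paper or an Oracle product. Entries,
DNs and rules are constructed; only the equality / presence / & / | / !
subset of RFC 4515 filters is supported.
"""

PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"

# Constructed directory: dn -> {attribute (lower-case): [values]}
DIRECTORY = {
    "uid=dave," + PEOPLE: {"objectclass": ["person"], "department": ["eng"],
                           "title": ["Director"]},
    "uid=alice," + PEOPLE: {"objectclass": ["person"], "department": ["eng"],
                            "role": ["helpdesk"], "manager": ["uid=dave," + PEOPLE]},
    "uid=bob," + PEOPLE: {"objectclass": ["person"], "department": ["eng"],
                          "manager": ["uid=dave," + PEOPLE]},
    "uid=carol," + PEOPLE: {"objectclass": ["person"], "department": ["sales"]},
    "cn=eng-staff," + GROUPS: {"objectclass": ["groupOfNames"],
                               "memberurl": ["ldap:///" + PEOPLE + "??sub?(department=eng)"]},
    "cn=all-hands," + GROUPS: {"objectclass": ["groupOfNames"],
                               "member": ["cn=eng-staff," + GROUPS, "uid=carol," + PEOPLE]},
}


def _split(body):
    """Split "(a)(b)" into its top-level parenthesised terms."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(entry, flt):
    body = flt.strip()[1:-1]
    if body[0] in "&|":
        results = [matches(entry, t) for t in _split(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    if body[0] == "!":
        return not matches(entry, body[1:])
    attr, _, value = body.partition("=")
    values = entry.get(attr.lower(), [])
    if value == "*":                      # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


# Who may act, on whom (${attr} comes from the administrator's own entry,
# ${dn} is their DN) and which per-attribute operations are granted.
DELEGATIONS = [
    {"who": "(role=helpdesk)",
     "scope": "(&(objectclass=person)(department=${department}))",
     "attrs": {"userpassword": {"modify"}}},
    {"who": "(objectclass=person)",
     "scope": "(manager=${dn})",
     "attrs": {"title": {"read", "modify"}, "mail": {"read"}}},
]


def _expand(template, admin_dn):
    out = template.replace("${dn}", admin_dn)
    for attr, vals in DIRECTORY[admin_dn].items():
        out = out.replace("${%s}" % attr, vals[0])
    return out


def may(admin_dn, target_dn, attr, op):
    """Per-attribute access decision; nothing is granted by default."""
    admin, target = DIRECTORY[admin_dn], DIRECTORY[target_dn]
    for rule in DELEGATIONS:
        if op in rule["attrs"].get(attr, set()) and matches(admin, rule["who"]) \
                and matches(target, _expand(rule["scope"], admin_dn)):
            return True
    return False


def direct_subordinates(dn):
    """Derived attribute: reverse lookup of the manager attribute."""
    return sorted(d for d, e in DIRECTORY.items()
                  if dn.lower() in (m.lower() for m in e.get("manager", [])))


def members(group_dn, _seen=None):
    """Flatten static members, nested groups and memberURL filters into one
    set of person DNs; _seen stops recursion on group cycles."""
    seen = _seen if _seen is not None else set()
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    entry, out = DIRECTORY[group_dn], set()
    for url in entry.get("memberurl", []):
        flt = url.rsplit("?", 1)[1]       # base and scope ignored in this example
        out |= {d for d, e in DIRECTORY.items()
                if "person" in e.get("objectclass", []) and matches(e, flt)}
    for m in entry.get("member", []):
        if "groupOfNames" in DIRECTORY.get(m, {}).get("objectclass", []):
            out |= members(m, seen)
        else:
            out.add(m)
    return out
```

Writing the help-desk scope as a filter over the administrator's own department attribute is what the checklist means by "no static admin management": moving an administrator to another department changes whose passwords they can reset without anyone editing an access control list.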


Organization Management

Organization management manages generic directory objects and information relating to entire external organizations (such as partners or suppliers) or internal business units.

LDAP Generic Object Management

Solution provides a web GUI based method of managing any generic LDAP object, that is, any object in LDAP that is not a user or a group. Examples of generic object management are building locations, printers, help desks, and departments.

Web Services

Solution provides a Web Service to manage generic objects.

Workflow

Integrated workflow is required for comprehensive generic object management.

Batch Updates

Solution must provide a mechanism to accept and process batch updates.

Web Services Interface

Performing administrative tasks through Web Services allows existing help desk and other applications that consume or manage identity or group information to access the Identity Management solution to process user and group updates or queries.

Web Services-based API

Solution must provide a mechanism to do all administrative tasks through a Web Service.


UI Customization and Branding Features

By being able to customize the user interface of the Identity Management solution, you can extend your brand and provide different user communities with their own customized look and feel.

Customizable

Solution user interface is completely customizable through standards-based XSLT style sheets.

Extensibility

Solution allows each independent piece of identity functionality to be separately invoked as a URL for insertion into a portal or existing web resources.

Flexible

Solution allows different user communities to have different user interface capabilities and look-and-feel.

Provisioning

User provisioning often starts with the employee system of record, usually an HR system. Provisioning from the HR system into other applications and backend systems must be seamless and require little to no integration.

Provisioning Engine

Solution provides user provisioning so that total end-to-end user and group account management is provided.

Metadirectory Functionality

Bi-directional synchronization is critical. Ability to synchronize passwords across systems and update related changes in multiple datastores.

Support for Additional Technologies

Ability to support other identity management technologies such as smart cards.


Diagnostics

By auditing the internal processes of the Identity Management solution, system problems can be resolved quickly.

Rapid Problem Resolution

Allows rapid resolution of system problems or failures through audit of internal processes.

Auditing & Reporting


Auditing

Auditing is important for monitoring events and web services, and critical to demonstrate compliance with regulatory and governance requirements.

Audit to a Centralized and Redundant Location

Solution stores all web access and identity logs in one location and provides redundant backup of the logs.

Ability to Centralize Audit Logs

Solution stores all web access and identity logs in one location.

Log Any Event that Happens

Solution can be configured to log any access or identity event that takes place.

Customize Audit Logs

Solution's audit log formats can be customized to meet the requirements of external reporting/monitoring/dashboard systems such as those offered by Oracle Reports, Crystal Reports, ArcSight, HP, and Tivoli.

Log to a Database or Flat File

Solution's audit logs can be sent to a database or to a flat file.

Use SNMP Traps

Solution's auditable events support SNMP polling and trapping with network management stations such as HP OpenView. This provides flexibility in how auditable events are monitored. Note that SNMPv1 and SNMPv2c traps and polls are neither authenticated nor encrypted (they rely on cleartext community strings); use SNMPv3 with authentication and privacy, or confine the earlier versions to a dedicated management network.

Auditing Web Services

Monitoring Web Services

Collect data as policies are executed and deliver automatic notifications when Quality of Service level thresholds are exceeded.

Reporting

Security reporting helps ensure the integrity of your security system and helps meet compliance requirements.

Pre-built Security Reports

Solution includes reports on authentication statistics, authorization statistics, failed authorizations, group history, password changes, and more.

Proof of Compliance

Solution delivers reports demonstrating proof of compliance through an end-to-end framework for capturing identity and security operational logs.


Buyers Guide for an Access and Identity Management Infrastructure
April 2005
Author: Wynn White
Contributing Authors: Rick Caccia

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright 2005, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle, JD Edwards, PeopleSoft and Retek are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.