A Report On:-

TABLE OF CONTENTS
TABLE OF CONTENTS .............................................................................................. 2
2. IDENTITY AND ACCESS MANAGEMENT SYSTEMS ........................................... 4
2.1 Components of IDAM ................................................................................. 4
2.1.1 Authentication ...................................................................................... 4
2.1.2 Authorization.......................................................................................... 5
2.1.3 User management Life Cycle ............................................................. 5
2.1.4 Central user repositories ...................................................................... 5
2.2 Advantages of employing IDAM systems ................................................ 5
2.3 Organizations employing IDAM systems .................................................. 6
3. ARCHITECTURE OF IDAM SYSTEM ..................................................................... 7
3.1 ARCHITECTURE GOALS ................................................................................ 7
3.2 TECHNICAL PLATFORM ................................................................................ 8
3.2.1 Technical Benefits ................................................................................. 8
3.2.2 Security ................................................................................................... 9
3.2.3 JAAS Based Authentication ................................................................ 9
3.2.4 Transaction Management ................................................................... 9
3.2.5 Persistence ........................................................................................... 10
3.2.6 Reliability & scalability ........................................................................ 10
3.2.7 Performance ........................................................................................ 10
3.2.8 Customization ...................................................................................... 10
3.3 QUALITY ................................................................................................... 11
3.3.1 Reliability ........................................................................................... 11
3.3.2 Portability .......................................................................................... 11
3.3.3 Recoverability .................................................................................. 11
3.3.4 Securability ....................................................................................... 11
3.3.5 Auditability ....................................................................................... 12
3.3.6 Manageability and maintainability .............................................. 12
3.3.7 Response .......................................................................................... 12
3.3.8 Scalability ......................................................................................... 12
3.3.9 Availability ........................................................................................ 12
3.4 ORACLE IDENTITY MANAGER USAGE OVERVIEW .............................. 13
3.4.1 Provision manager ............................................................................ 13
3.4.1 Provision Server ................................................................................ 13
3.4.2 Adapter Factory .............................................................................. 13
3.4.3 Reconciliation Engine ..................................................................... 14
3.4.4 Applications Integration for user life cycle management ....... 14
4 ORACLE IDENTITY MANAGER ARCHITECTURE ............................................... 15
4.1 Identity Manger Architecture .................................................................. 15
4.1.1 Presentation Layer .......................................................................... 15
4.1.2 Business Logic Layer ........................................................................ 16
4.1.3 Data Access Layer .......................................................................... 16
5 ORACLE ACCESS MANAGER ARCHITECTURE ............................................... 17
5.1 Access Manager Architecture ................................................................ 17
5.2 Access Manager Components overview ............................................ 18
5.2.1 Identity Server .................................................................................. 20
5.2.2 WebPass ........................................................................................... 20
5.2.3 WebGate ......................................................................................... 21
5.2.4 Access Server ................................................................................... 21
5.2.5 Policy Manager ............................................................................... 21
5.2.6 New Administrator Functionality in Access Manager ............... 22
5.2.7 Oracle Virtual Directory ................................................................. 22
5.2.8 Oracle Internet Directory ................................................................... 22
5.2.9 Oracle HTTP Standalone Web Server ........................................... 23
6. Acronyms and Glossary.................................................................................. 23
7. References ....................................................................................... 24

2. IDENTITY AND ACCESS MANAGEMENT SYSTEMS
Identity and Access Management systems provide an interface that allows
or simplifies access for people, processes and products, identifying and
managing the data used in an information system in order to validate users
and grant or deny access rights to data and system resources. The basic
goal of IDAM (Identity and Access Management) is to provide
appropriate access to enterprise resources.
2.1 Components of IDAM
In order to meet the security and compliance requirements of an
organization, there must be an ability to quickly search for, identify and verify
the user or process that is accessing the system. By implementing IDAM
models for every part of the organization we can reap monetary benefits.
IDAM systems also offer the high degree of security that is the
basic requirement of an organization.
IDAM is made up of four main components, namely Authentication,
Authorization, User Management and Central User Repository. The main
objective of IDAM is to provide the right access to the right people in
order to protect information sources.
2.1.1 Authentication
This area covers the verification of the identity of an internet user, i.e.
AUTHENTICATION, and the tracking of the user's interactions with the
computer system, i.e. SESSION MANAGEMENT. The most common way to
provide access control and information privacy to a user is
USERID/PASSWORD authentication. When we implement IDAM systems we can
track the different sessions of the users from centralized locations.

2.1.2 Authorization
AUTHORIZATION determines whether the user has the required
permission or access right to a particular resource. The IDAM system tests the
user's access request against the authorization policies of the organization.
Authorization mainly takes into account the user groups to which the user belongs,
the access channels and the data resources that can be accessed. More
complex criteria, such as time-based access or business
rules under which the access permissions constantly change over
time, are also part of authorization.
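The evaluation described above, as an added worked example that is not part of this report and not Oracle code: a small policy engine that checks group membership, access channel and a time-of-day window, and denies by default when no policy covers the resource. The users, groups, policies and resource paths are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample of the central user repository: login -> groups.
USER_GROUPS = {
    "alice": {"finance", "employees"},
    "bob": {"employees"},
    "carol": {"contractors"},
}


@dataclass
class Policy:
    resource: str          # resource path prefix this policy covers
    groups: set            # a member of any of these groups may pass
    channels: set          # permitted access channels, e.g. {"web", "vpn"}
    window: tuple = None   # (start, end) time-of-day window, or None for any time


# Constructed authorization policies of the organization.
POLICIES = [
    Policy("/finance/", {"finance"}, {"web", "vpn"}, (time(8, 0), time(18, 0))),
    Policy("/intranet/", {"employees"}, {"web", "vpn"}, None),
    Policy("/public/", {"employees", "contractors"}, {"web"}, None),
]


def matching_policy(resource):
    """Longest matching prefix wins, so a specific rule overrides a general one."""
    candidates = [p for p in POLICIES if resource.startswith(p.resource)]
    return max(candidates, key=lambda p: len(p.resource)) if candidates else None


def authorize(user, resource, channel, now):
    """Return (allowed, reason). Every check must pass; unknown resources are denied."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    policy = matching_policy(resource)
    if policy is None:
        return False, "no policy covers resource"
    groups = USER_GROUPS.get(user, set())          # unknown user -> no groups
    if not groups & policy.groups:
        return False, "user not in any permitted group"
    if channel not in policy.channels:
        return False, f"channel {channel!r} not permitted"
    if policy.window is not None:
        start, end = policy.window
        if not (start <= now.time() <= end):
            return False, "outside permitted time window"
    return True, "permitted"


if __name__ == "__main__":
    print(authorize("alice", "/finance/ledger", "web", "2024-01-15T10:00:00"))
    print(authorize("alice", "/finance/ledger", "web", "2024-01-15T22:00:00"))
```

The time window is the kind of rule that changes the outcome for the same user and resource from one request to the next, which is why it is evaluated at request time rather than cached with the group membership.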
2.1.3 User management Life Cycle
IDAM describes or defines the rules for administrative functions such as
password resetting, identity creation, identity deletion and privilege
management. This component basically manages the entire user life
cycle, starting from identity creation and ending with final de-provisioning
from the accounts database. Hence it is a basic requirement to install an
integrated workflow system that can take care of user management activities.
2.1.4 Central user repositories
By implementing IDAM systems in an organization we can store and pass on
identity information from a single authoritative source to other IT services,
and can also provide verification on demand. That is, this component
of IDAM presents a logical view of the identities and their relationships to
various other systems. It is a logical view of existing stored
information that can be maintained physically or virtually, depending on
the growth in the number of identities.
2.2 Advantages of employing IDAM systems
When the organization is able to protect the data which it
creates, processes or uses, the business value of the
organization is likely to improve.
IDAM systems provide the kind of dependability and accessibility in
user access control that is of vital importance to most e-business
sites these days.
IDAM systems provide the capability to open up only a part of the
organization's information sites to customers, vendors and partners;
hence they provide an effective information exchange that can be
tailored to a particular user group.
By the use of IDAM systems, one can enable new users to obtain
vital information from applications so that they can achieve a
particular goal, and at the same time allow the organization to keep
a check on the access rights their roles require.
IDAM basically eases IT management in organizations, reducing the
overall effort of IT administration, and hence the productivity of
each employee increases over a period of time.

2.3 Organizations employing IDAM systems
IDAM systems involve either stages or organizational units to provide
access controls that help to identify any ambiguity in control points.
Hence these IDAM systems provide an approach that can be measured
over time, which enables IT expansion in growing organizations. By
expanding IT management we can enhance the overall ROI for the
business.
The main organizations which employ IDAM systems to rapidly search for,
identify and verify who is accessing the system are:
Online banking
Service delivery
Retail sites
Defense information systems
Telecommunication industries
3. ARCHITECTURE OF IDAM SYSTEM
The Architecture describes the high-level conceptual elements that are
part of the solution and the ways in which they interact.
The identity management solution for the Typical IDAM system is based on the
Oracle IDM Suite. The Identity Management solution to be deployed for Typical
IDAM will consist of the following major components.

Figure 1 - Architecture of IDAM system

3.1 ARCHITECTURE GOALS
Foundation builds of the Identity and Access Manager
infrastructure for the Typical IDAM system.
Set up the internal consolidated directory as the trusted source
(contains data of Typical employees and non-employees from the SAP
HR data system).
Password synchronization and reverse password synchronization
with Active Directory.
Self-service capabilities for end-users such as:
o Raising application access requests.
o Changing password.
Approval workflows for access requests raised by the user for
each application.
Approval workflows for access requests raised for third-party
users for each application.
Integrate the eSSO Provisioning gateway with Identity Manager.
3.2 TECHNICAL PLATFORM
3.2.1 Technical Benefits
Ease of Deployment: Deployment Manager assists in the migration of
integration and configuration between environments.
Flexible and Resilient: Oracle Identity Manager can be deployed in
single or multiple server instances. Multiple server instances provide
optimal configuration options, fault tolerance, redundancy, fail-over
and system load balancing.
Modular Architecture: Oracle Identity Manager is made up of
abstraction layers, which allows the execution logic to be changed
and refined without affecting logic or definitions that still apply.
Built-in Audit and Compliance: Oracle Identity Manager is a fully
integrated platform for identity provisioning and identity audit and
compliance.
3.2.2 Security
Oracle Identity Manager enforces internal security policies and eliminates
potential security threats from rogue, expired and unauthorized accounts
and privileges. When users change roles within an organization, it is often
the case that they have the wrong accounts and access rights in
applications and systems due to inadequate user maintenance.
Frequently users who have left an organization weeks or months earlier still
have accounts and access to applications and systems. Finally, users
authenticate to applications using different strength passwords with
different password rules (e.g. frequency of password change).

3.2.3 JAAS Based Authentication
Oracle Identity Manager relies on the J2EE framework to secure access to
the EJB-exposed APIs using the JAAS (Java Authentication and
Authorization Service) service. Using this, Oracle Identity Manager ensures
that only authenticated users are able to access the API methods that
expose Oracle Identity Manager functionality.

3.2.4 Transaction Management
An important requirement for the Oracle Identity Manager application to
operate is for the backend database to be XA-compliant. This requires XA
support to be turned on at the database level. This is important for the
application server to properly manage transactions that involve not just
database connections but also message delivery and receipt. In XA
functionality, the transaction manager uses XA resource instances to
prepare and coordinate each transaction branch and then to commit or
roll back all transaction branches appropriately.
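The prepare/commit/rollback coordination described above, as an added illustration that is not part of this report and does not use Oracle or a real XA driver: a transaction manager drives two constructed resource branches (a database and a message queue) through phase 1 (votes) and phase 2 (a single outcome for every branch). The second scenario shows why the application server needs XA at the database: when the queue cannot promise durability, the database work that was already prepared is rolled back too, instead of being committed on its own.

```python
class XAResource:
    """Constructed stand-in for one XA resource manager (a database, a JMS queue)."""

    def __init__(self, name, fail_on_prepare=False):
        self.name = name
        self.fail_on_prepare = fail_on_prepare  # simulate a branch that cannot guarantee durability
        self.pending = []       # work done inside the branch, not yet durable
        self.committed = []     # work made durable by a successful commit
        self.state = "idle"

    def start(self, xid):
        self.state = "active"
        self.xid = xid

    def do_work(self, item):
        if self.state != "active":
            raise RuntimeError(f"{self.name}: no active branch")
        self.pending.append(item)

    def prepare(self, xid):
        # Phase 1: the branch votes. A "yes" vote is a promise that commit()
        # will succeed even if the resource crashes and restarts in between.
        if self.fail_on_prepare:
            return False
        self.state = "prepared"
        return True

    def commit(self, xid):
        if self.state != "prepared":
            raise RuntimeError(f"{self.name}: commit without prepare")
        self.committed.extend(self.pending)
        self.pending = []
        self.state = "committed"

    def rollback(self, xid):
        # Discard uncommitted work whatever state the branch is in.
        self.pending = []
        self.state = "rolled_back"


class TransactionManager:
    """Coordinates the branches of one global transaction with two-phase commit."""

    def __init__(self):
        self.counter = 0

    def run(self, branches, work):
        """work is a list of (resource, item). Returns the outcome of the global transaction."""
        self.counter += 1
        xid = f"xid-{self.counter}"
        for r in branches:
            r.start(xid)
        for r, item in work:
            r.do_work(item)
        # Phase 1: collect votes, stopping at the first "no".
        all_yes = True
        for r in branches:
            if not r.prepare(xid):
                all_yes = False
                break
        # Phase 2: every branch receives the same outcome.
        if all_yes:
            for r in branches:
                r.commit(xid)
            return "committed"
        for r in branches:
            r.rollback(xid)
        return "rolled_back"


def demo():
    """Constructed scenario: a user insert in the database plus an event on the queue."""
    db, mq = XAResource("oim-db"), XAResource("jms-queue")
    ok = TransactionManager().run(
        [db, mq], [(db, "insert user alice"), (mq, "publish provisioning event")])
    # Same work, but the queue refuses to prepare: the database must not keep its insert.
    db2, mq2 = XAResource("oim-db"), XAResource("jms-queue", fail_on_prepare=True)
    bad = TransactionManager().run(
        [db2, mq2], [(db2, "insert user bob"), (mq2, "publish provisioning event")])
    return ok, db.committed, bad, db2.committed


if __name__ == "__main__":
    print(demo())
```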
3.2.5 Persistence
Oracle Identity Manager has a custom persistence layer that has been
built on the JDBC framework to manage persistence of the data to the
database. This custom implementation is optimized to deal with the
complexity of the data involved in the provisioning transactions in an
optimal manner above and beyond what container managed
persistence and generic persistence mechanisms can support.

3.2.6 Reliability & scalability
Oracle Identity Manager is reliable with consistency of application and
transactions. When a user connects to the system to process a specific
request, the system is guaranteed to provide the expected results or a
reasonable response. Oracle identity manager has the built-in ability to
accept additional users in accordance with growth in business without
rewriting or redesigning systems.

3.2.7 Performance
Speedy response times and efficient navigation.

3.2.8 Customization
Being based on the Struts framework, Oracle identity manager supports a
great deal of configurability and customization.

3.3 QUALITY
3.3.1 Reliability
The system will be reliable, i.e., when a user connects to the IDAM system to
process a specific request, the system will be guaranteed to provide the
expected results or a reasonable response. In order to make the system
reliable, the Typical IDAM system will be deployed in an OS-clustered environment.
All web servers and the OVD component will run in load-balanced mode, and the
application servers will run in OS-clustered mode. Please refer to the
deployment architecture details.
3.3.2 Portability
The Typical IDAM enterprise system is portable to various platforms as the
business grows and when bigger and more efficient hardware platforms are
needed. Oracle Identity Manager is portable to most of the environments.
3.3.3 Recoverability
The system is able to recover from failures with minimal downtime. At a
basic level this is the average time required to repair a failed system or
database. Database recoverability directly relates to the quality of the
backup strategy in place for Typical.
Oracle Identity Manager is deployed in the Typical clustered environment, so if
one node goes down the other node remains up, avoiding downtime.
3.3.4 Securability
Data is vital to a business and will be protected from hackers in the best possible
manner. The Oracle Advanced Security option provides encryption of data over
the network. Oracle Identity Manager enforces internal security policies and
eliminates potential security threats from rogue, expired and unauthorized
accounts and privileges.

3.3.5 Auditability
Auditability of data refers to the ability to retrieve sufficient information with
respect to the creation of data, such as who created the data, why the data
was created, who modified the data, when it was modified. Oracle Identity
Manager reports on both the history and the current state of the Typical user
provisioning environment.
3.3.6 Manageability and maintainability
Typical IDAM system will be tuned to suit the organizational needs.
3.3.7 Response
Response time, from a user's perspective, is the time taken for the system to
respond to a request. Oracle Identity Manager provides fast response times.
3.3.8 Scalability
The Typical IDAM system is reliable and has the capability to accept additional user
requests as the business grows, through horizontal hardware scaling of the web
servers and application servers. As of now the application servers will be OS
clustered and the web server/LDAP components will be configured in load
balancing mode.
3.3.9 Availability
In order to make the system highly available, the Typical IDAM system will be
deployed in a clustered environment. All web servers and the OVD component will
run in load-balanced mode, and the application servers will run in OS-clustered mode.

3.4 ORACLE IDENTITY MANAGER USAGE OVERVIEW
Oracle Identity Manager is built on an enterprise-class, modular architecture
that is both open and scalable. Each module plays a critical role in the overall
functionality of the system.
Oracle Identity Manager User Interfaces define and administer the
provisioning environment. Oracle Identity Manager offers two feature-rich
user interfaces to satisfy both administrator and user requirements:
Powerful Java-based Design Console for developers and system
administrators.
Web-based Administration Console for identity administrators and
end users.
3.4.1 Provision manager
Provision Manager is where provisioning transactions are assembled and
modified. User profiles, access policies and resources are defined through the
Provision Manager, as are business process workflows and business rules.
3.4.1 Provision Server
Provision Server is Oracle Identity Manager's run-time engine, which executes
the provisioning process transactions as defined through the Design Console and
maintained within the Provision Manager.
3.4.2 Adapter Factory
Adapter Factory builds and maintains the integrations between Oracle
Identity Manager and managed systems and applications. The Adapter
Factory allows administrators and subject matter experts to work at a higher
level of abstraction by mapping the Oracle Identity Manager provisioning
process directly to the target application's configuration requirements. Once
mapped, the Adapter Factory will generate the necessary integration code.

3.4.3 Reconciliation Engine
The Reconciliation Engine ensures consistency between the Oracle Identity Manager
provisioning environment and the resources Oracle Identity Manager manages
within the enterprise. The Reconciliation Engine discovers illegal accounts
created outside of Oracle Identity Manager. It will also
synchronize business rules located inside and outside the provisioning system
to ensure consistency.
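The reconciliation described above, and the lifecycle problem raised in 3.2.2 (accounts of users who have left still existing on target systems), as one added worked example that is not part of this report and not Oracle's reconciliation code: it parses a constructed CSV export of accounts found on a managed target, compares it with the accounts the provisioning system believes it created and with the lifecycle status of the owning identities, and reports rogue, missing, drifted, stale and unowned accounts. All logins, privileges and statuses are constructed sample data.

```python
import csv
import io
from dataclasses import dataclass

# Constructed export from a managed target system (what the connector actually finds).
TARGET_EXPORT = """login,privilege
alice,user
bob,admin
mallory,admin
dave,user
"""

# Constructed view of the provisioning system: the accounts it believes it created.
PROVISIONED = [("alice", "user"), ("bob", "user"), ("carol", "user")]

# Constructed identity store: lifecycle status of the identity owning each login.
IDENTITIES = {"alice": "active", "bob": "active", "carol": "active", "dave": "deprovisioned"}


@dataclass(frozen=True)
class Account:
    login: str
    privilege: str


def parse_export(text):
    """Parse the target's CSV export into Account records."""
    return [Account(row["login"].strip(), row["privilege"].strip())
            for row in csv.DictReader(io.StringIO(text))]


def reconcile(provisioned, discovered, identities):
    """Compare the provisioning system's view with the target; lists are sorted for stable output."""
    prov = {a.login: a for a in provisioned}
    disc = {a.login: a for a in discovered}
    both = set(prov) & set(disc)
    return {
        # On the target but unknown to the provisioning system: created outside it.
        "rogue": sorted(set(disc) - set(prov)),
        # Expected by the provisioning system but absent on the target.
        "missing": sorted(set(prov) - set(disc)),
        # Known to both, but the privilege on the target no longer matches what was provisioned.
        "drift": sorted(login for login in both if prov[login].privilege != disc[login].privilege),
        # Present on the target although the owning identity has been de-provisioned.
        "stale": sorted(login for login in disc if identities.get(login) == "deprovisioned"),
        # On the target with no identity record at all.
        "unowned": sorted(login for login in disc if login not in identities),
    }


def run_demo():
    provisioned = [Account(login, priv) for login, priv in PROVISIONED]
    return reconcile(provisioned, parse_export(TARGET_EXPORT), IDENTITIES)


if __name__ == "__main__":
    for category, logins in run_demo().items():
        print(f"{category:8s} {logins}")
```

A finding in "stale" or "rogue" is what the engine would raise for review; what to do with it (disable the account, re-provision, or accept it as an exception) is the workflow step the report places in the user management life cycle.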
3.4.4 Applications Integration for user life cycle management
The target applications to be integrated with OIM for user lifecycle
management will be integrated by the following methods:
Out-of-Box connectors - IDM provides default connectors for
standard applications.
DB based connectors - connectors that manage accounts
directly on the application backend.
API based connectors - these connectors use the target application's
API for account management.

4 ORACLE IDENTITY MANAGER ARCHITECTURE
4.1 Identity Manager Architecture
The architecture of Identity Manager can be defined as shown below:

Figure 2 Oracle Identity Manager architecture

The layers of this architecture are described below.
4.1.1 Presentation Layer
The presentation layer consists of two clients:
1. The Administrative and End-User Console is a web-based thin client
that can be accessed from any web browser. The A&EU Console
provides user self-service and delegated administration features
that serve the bulk of the user base of the provisioning system.
2. The Design Console is a feature-rich, sophisticated client accessed
using a desktop Java client as an admin activity. The Design
Console provides the full range of Xellerate's system configuration
and development capabilities, including the form designer, workflow
designer, adapter factory and the deployment utility for automated
change management.
4.1.2 Business Logic Layer
The business logic layer for Xellerate is implemented as an EJB application.
Xellerate runs on leading J2EE compliant application server platforms,
leveraging the J2EE services provided by these industry-leading
application servers to deliver a high-performance, fault tolerant enterprise
application.
The core functionality for the Xellerate platform is implemented in Java
using a highly modular, object-oriented methodology. This makes the
application extremely flexible and extensible.
4.1.3 Data Access Layer
J2EE contains several technologies for manipulating and interacting with
transactional resources like databases, based on JDBC, JTA and JTS. The
Xellerate architecture leverages the following J2EE services:
Database Connection Pooling.
Integration with JNDI Lookup of Data Sources in the JNDI Namespace.
XA Compliance.
Batch Updates.

5 ORACLE ACCESS MANAGER ARCHITECTURE
Oracle Access Manager helps enterprises create greater levels of business
agility, ensure seamless business partner integration, and enable
regulatory compliance. Through an innovative, integrated architecture
Oracle Access Manager uniquely combines identity management and
access control services to provide centralized authentication, policy-
based authorizations, and auditing with rich identity administration
functionality such as delegated administration and workflows. Protecting
resources at the point of access and delegating authentication and
authorization decisions to a central authority, Oracle Access Manager
helps secure web, J2EE, and enterprise applications.
5.1 Access Manager Architecture
The architecture of Access Manager can be defined as shown below:

Figure 3 Oracle Access Manager architecture

When a user tries to access a protected enterprise resource, the
WebGate and the Access Server execute the following sequence of
steps:
1. The WebGate intercepts the user request and checks with the
Access Server whether the resource being accessed is protected.
2. If the resource is protected, the WebGate challenges the user for
credentials and forwards those credentials to the Access Server for
validation.
3. The Access Server validates the submitted user credentials against
the backend directory server.
4. The result of this validation is sent back to the WebGate. If the
authentication is successful, the WebGate sets a cookie in the user's
browser and checks with the Access Server whether the user has
permission to access the protected resource.
5. The Access Server fetches the policies from the directory and
evaluates whether the user has access to the protected resource.
The result is sent back to the WebGate.
6. If the user is authorized, he gets access to the secured resource.
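The six-step exchange above, as an added simulation that is not part of this report and not Oracle Access Manager code: a WebGate (the enforcement point) and an Access Server (the decision point) are modelled as two Python classes, with a constructed directory holding salted password hashes and group membership. The cookie name, the users, the passwords and the policies are all constructed for the example; the comments mark which numbered step each branch corresponds to.

```python
import hashlib
import hmac
import os
import secrets


class Directory:
    """Constructed stand-in for the backend LDAP directory: salted password hashes and groups."""

    def __init__(self):
        self._users = {}

    def add_user(self, uid, password, groups):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[uid] = (salt, digest, set(groups))

    def verify(self, uid, password):
        record = self._users.get(uid)
        if record is None:
            return False
        salt, digest, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    def groups(self, uid):
        return self._users[uid][2] if uid in self._users else set()


class AccessServer:
    """Policy Decision Point: knows which URLs are protected and who may reach them."""

    def __init__(self, directory, policies):
        self.directory = directory
        self.policies = policies            # URL prefix -> set of groups allowed

    def is_protected(self, url):
        return any(url.startswith(prefix) for prefix in self.policies)

    def authenticate(self, uid, password):
        return self.directory.verify(uid, password)

    def authorize(self, uid, url):
        allowed = set()
        for prefix, groups in self.policies.items():
            if url.startswith(prefix):
                allowed |= groups
        return bool(self.directory.groups(uid) & allowed)


class WebGate:
    """Policy Enforcement Point in front of the web server."""

    COOKIE = "idam_session"                 # constructed cookie name for this example

    def __init__(self, access_server):
        self.access_server = access_server
        self.sessions = {}                  # cookie value -> authenticated uid

    def handle(self, url, cookies=None, credentials=None):
        cookies = cookies or {}
        set_cookie = {}
        # Step 1: ask the Access Server whether the resource is protected at all.
        if not self.access_server.is_protected(url):
            return {"status": 200, "body": f"public {url}", "set_cookie": set_cookie}
        uid = self.sessions.get(cookies.get(self.COOKIE))
        if uid is None:
            # Step 2: no valid session, so challenge for credentials.
            if credentials is None:
                return {"status": 401, "body": "login required", "set_cookie": set_cookie}
            # Step 3: the Access Server validates the credentials against the directory.
            if not self.access_server.authenticate(*credentials):
                return {"status": 401, "body": "invalid credentials", "set_cookie": set_cookie}
            uid = credentials[0]
            # Step 4: authentication succeeded; issue an unguessable session cookie.
            token = secrets.token_urlsafe(32)
            self.sessions[token] = uid
            set_cookie[self.COOKIE] = token
        # Steps 4-5: the Access Server evaluates policy for this user and resource.
        if not self.access_server.authorize(uid, url):
            return {"status": 403, "body": "forbidden", "set_cookie": set_cookie}
        # Step 6: authorized, so the request reaches the protected resource.
        return {"status": 200, "body": f"protected {url} for {uid}", "set_cookie": set_cookie}


def build_demo():
    """Constructed deployment: two users, two protected URL spaces."""
    directory = Directory()
    directory.add_user("alice", "correct horse battery staple", ["staff"])
    directory.add_user("bob", "hunter2-but-longer", ["staff", "admins"])
    server = AccessServer(directory, {"/app/": {"staff"}, "/admin/": {"admins"}})
    return WebGate(server)
```

Authentication and authorization are separate decisions here, as in the report's steps 3 and 5: a user with a valid session cookie is not re-challenged for an unauthorized URL but still receives a 403, and a forged cookie value that matches no session falls back to the credential challenge.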
5.2 Access Manager Components overview
The diagram below depicts the flow between the Access Manager components.

Figure 4 Flow diagram between access manager's components (components shown:
Web Browser (Client), Landing Page after Successful Login, WebGate, Access
Server, Identity Server, Web Server (e.g. OHS), Policy Manager, WebPass,
Browser client (management), LDAP Server, Oracle Virtual Directory, Target
Application, and WebGate after SSO login and click on the application link)

This is an architectural diagram showing how Oracle Access Manager
components communicate with Oracle Application Server middle-tier
components.
On the Oracle Access Manager side, there are the following:
A special browser client for management: communicates with the
Oracle Access Manager Web server.
The Oracle Access Manager Web server (Oracle HTTP Server, for
example) has WebGate, Policy Manager and WebPass installed.
WebGate communicates with the Access Server. Policy Manager
communicates with the LDAP server (such as Oracle Internet
Directory). WebPass communicates with the Identity Server.
Access Server: communicates with WebGate, the LDAP server,
each application instance in the middle tier, and the middle-tier
Web Server.
Identity Server: communicates with WebPass and the LDAP server.

5.2.1 Identity Server
The Identity Server manages identity information about users, groups,
organizations, and other objects. The Identity Server performs three main
functions:
1. Reads the user data from OVD and writes the data on to the OID server
across a network connection.
2. Stores user information on a directory server and keeps the directory
current.
3. Processes all requests related to user, group, and organization
identification.

5.2.2 WebPass
WebPass is a web server plug-in that passes information back and forth
between the web server and the Identity Server over the Oracle Identity
Protocol (formerly the NetPoint or COREid Identity Protocol). Hence, WebPass
is the presentation tier of the Identity System. By default, WebPass renders
its content as HTML so that it can be accessed through a browser.

5.2.3 WebGate
WebGate is an out-of-the-box access client for enforcing access policy
on HTTP-based resources; hence it is the Access System's web Policy
Enforcement Point or PEP. The WebGate client runs as a plug-in or module
on top of most popular web servers, and intercepts HTTP requests for web
resources and forwards them to the Access Server where access control
policies are applied. WebGates are optimized to work in web server
environments: they are streamlined for the HTTP protocol, understand
URLs, session cookies, HTTP redirects and secure sessions (HTTPS), and also
implement policy caches that improve WebGate's performance and
allow for scalability in highly trafficked sites.

5.2.4 Access Server
Access Server is a standalone software server that enforces access
policies on web and non-web resources, so it is the Access System's Policy
Decision Point or PDP. The Access Server can be deployed in a single
instance, or as part of a clustered implementation to support load
balancing and failover. Load balancing and failover of the Access Server
are built in and do not require the deployment of external load balancers.
The Access Server provides dynamic policy evaluation as users access
resources, as well as authentication, authorization, and auditing services.

5.2.5 Policy Manager
Policy Manager is a browser-based graphical tool for configuring the
resources to be protected as well as for creating and managing access
policies, so it is the Access System's Policy Management Authority or PMA.
The Policy Manager provides the login interface for the Access System,
communicates with the directory server to manage policy data, and
communicates with the Access Server over the Oracle Access Protocol to
update the Access Server cache when policies are modified.

5.2.6 New Administrator Functionality in Access Manager
Once the user is authenticated by the Access Manager, the appropriate links
are displayed on the landing page based on the user's role (e.g. administrator
or non-administrator). For an administrator user, an additional
"Administrator" link will be displayed.
Thus, the administrator will have the authority to add a new application
link on the landing page, and to edit and delete an existing one. This will
help the administrator to perform all these tasks through the landing page
itself, rather than adding, editing or deleting them in the database.

5.2.7 Oracle Virtual Directory
Oracle Virtual Directory provides Internet and industry-standard LDAP view
of existing enterprise identity information, without synchronizing or moving
data from its native locations.

5.2.8 Oracle Internet Directory
Oracle Internet Directory is an LDAP v3 directory that leverages the
scalability, high availability and security features of the Oracle Database.
Oracle Internet Directory serves as the central user repository for Oracle
Identity Management, simplifying user administration in the Oracle
environment and providing a standards-based application directory for
the heterogeneous enterprise. Additionally, Oracle Directory
Synchronization allows Oracle Identity Management to seamlessly
integrate with other directories and enterprise user repositories, allowing
users to leverage identity information wherever it resides.

5.2.9 Oracle HTTP Standalone Web Server
The Oracle HTTP server is a simple Web HTTPD server (Web listener). It is
based on the Apache Web Server provided by the Apache Group.
Oracle Access Manager will be installed on the Oracle HTTP Web server.

6. Acronyms and Glossary
IDAM - Identity And Access Management
AD - Active Directory
LDAP - Lightweight Directory Access Protocol
OVD - Oracle Virtual Directory
OID - Oracle Internet Directory
AM - Access Manager
JDBC - Java Database Connectivity
HTTP - Hyper Text Transfer Protocol
JTA - Java Transaction API
JTS - Java Transaction Service

7. References

Figure 1 - Referred Oracle IDAM Architecture document
Figure 2 - Referred Oracle Identity Management document
Figure 3 - Referred Oracle Access Manager document
Figure 4 - Referred Oracle Access Manager document