Oracle Identity and Access Management Overview
Klaus Scherbach, Principal Sales Consultant, BU Identity Management
This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
Agenda
- Functional Overview
- Oracle Access Management
- Oracle Identity Governance
- Oracle Directory Services
Functional Overview
Identity and Access Management 11gR2: Modern, Innovative & Integrated
- Governance: Privileged Accounts, Access Request, Role-Based Provisioning, Password Reset, Attestation, Segregation of Duties, Role Mining
- Access: Web Single Sign-On, Federation, Mobile, Social & Cloud, Integrated ESSO, External Authorization, Web Services Security, Security Token Service, Fraud Detection
- Directory: LDAP Storage, Virtual Directory, Meta Directory
- Platform Security Services
Oracle Access Management
Oracle Access Management 11gR2: Functional Blocks (excluding ESSO)
Key attributes: Complete, Innovative, Simplified, Scalable, Open
Oracle Access Management 11gR2: Integration with Identity Governance (deployment diagram)
- Zones: Internet, Corporate DMZ (OAM WebGates), Corporate Network
- Oracle Access Management: Authentication, Authorization, Single Sign-On, Identity Context; backed by Directory Services
- Oracle Identity Governance: Registration, Self Service, Attestation, Lifecycles
- OAM optionally redirects to Identity Governance depending on authentication events
Oracle Access Management 11gR2: Available Services
Oracle Access Management 11gR2: Identity Context
The identity context spans Enterprise/Work, Social/Life and Mobile/Presence and is carried across all tiers:
- Device Tier: Smartphone, Tablet, Laptop, Server
- Web Tier: Web SSO, Identity Federation, Risk / Adaptive Authentication
- Application Tier: Application, Portal, Container EJBs
- Service Tier: Web Services, SOA, Service Bus, Databases, Directories
1. Collect attributes into the context
2. Publish, propagate and evaluate the attributes across Oracle's Fusion Middleware stack
Oracle Access Management 11gR2: Sample Identity Context Attributes

Category    Attributes (sample)                                                        Publisher
Client      Is Firewall Enabled, Is Anti Virus Enabled                                 OESSO
            Device Fingerprint, Location                                               OAM / MS (Mobile & Social)
Risk        Is Known Device, Is Trusted Device, Risk Score                             OAAM
Federation  Partner ID, Partner Attributes                                             OAM / OIF
Session     Level of Assurance, Session ID, any attribute in the current session       OAM
Identity    Any attribute in the user's ID store profile, True/False result of a search OAM, OVD
Oracle Access Management 11gR2: Enterprise Single Sign-On (OESSO) Architecture
Components: ESSO Admin Console, ESSO Authentication Manager, ESSO Kiosk Manager, ESSO Password Reset, ESSO Provisioning Gateway (connected to the Provisioning System), ESSO Logon Manager on the client PC
- Only one password to remember
- Covers non-web applications
- Integrated with Oracle web access management
- More secure, with quicker compliance
Oracle Access Management 11gR2: Entitlement Service Motivation
- Better business agility: an adaptable security service infrastructure that more closely models your business; respond faster to changing corporate, regulatory and market requirements; reduce time-to-market
- Enhanced security and compliance: manage security from a single place; finer control over the protection of all resources; separates security decisions from application logic; robust auditing of events
- Increased IT efficiency: centralizes security policy management; enables reuse and sharing of security services; frees developers to focus on value-added business logic; integrates easily with identity and access management
Oracle Access Management 11gR2: Entitlement Service Deployment (diagram)
Components shown: Policy Enforcement Points (PEP) embedded in the applications, Policy Decision Points (PDP) they call, the OES Admin Server, Policy Information Points (PIPs), the Identity Store and the Policy Store.
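The two slides above separate collecting identity-context attributes from deciding on them. The following is an added illustration, not Oracle code: a toy policy decision point that consumes attributes named after the context categories in the attribute table (client, risk, session) and a policy enforcement point that maps its decision to an HTTP status. The attribute names, the rule format, the fail-closed defaults and the sample contexts are assumptions made for this example.

```python
"""Toy policy decision point (PDP) over an identity context.

Added illustration, not Oracle Entitlement Server code: it mimics the PEP/PDP
split and consumes attributes named after the identity-context categories.
Attribute names, rule format and sample contexts are assumptions.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

Context = Dict[str, Any]


@dataclass
class Rule:
    name: str
    resource_prefix: str                   # rule applies to resources under this path
    condition: Callable[[Context], bool]   # evaluated over the identity context
    effect: str                            # "permit" or "deny"
    on_fail: Optional[str] = None          # obligation when a permit rule does not match


@dataclass
class Decision:
    effect: str
    rule: str
    obligations: List[str] = field(default_factory=list)


class PolicyDecisionPoint:
    """Deny-overrides combining: any matching deny wins, then the first matching
    permit, otherwise deny by default."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, resource: str, ctx: Context) -> Decision:
        applicable = [r for r in self.rules if resource.startswith(r.resource_prefix)]
        for r in applicable:
            if r.effect == "deny" and r.condition(ctx):
                return Decision("deny", r.name)
        permits = [r for r in applicable if r.effect == "permit"]
        for r in permits:
            if r.condition(ctx):
                return Decision("permit", r.name)
        # No permit matched: tell the PEP what would be needed (e.g. step-up authentication).
        return Decision("deny", "default-deny", [r.on_fail for r in permits if r.on_fail])


def build_pdp() -> PolicyDecisionPoint:
    return PolicyDecisionPoint([
        # Risk category: an absent risk score counts as maximally risky (fail closed).
        Rule("high-risk-session", "/", lambda c: c.get("risk.score", 100) >= 70, "deny"),
        # Risk/client category: payroll only from a device the risk engine trusts.
        Rule("untrusted-device", "/payroll", lambda c: not c.get("risk.is_trusted_device", False), "deny"),
        # Session category: level of assurance (LoA) required per resource.
        Rule("payroll-needs-loa2", "/payroll", lambda c: c.get("session.loa", 0) >= 2, "permit",
             on_fail="step-up-authentication"),
        Rule("intranet-needs-loa1", "/intranet", lambda c: c.get("session.loa", 0) >= 1, "permit",
             on_fail="authenticate"),
    ])


def pep_handle(pdp: PolicyDecisionPoint, resource: str, ctx: Context) -> int:
    """Policy enforcement point: 200 on permit, 401 when the PDP returned an
    authentication obligation (redirect to step-up), 403 on a hard deny."""
    decision = pdp.decide(resource, ctx)
    if decision.effect == "permit":
        return 200
    if decision.obligations:
        return 401
    return 403


if __name__ == "__main__":
    pdp = build_pdp()
    ctx = {"risk.score": 12, "risk.is_trusted_device": True, "session.loa": 1}
    print(pdp.decide("/payroll/run", ctx))
    print(pep_handle(pdp, "/payroll/run", ctx))
```

The deny rules run first regardless of their position in the list, so a high risk score or an untrusted device can never be overridden by a permit rule, and a missing risk score is treated as the worst case rather than as "no information".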
Oracle Access Management 11gR2: Mobile & Social Deployment Scenario (diagram)
- Internet: HTTP/HTML and REST clients
- Corporate DMZ: Oracle Enterprise Gateway with an OES PDP (context-aware authorization and data redaction); Mobile and Social with secondary authentication; OAM Agent
- Corporate Network: Oracle Access Manager (authentication, authorization, SSO) with an OES PDP, Oracle Adaptive Access Manager, Directory Services (LDAP), Web Services Manager and Service Bus in front of SOAP/REST and legacy web services
Oracle Access Management 11gR2: Mobile & Social Web Service Deployment Scenario (diagram)
- Extranet / DMZ, first line of defense: OWSM Agent* counters external threats (HTTP, SOAP, REST, XML, JMS)
- Shared services layer: OWSM Agents on the Service Bus, governed by a common policy model
- Intranet, end point security: OWSM Agents on the endpoints counter internal threats
- Policies at both layers: WS-Security, Basic Auth, Digest, X.509, UsernameToken (UNT), SAML, Kerberos; sign and encrypt
* Planned capabilities
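Of the token types listed above, the WS-Security UsernameToken with password digest is the one most often deployed carelessly. The following added example, not Oracle Web Services Manager code, shows the digest computation from the WSS UsernameToken Profile 1.1 (PasswordDigest = Base64(SHA-1(nonce + created + password))) together with the two checks a verifier needs on top of the digest: timestamp freshness and a nonce replay cache. The in-memory credential store and the five-minute window are assumptions made for this example.

```python
"""WS-Security UsernameToken (UNT) with PasswordDigest: build and verify.

Added example, not OWSM code. Credential store and time window are assumptions.
"""
import base64
import datetime as dt
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def utc(timestamp: str) -> dt.datetime:
    """Parse a wsu:Created style timestamp as UTC."""
    return dt.datetime.strptime(timestamp, TIME_FMT).replace(tzinfo=dt.timezone.utc)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the WSS UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_token(username: str, password: str, now: Optional[dt.datetime] = None) -> Dict[str, str]:
    """Client side: the child elements of a <wsse:UsernameToken> in digest mode."""
    now = now or dt.datetime.now(dt.timezone.utc)
    nonce = os.urandom(16)
    created = now.strftime(TIME_FMT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class UsernameTokenVerifier:
    """Server side. Digest mode requires the verifier to hold the plaintext password
    (or a reversible copy), which is the main operational caveat of UNT digest."""

    def __init__(self, credentials: Dict[str, str], max_age_s: int = 300) -> None:
        self._credentials = credentials
        self._max_age = dt.timedelta(seconds=max_age_s)
        self._seen_nonces: Set[bytes] = set()   # replay cache; bound it to the window in production

    def verify(self, token: Dict[str, str], now: Optional[dt.datetime] = None) -> bool:
        now = now or dt.datetime.now(dt.timezone.utc)
        try:
            created = utc(token["Created"])
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        # 1. Freshness: reject tokens outside the window in either direction (clock skew).
        if abs(now - created) > self._max_age:
            return False
        # 2. Replay: a nonce is accepted once within the window.
        if nonce in self._seen_nonces:
            return False
        # 3. Digest, compared in constant time. An unknown user is checked against an
        #    empty password so timing does not reveal whether the username exists.
        password = self._credentials.get(token.get("Username", ""), "")
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        if not password:
            return False
        self._seen_nonces.add(nonce)   # only nonces of accepted tokens are recorded
        return True
```

Without the freshness and replay checks a captured header can be resent indefinitely, because the digest alone proves nothing about when it was computed.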
Oracle Access Management 11gR2: Sample Security Token Service Scenario (diagram of the trust relationship)
Oracle Identity Governance
Oracle Identity Governance 11gR2: Overview
- Provision: Grant User Access, Connectors, De-Provision
- Monitor User Access: IT Audit Monitoring, Rogue Detection & Reconciliation, Reporting & Privileged Access Monitoring
- Access Request, Privileged Account Request (Check-in / Checkout), Role Lifecycle Management, Identity Certifications
- Access Catalog: Roles, Entitlements, Accounts, Ownership, Risk & Audit Objectives, Glossaries, Catalog Management
Oracle Identity Governance 11gR2: Shopping Cart Simplicity
Browse, Compare & Select, Track, Receipt / Confirmation
Oracle Identity Governance 11gR2: Role Lifecycle Management
- Role Definition: Role Modeling, Role Mining (top-down and bottom-up approaches)
- Role Governance: Role Audit, Analytics, Change Management
- Change Management: Role Change Approvals, Role Versioning, Rollbacks & Comparison, Role Change Impact Analysis, Rule Management
- Role Audit: Role Entitlement Mapping History, Role Membership History, Approvals History, Role Ownership History
- Governance: Role Definition Attestation, Role Membership Attestation, Role Consolidation, Role Mining
Oracle Identity Governance 11gR2: Risk-Based Certification (diagram)
- Identity data sources (Applications, DB, Mainframe) feed the Identity Warehouse: Roles, Entitlements, Resources, Accounts
- Risk factors: Certification History, Provisioning Events, Policy Violations
- Risk aggregation separates low-risk from high-risk users: low-risk users can be bulk-certified, high-risk users get a focused Cert360 review with approve / reject and sign-off
Oracle Identity Governance 11gR2: Connectors
- Common connectors for all governance needs: Access Request, Access Certification, Privileged Access
- Identity Connector Framework with Identity Connectors for Cloud Applications, Enterprise Applications, Directories, Databases, Custom Applications and Mainframes
- Supports multiple target versions and multiple instances of a target simultaneously
- Flexible deployment options: local and remote deployment
- Extensible: administrators can extend the capabilities without coding
Oracle Identity Governance 11gR2: Privileged Account Management (OPAM) Motivation
- Threats: increased online threat, costly insider fraud; social media, cloud computing and mobile access
- Compliance: tougher regulations, greater focus on risk, stronger governance
- Figures cited from the 2011 Data Breach Investigations Report: 76% of data stolen from servers; 86% of hacking involved stolen credentials; 48% caused by insiders; 17% involved privilege misuse
Oracle Identity Governance 11gR2: Privileged Account Management (OPAM) Functions
- Secure vault to centrally manage passwords for privileged and shared accounts
- Targets include databases, operating systems, LDAP directories and Oracle FMW applications
- GUI, REST services and CLI for users and administrators
- Automatic password change using the Identity Connector Framework (ICF)
- Policy-based password check-out and check-in
- Customizable audit reports through BI Publisher, plus real-time status
- Extension to Identity Governance: OIM and OIA integration for complete governance
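The check-out / check-in workflow on this slide is easy to get subtly wrong (a lapsed checkout handing the same password to the next user, or a check-in without rotation). The following is an added example, not OPAM code: a vault that holds passwords for shared privileged accounts, enforces a checkout policy (entitlement, exclusivity, maximum duration), rotates the password on check-in or on forced expiry, and writes an audit trail. The vault is kept in memory without encryption at rest, and the push of the new password to the target (done through an ICF connector in OPAM) is only simulated; both are assumptions made to keep the example self-contained.

```python
"""Policy-based check-out / check-in of privileged account passwords.

Added example, not OPAM code. In-memory vault, no encryption at rest, and the
target password change is simulated by rotating the vault copy only.
"""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass
class CheckoutPolicy:
    allowed_groups: FrozenSet[str]      # who may check the account out
    max_duration_s: int                 # forced check-in after this long
    exclusive: bool = True              # one holder at a time
    rotate_on_checkin: bool = True      # new password after every use


@dataclass
class PrivilegedAccount:
    target: str                         # e.g. "db:finance-prod" (assumed naming)
    name: str                           # e.g. "SYS"
    policy: CheckoutPolicy
    password: str
    checked_out_by: Optional[str] = None
    expires_at: float = 0.0


def generate_password(length: int = 24) -> str:
    """Random password containing at least one lower, upper and digit character."""
    alphabet = string.ascii_letters + string.digits + "!#%+-=_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw):
            return pw


class Vault:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._accounts: Dict[Tuple[str, str], PrivilegedAccount] = {}
        self._clock = clock               # injectable for deterministic tests
        self.audit: List[dict] = []

    def add(self, account: PrivilegedAccount) -> None:
        self._accounts[(account.target, account.name)] = account

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": self._clock(), "event": event, **fields})

    def _release(self, acct: PrivilegedAccount, event: str) -> None:
        """Clear the checkout and rotate, so a returned password is never reusable."""
        self._log(event, user=acct.checked_out_by, target=acct.target, account=acct.name)
        acct.checked_out_by, acct.expires_at = None, 0.0
        if acct.policy.rotate_on_checkin:
            # OPAM would push the new password to the target through its ICF connector here.
            acct.password = generate_password()
            self._log("rotate", target=acct.target, account=acct.name)

    def checkout(self, user: str, groups: FrozenSet[str], target: str, name: str) -> str:
        acct = self._accounts[(target, name)]
        now = self._clock()
        if not (groups & acct.policy.allowed_groups):
            self._log("checkout-denied", user=user, target=target, account=name, reason="not-entitled")
            raise PermissionError(f"{user} is not entitled to {target}/{name}")
        if acct.checked_out_by and acct.expires_at <= now:
            self._release(acct, "forced-checkin")   # lapsed checkout: rotate before handing out
        holder = acct.checked_out_by
        if acct.policy.exclusive and holder and holder != user:
            self._log("checkout-denied", user=user, target=target, account=name, reason="in-use", holder=holder)
            raise RuntimeError(f"{target}/{name} is checked out by {holder}")
        acct.checked_out_by = user
        acct.expires_at = now + acct.policy.max_duration_s
        self._log("checkout", user=user, target=target, account=name, expires_at=acct.expires_at)
        return acct.password

    def checkin(self, user: str, target: str, name: str) -> None:
        acct = self._accounts[(target, name)]
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {target}/{name}")
        self._release(acct, "checkin")

    def expire_overdue(self) -> int:
        """Scheduled job: force check-in of accounts whose window has passed. Returns the count."""
        now, count = self._clock(), 0
        for acct in self._accounts.values():
            if acct.checked_out_by and acct.expires_at <= now:
                self._release(acct, "forced-checkin")
                count += 1
        return count

    def holder(self, target: str, name: str) -> Optional[str]:
        return self._accounts[(target, name)].checked_out_by
```

Rotation happens in one place (`_release`) for both voluntary and forced check-in, and the lapsed-checkout case is handled inside `checkout` as well, so the next user never receives a password that a previous holder still knows, even if the scheduled expiry job has not run yet.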
Oracle Identity Governance 11gR2: Privileged Account Management, Checkout Password Screen (screenshot)
Oracle Identity Governance 11gR2: DB User Management, DB Vault and OPAM

Service description                                                          Supported by
Use existing enterprise LDAP passwords for end-user passwords               EUS
Map database roles to enterprise roles                                       EUS
Privileged user access control to limit access to application data          DB Vault
Multi-factor authorization for enforcing enterprise security policies       DB Vault
Manage SYS/SYSTEM and other DB privileged account passwords                  OPAM
Manage DB Vault privileged account passwords (e.g. user_manager, sec_admin)  OPAM
Manage non-Oracle database passwords                                         OPAM
Oracle Directory Services
Directory Server Enterprise Edition (ODSEE), the former Sun Microsystems enterprise directory
- Directory Server: scalable, secure, replication, 4+ billion identities managed
- Directory Proxy: load balancing, high availability, data distribution
- Identity Synchronization for Windows: identity data, password and group synchronization between Microsoft Active Directory and Directory Server
- Deployment tooling: evaluate and tune performance; Namefinder white pages
- Provisioning: manage multiple instances from a central location; web-based service management
Directory Server EE Components and Deployment (diagram)
- Applications
- Access layer: Proxy (load balancing, distribution, security)
- Data management: Directory Server
- DSRK: Directory Server Resource Kit
- ISW: Identity Synchronization for Windows
Oracle Internet Directory (OID), the Oracle enterprise directory: HA Options
- Single node
- OID cluster
- OID cluster + RAC
- OID cluster + RAC + replication
Oracle Internet Directory: Directory Integration Platform (DIP)
- Oracle Internet Directory: central repository for identities, with support for external authentication
- Directory Integration Platform: executes a set of connectors for synchronization
- Connector support for MS AD, AD LDS, ODSEE, OUD, Novell eDirectory, IBM Tivoli, OpenLDAP and custom agents
- DIP profiles: templates for data mapping / transformation
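A DIP profile is essentially a mapping from source attributes to target attributes plus a watermark so that only new changes are processed. The following added example, not Oracle DIP code, shows that shape in the general case: constructed change-log records from an Active Directory source are mapped and transformed into inetOrgPerson entries for the target, entries that cannot be represented are skipped with a reason, and a USN watermark makes the run incremental. The sample records, the target container cn=Users,dc=example,dc=com, the choice of uid as the target RDN and the use of orclIsEnabled as the status attribute are assumptions made for this example.

```python
"""Attribute mapping and incremental sync in the style of a directory integration profile.

Added example, not Oracle DIP code. Sample records, target container, RDN choice and
the orclIsEnabled status attribute are assumptions.
"""
from typing import Callable, Dict, List, Tuple, Union

Entry = Dict[str, str]
Mapping = Dict[str, Union[str, Callable[[Entry], str]]]

# Constructed sample change-log records from the source (Active Directory style).
SOURCE_CHANGES: List[Entry] = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=com", "sAMAccountName": "jdoe",
     "givenName": "Jane", "sn": "Doe", "displayName": "Jane Doe",
     "mail": "jane.doe@example.com", "userAccountControl": "512", "uSNChanged": "1001"},
    {"dn": "CN=Old Contractor,OU=Staff,DC=example,DC=com", "sAMAccountName": "ocontr",
     "givenName": "Old", "sn": "Contractor", "mail": "old.c@example.com",
     "userAccountControl": "514", "uSNChanged": "1002"},     # 0x2 = ACCOUNTDISABLE
    {"dn": "CN=svc-backup,OU=Service,DC=example,DC=com", "sAMAccountName": "svc-backup",
     "userAccountControl": "512", "uSNChanged": "1003"},      # no sn: not a person entry
    {"dn": "CN=Already Synced,OU=Staff,DC=example,DC=com", "sAMAccountName": "asynced",
     "givenName": "Al", "sn": "Synced", "userAccountControl": "512", "uSNChanged": "900"},
]

TARGET_CONTAINER = "cn=Users,dc=example,dc=com"   # assumed target container


def account_status(e: Entry) -> str:
    """Transformation: AD userAccountControl bit 0x2 to an enabled/disabled flag."""
    return "DISABLED" if int(e["userAccountControl"]) & 0x2 else "ENABLED"


def common_name(e: Entry) -> str:
    return e.get("displayName") or " ".join(filter(None, [e.get("givenName"), e.get("sn")]))


# The profile: target attribute -> source attribute name, or a transformation function.
PROFILE: Mapping = {
    "uid": "sAMAccountName",
    "mail": "mail",
    "givenName": "givenName",
    "sn": "sn",
    "cn": common_name,
    "orclIsEnabled": account_status,   # assumed status attribute on the target
}


def transform(entry: Entry, profile: Mapping = PROFILE) -> Tuple[str, Dict[str, List[str]]]:
    """Apply the profile to one source entry. Raises ValueError for entries the target
    schema cannot hold (inetOrgPerson requires sn and cn)."""
    if not entry.get("sn"):
        raise ValueError(f"{entry['dn']}: missing sn, not a person entry")
    attrs: Dict[str, List[str]] = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"]}
    for target, source in profile.items():
        value = source(entry) if callable(source) else entry.get(source)
        if value:
            attrs[target] = [value]
    # Use the login name as RDN so renaming the source CN does not move the target entry.
    dn = f"uid={attrs['uid'][0]},{TARGET_CONTAINER}"
    return dn, attrs


def to_ldif(dn: str, attrs: Dict[str, List[str]]) -> str:
    lines = [f"dn: {dn}"] + [f"{k}: {v}" for k, values in attrs.items() for v in values]
    return "\n".join(lines) + "\n"


def sync(changes: List[Entry], last_usn: int) -> Tuple[List[str], List[str], int]:
    """Process only records newer than last_usn. Returns (ldif records, skipped reasons, new watermark)."""
    records, skipped, watermark = [], [], last_usn
    for e in sorted(changes, key=lambda e: int(e["uSNChanged"])):
        usn = int(e["uSNChanged"])
        if usn <= last_usn:
            continue
        try:
            dn, attrs = transform(e)
            records.append(to_ldif(dn, attrs))
        except ValueError as err:
            skipped.append(str(err))
        # Advance past skipped entries too, so an unmappable record is not retried forever.
        watermark = max(watermark, usn)
    return records, skipped, watermark


if __name__ == "__main__":
    records, skipped, watermark = sync(SOURCE_CHANGES, last_usn=1000)
    print("".join(records))
    print("skipped:", skipped, "watermark:", watermark)
```

Skipped entries are reported rather than silently dropped, and the watermark still advances past them; a profile that stalls on the first unmappable record would otherwise stop synchronizing everything behind it.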
Oracle Virtual Directory (OVD) Working Principle (diagram)
Oracle Unified Directory (OUD) Introduction
- Extreme scale: scales to tens of billions; optimized for cloud, mobile and social
- Next generation: convergence of directories
- Integrated and interoperable: integrated with ODSM for configuration and with Enterprise Manager; interoperable with all certified ODSEE ISV software; integrated with ODS+
Oracle Unified Directory Components and HA Options (diagram)