2 Introduction to Oracle Access Manager

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

Objectives

After completing this lesson, you should be able to:
• Explain the salient features of Oracle Access Manager
• Explain the key products that comprise the Oracle Access Management Suite
• Explain the functional areas for each of the Oracle Access Management products
• Explain Oracle Access Manager overall architecture
• Explain Oracle Access Manager run-time architecture
• Explain the Oracle Access Manager request flow diagram
• Identify key Oracle Access Manager 11g new features
• Map Oracle Access Manager 10g and 11g terminologies

Oracle Identity Management (Oracle + Sun Combination)

• Identity Administration: Identity Manager
• Access Management*: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server
• Directory Services: Directory Server EE, Internet Directory, Virtual Directory
• Identity & Access Governance: Identity Analytics
• Oracle Platform Security Services
• Operational Manageability: Management Pack for Identity Management

*Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet.

Oracle Access Management Suite Plus

• Access Manager
  – Web Access Control/Authentication
  – Single Sign-On
• Adaptive Access Manager
  – Risk-based authentication
  – Real-time fraud prevention
• Entitlements Server
  – Entitlements management
  – Fine-grained authorization
• Identity Federation
  – Partner SSO & Identity Federation
  – Fedlet SP integration
• OpenSSO STS
  – Security Token Management
  – Identity Propagation
  – Assert Identity

Salient Features of OAM

Oracle Access Manager provides:
• Authentication service for Web-based applications
• Single sign-on access for applications
• Identity assertion service
• Session management
• Coarse-level authorization protection

OAM 11g Architecture

• Simplified deployment architecture
• Built-in backward compatibility
• Ease of administration and configuration

Enterprise Deployment Architecture

(Diagram slide; no text content.)

SSO Login Processing with OAM Agents

(Diagram slide; no text content.)

Installation and Configuration

• Installation process:
  – OAM 11g is installed by using Oracle Universal Installer (OUI)
  – The installation process copies all the software bits to the host machine
  – OUI does not perform product configuration
• The configuration process requires the following two steps:
  – Database schema configuration by using the Repository Creation Utility (RCU)
  – Product configuration and deployment by using the WebLogic Configuration Wizard

Installation and Configuration (continued)

• Database schema configuration:
  – RCU lets customers choose the product for which they want to create a database schema, and creates the schema after the database details are provided
• Product configuration and deployment:
  – OAM 11g is a J2EE application that deploys into a container
  – Deployment and configuration are handled by the WebLogic Configuration Wizard
  – The Configuration Wizard uses configuration templates provided by each product to configure the product
  – It deploys the product into a new or existing WLS domain

Rich ADF-Based UI

• Policy administration and system configuration
• Operational metrics shown in the same UI
• Tabbed navigation model

Connection Simulator: Access Tester 11g

• Customers need a tool to test access to resources
  – OAM 10g had a server-side Access Tester
  – OAM 11g provides a tool that can be run anywhere
• The new Access Tester simulates an actual WebGate
  – It simulates resource requests to ensure that policy evaluates correctly
  – It also uncovers network issues that might impact WebGates or mod_osso agents, because it can be run anywhere, including on the Web server host

Access Tester 11g

(Screenshot slide; no text content.)

Key Enhancements in OAM 11g

• OAM 11g runs on top of WLS 10.3.3 (11g PS 2)
• It provides simplified installation and configuration
• It has an upgrade utility for existing OracleAS 10g OSSO deployments
  – Backward compatibility and support for mixed-release agents
  – Coexistence and authentication by OAM 11g or OracleAS 10g SSO servers
• It has a default embedded LDAP as an identity store (user and group)
• It provides Windows native authentication (WNA) support for both mod_osso- and WebGate-protected applications
• It is integrated with Oracle Entitlement Server MicroSM to enable database storage of authorization policies

Key Enhancements in OAM 11g (continued)

• A per-agent shared secret key increases security and performance by moving cookie encryption and decryption to the agent
• The Access Tester 11g replaces the Access Tester 10g
• Session management:
  – WebGate maximum user session timeout is now supported by a WebGate through the host cookie
  – WebGate idle session timeout is now supported by using in-memory state through the Oracle Coherence-based session management engine
• Support for the Common Audit Framework
• Certificate importer for simple or certificate-based communication with WebGates

Oracle Access Manager 11g Comparison with Oracle Access Manager 10g

Feature | OAM 10g | OAM 11g
Development language | C++ | Java EE
Deployment | Stand-alone server | Deployed in container
Authentication to LDAP | LDAP defined system-wide | LDAP defined in authentication scheme
Available agents | WebGates | mod_osso and WebGates
Session management | Stateless sessions in a cookie | Stateful sessions at a centralized server
Application integration | OAM configuration tool | UI or command-line remote registration tool
Identity administration | OAM Identity Server | Identity agnostic (OIM 11g by default)
Policy model | Open (default allow) | Closed (default deny)
 | Delegated administration | No delegated administration
 | Audit rules within the policy domain | Use Common Audit Framework
 | Hierarchical policies: ordering important | Independent policies (no inheritance model): ordering irrelevant

Oracle Access Manager 11g Comparison with Oracle Access Manager 10g (continued)

Feature | OAM 10g | OAM 11g
Policy store | LDAP | OES MicroSM (RDBMS)
Configuration store | LDAP | File based (XML)
Secret key | One global shared secret key per OAM | One per-agent secret key shared between WebGate and OAM server
Responses (AuthN & AuthZ) | Success, Failure, Inconclusive | Success, Failure
 | Header, Cookie | Header, Cookie, Session
Policies (AuthZ) | AuthZ expressions | No AuthZ expressions
Policies (AuthN) | Time-based, IP-based and user-based conditions | AuthN scheme-based rule: no conditions specified
Resources | Resource prefixes | No resource prefixes
Cookies | Domain-based ObSSOCookie | Host-based OAMAuthnCookie
Authentication to LDAP | LDAP defined system-wide | LDAP defined in authentication scheme
Credential collection | Collects credentials at the WebGate | Collects credentials at the run-time server

Oracle Access Manager 11g Policy Object Comparison

OAM 10g | OAM 11g
Policy Domain | Application Domain
Resource Types | Resource Types (same)
Host Identifiers | Host Identifiers (same)
Authentication Schemes | Authentication Schemes (same)
Authentication Plug-ins | Authentication Modules
Resources | Resources (same)
Authentication Rule | Authentication Policy
Authorization Rule | Constraint
Authorization Expression | Authorization Policy
Actions | Responses
Directory Profiles | Identity Stores
Policy Store | Policy Provider

Product Component Mapping

OAM 10g | OAM 11g
Access server | OAM server
Identity server | N/A
WebPass | N/A
Access system console, Policy Manager | OAM administration console
Identity system console | N/A

Summary

In this lesson, you should have learned how to:
• Explain the salient features of Oracle Access Manager
• Explain the key products that comprise the Oracle Access Management Suite
• Explain the functional areas for each of the Oracle Access Management products
• Explain Oracle Access Manager overall architecture
• Explain Oracle Access Manager run-time architecture
• Explain the Oracle Access Manager request flow diagram
• Identify key Oracle Access Manager 11g new features
• Map Oracle Access Manager 10g and 11g terminologies

Quiz

OAM 11g is a pure J2EE application running on top of Oracle WebLogic Server.
a. True
b. False

Quiz

The policy and configuration store for OAM 11g is the database.
a. True
b. False

Quiz

Cookie-replay attacks are now harder to implement due to:
a. A stronger SSL encryption algorithm
b. Default SSL certificate-based communication between agents and the server
c. A shared secret key per WebGate
d. All of the above

Quiz

Session management in OAM 11g is handled by:
a. Oracle WebLogic Server JVM
b. Oracle Coherence
c. Oracle GoldenGate
d. Flash Memory

Practice Overview: Viewing New Features Viewlet

This practice covers the following topics:
• mod_osso agent registration with the OAM 11g server
• WebGate 11g registration with the OAM 11g server
• AuthZ constraints example: identity constraint
• AuthN schemes: step-up AuthN
• Session management: search and terminate sessions
• Agent and server monitoring
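The policy-model row of the 10g/11g comparison table above (open, default-allow, hierarchical policies where configuration order matters, versus closed, default-deny, independent policies where order is irrelevant) is easier to see in a small model. The following is an added, simplified Python illustration, not Oracle code: the resource patterns, group names and the "longest matching pattern wins" rule used to stand in for most-specific matching are assumptions of the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Policy:
    pattern: str               # resource URL pattern (sample values constructed below)
    allowed_groups: frozenset  # groups granted access to resources matching the pattern


def evaluate_open_ordered(policies, resource, groups):
    """10g-style model (assumed simplification): the first policy in configured
    order whose pattern matches decides; an uncovered resource is allowed."""
    for p in policies:
        if fnmatchcase(resource, p.pattern):
            return bool(set(groups) & p.allowed_groups)
    return True  # default allow


def evaluate_closed_independent(policies, resource, groups):
    """11g-style model (assumed simplification): the most specific matching
    pattern decides, taken here as the longest matching pattern, so configured
    order cannot change the outcome; an uncovered resource is denied."""
    matches = [p for p in policies if fnmatchcase(resource, p.pattern)]
    if not matches:
        return False  # default deny
    best = max(matches, key=lambda p: len(p.pattern))
    return bool(set(groups) & best.allowed_groups)


# Constructed sample policies: a broad rule for the whole application and a
# narrower rule restricting its admin area to the admins group.
BROAD = Policy("/app/*", frozenset({"employees", "admins"}))
NARROW = Policy("/app/admin/*", frozenset({"admins"}))


def demo():
    """Evaluate an ordinary employee against both models, with the same two
    policies configured in each order, plus a resource no policy covers."""
    employee = {"employees"}
    admin_page, uncovered = "/app/admin/users", "/legacy/report"
    results = {}
    for name, order in (("broad-first", [BROAD, NARROW]), ("narrow-first", [NARROW, BROAD])):
        results[name] = {
            "open": evaluate_open_ordered(order, admin_page, employee),
            "closed": evaluate_closed_independent(order, admin_page, employee),
        }
    results["uncovered"] = {
        "open": evaluate_open_ordered([BROAD, NARROW], uncovered, employee),
        "closed": evaluate_closed_independent([BROAD, NARROW], uncovered, employee),
    }
    return results
```

With the broad rule listed first, the open ordered model grants an employee the admin page and also allows the uncovered legacy resource; the closed independent model denies both regardless of order, which is the misconfiguration class that default deny and order-independent matching remove.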