Oracle Access Manager 11g Overview
Dmitry Nefedkin
Oracle ISV Migration Center FMW Consultant
ISV Migration Center Team
• Who we are: The ISV Migration Center Team is a team of senior technical consultants based in Eastern and Central Europe and represents Oracle's technical investment for partners.
• Mission statement: Enable partners to rapidly and successfully adopt and implement Oracle's latest technology.
• What we offer: Whether you are selling Oracle technology, building business solutions (including hosted Internet solutions) or providing system integration and implementation services for Oracle technology, the IMC Team can help you succeed.
• How we can assist: We offer a wide range of free services for partners, such as one-to-one assistance, webinars, seminars and hands-on workshops.
ISV Migration Center blog: http://blogs.oracle.com/imc
Contacts:
Ruxandra Radulescu, ISV Migration Center Manager, EE&CIS
Agenda
• Oracle Identity Management - The Big Picture
• Oracle Access Manager 11g architecture
• OAM 11g Installation & Deployment
• Session Management
• Authentication Engine
• Managing Authorization Policies
• OAM 11g Patchset 1 new features overview
• Getting more information
Oracle Identity Management Capabilities: Complete, Innovative and Integrated
• Identity Administration: Password Management; Self-Service Request & Approval; Role-based User Provisioning; Analytics, Policy Monitoring; Risk-based Access Certification
• Access Management: Single Sign-On & Federation; Web Services Security; Authentication & Fraud Prevention; Authorization & Entitlements; Access from Mobile Devices
• Directory Services: LDAP Storage; Virtualized Identity Access; LDAP Synchronization; Next Generation (Java) Directory
• Platform Security Services: Identity Services for Developers
Oracle Identity Management (product map)
• Access Management: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server
• Identity Administration: Identity Manager
• Directory Services: Directory Server EE, Internet Directory, Virtual Directory, Universal Directory
• Identity & Access Governance: Identity Analytics
• Operational Manageability: Management Pack for Identity Management
• Common foundation: Oracle Platform Security Services
Access Manager Suite 11g Architecture - The Big Picture
• Runs on Oracle WebLogic Server on top of Oracle Platform Security Services (AuthN Services, Identity Services, AuthZ Services, Credential Store, Common Audit Framework, KeyStore Services, SSL Configuration)
• Functional services: Authentication & SSO, Identity Federation, Security Token Service, Fraud Prevention, Authorization & Entitlements
• Shared Services for Access (SSA) and Shared Services for Identity (SSI): Token Processing, Session Management, Trust Management, Password Policy, Password Reset, Delegated Admin
• Management: Domain Management, Deployment Management, Post Install Configuration
OAM Architecture
• OAM Server components: Protocol Compatibility Framework, Single Sign-On Engine, Authentication Engine, Authorization Service, Token Processing, Session Management, all built on Oracle Platform Security Services
SSO log-in processing with OAM agents
OAM 11g R1 Deployment Architecture
• Isolated runtime and admin server
• Configuration and policy propagation
• User sessions shared across all runtime servers
• WebLogic Administration Server hosts the WebLogic Admin Console, FMW Control and the OAM 11g Admin Console
• WebLogic Managed Server(s) host the OAM 11g Runtime Server
• Shared information between admin and runtime servers: 1. Policies, 2. Configuration, 3. User Sessions
Installation & Configuration
• Installation process
 – OAM 11g installs using Oracle Universal Installer (OUI)
 – The installation process copies all the software bits to the host machine
 – OUI does not perform product configuration
• Configuration process requires 2 steps
 – Database schema configuration using Repository Creation Utility (RCU)
 – Product configuration and deployment using WebLogic Configuration Wizard
OAM 11g Installation & Configuration
• Database schema configuration:
 – RCU lets you choose the products for which to create database schemas and creates them after you provide the database connection details.
• Product configuration and deployment:
 – OAM 11g is a J2EE application that deploys into a container.
 – Deployment and configuration are handled by the WebLogic Configuration Wizard.
 – The Configuration Wizard uses configuration templates provided by each product to configure the product.
 – It deploys the product into a new or existing WLS domain.
Validating a Successful Installation and Configuration
• Oracle WebLogic Server administration console
 – http://<host>:<AdminServer_Port>/console
 – Go to Deployments and verify that the oam_admin and oam_server applications are in Active state
• Oracle Enterprise Manager Fusion Middleware Control
 – http://<host>:<AdminServer_Port>/em
 – Check to make sure the status of the OAM server is up
• Oracle Access Manager administration console
 – http://<host>:<AdminServer_Port>/oamconsole
 – Make sure you can view the System and Policy Configuration tabs
Validating a Successful Installation and Configuration (screenshots): Oracle WebLogic Server Administration Console, Oracle Access Manager Administration Console, Oracle Enterprise Manager Fusion Middleware Control
Session Management
• Session management:
 – Manages the life cycle requirements of a user session and notification of session events to enable global logout
 – Tracks active user sessions by using a high-performance distributed cache
 – Can limit the number of concurrent sessions a user can have at one time
 – Performs out-of-band session termination (prevents unauthorized access to systems when a user has been terminated)
Session Management (login flow through Oracle Access Manager 11g on Oracle WebLogic Server)
1. End user authenticates (anonymous) via the WebGate
2. Policy Engine asks Session Management to create a session
3. Session Management returns the Session ID
4. Authentication success is reported with the Session ID
5. Authenticated access to the application via the WebGate
6. WebGate validates the session & authorizes against OAM
7. Application access is granted
An admin user can terminate a session out of band through Session Management.
Oracle Coherence in Session Management
• Provides a distributed cache with low data-access latencies
• Transparently moves data between distributed caches (including an optional database store)
• Coherence traffic is encrypted
• Enables failover and reconciliation
Manage Session
Common Session Settings
• Session Lifetime
• Idle Timeout
• Maximum Number of Sessions per User
Operations:
• Delete All User Sessions
• Delete Sessions based on Userid
Synchronizing OAM Server Clocks:
• Ensure all computer clocks are synchronized.
• Ensure Webgate clock is not ahead of the OAM Servers
The 11g policy model was designed to support some key product goals:
• Simplify everything: make it easier for new customers to pick up and use the product
• Secure by default
• Smooth migration path for OSSO and OAM 10g
• Improved diagnostics when things go wrong, whether due to user error or a product issue
Policy Model
Resource Definitions
• Resource definitions exist as a flat collection of objects
• Each resource is defined as a specific resource type
• The URL value of a resource must begin with / and must match a resource value for the chosen host identifier.
• The asterisk (*) matches zero or more characters.
• An ellipsis (...) represents a sequence of zero or more intermediate levels
• Examples
 – /mydirectory/*
 – /mydirectory/projects/myexe.exe
 – /.../*.html
Host Identifiers
• Identifies a computer host
• Administrators can apply security policies to resources based on host identifiers
• Host Identifiers are automatically created during registration (Console or RREG)
• Each resource and host identifier combination must be unique across all application domains
• Host identifier variations: site.com, site.com:80, www.site.com, 216.200.159.58:80, etc., or 3232236564 (decimal addressing)
Authentication
• The authentication engine is driven by authentication schemes.
• Authentication policies determine the applicable authentication scheme.
• Each authentication scheme consists of challenge metadata and a reference to an instance of an authentication module.
• Centralized credential collector
• Supported authentication module types are LDAP, X.509 and Kerberos.
• Authentication or user mapping is performed against a primary identity provider.
Authentication Module
• AuthN modules are plug-ins used in AuthN schemes.
• Three types of AuthN modules are supported:
• LDAP
• Kerberos
• X.509
• You can create several different AuthN modules based on one of the
three AuthN module types to use in AuthN schemes.
Authentication Modules
• LDAP Module
– Validates identity against Primary Id Store [LDAP]
– Credentials required - Username/Password
– Supports only Username verification
(no password required) for Identity Assertion
– Performs backend operation for BASIC & FORM credential
collection mechanism
• Kerberos Module
 – Asserts identity using a SPNEGO token & GSS APIs
 – Credentials required - SPNEGO token
 – Supported with fallback mechanism (BASIC)
Authentication Modules
• X509 Module
– Asserts identity using X.509 client certificates
– Credentials required - Client Certificate
– Verifies certificate using Java Security API
• Anonymous Module
– Creation of subject/session without user identity validation
– Credentials required - NONE
– Anonymous username is configurable
Authentication Schemes
• Resources within an application domain are protected by authN policies
• Each authN policy is defined by one authentication scheme
• Authentication scheme defines:
– Challenge mechanism
• Challenge method: Form, Basic (LDAP), X.509, WNA, None
• Challenge Redirect URL
– Authentication level: 1, 2 etc.
– Authentication module: X.509, LDAP, Kerberos
• Authentication module is the smallest executable unit of an authentication scheme
• Exactly one authentication module must be assigned to an authentication scheme
Challenge Methods
Determining what credentials a user must supply when requesting
access to a resource
• Form – Custom html login page - LDAP Module
• Basic – Default web server challenge using pop-up box for
Username/Password fields – LDAP Module
• WNA – Uses Windows Native Authentication with AD – Kerberos
Module
• X509 – Requests an X.509 certificate from the client browser for two-way SSL – X509 Module
• None
Multi-Level Authentication
• Different resources of the same application can be protected with different authentication levels.
• Registered agents detect the different levels:
 – mod_osso detects the authentication level from dynamic directives.
 – OAM agents receive an Insufficient Level error message from the OAM server (in case of step-up AuthN).
 – Both agent types redirect the user to the OAM server to re-authenticate.
• All the resources protected by mod_osso on a host are protected at the same level.
• For mod_osso, multi-level authentication applies to resources across hosts.
Authorization
• Authorization performed through the embedded OES engine with OAM extensions
 – OAM custom resource matching
 – OAM constraint evaluation (IP and Time)
• Policies are persisted to a database (Oracle DB)
• Support for user/group, IP address and time constraints, e.g.:
 – ALLOW jdoe for RESOURCE(<hostid:uri>)
   • IF ip=x.x.x.x & time=Sunday
   • RESPOND WITH <header(name=val), cookie(name=val)>
 – DENY jsmith for RESOURCE(<hostid:uri>)
   • IF ip=x.x.x.x & time=Sunday
   • RESPOND WITH <header(name=val), cookie(name=val)>
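As an added example (not from this deck and not Oracle's own code), the following Python sketches how the resource patterns from the Resource Definitions slide (`*` and `...`) and the user/IP/time constraints of the authorization rules above could be evaluated together. It assumes `*` does not cross a path separator, that the host identifier is already normalized to one canonical value, and that the policy records and dates are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

def pattern_to_regex(pattern):
    """Translate an OAM-style resource URL pattern into a regex. '*' matches zero or more
    characters (assumed here not to cross '/'); '/.../' matches zero or more levels."""
    if not pattern.startswith("/"):
        raise ValueError("resource URL must begin with /")
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/.../", i):            # ellipsis: any intermediate levels
            out, i = out + "/(?:[^/]+/)*", i + 5
        elif pattern[i] == "*":                        # asterisk: within one level (assumption)
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def constraints_hold(constraints, client_ip, when):
    """IP constraint as an address or CIDR range; time constraint as a weekday name."""
    ip_ok = "ip" not in constraints or ipaddress.ip_address(client_ip) in \
        ipaddress.ip_network(constraints["ip"], strict=False)
    day_ok = "day" not in constraints or when.strftime("%A") == constraints["day"]
    return ip_ok and day_ok

# Constructed policies in the shape the slide sketches: user, hostid:uri, constraints, responses.
POLICIES = [
    {"effect": "DENY", "user": "jsmith", "hostid": "site.com", "uri": "/mydirectory/*",
     "constraints": {"ip": "10.0.0.0/8", "day": "Sunday"},
     "responses": {"header": {"X-Deny-Reason": "sunday-lockout"}}},
    {"effect": "ALLOW", "user": "jdoe", "hostid": "site.com", "uri": "/.../*.html",
     "constraints": {}, "responses": {"header": {"OAM_REMOTE_USER": "jdoe"},
                                      "cookie": {"OAM_APP": "ok"}}},
]
SUNDAY, MONDAY = datetime(2011, 6, 5), datetime(2011, 6, 6)   # constructed test dates

def authorize(policies, user, hostid, uri, client_ip, when):
    """First applicable rule decides; no applicable rule means DENY (secure by default)."""
    for p in policies:
        applicable = (p["user"] == user and p["hostid"] == hostid
                      and pattern_to_regex(p["uri"]).match(uri)
                      and constraints_hold(p["constraints"], client_ip, when))
        if applicable:
            return p["effect"], p["responses"]
    return "DENY", {}

if __name__ == "__main__":
    print(authorize(POLICIES, "jsmith", "site.com", "/mydirectory/x.html", "10.1.2.3", SUNDAY))
```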
Authorization Policies
• OAM 11g provides coarse-level authorization using AuthZ policies
• Each authorization policy is a combination of:
– One or more resources to which the authorization policy applies
– Success and Failure URLs to direct events following an
authorization attempt
– Specific conditions or constraints whose outcome determines
whether access to the requested resource should be granted
– One or more responses performed by the web agent after the
authorization process
Access Tester
• Customers need a tool to test access to resources.
• OAM 10g had a server-side Access Tester.
• OAM 11g provides a tool that can be run anywhere.
• The new Access Tester simulates an actual WebGate.
• It simulates resource requests to ensure that policy evaluates
correctly.
• It also uncovers network issues that might impact WebGates or mod_osso agents because it can be run anywhere, including on
the Web server host.
Access Tester
• GUI mode for manual testing
• Command line mode for automated testing
• Portable, standalone Java application
 – java [-Dxxx="yyy"] -jar oamtest.jar
 – 2 jars: oamtest.jar, nap-api.jar
• Ships with OAM
 – Location: <Oracle Home>/oam/server/tester
OAM 11g PS1 features
• Extensibility Framework
 – Allows customized authentication modules to be plugged into the system
 – Includes SDK tooling for users to create customized modules
 – Allows orchestration of authentication modules into a customized flow for an authentication scheme
• Exclusion List Support and Authorization Caching
 – Provides policy elements to define resources to be excluded from policy evaluation altogether
 – Increases runtime processing performance
OAM 11g PS1 features
• Pure Java ASDK
 – Addition to the OAM 10g C/C++ based ASDK
 – Includes authentication and authorization APIs
 – One platform-independent package
 – API support for the extended protocol-level op codes
 – Will support working against OAM 10g and OAM 11g
 – Does not include policy administration APIs
 – Java ASDK will include some session management calls
• Session Management Engine Enhancement
 – Wildcard in username search
 – Shows impersonation sessions
OAM 11g PS1 features
• Multiple ID Store
• Allows customers to pick which LDAP to authenticate and authorize
against
• Includes backend support for multiple ID Store connectivity
• Impersonation Support
• Allows for impersonation of users for help desk support
• Requires customers to set certain LDAP attributes to control
impersonation behavior
• Requires customers to build front-end application to initiate and
terminate impersonation sessions
OAM 11g PS1 features
• Oracle STS Integration
 – Identity propagation from the web tier to the application tier and also into the web services tier
 – Supports trust brokering between different identity domains using the standard WS-Trust protocol
 – Unified user interface with OSTS
 – OOTB co-installation and deployment of OAM and OSTS
Getting more information
• Oracle Identity Management 11g documentation:
http://download.oracle.com/docs/cd/E21764_01/im.htm
• Oracle Learning Library, IdM tutorials:
http://apex.oracle.com/pls/apex/f?p=44785:2:5321303512854647::NO:RIR::
• Oracle Access Management blog:
http://oracleaccessmanagement.blogspot.com
• OAM Academy from the Fusion Middleware Security blog:
http://fusionsecurity.blogspot.com/2011/03/oracle-access-manager-academy-from.html
• ISV Migration Center can deliver a free workshop on Oracle Access Manager 11g. Please contact [email protected] if you want to participate.
Questions
©2011 Oracle Corporation