Oracle Single Sign-On to Oracle Access Manager Migration
Rob Otto – Oracle Consulting Services UK
PowerPoint presentation transcript; uploaded 30-Dec-2015

Page 1: Title

Oracle Single Sign-On to Oracle Access Manager Migration
Rob Otto – Oracle Consulting Services UK

Page 2: Product direction disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.

Page 3: Agenda

• Access Management introduction
• Oracle Access Manager 11gR2 Overview
• Oracle SSO v OAM 11gR2
• OAM 11gR2 – Migration and Coexistence with OSSO
• Q&A

Page 4: Access Management Introduction (section divider)

Page 5: Identity Management Portfolio – 11gR2: Modern, Innovative & Integrated

Governance
• Password Reset
• Privileged Accounts
• Access Request
• Roles Based Provisioning
• Role Mining
• Attestation
• Separation of Duties

Access
• Web Single Sign-on
• Federation
• Mobile, Social & Cloud
• External Authorization
• SOA Security
• Integrated ESSO
• Token Services
• Fraud Detection

Directory
• LDAP Storage
• Virtual Directory
• Meta Directory

Platform Security Services (common layer under all three)

Page 6: Taking a Platform Approach – Building on Components of Fusion Middleware

Diagram (labels recovered from the figure):
• Fusion Middleware components: WebCenter, ADF, Workflow, SOA, Coherence, CAF
• Platform qualities shown alongside them: User Interface, Customization, Performance

Page 7: Oracle Access Management

• Comprehensive security for applications, data, and web services
• End-to-end authentication, single sign-on, and fine grained application protection
• Innovative anomaly detection, transaction security, and multi-factor authentication
• Extensive 3rd party integrations

Page 8: Oracle Access Management Suite Plus

Access Manager
• Web Access Control
• Single Sign-On

Entitlements Server
• Entitlements Management
• Fine Grained Authorization

Adaptive Access Manager
• Risk-based Authentication
• Real-time Fraud Prevention

Identity Federation
• Partner SSO & Identity Federation
• Fedlet SP integration

Secure Token Services
• Security Token Management
• Identity Propagation

Page 9: Oracle Access Management – Blueprint Architecture (diagram only)

Page 10: Oracle Access Manager 11gR2 Overview (section divider)

Page 11: Oracle Access Manager 11g – Objectives

• Provide foundation for Access Management Suite
• Converge OAM, OSSO, and OpenSSO
• Provide new and advanced functionality to customers
• Tighten integrations

Page 12: Oracle Access Manager 11g – Key Features and Benefits

Key Feature: Benefit
• Modular Architecture: separated admin and runtime server to enable independent operations
• Secure Policy Model: access is denied by default until policies are created to allow access
• Simplified Install & Config: one package to install and one series of steps to configure a simple working environment
• Session Management: allows admin tracking and termination of user sessions
• Diagnostics & Monitoring: allows administrators to monitor key operational metrics in real time
• Central Agent Management: administration console provides a holistic view of all agents and shows the server they are connected to
• Backwards Compatibility: compatible with 10g WebGates and 10g mod_osso
• Windows Native AuthN: enables Windows desktop to web single sign-on
• Improved Utilities: remote registration utility, remote access tester, and WLST commands for policy operations

Page 13: Oracle Access Manager 11g – Architecture – Runtime Server

Diagram of the runtime server (component labels recovered from the figure):

• Protocol Compatibility Framework
• OAM Server
  • Credential Collector
  • Session Management
  • SSO Engine
  • AuthN Service
  • AuthZ Service
  • Identity Provider
  • Token Processing
  • Partner & Trust
  • Configuration Service
  • Policy Service
• Coherence Distributed Cache
• Oracle Platform Security Services

Page 14: Oracle Access Manager 11g – Administration Console

• Integrated Security Administration, Agent Administration

Page 15: Access Manager 11gR2 – Deployment Overview (diagram only)

Page 16: Access Manager 11gR2 – Deployment Detail

Diagram (tiered network layout; host and component labels recovered from the figure):

• External Client → Internet → Firewall (Web Tier)
• Web Tier: Load Balancer → Web Hosts (OHS with WebGate); the area behind it is labelled "Protected"
• Firewall (App Tier)
• App Tier:
  • IDM Hosts: Admin Server (Admin Console, EM, ODSM), WLS_ODSM
  • IAM Hosts: Admin Server (Admin Console), WLS_OAM (OAM)
  • App Hosts: WLS with AccessGate
• Firewall (Data Tier)
• Data Tier: DB Hosts (RAC) holding the Metadata DB (OAM, OID schemas); LDAP Hosts (OVD, OID)

Page 17: Access Manager 11gR2 – Installation and Configuration

• Installation process
  • OAM 11g installs using Oracle Universal Installer (OUI)
  • The installation process copies all the software bits to the host machine
  • OUI does not perform product configuration
• Configuration process requires 2 steps
  • Database schema configuration using Repository Creation Utility (RCU)
  • Product configuration and deployment using WebLogic Configuration Wizard
• Oracle Support Note 340.1 provides a good starting point

Page 18: Oracle Access Manager 11g – Windows Native Authentication

• SPNEGO based credential validation for true Windows desktop to web single sign-on
• Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
• Does not need IIS based solution for WebGate
• WebGates and Oracle SSO protected applications need not run on Windows platform
• Can be enabled for a subset of protected applications
• Internal vs External websites

Page 19: Oracle Access Manager 11g – Windows Native Authentication – Setup

• Basic steps are as follows:
  • Edit /etc/krb5.conf file
  • Create Service Principal Name
  • Obtain Kerberos Ticket
  • Set up OAM Kerberos AuthN Module
  • Configure Kerberos AuthN Scheme for WNA
  • Register AD as OAM User Store
  • Verify OAM configuration (oam-config.xml)
  • Enable Kerberos in Web Browser
  • Test
• See OAM Admin Guide, Chapter 7
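The last two steps (enable Kerberos in the browser, then test) are where WNA setups usually fail, and the symptom is a browser that sends something other than a Kerberos ticket under the Negotiate scheme: a raw NTLM message, or an SPNEGO token whose preferred mechanism is NTLMSSP. A Kerberos AuthN module can validate neither, so the first thing to check is what the Authorization header actually carries. The Python below is an added example for this page, not from the deck and not OAM code: it decodes the GSS-API/SPNEGO DER framing (RFC 2743, RFC 4178) far enough to report the preferred mechanism. The sample headers are constructed inline; the Kerberos one carries a placeholder mechToken, not a real AP-REQ.

```python
"""Classify what a browser sent in an Authorization: Negotiate header.

Added example: minimal DER decoding of the GSS-API InitialContextToken
and the SPNEGO NegTokenInit mechTypes list. Sample tokens are constructed.
"""
import base64
import struct

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# ---- just enough DER: tag-length-value, OIDs, SEQUENCE, context tags -----

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def build_spnego_init(mech_oids, mech_token=b""):
    """Constructed NegTokenInit inside a GSS-API [APPLICATION 0] token."""
    fields = _tlv(0xA0, _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    if mech_token:
        fields += _tlv(0xA2, _tlv(0x04, mech_token))   # [2] optimistic mechToken
    return _tlv(0x60, _encode_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, fields)))

def classify_negotiate(header_value):
    """Return (kind, preferred mechanism, all offered mechanisms)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ("not-negotiate", None, [])
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):          # bare NTLM, no GSS framing at all
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return ("raw-ntlm", f"NTLMSSP type {msg_type}", [])
    if not token or token[0] != 0x60:
        return ("unknown", None, [])
    _, inner, _ = _read_tlv(token)
    _, oid_body, pos = _read_tlv(inner)            # thisMech OID
    mech = _decode_oid(oid_body)
    if mech != SPNEGO_OID:                         # single-mech GSS token
        name = MECH_NAMES.get(mech, mech)
        return ("raw-kerberos" if mech in KRB5_OIDS else "raw-gss", name, [name])
    _, neg_init, _ = _read_tlv(inner, pos)         # [0] negTokenInit
    _, seq, _ = _read_tlv(neg_init)                # SEQUENCE
    tag, mech_list, _ = _read_tlv(seq)             # [0] mechTypes
    if tag != 0xA0:
        return ("unknown", None, [])
    _, oids, _ = _read_tlv(mech_list)              # SEQUENCE OF OID
    names, p = [], 0
    while p < len(oids):
        _, body, p = _read_tlv(oids, p)
        o = _decode_oid(body)
        names.append(MECH_NAMES.get(o, o))
    preferred = names[0] if names else None        # first mechType is the one the mechToken belongs to
    kerberos_names = {MECH_NAMES[o] for o in KRB5_OIDS}
    kind = "spnego-kerberos" if preferred in kerberos_names else "spnego-ntlm-fallback"
    return (kind, preferred, names)

# Constructed sample headers (not captured traffic): healthy Kerberos-first
# SPNEGO, NTLM-only SPNEGO fallback, and a bare NTLM type-1 message.
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(build_spnego_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
    mech_token=b"\x60\x00")).decode()              # placeholder, not a real AP-REQ
SAMPLE_NTLM_FALLBACK = "Negotiate " + base64.b64encode(build_spnego_init(
    ["1.3.6.1.4.1.311.2.2.10"], mech_token=b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 20).decode()

if __name__ == "__main__":
    for h in (SAMPLE_KERBEROS, SAMPLE_NTLM_FALLBACK, SAMPLE_RAW_NTLM):
        print(classify_negotiate(h))
```

Anything other than spnego-kerberos or raw-kerberos means the problem is on the client side (no TGT, the OAM host not trusted for integrated authentication in the browser, an SPN that does not match the URL the browser used) and no amount of server-side configuration will fix it.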

Page 20: Oracle SSO v OAM 11gR2 (section divider)

Page 21: Oracle Access Manager – Sample Oracle SSO Architecture

Diagram (component and flow labels recovered from the figure):

• End User → Oracle HTTP Server (MOD_OSSO agent) → Deployed Application on OC4J Application Server
• Oracle Single Sign-On Server: User Authentication; Authentication Decisions
• Oracle Internet Directory: User Data; LDAP Authentication (performed by the SSO Server)
• Directory Integration Platform or Oracle Identity Manager: User Synchronization between the Enterprise User Stores, the Local User Store and OID

Page 22: Oracle Access Manager – Key differences v OSSO

OAM 11gR2                                                        | OSSO
-----------------------------------------------------------------|-------------------------------------------
SSO, policy-based AuthN & AuthZ                                  | SSO and simple AuthN only
WebLogic Server-based                                            | OC4J-based
3rd-party LDAP server support                                    | Dependence on OID
Support for OSSO, OAM 10g, OAM 11g and OpenSSO agents via PCL    | Support for only OSSO agents (mod_osso)
Server-based session management                                  | Sessions via client cookies only
Cross-domain SSO is native                                       | Single network domain only
Native password policy (R2+)                                     | OIDDAS for password policy
Integration with OIM (optional) for user self-service            | OIDDAS for user self-service
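The session-management row is the security-relevant difference in this table. A session that exists only as a client cookie cannot be terminated by an administrator before the cookie itself expires: the server holds nothing to revoke. A server-held session can be listed and killed, which is what the "Session Management" feature on page 12 refers to. The Python below is an added illustration, not OSSO or OAM code: the signed-cookie format, the opaque session id, the in-memory store and the signing key are stand-ins chosen for the example.

```python
"""Cookie-only sessions vs server-held sessions: the revocation gap.

Added illustration; the formats and the store are simplified stand-ins,
not the real OSSO or OAM cookie layouts.
"""
import hashlib
import hmac
import json
import secrets

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: the SSO server's HMAC key


# --- Model A: session carried entirely in a signed client cookie ----------
# Nothing is stored server-side, so nothing can be revoked: validity is
# decided only by the signature and the embedded expiry.

def issue_cookie(user, ttl, now):
    payload = json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":"))
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def validate_cookie(cookie, now):
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                      # tampered or forged
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] > now else None


# --- Model B: opaque cookie referencing a server-held session -------------
# The cookie is only a handle; the server decides, and can change its mind.

class SessionStore:
    def __init__(self):
        self._sessions = {}              # sid -> {"sub": user, "exp": epoch seconds}

    def create(self, user, ttl, now):
        sid = secrets.token_urlsafe(32)  # unguessable handle; carries no claims
        self._sessions[sid] = {"sub": user, "exp": now + ttl}
        return sid

    def validate(self, sid, now):
        s = self._sessions.get(sid)
        if s is None or s["exp"] <= now:
            self._sessions.pop(sid, None)
            return None
        return s["sub"]

    def list_sessions(self):
        """Admin tracking: who is logged in right now."""
        return {sid: dict(s) for sid, s in self._sessions.items()}

    def terminate(self, user):
        """Admin termination: drop every session of one user; returns how many."""
        doomed = [sid for sid, s in self._sessions.items() if s["sub"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def revocation_gap(now=1_700_000_000, ttl=3600):
    """Issue both kinds of session for alice, terminate her, re-check both."""
    cookie = issue_cookie("alice", ttl, now)
    store = SessionStore()
    sid = store.create("alice", ttl, now)
    before = (validate_cookie(cookie, now), store.validate(sid, now))
    killed = store.terminate("alice")     # leaver, lost laptop, incident response...
    # One minute later: the signed cookie is still accepted, the stored session is gone.
    after = (validate_cookie(cookie, now + 60), store.validate(sid, now + 60))
    return before, killed, after


if __name__ == "__main__":
    print(revocation_gap())   # (('alice', 'alice'), 1, ('alice', None))
```

The only levers a cookie-only design has are a short expiry and a key rotation that logs everyone out, which is why the OSSO-to-OAM migration moves session state to the server even though both products present the same SSO cookie to the browser.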

Page 23: OAM 11gR2 – Migration and Coexistence with OSSO (section divider)

Page 24: Oracle Access Manager 11g – OSSO 10g Upgrade

• Facilitated through AS Upgrade Assistant
• Process:
  • Install OAM 11g
  • Run Upgrade Assistant pointing to Oracle AS Single Sign-On 10.1.4.3
• Two modes:
  • Retain Ports: no changes required on partner sites
  • Change Ports: partner sites need a new osso.conf, which is generated by the Upgrade Assistant
• See Support Migration Advisor (note 343.1) and upgrade viewlet (note 1230123.1)

Page 25: Co-existence: OAM11g & SSO 10g

• Supports OracleAS SSO 10g Release (10.1.2.0.2) through OracleAS SSO 10g Release (10.1.4.3.0)
• Co-existence requires the same back-end user identity store: Oracle Internet Directory (OID)

Page 26: Co-existence: OAM11g & SSO 10g

Without Proxy

• mod_osso redirects requests to the 11g OAM Server for authentication through a proxy.
• mod_wl replaces mod_oc4j. mod_wl enables SSO to work without any changes on the OHS.

Page 27: Co-existence: SSO between Partner Applications

Diagram: App1 upgraded to OAM11g; user accessing App1.

• OAM sets the SSO cookie and updates session information accordingly.
• The cookie includes a flag indicating that an OSSO cookie must also exist for this cookie to be valid.

Page 28: Q&A
