Oracle Single Sign-On to Oracle Access Manager Migration
Rob Otto – Oracle Consulting Services UK
(PowerPoint presentation transcript)
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.
Agenda
• Access Management introduction
• Oracle Access Manager 11gR2 Overview
• Oracle SSO v OAM 11gR2
• OAM 11gR2 – Migration and Coexistence with OSSO
• Q&A
Access Management Introduction
Identity Management Portfolio – 11gR2: Modern, Innovative & Integrated
Governance: Password Reset; Privileged Accounts; Access Request; Roles Based Provisioning; Role Mining; Attestation; Separation of Duties
Access: Web Single Sign-on; Federation; Mobile, Social & Cloud; External Authorization; SOA Security; Integrated ESSO; Token Services; Fraud Detection
Directory: LDAP Storage; Virtual Directory; Meta Directory
Platform Security Services
Taking a Platform Approach – Building on Components of Fusion Middleware
(Diagram: Fusion Middleware components WebCenter, ADF, Workflow, SOA, Coherence and CAF, providing User Interface, Customization and Performance)
Oracle Access Management
• Comprehensive security for applications, data, and web services
• End-to-end authentication, single sign-on, and fine grained application protection
• Innovative anomaly detection, transaction security, and multi-factor authentication
• Extensive 3rd party integrations
Oracle Access Management Suite Plus
Access Manager
• Web Access Control
• Single Sign-On
Entitlements Server
• Entitlements Management
• Fine Grained Authorization
Adaptive Access Manager
• Risk-based Authentication
• Real-time Fraud Prevention
Identity Federation
• Partner SSO & Identity Federation
• Fedlet SP integration
Secure Token Services
• Security Token Management
• Identity Propagation
Oracle Access Management – Blueprint Architecture
(Architecture diagram only)
Oracle Access Manager 11gR2 Overview
Oracle Access Manager 11g – Objectives
• Provide foundation for Access Management Suite
• Converge OAM, OSSO, and OpenSSO
• Provide new and advanced functionality to customers
• Tighten integrations
Oracle Access Manager 11g – Key Features and Benefits
• Modular Architecture: separated admin and runtime server to enable independent operations
• Secure Policy Model: access is denied by default until policies are created to allow access
• Simplified Install & Config: one package to install and one series of steps to configure a simple working environment
• Session Management: allows admin tracking and termination of user sessions
• Diagnostics & Monitoring: allows administrators to monitor key operational metrics in real time
• Central Agent Management: administration console provides a holistic view of all agents and shows the server they are connected to
• Backwards Compatibility: compatible with 10g WebGates and 10g mod_osso
• Windows Native AuthN: enables Windows desktop to web single sign-on
• Improved Utilities: remote registration utility, remote access tester, and WLST commands for policy operations
Oracle Access Manager 11g – Architecture – Runtime Server
(Diagram) OAM Server components: Protocol Compatibility Framework; Credential Collector; Session Management; SSO Engine; AuthN Service; AuthZ Service; Identity Provider; Token Processing; Partner & Trust; Configuration Service; Policy Service. Supporting layers: Coherence Distributed Cache and Oracle Platform Security Services.
Oracle Access Manager 11g – Administration Console
• Integrated Security Administration, Agent Administration
Access Manager 11gR2 – Deployment Overview
Access Manager 11gR2 – Deployment Detail
(Deployment diagram, by tier)
• External Client and Internet, in front of the Web Tier firewall
• Web Tier: Load Balancer; Web Hosts running OHS with WebGate
• App Tier (behind the App Tier firewall): IDM Hosts (Admin Server, Admin Console, EM, ODSM on WLS_ODSM); IAM Hosts (WLS_OAM running OAM, Admin Server, Admin Console); App Hosts (WLS with AccessGate)
• Data Tier (behind the Data Tier firewall): DB Hosts (RAC) holding the Metadata DB (OAM, OID, Schema); LDAP Hosts running OVD and OID
Access Manager 11gR2 – Installation and Configuration
• Installation process
  • OAM 11g installs using Oracle Universal Installer (OUI)
  • The installation process copies all the software bits to the host machine
  • OUI does not perform product configuration
• Configuration process requires 2 steps
  • Database schema configuration using Repository Creation Utility (RCU)
  • Product configuration and deployment using WebLogic Configuration Wizard
• Oracle Support Note 340.1 provides a good starting point
Oracle Access Manager 11g – Windows Native Authentication
• SPNEGO based credential validation for true Windows desktop to web single sign-on
• Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
• Does not need IIS based solution for WebGate
• WebGates and Oracle SSO protected applications need not run on Windows platform
• Can be enabled for a subset of protected applications
• Internal vs External websites
Oracle Access Manager 11g – Windows Native Authentication – Setup
• Basic steps are as follows:
  • Edit /etc/krb5.conf file
  • Create Service Principal Name
  • Obtain Kerberos Ticket
  • Set up OAM Kerberos AuthN Module
  • Configure Kerberos AuthN Scheme for WNA
  • Register AD as OAM User Store
  • Verify OAM configuration (oam-config.xml)
  • Enable Kerberos in Web Browser
  • Test
• See OAM Admin Guide, Chapter 7 (link here)
Oracle SSO v OAM 11gR2
Sample Oracle SSO Architecture
(Diagram) The End User authenticates to the Oracle Single Sign-On Server, which makes authentication decisions via LDAP authentication against Oracle Internet Directory (user data, local user store). User synchronization from the Enterprise User Store is handled by Directory Integration Platform or Oracle Identity Manager. Oracle HTTP Server, with the MOD_OSSO agent, fronts the Deployed Application on the OC4J Application Server.
Oracle Access Manager – Key differences v OSSO
OAM 11gR2 | OSSO
SSO, policy-based AuthN & AuthZ | SSO and simple AuthN only
WebLogic Server-based | OC4J-based
3rd-party LDAP server support | Dependence on OID
Support for OSSO, OAM 10g, OAM 11g and OpenSSO agents via PCL | Support for only OSSO agents (mod_osso)
Server-based session management | Sessions via client cookies only
Cross-domain SSO is native | Single network domain only
Native password policy (R2+) | OIDDAS for password policy
Integration with OIM (optional) for User Self-Service | OIDDAS for user self-service
OAM 11gR2 – Migration and Coexistence with OSSO
Oracle Access Manager 11g – OSSO 10g Upgrade
• Facilitated through AS Upgrade Assistant
• Process:
  • Install OAM 11g
  • Run Upgrade Assistant pointing to Oracle AS Single Sign-On 10.1.4.3
  • Two modes:
    • Retain Ports: no changes required on partner sites
    • Change Ports: partner sites need a new osso.conf, which is generated by the Upgrade Assistant
• See Support Migration Advisor (note 343.1) and upgrade viewlet (note 1230123.1)
Co-existence: OAM11g & SSO 10g
Supports OracleAS SSO 10g Release (10.1.2.0.2) through OracleAS SSO 10g Release (10.1.4.3.0)
Co-existence requires same back-end user identity store: Oracle Internet Directory (OID)
Co-existence: OAM11g & SSO 10g
Without Proxy
• mod_osso redirects requests to the 11g OAM Server for authentication through a proxy.
• mod_wl replaces mod_oc4j. mod_wl enables SSO to work without any changes on the OHS
Co-existence: SSO between Partner Applications
App1 upgraded to OAM11g
User accessing App1
OAM sets the SSO cookie and updates session information accordingly.
The cookie includes a flag indicating that an OSSO cookie must also exist for this cookie to be valid.
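A simplified model of that coexistence rule, added here as an illustration and not Oracle's code: the cookie names, the flag encoding and the in-memory session store are assumptions. It shows the server-side OAM session being the authoritative copy of the flag, so a flagged session without its OSSO cookie, or a cookie whose flag has been altered, is not honoured.

```python
"""Constructed model of the OAM 11g / OSSO 10g coexistence check: the OAM
cookie carries a flag saying an OSSO cookie must also be present for it to
be valid. Cookie names, flag encoding and session store are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import time

OAM_COOKIE = "OAM_ID"   # assumed name of the OAM SSO cookie
OSSO_COOKIE = "SSO_ID"  # assumed name of the OSSO 10g cookie


@dataclass
class OamSession:
    user: str
    expires_at: float
    requires_osso: bool   # coexistence flag, authoritative server copy


# OAM keeps sessions server-side (OSSO relied on client cookies alone),
# so the server copy of the flag is what the check trusts.
SESSIONS: Dict[str, OamSession] = {}


def issue_oam_session(sid: str, user: str, ttl: float, requires_osso: bool,
                      now: Optional[float] = None) -> Dict[str, str]:
    """Create the server-side session and return the cookie to set."""
    now = time.time() if now is None else now
    SESSIONS[sid] = OamSession(user, now + ttl, requires_osso)
    return {OAM_COOKIE: f"{sid};osso_required={int(requires_osso)}"}


def validate(cookies: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the request carries a valid coexistence SSO state."""
    now = time.time() if now is None else now
    raw = cookies.get(OAM_COOKIE)
    if raw is None:
        return False, "no OAM cookie: send user to OAM for authentication"
    sid, _, flag = raw.partition(";osso_required=")
    session = SESSIONS.get(sid)
    if session is None or session.expires_at <= now:
        return False, "unknown or expired server-side session"
    # The client-side flag must agree with the server copy; a mismatch means
    # the cookie was altered, so the session is not honoured.
    if flag != str(int(session.requires_osso)):
        return False, "cookie flag does not match server session"
    if session.requires_osso and OSSO_COOKIE not in cookies:
        # Upgraded App1 and a not-yet-migrated partner must both see a
        # session: the OAM cookie alone is not enough without the OSSO one.
        return False, "OSSO cookie required but missing"
    return True, f"valid session for {session.user}"
```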
Q&A