Oracle Identity Cloud Service

[email protected] [email protected]

Posted on 21-Jan-2022

Agenda

Cloud Security Fundamentals

IAM Overview

Introduction to Oracle Cloud Security

Oracle Cloud Security Architecture

Oracle Cloud Security Services

• Cloud Service Model: SaaS, IaaS, PaaS

• Identity Management

• Access Management

• Oracle IDCS introduction

• Advantages and Disadvantages

• IDCS Pricing Model

• Accessing the IDCS console

• Integration of IDCS with Active Directory

• Delegated Authentication

• Users, Groups, Jobs and application settings

• User and Default Settings


Cloud Security Fundamentals

● The cloud is a service offered publicly; its services can be used anytime, anywhere and by anyone.

● Cloud security is securing those applications or services to defend confidentiality, integrity and availability.


Cloud Service Model

IaaS, PaaS, SaaS

• IaaS is also known as Hardware as a Service (HaaS). It is computing infrastructure managed over the internet.

• The main advantage of using IaaS is that it helps users avoid the cost and complexity of purchasing and managing physical servers.

• Resources are available as a service; highly scalable; automated administrative services.

• Example: AWS, Azure

• A PaaS cloud computing platform is created for programmers to develop, test, run and manage applications.

• Accessible to various users via the same development application; auto scalability.

• Example: Oracle IDCS

• SaaS is also known as "on-demand software". It is software in which the applications are hosted by a cloud service provider.

• Users can access these applications with an internet connection and a web browser.

• Managed centrally on a remote server; users are not responsible for hardware and software updates; pay per use.

• Example: Salesforce, O365


IAM Overview

● Identity and Access Management (IAM) in enterprise IT is about defining and managing the roles and access privileges of individual network entities across the variety of cloud and on-premises components.

● Users include customers, partners and employees. Devices include computers, smartphones, servers and routers.

● The core objective of an IAM system is one digital identity per individual or item.


How does IAM work?

A typical IAM comprises four elements:

● A directory or identity repository of the personal data the system uses to define individual users

● A set of tools for adding, modifying and deleting that data (related to access lifecycle management)

● A system that regulates and enforces user access

● An auditing and reporting system


Identity Lifecycle Management

The term refers to the entire set of processes and technologies for maintaining and updating digital identities. Identity lifecycle management includes identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.

Various tools: SailPoint, Saviynt, CA IDM, Oracle IDCS.


Access Management

Access management refers to the processes and technologies used to control and monitor network access. Access management features such as authentication, authorization, trust and security auditing are part and parcel of the top ID management systems for both on-premises and cloud-based systems.

The two main pillars of AM are:

1) Authentication: who is the user?

2) Authorization: what does the user have the right to access?

Various tools which help achieve AM are CA SiteMinder, ForgeRock OpenAM, Ping Identity and Oracle IDCS.


Questions and Answers


Introduction to Oracle Cloud Security

Oracle Cloud Infrastructure enables enterprises to migrate their mission-critical workloads to the cloud while continuing to maintain the same security posture. Reduce the overhead of building and operating data center infrastructure without sacrificing security.

● The Oracle Cloud Infrastructure security approach is based on seven core pillars. Each pillar has multiple solutions designed to maximize the security and compliance of the platform.

1) Customer Isolation

2) Data encryption

3) Security Controls

4) Visibility

5) High Availability

6) Secure Hybrid cloud

7) Verifiably secure infrastructure


Oracle Identity Cloud Service (Oracle IDCS)

Oracle Identity Cloud Service manages user access and entitlements across a wide range of cloud and on-premises applications and services using a cloud-native, identity as a service (IDaaS) platform. Oracle IDCS is a cloud-native service covering IAM use cases for employees, contractors and consumers, enabling management of access and entitlements.

1) Manage access across hybrid environments

Organizations need to securely manage access and entitlements across a wide range of cloud and on-premises applications. The solution should be easy to use and centrally managed. Oracle delivers its enterprise IAM solution via Oracle IDCS.

2) Sign on with flexible authentication options

IDCS enables flexible sign-on options with support for federated, social and delegated sign-on, robust adaptive security (based on network perimeter, device, time etc.) and numerous MFA options.


3) Seamless user experience with self-service

IDCS provides an intuitive user experience that is easy to use from the start. A dashboard view offers easy access to applications, with the ability to select favorites for quick navigation in busy environments.

4) Easy administration of users, groups and access

Create and manage users, groups and apps in the admin console via step-by-step wizards.

5) Flexible application management

In addition to the App Catalog and support for common SSO protocols (SAML, OAuth, OIDC), IDCS supports a variety of apps via the App Gateway proxy, which offers SSO capabilities.

6) Built-in reporting and auditing

Access logs, system logs and diagnostics.


Oracle IDCS pricing models

● Oracle Identity Cloud Service is a cloud-based multi-tenant solution that is designed to be an integral part of the enterprise security fabric and provide advanced identity and access management functions for on-premises and cloud enterprise resources.

There are two pricing models for Oracle Identity Cloud Service.

1) User Per Month

This is the newer pricing model for customers. It bills on the activity that users perform with IDCS on a monthly basis.

2) Active User Per Hour

This pricing model bills on hourly user sessions. It is no longer available to new customers.


Understand the User Per Month pricing model

● Oracle Identity Cloud Service Foundation

Oracle provides a free version of IDCS for customers that subscribe to Oracle (SaaS, PaaS, cloud infrastructure).

Customers can use this version to perform basic IDM functions including group management, user management, password management and reporting.

Customers can't use this version to integrate third-party applications on cloud or on-premises applications.

● Oracle Identity Cloud Service Standard

The licensed edition provides customers with an additional set of IDCS features to integrate with third-party applications.

An incentive of the Standard tier for the User Per Month pricing model is the Bring Your Own License (BYOL) program.


IDCS features by edition: Foundation vs. Standard

License Types

Available: Oracle Identity Cloud - Enterprise User - User Per Month; Oracle Identity Cloud - Consumer User - User Per Month; Oracle Identity Cloud - Enterprise User - BYOL - User Per Month; Oracle Identity Cloud - Consumer User - BYOL - User Per Month; Oracle Identity Foundation Cloud Service.

Default (for primordial instance): Oracle Identity Foundation Cloud Service.

Options: Customers intending to use paid IDCS features should update the instance to one of the paid SKUs (based on usage, on-premises license, and other factors).

Group-Based Password Policies

You can create multiple password policies in Oracle Identity Cloud Service, set the priority of these policies to determine in which order they apply, and then attach them to groups.
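How priority decides which group-based policy a user actually gets, as an added example that is not Oracle's code: it resolves the policy for a user from the groups the policies are attached to, then checks a candidate password against that policy. It assumes priority 1 applies first, that a user in no attached group falls back to the default policy, and uses constructed policies and users.

```python
import re
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    name: str
    priority: int            # assumption: 1 = applies first (wins over higher numbers)
    groups: frozenset        # groups the policy is attached to; empty = not attached
    min_length: int = 8
    min_classes: int = 2     # out of: lower, upper, digit, special
    disallow_username: bool = True

# Fallback when none of the user's groups has a policy attached (assumption).
DEFAULT = PasswordPolicy("Default Policy", 99, frozenset())

# Constructed sample policies: a strict one for admins, a mid tier for contractors.
POLICIES = [
    PasswordPolicy("Admin Policy", 1, frozenset({"Identity Domain Administrators"}), 14, 4),
    PasswordPolicy("Contractor Policy", 2, frozenset({"Contractors"}), 12, 3),
    DEFAULT,
]

def effective_policy(user_groups, policies=POLICIES):
    """Return the highest-priority policy attached to any group the user belongs to."""
    groups = set(user_groups)
    candidates = [p for p in policies if p.groups & groups]
    if not candidates:
        return DEFAULT
    return min(candidates, key=lambda p: p.priority)

def check_password(username, password, policy):
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    classes = sum(bool(re.search(rx, password))
                  for rx in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < policy.min_classes:
        problems.append(f"needs {policy.min_classes} character classes, has {classes}")
    if policy.disallow_username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems

if __name__ == "__main__":
    # A user in both groups gets the admin policy because priority 1 beats priority 2.
    pol = effective_policy({"Contractors", "Identity Domain Administrators"})
    print(pol.name, check_password("jdoe", "jdoe-Summer2022", pol))
```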

User and Group Management

Manage the lifecycle of users and groups in Oracle Identity Cloud Service. Users and groups can be onboarded manually or imported in bulk from a CSV file.

User and Group Management

Grant users access to applications by assigning users to the applications directly, or by assigning users to groups and groups to applications.

Self-Service Profile Management

Perform self-service capabilities to update user profile attributes and change passwords.

Advanced Self-Service Profile Management

Perform self-service capabilities to update user profile attributes, change passwords, manage linked social login accounts, view and manage devices registered for second-factor verification, and generate second-factor bypass codes.

Self-Service Password Reset

Perform self-service reset of users' forgotten passwords. Foundation: using challenge questions and answers. Standard: using all factors, including email, SMS and push notifications.

SSO for Oracle Cloud Services

Authenticate to Oracle Identity Cloud Service and gain single-click access to Oracle Cloud services.

External Identity Provider Federation

Configure a SAML 2.0 external identity provider such as Active Directory Federation Services (AD FS) for federated SSO to Oracle Identity Cloud Service. Foundation: one SAML identity provider. Standard: more than one SAML identity provider.

Basic User Provisioning and Synchronization for Oracle Cloud Apps

Provision user accounts to multiple Oracle SaaS and Oracle PaaS applications. You can also enable account synchronization to detect and synchronize any changes made directly on these target applications. Although you can use the provisioning templates, you can't change the default attribute mappings for provisioning and synchronization, or make any configuration changes to them.

Sign-on Policies

Use these policies to define the criteria that Oracle Identity Cloud Service uses to determine whether to allow a user to sign in to Oracle Identity Cloud Service or to prevent a user from accessing it. By defining these criteria, you control the access that users have to your applications based on conditions such as the identity providers used to authenticate the users, the groups to which the users belong, whether the users are assigned to administrator roles in Oracle Identity Cloud Service, or whether the users are accessing Oracle Identity Cloud Service from an IP address that is contained in a network perimeter.

Oracle Identity Cloud Service provides you with a default sign-on policy. In addition to the default sign-on policy, you can add sign-on policies and associate them with specific apps. When a user uses one of these apps to attempt to sign in to Oracle Identity Cloud Service, Oracle Identity Cloud Service checks whether the app has any sign-on policies associated with it. If so, Oracle Identity Cloud Service evaluates the criteria of the sign-on rules assigned to that policy. If there are no sign-on policies for the app, the default sign-on policy is evaluated instead.

Foundation: the default sign-on policy. Standard: any sign-on policies that you add.
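The evaluation order described above, as an added example rather than code from Oracle or this deck: an app's own policy is consulted before the default policy, and each rule carries the conditions the page lists (identity provider, group, administrator role, network perimeter). It assumes rules are evaluated in order with the first match deciding, that a sign-in matching no rule is denied, and that a rule may allow while requiring a second factor; policies and sign-in attempts are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SignOnRule:
    name: str
    effect: str                      # "allow" or "deny"
    identity_providers: set = field(default_factory=set)   # empty set = any IdP
    groups: set = field(default_factory=set)               # empty set = any group
    admin_only: bool = False         # match only users holding an administrator role
    network_perimeters: list = field(default_factory=list) # CIDR strings; empty = any IP
    require_mfa: bool = False        # allow, but prompt for a second factor (assumption)

@dataclass
class SignOnPolicy:
    name: str
    rules: list

@dataclass
class SignInAttempt:
    user: str
    idp: str
    groups: set
    admin_roles: set
    ip: str

def in_perimeter(ip, perimeters):
    """True when ip falls inside any CIDR range of a network perimeter."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in perimeters)

def rule_matches(rule, a):
    """Every condition a rule sets must hold; conditions left unset match anything."""
    if rule.identity_providers and a.idp not in rule.identity_providers:
        return False
    if rule.groups and not (rule.groups & a.groups):
        return False
    if rule.admin_only and not a.admin_roles:
        return False
    if rule.network_perimeters and not in_perimeter(a.ip, rule.network_perimeters):
        return False
    return True

def evaluate(attempt, app, app_policies, default_policy):
    """App policy if one exists, else the default; first matching rule decides (assumption)."""
    policy = app_policies.get(app, default_policy)
    for rule in policy.rules:
        if rule_matches(rule, attempt):
            return rule.effect, rule.require_mfa, f"{policy.name}/{rule.name}"
    return "deny", False, f"{policy.name}/no rule matched"   # assumption: no match = deny

# Constructed sample configuration, not taken from any real tenancy.
CORP_NET = ["10.0.0.0/8", "203.0.113.0/24"]
DEFAULT_POLICY = SignOnPolicy("Default Sign-On Policy", [
    SignOnRule("Admins must use MFA", "allow", admin_only=True, require_mfa=True),
    SignOnRule("Everyone else", "allow"),
])
APP_POLICIES = {
    "Payroll": SignOnPolicy("Payroll Policy", [
        SignOnRule("Block social IdPs", "deny", identity_providers={"Google", "Facebook"}),
        SignOnRule("HR on corporate network", "allow", groups={"HR"}, network_perimeters=CORP_NET),
        SignOnRule("HR off-network needs MFA", "allow", groups={"HR"}, require_mfa=True),
    ]),
}
```

Calling evaluate(SignInAttempt("asmith", "AD FS", {"HR"}, set(), "10.20.30.40"), "Payroll", APP_POLICIES, DEFAULT_POLICY) walks the Payroll policy; the same HR user from an outside address reaches the MFA rule, and a non-HR user reaches no Payroll rule at all.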

Application Development SDKs

Enable your mobile and web applications to authenticate to Oracle Identity Cloud Service by using software development kits (SDKs).

Security and Usage Reports

Execute and view operational or historical reports that capture usage data about Oracle Identity Cloud Service users and applications, and diagnostic-level logs.

Oracle Identity Manager Connector for Oracle Identity Cloud Service

Use this connector in Oracle Identity Manager to manage the complete lifecycle of users and groups in Oracle Identity Cloud Service from Oracle Identity Manager. This connector also enables access certification of SaaS resources, Segregation of Duties (SoD) violation checks during the request and approval process, and reports on SaaS app usage in Oracle Identity Manager.


Understand user per month pricing Model


● Oracle Identity Cloud Service Basic

This licensed edition provides all of the features of Oracle Identity Cloud Service Foundation plus the ability to synchronize Microsoft Active Directory user identities and groups into Oracle Identity Cloud Service.


Oracle IDCS concepts

● Oracle Cloud services

○ Oracle Cloud offers hosting of cloud services

○ SaaS, PaaS, DaaS, IaaS

● Identity Domain

○ An identity domain is a construct for managing users, roles and integration standards through SSO configuration and OAuth administration

● SAML, OAuth and OpenID Connect

○ SAML: Security Assertion Markup Language. SAML assertions, the SAML protocol, bindings.

○ OAuth and OIDC: various grant types, mobile applications.

● SCIM

○ Using the IDCS API, System for Cross-domain Identity Management (SCIM) is securely managed


Other Key Concepts

● 2-step verification

● Access request

● Access token

● Account recovery

● Adaptive security

● Admin role

● Application

● Application role/template

● Bridge

● Bulk loading

● Federated SSO

● IdP

● Job

● Notifications

● Provisioning Bridge

● App Gateway

● Asserter

● User life cycle


Questions and Answers


Access IDCS Consoles

● Sign In page

● My Profile console

● IDCS Admin console

● My Apps

● Catalog

● 2-Factor Authentication


Sign In Page

● Oracle IDCS provides sign-in, set-password and reset-password features.

● When your account has been added to Oracle Identity Cloud Service, you receive an activation email instructing you to activate your account. Click the activation link, and then set your password.

● If you forget your password and can't sign in to Oracle Identity Cloud Service, you can reset your password using your username.

● Passwordless login


My Profile Console

● My Profile Details

● Change My Password

● Email Options

● Security

● Social Accounts

● My Access

● My requests


Oracle IDCS Admin Console

Depending on your administrator type, use this console to manage users, groups, applications, administrative settings and security settings, customize the service, and run reports.


My Apps, Catalog, MFA

● On "My Apps" you can access all the applications you are assigned to

● Catalog: use this option to view and request access to groups and applications

● MFA: use this option to enroll for 2-step authentication


Access Oracle IDCS console


Questions and Answers


Oracle Cloud Security Services

Understand Administrator roles

Administrator Role / Privileges

Identity domain administrator

Has superuser privileges for an identity domain in Oracle Identity Cloud Service. Identity domain administrators can:

• Manage users, groups, applications, system configuration, and security settings

• Perform delegated administration by assigning users to different administrative roles

• Enable and disable Multi-Factor Authentication (MFA), configure MFA settings, and configure authentication factors

• Create self-registration profiles to manage different sets of users, approval policies, and applications.


Security administrator

Manage Oracle Identity Cloud Service system configuration and security settings for an identity domain in Oracle Identity Cloud Service. Security administrators can customize the interface, default settings, notifications, and the password policies, configure Multi-Factor Authentication (MFA), and manage the Microsoft Active Directory (AD) Bridge, Provisioning Bridge, identity providers, and trusted partner certificates.

Application administrator

Manage Oracle Identity Cloud Service applications. Application administrators can create, update, activate, deactivate, and delete applications. Application administrators can also grant and revoke access to applications for groups and users.

User administrator

Manage users, groups, and group memberships for an identity domain in Oracle Identity Cloud Service.


User manager

Manage all users or users of selected groups in Oracle Identity Cloud Service. User managers can update, activate, deactivate, remove, and unlock user accounts. User managers can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

Help desk administrator

Manage all users or users of selected groups in Oracle Identity Cloud Service. Help desk administrators can view the details of a user and unlock a user account. Help desk administrators can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.

Audit administrator

Run reports for an identity domain in Oracle Identity Cloud Service.


Manage Users

● Understand the user lifecycle

● Create/Modify user accounts

● Activate and deactivate user accounts

● Import and export user account

● Reset password for user accounts

● Manage delegated authentication


Manage Groups

● Create groups

● Import groups

● Assign groups to the application

● Assign users to groups

● Bulk assignment of users to respective groups

● Assigning the respective roles and responsibilities to groups with respect to different sets of applications


Managing Jobs

● Importing (bulk loading) users

● Importing groups

● Gathering diagnostics data


Active Directory Integration

● An Oracle Identity Cloud Service agent installed in your local environment automatically and continuously synchronizes users and groups from your Microsoft Active Directory to Oracle Identity Cloud Service.

● What do you need?

● Access to Oracle Identity Cloud Service with authorization to manage Directory Integrations (either Identity Domain Administrator or Security Administrator)

● A Windows OS desktop or server (to host the bridge agent).

Tip: For learning purposes, you can use your own Windows desktop. For production, it's recommended to use a server.

● Your Active Directory domain name.

Tip: You can get this information in the Active Directory Users and Computers utility. In this tutorial, the domain name is example.com.


Download and install the AD Bridge

● Download the AD Bridge from the IDCS console

● Place the binaries on an AD member server

● Proceed with the installation

● The installation process needs the following details:

○ Install path

○ Proxy settings

○ IDCS URL, Client ID, Client Secret

● Provide the AD username and password

● Setup complete


Configure settings for AD integration

● Log in to the IDCS Admin console and navigate to Directory Integrations


Manage AD Bridge

1. On the bridge agent host, launch the bridge configuration utility (C:\Program Files\Oracle\IDBridge\IDBridgeUI.exe).

2. If the OS displays an authorization dialog, click Yes.

3. The Oracle Identity Cloud Service Active Directory Agent window is displayed.

4. Optionally, explore the View logs and Stop buttons.

• The View logs button opens a file explorer where the agent log files are stored.

• The Stop and Start buttons control the agent service by enabling and disabling it.

5. Close the utility.


Delegated Authentication

● With delegated authentication, identity domain administrators and security administrators don't have to synchronize user passwords between an on-premises Microsoft Active Directory (AD) enterprise directory structure and Oracle Identity Cloud Service. Users can use their AD passwords to sign in to Oracle Identity Cloud Service to access resources and applications protected by Oracle Identity Cloud Service.


Questions and Answers


Thanks!

Contact us:

[email protected]

+44 207 101 9262

+ 1 212 404 1735

www.apps2fusion.com