Oracle Identity Cloud Service
TRANSCRIPT
📧[email protected] 📧[email protected]
Agenda
• Cloud Security Fundamentals
• IAM Overview
• Introduction to Oracle Cloud Security
• Oracle Cloud Security Architecture
• Oracle Cloud Security Services
• Cloud Service Models: SaaS, IaaS, PaaS
• Identity Management
• Access Management
• Oracle IDCS introduction
• Advantages and Disadvantages
• IDCS Pricing Model
• Accessing the IDCS console
• Integration of IDCS with Active Directory
• Delegated Authentication
• Users, Groups, Jobs and application settings
• User and Default Settings
Cloud Security Fundamentals
● Cloud is a service offered publicly; its services can be used anytime, anywhere and by anyone.
● Cloud security is securing those applications or services to defend confidentiality, integrity and availability.
Cloud Security Model
IaaS
• IaaS is also known as Hardware as a Service (HaaS). It is a computing infrastructure managed over the internet.
• The main advantage of using IaaS is that it helps users avoid the cost and complexity of purchasing and managing physical servers.
• Resources are available as a service, highly scalable, with automated administrative services.
• Example: AWS, Azure
PaaS
• A PaaS cloud computing platform is created for the programmer to develop, test, run, and manage applications.
• Accessible to various users via the same development application, with auto scalability.
• Example: Oracle IDCS
SaaS
• SaaS is also known as "on-demand software". It is software in which the applications are hosted by a cloud service provider.
• Users can access these applications with the help of an internet connection and a web browser.
• Managed centrally on a remote server; users are not responsible for hardware and software updates; pay per use.
• Example: Salesforce, O365
IAM Overview
● Identity and Access Management (IAM) in enterprise IT is about defining and managing the roles and access privileges of individual network entities to the variety of cloud and on-premise components.
● Users include customers, partners and employees. Devices include computers, smartphones, servers and routers.
● The core objective of an IAM system is one digital identity per individual or item.
How does IAM work?
A typical IAM comprises four elements:
● A directory or identity repository of the personal data the system uses to define individual users
● A set of tools for adding, modifying and deleting that data (related to access lifecycle management)
● A system that regulates and enforces user access
● An auditing and reporting system
Identity Lifecycle Management
The term refers to the entire set of processes and technologies for maintaining and updating digital identities. Identity lifecycle management includes identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements.
Various tools: SailPoint, Saviynt, CA IDM, Oracle IDCS.
Access Management
Access management refers to the processes and technologies used to control and monitor network access. Access management features, such as authentication, authorization, trust and security auditing, are part and parcel of the top ID management systems for both on-premises and cloud-based systems.
The two main pillars of AM are:
1) Authentication: who is the user?
2) Authorization: what does the user have the right to access?
Various tools that help achieve AM are CA SiteMinder, ForgeRock OpenAM, Ping Identity and Oracle IDCS.
Introduction to Oracle Cloud Security
Oracle Cloud Infrastructure enables enterprises to migrate their mission-critical workloads to the
cloud while continuing to maintain the same security posture. Reduce the overhead of building
and operating data center infrastructure without sacrificing security.
● Oracle Cloud Infrastructure's security approach is based on seven core pillars. Each pillar has multiple solutions designed to maximize the security and compliance of the platform.
1) Customer Isolation
2) Data encryption
3) Security Controls
4) Visibility
5) High Availability
6) Secure Hybrid cloud
7) Verifiably secure infrastructure
Oracle Identity Cloud Service (Oracle IDCS)
Oracle Identity Cloud Service manages user access and entitlements across a wide range of cloud and on-premises applications and services using a cloud-native, identity as a service (IDaaS) platform. Oracle IDCS is a cloud-native service covering IAM use cases for employees, contractors and consumers, enabling management of access and entitlements.
1) Manage access across hybrid environments
Organizations need to securely manage access and entitlements across a wide range of cloud and on-premises applications. The solution should be easy to use and centrally managed. Oracle delivers its enterprise IAM solution via Oracle IDCS.
2) Sign on with flexible authentication options
IDCS enables flexible sign-on options with support for federated and social sign-on, delegated sign-on, robust adaptive security (based on network perimeter, device, time, etc.) and numerous MFA options.
3) Seamless user experience with self-service
IDCS provides an intuitive user experience that is easy to use from the start. A dashboard view offers easy access to applications, with the ability to select favorites for quick movement in busy environments.
4) Easy administration of users, groups and access
Create and manage users, groups and apps in the admin console via step-by-step wizards.
5) Flexible application management
In addition to the App Catalog and support for common SSO protocols (SAML, OAuth, OIDC), IDCS supports a variety of apps via the App Gateway proxy, which offers SSO capabilities.
6) Built-in reporting and auditing
Access logs, system logs and diagnostics.
Oracle IDCS pricing models
● Oracle Identity Cloud Service is a cloud-based multi-tenant solution that is designed to be an integral part of the enterprise security fabric and provide advanced identity and access management functions for on-premise and cloud enterprise resources.
There are two pricing models for Oracle Identity Cloud Service.
1) User Per Month
Oracle Identity Cloud Service has a new pricing model for customers. This pricing model bills on the activity that users perform with IDCS on a monthly basis.
2) Active User Per Hour
This pricing model bills on the user's hourly sessions. This is no longer valid for new customers.
Understand the User Per Month pricing model
● Oracle Identity Cloud Service Foundation
Oracle provides a free version of IDCS for customers that subscribe to Oracle (SaaS, PaaS, cloud infrastructure).
Customers can use this version to perform basic IDM functions including group management, user management, password management and reporting.
Customers can't use this version to integrate third-party applications on cloud or on-premise applications.
● Oracle Identity Cloud Service Standard
The licensed edition provides customers with an additional set of IDCS features to integrate with third-party applications.
An incentive of the Standard tier for the User Per Month pricing model is the Bring Your Own License (BYOL) program.
Feature Description Foundation Standard
License Types
Available: Oracle Identity Cloud - Enterprise User - User Per Month; Oracle Identity Cloud - Consumer User - User Per Month; Oracle Identity Cloud - Enterprise User - BYOL - User Per Month; Oracle Identity Cloud - Consumer User - BYOL - User Per Month; Oracle Identity Foundation Cloud Service.
Default (for the primordial instance): Oracle Identity Foundation Cloud Service.
Options: Customers intending to use paid IDCS features should update the instance to one of the paid SKUs (based on usage, on-premises license, and other factors).
Group-Based Password Policies
You can create multiple password policies in Oracle Identity Cloud Service, set the priority of these policies to determine the order in which they apply, and then attach them to groups.
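The slide raises the practical question of which password policy applies when a user belongs to several groups with different policies. The following is an added example, not part of the original deck or of Oracle IDCS itself: a constructed model in which each policy carries a priority and a set of groups, the highest-priority policy attached to any of the user's groups wins, and a policy attached to no group acts as the default. Policy names, rule fields and the "lower number = higher priority" ordering are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed model of group-based password policies with priorities. Field names
# and the "lower priority number wins" ordering are assumptions for illustration,
# not Oracle IDCS configuration.

@dataclass
class PasswordPolicy:
    name: str
    priority: int        # 1 = applied first (assumption)
    groups: set          # groups the policy is attached to; empty = default policy
    min_length: int
    require_digit: bool = False
    require_upper: bool = False

def resolve_policy(policies: list, user_groups: set) -> PasswordPolicy:
    """Pick the highest-priority policy attached to any of the user's groups,
    falling back to the policy attached to no group (the default)."""
    attached = [p for p in policies if p.groups & user_groups]
    if attached:
        return min(attached, key=lambda p: p.priority)
    return next(p for p in policies if not p.groups)

def check_password(policy: PasswordPolicy, candidate: str) -> list:
    """Return the rules of the resolved policy that the candidate password violates."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"min_length {policy.min_length}")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        violations.append("require_digit")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        violations.append("require_upper")
    return violations

# Constructed sample: a lenient default, a stricter policy for contractors and the
# strictest for administrators; a user in both groups gets the admin policy.
POLICIES = [
    PasswordPolicy("default", 99, set(), min_length=8),
    PasswordPolicy("contractors", 2, {"Contractors"}, min_length=12, require_digit=True),
    PasswordPolicy("admins", 1, {"Admins"}, min_length=16, require_digit=True, require_upper=True),
]

def validate_for_user(user_groups: set, candidate: str) -> tuple:
    """Resolve the policy for the user's groups and report the violated rules."""
    policy = resolve_policy(POLICIES, user_groups)
    return policy.name, check_password(policy, candidate)
```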
User and Group Management
Manage the lifecycle of users and groups in Oracle Identity Cloud Service. Users and groups can be onboarded manually or can be imported in bulk from a CSV file.
User and Group Management
Grant user access to various applications by assigning users to the applications directly, or by assigning users to groups and groups to applications.
Self-Service Profile Management
Perform self-service capabilities to update user profile attributes and change passwords.
Advanced Self-Service Profile Management
Perform self-service capabilities to update user profile attributes, change passwords, manage linked social login accounts, view and manage devices registered for second-factor verification, and generate second-factor bypass codes.
Self-Service Password Reset
Perform self-service reset of users' forgotten passwords.
Foundation: using challenge questions and answers.
Standard: using all factors, including email, SMS and push notifications.
SSO for Oracle Cloud Services
Authenticate to Oracle Identity Cloud Service and gain single-click access to Oracle Cloud services.
External Identity Provider Federation
Configure a SAML 2.0 external identity provider such as Active Directory Federation Services (AD FS) for federated SSO to Oracle Identity Cloud Service.
Foundation: for one SAML identity provider.
Standard: for more than one SAML identity provider.
Basic User Provisioning and Synchronization for Oracle Cloud Apps
Provision user accounts to multiple Oracle SaaS and Oracle PaaS applications. You can also enable account synchronization to detect and synchronize any changes made directly on these target applications. Although you can use the provisioning templates, you can't change the default attribute mappings for provisioning and synchronization, or make any configuration changes to them.
Sign-on Policies
Use these policies to define criteria that Oracle Identity Cloud Service uses to determine whether to allow a user to sign in to Oracle Identity Cloud Service or prevent a user from accessing Oracle Identity Cloud Service. By defining these criteria, you control the access that users have to your applications based on conditions such as the identity providers that will be used to authenticate the users, the groups to which the users belong, whether the users are assigned to administrator roles in Oracle Identity Cloud Service, or whether the users are accessing Oracle Identity Cloud Service using an IP address that's contained in a network perimeter.
Oracle Identity Cloud Service provides you with a default sign-on policy. In addition to the default sign-on policy, you can add sign-on policies and associate them with specific apps. When a user uses one of these apps to attempt to sign in to Oracle Identity Cloud Service, Oracle Identity Cloud Service checks to see if the app has any sign-on policies associated with it. If so, then Oracle Identity Cloud Service evaluates the criteria of the sign-on rules assigned to the policy. If there are no sign-on policies for the app, then the default sign-on policy is evaluated by Oracle Identity Cloud Service.
Foundation: for the default sign-on policy.
Standard: for any sign-on policies that you add.
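The evaluation order just described (an app's own policy if one is associated, otherwise the default policy, with rule conditions on identity provider, group membership, administrator role and network perimeter) is shown below as an added example, not code from the original deck or from Oracle IDCS. It assumes a simplified "first matching rule decides, no match denies" semantics and uses constructed sample data; the class and function names are illustrative, not IDCS API names.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed, simplified model of the evaluation order described above: the app's
# own sign-on policy if it has one, otherwise the default policy; inside a policy
# the first matching rule decides. Names are assumptions, not Oracle IDCS API names.
ADMIN_ROLES = {"Identity Domain Administrator", "Security Administrator"}

@dataclass
class NetworkPerimeter:
    name: str
    cidrs: list  # CIDR strings
    def contains(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(c) for c in self.cidrs)

@dataclass
class SignOnRule:
    name: str
    action: str  # "allow" or "deny"
    identity_providers: set = field(default_factory=set)  # empty = any IdP
    groups: set = field(default_factory=set)              # empty = any group
    admin_roles: set = field(default_factory=set)         # empty = any user
    perimeters: list = field(default_factory=list)        # empty = any IP
    def matches(self, ctx: dict) -> bool:
        if self.identity_providers and ctx["idp"] not in self.identity_providers:
            return False
        if self.groups and not (self.groups & ctx["groups"]):
            return False
        if self.admin_roles and not (self.admin_roles & ctx["admin_roles"]):
            return False
        if self.perimeters and not any(p.contains(ctx["ip"]) for p in self.perimeters):
            return False
        return True

@dataclass
class SignOnPolicy:
    name: str
    rules: list  # evaluated in order

def evaluate_policy(policy: SignOnPolicy, ctx: dict) -> tuple:
    """First matching rule wins; no match denies (assumed fail-closed default)."""
    for rule in policy.rules:
        if rule.matches(ctx):
            return rule.action, f"{policy.name}/{rule.name}"
    return "deny", f"{policy.name}/no-matching-rule"

def evaluate_sign_on(app_policies: dict, default_policy: SignOnPolicy,
                     app: str, ctx: dict) -> tuple:
    """Use the app's associated policy when it has one, else the default policy."""
    return evaluate_policy(app_policies.get(app, default_policy), ctx)

# Constructed sample: a corporate perimeter, a default policy that keeps administrators
# on the corporate network, and a stricter policy attached only to the "payroll" app.
CORP = NetworkPerimeter("corp-net", ["10.0.0.0/8", "192.168.0.0/16"])
DEFAULT_POLICY = SignOnPolicy("default", [
    SignOnRule("admins-on-corp-net", "allow", admin_roles=ADMIN_ROLES, perimeters=[CORP]),
    SignOnRule("admins-off-net", "deny", admin_roles=ADMIN_ROLES),
    SignOnRule("everyone-else", "allow"),
])
APP_POLICIES = {"payroll": SignOnPolicy("payroll-policy", [
    SignOnRule("finance-via-adfs", "allow", identity_providers={"ADFS"},
               groups={"Finance"}, perimeters=[CORP]),
    SignOnRule("deny-rest", "deny"),
])}
```

Any app other than "payroll" falls through to DEFAULT_POLICY, which is where an administrator signing in from outside the corporate perimeter is denied.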
Application Development SDKs
Enable your mobile and web applications to authenticate to Oracle Identity Cloud Service by using software development kits (SDKs).
Security and Usage Reports
Execute and view operational or historical reports that capture usage data about Oracle Identity Cloud Service users and applications, and diagnostic-level logs.
Oracle Identity Manager Connector for Oracle Identity Cloud Service
Use this connector in Oracle Identity Manager to manage the complete lifecycle of users and groups in Oracle Identity Cloud Service from Oracle Identity Manager. This connector also enables access certification of SaaS resources, Segregation of Duties (SoD) violation checks during the request and approval process, and reports on SaaS app usage in Oracle Identity Manager.
Understand the User Per Month pricing model
● Oracle Identity Cloud Service Basic
This licensed edition provides all of the features of Oracle Identity Cloud Service Foundation plus the ability to synchronize Microsoft Active Directory user identities and groups into Oracle Identity Cloud Service.
Oracle IDCS concepts
● Oracle Cloud services
○ Oracle Cloud offers hosting of cloud services
○ SaaS, PaaS, DaaS, IaaS
● Identity Domain
○ An identity domain is a construct for managing users, roles and integration standards through SSO configurations and OAuth administration
● SAML, OAuth and OpenID Connect
SAML: Security Assertion Markup Language.
SAML assertions, SAML protocol, bindings.
OAuth and OIDC: various grant types, mobile applications.
● SCIM
○ Using the IDCS API, identities are managed securely via the System for Cross-domain Identity Management (SCIM)
Other Key Concepts
● 2-step verification
● Access request
● Access Token
● Account recovery
● Adaptive security
● Admin role
● Application
● Application role/template
● Bridge
● Bulk loading
● Federated SSO
● IDP
● Job
● Notifications
● Provisioning Bridge
● App gateway
● Asserter
● User life cycle
Access IDCS Consoles
● Sign In Page
● My Profile Console
● IDCS Admin Console
● My Apps
● Catalog
● 2-Factor Authentication
Sign In Page
● Oracle IDCS provides sign-in, set-password and reset-password features.
● When your account has been added to Oracle Identity Cloud Service, you receive an activation email instructing you to activate your account. Click the activation link, and then set your password.
● If you forget your own password and can't sign in to Oracle Identity Cloud Service, you can reset your password using your username.
● Passwordless login
My Profile Console
● My Profile Details
● Change My Password
● Email Options
● Security
● Social Accounts
● My Access
● My requests
Oracle IDCS Admin Console
Depending on your administrator type, use this console to manage users, groups, applications, administrative settings and security settings, customize the service, and run reports.
My Apps, Catalog, MFA
● On "My Apps" you can access all the applications you are assigned to
● Catalog: use this option to view and request access to groups and applications
● MFA: use this option to enroll for 2-step authentication
Oracle Cloud Security Services
Understand Administrator roles
Administrator Role Privileges
Identity domain administrator
Has superuser privileges for an identity domain in Oracle Identity Cloud Service. Identity domain administrators can:
• Manage users, groups, applications, system configuration, and security settings
• Perform delegated administration by assigning users to different administrative roles
• Enable and disable Multi-Factor Authentication (MFA), configure MFA settings, and configure authentication factors
• Create self-registration profiles to manage different sets of users, approval policies, and applications.
Security administrator
Manage Oracle Identity Cloud Service system configuration and security settings for an identity domain in Oracle Identity Cloud Service. Security administrators can customize the interface, default settings, notifications, and the password policies, configure Multi-Factor Authentication (MFA), and manage the Microsoft Active Directory (AD) Bridge, Provisioning Bridge, identity providers, and trusted partner certificates.
Application administrator
Manage Oracle Identity Cloud Service applications. Application administrators can create, update, activate, deactivate, and delete applications. Application administrators can also grant and revoke access to applications for groups and users.
User administrator
Manage users, groups, and group memberships for an identity domain in Oracle Identity Cloud Service.
User manager
Manage all users or users of selected groups in Oracle Identity Cloud Service. User managers can update, activate, deactivate, remove, and unlock user accounts. User managers can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.
Help desk administrator
Manage all users or users of selected groups in Oracle Identity Cloud Service. Help desk administrators can view the details of a user and unlock a user account. Help desk administrators can also reset passwords, reset authentication factors, and generate bypass codes for user accounts.
Audit administrator
Run reports for an identity domain in Oracle Identity Cloud Service.
Manage Users
● Understand the user lifecycle
● Create/Modify user accounts
● Activate and deactivate user accounts
● Import and export user accounts
● Reset password for user accounts
● Manage delegated authentication
Manage Groups
● Create groups
● Import groups
● Assign groups to the application
● Assign users to groups
● Bulk assignment of users to respective groups
● Assign the respective roles and responsibilities to groups with respect to different sets of applications
Managing Jobs
● Importing (bulk loading) users
● Importing groups
● Gathering diagnostics data
Active Directory Integration
● An Oracle Identity Cloud Service agent installed in your local environment automatically and continuously synchronizes users and groups from your Microsoft Active Directory to Oracle Identity Cloud Service.
● What do you need?
○ Access to Oracle Identity Cloud Service with authorization to manage Directory Integrations (either Identity Domain Administrator or Security Administrator).
○ A Windows OS desktop or server (to host the bridge agent).
Tip: For learning purposes, you can use your own Windows desktop. For production, it's recommended to use a server.
○ Your Active Directory domain name.
Tip: You can get this information in the Active Directory Users and Computers utility. In this tutorial, the domain name is example.com.
Download and install AD Bridge
● Download the AD Bridge from the IDCS console
● Place the binaries on an AD member server
● Proceed with the installation
● The installation process needs the following details:
○ Install path
○ Proxy settings
○ IDCS URL, Client ID, Client Secret
● Provide the AD username and password
● Setup complete
Configure settings for AD integration
● Log in to the IDCS Admin console and navigate to Directory Integrations
Manage AD Bridge
1. On the bridge agent host, launch the bridge configuration utility (C:\Program Files\Oracle\IDBridge\IDBridgeUI.exe).
2. If the OS displays an authorization dialog, click Yes.
3. The Oracle Identity Cloud Service Active Directory Agent window is displayed.
4. Optionally, explore the View logs and Stop buttons.
• The View logs button opens a file explorer where the agent log files are stored.
• The Stop and Start buttons control the agent service by disabling and enabling it.
5. Close the utility.
Delegated Authentication
● With delegated authentication, identity domain administrators and security administrators don't have to synchronize user passwords between an on-premises Microsoft Active Directory (AD) enterprise directory structure and Oracle Identity Cloud Service. Users can use their AD passwords to sign in to Oracle Identity Cloud Service to access resources and applications protected by Oracle Identity Cloud Service.
Thanks!
Contact us:
+44 207 101 9262
+ 1 212 404 1735
www.apps2fusion.com