Identity and Resource Management
Solution on Access and Identity
COREid Access & Identity
Managing All Aspects of Identity & Access
COREid Access
• Web Single Sign-On
• Flexible Authentication Methods
• Policy-based Authorization

COREid Provisioning
• Template-based workflow
• Agent and Agentless account provisioning
• Metadirectory synchronization
• Password synchronization
• Cross-platform connectivity

COREid Identity
• User, Group, and Organization Management
• Delegated Administration
• Self Service and Self Registration
• Unified Workflow
• Identity Web Services Controls
• Password Management

COREid Integration
• Pre-built Connectors – to leading application servers, web servers, portal servers, and directory servers
• “Data Anywhere” Configuration

COREid Reporting
• Centralized auditing
• Pre-built identity and security reports
• Global View user access
• Robust logging framework

Benefits

Increased Security
• Integrated solution
• Define and enforce security, administrative, and access control policies consistently across enterprise applications

Increased Compliance
• Audit events across entire enterprise
• Who has access to which applications
• Access control managed per attribute
• Meet Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley compliance

Increased Governance
• Centralized policy definition with localized enforcement
COREid Access: Overview
Architecture diagram (figure): users (employees, partners, customers, suppliers, etc.) connect over HTTP(s) to web servers running the WebGate agent, which sit in the DMZ between two firewalls. WebGate talks to the COREid Access Server™ over a secure protocol over SSL. The Access Server reads user identities and security policies for authentication and authorization from an LDAP-based directory server over LDAP over SSL. The result is HTTP(s) single sign-on to enterprise applications and resources.
COREid Identity
Architecture diagram (figure): users (employees, partners, customers, suppliers, etc.) connect over HTTP(s) to a web server running WebPass in the DMZ between two firewalls. WebPass talks to the COREid Identity Server over a secure protocol over SSL (NIP), and the Identity Server reads and writes the LDAP directory over LDAP over SSL. Identity Server functions: Identity Workflow, Delegated Administration, User Management, Group Management, Organization Management.
COREid Identity: Identity Workflow
Flexible multi-step workflow engine: custom-develop workflows for each process in each organization.
Role-based routing: routing based on user role or other attribute.
A step can call out to an external application, run a pre-processing action before the next step is entered, and run a post-processing action after the step is completed. Workflow target: LDAP.

Create User: By User Self Registration
• Step 1: User self-registers
• Step 2: Delegated Administrator approves request
• Step 3: IT team approves request
• Step 4: Application owner approves request

Create User: By Delegated Administration
• Step 1: Delegated administrator creates user
• Step 2: Approval from IT team

Attribute Change
• Step 1: End user requests change to role
• (pre-processing action before next step is entered)
• Step 2: Manager approves change
• (post-processing action after step is completed)
• Step 3: HR approves change
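As an added example (not COREid code), a small Python model of the workflow engine the slide describes: ordered approval steps, each owned by a role, with a pre-processing hook that can veto a step, a post-processing callout, and role-based routing. The role catalogue and the rule that routes a contractor's change to a vendor manager are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ALLOWED_ROLES = {"employee", "manager", "finance"}  # constructed sample role catalogue
Hook = Optional[Callable[[dict], None]]

@dataclass
class Step:
    name: str
    approver_role: str   # role whose decision closes the step
    pre: Hook = None     # pre-processing action, runs before the step is entered
    post: Hook = None    # post-processing action, runs after the step completes

@dataclass
class Workflow:
    steps: List[Step]
    audit: List[str] = field(default_factory=list)  # one audit line per step taken

    def run(self, request: dict, decisions: Dict[str, bool]) -> str:
        """decisions maps approver role -> approved?; returns the final outcome."""
        for step in self.steps:
            try:
                if step.pre:
                    step.pre(request)
            except ValueError as err:  # a pre-processing action may veto the step
                self.audit.append(f"{step.name}: blocked ({err})")
                return f"rejected at {step.name}"
            ok = decisions.get(step.approver_role, False)
            self.audit.append(f"{step.name}: {step.approver_role} {'approved' if ok else 'rejected'}")
            if not ok:
                return f"rejected at {step.name}"
            if step.post:
                step.post(request)
        return "approved"

def check_requested_role(request: dict) -> None:
    """Pre-processing: refuse a role that is not in the catalogue."""
    if request["new_role"] not in ALLOWED_ROLES:
        raise ValueError(f"unknown role {request['new_role']!r}")

def callout_provision(request: dict) -> None:
    """Post-processing stand-in for the slide's callout to an external application."""
    request.setdefault("provisioned", []).append(request["new_role"])

def attribute_change_workflow(request: dict) -> Workflow:
    """Role-based routing (assumed rule): a contractor's change goes to the vendor
    manager instead of the line manager; HR approves last in both cases."""
    manager = "vendor_manager" if request.get("employment") == "contractor" else "manager"
    return Workflow([Step("Manager approval", manager, pre=check_requested_role),
                     Step("HR approval", "hr", post=callout_provision)])
```

The audit list is the record a reviewer would want when reconciling who approved a role change and which steps were vetoed before a human ever saw them.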
COREid Access and Identity
• Benefits
  • Centralized and consistent security across heterogeneous environments
  • Reduced administration cost
  • Improved end user experience
  • Better compliance
• Features
  • Common policy management
  • Multi-level, multi-factor auth mgmt
  • Self-service and password mgmt
  • Delegated administration
  • Workflow engine
  • Web Services interfaces
Diagram labels: Authentication, Authorization, Identity Admin
Demonstration
Identity Management & Access
COREid Federation
• Benefits
  • Secure integration with partners
  • Reduce administration cost
  • Deliver improved end user experience
• Features
  • Seamless SSO and Identity Sharing
  • Multi-protocol gateway – SAML, Liberty, WS-Federation
  • Service Provider or Identity Provider
  • Flexible deployment configurations
  • Standalone for use with pre-existing web-access management solution
  • Protocol SDK for custom applications
Xellerate Identity Provisioning
• Benefits
  • Reduced administration cost
  • Critical for regulatory compliance
  • Improved security through centralized administration
• Features
  • Identity life-cycle management for the heterogeneous enterprise
  • Complete workflow for approvals
  • Connectors for OS’es, DBs, Directories, Groupware, Apps, etc.
  • Direct connectivity to HR
  • Compliance reporting
Oracle Web Services Manager
SOA Security, Java Container Security
• Benefits
  • Development and deployment time security policy enforcement
  • Cross-platform monitoring and service level enforcement
  • Compliance Reporting
• Features
  • Rich library of pre-built policies
  • Centralized policy management with local enforcement
  • JAAS, JACC, WS-Sec
Oracle Virtual Directory Provides …
Diagram (figure): identity sources for Employees, Customers and Partners feed Oracle Virtual Directory, which presents a Single Identity View and Protects Directory Investments.
• Real-time “consolidation”
• Technology abstraction
• Complexity reduction
Product Architecture
Diagram (figure), top to bottom:
• Service Listener Protocols: LDAP, Web Service, Web Gateway
• VDE Directory Engine: Data Transformation, Mapping, Routing, Security, Audit; Join View
• Data Adapters: Local Store, LDAP, DB, NT, Custom Adapter
Virtual Directory Provisioning
Diagram (figure) showing the Admin, COREid Identity, the LDAP directory, the VDE, provisioning targets (NT Directory), the User and COREid Access, with the numbered flow:
1. User created via workflow
2. COREid initiates LDAP add operation
3. Primary object created
4. VDE maps attributes and provisions NT or AD
5. Access System uses LDAP for AuthN and AuthZ
6. Access System uses LDAP for AuthN and AuthZ
7. Authentication against Active Directory DC
8. Authorization for policy enforcement using LDAP directory
Adapters and Mapping Rules create a joined view of back-end data. Directory data is exposed through standard LDAP calls.
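As an added example (not Oracle Virtual Directory code), a Python model of the join view and provisioning flow above: two constructed back-ends (an LDAP store and an NT/AD-style store) sit behind adapters with mapping rules and are joined on uid; add writes the primary object and then provisions the mapped attributes to the NT target (steps 2 to 4), and is_member answers an authorization question over the joined view (step 8). Attribute names, the ';'-separated group format and the sample entries are constructed for the example.

```python
from typing import Dict, List, Optional

Entry = Dict[str, str]

class Adapter:
    """One back-end (LDAP store, NT/AD, DB ...): mapping renames its attributes
    to the virtual schema, key names the attribute the join is made on."""
    def __init__(self, name: str, key: str, mapping: Dict[str, str], rows: List[Entry]):
        self.name, self.mapping = name, mapping
        self.rows = {r[key]: dict(r) for r in rows}  # keyed by the join attribute
    def to_virtual(self, row: Entry) -> Entry:
        return {self.mapping.get(k, k): v for k, v in row.items()}
    def to_backend(self, entry: Entry) -> Entry:
        inverse = {v: k for k, v in self.mapping.items()}
        return {inverse[k]: v for k, v in entry.items() if k in inverse}

class VirtualDirectory:
    """Join view over a primary store plus joined adapters, keyed by virtual 'uid'."""
    def __init__(self, primary: Adapter, joined: List[Adapter]):
        self.primary, self.joined = primary, joined
    def lookup(self, uid: str) -> Optional[Entry]:
        row = self.primary.rows.get(uid)
        if row is None:
            return None  # no primary object, nothing to join onto
        view = self.primary.to_virtual(row)
        for adapter in self.joined:  # merge attributes joined from the other back-ends
            view.update(adapter.to_virtual(adapter.rows.get(uid, {})))
        return view
    def add(self, entry: Entry) -> List[str]:
        """Provisioning (slide steps 2-4): create the primary object, then map
        attributes and provision each joined target that has something to store."""
        self.primary.rows[entry["uid"]] = self.primary.to_backend(entry)
        written = [self.primary.name]
        for adapter in self.joined:
            backend = adapter.to_backend(entry)
            if len(backend) > 1:  # more than just the join key
                adapter.rows[entry["uid"]] = backend
                written.append(adapter.name)
        return written
    def is_member(self, uid: str, group: str) -> bool:
        """Authorization over the joined view (slide step 8); groups are ';'-separated."""
        return group in (self.lookup(uid) or {}).get("groups", "").split(";")

def build_sample() -> VirtualDirectory:
    """Constructed sample back-ends: an LDAP store and an NT/AD-style store."""
    ldap = Adapter("ldap", "uid", {"uid": "uid", "cn": "cn", "mail": "mail"},
                   [{"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.com"}])
    nt = Adapter("nt", "sAMAccountName", {"sAMAccountName": "uid", "memberOf": "groups"},
                 [{"sAMAccountName": "jdoe", "memberOf": "finance;staff"}])
    return VirtualDirectory(ldap, [nt])
```

Note that an entry with no primary object yields no joined view at all, so a stale account left only in the NT store is invisible to the authorization check; that is the property that makes the primary store the place to audit.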
Virtual Directory
• Benefits
  • Rapid application deployment
  • Tighter controls on identity data
  • Realtime identity information access
• Features
  • Modern Java & Web Services technology
  • Virtualization, Proxy, Join & Routing capabilities
  • Superior extensibility
  • Scalable multi-site administration
  • Direct data access
Demonstration
Virtual Directory
Oracle Differentiators
• Best-in-class solution across suite
  • Identity Provisioning: Scalability, most flexible adaptor technology
  • Virtual Directory: High-performance direct data access, manageability, extensibility
  • Extranet Identity Mgmt: One product for access control and delegated user administration
  • Federation: Standalone or integrated, with support for bulk provisioning, broad protocol support
  • Web-Services: Integrated with SOA platform, one solution for security & management
  • Directory: Multi-process, multi-instance architecture to scale-up and scale-out
• That work with your Applications & Infrastructure
  • Certified to work with the broadest set of business apps, middleware and databases
  • Flexibility – modular/suite deployment
  • Standards-based and hot-pluggable
Heterogeneous Support
Diagram (figure) of supported platform categories: Portals; Application/Web Servers; Applications; Groupware; Directories; Operating Systems; ACF-2 & TSS, RACF.
Analyst Feedback
• “Over the past nine months Oracle has demonstrated a serious commitment to providing a strong technical solution for the identity and access management needs of both Oracle customers and the general market,”
  – Phil Schacter, Burton Group
• “Oracle’s offering of IAM products now pushes ahead of other IAM competitors such as BMC, Computer Associates International, Hewlett-Packard, IBM, Microsoft, Novell and Sun Microsystems.”
  – Roberta Witty, Gartner
• “With its acquisition of PeopleSoft, Oracle demonstrated it can move decisively to bring acquired companies under its corporate umbrella with minimum disruption. There’s no reason to believe that these new deals will not have similar outcomes for Oracle and its new customers.”
  – Aberdeen Group
Embarking on an Identity or Security Project?
Some tips and knowledge points

10 Identity Management Project Considerations
1. Set Realistic Targets
2. Choose the Right Technology
3. Focus on Business Value
4. Support Your Customer – The Application Owner
5. Understand The Scale of Investment
6. Address Data Quality Up Front
7. Monitor and Protect the Health of Your I&AM Solution
8. Create Skills Based Work Teams
9. Consolidate Ownership of I&AM
10. Provide Strong Project Management and Architecture Resources
The Identity Lifecycle is a Business Process
Focus on Process, Not Infrastructure
Provisioning processes exist today, but are largely manual or implemented in code that is spread throughout the organisation…
• Process definitions should be owned by the business
• Process owners and users should have visibility into their processes
• Process execution should be controlled by I.T.
• Although the identity lifecycle is one logical process, the underlying reality may be several physical processes
  • Provisioning, de-provisioning, identity synchronisation, etc.
Questions & Answers