


                                                                      Parto Jalili, Independent Consultant

Identity Management is a combination of business and technical processes for managing information
about people and things. This information is critical for identifying users and facilitating their access to
information and services.

In preceding decades, identity management started with a user ID and password. This was the simplest way
to identify who you are and who you claim to be. The user ID and password are supposed to be kept
secure and away from wandering eyes.
Let’s take a step back, way back, to the times when a soldier was sent from one battlefield to another.
He was given a phrase or an object to identify himself so everyone could recognize him as a member of
the trusted group. If that object or phrase was exposed to the enemy, they could use it as evidence of
membership in his group and do all kinds of malicious things.
So, as you can see, identity management has always existed, sometimes important though sometimes

Identity Management is a hot topic these days. You see articles, analyses, conferences, and books more
frequently than before. In the last couple of years, corporations have only just begun to think about identity
management and about securing users’ sensitive information in a proper way. They have just started to allocate time,
money and energy to implementing technical processes that secure information.

The concept of identity management is getting stronger and more noticeable over time. The concept is
evidently getting more sophisticated: the processes for identifying people are getting more complex, and
new ideas and ways to secure data are introduced every day. We feel safer and happier in a more secure
environment, don’t we?


Identity Management Fundamentals Author: Parto Jalili, Independent Consultant Session#:386
Being compliant with regulatory mandates is one of the main efforts of most Fortune 500 companies. Most
companies search for products that help them simplify their compliance program. They are looking
for an automated, self-contained and less expensive product that helps them satisfy government
regulations. This concept is what the Oracle compliance architecture is based on.

Oracle Compliance Architecture is designed to answer all compliance efforts. It delivers a complete
product set that combines identity management, risk management, business process and controls,
auditing and reporting. Oracle compliance architecture focuses on achieving all the efficiency needed to
support any compliance or governance mandate. It allows companies to build their infrastructure in a
less expensive way and attain compliance.

The Oracle Identity and Access Management Suite is a complete unit that allows enterprises to control
the end-to-end life cycle of user identities. The suite simplifies and automates the process of user
authentication and authorization. Companies can use it to monitor and audit activities across all
enterprise resources. From the time a user enters a department and requires certain access to different
applications until the time he or she leaves, identity management can be used to automate and simplify
all of the user’s authentication and authorization processes.

Oracle Identity Management is a solution that implements the mechanisms to control people’s identities in
a secure and reliable way. This white paper explains the main products and components of Identity
Management and the basic functionality of each. But before going further, let’s take a look at the
abbreviations commonly used in the “identity management world”.

OIF: Oracle Identity Federation

IdM: Oracle Identity management

OIM: Oracle Identity Manager

OID: Oracle Internet Directory

OAM: Oracle Access Manager

OSSO: Oracle Single Sign-on

OVD: Oracle Virtual Directory

OWSM: Oracle Web Services Manager


Oracle Identity Federation (OIF) is a solution for organizations spanning multiple corporations to provide access to
internal and external applications without compromising security. By creating a virtual community,
applications can be shared between vendors, providers, partners and employees, which in turn preserves
privacy and data ownership. By adding Single Sign-on capabilities to this structure, user
authentication becomes easier and more maintainable.

[Figure: OIF federation flow. Source domain: local user, Web Server, OAM Access Server, Source Identity Repository (extract user data), Federation Server Source (Send Assertion). Federation Channel. Destination domain: Federation Server Destination (Accept Assertion, map assertion to local user), OAM Access Server (Authenticate with local user), Destination Identity Repository, Web Server, local user.]

The process of OIF authentication and authorization consists of:

    1. The user’s identity is authenticated internally. This authentication can be done by
       LDAP, OAM or the Oracle Database.

    2. The user data is extracted in the form of an assertion. The assertion profile determines the
       contents of the assertion exchanged with a destination domain.

    3. The assertion is sent from the source domain to the destination domain.

    4. The assertion data is authenticated by the destination. Assertion mapping is defined at the
       destination domain, as part of the agreement between the source and the destination, to map the
       values in the assertion to a local user at the destination domain.

    5. With a successful authentication on the destination domain, the user is connected to the destination
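The five steps above, worked through in code as an added example (this is not OIF’s own code): the source domain builds an assertion whose contents are limited by an assertion profile, and the destination verifies it and applies an assertion mapping to find a local user. The shared key, domain names and user records are constructed placeholders.

```python
"""Federated sign-on between a source and a destination domain (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed key agreed between the two federation servers (hypothetical).
FEDERATION_KEY = b"constructed-federation-channel-key"

# Source domain identity repository (constructed sample data).
SOURCE_USERS = {
    "pjalili": {"mail": "parto@source.example", "dept": "consulting",
                "homePhone": "555-0100"},
}
# Destination domain identity repository (constructed sample data).
DEST_USERS = {
    "p.jalili": {"mail": "parto@source.example", "roles": ["claims-viewer"]},
    "jdoe": {"mail": "jdoe@dest.example", "roles": []},
}


def build_assertion(source_uid, profile, audience, issued_at, ttl=300):
    """Steps 1-3: after internal authentication the source extracts user data
    into an assertion. The profile lists the only attributes allowed to leave."""
    user = SOURCE_USERS[source_uid]
    body = {
        "issuer": "source.example",
        "audience": audience,
        "subject": source_uid,
        "attrs": {k: user[k] for k in profile if k in user},
        "iat": issued_at,
        "exp": issued_at + ttl,
    }
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    tag = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def accept_assertion(token, expected_audience, mapping, now):
    """Steps 4-5: the destination verifies the assertion, then applies the
    assertion mapping (assertion attribute -> local attribute) to pick the
    local user. Returns (status, local_uid)."""
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return ("malformed", None)
    expected = hmac.new(FEDERATION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Check integrity before trusting any field inside the assertion.
    if not hmac.compare_digest(expected, tag):
        return ("bad-signature", None)
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["exp"] <= now:
        return ("expired", None)
    if body["audience"] != expected_audience:
        return ("wrong-audience", None)
    assertion_attr, local_attr = mapping
    value = body["attrs"].get(assertion_attr)
    if value is None:
        return ("unmapped", None)
    matches = [uid for uid, rec in DEST_USERS.items() if rec.get(local_attr) == value]
    # A mapping that matches zero or several local users is refused.
    if len(matches) != 1:
        return ("unmapped", None)
    return ("ok", matches[0])


if __name__ == "__main__":
    token = build_assertion("pjalili", ["mail", "dept"], "dest.example", issued_at=1000)
    print(accept_assertion(token, "dest.example", ("mail", "mail"), now=1100))
```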

Single Sign-on is a concept that allows different applications to share a user authentication service. Users
log in once and switch between applications without signing in to each one. Single Sign-On makes it
possible to authenticate users once and keep that authentication across the enterprise, so users can
access enterprise resources by entering their password a single time. SSO also makes disabling users
simple; there is no need to disable them in each application. Disabling a user in SSO disables
authentication to all the applications registered in SSO.

To register an application with eSSO, the eSSO Sign-on Manager Administrative Console is run
against the application. The Administrative Console then creates a configuration for the
targeted application. Using the Console, you publish the new application configuration to the eSSO
repository, and all Oracle eSSO Sign-On Manager clients are updated with the new application
configuration. This way, all applications registered in eSSO are aware of the other application
configurations, which makes “Single Sign-on” possible.

Imagine this scenario: suppose you want to check the status of a claim with your insurance company.
You access the insurance company’s website and select sign-in. At this point, Oracle SSO
automatically launches a dialog box indicating that it did not find log-in information for this web site. The
dialog box lets you choose whether or not to create this information. When you accept to
configure SSO for this web site, the Oracle log-on wizard automatically launches and prompts for the username
and password for the targeted site. This configuration is saved in the SSO repository, and the next time the user
is connected to the web site without providing log-in information.

Five components of the enterprise Single Sign-on (eSSO) platform:

    Oracle Enterprise Single Sign-On Authentication Manager (eSSO AM) – extends Logon Manager
    to leverage strong authentication options such as biometrics, smart cards, tokens, etc.

    Oracle Enterprise Single Sign-On Provisioning Gateway (eSSO PG) – provides an interface to Oracle
    Identity Manager (OIM) to accept credentials and settings from the provisioning system.

    Oracle Enterprise Single Sign-On Kiosk Manager (eSSO KM) – monitors kiosk sessions and
    provides security controls for sessions left unattended, safe application termination, and fast
    user switching.


    Oracle Enterprise Single Sign-On Logon Manager (eSSO LM) – is the desktop-resident password
    manager for virtually any application that presents users with an authentication request.

    Oracle Enterprise Single Sign-On Password Reset (eSSO PR) – is an enterprise-level self-service
    password reset solution for Windows with both a Web interface and a Windows desktop log-on

[Figure: eSSO platform components: Password Reset, Management Console, Provisioning Gateway, Identity Manager, Directory database, Logon Manager, Kiosk Manager, Token/Smart card User Auth, Application Sign-on.]

     Oracle Identity Management, Governance, Risk, and Compliance Architecture by Marlin B. Pohlman. P.86


Oracle Internet Directory (OID) is the main component of IdM. OID is an LDAP v3 directory service built on the
Oracle database, with the flexibility to synchronize with other enterprise directories such as Microsoft
Active Directory. OID supports multi-master replication between directories. Thanks to its multi-threading
and multi-processing capabilities, OID can serve tens of thousands of client requests with response times
in milliseconds. OID can also load huge amounts of data using the OID bulk loader (based on SQL*Loader),
which helps administrators load millions of user records in a short amount of time.

The graphical tool for administering OID is called Oracle Directory Manager (ODM). ODM helps
administrators locate user data, view and modify the password policy, and perform many
other operational tasks. The Oracle Directory Integration Platform (DIP) is a set of services that
synchronize OID with other enterprise directories such as Microsoft Active Directory.

Depending on where the changes are made, synchronization can occur as follows:

    From a connected directory to OID

    From OID to a connected directory

During synchronization, incremental changes made on one directory are propagated to the other. Once
synchronization is complete, the information maintained in both directories is the same. Each time the
Oracle Directory Synchronization Service processes a synchronization profile, it

    1. Retrieves the latest change log number up to which all changes have been applied

    2. Checks each change log entry more recent than that number

    3. Selects changes to be synchronized with the connected directory by using filtering rules in the

    4. Applies the mapping rules to the entry and makes the corresponding changes in the connected

     Oracle Identity Management, Governance, Risk, and Compliance Architecture by Marlin B. Pohlman. P.123
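The four-step synchronization cycle above, as an added example that is not DIP’s own code: a profile records the last applied change number, reads newer change log entries, drops those the filtering rule rejects, and applies the mapping rules to the connected directory. The change log, rules and directory contents are constructed samples.

```python
"""Change-log driven directory synchronization profile (added example)."""

# Constructed change log of the source directory, in change-number order.
CHANGE_LOG = [
    {"changenumber": 101, "changetype": "add",
     "targetdn": "cn=jdoe,ou=people,dc=src",
     "attrs": {"cn": "jdoe", "mail": "jdoe@src.example", "department": "sales"}},
    {"changenumber": 102, "changetype": "add",
     "targetdn": "cn=backup-svc,ou=services,dc=src",
     "attrs": {"cn": "backup-svc", "description": "service account"}},
    {"changenumber": 103, "changetype": "modify",
     "targetdn": "cn=jdoe,ou=people,dc=src",
     "attrs": {"department": "marketing"}},
    {"changenumber": 104, "changetype": "add",
     "targetdn": "cn=asmith,ou=people,dc=src",
     "attrs": {"cn": "asmith", "mail": "asmith@src.example", "department": "hr"}},
]


def people_only(change):
    """Filtering rule: only entries under ou=people are synchronized, so
    service accounts never leak into the connected directory."""
    return change["targetdn"].lower().endswith("ou=people,dc=src")


def map_dn(dn):
    """DN mapping rule: relocate the entry into the target naming context."""
    return dn.replace("ou=people,dc=src", "cn=users,dc=dst")


# Synchronization profile: watermark, filtering rule and mapping rules.
PROFILE = {
    "last_applied": 100,
    "filter": people_only,
    "dn_map": map_dn,
    "attr_map": {"cn": "uid", "mail": "mail", "department": "ou"},
}


def sync_profile(profile, change_log, connected):
    """Run one synchronization pass. `connected` is the target directory
    (dn -> attributes). Returns the number of changes applied."""
    last = profile["last_applied"]                                    # step 1
    pending = sorted((c for c in change_log if c["changenumber"] > last),
                     key=lambda c: c["changenumber"])                # step 2
    applied = 0
    for change in pending:
        if profile["filter"](change):                                 # step 3
            dn = profile["dn_map"](change["targetdn"])               # step 4
            mapped = {profile["attr_map"][k]: v
                      for k, v in change["attrs"].items()
                      if k in profile["attr_map"]}
            if change["changetype"] == "add":
                connected[dn] = mapped
            elif change["changetype"] == "modify":
                connected.setdefault(dn, {}).update(mapped)
            elif change["changetype"] == "delete":
                connected.pop(dn, None)
            applied += 1
        # Advance the watermark past filtered entries as well, so a skipped
        # change is not re-examined on every pass.
        last = change["changenumber"]
    profile["last_applied"] = last
    return applied


if __name__ == "__main__":
    target = {}
    print(sync_profile(dict(PROFILE), CHANGE_LOG, target), target)
```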

Oracle Virtual Directory (OVD) is a solution that presents a virtual view of identity data from different data
sources. Using Oracle Virtual Directory, users can join identity attributes from multiple data
sources without synchronization and without storing the data in an alternate location. This join is
accomplished by mapping the identity attributes between the different data sources.

[Figure: Virtual Directory serving Web Services with a joined view over sources such as Microsoft Active Directory.]


Imagine this scenario: part of a customer’s record exists in the Active Directory server and another
part exists in the customer database. However, the directory-enabled applications need all this data in a
single record to make decisions. The OVD Join View Adapter is designed for this kind of scenario.

With the Join View Adapter, it is possible to link entries from two or more sources into a single virtual
entry. The joins are constructed using a Join Rule. There are built-in rules, such as the Simple Join Rule, and it
is possible to construct custom rules. The most common way to build a Join adapter is to link entries
using the Simple Join Rule. This rule links entries together using a shared attribute value, similar to a simple
SQL join. For example, the values of employeeid in one adapter and empid in another adapter may be
the same, so OVD can link them together on the fly.1

     Oracle Identity Management, Governance, Risk, and Compliance Architecture by Marlin B. Pohlman. P.145
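The employeeid/empid join described above, as an added example that is not OVD’s own code: a Join View Adapter resolves a Simple Join Rule at query time across a directory-style adapter and a database-style adapter, without copying either source. Adapter contents and attribute names are constructed samples.

```python
"""Join View Adapter with a Simple Join Rule (added example)."""


class DirectoryAdapter:
    """Adapter over an LDAP-style source: entries keyed by DN."""
    def __init__(self, entries):
        self.entries = entries  # dn -> attributes

    def search(self, attr, value):
        return [(dn, a) for dn, a in self.entries.items() if a.get(attr) == value]


class DatabaseAdapter:
    """Adapter over a relational table: one row per customer record."""
    def __init__(self, rows):
        self.rows = rows

    def search(self, attr, value):
        return [("row-%d" % i, r) for i, r in enumerate(self.rows) if r.get(attr) == value]


class SimpleJoinRule:
    """Links a primary entry to secondary entries that share an attribute value."""
    def __init__(self, primary_attr, secondary_attr):
        self.primary_attr, self.secondary_attr = primary_attr, secondary_attr

    def matches(self, secondary, primary_entry):
        key = primary_entry.get(self.primary_attr)
        return secondary.search(self.secondary_attr, key) if key is not None else []


class JoinViewAdapter:
    """Presents one virtual entry per primary entry, joined on the fly."""
    def __init__(self, primary, joins):
        self.primary, self.joins = primary, joins  # joins: [(adapter, rule)]

    def search(self, attr, value):
        results = []
        for dn, entry in self.primary.search(attr, value):
            virtual = dict(entry)
            for secondary, rule in self.joins:
                for _, extra in rule.matches(secondary, entry):
                    # The primary adapter wins on attribute-name collisions.
                    for k, v in extra.items():
                        virtual.setdefault(k, v)
            results.append((dn, virtual))  # entries with no match are still returned
        return results


# Constructed sample sources: an AD-like directory and a customer database.
AD = DirectoryAdapter({
    "cn=jdoe,ou=people,dc=corp": {"cn": "jdoe", "employeeid": "E100",
                                  "mail": "jdoe@corp.example"},
    "cn=asmith,ou=people,dc=corp": {"cn": "asmith", "employeeid": "E200"},
})
CRM = DatabaseAdapter([
    {"empid": "E100", "policy_number": "PN-42", "claim_status": "open"},
    {"empid": "E999", "policy_number": "PN-7", "claim_status": "closed"},
])
VIEW = JoinViewAdapter(AD, [(CRM, SimpleJoinRule("employeeid", "empid"))])

if __name__ == "__main__":
    print(VIEW.search("cn", "jdoe"))
```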


Oracle Access Manager (OAM) is a solution for centralized identity administration and access control. OAM delivers
Web SSO, access policy creation and enforcement, user self-registration and self-service, delegated
administration, password management, and reporting and auditing. OAM consists of the Access System
and the Identity System. The Access System secures applications by providing centralized authentication,
authorization and auditing to enable SSO and secure access control across enterprise resources. The
Identity System manages information about individuals, groups and organizations. It enables delegated
administration of users as well as self-registration interfaces with approval workflows. These systems
integrate seamlessly and may be deployed together or individually. Together they support all leading
directory servers, application servers, Web servers and enterprise applications.1 The backend repository
for the Access Manager is an LDAP-based directory service, which can be a combination of multiple
directory servers, and is leveraged for two main purposes:

           As the store for policy, configuration and workflow related data, which is used and managed by
            the Access and Identity Systems
           As the identity store, containing the user, group and organization data that is managed through
            the Identity System and is used by the Access System to evaluate access policies.2

The diagram below illustrates the Access System deployed with 3 main components – WebGate, Access
Server and the Policy Manager, as well as the backend Directory Server which is used as both the policy
store and the identity repository.

[Figure: Access System. HTTP(S) requests reach the WebGate, which talks Oracle Access Protocol to the Access Server; the Access Server reads the User and Policy Data Store over LDAP; Single Sign-On to Web Apps and Enterprise Resources.]

     Oracle Identity Management, Governance, Risk, and Compliance Architecture by Marlin B. Pohlman. P.51



The components of the Identity System include the Identity Server, and WebPass web server plug-in.
The Identity Server is a stand-alone server that manages identity information about users, groups,
organizations, and other objects, as well as providing a workflow engine specialized in identity
management flows. The WebPass plug-in passes information between a web server and one or more
Identity Server instances. This architecture provides a high degree of scalability, allowing more Identity
Servers to be deployed as required by administrative demands.

The diagram below illustrates the basic Identity System components in a simple environment. The end
users and Administrators are typically separated from components by a Firewall. The web server with
WebPass installed resides in the DMZ. The Identity Server and directory server reside behind the second
firewall. The Oracle Identity Protocol facilitates communication between the Identity Server and the
associated WebPass instances.1

[Figure: Identity System. WebPass communicates with the Identity Server over the Oracle Identity Protocol; the Identity Server reads the User and Policy Data Store over LDAP over SSL.]

Oracle Access Manager is the industry’s most comprehensive identity and access management solution
with integrated identity administration, single sign-on, centralized policy management and a
compliance-reporting framework. Oracle Access Manager supports a wide variety of authentication
mechanisms – for example HTML Forms, X.509 certificates, and smart cards – and has a flexible
administration framework for creating, managing, or customizing access control policies. Authentication
control and policy enforcement is provided out of the box for a wide variety of web servers, application
servers, and packaged applications running on nearly any flavor of operating system, including
Windows, SUSE Linux, RedHat Linux, Solaris, AIX, and HP-UX. Oracle Access Manager is the choice for
complex, heterogeneous, highly distributed, or massively scaled environments, and has been
consistently recognized as the leading web access management solution by the industry's most
important analysts.2



Oracle Web Services Manager (OWSM) is a solution to securely deploy Web services. Organizations can
have a common security infrastructure for all the Web services and develop and deploy the web services
from one central place. OWSM provides this functionality. OWSM is a unique tool-kit to manage Web
services in a cost-effective fashion. The architecture of OWSM has the following components:

      Policy Manager - Policy Manager is a graphical tool for building new security and operations
       policies, storing policies and managing distribution and updates to runtime policy enforcement
       points (gateways and agents). Policy Manager allows administrators to configure operational
       rules and propagate them to the appropriate enforcement components across an application
       deployment of any scale and complexity.

      Enforcement - To ensure maximum deployment flexibility, Oracle WSM provides two kinds of
       policy enforcement components: Gateways and Agents. Gateways are deployed in front of a
       group of applications or services. Gateways can intercept inbound requests to these applications
       in order to enforce policy steps defined in the Policy Manager, adding application security and
       other operational rules to applications that are already deployed. Agents provide "last-mile"
       security by running directly inside an application or service.1

[Figure: three OWSM enforcement deployments. (a) Protecting Access To Web Services Using Gateway: Web Service Client, Gateway, Web Service, with the request (1, 2) and response (3, 4) passing through the Gateway. (b) Protecting Access To Web Services Using Server-Side Agent: the agent sits at the Web Service. (c) Protecting Access To Web Services Using Client-Side Agent: the agent sits at the Web Service Client.]



       Monitoring Dashboard - Monitoring Dashboard collects data from Gateways and Agents as they
        execute policies and displays results in a graphical format. This allows administrators to set
        quality-of-service levels for each application and display alerts when the application exceeds
        established thresholds. Monitoring Dashboard provides IT operations staff with real-time
        visibility into the health, performance, security and utilization of crucial web services. By
        harnessing the real-time data collection capabilities of the enforcement components,
        Monitoring Dashboard enables administrators to analyze discrepancies between expected and
        actual performance and to monitor compliance with IT operational best practices.1

Oracle Identity Manager (OIM) is a solution to manage users’ accounts and access privileges across the
whole enterprise. OIM manages the workflow of approving or rejecting a request, as well as
monitoring and auditing accounts. OIM is a flexible product that helps organizations automatically
grant users access to resources. OIM is Oracle Grid compatible and has a browser-based user interface.

The features of Oracle Identity Manager can be divided into the following categories2:

       Self-Service and Delegated Administration - By deploying self-service features and delegating
        administrative functions, an organization can increase user productivity, user satisfaction, and
        operational efficiency.

       Workflow and Policy - The use of workflow and policy to automate business and IT processes
        can lead to improved operational efficiency, enhanced security, and more cost-effective
        compliance tracking.

       Password Management - Implementing a password management solution reduces cost and
        overhead related to raising tickets or calling help desks.

       Audit and Compliance Management - Identity management forms a key component in any audit
        compliance solution of an organization. Oracle Identity Manager helps an organization to
        minimize risk and reduces the cost of meeting internal and external governance and security
        audits.

       Integration Solutions - A scalable and flexible integration architecture is critical for the successful
        deployment of organization provisioning solutions. Oracle Identity Manager offers a proven
        integration architecture and preconfigured connectors for fast and low-cost deployments.




Oracle Identity Manager provides a flexible Deployment Manager utility to assist in the migration of
integration and configuration information between environments. The utility exports integration and
configuration information as XML files. These files are then imported into the destination environment,
which can be staging or production. You can use the XML files to archive configurations and maintain
versions, as well as replicate integrations.

The Deployment Manager provides you with the flexibility to select what to import and export. It also
helps you to identify data object dependencies during both import and export steps. This flexibility
enables you to merge integration work done by multiple people and to ensure the integrity of any

Oracle Identity Manager has a three-tier integration solutions strategy to provide connectors to various
heterogeneous identity-aware IT systems. This three-tier strategy is designed to minimize custom
development, maximize the reuse of code, and reduce deployment time. The three tiers are2:

       Out-of-the box integration using predefined connectors and predefined generic technology
        connector providers
       Connectors based on custom generic technology connector providers
       Custom connectors using the Adapter Factory

[Figure: OIM three-tier integration: Predefined Connectors and Predefined Generic Connector; Generic Technology Connector Providers; Adapter Factory.]




Predefined connectors are the preferred and quickest integration method. These connectors support
the most popular business applications, such as Oracle E-Business Suite, PeopleSoft, Microsoft Active
Directory, and databases.

For a target system that has no corresponding predefined connector, you can create a custom
connector either by using the Generic Technology Connector of Oracle Identity Manager or by using the
Adapter Factory. The Adapter Factory tool in the Design Console provides a definitional user interface that
facilitates such custom development efforts without coding or scripting.

A Generic Technology Connector acts as the bridge for reconciliation and provisioning operations
between Oracle Identity Manager and a target system. In terms of functionality, a generic technology
connector can be divided into a reconciliation module and provisioning module. When you create a
generic technology connector, you can specify whether you want to include both modules or only the
reconciliation or provisioning module.

Oracle Identity Management, Governance, Risk, and Compliance Architecture by Marlin B. Pohlman

Oracle® Identity Manager Concepts

