Slide 1: Access Manager 11gR2 (11.1.2.0.0) Technical Presentation
Venu Shastri, Senior Principal Product Manager, Identity Management, Oracle
Slide 2: Agenda
- Overview
- Key Features
- Architecture & Deployment
- Extensibility & Integrations
- Q & A
Slide 3: Agenda (section divider)
Slide 4: Access Management Platform – 11gR2 – Complete & Scalable
Slide 5: Access Manager 11gR2 – Objectives
- Provide a scalable foundation for the Access Management Platform
- Converge OAM 10g, OSSO, and OpenSSO
- Provide new and advanced functionality to customers
- Tighten integrations
Slide 6: Access Manager 11gR2 – Key Features
- Simplified Web Single Sign-On (SSO)
- Authentication and Authorization
- Centralized Policy Administration
- Advanced Session Management
- Centralized Agent Management
- Native Password Management
- Windows Native Authentication
- Comprehensive Auditing and Logging
Slide 7: Access Manager 11gR2 – Benefits
- Centralized policy management and auditing reduces cost and improves compliance.
- Support for access management in a complex, heterogeneous environment reduces total cost of ownership and accelerates deployment.
- A flexible and powerful policy model allows organizations to meet complex access management needs.
- The scalable deployment model supports the most demanding, internet-scale deployments.
- The extensible architecture enables easy customization to meet organization-specific requirements.
Slide 8: Access Manager 11gR2 – Deployment Overview
Slide 9: Agenda (section divider)
Slide 10: Access Manager 11gR2 – Policy Model
- Enhanced security: closed world – access to a resource is denied unless a policy specifically allows it.
- Resource simplification: no URL prefixes – resources are defined as complete URL patterns (using "*" and "…") associated with a host identifier, and that match is used to determine the sole policy applicable to a request.
- Responses: powerful expression-based responses, with the ability to return user, request, and session information.
Slide 11: Access Manager 11gR2 – Policy Model (diagram)
Diagram elements: Access Manager, Authentication Schemes, Authentication Modules, Application Domains, Identity Store, Authentication Policies, Authorization Policies, Resource Types, Host Identifiers, Resources, Policies
Legend:
- Relationship: One-to-Many
- Relationship: Many-to-Many
- External Dependencies
- Relationship: Containment
Slide 12: Access Manager 11gR2 – Policy Model Enhancements
- Multiple IP ranges
- Wildcard enhancements
- Resource operation / custom types
- Authorization expressions: AND, OR, NOT, with "(" and ")" as precedence indicators
- User Attribute Condition: LDAP filter / search – enables the creation of more complex and flexible authorization constraints that deal only with LDAP attributes
- Session Attribute Condition
Slide 13: Access Manager 11gR2 – Policy Model Enhancements – LDAP Query/Filter Condition
Slide 14: Access Manager 11gR2 – Policy Model Enhancements – Complex Expressions
Slide 15: Access Manager 11gR2 – Session Management
- Stateful sessions with detailed security context information that can be further propagated
- Tracks active user sessions using a high-performance distributed cache
- Admin can specify Session Lifetime & Idle Timeout globally
- Admin can limit the number of concurrent sessions a user can have at one time
- Out-of-band session termination: prevents unauthorized access to systems when a user has been terminated
- Can be done with or without persistent storage
- Provides automatic session failover
Slide 16: Access Manager 11gR2 – Session Management
Slide 17: Access Manager 11gR2 – Windows Native Authentication
- SPNEGO-based credential validation for true Windows desktop to web single sign-on
- Allows single sign-on for WebGate-protected and Oracle SSO-protected applications simultaneously
- Does not need an IIS-based solution for WebGate
- WebGates and Oracle SSO-protected applications need not run on the Windows platform
- Can be enabled for a subset of protected applications (internal vs. external websites)
Slide 18: Access Manager 11gR2 – Embedded Credential Collection
- OAM 11g collects credentials at the runtime server
- Login pages are presented by the OAM runtime servers
- OAM runtime servers can redirect to login pages located on a separate web server; regardless of where the login pages are, credentials are sent to the OAM runtime servers for collection
- Sample login pages are provided out of the box
Slide 19: Access Manager 11gR2 – Detached Credential Collector
- Extends the 11g WebGate with an option to enable credential collection capability (Authentication Gate)
- Back-channel communications use the OAP protocol, whilst the front channel uses HTTPS
- Decouples credential collection from the server
- Provides flexibility to place the DCC anywhere in the DMZ
- More security: end-user HTTP sessions get terminated at the DMZ
- Reduces overhead on the server and improves performance
Slide 20: Access Manager 11gR2 – Detached Credential Collector
Slide 21: Access Manager 11gR2 – Password Management
- Native password management for simple password management requirements
- In-band password capability: password warning; forced password reset (expired / reset)
- Password policy enforcement: password composition rules; password history; account lockout
- OAM – OIM password integration is still supported
Slide 22: Access Manager 11gR2 – Password Management
Slide 23: Access Manager 11gR2 – Centralized Agent Management
- One administration console to manage all agents within the deployment
- Simultaneously manage and configure mod_osso, OAM 10g WebGates, OpenSSO agents and OAM 11g WebGates
- Operational status of each individual agent can be monitored: agent hostname, IP address, connected server, number of active connections, average operation latency, and more…
Slide 24: Access Manager 11gR2 – Centralized Agent Management
Slide 25: Access Manager 11gR2 – 11g WebGate
- The 11g cookie is host-scoped
- Cookie encryption for each 11g WebGate is unique to that WebGate
- Authorization caching: resource to authorization policy, and authorization result
- Diagnostic page
- OUI installer that lays out a WebGate package depending on the platform used
Slide 26: Access Manager 11gR2 – Utilities
- Remote Registration Tool: application administrators can register agents without the help of the security team; policy objects can be automatically created to protect the resources of a given application at registration time
- Access Tester Tool: simulates resource requests to ensure policy evaluates correctly; uncovers network issues that impact WebGates or mod_osso agents, due to the tool's remote nature
Slide 27: Access Manager 11gR2 – Access Tester Tool
Slide 28: Access Manager 11gR2 – Logging and Auditing
- Logging: centralized log management via Enterprise Manager (EM); graphical tools for configuring and viewing logs (EM); multiple logging levels
- Auditing: standardized auditing across FMW components; the Common Audit Framework allows audit logs to be directed and persisted into an audit database; reports generated via Oracle BI Publisher
Slide 29: Agenda (section divider)
Slide 30: Access Manager 11gR2 – Internal Architecture (diagram)
Diagram elements: OAM Server, Protocol Compatibility Framework, Credential Collector, SSO Engine, Session Management, AuthN Service, AuthZ Service, Identity Provider, Token Processing, Partner & Trust, Configuration Service, Policy Service, Coherence Distributed Cache, Oracle Platform Security Services
Slide 31: Access Manager 11gR2 – Installation and Configuration
- Installation process: OAM 11g installs using Oracle Universal Installer (OUI); the installation process copies all the software bits to the host machine; OUI does not perform product configuration
- Configuration process requires two steps: database schema configuration using the Repository Creation Utility (RCU), then product configuration and deployment using the WebLogic Configuration Wizard
Slide 32: Access Manager 11gR2 – Deployment on WebLogic Cluster
Slide 33: Access Manager 11gR2 – Multi-data-center Deployment
- Supports Active-Active, Active-Passive or Active-Hot Standby deployments
- Enables seamless user SSO across data centers with session continuity
- Follows a Master-Slave configuration for the Access Manager deployment across data centers; policy and configuration are kept in sync via T2P processes
- Behavior is configurable based on the Session Adoption Policy: Re-authentication Required (true/false); Remote Session Invalidation (true/false); On-Demand Session Data Retrieval (true/false)
Slide 34: Access Manager 11gR2 – Multi-data-center Deployment – Active/Active (diagram)
- A Global Load Balancer fronts the Access Manager cluster in Data-Center 1 (Master) and the Access Manager cluster in Data-Center 2 (Slave); the two are synchronized using the T2P process
- User 1 (geo-location 1) is served by Data-Center 1 (active for that user, Data-Center 2 stand-by) and holds an OAM cookie with DC=DC1
- User 2 (geo-location 2) is served by Data-Center 2 (active for that user, Data-Center 1 stand-by) and holds an OAM cookie with DC=DC2
Slide 35: Access Manager 11gR2 – Multi-data-center Deployment – Active/Active (diagram): Data-Center 1 is down or over-loaded
- User 1 (geo-location 1), still carrying an OAM cookie with DC=DC1, is routed by the Global Load Balancer to the Access Manager cluster in Data-Center 2 (Slave)
- Depending on the Session Adoption Policy, Data-Center 2 retrieves the remote session data and invalidates the remote session over a back-channel OAP call, or re-authenticates the user; the user's OAM cookie then carries DC=DC2
- User 2 (geo-location 2) continues to be served by Data-Center 2 with an OAM cookie carrying DC=DC2
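The Session Adoption Policy flags of slide 33 applied to the failover on slide 35, as an added decision-logic model that is not Oracle's MDC implementation: a cookie stamped DC=DC1 arriving at DC2 is either re-authenticated or adopted after a simulated back-channel lookup and optional invalidation in DC1. Assumptions: the back-channel OAP call is a plain method call, a failed call falls back to re-authentication, and without on-demand retrieval the adopted session carries no remote data.

```python
# Session Adoption Policy flags from the slide; the values here are a constructed sample
SESSION_ADOPTION_POLICY = {
    "reauthentication_required": False,
    "remote_session_invalidation": True,
    "on_demand_session_data_retrieval": True,
}

class DataCenter:
    """One Access Manager cluster; 'role' is Master or Slave as on the slide."""
    def __init__(self, name, role):
        self.name, self.role, self.sessions, self.up = name, role, {}, True

    def _check_reachable(self):
        if not self.up:
            raise ConnectionError(f"{self.name} is down or over-loaded")

    def lookup(self, sid):       # stands in for the back-channel OAP call (simulated)
        self._check_reachable()
        return self.sessions.get(sid)

    def invalidate(self, sid):   # also carried over the back-channel OAP call
        self._check_reachable()
        return self.sessions.pop(sid, None) is not None

def handle_request(cookie, local, data_centers, policy):
    """cookie = {'sid': ..., 'dc': ...} is the OAM cookie; returns (action, cookie_to_set)."""
    if cookie["dc"] == local.name:                      # normal case: the session lives here
        if cookie["sid"] in local.sessions:
            return "local_session", cookie
        return "reauthenticate", None
    if policy["reauthentication_required"]:            # strict policy: never adopt
        return "reauthenticate", None
    remote = data_centers[cookie["dc"]]
    try:
        # Assumption: without on-demand retrieval the adopted session carries no remote data
        data = remote.lookup(cookie["sid"]) if policy["on_demand_session_data_retrieval"] else {}
        if data is None:                                # the remote DC never had this session
            return "reauthenticate", None
        if policy["remote_session_invalidation"]:
            remote.invalidate(cookie["sid"])
    except ConnectionError:
        # Assumption: a failed back-channel call falls back to re-authentication
        return "reauthenticate", None
    new_sid = f"{local.name}-{cookie['sid']}"
    local.sessions[new_sid] = dict(data, adopted_from=cookie["dc"])
    return "adopted", {"sid": new_sid, "dc": local.name}
```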
Slide 36: Agenda (section divider)
Slide 37: Access Manager 11gR2 – Extensibility
- Authentication Extensibility Framework: allows customized authentication modules to be plugged into the system; includes Java SDK tooling for users to create customized modules
- Pure Java-based ASDK: includes authentication services and authorization services; one platform-independent package; includes APIs for the extended protocol-level op codes; backward compatible with OAM 10g
Slide 38: Access Manager 11gR2 – Key IDM Integrations (diagram)
- OAM + OSTS (Identity Propagation): SSO to web services; issuance and validation of web service tokens
- OAM + Federation (Federated SSO): identity propagation from federated partners into the local environment; simplified authentication flows
Slide 39: Access Manager 11gR2 – Key IDM Integrations (diagram)
- OAM + OAAM (Authentication): reinforce password authentication; risk-based authentication
- OAM + OAAM + OIM (End-to-End): secure self-service flows; increase security and usability; consistent user experience
Slide 40: Access Manager 11gR2 – New Platform and Integration Support
- New platform support: Solaris x64, AIX 7.1, and Oracle Linux 6.x / RHEL 6.x
- 3rd-party integrations: Microsoft SharePoint 2010; RSA Authentication Manager 7.1; JBoss 5.1.0; Microsoft Outlook Web Application (OWA) 2010 – post R2; Microsoft Forefront TMG 2010 – post R2; SAP Portal 7.0 – post R2; IBM WebSphere Portal 7.0 – post R2
Slide 41: Q & A