
Introduction to Oracle Access Manager


Copyright © 2010, Oracle and/or its affiliates. All rights reserved.


Objectives
After completing this lesson, you should be able to:
• Explain the salient features of Oracle Access Manager
• Explain the key products that comprise the Oracle Access
Management Suite
• Explain the functional areas for each of the Oracle Access
Management products
• Explain Oracle Access Manager overall architecture
• Explain Oracle Access Manager run-time architecture
• Explain the Oracle Access Manager request flow diagram
• Identify key Oracle Access Manager 11g new features
• Map Oracle Access Manager 10g and 11g terminologies



Oracle Identity Management (Oracle + Sun Combination)
• Identity Administration: Identity Manager
• Access Management*: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server
• Directory Services: Directory Server EE, Internet Directory, Virtual Directory
• Identity & Access Governance: Identity Analytics
• Oracle Platform Security Services
• Operational Manageability: Management Pack for Identity Management
*Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet



Oracle Access Management Suite Plus
• Entitlements Server: entitlements management; fine-grained authorization
• Adaptive Access Manager: risk-based authentication; real-time fraud prevention
• Access Manager: Web access control/authentication; single sign-on
• Identity Federation: partner SSO & identity federation; Fedlet SP integration
• OpenSSO STS: security token management; identity propagation
• Assert Identity (diagram label)



Salient Features of OAM
Oracle Access Manager provides:
• Authentication service for Web-based applications
• Single sign-on access for applications
• Identity assertion service
• Session management
• Coarse-level authorization protection



OAM 11g Architecture
• Simplified deployment architecture
• Built-in backward compatibility
• Ease of administration and configuration



Enterprise Deployment Architecture




SSO Login Processing with OAM Agents



Installation and Configuration
• Installation process:
  – OAM 11g is installed by using Oracle Universal Installer (OUI).
  – The installation process copies all the software bits to the host machine.
  – OUI does not perform product configuration.
• The configuration process requires the following two steps:
  – Database schema configuration by using the Repository Creation Utility (RCU)
  – Product configuration and deployment by using the WebLogic Configuration Wizard




Installation and Configuration
• Database schema configuration:
  – RCU lets customers choose the products for which a database schema is to be created, and creates the schema once the database details are provided.
• Product configuration and deployment:
  – OAM 11g is a J2EE application that deploys into a container.
  – Deployment and configuration are handled by the WebLogic Configuration Wizard.
  – The Configuration Wizard uses configuration templates provided by each product to configure the product.
  – It deploys the product into a new or existing WLS domain.



Installation and Configuration
Configuration Wizard Screenshot: Templates




OAM 11g R1 Run-Time Architecture
• WebLogic Administration Server hosts the WebLogic Admin Console, the OAM 11g Admin Console, and FMW Control.
• WebLogic Managed Server(s) host the OAM 11g Runtime Server.
• Shared information between the administration and run-time servers:
  1. Policies
  2. Configuration
  3. User Sessions
• Isolated run-time and admin server
• Configuration and policy propagation
• User sessions shared across all run-time servers



Management Interfaces
• Three primary GUI management interfaces are available:
  – OAM administration console
  – WLS administration console
  – Oracle Enterprise Manager FMW Control
• WLST provides limited command-line capability.



Backward Compatibility of Agents in a Heterogeneous Environment
• The OSSO and OAM proxy servers within OAM 11g provide backward compatibility to OSSO and OAM 10g agents (WebGate, Access SDK, mod_osso).
• Oracle Access Manager 11g servers are compatible with earlier (10g) OAM agents and OSSO agents (mod_osso). (Earlier OAM 10g agents or OSSO agents need to be registered with OAM 11g.)
• The coexistence of OAM 10g agents, OSSO 10g agents, and OAM 11g agents in the same deployment is supported.
• A single sign-on experience is provided across both Oracle SSO and OAM agents.
• The OAM 11g server coexists with Oracle SSO 10g and OAM 10g servers to ease migration.


Coexistence of OAM 10g and 11g Servers
(Diagram labels: Users; Webgate 10g; Webgate 11g; WebLogic Server running Oracle Access Manager 11gR1 with Session, Audit, Policy Engine, and Authz Engine components; Oracle Access Manager 10g with its Authz Engine; Application; Audit DB; Policy Store DB.)



Coexistence of OSSO 10g and OAM 11g Servers
(Diagram labels: Single Sign-On; Oracle Single Sign-On Agents; Oracle Access Manager 11g WebGate; Protocol Compatibility Framework; Oracle Access Manager 11g; Oracle SSO 10g.)



Session Management
Session management:
• Manages the life cycle requirements of a user session and
notification of session events to enable global logout
• Tracks active user sessions by using a high-performance
distributed cache
• Can limit the number of concurrent sessions a user can
have at one time
• Performs out-of-band session termination
(Prevents unauthorized access to systems when a user
has been terminated.)
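To make the four session-management capabilities listed above concrete, here is an added, illustrative Python model (not Oracle code and not OAM's actual implementation): an in-memory stand-in for the session cache with an idle-timeout life cycle, per-user tracking, a concurrent-session limit that evicts the oldest session, and an out-of-band `terminate_user` that drops every session of a deprovisioned user and records a notice for global logout. The class and method names are this example's own assumptions.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Session:
    session_id: str
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, max_per_user=2, idle_timeout=900):
        self.max_per_user = max_per_user      # concurrent sessions allowed per user
        self.idle_timeout = idle_timeout      # seconds of inactivity before expiry
        self._sessions = {}                   # illustrative stand-in for the distributed cache
        self.events = []                      # termination notices consumed by global logout

    def create(self, user, now):
        active = sorted((s for s in self._sessions.values() if s.user == user), key=lambda s: s.created)
        if len(active) >= self.max_per_user:
            # Limit reached: evict the oldest session (a policy choice of this model)
            self._terminate(active[0].session_id, "limit")
        sid = secrets.token_urlsafe(32)       # unguessable session identifier
        self._sessions[sid] = Session(sid, user, now, now)
        return sid

    def validate(self, sid, now):
        s = self._sessions.get(sid)
        if s is None:
            return False
        if now - s.last_seen > self.idle_timeout:
            self._terminate(sid, "idle")      # life-cycle expiry
            return False
        s.last_seen = now
        return True

    def terminate_user(self, user, reason="admin"):
        # Out-of-band termination: drop every session of the user, e.g. on deprovisioning
        ids = [s.session_id for s in self._sessions.values() if s.user == user]
        for sid in ids:
            self._terminate(sid, reason)
        return len(ids)

    def active_sessions(self, user):
        return sum(1 for s in self._sessions.values() if s.user == user)

    def _terminate(self, sid, reason):
        s = self._sessions.pop(sid)
        self.events.append((s.user, sid, reason))
```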





Oracle Coherence in Session Management
Oracle Coherence:
• Provides a distributed cache with low data-access latencies
• Transparently moves data between distributed caches, including an optional database store
• Encrypts Coherence traffic
(Enables failover and reconciliation.)
(Diagram labels: OAM Server 1 and OAM Server 2, each running Coherence; Session Data Store; Policy Store; Database.)


Usability and Life Cycle Management Enhancements
• Rich Web-based configuration and policy management
• Operational metrics support for agents and servers
• Support for test-to-production migration
  – Creation of new topologies based on a template
  – Incremental migration of policy changes
• Integration with EM Grid Control
• Simplified application integration
  – Intuitive UI to register an application
  – Java-based command-line registration tool that can be run remotely on any platform
  – Automatic generation of agent configuration files



Usability and Life Cycle Management Enhancements: Operational Metrics



Windows Native Authentication
• OAM 11g enables Microsoft Internet Explorer users to automatically authenticate to their Web applications by using their desktop credentials.
• It provides SPNEGO-based credential validation for true Windows desktop to Web single sign-on.
• It allows single sign-on for WebGate- and Oracle SSO-protected applications simultaneously.
  – It does not need an IIS-based solution for a WebGate.
  – WebGate- and Oracle SSO-protected applications need not run on a Windows platform.
• It can be enabled for a subset of protected applications.
  – Internal versus external Web sites
Note: In OAM 10g, only IWA (Integrated Windows Authentication) was supported.


Upgrade for OracleAS Single Sign-On 10.1.4.3.0
• Primarily OAM 11g R1 (11.1.1.3.0) uptake from existing Oracle SSO 10g (10.1.4.3) customers
• Facilitated through an Upgrade Assistant
• Process:
  – Install OAM 11g.
  – Run the Upgrade Assistant pointing to OracleAS Single Sign-On 10.1.4.3.
• Two modes:
  – In-place (Retain Ports): No changes required on partner applications, but downtime required for the server
  – Out-of-place/Rolling upgrade (Change Ports): No downtime required for the server, but partner applications need a new osso.conf, which is generated by the Upgrade Assistant



Rich ADF-Based UI
• Policy administration and system configuration
• Operational metrics shown in the same UI
• Tabbed navigation model



Connection Simulator: Access Tester 11g
• Customers need a tool to test access to resources.
  – OAM 10g had a server-side Access Tester.
  – OAM 11g provides a tool that can be run anywhere.
• The new Access Tester simulates an actual WebGate.
  – It simulates resource requests to ensure that policy evaluates correctly.
  – It also uncovers network issues that might impact WebGates or mod_osso agents because it can be run anywhere, including on the Web server host.
