Oracle Identity and Access Management Suite
Oracle Identity Management is an integrated, open set of 14 components that can be licensed as standalone products or as part of several suites. They cover identity administration; access management for web applications, web services and other applications and systems, including SSO and federation with collaborating organizations; directory services; web services security; entitlements management; real-time fraud prevention; multi-factor authentication; information rights management; and identity and access governance (the functional areas are outlined in the figure below, the product architecture diagram).
The components are built around a service-oriented architecture (SOA) using shared services, both within the suite and across the wider Oracle environment. For example, identity administration and password management, workflow, authentication and authorization, cryptographic services and auditing are provided as services within the suite, which is positioned as a pillar of the Oracle Fusion Middleware platform and as a core component of Oracle’s governance, risk and compliance (GRC) strategy.
The identity services can be placed in tiers relating to their position in the construction of the identity infrastructure:
- Strategy formulation – policy management and trust.
- Management of permissions – identity administration, role management and provisioning.
- Operational control – authentication, authorization and federation.
Oracle Identity Management allows enterprises to manage the end-to-end life cycle of user identities across enterprise resources both within and beyond the firewall, independently from enterprise applications. In other words, Oracle Identity Management’s application-centric approach allows customers to clearly separate business logic from security and resource management, thus promoting development agility and lowering maintenance costs.
Oracle’s strategy for identity and access management provides the following key benefits:
Complete: Oracle Identity Management provides a comprehensive set of market-leading services including identity administration and role management; user provisioning and compliance; web applications and web services access control; single sign-on and federated identities; fraud detection; strong, multifactor authentication and risk management; role governance and identity analytics, audit and reports. All Oracle Identity Management components leverage the product suite’s best-in-class, highly scalable directory and identity virtualization services to maximize operational efficiency and ensure the highest levels of performance and availability.
Integrated: Oracle Identity Management components can be deployed separately or together as an integrated suite of identity services. The various components making up Oracle Identity Management are designed to work together to satisfy each identity management and access control requirement met throughout a business transaction. Oracle Identity Management components integrate seamlessly with Oracle applications such as human capital management (Oracle’s PeopleSoft), performance management (Oracle’s Hyperion), customer relationship management (Oracle’s Siebel), as well as other Oracle Fusion Middleware components such as Oracle SOA, Oracle WebCenter, and Oracle Business Intelligence. Oracle Identity Management integrates with Oracle’s Governance, Risk, and Compliance platform to provide an enterprise-wide governance solution. Oracle Identity Management leverages and integrates with Oracle Database through its own directory and identity virtualization services, thus providing extreme scalability and lower cost of ownership. Finally, Oracle Identity Management provides extensions to Oracle Information Rights Management, closing the gap between identity management and content management.
Hot-Pluggable: Oracle Identity Management’s standards-based suite of products is designed to support heterogeneous, multiple-vendor development and runtime environments, including operating systems, web servers, application servers, directory servers, and database management systems. For example, XML standards for federation (e.g., Security Assertion Markup Language, SAML, and WS-Federation) allow Oracle Identity Management components to support both in-house, mission-critical applications (e.g., Java-based service providers) and third-party packaged applications (e.g., Microsoft .NET-based accounting or project management systems), thus protecting past and future IT investments.
Best-Of-Breed: In addition to Oracle Identity Management’s completeness, integration, and hot-pluggability, the components of the suite deliver functional depth and sophistication that, taken individually, make them market-leading, best-of-breed products. Customers, especially those looking for advanced capabilities to support their application grid, can choose the Oracle Identity Management component that best meets their specific requirements and integrate it with the rest of their existing identity management portfolio, or they can deploy the complete Oracle Identity Management suite to take advantage of its enhanced integration.
Oracle Identity Management is an integral part of Oracle Fusion Middleware. It leverages Oracle Fusion Middleware’s services such as Business Intelligence, Enterprise Management, and SOA and Process Management, and it provides security services to multiple Oracle Fusion Middleware components and Oracle Fusion Applications.
Introducing Oracle Identity Management 11g
Oracle Identity Management 11g is characterized by the following:
- Establishment of Oracle Identity Management as a security development platform.
- Oracle Identity Management becomes Oracle Fusion Applications’ de facto security infrastructure.
- Enhanced integration between Oracle Identity Management’s components and other Oracle Fusion Middleware components, Oracle Applications, and third-party security providers.
- Enhanced functionality allowing easier environment deployments (e.g., wizards that guide users through rapid deployment tasks, and multi-level actionable dashboards that let business users analyze compliance and risk indicators and take remediation actions).
- Streamlined release synchronization and technology uptake between the various products making up Oracle Identity Management.
Key to Oracle Identity Management 11g is the concept of Service-Oriented Security (SOS). SOS provides a set of security services leveraged by Oracle Fusion Middleware components, as shown in the figure below:
Oracle’s SOS applies Service-Oriented Architecture (SOA) principles to security in order to promote better design (industry-standard security “components”), deployment (appropriate level of security applied where necessary), and management (through a single point of administration). SOS is built upon Oracle Platform Security Services (OPSS), a security development framework.
Oracle Identity Management leverages SOS to provide “identity as a service”. Identity services take the functionality of an identity management solution that would otherwise be bolted onto applications and make the set of identity services available in a SOA environment. Applications following SOA guidelines are able to leverage these services without any concern about how these services are provided. Shared identity services enable enterprises to make identity a reusable, standard, transparent, and ubiquitous part of their applications.
Instead of cobbling together a heterogeneous environment from diverse, separate products, each service (for example user on-boarding) works with other identity services through standard interfaces to provide a complete, homogeneous environment.
SOA architecture allows each service to leverage the environment within and outside identity management. For example, the workflow engine used in user provisioning approvals is the same, standards-based workflow engine used by Oracle SOA Suite. Likewise, the same standard cryptographic libraries are used throughout the identity management environment and other Oracle Fusion Middleware components.
The following tables summarize Oracle’s identity services and products by category.
Platform Security Services
| Product | Description | Positioning |
| --- | --- | --- |
| Oracle Platform Security Services (OPSS) | Standards-based, enterprise-grade framework exposing security services through pluggable abstraction layers. OPSS provides the “service-oriented security” approach for Oracle Identity Management. | Security foundation for Oracle Fusion Middleware: all Oracle Fusion Middleware components and Oracle Fusion Applications “consume” the OPSS framework’s services. |
| Oracle Authorization Policy Manager (OAPM) | OAPM is a graphical user interface console for administering OPSS-based authorization policies. | OAPM is intended for customers relying on Oracle Fusion Middleware products based on OPSS, custom or in-house applications built with Oracle ADF, and next-generation Oracle Fusion Applications. |
| Identity Governance Framework (IGF) | Oracle’s IGF is designed to help enterprises control how identity-related information (e.g., attributes and entitlements) is used, stored, and propagated between applications. | Originally started by Oracle, IGF is an open-source project hosted by The Liberty Alliance. |
| Authorization API (OpenAz) | Oracle’s Authorization API provides a standard interface between an application and a general authorization service. It also provides an effective way for authorization providers to plug in client-side authorization functionality. | Authorization API is a public project started by Oracle. As part of OPSS, it will become the sole authorization API for Oracle Fusion Middleware. |
| Oracle Web Services Manager (OWSM) | OWSM secures standards-compliant web services (Java EE, Microsoft .NET, PL/SQL, etc.), service-oriented architecture (SOA) composites, and Oracle WebCenter’s remote portlets. | Standards-based, policy-centric security linchpin for Oracle Fusion Middleware web services. |
| Oracle Internet Directory (OID) | Enterprise Lightweight Directory Access Protocol (LDAP) directory server and directory integration platform implemented on top of Oracle Database technology, providing an unsurpassed level of scalability, high availability, and information security. OID includes Oracle Directory Services Manager (ODSM), a web-based administration user interface for server configuration. | Highly scalable LDAP directory integrated with Oracle Fusion Middleware and Oracle Fusion Applications. |
| Oracle Directory Server Enterprise Edition (ODSEE) | Enterprise identity services including the LDAP Directory Server, Directory Proxy, Directory Synchronization, a web-based management user interface and deployment tools. ODSEE is the industry’s leading, carrier-grade directory. | Small-footprint, best-of-breed LDAP directory, recommended for heterogeneous application deployments. Will be integrated with ODSM and Data Integration Platform (DIP). |
| Oracle Virtual Directory (OVD) | Java-based environment designed to provide real-time identity aggregation and transformation without data copying or data synchronization. OVD includes two primary components: the OVD Server, to which applications connect, and ODSM (described above). | OVD provides a single standard interface to access identity data no matter where it resides, while hiding the complexity of the underlying data infrastructure (OVD does not store information; that role is left to the persistence systems used for the purpose, such as OID and ODSEE). |
| Oracle Access Manager (OAM) | OAM provides centralized, policy-driven services for web application authentication, web single sign-on (SSO), and identity assertion. | OAM integrates with a broad array of authentication mechanisms, third-party web servers and application servers, and standards-based federated SSO solutions to ensure maximum flexibility and a well-integrated, comprehensive web access control solution. |
| Oracle Identity Federation (OIF) | OIF is a self-contained solution enabling browser-based, cross-domain single sign-on using industry standards (SAML, Liberty ID-FF, WS-Federation and Microsoft Windows CardSpace). | OIF seamlessly integrates with third-party identity and access management solutions. OIF is specifically designed for identity providers. |
| Oracle OpenSSO Fedlet | A lightweight federation extension allowing a service provider to immediately federate with an identity provider without requiring a full-blown federation solution to be in place. | Oracle’s Fedlet is specifically designed for service providers and fully integrated with OIF. |
| Oracle OpenSSO Security Token Service (STS) | Oracle’s STS establishes a trust relationship between online partners through web services. STS provides both standard and proprietary security token issuance, validation, and exchange. | STS is currently available with the Oracle Access Management Suite Plus. Going forward, Oracle’s STS will be integrated with OAM. |
| Oracle Enterprise Single Sign-On (eSSO) | Oracle eSSO is a Microsoft Windows desktop-based set of components providing unified authentication and single sign-on to both thick- and thin-client applications, with no modification required to existing applications. | Using Oracle eSSO, enterprise users benefit from single sign-on to all of their applications, whether they are connected to the corporate network, traveling away from the office, roaming between computers, or working at a shared workstation. |
| Oracle Entitlements Server (OES) | OES is a fine-grained authorization engine that externalizes, unifies, and simplifies the management of complex entitlement policies. | OES provides a centralized administration point for complex entitlement policies across a diverse range of business and IT systems. |
| Oracle Adaptive Access Manager (OAAM) | OAAM provides resource protection through real-time fraud prevention, software-based multifactor authentication, and unique authentication strengthening. | OAAM consists of components that create one of the most powerful and flexible weapons in the war against fraud. |
Identity Management, Identity and Access Governance
| Product | Description | Positioning |
| --- | --- | --- |
| Oracle Identity Manager (OIM) | OIM answers the question “Who has access to What, When, How, and Why?”. OIM is designed to administer both intranet and extranet user access privileges across a company’s resources throughout the entire identity management life cycle, from initial on-boarding to final de-provisioning of an identity. | In extranet environments, OIM’s superior scalability allows enterprises to support millions of customers accessing the company’s resources using traditional clients (e.g., browsers) or smart phones. |
| Oracle Identity Analytics (OIA) | OIA helps enterprises address regulatory mandates, automate processes, and quickly make compliance a repeatable and sustainable part of the business. OIA provides a comprehensive solution for attestation (access certification), role governance, and enterprise-level segregation-of-duties enforcement. | Integrates with OIM for role administration and role-based provisioning automation as part of Oracle remediation. |
| Oracle Identity Navigator (OIN) | OIN is an SSO-enabled launch pad for the administrative consoles of all Oracle Identity Management services. | OIN acts as a user-experience consolidation point for Oracle Identity Management. |
| Oracle Management Pack for Identity Management | Oracle Management Pack for Identity Management leverages Oracle Enterprise Manager’s broad set of capabilities to control identity management components end to end. | Support for service-level configuration, dashboard-based user interaction, environment monitoring, performance automation, and patch management. |