
Access and Identity Management for Enterprise Portals Rohit Gupta Director, Identity Management...

Date post: 15-Jan-2016
Upload: loreen-bryan
Transcript
Page 1: Access and Identity Management for Enterprise Portals Rohit Gupta Director, Identity Management Product Management Oracle Corporation.

Access and Identity Management for Enterprise Portals
Rohit Gupta
Director, Identity Management Product Management
Oracle Corporation


Topics

• Introduction – portal identity management issues
• Identity consolidation
• Password and identity administration
• Centralized authorization and authentication
• Automated user identity provisioning
• Federated identity support
• Summary and conclusions


Oracle Fusion Middleware Application Platform Suite

[Diagram labels: Develop, Orchestrate, Deploy, Secure, Access, Integrate, Manage, Analyze]


Oracle Portal Aggregates Customers Web Applications

[Diagram labels: Any Data Source, Packaged Apps, Any Web Site, Page Assembly Engine, Personalization, Portal, Portlet Engine, Runtime (User, Session, Management), Wireless & Mobile, Internet / intranet Users]

– Reduce web sites, simplify searches & navigation
– Single sign-on security framework, enterprise search
– Assemble portals from pre-built “portlets” and Web Services
– Personalize portals by user / role


Identity Management Challenges for Customers Deploying Portals

• Problem: Lack of centralized user identity management
  • Issue for users: Too many identities and credentials to manage
  • Issue for administrators: Frequent calls to the helpdesk for password resets
• Problem: Lack of centralized web authorization and authentication service
  • Issue for users: Multiple log-ins to different applications within the enterprise
  • Issue for administrators: Inconsistent application security policies
• Problem: Manual user provisioning process
  • Issue for users: Delays in getting needed access to applications
  • Issue for administrators: Labor intensive, error prone, and difficult to keep in compliance
• Problem: Lack of identity federation support
  • Issue for users: Multiple log-ins to applications hosted outside the enterprise
  • Issue for administrators: Managing authorization credentials for outside users


What is Identity Management?
Securing your IT assets from within

• Management of digital user identities through their complete lifecycle
  • Employee hire -> promotion -> departure
• Securing access to applications and information
  • Authentication: proving you are who you say you are
  • Authorization: what you have access to, when, where
• Scalable and available storage of identity information
  • Profile: roles and attributes about you


Oracle Identity Management

• Access Control
  • Single Sign-On
  • Identity Federation
  • Web Access Control
  • Web Services Security
• Identity Administration
  • User, Role Management
  • User Provisioning
• Identity Infrastructure
  • Virtual Directory
  • Directory


Identity Consolidation


Identity Consolidation Overview

• Oracle Portal includes Oracle Internet Directory as a user management repository
• Frequent deployment requirement for integration with
  • Enterprise directories
  • Application directories
  • User repositories
• Oracle Virtual Directory and Directory Integration Platform facilitate portal integration with these environments


Oracle Internet Directory

• Features
  • Full feature LDAP server with a RDBMS data-store
  • Industry leading scalability and HA capabilities
  • Strong Oracle Platform integration
  • VSLDAP certified and EAL4 compliant
• Benefits
  • Reduced operational cost and improved availability with Oracle Grid support
  • Seamless integration with Oracle Applications and Products


Directory Integration Platform

[Diagram labels: Connectors; External Directories: Sun1 (iPlanet), Active Directory, Oracle HR, Oracle DB, OpenLDAP, eDirectory; Oracle Internet Directory; Directory Integration Service]


Oracle Virtual Directory

• Features
  • Virtual, real-time LDAP application views of directories, databases and other user repositories
  • Modern Java & Web Services technology
  • Virtualization, Proxy, Join & Routing capabilities
  • Superior extensibility
  • Scalable multi-site administration
  • Direct data access
• Benefits
  • Rapid application deployment
  • Tighter controls on identity data
  • Realtime identity information access


Directory Deployment Options

[Diagram labels: Portal/Access Mgmt System, Oracle Internet Directory/DIP, Other Directories and Repositories -or- Portal/Access Mgmt System, Oracle Virtual Directory, Other Directories and Repositories; Point of Administration; Points of Administration]


Benefits for Portal Deployments

• Extremely scalable, highly-available LDAP directory option for any portal deployment

• Ready integration with enterprise user repositories; rapid deployment in any environment

• Flexibility in how and where user information is administered


Password and Identity Administration


Password and Identity Administration - Overview

• Basic user administration is provided in the Portal environment
• Oracle COREid Identity provides richer enterprise user administration functionality, including
  • Self-service
  • Delegated administration
  • Customized approval workflows
• COREid Identity functionality integrates into Oracle Portal applications, providing a unified look and feel


Oracle COREid Identity

• Features
  • Web application for user, group, and organization management
  • Self Service and Self Registration functionality
  • Password Management
  • Delegated Administration
  • Unified Workflow
• Benefits
  • Reduced operational costs through user self-service
  • Efficient management of large user populations


Integrated User Administration

[Diagram labels: Oracle COREid Identity Server, Web Server, User, WebPass, Web Server, LDAP Directories]

PresentationXML and Portal Inserts allow Portal customers to customize the look-and-feel of Oracle COREid and seamlessly integrate its functionality into portal applications.


Benefits for Portal Deployments

• Oracle Identity Management reduces administrative burden and cost
  • Administer Portal and enterprise users with a single application
  • Support multiple levels of delegated administration of Portal user communities
  • Self-service ROI by allowing users to perform password resets, role requests and manage identity information
  • Automate approval workflows for user access requests


Centralized Authorization and Authentication


Centralized Authorization and Authentication - Overview

• Oracle Single Sign-On addresses authentication for the Oracle application environment

• COREid Access provides authentication and access management for a wide variety of third party application environments

• The two components work together to provide a seamless application experience for users, and a single point of access control for administrators


Oracle COREid Access

• Features
  • Scalable web access management solution
  • Common policy management across applications
  • Multi-level, multi-factor authentication management
  • Web Services interfaces
• Benefits
  • Centralized and consistent security across heterogeneous environments
  • Reduced administration cost
  • Improved end user experience
  • Better compliance


Single Sign-On to Heterogeneous Applications

[Diagram labels: OracleAS SSO, Oracle COREid Access, Oracle Internet Directory, Single Sign-On, Virtual Directory Server, Sun Directory Services, Microsoft ADS, Packaged eBusiness Apps, Static HTML content, App Servers, Portals, Mainframe Systems, Access Server SDK, Other Enterprise Applications, Oracle Applications]


Benefits for Portal Customers

• Users have single sign-on to all applications accessed through their portal

• Administrators have a single point of control for authentication and authorization

• Oracle access management is pre-integrated with Portal and other Oracle applications and offers out-of-the-box integration with other enterprise applications, portals and application servers


Automated User Identity Provisioning


Automated User Identity Provisioning - Overview

• Provisioning users to an enterprise portal typically involves also provisioning them for a number of applications
  • Oracle, 3rd party, custom developed
  • Running on a variety of platforms
• Internal processes for granting/terminating application access can be quite complex
• Handling these in a secure, efficient and compliant way requires automation
• Oracle Xellerate Identity Provisioning integrates with the portal and the backend applications to provide these capabilities


Xellerate Identity Provisioning

• Features
  • Identity life-cycle management for the heterogeneous enterprise
  • Complete workflow for approvals
  • Connectors for OS’es, DBs, Directories, Groupware, Apps, etc.
  • Direct connectivity to HR
  • Compliance reporting and account reconciliation
• Benefits
  • Reduced administration cost
  • Critical for regulatory compliance
  • Improved security through centralized administration


Benefits for Portal Deployments

• Efficient enterprise portal user management
  • Rapid on-boarding of new users
• Improved application security
  • No “old” user accounts in the system
• Improved ability to address compliance requirements
  • No rogue or orphan accounts


Federated Identity Support


Federated Identity Support - Overview

• Portals often have a need to service users across administrative domains
  • Inter-agency, partners, customers, etc.
• Emerging web services standards are addressing these requirements
  • SAML, Liberty
• Oracle COREid Federation provides portal applications the ability to participate as federated identity and service providers


COREid Federation

• Features
  • Seamless SSO and Identity Sharing
  • Multi-protocol gateway – SAML, Liberty, WS-Federation
  • Service Provider or Identity Provider
  • Flexible deployment configurations
  • Standalone for use with pre-existing web-access management solution
  • Protocol SDK for custom applications
• Benefits
  • Secure integration with partners
  • Reduce administration cost
  • Deliver improved end user experience


Example Federated Identity Single Sign-On Scenario

[Diagram labels: Sign On (Identifier: Principal ABC, Password: XXXX); Employee Portal; Employee Medical Benefits Site; 401k Benefits Site; Federated SSO; Federated SSO]


Benefits for Portal Deployments

• Portal users can transparently access applications of federation partners (such as travel agencies, employee benefits providers, etc.)
• Applications secured by Oracle Identity Management can be made accessible to partners through federation
  • No need to manage these users locally
  • No re-engineering of applications required


Summary and Conclusions

• Enterprise portal deployments raise a number of management and security issues
• Oracle Identity Management enables Portal customers to:
  • Support single sign-on of portal users to enterprise applications
  • Provide rich user administration and self-service seamlessly integrated into the portal environment
  • Manage enterprise portal and application users centrally
  • Automatically provision and de-provision enterprise portal users
  • Allow their portal users to access federated applications
  • Make their portals available to partner access


Q&A


For more information

Please point your browser to http://www.oracle.com/identity
