Oracle Entitlements Server 10.1.4.3 - Entitlements Server
Feature overview
Игорь Минеев (Igor Mineev), Oracle CIS
Agenda
• Oracle Access Management Suite
• Why it is not that simple
• What is Oracle Entitlements Server?
• Oracle Entitlements Server Security Modules
• Scalability options
• Installing OES
• Integration with other components of Oracle Access Management Suite
Oracle Identity & Access Management (suite diagram)
Identity & Access Management: Identity Manager, Role Manager, Identity Admin.
Directory Services: Internet Directory, Virtual Directory
Access Management: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server, Web Services Manager, Authentication Service for OS
Audit & Compliance
Manageability: Enterprise Manager IdM Pack
Scope of application (IAM service: implementation)
Credential storage: OVD (+ OID where required)
Authentication: OAM + OAAM
Authorization: OES + OAAM
Role management: ORM
Credential provisioning: OIM
Programming interface: OPSS
Oracle Access Management Suite 10g
Entitlements Server:
• Management of “entitlements”
• Fine Grained Authorization
Access Manager:
• Access control for web applications
• Single Sign-On
Identity Federation:
• SSO for loosely coupled systems
• Standards support (SAML, WS Federation, Liberty)
Adaptive Access Manager:
• Risk-based authorization
• Real-time prevention of fraudulent actions
What is entitlement management?
Why is it not that simple?
Complex scenarios
• Complex operational scenarios that reflect legal requirements and corporate rules
• Multiple hierarchies
• Roles
• Resources
• Actions
• Attributes
Logic embedded in applications
• Security logic is embedded in the applications
• It is hard to change
• Inconsistent policies may exist
• Centralized policy management is impossible
• Access auditing can be difficult
Different security technologies
• Existing systems
• User directories
• Web SSO
• Business processes
• ID propagation
• Integration with existing systems is required to obtain user identifiers and additional attributes
An entitlements system must provide centralized policy management and distributed policy enforcement
Possible usage scenario (banking application diagram)
Operations: Read/Write, Read, Write, Restricted read
Role hierarchy (banking application): Manager, Account administrator, Analyst, Bank customer
Resource hierarchy: Account management; Reporting (Period report, Summary report)
Attributes: Location (Russia: Moscow, Novosibirsk, Petrovskoye branch); Org. structure (Department head, Chief accountant, Auditor, Cashier); Date/Time (on non-working days, from 9:00 to 18:00)
Oracle Entitlements Server
(Diagram: Users send a request; Oracle Entitlements Server checks their rights and answers Permit or Deny. The check covers in-house developed applications, services, off-the-shelf applications and databases, using Entitlement Data and user directories as inputs.)
Oracle Entitlements Server (OES) is a solution for fine-grained management of “entitlements” that provides centralized policy administration and distributed policy enforcement for applications running in a variety of architectures.
Typical OES use cases (requirement: what OES provides)
Requirement: bind the user interface to roles
• Dynamically change the application interface
• Restrict a user's access to the application interface under certain conditions
Requirement: allow specific users access to applications
• Transparent integration with web SSO systems and corporate identity management systems
• Delegation of a user's authority to other users while the user is absent or in other situations
Requirement: restrict access to data
• Different views of a shared customer database for different organizations
• Close off employee information and salaries to everyone except department heads
• Show the credit history only of customers located in the same region as the Call Center
Requirement: restrict application functionality
• Only senior managers can execute stock sale transactions exceeding 10,000,000 rubles less than half an hour before the exchange closes
Entitlements - basics
• PAP (PMA) – Policy Administration Point (Policy Management Authority)
  • Centralized policy management
• PDP – Policy Decision Point
  • Evaluation of requests against the existing policies
• PEP – Policy Enforcement Point
  • Enforcement of PDP decisions
• PIP – Policy Information Point
  • Supply of the information needed to evaluate requests
General scheme
(Diagram: the Policy Administrator works through the Administration Server (PAP), which keeps policies in the OES Policy Store and distributes them to Security Modules (PDP). Each Security Module serves one or more Applications through a Policy Enforcement Point (PEP) and consults Policy Information Points.)
Oracle Entitlements Server architecture (PAP)
(Diagram: the Administration Server consists of the Admin Console, the Business Logic Manager (BLM), the Policy Distributor (pushing policy to the SSMs) and the Bulk Policy Loader, all backed by the Policy Database.)
OES Administration Server (PAP)
• A tool for administering policies for enterprise applications.
• Distributes policies to the Security Modules.
• Provides report generation and policy simulation.
• Supports delegated administration.
• Supports WebLogic Server, Tomcat and WebSphere.
OES object structure
• Organizations can represent companies, departments and other business units.
• Applications are the organization's software (web applications, Java …).
(Diagram: each Organization holds credentials and Applications; each Application holds Resources, Roles, Actions and Policies. A System Admin administers the organization, an Application Admin administers an application.)
System administrator role
• Pop-up panel for defining the administrator role.
Application administrator role
• Create
• Modify
• Remove
• Clone
• Move
Authorization policies
Grant (view, /app/Sales/RevenueReport, /role/Manager) if region = “East”;
(Diagram: a policy maps an Effect (Grant, Deny, Delegate) and an Action (Read, Write, View, …) to Application Objects (Resources) for Subjects, based on a Boolean Constraint built from Attributes and Eval Functions; attributes are read from External Data and Identity Store(s). The Security Module receives an Authorization Request and returns an Authorization Response.)
Role policies
Grant (/role/Executive, /app/Sales/, /sgrp/manager) if level > 5;
(Diagram: the same elements as an authorization policy, except that the Effect (Grant, Deny, Delegate) applies to Roles rather than to an action: roles are granted to Subjects on Application Objects (Resources), based on a Boolean Constraint over Attributes and Eval Functions read from External Data and Identity Store(s).)
OES Policy Management
• OES policies grant or deny roles or privileges to users, groups,
or roles subject to a set of constraints
• Policies are scoped to an application or an application resource
• OES policies have the following form:
Effect (Role | Privilege, Resource, Subject) Constraint
• Effect: Grant, Deny, or Delegate
• Role: A specific role to be granted or denied
• Privilege: Resource specific action (get, view, transfer)
• Resource: Protected object (Portlet, EJB, Account …)
• Subject: User, Group, Role
• Constraint: Expression operating on Attributes (Date, Time,
Environment, User, Group, Role, Custom)
OES Access Policy
• OES Access policy is used to grant or deny privileges to resources in the
application to specific users, groups, or roles
• Example access policies
• Grant the “view” privilege for the application reports if the user is a BankManager and
is in the same business unit as the report
Grant (view, //app/Reports, //group/UnitManagers) if
Reports.BusinessUnit=user.BusinessUnit
• Grant the transfer privilege on the account if the user is in the list of account owners and
the request is below the account limit
Grant (transfer, //app/account, everyone)
if user IN account.owners AND transferrequest <= transferlimit
• Return entitlements information (e.g. account transfer limit) as part of entitlements
decision
Grant (transfer, //app/account, everyone)
if user IN account.owners AND (REPORT_AS(transferlimit))
OES Role Policy
• OES role policy is used to dynamically determine role membership
• Role policies are always scoped to a resource or set of resources
• Example role policies
• Grant the role “BankManager” for the resource “AccountReports”
to everyone whose job title is “BankManager”
Grant (//role/BankManagers, //app/AccountReports, everyone)
if (User.JobTitle=BankManager)
• Deny the “Analyst” role to anyone who has the “Trader” role in the “Brokerage”
application
Deny (//role/Analyst, //app/Brokerage, //role/Trader)
• Temporarily delegate John’s “Approver” role in the “AcctsPayable” application to
members of John’s group while John is on vacation
Delegate(//role/Approver, //app/AcctsPayable, //grp/JReports, John)
if (date > 08/01/06) and (date < 08/10/06)
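The policy form given on the "OES Policy Management" slide and the access and role policy examples above, evaluated in code. This is an added example and not OES code: it parses policies written in the slide's Effect (Role | Privilege, Resource, Subject) if Constraint shape, treats targets that start with //role/ as role policies, and answers an access question with deny-overrides semantics, failing closed when a constraint references an attribute the PIP did not supply. The constraint syntax (Python-style comparisons over the namespaces user, resource and request, checked through a whitelist of AST node types rather than eval), prefix matching of resources, the subject forms and every user, attribute and policy value are assumptions constructed for this illustration.

```python
import ast
import re
from types import SimpleNamespace

# Constructed policy set in the slide's form: Effect (Role | Privilege, Resource, Subject) [if Constraint].
# Constraint syntax is Python-style comparisons (an assumption of this example, not OES syntax).
POLICY_TEXT = """
Grant (//role/BankManagers, //app/AccountReports, everyone) if user.JobTitle == 'BankManager'
Deny (//role/Analyst, //app/Brokerage, //role/Trader)
Grant (view, //app/Reports, //group/UnitManagers) if resource.BusinessUnit == user.BusinessUnit
Grant (transfer, //app/account, everyone) if user.name in resource.owners and request.amount <= resource.transferlimit
"""

POLICY_RE = re.compile(
    r"^(Grant|Deny)\s*\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*(?:if\s+(.+))?$")

# The only comparison operators the constraint language accepts
OPS = {ast.Eq: lambda a, b: a == b, ast.NotEq: lambda a, b: a != b,
       ast.Lt: lambda a, b: a < b, ast.LtE: lambda a, b: a <= b,
       ast.Gt: lambda a, b: a > b, ast.GtE: lambda a, b: a >= b,
       ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}


def parse_policies(text):
    """Turn policy lines into dicts; a line that does not fit the form is rejected."""
    policies = []
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            raise ValueError("malformed policy: " + line)
        effect, target, resource, subject, constraint = m.groups()
        policies.append(dict(effect=effect, target=target, resource=resource,
                             subject=subject, constraint=constraint))
    return policies


def _eval(node, ctx):
    """Walk the constraint AST allowing only comparisons, and/or/not, attribute
    access and literals, so a policy can never call functions or import modules."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, ctx)
    if isinstance(node, ast.BoolOp):
        vals = [_eval(v, ctx) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, ctx)
    if isinstance(node, ast.Compare):
        left = _eval(node.left, ctx)
        for op, comp in zip(node.ops, node.comparators):
            right = _eval(comp, ctx)
            if not OPS[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Attribute):
        if node.attr.startswith("_"):
            raise ValueError("private attribute access is not allowed")
        return getattr(_eval(node.value, ctx), node.attr)
    if isinstance(node, ast.Name):
        return ctx[node.id]            # unknown namespace -> KeyError
    if isinstance(node, ast.Constant):
        return node.value
    raise ValueError("disallowed constraint element: " + type(node).__name__)


def constraint_holds(constraint, ctx):
    """A constraint that cannot be evaluated (missing PIP attribute, bad syntax,
    disallowed construct) counts as not satisfied: the PDP fails closed."""
    if constraint is None:
        return True
    try:
        return bool(_eval(ast.parse(constraint, mode="eval"), ctx))
    except (KeyError, AttributeError, ValueError, TypeError, SyntaxError):
        return False


def subject_matches(subject, user, roles):
    if subject == "everyone":
        return True
    if subject.startswith("//role/"):
        return subject in roles
    if subject.startswith("//group/"):
        return subject in user.groups
    return subject == user.name


def effective_roles(policies, resource, user, base_roles, pip):
    """Role policies (//role/ targets) scoped to the resource: grants first, then denies override."""
    ctx = dict(user=user, **pip)
    roles = set(base_roles)
    applicable = [p for p in policies if p["target"].startswith("//role/")
                  and resource.startswith(p["resource"])]
    for effect in ("Grant", "Deny"):
        for p in applicable:
            if p["effect"] == effect and subject_matches(p["subject"], user, roles) \
                    and constraint_holds(p["constraint"], ctx):
                (roles.add if effect == "Grant" else roles.discard)(p["target"])
    return roles


def is_access_allowed(policies, privilege, resource, user, base_roles, pip):
    """Access policies: deny overrides grant; no applicable policy means Deny."""
    roles = effective_roles(policies, resource, user, base_roles, pip)
    ctx = dict(user=user, **pip)
    decision = "Deny"
    for p in policies:
        if p["target"].startswith("//role/") or p["target"] != privilege:
            continue
        if not resource.startswith(p["resource"]):
            continue
        if not (subject_matches(p["subject"], user, roles)
                and constraint_holds(p["constraint"], ctx)):
            continue
        if p["effect"] == "Deny":
            return "Deny"
        decision = "Grant"
    return decision


POLICIES = parse_policies(POLICY_TEXT)
# Constructed subjects, resources and requests (the PIP data)
ALICE = SimpleNamespace(name="alice", JobTitle="BankManager", BusinessUnit="Retail",
                        groups={"//group/UnitManagers"})
BOB = SimpleNamespace(name="bob", JobTitle="Trader", BusinessUnit="Brokerage", groups=set())
REPORT = SimpleNamespace(BusinessUnit="Retail")
ACCOUNT = SimpleNamespace(owners=["alice"], transferlimit=5000)
SMALL_TRANSFER = SimpleNamespace(amount=4000)
LARGE_TRANSFER = SimpleNamespace(amount=9000)

if __name__ == "__main__":
    print(effective_roles(POLICIES, "//app/AccountReports", ALICE, set(), {}))
    print(is_access_allowed(POLICIES, "transfer", "//app/account", ALICE, set(),
                            {"resource": ACCOUNT, "request": SMALL_TRANSFER}))
```

Two design points carry over to any PDP: role policies are resolved for the requested resource before access policies are consulted, because an access policy's subject may itself be a role; and an unevaluable constraint is a Deny rather than an error surfaced to the application, since a PEP that catches an exception and falls through to its default branch is a classic source of authorization bypass. The Delegate effect from the slide is not modelled here.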
OES – policy verification (simulation)
• Administrators can verify policy correctness before writing an application.
• Lets administrators try out various entitlement scenarios without involving development teams.
• Reduces testing and set-up costs.
OES architecture – SCM
(Diagram: the Service Control Manager (SCM) sits between the Admin Server and the SSMs. The Admin Server sends policy data and configuration to the SCM, which delivers the SSM Configuration to each SSM; Admin Server, SCM and SSM are linked by a Configuration ID and enrollment data, and each SSM is identified by its SSM Conf ID. Functional separation: Administration (Admin Server, BLM) on one side, External Application (SCM, SSM) on the other.)
Security Module Pluggable Framework
(Diagram: the OES Security Module exposes a Framework API to the External Application and hosts five provider types, backed by Identity Directories, Entitlements and Secure Audit Logs.)
Authentication
• Integrate with LDAP, RDBMS, Custom Identity Stores
• Leverage multiple stores simultaneously
• Assert identity from SSO or custom tokens
• Establishes JAAS Subject
Authorization
• Provide Grant/Deny decisions based upon policies
• Integrate external entitlement attribute data from LDAP, RDBMS, SDO
Role Mapping
• Dynamically map users to Roles based upon policy
Auditing
• Log messages generated by framework events
• Write to everything from log4j to secured filesystems and RDBMS
• Describe custom handlers for various events
Cred Mapping
• Translate credentials into custom formats
• Helps propagate identity across disparate systems
Security Module Configurations
Distributed configuration (Embedded PDP) or centralized configuration (Centralized PDP)
Available Security Modules:
• Java API / RMI
• .Net API
• SOAP API
• XACML 2.0
• Oracle DB (with VPD)
• SharePoint (MOSS)
• WebLogic Server, Tomcat, Websphere
• Plain Old Java Object (POJO)
• Oracle Service Bus
• Documentum Client/Content Server
• Custom
SMs are kept synchronized with the central policy store
• Handle “push” from Admin Server
• Retrieve policy upon startup
• SMs maintain local persistent caches of relevant policy
• SMs maintain local caches of attribute and policy decisions
(Diagram: each Security Module carries the ATN, ATZ, RM, AD and CM providers.)
Integrating Enterprise Data Sources: Making Policy Decisions On Current Business Information
Standardized enterprise data sources can be easily integrated into OES policy decision points by an administrator.
• Relational Databases
• LDAP Directories
• Custom Sources
• Caching framework ensures performance for latency-sensitive decision points
• Data sources can be added or changed in minutes by an administrator
• Non-standard data sources can also be incorporated manually
(Diagram: the PDP in the Security Module (ATN ATZ RM AD CM) reads from LDAP, RDBMS and custom sources.)
OES and Developers: Policy Decisions and Enforcement
• OES Developer Tools
• OES Java API
• Automatic resource generation
• JSP tag library
• C# Client library
• ASP .NET tag library
Extensibility, Customization
• Extensibility points:
• Open provider interface to implement custom logic for all security services
• Support for custom plug-ins
• Policy evaluation functions
• Custom attribute retrievers
• Management API to implement custom management applications
• Ability to customize Entitlement Management UI
• Customization is used by practically every deployed customer. Most popular
extensions are
• Custom attribute retrievers and evaluation functions
• Custom Authentication providers
• Custom Audit providers
• Custom management applications
OES and Java Application (Centralized)
• OES provides powerful PDP Proxy client for standalone PDP functions
• PDP Proxy handles decision caching, logging and failover across SOAP and RMI Security Modules
• Make authorization decisions using shared policy across different applications
(Diagram: the Java Application holds a PDP Proxy with a Decision Cache; the proxy calls a remote RMI-SM or WS-SM Security Module (ATN ATZ RM AD CM) that keeps the Policy Cache and consults the Identity Directory.)
OES and Java Application (Embedded)
• Changing from Centralized to Embedded is a simple configuration change.
• No code changes required in application.
(Diagram: the Java-SM Security Module (ATN ATZ RM AD CM) with its Policy Cache runs inside the Java Application behind the same PDP Proxy and Decision Cache, consulting the Identity Directory.)
OES and Oracle RDBMS
(Diagram: the Oracle-SM. In the Oracle Server with VPD, a LOGON trigger establishes the user context; the OES Plug-in, a Java Stored Procedure, passes user, resource and SQL action to the Security Module (ATN ATZ RM AD CM), whose Policy Cache is synchronized from the Admin Server. Example policy on the slide:
grant(select, //DB/University/Engineering/Students, John)
report_as(“Apply_Where”, “course_id=CS100 or course_id=CS200”)
The query “select * from courses;” is executed with the generated predicate “where course_id = …” and returns protected results from DB Storage.)
OES and .NET
• Externalize security for .NET based applications
• OES ships with C# client for standalone PDP functions
• Authenticate against Active Directory (or ADAM)
• Make authorization decisions using shared policy across different applications
(Diagram: the .NET Application uses the OES C# Client to call a Web Services-SM Security Module (ATN ATZ RM AD CM) with its Policy Cache; authentication is against Active Directory.)
OES and SharePoint
• OES protects
• Web Sites
• Web Pages
• Web Parts
• List Items
• Custom page content
• Any ASP page
• Standalone SM supported - may be shared by multiple SharePoint servers
• Resource discovery of existing SharePoint assets
(Diagram: on a .NET SharePoint 2007 server host, an OES Custom HTTP Module and OES Controls on the Web Pages and Web Parts obtain entitlements from a WS-SM Security Module (ATN ATZ RM AD CM).)
Lifecycle support: Evolve Security Policy Without Changing Applications
(Diagram: administrators and regulators, application administrators, developers and the security officer all work with Oracle Entitlements Server rather than with the application code.)
Massive Scalability Case Study
Oracle Entitlements Server (OES) Case Study
Retail Banking Customer Requirements
• Ability to model complex set of business policies
• Ability to support big user population with complex set of
entitlements
• Ability to support complex infrastructure with multiple
functional components
• Ability to support multiple environments (.NET, Web
Services)
• Ability to support high load
Use Cases
• Run time use cases
• Login, view list of accounts and available services
• View Account details and available services
• Transfer to account
• Administration use cases
• Create sub-user
• Grant sub-user access to some services and set transfer limit
• Designate user as Administrator by CSR
(Diagram: Login Host (WLS), Details Host (.NET Application), WebService on WLS, Users and Accounts Database.)
Requirements - User Base
• User can be Primary or Sub-User. Primary User can be
Administrator. Administrator may have Sub-Users
• 1-to-1 mapping between Primary Users and Customers
• Customer/Primary User may have multiple accounts
Primary Users: 24,000,000
Administrators: 1,000,000
Number of Sub-Users per Administrator: 0-150
Average number of Sub-Users per Administrator: 5
Total Users (approximate): 30,000,000
Requirements - Accounts and Entitlements
• Customer may have many accounts
• Customer is associated with one of 5 segments and one of 9 banks
• Account may be one of 6 types
• User may be enrolled into one of 3 services
• Sub-User has access to subset of services available to Admin
• Sub-User transfer limit is defined by Admin
• User transfer limit is defined by a daily limit and a segment-specific limit
Max number of accounts per customer 1000
Average number of accounts per customer 2.43
Total Accounts (approximate) 60,000,000
Requirements - Complex Policies
• Run Time Policies (simplified examples)
• Transfer between accounts is granted if accounts are in good status, amount doesn’t
exceed transfer limit, and transfer is allowed for both accounts.
• Transfer of less than $4,000 is not allowed from Home Equity accounts in certain states
• Transfer is denied to particular account type
• Transfer is allowed only from particular account types for particular banks
• Wire Services is available only if user is enrolled into Wire Service, has access to
account, account is of certain type, and in good standing
• Administration Policies (simplified examples)
• Only Admin can grant services and define transfer limits for sub-users
• Admin can grant services and define transfer limits only for his/her own sub-user
• Admin can grant only services he/she has
• Only CSR can designate a Primary User as an Admin
Performance Requirements
• Latency targets by number of accounts per customer (90% of customers / 10% of customers / Average)
Mean number of accounts: < 250ms / < 2sec / < 250ms
Max number of accounts: < 1sec / < 10 sec / < 1 sec
• Throughput (Transaction: Peak Busy Hour / Peak Busy Minute)
Login/List of Accounts: 400,000 (111 tps) / 9,000 (150 tps)
Accounts Details: 114,286 (32 tps) / 2,571 (43 tps)
Transfer: 57,143 (16 tps) / 1,286 (21 tps)
Sustain for 4 hours / Sustain for 10 min
• Login latency – contributed by entitlement processing
Testing Approach - Site Infrastructure
(Diagram: Load Runner Agents drive two blocks (Block 1, Block 2) through Ethernet Switches. Each block contains Login Hosts, a Details Host and App Hosts. Shared components: OES Admin Server, Database Server with the OES DB (Users, Entitlements) and the Accounts DB (Accounts, Customers).)
• 1 Block – 2 Login Hosts, 1 Details Host, 2 MMS Hosts
• By increasing the number of blocks we can linearly increase the performance of the test site
Generating Test Data
• List of users (30,000,000) was generated using US Census Bureau data on
most frequent first and last names.
• Program was written to generate user, customer, account, entitlement
records in accordance with the required distribution.
Users 30,000,000
Administrators 999,588
Sub-Users 5,009,181
Customers 24,990,819
Accounts 60,630,229
Customers with 10 accounts or more 649,690
Customers with 20 accounts or more 489,946
Customers with 100 accounts or more 244
Customers with 500 accounts or more 101
Customers with 1000 accounts or more 40
Results at a Glance
• Test Hardware vs. Production hardware (Host: Test / Production)
Login: Sun Fire V440, 4 CPUs, 1.2GHz, 8GB RAM / Sun Fire v1280, 8 CPUs, 24GB RAM
Details: Sun Fire V440, 4 CPUs, 1.2GHz, 8GB RAM / HP Proliant DL580, 8 CPUs, 3GHz, 8GB RAM
Application: Sun Fire V440, 4 CPUs, 1.2GHz, 8GB RAM / Sun Fire V440, 4 CPUs, 1.2GHz, 8GB RAM
• Throughput: met Peak Busy Hour requirement with 106 Logins/sec
• Latency: OES added just 41ms to Login with total Login latency of 213ms
Test Results – Total Latency
• Latency increase at Peak Busy Minute indicates system is loaded to capacity
• Adding hardware will “flatten” the line.
(Chart: Latency (sec), 0.00 to 1.40, for customers with the mean number of accounts over a 4-hour run (Hour:Min, 0:00 to 4:19); series: Logins, Details, Transfer, Choose Account for Transfer; the Peak Busy Minute (PBM) is marked.)
Test Results - Scalability of a Block
• Dashed lines indicate 1 Block, Solid lines indicate 2 Blocks
• Throughput of the system can be “linearly” increased by increasing number of blocks
(Chart: Transactions per Second, 0 to 160, over a 4-hour run (Hour:Min, 0:00 to 4:19); series: Logins, Details, Transfer for 2 blocks and Logins-1, Details-1 for 1 block.)
High Availability - Runtime
• Security Module/PDP continues to provide security services even if external components it relies on (such as authentication database, for example) become unavailable.
• Failover for authentication sources
• Failover for entitlement sources (attribute retrievers)
• Failover for Credential Mapper sources
• For data replication between data sources we recommend using a vendor-specific approach or solutions like Oracle RAC
• Runtime independence of SM/PDP from Admin Server
(Diagram: the Security Module in the Application Environment runs the Security Framework with Authentication, Role, Authorization, Auditing and Credential Providers. A Primary and a Back-up Authentication Source, and a Primary and a Back-up Entitlements Source, are each kept in sync by source-specific replication.)
High Availability – Management Time
• OES continues to provide policy modification and distribution functionality even if external components it relies on (such as Admin Server, for example) become unavailable
• Support for primary and secondary Admin Server
• Support for primary and secondary Admin Policy Store
• Support for Oracle RAC
• Support for transactional management operations
• Support for transactional policy distribution
(Diagram, shown on two slides with OES and with the older ALES naming: a Primary Admin Server with the Primary OES DB and a Secondary Admin Server with the Secondary OES DB, kept in sync by RDBMS-specific replication; OES Administrators in New York, London and Tokyo, each site with an SSM in its Application Environment.)
Installing OES…
(Diagram: Oracle WebLogic Server 10.3 hosts OES Admin, with the default SCM deployed during OES Admin installation; Security Modules: Oracle DB, Webservice SSM, .Net SSM, Oracle SSM.)
Installing OES SM…
Configuring OES SM… (Authentication Provider)
Configuring OES SM… (Credential Mapping Provider)
Configuring OES SM… (Attribute Retriever)
OES : Oracle SM
• The primary method of enforcing protection is through a “where” SQL clause.
• Protection is limited to “select”, “update” and “delete” SQL statements
• OES policy can give a “deny”, which will prevent the execution of the underlying query
• OES policy can give an unrestricted allow, which will allow execution without any restrictions
• Using the “report_as” clause, OES policy can generate a “where” clause predicate which can be used as a restriction. For example, if OES generates the predicate “DEPT = 101”:
• Original query: Select * from orders
• New query: Select * from orders where DEPT=101
OES : Oracle SM
• WebService SSM will act as PDP
• Oracle-SSM is implemented by an Oracle Java Stored Procedure (JSP) which forwards authorization requests to the WebService SSM (a JSP is functionally similar to a PL/SQL stored procedure, but is written in Java)
• Supporting Java Libraries: the following 3rd party modules are loaded into the Oracle schema to support the OES Java Stored Procedure
• saaj.jar
• jaxrpc.jar
• wsdl4j.jar
• log4j.jar
• commons-logging.jar
• commons-discovery-0.2.jar
• axis.jar
• ssmwsClientStub.jar
• FGACIdentityAsserter (Identity Asserter provider)
• This provider will allow Oracle-SSM to rely on Oracle DB to authenticate users.
OES : Oracle SM – architecture
(Diagram: the same Oracle-SM architecture as on the “OES and Oracle RDBMS” slide above: Oracle Server with VPD, LOGON trigger, OES Plug-in as a Java Stored Procedure, Security Module (ATN ATZ RM AD CM) with its Policy Cache synchronized from the Admin Server, and the grant/report_as example rewriting “select * from courses;” with a “where course_id = …” predicate.)
OES - Oracle SM: mapping
• Need for Mapping
• Fit Oracle users, schema, table etc. into OES policy model
• Allow sharing of users with other applications
(Diagram of the mapping:)
SQL statement: select * from sales where ORDER > 10005
OES Priv. name: select
OES Resource name: app-root-node/<Oracle-SID>/<db-schema-name>/sales
db-user -> OES user name: //user/<identity-dir>/db-user
OES : Oracle SM – authentication
(Sequence: the sqlplus client logs in to Oracle-DB; Oracle-DB calls the OES Login Trigger, which authenticates with the Webservice-ssm; the Webservice-ssm calls the FGACIdentityAsserter; the user is authenticated.)
OES : Oracle SM – authorization
(Sequence: the sqlplus client issues “select * from table” to Oracle-DB; Oracle-DB calls the FGAC plug-in (OES JSP plug-in), which maps the request to OES format and makes a WS isAccess() call to the Webservice-ssm (ARME); the ARME evaluates the OES policy queries and inserts constraints from report_as(); the constraint is returned as a SQL “where” predicate; Oracle-DB returns results using the OES predicate.)
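The three Oracle-SM slides above (the “where” clause rules, the mapping of a SQL statement to an OES privilege, resource and user, and the authorization sequence) as one added example; this is not Oracle's plug-in code. It maps a statement to the request the mapping slide describes, looks the decision up in a constructed table that stands in for the Webservice-ssm's isAccess() answer, and rewrites the statement the way the slide's “Apply_Where” predicate is applied, running the result against a constructed SQLite table. The decision values, users and rows, the identity directory name, lower-casing of the table name and the refusal of statement kinds the SM does not protect are all assumptions of the example.

```python
import re
import sqlite3

# Constructed decisions standing in for the Webservice-ssm answer for
# (OES user, OES resource, privilege): "deny", an unrestricted "grant", or a
# "grant" carrying the predicate of report_as("Apply_Where", ...).
DECISIONS = {
    ("//user/corp/john", "app/ORCL/HR/courses", "select"): ("grant", "course_id in ('CS100','CS200')"),
    ("//user/corp/jane", "app/ORCL/HR/courses", "select"): ("grant", None),
    ("//user/corp/eve",  "app/ORCL/HR/courses", "select"): ("deny", None),
    ("//user/corp/john", "app/ORCL/HR/courses", "delete"): ("deny", None),
}

# Where the protected table name sits in each statement kind
TABLE_RE = {
    "select": r"\bfrom\s+(\w+)",
    "delete": r"\bfrom\s+(\w+)",
    "update": r"^\s*update\s+(\w+)",
}


def map_request(sql, sid, schema, db_user, identity_dir="corp"):
    """Fit a DB statement into the OES model: SQL action -> privilege,
    app/<SID>/<schema>/<table> -> resource, DB user -> //user/<identity-dir>/<user>."""
    m = re.match(r"^\s*(select|update|delete)\b", sql, re.I)
    if not m:
        # The real SM protects only these three statement kinds; this example
        # refuses anything else instead of passing it through (conservative assumption).
        raise ValueError("statement kind is not protected: " + sql.split()[0])
    action = m.group(1).lower()
    t = re.search(TABLE_RE[action], sql, re.I)
    if not t:
        raise ValueError("cannot determine table: " + sql)
    resource = f"app/{sid}/{schema}/{t.group(1).lower()}"
    return f"//user/{identity_dir}/{db_user}", resource, action


def apply_decision(sql, decision, predicate):
    """deny -> the statement is not executed; grant without predicate -> unchanged;
    grant with predicate -> the predicate becomes (part of) the where clause."""
    if decision != "grant":
        raise PermissionError("execution prevented by OES policy")
    if not predicate:
        return sql
    body = sql.strip().rstrip(";")
    m = re.match(r"^(.*?)\s+where\s+(.+)$", body, re.I | re.S)
    if m:   # keep the caller's own filter, but AND it with the policy predicate
        return f"{m.group(1)} where ({m.group(2)}) and ({predicate})"
    return f"{body} where {predicate}"


def protected_query(conn, sql, db_user, sid="ORCL", schema="HR"):
    """What the JSP plug-in does on the DB side: map, ask the PDP, rewrite, run."""
    key = map_request(sql, sid, schema, db_user)
    decision, predicate = DECISIONS.get(key, ("deny", None))   # unknown -> fail closed
    return conn.execute(apply_decision(sql, decision, predicate)).fetchall()


def is_denied(conn, sql, db_user):
    """True when policy prevents the statement from running at all."""
    try:
        protected_query(conn, sql, db_user)
        return False
    except PermissionError:
        return True


def sample_db():
    """Constructed table standing in for HR.COURSES in the ORCL instance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table courses (course_id text, title text)")
    conn.executemany("insert into courses values (?, ?)",
                     [("CS100", "Intro"), ("CS200", "Data structures"), ("EE300", "Circuits")])
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(protected_query(db, "select * from courses;", "john"))
    print(is_denied(db, "select * from courses", "eve"))
```

The string rewrite is the part to distrust: a `where` inside a string literal or a subquery would confuse the regular expression, which is why the real Oracle-SM lets VPD attach the predicate inside the database's own parser rather than concatenating text. The two rules worth copying are that a request with no matching decision is denied, and that the caller's own `where` is combined with the policy predicate rather than replaced by it, so a user cannot widen the result set by adding a filter of their own.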
DEMO
Oracle Access Management Functional Architecture
Oracle Access Management Functional Capabilities
(Diagram: Authentication Security – Authentication, Single Sign-On, ID Assertion, Fraud Detection, ID Federation, WS Security; Authorization – Entitlements, Data Security.)
Functional Architecture
• Authentication & SSO
• Policy driven user authentication
• Challenge schemes, credential collection/validation
• SSO and session management
• Cross domain SSO, federated identity management
• Identity Assertion
• Provides authenticated identities to applications, portals, and web services
• Entitlements & Authorization
• Enforcing granular access in application environments
• Enforce data level security
Oracle Access Management Functional Architecture
(Diagram by tier: Web Tier – Oracle Access Manager, Federation Service, Oracle Adaptive Access Manager (Authentication & SSO, Identity Assertion); Application Tier – Oracle Entitlements Server, Oracle Adaptive Access Manager, Federation Service (Entitlements & Authorization); Data Tier – Oracle Entitlements Server.)
Oracle Access Management: OAM and Application Integration
(Diagram: in the Web Tier, Oracle Access Manager provides Authentication, Single Sign-On and ID Assertion; Applications receive the asserted identity as HTTP Header Variables, Windows Users or a JAAS Subject.)
1. Check URL Access
2. Challenge for Credentials
3. Validate Credentials
4. Set Session Cookie
5. Authorize URL Access
6. Assert Authenticated Identity
Oracle Access Management: OAM and OES, Part I
(Diagram: Oracle Access Manager – Authentication, Single Sign-On, ID Assertion; Oracle Entitlements Server – Authorization, Entitlements.)
1. Check URL Access
2. Challenge for Credentials
3. Validate Credentials
4. Set Session Cookie
5. Authorize URL Access
6. Assert Authenticated Identity
7. Fine-grained Resource Access
Oracle Access Management: OAM and OES, Part II
(Diagram: Oracle Access Manager – ID Assertion; Oracle Entitlements Server – Authorization, Entitlements.)
6. Assert Authenticated Identity
7. Retrieve Trusted Subject, Resource Request, & Security Context
8. Dynamic Role Evaluation
9. Retrieve Additional Attributes
10. Check Application Authorization Policy Against Subject/Roles + Resource/Action
11. Enforce Fine Grained Resource Access
Oracle Access Management: OAM and OES, Part III
(Diagram: Oracle Access Manager – ID Assertion; Oracle Entitlements Server – Entitlements, Data Security.)
6. Assert Authenticated Identity
7. Retrieve Subject, Security Context, Data Request
8. Dynamic Role Evaluation
9. Retrieve Additional Attributes
10. Check Data Access Policy
11. Enforce Fine Grained Data Access
12. Redact Data From Application/End User
Oracle Access Management: OAAM and OES, Part I
(Diagram: Oracle Adaptive Access Manager – Authentication Security, Fraud Detection; Oracle Entitlements Server – Authorization, Entitlements.)
6. User/Session ID
7. Retrieve Trusted Subject, Resource Request, & Security Context
8. Evaluate Context Data and Compute Risk Score
9. Return Risk Score Attribute To OES
10. Enforce Fine Grained Application Access Policy with Risk Obligations
Oracle Access Management: OAAM and OES, Part II
(Diagram: Oracle Adaptive Access Manager – Authentication Security, Fraud Detection; Oracle Entitlements Server – Authorization, Entitlements.)
6. User/Session ID
7. Resource Request
8. Evaluate Context Data and Compute Risk Score
9. Present Knowledge-Based Authentication Challenge or OTP
10. Recalculate Risk Score Based on Secondary Challenge
11. Return New Risk Score Attribute To OES
12. Enforce Fine Grained Policy
Oracle Access Management: OAAM and OAM
(Diagram: Oracle Access Manager – Authentication, ID Assertion; Adaptive Access Manager – Authentication Security, Fraud Detection.)
1. Check URL Access
2. Evaluate Risk
3. Generate and Return Virtual AuthN Device
4. Authenticate with Virtual AuthN Device
5. Validate Credentials, Set SSO Cookie, Assert Identity
6. Evaluate Real Time Transaction Data
7. Calculate Risk for Transaction 1, Set Alert
8. Calculate Risk for Transaction 2, Block Transaction
9. Calculate Risk for Transaction 3, Set Secondary Knowledge-Based Authentication or One Time Pin
Oracle Access Management: OAM and OIF
(Diagram: Oracle Access Manager – Authentication, Single Sign-On – with the Identity Provider's Federation Services on one side and the Service Provider's Federation Services on the other.)
1. User Requests Protected Resource, OIF Redirects to OAM for Authentication
2. Challenges User, Authenticates Credentials
3. Set SSO Cookie, Asserts Authenticated Identity to Federation Service
4. IdP Generates Authentication Assertion, Sends Signed/Encrypted Assertion to Service Provider
5. SP Consumes Authentication Assertion, Locally Authenticates User, Redirects to Protected Resource
Oracle Access Management: OES and OWSM
(Diagram: Oracle Entitlements Server – Authorization, Entitlements; Oracle Web Services Manager – WS Security.)
1. User invokes secured web service
2. Retrieve Trusted Subject, Service Request
3. Dynamic Role Evaluation
4. Retrieve Message Context
5. Check Application Authorization Policy Against Subject/Roles + Resource/Action
6. Provide service access decision to OWSM
7. Enforce Fine Grained Service Access
Oracle Access Management: OAM and OWSM
(Diagram: Oracle Access Manager – Authentication, Single Sign-On; Oracle Web Services Manager – WS Security.)
1. Challenges User, Authenticates Credentials
2. Set SSO Cookie, Asserts Authenticated Identity to Portal
3. Portal Invokes Remote Web Service on User's Behalf
4. PEP Intercepts Request and Checks for SSO Cookie
5. SSO Cookie Verified by OAM, Service Access Allowed
DEMO
OAM+OAAM+OES integration
JSP tags
<%
    // OES client object the application placed in the session; the user identity
    // is taken from the HTTP header asserted by OAM (see "OAM and Application Integration")
    OES security = (OES) session.getAttribute("security");

    // Mask a field unless policy permits viewing it
    if ( security.authorize( request.getHeader("UserId"), "mybank/customer/phone", "view" ) )
        out.print(session.getAttribute("phone"));
    else
        out.print("(***) ***-****");

    // Decide once, then use the result throughout the page
    boolean canTransfer = security.authorize( request.getHeader("UserId"), "mybank/transfer", "transfer" );
%>
<% if ( canTransfer ) { %>
    Here you can move money between your accounts. Please note that you are allowed up to six (6)
    transfers per month. Transfers to Home Equity Lines of Credit may be subject to additional
    regulations.
<% } else { %>
    We're sorry, but you are unable to perform transfers between accounts. Please contact a
    <a href="www.oracle.com">Customer Representative</a> for additional information or questions.
<% } %>
<%-- The control this attribute belongs to is not shown on the slide; a submit button is assumed --%>
<input type="submit" value="Transfer" <% if ( !canTransfer ) out.print("disabled=true"); %> />