Series of Visual Flow Diagrams

Date post: 21-Mar-2017
Upload: mike-reams
Transcript

Drawing 1.1: Architecture for User Flow to secure application data
Revision: 1.0; Drawing #: 1.1; Date: 11/29/2015; Size: Letter
Environment: (blank); Created by: (Mike Reams); New Servers: 0
Legend: Virtual; Physical; Software Load Balancer; Software Module; Data Call; Load Balancer; External Network; Internal Network
Swimlanes: Client; Network; Mid-Tier; Data Layer (Start to End)

Diagram labels, in reading order:
Internet
Database
Red Hat Linux
App1
Cluster DNS
Windows Servers
External F5 LB
LDAP Cluster
Intranet
External Firewall
Windows 2012
Windows 2012 IIS 7.5
Identity Web Services
Linux Red Hat: Linux VM 1, Linux VM 2
Internal LB: Service Bus
Java Web Service
Linux Red Hat: Linux VM 1, Linux VM 2
Active Directory
Oracle LDAP
Process images into binary data
File from client
Resizing process
Oracle Federation
Oracle Web Gate
OHS provides reverse proxy to internal services such as the Oracle Identity Services
Technical Design
Get and display image to browser via REST
Oracle Web Gate
Write data to DB
Internal F5 LB

Notes on the drawing:
When a person uploads a file, the screen executes code to copy it to a Linux server, where it is cropped and resized to small, medium, and large. This cropping and resizing occurs on the Linux server using an optional Linux install package.
The process is to copy the original file from the down to a Linux directory /psoft/datafiles/. Run the "convert" command to do the cropping and resizing, and then load the resulting files into the tables' blob fields. Then delete the files from the Linux directory.
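The upload procedure in the drawing notes (copy to /psoft/datafiles/, run "convert" for three sizes, load the results into blob fields, delete the staging files) as an added example in Python. This is not code from the drawing set or its author. It assumes a per-upload subdirectory under /psoft/datafiles/, three output geometries, an image_blobs table, SQLite standing in for the application database, and ImageMagick as the provider of the "convert" command; those are all choices made here. The points a reviewer would check on such a pipeline are shown inline: the client's filename is reduced to a single safe component, the decoder is chosen from magic bytes rather than the client's extension, convert is invoked as an argv list without a shell, metadata is stripped before storage, and the "delete files from Linux directory" step runs in a finally block so a failed convert cannot leave client data behind.

```python
"""Added example, not code from the drawing set: the upload, crop/resize and
store-as-BLOB procedure from the drawing notes, written so the client's file
never chooses its own path, decoder or shell command.

Assumptions (not in the original): the per-upload subdirectory under
/psoft/datafiles/, the three geometries, the image_blobs table, SQLite as a
stand-in for the application database, and ImageMagick as the provider of
the "convert" command.
"""
import base64
import os
import re
import shutil
import sqlite3
import subprocess
import tempfile
from pathlib import Path

STAGING_ROOT = Path("/psoft/datafiles")  # the Linux directory in the drawing
SIZES = {"small": "128x128", "medium": "512x512", "large": "1024x1024"}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def safe_basename(client_name: str) -> str:
    """Reduce the browser-supplied filename to one safe path component.

    Directory parts are dropped (the staging directory is chosen server
    side) and names outside a conservative character set are refused, so
    "." / ".." / empty names and shell-relevant characters never reach disk.
    """
    name = os.path.basename(client_name.replace("\\", "/"))
    if not _SAFE_NAME.match(name):
        raise ValueError(f"rejected client filename: {client_name!r}")
    return name


def sniff_format(data: bytes) -> str:
    """Choose the decoder from the file's magic bytes, not from the client's
    extension, so a non-image renamed to .jpg is refused before convert runs."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    raise ValueError("unsupported image type")


def convert_args(src, dst, geometry: str, fmt: str) -> list:
    """Argument vector for 'convert' (passed as argv, never through a shell).

    "fmt:" pins the input decoder, "[0]" takes only the first frame,
    "-strip" drops embedded metadata before the bytes go into the DB, and
    resize with "^" followed by "-extent" gives the crop-to-fill behaviour.
    """
    return ["convert", f"{fmt}:{os.fspath(src)}[0]", "-auto-orient", "-strip",
            "-resize", f"{geometry}^", "-gravity", "center",
            "-extent", geometry, f"jpeg:{os.fspath(dst)}"]


def create_schema(db: sqlite3.Connection) -> None:
    db.execute("CREATE TABLE IF NOT EXISTS image_blobs "
               "(orig_name TEXT, size_label TEXT, content BLOB)")


def process_upload(client_name: str, data: bytes, db: sqlite3.Connection,
                   staging_root: Path = STAGING_ROOT) -> dict:
    """Stage the file, render each size, store the BLOBs, delete the stage.

    Cleanup sits in `finally`, so a failing convert cannot leave the client's
    file behind in the staging directory. Returns bytes stored per size.
    """
    fmt = sniff_format(data)
    name = safe_basename(client_name)
    workdir = Path(tempfile.mkdtemp(prefix="upload-", dir=staging_root))
    try:
        src = workdir / name
        src.write_bytes(data)
        stored = {}
        for label, geometry in SIZES.items():
            dst = workdir / f"{label}.jpg"
            subprocess.run(convert_args(src, dst, geometry, fmt),
                           check=True, timeout=30, capture_output=True)
            blob = dst.read_bytes()
            db.execute("INSERT INTO image_blobs VALUES (?, ?, ?)",
                       (name, label, blob))
            stored[label] = len(blob)
        db.commit()
        return stored
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    # Stand-alone demo: needs ImageMagick on PATH. Uses a temporary directory
    # instead of /psoft/datafiles/ and an in-memory SQLite database.
    if shutil.which("convert") is None:
        raise SystemExit("ImageMagick 'convert' not found on PATH")
    # A constructed 1x1 transparent PNG so the demo runs offline.
    png = base64.b64decode("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ"
                           "AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==")
    with tempfile.TemporaryDirectory() as stage:
        conn = sqlite3.connect(":memory:")
        create_schema(conn)
        print(process_upload("..\\..\\avatar.png", png, conn, Path(stage)))
```

The per-upload directory from mkdtemp is what makes "then delete files from Linux directory" safe to do unconditionally: nothing else lives there, so rmtree cannot remove another upload's files or a stray symlink target chosen by the client.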

Federation drawing
Project Name: (blank); Designed By: Solutions Architect; Revision: 1.3; Environment: DR; Date: 11/29/2015
Legend: Security; User Flow; Software Module; Back-end Service; DNS or IP Range; Security Module; Access Points

Diagram labels, in reading order:
Proxy Layer
Middleware
Virtual Web Server
A user signed in to their Portal invokes an IdP federation link to federate into a Federated Service Provider
Identity Authorization Layer
Federation Web Servers
Web Gate
Access Management Layer
Virtual Apache OHS Reverse Proxy
Web Gate
User's session now has the credentials and will redirect to RelayState
Service Provider (HCM)
HCM App DB
Virtual WebLogic
F5 Load Balancer
Apache OHS w/ WebGate
Load Balancer
User's session is automatically redirected by definition of the "RelayState" (from IdP) after credentials/token is created
External/Internal DNS Resolution
Internal Facing Firewall
External F5 Load Balancer: listens on port 443
Virtual Directory Layer
Virtual Apache
Get authorization for ID to generate token
Data Access
Directory Server 1, Directory Server 2
SQL Server 1, SQL Server 2
Web Gate
Get Authorization
Get Authorization
External Firewall
End-User
Load Balancer
Proxy to Authorization Layer based on NameID in assertion
Federated "Service Provider" (aka SP)
Abstracted Data Repositories

New Hire Workflow (Business Process 1.1, 1.2, 1.3)
Swimlanes: Provisioning; Hiring Process; Resources
Demonstrates an employee becoming a "New Hire" in the Identity Management Environment. This workflow addresses 3 business requirements in a single architecture.

Diagram labels, in reading order (step numbers as drawn):
Oracle Service Bus sends data to Queue for data processing of employee
HR receives the new hire information and enters them into HCM
Manager initiates new hire form
3
HCM instantly sends data to the Oracle Service Bus (4)
5
The Queue sends the XML message to the OIM End-Point (6)
OIM received data & processes the new employee record
7
OIM begins business logic to determine how to process the employee
8
OIM performs lookup on new account to see if it exists
Account exists?
OIM will provision a new Active Directory account using the automatic naming convention
OIM sends email to Help Desk to request to create a new naming convention since one exists or to use the one it is trying to create
The OIM BPEL process receives email from CSC and processes the employee with the assigned NOS account
OIM provisions records into Birth-Right Resources, but will assign the existing account referenced in the email or will create using a new naming convention specified by Help Desk
10e
OIM provisions employee records into resources as normal and creates new network account
14
OIM BPEL sends email to manager that the provisioning process is complete
16
Corporate employee?
9
OIM provisions new account in OIM identity store and assigns resources based on role
OIM provisions new employee records into downstream resources
10a
10b
13
10c
10d
11
12
Manager initiates new hire process from Talent Management
1a
1b
Manager initiates badge request form (2)
Yes
Yes
No
No
OIM writes email & phone number to HCM
15

Integrated SSO into Service Provider
Swimlanes: Mid-tier IdP; Client Browser; SP & the IdP
Demonstrates a user accessing an SSO provider from Portal as an authenticated/authorized user originating from the IdP.

Diagram labels, in reading order (step numbers as drawn):
SP authorizes user from the Header passed or the SAML request
Portal
SSO Landing Page
Enter credentials to Login Page
3
Successful AuthN will redirect to Portal (4)
Invoke configured link to protected URL & generate token. Redirects using the relaystate parameter
Click link to SSO Service
6
5
SSO Application
8
Identity Web Services
Oracle Web Gate allows access to resource defined in OAM if token is present
9
Error trapping will send to default error page if there's a session issue
Front-end access point to the Oracle federation requests; will broker the SAML request to the vendor's SP (ACS)
Is session directing to integrated or federated?
7
Federated
Integrated
Jump Service
Internal or External?
Internal
Post credentials via reverse proxy rules
Extranet Appliance
Invoke Company Portal
User
1
External
As a guest, you're directed to a Login Page (2)
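Both the federation drawing above (Revision 1.3: "User's session now has the credentials and will redirect to RelayState") and the Integrated SSO flow ("Redirects using the relaystate parameter") hand the browser to a destination named by RelayState once the token exists. The check below is an added example in Python, not part of the drawings or the author's environment: it accepts a site-relative path or an https URL on an allow-listed Service Provider host and falls back to a fixed landing page for anything else, which is what keeps the IdP from acting as an open redirector for freshly authenticated sessions. The allowed-host set, the default landing page and the function name are assumptions; the 80-byte ceiling is the limit the SAML 2.0 Bindings specification places on RelayState.

```python
"""Added example, not code from the drawing set: deciding where the IdP may
send the browser once the session holds credentials and the flow says
"redirect to RelayState".

Assumptions (not in the original): the allow-listed Service Provider hosts,
the fallback landing page and the function name are chosen here.
"""
from urllib.parse import urlsplit

# SAML 2.0 Bindings: a RelayState value MUST NOT exceed 80 bytes.
MAX_RELAY_STATE_BYTES = 80

# Hosts the IdP is willing to hand a fresh session to. The HCM Service
# Provider from the drawing is represented by a constructed hostname.
ALLOWED_SP_HOSTS = frozenset({"hcm.example.com"})
DEFAULT_LANDING = "/portal/"


def resolve_relay_state(relay_state, allowed_sp_hosts=ALLOWED_SP_HOSTS,
                        default=DEFAULT_LANDING):
    """Return the redirect target to use for this RelayState, or `default`.

    Accepted:
      * a site-relative path such as "/hcm/employee/home"
      * an absolute https URL whose host is in allowed_sp_hosts, on the
        default port, with no userinfo
    Rejected (fall back to default): empty or oversize values, control
    characters, backslashes, scheme-relative "//host" forms, any scheme
    other than https, unknown hosts. The fallback is a fixed page so the
    IdP cannot be used to bounce a logged-in user to an arbitrary site.
    """
    if not relay_state:
        return default
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        return default
    # CR/LF in a Location header means header injection; some browsers
    # treat "\" as "/", which would turn "/\\host" into "//host".
    if "\\" in relay_state or any(ord(c) < 0x20 or ord(c) == 0x7F
                                  for c in relay_state):
        return default
    parts = urlsplit(relay_state)
    if parts.scheme == "" and parts.netloc == "":
        if relay_state.startswith("/") and not relay_state.startswith("//"):
            return relay_state
        return default
    if parts.scheme != "https" or parts.username or parts.password:
        return default
    try:
        port = parts.port
    except ValueError:          # malformed port such as "https://h:abc/"
        return default
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_sp_hosts or port not in (None, 443):
        return default
    return relay_state


if __name__ == "__main__":
    for candidate in ("/hcm/employee/home",
                      "https://hcm.example.com/timesheet?week=12",
                      "//evil.example.net/phish",
                      "https://hcm.example.com@evil.example.net/",
                      "http://hcm.example.com/"):
        print(f"{candidate!r:50} -> {resolve_relay_state(candidate)!r}")
```

The function is called at the point the drawing marks "redirect to RelayState", after the token has been issued; the value it returns, never the raw parameter, goes into the Location header. Logging the cases that fall back to the default gives a cheap detection signal for RelayState tampering against the IdP.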

Troux Application Flow [Last Updated: 11/29/2015]
Author: mreams
Swimlanes: Client Browser; Back-End; Company A; Company B; AD Authentication
Legend: User Flow; Database

User A:
User is logged into computer with companya.com Active Directory credentials
User invokes in IE browser Portfolio Instance A
The WAFFLE agent runs in front of the Web Servers as the gateway into the app. WAFFLE checks the user's Windows AD credentials against its configured Troux Roles the person is or is not assigned to
Waffle
Tomcat
Troux_A
SQL Cluster
Active Directory
AD Forest: Companya.com
Service Account runs the Windows service and brokers against coxinc in order to see if the user is in AD groups mapped to Troux Roles
Service Account
AD Forest: Companya.com
Is user authorized?
Yes: User is granted access and will see designated content based on role
No: User is not in any Troux roles and will see blank content on the screen or a message saying access denied

User B:
User is logged into computer with companyb.com Active Directory credentials
User invokes in IE browser Portfolio Instance B
The WAFFLE agent runs in front of the Web Servers as the gateway into the app. WAFFLE checks the user's Windows AD credentials against its configured Troux Roles the person is or is not assigned to
Waffle
Tomcat
Troux_B
SQL Cluster
AD Forest: Companyb.com
Service Account runs the Windows service and brokers against coxinc in order to see if the user is in AD groups mapped to Troux Roles
Service Account
AD Forest: Companyb.com
Is user authorized?
Yes: User is granted access and will see designated content based on role
No: User is not in any Troux roles and will see blank content on the screen or a message saying access denied
User is granted access
User is granted access

Server maintenance script flow

Diagram labels, in reading order:
Refresh System
Perform backups
Execute Script
Check Disk Space
Check Memory
Check System Processes
Check Connectivity
Backup Registry
User
Access DB: D:\Administration\DB\ (stores info)
Check Log Sizes
Collect Network Info
Check PageSys size
Check NTFS permissions
Selectable Options
Backup IIS Meta DB
Gather Server Info and store into DB
Create Report
Backup
IISReset
Clear Logs
Truncate SQL Logs
Check Application Config
Recommended