
Legend:
Internet
Database
Red Hat Linux
App1
Cluster DNS
Windows Servers
External F5 LB
Environment:    Created by: (Mike Reams)    New Servers: 0
Virtual
Physical
LDAP
Cluster
Software Load Balancer
Software Module
External Network
Internal Network
Data Call
Load Balancer
Intranet
Internal Network
External Network
External Firewall

Project Name: Architecture for User Flow to secure application data
Revision: 1.0    Drawing #: 1.1    Date: 11/29/2015    Size: Letter

Components:
Windows 2012
Windows 2012 IIS 7.5: Identity Web Services
Linux Red Hat: Linux VM 1, Linux VM 2
Internal LB: Service Bus
Java Web Service
Linux Red Hat: Linux VM 1, Linux VM 2
Active Directory
Oracle LDAP
Process Images into binary data
File from client
Resizing Process
Oracle Federation
Oracle Web Gate
OHS provides reverse proxy to internal services such as the Oracle Identity Services

When a person uploads a file, the screen executes code to copy it to a Linux server, where it is cropped and resized to small, medium, and large. The cropping and resizing occur on the Linux server using an optional Linux install package.

Technical Design
Get and display image to browser via REST
Oracle Web Gate
The process is to copy the original file from the
down to a Linux directory /psoft/datafiles/. Run the "convert" command to do the cropping and resizing, and then load the resulting files into the table's BLOB fields. Then delete the files from the Linux directory.
Write Data to DB
Internal F5 LB

Swimlanes: Client, Network, Mid-Tier, Data Layer (flow runs Start to End)
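The technical design above (copy the upload into /psoft/datafiles/, run convert for the three sizes, load the results into BLOB fields, delete the files) as an added Python example; it is not the diagram's or the application's own code. The pixel geometries, the image_variants table and the JPEG/PNG-only rule are assumptions. The points a practitioner would want on this step are: identify the upload by magic bytes before anything touches ImageMagick, hand convert an argv list with the decoder pinned by a format prefix so a hostile file name or a mis-labelled file cannot steer it, keep each upload in its own 0700 working directory, insert the BLOB with a parameterised query, and delete the working directory in a finally block so nothing lingers on the Linux server when conversion fails. The resizer is injectable so the pipeline can be exercised without ImageMagick installed.

```python
"""Upload -> /psoft/datafiles/ -> convert -> BLOB -> cleanup (added example)."""
import shutil
import sqlite3
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional

# The three variants the diagram names; the pixel geometries are assumptions.
SIZES: Dict[str, str] = {"small": "64x64", "medium": "256x256", "large": "1024x1024"}

# Accept only formats we can identify from the leading bytes (assumption: JPEG, PNG).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}

Resizer = Callable[[Path, str, Path, str], None]


def sniff_image_type(data: bytes) -> Optional[str]:
    """Classify the upload by magic bytes, never by the client-supplied file name."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return None


def build_convert_argv(src: Path, kind: str, dst: Path, geometry: str) -> List[str]:
    """argv for ImageMagick 'convert': centre-crop to a square, then resize.

    An argv list (no shell) means a hostile file name is only an argument, and
    the 'kind:' prefix pins the decoder to the sniffed format instead of letting
    ImageMagick guess from the content or the extension."""
    return ["convert", f"{kind}:{src}", "-gravity", "center",
            "-resize", f"{geometry}^", "-extent", geometry, f"{kind}:{dst}"]


def convert_with_imagemagick(src: Path, kind: str, dst: Path, geometry: str) -> None:
    """Default resizer: runs the real 'convert' binary with a hard timeout."""
    subprocess.run(build_convert_argv(src, kind, dst, geometry), check=True,
                   timeout=30, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Table standing in for the application's BLOB table (assumed schema)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS image_variants("
               "owner_id TEXT, variant TEXT, mime TEXT, data BLOB)")
    return db


def process_upload(db: sqlite3.Connection, owner_id: str, upload: bytes,
                   datafiles_dir: Path = Path("/psoft/datafiles"),
                   resizer: Resizer = convert_with_imagemagick) -> Dict[str, int]:
    """Copy the upload into a private working directory, produce the three
    variants, load them into BLOB columns with a parameterised INSERT, and
    delete the working directory whether or not conversion succeeded.
    Returns the byte size of each stored variant."""
    kind = sniff_image_type(upload)
    if kind is None:
        raise ValueError("rejected: not a JPEG or PNG by magic bytes")
    # mkdtemp creates the directory mode 0700, so other accounts on the box
    # cannot read or swap the files while convert runs.
    workdir = Path(tempfile.mkdtemp(prefix="upload-", dir=datafiles_dir))
    try:
        src = workdir / f"original.{kind}"
        src.write_bytes(upload)
        stored: Dict[str, int] = {}
        for label, geometry in SIZES.items():
            dst = workdir / f"{label}.{kind}"
            resizer(src, kind, dst, geometry)
            blob = dst.read_bytes()
            db.execute("INSERT INTO image_variants(owner_id, variant, mime, data) "
                       "VALUES (?, ?, ?, ?)", (owner_id, label, f"image/{kind}", blob))
            stored[label] = len(blob)
        db.commit()
        return stored
    finally:
        shutil.rmtree(workdir, ignore_errors=True)   # "then delete files from Linux directory"
```

With ImageMagick present, process_upload(open_db(), "u1", data) runs the real convert; ImageMagick's policy.xml can additionally disable every coder this pipeline does not need, which narrows what a crafted upload can reach.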

Project Name:    Designed By: Solutions Architect
Revision: 1.3    Environment: DR    Date: 11/29/2015
Legend: Security, User Flow, Software Module, Back-end Service, DNS or IP Range, Security Module, Access Points

Proxy Layer
Middleware
Virtual Web Server
A User signed in to their Portal invokes an IdP federation link to federate into a Federated Service Provider.
Identity Authorization Layer
Federation Web Servers
Web Gate
Access Management Layer
Virtual Apache OHS Reverse Proxy
Web Gate
User's Session now has the credentials and will redirect to RelayState.
Service Provider (HCM)
HCM App DB
Virtual WebLogic
F5 Load Balancer
Apache OHS w/ WebGate
Load Balancer
User's Session is automatically redirected by definition of the "RelayState" (from IdP) after Credentials/Token is created.
External/Internal DNS Resolution
Internal Facing Firewall
External F5 Load Balancer: listens on port 443
Virtual Directory Layer
Virtual Apache
Get Authorization for ID to generate Token
Data Access
Directory Server 1, Directory Server 2
SQL Server 1, SQL Server 2
Web Gate
Get Authorization
External Firewall
End-User
Load Balancer
Proxy to Authorization Layer based on NameID in assertion
Federated "Service Provider" (aka SP)
Abstracted Data Repositories
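The two RelayState annotations and the "Proxy to Authorization Layer based on NameID in assertion" step above, as an added Python example; it is not the diagram's code and not Oracle's. The SP entityID, the allow-listed hosts, the pool names and the sample assertion are constructed, and the federation product is assumed to have verified the assertion's signature before this code runs. What it shows is the part the SP still owns after that: the validity window and audience checks, routing on the NameID domain with no fall-back pool, and treating RelayState as untrusted input (it rides in the same POST and is not signed) that may only send the browser to a relative path or an allow-listed https host.

```python
"""SP-side handling of an IdP-initiated SAML login: validity checks, routing on
NameID, and safe use of RelayState (added example; hosts and pools are assumptions)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://hcm.example.com/sp"                      # assumed SP entityID
ALLOWED_RELAY_HOSTS = {"hcm.example.com", "portal.example.com"}  # assumed
AUTHZ_POOLS = {"companya.com": "authz-pool-a", "companyb.com": "authz-pool-b"}  # hypothetical

# Constructed, unsigned sample assertion. The federation product is assumed to
# have verified the XML signature before this code sees the document.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2015-11-29T12:00:00Z">
  <saml:Issuer>https://idp.example.com/fed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@companya.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-11-29T11:59:00Z" NotOnOrAfter="2015-11-29T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://hcm.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str, now: datetime) -> Dict[str, str]:
    """Extract NameID after checking the validity window and the audience.
    For XML arriving from the network use defusedxml rather than the stdlib parser."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    cond = root.find("saml:Conditions", NS)
    if name_id is None or not (name_id.text or "").strip() or cond is None:
        raise ValueError("assertion lacks NameID or Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not nb or not na or not (_ts(nb) <= now < _ts(na)):
        raise ValueError("assertion outside its validity window or unbounded")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    return {"name_id": name_id.text.strip(),
            "format": name_id.get("Format", ""),
            "issuer": root.findtext("saml:Issuer", "", NS).strip()}


def route_by_name_id(name_id: str) -> str:
    """'Proxy to Authorization Layer based on NameID': choose the pool from the
    NameID's domain; an unknown domain is an error, not a default pool."""
    domain = name_id.rpartition("@")[2].lower()
    if domain not in AUTHZ_POOLS:
        raise ValueError(f"no authorization layer for domain {domain!r}")
    return AUTHZ_POOLS[domain]


def safe_relay_state(relay_state: Optional[str], default: str = "/") -> str:
    """A blind redirect to RelayState is an open redirect. Accept only a
    same-site relative path or an https URL on an allow-listed host."""
    if not relay_state or len(relay_state.encode()) > 80:   # SAML bindings cap RelayState at 80 bytes
        return default
    if relay_state.startswith("/") and not relay_state.startswith("//") \
            and "\\" not in relay_state:
        return relay_state
    parts = urlsplit(relay_state)
    if parts.scheme == "https" and parts.hostname in ALLOWED_RELAY_HOSTS:
        return relay_state
    return default


def handle_sso_response(xml_text: str, relay_state: Optional[str], now: datetime) -> Dict[str, str]:
    """Whole SP step: validate, pick the authorization pool, compute the redirect."""
    subject = parse_assertion(xml_text, now)
    return {"name_id": subject["name_id"],
            "pool": route_by_name_id(subject["name_id"]),
            "redirect": safe_relay_state(relay_state)}
```

The host check uses urlsplit's hostname, so a RelayState such as https://portal.example.com@evil.example.net/ is rejected: the allow-listed name is userinfo there, not the host.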

New Hire Workflow (Business Process 1.1, 1.2, 1.3)
Swimlanes: Provisioning, Hiring Process, Resources
Demonstrates an employee becoming a "New Hire" in the Identity Management Environment. This workflow addresses 3 business requirements in a single architecture.

Workflow steps (numbering as on the diagram):
1a  Manager initiates new hire process from Talent Management
1b  Manager initiates new hire form
2   Manager initiates badge request form
3   HR receives the new hire information and enters them into HCM
4   HCM instantly sends data to the Oracle Service Bus
5   Oracle Service Bus sends data to Queue for data processing of employee
6   The Queue sends the XML message to the OIM End-Point
7   OIM receives data & processes the new employee record
8   OIM begins business logic to determine how to process the employee
9   Corporate employee? (Yes / No)
    OIM performs lookup on new account to see if it exists
    Account exists? (Yes / No)
    No:  OIM will provision a new Active Directory account using the automatic naming convention
    Yes: OIM sends email to Help Desk to request to create a new naming convention since one exists or to use the one it is trying to create
         The OIM BPEL process receives email from CSC and processes the employee with the assigned NOS account
10e OIM provisions records into Birth-Right Resources, but will assign the existing account referenced in the email or will create using a new naming convention specified by Help Desk
    OIM provisions new account in OIM identity store and assigns resources based on role
    OIM provisions new employee records into downstream resources
    (step labels 10a, 10b, 10c, 10d, 11, 12 and 13 mark these provisioning boxes on the diagram)
14  OIM provisions employee records into resources as normal and creates new network account
15  OIM writes email & phone number to HCM
16  OIM BPEL sends email to manager that the provisioning process is complete
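The OIM decision path above, from the XML message on the queue (step 6) through the "Account exists?" branch to the provisioning and notification steps, as an added Python example; it is not the diagram's code and not Oracle Identity Manager's. The message layout, the first-initial-plus-surname naming convention, the birth-right resources by role and the Help Desk mailbox are assumptions. The branch worth seeing in code is "Account exists? Yes": the automatic rule never attaches the new hire to a pre-existing account; provisioning stops and resumes only with the account name the Help Desk answers with.

```python
"""OIM-style new-hire provisioning decision: parse the queued XML message, derive
the account name, branch on 'Account exists?' (added example; message layout,
naming convention and birth-right resources are assumptions)."""
import re
import unicodedata
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed message as the Queue might hand it to the OIM end-point (step 6).
SAMPLE_MESSAGE = """<NewHire>
  <EmployeeId>100042</EmployeeId>
  <FirstName>Jane</FirstName>
  <LastName>O'Neil</LastName>
  <Corporate>true</Corporate>
  <Manager>mgr@companya.com</Manager>
</NewHire>"""

HELPDESK = "helpdesk@companya.com"                      # assumed mailbox
BIRTHRIGHT = {"corporate": ["AD", "Email", "Badge"],   # assumed birth-right resources by role
              "contractor": ["AD"]}


@dataclass
class Decision:
    employee_id: str
    action: str                      # "create", "helpdesk" or "create-from-helpdesk"
    sam_account: Optional[str]
    resources: List[str] = field(default_factory=list)
    notify: List[str] = field(default_factory=list)


def parse_new_hire(xml_text: str) -> Dict[str, str]:
    """Read the queued XML; every field the business logic needs must be present."""
    root = ET.fromstring(xml_text)
    fields = {child.tag: (child.text or "").strip() for child in root}
    missing = [k for k in ("EmployeeId", "FirstName", "LastName", "Corporate", "Manager")
               if not fields.get(k)]
    if missing:
        raise ValueError(f"new-hire message missing {missing}")
    return fields


def automatic_name(first: str, last: str, max_len: int = 20) -> str:
    """Hypothetical automatic naming convention: first initial + last name,
    folded to lower-case ASCII letters and digits, cut to the 20-character
    sAMAccountName limit."""
    folded = unicodedata.normalize("NFKD", first[:1] + last).encode("ascii", "ignore").decode()
    name = re.sub(r"[^a-z0-9]", "", folded.lower())
    if not name:
        raise ValueError("cannot derive an account name from the given name")
    return name[:max_len]


def provision(msg: Dict[str, str], directory: Set[str],
              helpdesk_reply: Optional[str] = None) -> Decision:
    """Steps 8 to 16 in one function. 'directory' is the set of existing account
    names; 'helpdesk_reply' is the account name the Help Desk answered with."""
    eid = msg["EmployeeId"]
    role = "corporate" if msg["Corporate"].lower() == "true" else "contractor"   # step 9
    if helpdesk_reply is not None:
        # Step 10e: use exactly the account the Help Desk named, existing or new.
        directory.add(helpdesk_reply)
        return Decision(eid, "create-from-helpdesk", helpdesk_reply,
                        BIRTHRIGHT[role], [msg["Manager"]])
    candidate = automatic_name(msg["FirstName"], msg["LastName"])
    if candidate in directory:
        # Account exists? Yes: never attach the new hire to someone else's
        # account automatically; escalate to the Help Desk and stop here.
        return Decision(eid, "helpdesk", None, [], [HELPDESK])
    directory.add(candidate)   # Account exists? No: create under the automatic convention
    return Decision(eid, "create", candidate, BIRTHRIGHT[role], [msg["Manager"]])
```

The second call with the same message in the test below is the collision case: the decision carries no account and no resources, only the Help Desk notification, so nothing downstream is provisioned until a human has chosen the name.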

Integrated SSO into Service Provider
Swimlanes: Mid-tier IdP, Client Browser, SP & the IdP
Demonstrates a user accessing an SSO provider from Portal as an authenticated/authorized user originating from the IdP.

1   User: Invoke Company Portal
    Internal or External?
    Internal: Post Credentials via Reverse Proxy Rules (Extranet Appliance)
    External:
2   As a guest, you are directed to a Login Page
3   Enter credentials to Login Page
4   Successful AuthN will redirect to Portal
5   Click link to SSO Service
6   Invoke configured Link to protected URL & generate Token. Redirects using the relaystate parameter
7   Is session directing to integrated or federated?
    Federated: Front-end access point to the Oracle federation requests; will broker the SAML request to the vendor's SP (ACS)
    Integrated: Jump Service
8   SSO Application: SP authorizes user from the Header passed or the SAML request
9   Identity Web Services: Oracle Web Gate allows access to Resource defined in OAM if token is present
    Error Trapping will send to default Error page if there's a session issue
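Step 8 above has the SP authorize the user "from the Header passed or the SAML request". Header-based identity is only as good as the guarantee that the client cannot supply those headers itself, so here is an added Python example (not the diagram's code and not Oracle's) of both halves: the reverse proxy strips every client-sent identity header, whatever its letter case, and re-sets them only from its own verified session; the SP honours them only when a proxy-to-SP shared secret accompanies them, and otherwise falls back to the SAML path. The header names, the secret and the session shape are assumptions.

```python
"""Identity-header hygiene between the OHS/WebGate reverse proxy and the SP
(added example; header names, secret and session layout are assumptions)."""
import hmac
from typing import Any, Dict, Optional, Tuple

USER_HEADER = "X-Remote-User"        # hypothetical header the proxy sets from the token
GROUPS_HEADER = "X-Remote-Groups"    # hypothetical
PROXY_AUTH_HEADER = "X-Proxy-Auth"   # hypothetical proxy-to-SP shared-secret header
PROXY_SECRET = "constructed-shared-secret"   # assumed to be deployed to both sides
_STRIP = {USER_HEADER.lower(), GROUPS_HEADER.lower(), PROXY_AUTH_HEADER.lower()}


def upstream_headers(client_headers: Dict[str, str],
                     session: Optional[Dict[str, Any]]) -> Dict[str, str]:
    """Proxy side. Forward what the client sent minus every identity header (in
    any letter case), then set identity headers only from the proxy's own
    verified session. With no session the SP sees no identity at all and must
    fall back to the SAML request."""
    out = {k: v for k, v in client_headers.items() if k.lower() not in _STRIP}
    if session:
        out[USER_HEADER] = str(session["user"])
        out[GROUPS_HEADER] = ",".join(session.get("groups", []))
        out[PROXY_AUTH_HEADER] = PROXY_SECRET
    return out


def sp_authorize(headers: Dict[str, str], required_group: str) -> Tuple[bool, str]:
    """SP side. Trust the identity headers only when the shared secret proves
    the request came through the proxy; network ACLs should enforce that too."""
    presented = headers.get(PROXY_AUTH_HEADER, "").encode()
    if not hmac.compare_digest(presented, PROXY_SECRET.encode()):
        return False, "no trusted proxy identity; require SAML assertion"
    user = headers.get(USER_HEADER, "")
    if not user:
        return False, "session issue: send to default error page"
    groups = {g for g in headers.get(GROUPS_HEADER, "").split(",") if g}
    if required_group not in groups:
        return False, f"{user} is not in {required_group}"
    return True, user
```

The constant-time comparison matters less than the architecture around it: if the SP can be reached on a path that bypasses the proxy, the secret is the only thing standing between a client-chosen X-Remote-User and an authorized session, which is why the example pairs it with a network restriction rather than relying on it alone.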

Troux Application Flow [Last Updated: 11/29/2015]
Author: mreams
Swimlanes: Client Browser, Back-End; Company A, Company B
Legend: Active Directory, User Flow, Database

User A (Company A)
User is logged into computer with companya.com Active Directory credentials (AD Authentication)
User invokes in IE browser Portfolio Instance A
WAFFLE: The WAFFLE agent runs in front of the Web Servers as the gateway into the app. WAFFLE checks the user's Windows AD credentials against its configured Troux Roles the person is or is not assigned to.
Tomcat: Troux_A
SQL Cluster
AD Forest: companya.com
Service Account: Service Account runs the Windows service and brokers against coxinc in order to see if the user is in AD groups mapped to Troux Roles
Is user authorized?
Yes: User is granted access and will see designated content based on role
No: User is not in any Troux roles and will see blank content on the screen or a message saying access denied

User B (Company B)
User is logged into computer with companyb.com Active Directory credentials (AD Authentication)
User invokes in IE browser Portfolio Instance B
WAFFLE: same gateway check as for User A, against the Troux Roles configured for this instance
Tomcat: Troux_B
SQL Cluster
AD Forest: companyb.com
Service Account: Service Account runs the Windows service and brokers against coxinc in order to see if the user is in AD groups mapped to Troux Roles
Is user authorized?
Yes: User is granted access and will see designated content based on role
No: User is not in any Troux roles and will see blank content on the screen or a message saying access denied
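The WAFFLE gate above (a service account checks, inside one forest, whether the user is in AD groups mapped to Troux Roles, and a user in no role gets blank content or an access-denied message) as an added Python example; the forests, users, groups and role map are constructed, and this is not Troux's or WAFFLE's code. Two things the diagram text does not spell out: group membership in AD nests, so a direct-membership check misses roles granted through a group-in-group and the expansion must tolerate membership cycles; and because each instance's service account brokers only against its own forest, a Company A principal presented to Troux_B resolves to no roles however its groups are named. The decision returns an explicit denial rather than leaving the page blank.

```python
"""AD group to Troux role resolution per forest, the check WAFFLE performs
(added example; forests, groups, users and the role map are constructed)."""
from typing import Dict, List, Set

# Constructed directory data: principal -> groups it is a direct member of.
FORESTS: Dict[str, Dict[str, List[str]]] = {
    "companya.com": {
        "usera": ["CN=Portfolio-Analysts,DC=companya,DC=com"],
        "userc": [],
        "CN=Portfolio-Analysts,DC=companya,DC=com": ["CN=Troux-Viewers,DC=companya,DC=com"],
        "CN=Troux-Viewers,DC=companya,DC=com": [],
    },
    "companyb.com": {
        "userb": ["CN=Troux-Admins,DC=companyb,DC=com"],
        "CN=Troux-Admins,DC=companyb,DC=com": ["CN=Troux-Viewers,DC=companyb,DC=com"],
        # deliberate membership cycle, which real directories can contain
        "CN=Troux-Viewers,DC=companyb,DC=com": ["CN=Troux-Admins,DC=companyb,DC=com"],
    },
}

# Which forest each Troux instance's service account brokers against.
INSTANCE_FOREST = {"Troux_A": "companya.com", "Troux_B": "companyb.com"}

# Troux role -> AD group DN that confers it (assumed mapping).
ROLE_MAP: Dict[str, Dict[str, str]] = {
    "Troux_A": {"Viewer": "CN=Troux-Viewers,DC=companya,DC=com"},
    "Troux_B": {"Viewer": "CN=Troux-Viewers,DC=companyb,DC=com",
                "Administrator": "CN=Troux-Admins,DC=companyb,DC=com"},
}


def transitive_groups(forest: str, principal: str) -> Set[str]:
    """Expand nested membership the way tokenGroups does; a direct-membership
    check alone would miss roles granted through a group-in-group."""
    members = FORESTS[forest]
    seen: Set[str] = set()
    stack = list(members.get(principal, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue          # cycle-safe: a group already expanded is skipped
        seen.add(group)
        stack.extend(members.get(group, []))
    return seen


def troux_roles(instance: str, user: str, user_forest: str) -> List[str]:
    """Roles the user holds on this instance. The service account only brokers
    against its own forest, so a principal from the other company's forest
    resolves to no roles regardless of its group names."""
    if INSTANCE_FOREST[instance] != user_forest:
        return []
    groups = transitive_groups(user_forest, user)
    return sorted(role for role, dn in ROLE_MAP[instance].items() if dn in groups)


def authorize(instance: str, user: str, user_forest: str) -> Dict[str, object]:
    """WAFFLE gate decision: an explicit denial message rather than a blank page."""
    roles = troux_roles(instance, user, user_forest)
    if not roles:
        return {"granted": False, "roles": [], "message": "access denied"}
    return {"granted": True, "roles": roles, "message": "content by role"}
```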

Refresh System
Execute Script
User
Access DB: D:\Administration\DB\ (stores info)
Selectable Options:
Perform backups
Check Disk Space
Check Memory
Check System Processes
Check Connectivity
Backup Registry
Check Log Sizes
Collect Network Info
Check PageSys size
Check NTFS permissions
Backup IIS Meta DB
Backup
IISReset
Clear Logs
Truncate SQL Logs
Check Application Config
Gather Server Info and store into DB
Create Report

