Post on 12-Feb-2016
Access Manager 11gR2 (11.1.2.0.0) Technical Presentation
Venu Shastri, Senior Principal Product Manager, Identity Management, Oracle
Oracle Confidential – Do Not Distribute. Copyright © 2012, Oracle and/or its affiliates.
Agenda
• Overview
• Key Features
• Architecture & Deployment
• Extensibility & Integrations
• Q & A
Access Management Platform – 11gR2: Complete & Scalable
Access Manager 11gR2: Objectives
• Provide scalable foundation for Access Management Platform
• Converge OAM10g, OSSO, and OpenSSO
• Provide new and advanced functionality to customers
• Tighten integrations
Access Manager 11gR2: Key Features
• Simplified Web Single Sign-On (SSO)
• Authentication and Authorization
• Centralized Policy Administration
• Advanced Session Management
• Centralized Agent Management
• Native Password Management
• Windows Native Authentication
• Comprehensive Auditing and Logging
Access Manager 11gR2: Benefits
• Centralized policy management and auditing reduces cost and improves compliance.
• Support for access management in a complex, heterogeneous environment reduces total cost of ownership and accelerates deployment.
• Flexible and powerful policy model allows organizations to meet complex access management needs.
• Scalable deployment model supports the most demanding, internet-scale deployments.
• Extensible architecture enables easy customization to meet organization specific requirements.
Access Manager 11gR2: Deployment Overview (diagram)
Access Manager 11gR2: Policy Model
• Enhanced security
  • Closed world – access to a resource is denied unless a policy specifically allows it
• Resource simplification
  • No URL prefixes – resources are defined as complete URL patterns (“*” and “…”) associated with a host identifier, and are used to determine the sole policy applicable to a request
• Responses
  • Powerful, expression-based responses
  • Ability to return user, request, and session information
Access Manager 11gR2: Policy Model (diagram)
Diagram elements: Access Manager; Authentication Schemes; Application Domains; Identity Store (external dependency); Authentication Policies; Authorization Policies; Resource Types; Host Identifiers; Resources; Policies; Authentication Modules.
Legend: one-to-many relationship; many-to-many relationship; containment relationship; external dependencies.
Access Manager 11gR2: Policy Model Enhancements
• Multiple IP ranges
• Wildcard enhancements
• Resource operation / custom types
• Authorization expressions
  • AND, OR, NOT
  • ( and ) – precedence indicators
• User Attribute Condition
  • LDAP filter / search
  • Enables creation of more complex and flexible authorization constraints that deal only with LDAP attributes
• Session Attribute Condition
Access Manager 11gR2: Policy Model Enhancements – LDAP Query/Filter Condition (screenshot)
Access Manager 11gR2: Policy Model Enhancements – Complex Expressions (screenshot)
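As an added example (not Oracle's code) of the closed-world policy model and the AND/OR/NOT authorization expressions described on the preceding slides: a small evaluator over named conditions, plus a policy lookup that denies any resource no policy covers. The wildcard semantics ("*" within one path segment, "…" across segments) and the "first match wins" ordering are simplifying assumptions, not OAM's documented rules.

```python
import re

# Added example (not Oracle's code): closed-world authorization over (host id, URL
# pattern, rule) policies; each rule is an AND/OR/NOT expression over named conditions.
TOKEN_RE = re.compile(r"\(|\)|AND\b|OR\b|NOT\b|[A-Za-z_][\w-]*")

def evaluate(expr, conditions):
    """True iff `expr` holds for `conditions`, a {condition-name: bool} map."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unexpected characters in expression")   # never silently ignored
    pos = [0]                                      # parser cursor
    def peek(): return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take(): tok = peek(); pos[0] += 1; return tok
    def or_expr():                                 # OR has the lowest precedence
        v = and_expr()
        while peek() == "OR": take(); v = and_expr() | v
        return v
    def and_expr():
        v = not_expr()
        while peek() == "AND": take(); v = not_expr() & v
        return v
    def not_expr():                                # NOT and ( ) bind tightest
        if peek() == "NOT": take(); return not not_expr()
        if peek() == "(":
            take(); v = or_expr()
            if take() != ")": raise ValueError("missing ')'")
            return v
        name = take()
        if name is None or name in ("AND", "OR", ")"): raise ValueError("name expected")
        return bool(conditions[name])              # unknown name raises, never allows
    result = or_expr()
    if peek() is not None: raise ValueError("trailing tokens")
    return result

def pattern_to_regex(pattern):
    # Assumed simplified semantics (not OAM's exact rules): '*' stays within one
    # path segment, '...' (or the ellipsis character) spans any number of segments.
    parts = re.split(r"(\.\.\.|\u2026|\*)", pattern)
    body = "".join(".*" if p in ("...", "\u2026") else "[^/]*" if p == "*"
                   else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

def authorize(policies, host_id, url, conditions):
    """Closed world: no covering policy means deny; first match (assumed most-specific first) decides."""
    for policy_host, pattern, rule in policies:
        if policy_host == host_id and pattern_to_regex(pattern).match(url):
            return evaluate(rule, conditions)
    return False

# Constructed sample data, not from any real deployment.
POLICIES = [("intranet", "/finance/.../*.jsp", "(Employee AND Finance-Dept) OR NOT External"),
            ("intranet", "/public/*", "Anyone")]
CONDITIONS = {"Employee": True, "Finance-Dept": False, "External": False, "Anyone": True}
```

A malformed or partially-recognised expression raises rather than evaluating to a partial result, so a typo in a rule fails closed.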
Access Manager 11gR2: Session Management
• Stateful sessions with detailed security context information that can be further propagated
• Tracks active user sessions using a high-performance distributed cache
• Admin can specify Session Lifetime & Idle Timeout globally
• Admin can limit the number of concurrent sessions a user can have at one time
• Out-of-band session termination
  • Prevents unauthorized access to systems when a user has been terminated
• Can be done with or without persistent storage
• Provides automatic session failover
Access Manager 11gR2: Session Management (screenshot)
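An added example (not Oracle's code) of the session controls listed above: an in-memory store standing in for the distributed cache that applies a global lifetime, a global idle timeout, a per-user concurrent-session cap, and out-of-band termination of a user's sessions. Refusing the login that would exceed the cap is an assumption; the slide does not say how the product resolves that case.

```python
import secrets
from dataclasses import dataclass, field

# Added example (not Oracle's code): an in-memory stand-in for the session cache
# that enforces the controls listed on the slide: global session lifetime, global
# idle timeout, a per-user concurrent-session cap, and out-of-band termination.
@dataclass
class Session:
    user: str
    created: float            # seconds; lifetime is measured from here
    last_access: float        # idle timeout is measured from here
    context: dict = field(default_factory=dict)   # security context to propagate

class SessionStore:
    def __init__(self, lifetime_s, idle_timeout_s, max_per_user):
        self.lifetime, self.idle, self.max_per_user = lifetime_s, idle_timeout_s, max_per_user
        self.sessions = {}    # session id -> Session

    def expired(self, s, now):
        return now - s.created > self.lifetime or now - s.last_access > self.idle

    def reap(self, now):
        """Drop every session past its lifetime or idle timeout."""
        for sid in [sid for sid, s in self.sessions.items() if self.expired(s, now)]:
            del self.sessions[sid]

    def create(self, user, now, context=None):
        """Assumed policy: refuse a new login once the user holds max_per_user live sessions."""
        self.reap(now)
        if sum(1 for s in self.sessions.values() if s.user == user) >= self.max_per_user:
            raise PermissionError(f"{user}: concurrent session limit reached")
        sid = secrets.token_urlsafe(32)            # unguessable session identifier
        self.sessions[sid] = Session(user, now, now, dict(context or {}))
        return sid

    def validate(self, sid, now):
        """Return the live session after refreshing its idle clock, else None."""
        s = self.sessions.get(sid)
        if s is None: return None
        if self.expired(s, now):
            del self.sessions[sid]                 # expired: remove, never extend
            return None
        s.last_access = now
        return s

    def terminate_user(self, user):
        """Out-of-band termination: drop all sessions of a (e.g. offboarded) user."""
        doomed = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in doomed: del self.sessions[sid]
        return len(doomed)
```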
Access Manager 11gR2: Windows Native Authentication
• SPNEGO-based credential validation for true Windows desktop to web single sign-on
• Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
• Does not need an IIS-based solution for WebGate
• WebGates and Oracle SSO protected applications need not run on the Windows platform
• Can be enabled for a subset of protected applications
  • Internal vs external websites
Access Manager 11gR2: Embedded Credential Collection
• OAM 11g collects credentials at the runtime server
• Login pages are presented by the OAM runtime servers
• OAM runtime servers can redirect to login pages located in a separate web server
• Regardless of where the login pages are, credentials are sent to the OAM runtime servers for collection
• Sample login pages are provided out-of-the-box
Access Manager 11gR2: Detached Credential Collector
• Extends the 11g WebGate with an option to enable credential collection capability (Authentication Gate)
• Back-channel communications use the OAP protocol, whilst the front channel uses HTTPS
• Decouples credential collection from the server
  • Provides flexibility to place the DCC anywhere in the DMZ
  • More security: end-user HTTP sessions are terminated at the DMZ
  • Reduces overhead on the server and improves performance
Access Manager 11gR2: Detached Credential Collector (diagram)
Access Manager 11gR2: Password Management
• Native password management for simple password management requirements
• In-band password capability
  • Password warning
  • Forced password reset (expired / reset)
• Password policy enforcement
  • Password composition rules
  • Password history
  • Account lockout
• OAM – OIM password integration still supported
Access Manager 11gR2: Password Management (screenshot)
Access Manager 11gR2: Centralized Agent Management
• One administration console to manage all agents within the deployment
• Simultaneously manage and configure mod_osso, OAM 10g WebGates, OpenSSO agents and OAM 11g WebGates
• Operational status of each individual agent can be monitored
  • Agent hostname, IP address, connected server, number of active connections, average operation latency, and more…
Access Manager 11gR2: Centralized Agent Management (screenshot)
Access Manager 11gR2: 11g WebGate
• 11g cookie is host scoped
• Cookie encryption for each 11g WebGate is unique to that WebGate
• Authorization caching
  • Resource to authorization policy
  • Authorization result
• Diagnostic page
• OUI installer that lays out a WebGate package depending on the platform used
Access Manager 11gR2: Utilities
• Remote Registration Tool
  • Application administrators can register agents without the help of the security team
  • Policy objects can be automatically created to protect resources of a given application at registration time
• Access Tester Tool
  • Simulates resource requests to ensure policy evaluates correctly
  • Uncovers network issues that impact WebGates or mod_osso agents, due to the tool’s remote nature
Access Manager 11gR2: Access Tester Tool (screenshot)
Access Manager 11gR2: Logging and Auditing
• Logging
  • Centralized log management via Enterprise Manager (EM)
  • Graphical tools for configuring and viewing logs (EM)
  • Multiple logging levels
• Auditing
  • Standardized auditing across FMW components
  • Common Audit Framework allows audit logs to be directed and persisted into an audit database
  • Reports generated via Oracle BI Publisher
Access Manager 11gR2: Internal Architecture (diagram)
OAM Server components: Protocol Compatibility Framework; Credential Collector; Session Management; SSO Engine; AuthN Service; AuthZ Service; Identity Provider; Token Processing; Partner & Trust; Configuration Service; Policy Service. Built on the Coherence Distributed Cache and Oracle Platform Security Services.
Access Manager 11gR2: Installation and Configuration
• Installation process
  • OAM 11g installs using Oracle Universal Installer (OUI)
  • The installation process copies all the software bits to the host machine
  • OUI does not perform product configuration
• Configuration process requires 2 steps
  • Database schema configuration using Repository Creation Utility (RCU)
  • Product configuration and deployment using WebLogic Configuration Wizard
Access Manager 11gR2: Deployment on WebLogic Cluster (diagram)
Access Manager 11gR2: Multi-data-center Deployment
• Supports Active-Active, Active-Passive or Active-Hot Standby deployments
• Enables seamless user SSO across data centers with session continuity
• Follows a Master-Slave configuration for Access Manager deployment across data centers; policy and configuration are kept in sync via T2P processes
• Behavior is configurable based on the Session Adoption Policy
  • Re-authentication Required – True/False
  • Remote Session Invalidation – True/False
  • On-Demand Session Data Retrieval – True/False
Access Manager 11gR2: Multi-data-center Deployment – Active/Active (diagram)
Diagram elements: Global Load Balancer; Access Manager cluster in Data-Center 1 (Master); Access Manager cluster in Data-Center 2 (Slave); clusters synchronized using the T2P process; User 1 (geo-location 1) with OAM cookie DC=DC1; User 2 (geo-location 2) with OAM cookie DC=DC2; Active and Stand-by labels on both clusters.
Access Manager 11gR2: Multi-data-center Deployment – Active/Active, Data-Center 1 down or over-loaded (diagram)
Diagram elements: Global Load Balancer; Access Manager cluster in Data-Center 1 (Master); Access Manager cluster in Data-Center 2 (Slave); User 1 (geo-location 1), whose OAM cookie changes from DC=DC1 to DC=DC2; User 2 (geo-location 2) with OAM cookie DC=DC2; back-channel OAP call to retrieve remote session data and invalidate the remote session; re-authenticate user.
Access Manager 11gR2: Extensibility
• Authentication Extensibility Framework
  • Allows customized authentication modules to be plugged into the system
  • Includes Java SDK tooling for users to create customized modules
• Pure Java-based ASDK
  • Includes authentication services and authorization services
  • One platform-independent package
  • Includes APIs for the extended protocol-level op codes
  • Backward compatible against OAM 10g
Access Manager 11gR2: Key IDM Integrations
• OAM + OSTS – Identity Propagation
  • SSO to web services
  • Issuance and validation of web service tokens
• OAM + Federation – Federated SSO
  • Identity propagation from federated partners into the local environment
  • Simplify authentication flows
Access Manager 11gR2: Key IDM Integrations (continued)
• OAM + OAAM – Authentication
  • Reinforce password authentication
  • Risk-based authentication
• OAM + OAAM + OIM – End-to-End
  • Secure self-service flows
  • Increase security and usability
  • Consistent user experience
Access Manager 11gR2: New Platform and Integration Support
• New platform support
  • Solaris x64, AIX 7.1, and Oracle Linux 6.x / RHEL 6.x
• 3rd-party integrations
  • Microsoft SharePoint 2010
  • RSA Authentication Manager 7.1
  • JBoss 5.1.0
  • Microsoft Outlook Web Application (OWA) 2010 – post R2
  • Microsoft Forefront TMG 2010 – post R2
  • SAP Portal 7.0 – post R2
  • IBM WebSphere Portal 7.0 – post R2
Q&A