Thursday, December 14, 2017

IDAM


Identity and Access Management
 

Oracle Identity Manager

(OIM)

Oracle Identity Manager is an enterprise identity management system that automates the management of users' accounts and access privileges across the systems connected to it. Its main functions are:

·         User Provisioning

·         Role & policy management

·         Reconciliation

·         Self service

1.      Provisioning

The process of creating, updating or deleting a user's account in a target resource. OIM performs it through a connector, so data flows from OIM to the target resource.

Resource: a target resource here means an external system in which OIM manages accounts, such as an LDAP directory (for example eDirectory or ODSEE) or an application's own user store.
 

2.      Reconciliation

The process of comparing account or identity information in an external system with what OIM holds and synchronizing OIM to match it. Here data flows from the external system into Oracle Identity Manager, the opposite direction to provisioning.

a)      Trusted Source Reconciliation

The external source from which OIM pulls the data is an authoritative (trusted) source, typically the HR system (e.g. PeopleSoft, Workday). Trusted source reconciliation creates, updates and disables the OIM users themselves, so a hire, transfer or termination recorded in HR drives the identity lifecycle. Reconciliation against a non-authoritative system (target resource reconciliation) instead links the accounts found on that target to existing OIM users, and is how accounts created outside OIM (rogue or orphaned accounts) are detected.

b)     Full Reconciliation

Full reconciliation reconciles all records on the target system into Oracle Identity Manager. It is mainly run when a legacy system is migrated or when a system is first connected to OIM. After that, incremental reconciliation pulls only the records changed since the last run, using a timestamp that the scheduled job records.

            Reconciliation is run as scheduled jobs according to the needs of the enterprise/organization, for example daily or weekly.
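The following is an added example, not OIM code and using no Oracle API, that models both reconciliation directions described above: a trusted-source run (full and incremental) that turns an HR feed into create/update/disable events for OIM users, and a target-resource run that links accounts found on a target back to OIM users and flags the ones that should not be there. The HR feed, OIM snapshot and target account list are constructed sample data, and the field mapping is a stand-in for what a connector would define.

```python
"""Toy reconciliation engine in the style of OIM's two reconciliation modes.

Added example; it is not OIM code and uses no Oracle API. All records below
are constructed sample data.
"""
from datetime import datetime, timezone

# Constructed authoritative (trusted) HR feed. "modified" drives incremental runs.
HR_FEED = [
    {"emp_id": "1001", "login": "asmith", "status": "Active", "dept": "Finance",
     "modified": "2017-12-10T09:00:00+00:00"},
    {"emp_id": "1002", "login": "bjones", "status": "Active", "dept": "IT",
     "modified": "2017-12-13T17:30:00+00:00"},
    {"emp_id": "1003", "login": "cwu", "status": "Terminated", "dept": "Sales",
     "modified": "2017-12-14T08:15:00+00:00"},
]

# Constructed snapshot of OIM's own user store, keyed by employee id.
OIM_USERS = {
    "1001": {"login": "asmith", "status": "Active", "dept": "Finance"},
    "1003": {"login": "cwu", "status": "Active", "dept": "Sales"},
    "1004": {"login": "dlee", "status": "Active", "dept": "HR"},
}

# Constructed list of accounts found on a target resource (e.g. an LDAP directory).
TARGET_ACCOUNTS = ["asmith", "cwu", "svc_backup"]

MAPPED_FIELDS = ("login", "dept")  # attributes a (hypothetical) connector maps

# Cutoff used for the incremental run below: "last execution time" of the job.
INCREMENTAL_CUTOFF = datetime(2017, 12, 13, tzinfo=timezone.utc)


def trusted_source_recon(hr_feed, oim_users, since=None):
    """Diff the authoritative feed against OIM users; return (action, emp_id) events.

    since=None is a full reconciliation: every HR record is compared, and an
    active OIM user with no HR record at all is disabled (never deleted, so a
    broken HR extract cannot wipe the identity store). With a timestamp it is
    an incremental run: only HR records modified after `since` are examined,
    and the absence check is skipped because the feed is not complete.
    """
    events = []
    for rec in hr_feed:
        if since is not None and datetime.fromisoformat(rec["modified"]) <= since:
            continue
        current = oim_users.get(rec["emp_id"])
        if current is None:
            if rec["status"] == "Active":
                events.append(("create", rec["emp_id"]))
        elif rec["status"] != "Active" and current["status"] == "Active":
            events.append(("disable", rec["emp_id"]))
        elif any(rec[f] != current[f] for f in MAPPED_FIELDS):
            events.append(("update", rec["emp_id"]))
    if since is None:
        fed = {rec["emp_id"] for rec in hr_feed}
        for emp_id, user in oim_users.items():
            if emp_id not in fed and user["status"] == "Active":
                events.append(("disable", emp_id))
    return events


def apply_events(events, hr_feed, oim_users):
    """Return a new copy of the OIM user store with the events applied."""
    by_id = {rec["emp_id"]: rec for rec in hr_feed}
    users = {k: dict(v) for k, v in oim_users.items()}
    for action, emp_id in events:
        if action == "create":
            users[emp_id] = {**{f: by_id[emp_id][f] for f in MAPPED_FIELDS}, "status": "Active"}
        elif action == "update":
            users[emp_id].update({f: by_id[emp_id][f] for f in MAPPED_FIELDS})
        elif action == "disable":
            users[emp_id]["status"] = "Disabled"
    return users


def target_resource_recon(target_accounts, oim_users):
    """Link accounts found on a target to OIM users.

    An account with no owning OIM user was created outside OIM (orphaned);
    one whose owner is disabled should already have been deprovisioned (stale).
    """
    owners = {u["login"]: u["status"] for u in oim_users.values()}
    result = {"linked": [], "orphaned": [], "stale": []}
    for acct in target_accounts:
        if acct not in owners:
            result["orphaned"].append(acct)
        elif owners[acct] != "Active":
            result["stale"].append(acct)
        else:
            result["linked"].append(acct)
    return result


if __name__ == "__main__":
    full = trusted_source_recon(HR_FEED, OIM_USERS)
    print("full recon:", full)
    print("incremental recon:", trusted_source_recon(HR_FEED, OIM_USERS, since=INCREMENTAL_CUTOFF))
    print("target recon:", target_resource_recon(TARGET_ACCOUNTS, apply_events(full, HR_FEED, OIM_USERS)))
```

The full run disables two users for different reasons: one because HR says "Terminated", one because HR no longer knows the employee at all. The incremental run cannot make the second decision, which is why a periodic full reconciliation still belongs in the schedule. The target run then shows the leaver's account still present on the target (stale) and a service account nobody provisioned (orphaned); both are findings an IAM team should review rather than silently delete.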

3.      Self Service

Oracle Identity Manager's self-service capabilities allow users to manage their own passwords across managed resources. If a user forgets his password, OIM presents challenge questions; answering them correctly verifies the user's identity and lets him reset the password (the old password is not retrieved) without calling the help desk, which is where the cost saving comes from. Answers to challenge questions are often guessable or discoverable, so a practitioner should treat them as a weak factor: store the answers hashed, limit failed attempts, and notify the user when a reset happens.
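The following is an added example of the challenge-question verification step a self-service reset depends on; it is not OIM's implementation. The function names, the PBKDF2 parameters and the attempt limit are choices made for the example, and the enrolled questions are constructed sample data.

```python
"""Challenge-question verification for a self-service password reset.

Added example; it is not OIM's implementation. Parameters and names are
choices made for the example.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the example
MAX_FAILED_ATTEMPTS = 3       # assumed lockout threshold for the example


def normalize(answer):
    """Compare answers case-insensitively with whitespace collapsed, so
    "Lincoln High" and " lincoln  HIGH " enroll and verify identically."""
    return " ".join(answer.split()).casefold()


def enroll(questions_and_answers):
    """Store each answer as a per-answer random salt plus a PBKDF2 hash.
    Plaintext answers are never kept, so a database leak does not expose them."""
    record = {"answers": {}, "failed": 0}
    for question, answer in questions_and_answers:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
        record["answers"][question] = (salt, digest)
    return record


def verify(record, supplied):
    """All enrolled questions must be answered correctly in one attempt.

    Every answer is checked (no early exit on the first miss) with a
    constant-time comparison, and a failed attempt counts toward a lockout;
    once locked, the user must go through the help desk instead of guessing on.
    """
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        return False
    ok = True
    for question, (salt, digest) in record["answers"].items():
        candidate = hashlib.pbkdf2_hmac(
            "sha256", normalize(supplied.get(question, "")).encode(), salt, PBKDF2_ITERATIONS)
        ok &= hmac.compare_digest(candidate, digest)
    record["failed"] = 0 if ok else record["failed"] + 1
    return ok


if __name__ == "__main__":
    # Constructed enrollment for one user.
    rec = enroll([("First school", "Lincoln High"), ("Pet name", "Rex")])
    print(verify(rec, {"First school": "  lincoln   HIGH ", "Pet name": "rex"}))  # correct answers
    print(verify(rec, {"First school": "Lincoln High", "Pet name": "Max"}))        # one wrong answer
```

Requiring all questions, rather than any one of them, and counting every failed set against a lockout is what keeps the reset flow from becoming an unthrottled guessing interface on the weakest question.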

 OIM Overview

                        OIM pulls identity data from a trusted source (reconciliation) and keeps its users, roles and account records in its own database schema. From there it pushes accounts out to target resources (provisioning). A common target in this setup is ODSEE (Oracle Directory Server Enterprise Edition), an LDAP directory server that also serves as the identity store OAM authenticates users against. OIM uses connectors to map its user attributes to each target's schema in both directions.

Connectors

            A connector holds the information OIM needs to reconcile identities from an external source and to provision accounts to a target resource: the connection details, the attribute mapping between OIM's user form and the target's schema, and the reconciliation rules and scheduled jobs.

 Ø  User credentials are validated by OAM against a directory server (ODSEE here). OIM provisions the accounts into that directory but is not in the runtime login path.
 Ø  Protecting an application means protecting its URLs: the application's URL patterns are registered as resources in OAM and a WebGate enforces the policy for them.

 

Oracle Access Manager

(OAM)

                    It is an access management product that provides Single Sign-On (SSO). In simple words OAM is responsible for Authentication and Authorization, where Authentication means validating the credentials and Authorization means deciding what level of access the authenticated user is allowed.

 

OAM Overview

                        When a user sends a request over the internet, it first reaches the WebGate, a plug-in on the web server that communicates with the OAM server on the user's behalf. The requested URL is either protected or unprotected according to OAM's policies. The WebGate is the policy enforcement point (PEP); the OAM server is the policy decision point that tells it what to do.

If the URL is unprotected, the WebGate lets the request through to the application without asking for credentials. If the URL is protected, the WebGate checks for a valid OAM session cookie and, if there is none, redirects the user to OAM to log in. OAM verifies the credentials against its identity store (ODSEE, which OIM keeps populated), evaluates the authorization policy for the resource according to the user's roles and the policy's conditions and, if access is allowed, issues the session so the user is not prompted again for other applications in the same SSO domain.

A load balancer distributes the requests coming from users across several servers so that no single server becomes a bottleneck. It typically sits in front of the web tier (the OHS servers carrying the WebGates) and can also sit between the WebGates and a pool of OAM servers.

Clustering is the other way of handling load and, more importantly, failure. Several instances of the OAM (or OIM) managed server run as a WebLogic cluster, the load balancer or WebGate spreads requests across them, and if one instance fails the others keep serving. It is used for High Availability.

 

Disaster Recovery

            Disaster recovery is a precautionary measure to safeguard the data and keep the service available. If one DC (data center) fails for some unavoidable reason, the data should already have been replicated to a standby DC, from which the service can be brought up and the data retrieved at any given time.

 

Agents

            An agent is the component that intercepts requests and talks to the OAM server; the WebGate is OAM's web-server agent. It is registered with OAM and communicates with it over the Oracle Access Protocol (OAP).

 

Oracle HTTP Server (OHS)

            Every protected application needs a WebGate in front of it. Instead of installing a WebGate in front of each application, a single OHS (Oracle's Apache-based web server) carrying one WebGate is placed as a reverse proxy in front of all the applications, so the WebGate is installed at one point and protects all of them.

 

Oracle Virtual Directory (OVD)

            It presents identity information held in multiple directory servers or databases as a single virtual LDAP directory, without copying the data, and OAM uses that virtual view as its identity store.

 

Session

            The session idle timeout and session lifetime are configured globally in OAM, so the same idle time applies to every application in the SSO domain; a user idle longer than that is prompted to log in again for any of them.

 

 

 

 

Application Domain

An application domain groups the resources of an application together with the policies that govern them:

·         Resource policy

·         Authentication policy  and

·         Authorization policy

 

 

Resource policy

            A resource is a document, application page or other content stored on a server that is made available to users. Users/clients access resources over a particular protocol (e.g. HTTP, HTTPS). Resources are defined within OAM by a host identifier plus a URL pattern, and the definition states whether the resource is protected, unprotected or excluded from OAM entirely.

 

Authentication policy 

            This deals with how users/clients are authenticated, i.e. against which identity store and for which resources. An authentication policy binds a set of resources in the application domain to an authentication scheme (for example an LDAP form login), and each scheme carries an authentication level so that more sensitive resources can demand a stronger login.

 

Authorization policy

            Authorization is the process of determining whether an authenticated user has the right to access the requested page/resource. Access is granted or denied based on the conditions and rules defined in the authorization policy of the application domain, such as the user's identity or group (roles), the client IP address and the time of day, and the policy can also return responses (such as headers carrying the user's identity) to the application.
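The following is an added example, not OAM code and reading no OAM configuration, that models the request flow from the OAM Overview (WebGate as enforcement point, OAM as decision point, unprotected vs protected URLs, redirect to login), the global idle timeout from the Session section, and the three parts of an application domain described above. The host identifier, URL patterns, schemes, levels, groups, IP ranges and sessions are all constructed sample data; real OAM keeps authentication and authorization policies as separate objects that list resources, which is simplified here to a per-resource reference.

```python
"""Toy model of a WebGate (policy enforcement point) asking the OAM server
(policy decision point) what to do with a request against one application
domain. Added example; it is not OAM code, reads no OAM configuration, and
everything below is constructed sample data.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed global OAM setting: one idle timeout for every application in the SSO domain.
SESSION_IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed application domain for the host identifier "intranet".
APP_DOMAIN = {
    "hosts": {"intranet.example.com:443"},
    "resources": [
        {"pattern": "/public/**", "protection": "unprotected"},
        {"pattern": "/finance/**", "protection": "protected",
         "authn": "LDAPScheme", "authz": "finance-staff"},
        {"pattern": "/admin/**", "protection": "protected",
         "authn": "StepUpScheme", "authz": "admins-from-office"},
    ],
    # Authentication policy: scheme and the authentication level it yields.
    "authn_schemes": {"LDAPScheme": {"level": 2}, "StepUpScheme": {"level": 4}},
    # Authorization policy: identity (group) and IP conditions; empty means no condition.
    "authz_policies": {
        "finance-staff": {"groups": {"Finance"}, "ip_ranges": []},
        "admins-from-office": {"groups": {"Admins"}, "ip_ranges": ["10.0.0.0/8"]},
    },
}


def pattern_to_regex(pattern):
    """OAM-style URL pattern: '**' spans path segments, '*' stays within one."""
    escaped = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.compile("^" + escaped + "$")


def session_is_live(session, now):
    """A session only counts if it exists and has not exceeded the idle timeout."""
    return session is not None and now - session["last_access"] <= SESSION_IDLE_TIMEOUT


def decide(host, path, client_ip, session, now, domain=APP_DOMAIN):
    """Return (verdict, reason): 'allow', 'deny', or 'redirect' to a login scheme."""
    if host not in domain["hosts"]:
        return ("deny", "host does not map to the application domain's host identifier")
    matched = next((r for r in domain["resources"]
                    if pattern_to_regex(r["pattern"]).match(path)), None)
    if matched is None:
        # Assumed here: WebGate configured to deny requests for undefined resources.
        return ("deny", "resource not defined in any application domain")
    if matched["protection"] == "unprotected":
        return ("allow", "unprotected resource, no credentials requested")
    required = domain["authn_schemes"][matched["authn"]]["level"]
    if not session_is_live(session, now) or session["level"] < required:
        # No usable session, or a session whose login was too weak for this
        # resource (step-up): send the user to OAM to authenticate with the scheme.
        return ("redirect", f"{matched['authn']} (level {required})")
    policy = domain["authz_policies"][matched["authz"]]
    if policy["groups"] and not (policy["groups"] & set(session["groups"])):
        return ("deny", "authorization policy: identity condition not met")
    if policy["ip_ranges"]:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(net) for net in policy["ip_ranges"]):
            return ("deny", "authorization policy: IP condition not met")
    return ("allow", f"{session['user']} authorized for {path}")


# Constructed clock and sessions for the walk-through.
NOW = datetime(2017, 12, 14, 10, 0, tzinfo=timezone.utc)
HOST = "intranet.example.com:443"
FINANCE_SESSION = {"user": "asmith", "groups": ["Finance"], "level": 2,
                   "last_access": NOW - timedelta(minutes=5)}
ADMIN_SESSION = {"user": "dlee", "groups": ["Admins"], "level": 4,
                 "last_access": NOW - timedelta(minutes=1)}
IDLE_SESSION = {**FINANCE_SESSION, "last_access": NOW - timedelta(minutes=40)}

if __name__ == "__main__":
    for path, ip, sess in [("/public/index.html", "203.0.113.5", None),
                           ("/finance/report", "203.0.113.5", None),
                           ("/finance/report", "203.0.113.5", FINANCE_SESSION),
                           ("/finance/report", "203.0.113.5", IDLE_SESSION),
                           ("/admin/users", "203.0.113.5", FINANCE_SESSION),
                           ("/admin/users", "203.0.113.5", ADMIN_SESSION),
                           ("/admin/users", "10.1.2.3", ADMIN_SESSION),
                           ("/other/page", "10.1.2.3", ADMIN_SESSION)]:
        print(path, ip, decide(HOST, path, ip, sess, NOW))
```

Two points in the walk-through are worth noticing. The finance user with a valid level-2 session is not denied on the admin URL but redirected to the stronger scheme, because in OAM a session's authentication level, not just its existence, decides whether a resource is reachable. And the idle session is treated exactly like no session, which is the behaviour the global idle timeout buys for every application at once.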

 

 

 
