Access Manager 11gR2 (11.1.2.0.0) Technical Presentation – Venu Shastri, Senior Principal Product Manager, Identity Management, Oracle

Post on 12-Feb-2016


TRANSCRIPT

Page 1: Access Manager 11gR2 (11.1.2.0.0) Technical Presentation

Venu Shastri, Senior Principal Product Manager, Identity Management, Oracle

Page 2: Agenda

Oracle Confidential – Do Not Distribute. Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

• Overview
• Key Features
• Architecture & Deployment
• Extensibility & Integrations
• Q & A

Page 3: Agenda

Page 4: Access Management Platform – 11gR2: Complete & Scalable

Page 5: Access Manager 11gR2 – Objectives

• Provide scalable foundation for Access Management Platform

• Converge OAM10g, OSSO, and OpenSSO

• Provide new and advanced functionality to customers

• Tighten integrations

Page 6: Access Manager 11gR2 – Key Features

• Simplified Web Single Sign-On (SSO)
• Authentication and Authorization
• Centralized Policy Administration
• Advanced Session Management
• Centralized Agent Management
• Native Password Management
• Windows Native Authentication
• Comprehensive Auditing and Logging

Page 7: Access Manager 11gR2 – Benefits

• Centralized policy management and auditing reduces cost and improves compliance.

• Support for access management in a complex, heterogeneous environment reduces total cost of ownership and accelerates deployment.

• Flexible and powerful policy model allows organizations to meet complex access management needs.

• Scalable deployment model supports the most demanding, internet-scale deployments.

• Extensible architecture enables easy customization to meet organization specific requirements.

Page 8: Access Manager 11gR2 – Deployment Overview (diagram)

Page 9: Agenda

Page 10: Access Manager 11gR2 – Policy Model

• Enhanced security
  • Closed world – access is denied to resources unless a policy specifically allows access
• Resource simplification
  • No URL prefixes – resources are defined as complete URL patterns (“*” and “…”) associated with a host id and used to determine the sole policy applicable to a request
• Responses
  • Expression-based responses that are powerful
  • Ability to return user, request, and session information
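As an added illustration of the closed-world model on this slide (example code written for this transcript, not Oracle's OAM implementation): a small Python evaluator that maps a request to the single resource pattern that applies to it, with deny as the default when nothing matches. The wildcard semantics are an assumption of the example: “*” matches within one path segment, “…” matches any number of whole segments, and when several patterns match, the one with the most literal characters is taken as the sole applicable policy. Host identifiers, resources, policies and roles are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Resource:
    host_id: str   # host identifier the pattern is bound to
    pattern: str   # complete URL pattern, e.g. "/app/.../*.jsp"
    policy: str    # the single policy that governs matching requests


def pattern_to_regex(pattern: str):
    """Translate a URL pattern into an anchored regex.

    Assumed semantics (an assumption of this example, not a statement about OAM):
      "*"     matches zero or more characters inside ONE path segment
      "/.../" matches a slash followed by any number of whole segments
      "/..."  at the very end matches the rest of the path, if any
    """
    pattern = pattern.replace("\u2026", "...")   # normalise the typographic ellipsis
    regex, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/.../", i):
            regex += "/(?:[^/]+/)*"
            i += 5
        elif pattern.startswith("/...", i) and i + 4 == len(pattern):
            regex += "(?:/[^/]*)*"
            i += 4
        elif pattern[i] == "*":
            regex += "[^/]*"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile("^" + regex + "$")


def specificity(pattern: str) -> int:
    """Literal characters left after removing wildcards; more literal = more specific."""
    return len(pattern.replace("\u2026", "...").replace("...", "").replace("*", ""))


def find_policy(resources, host_id: str, path: str) -> Optional[str]:
    """Return the name of the sole policy applicable to host_id + path, or None."""
    matches = [r for r in resources
               if r.host_id == host_id and pattern_to_regex(r.pattern).match(path)]
    if not matches:
        return None
    # Tie-break: the most specific pattern wins (assumption of this example).
    return max(matches, key=lambda r: specificity(r.pattern)).policy


# Constructed sample data: three resources on one host identifier.
RESOURCES = [
    Resource("intranet", "/app/.../*.jsp", "EmployeesOnly"),
    Resource("intranet", "/app/admin/*", "AdminsOnly"),
    Resource("intranet", "/public/...", "Anyone"),
]
# Policy name -> roles, any one of which grants access; an empty set allows everyone.
POLICIES = {"EmployeesOnly": {"employee"}, "AdminsOnly": {"admin"}, "Anyone": set()}


def decide(host_id: str, path: str, roles) -> Tuple[str, Optional[str]]:
    """Closed world: a request that maps to no resource is denied outright,
    before any role check happens."""
    policy = find_policy(RESOURCES, host_id, path)
    if policy is None:
        return "DENY", None
    required = POLICIES[policy]
    allowed = not required or bool(required & set(roles))
    return ("ALLOW" if allowed else "DENY"), policy


if __name__ == "__main__":
    for host, path, roles in [("intranet", "/app/admin/x.jsp", ["employee"]),
                              ("intranet", "/app/reports/q1/x.jsp", ["employee"]),
                              ("intranet", "/other/x.jsp", ["admin"]),
                              ("extranet", "/public/index.html", [])]:
        print(host, path, roles, "->", decide(host, path, roles))
```

Note that `/app/admin/x.jsp` matches both the employee pattern and the admin pattern; the evaluator resolves it to exactly one policy rather than merging them, and a request on an unregistered host identifier (`extranet`) is denied even though the path would match.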

Page 11: Access Manager 11gR2 – Policy Model (diagram)

Diagram elements: Access Manager; Authentication Schemes; Authentication Modules; Application Domains; Authentication Policies; Authorization Policies; Resource Types; Host Identifiers; Resources; Policies; Identity Store.

Legend: Relationship: One-to-Many; Relationship: Many-to-Many; Relationship: Containment; External Dependencies.

Page 12: Access Manager 11gR2 – Policy Model Enhancements

• Multiple IP ranges
• Wildcard enhancements
• Resource operation / custom types
• Authorization expressions
  • AND, OR, NOT
  • ( and ) – precedence indicators
• User attribute condition
• LDAP filter / search
  • Enables creation of more complex and flexible authorization constraints that deal only with LDAP attributes
• Session attribute condition
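The authorization expressions listed above (AND, OR, NOT, with parentheses as precedence indicators) combined with IP-range, user-attribute and session-attribute conditions can be demonstrated with a small recursive-descent evaluator. This is an added example written for this transcript, not OAM's policy engine: the condition names, the request-context layout and the rule that an undefined condition name is an error rather than a silent "false" are assumptions. The LDAP filter condition is not modelled because it needs a directory to search.

```python
import ipaddress
import re
from typing import Callable, Dict

TOKEN = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*")


def tokenize(expression: str):
    """Split into '(', ')', operators and condition names. Anything else (stray
    punctuation, a typo) is rejected so a malformed policy cannot widen access."""
    leftover = TOKEN.sub("", expression).strip()
    if leftover:
        raise ValueError(f"unexpected characters in expression: {leftover!r}")
    return TOKEN.findall(expression)


class ExprParser:
    """Recursive descent with the usual precedence NOT > AND > OR; '(' ')' override it.
    Produces a tuple-based AST such as ("AND", ("COND", "A"), ("NOT", ("COND", "B")))."""

    def __init__(self, expression: str):
        self.tokens = tokenize(expression)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _or(self):
        node = self._and()
        while self._peek() == "OR":
            self._next()
            node = ("OR", node, self._and())
        return node

    def _and(self):
        node = self._not()
        while self._peek() == "AND":
            self._next()
            node = ("AND", node, self._not())
        return node

    def _not(self):
        if self._peek() == "NOT":
            self._next()
            return ("NOT", self._not())
        tok = self._next()
        if tok == "(":
            node = self._or()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok in (")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("COND", tok)


def evaluate(node, conditions: Dict[str, Callable], ctx) -> bool:
    kind = node[0]
    if kind == "COND":
        if node[1] not in conditions:     # undefined name: fail loudly, never fail open
            raise KeyError(f"policy references undefined condition {node[1]!r}")
        return bool(conditions[node[1]](ctx))
    if kind == "NOT":
        return not evaluate(node[1], conditions, ctx)
    left = evaluate(node[1], conditions, ctx)
    if kind == "AND":
        return left and evaluate(node[2], conditions, ctx)
    return left or evaluate(node[2], conditions, ctx)


def authorize(expression: str, conditions, ctx) -> bool:
    return evaluate(ExprParser(expression).parse(), conditions, ctx)


def is_malformed(expression: str) -> bool:
    try:
        ExprParser(expression).parse()
        return False
    except ValueError:
        return True


# Condition factories. Assumed context layout: ctx["request"], ctx["user"], ctx["session"].
def ip_in_ranges(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda ctx: any(ipaddress.ip_address(ctx["request"]["client_ip"]) in n for n in nets)


def user_attr_equals(name, value):
    return lambda ctx: ctx["user"].get(name) == value


def session_attr_equals(name, value):
    return lambda ctx: ctx["session"].get(name) == value


# Constructed sample policy.
CONDITIONS = {
    "CorpNet": ip_in_ranges("10.0.0.0/8", "192.168.1.0/24"),
    "Finance": user_attr_equals("department", "Finance"),
    "IsManager": user_attr_equals("title", "Manager"),
    "Contractor": user_attr_equals("employeeType", "Contractor"),
    "StrongAuth": session_attr_equals("authn_level", 2),
}
FINANCE_APP = "(Finance AND CorpNet) OR (IsManager AND StrongAuth AND NOT Contractor)"
```

Usage: `authorize(FINANCE_APP, CONDITIONS, ctx)` with a context dict returns the decision. The parser builds the tree first and evaluates second, so precedence mistakes (`A OR B AND C` binding as `A OR (B AND C)`) are visible by inspecting `ExprParser(expr).parse()` before the policy is deployed.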

Page 13: Access Manager 11gR2 – Policy Model Enhancements – LDAP Query/Filter Condition (screenshot)

Page 14: Access Manager 11gR2 – Policy Model Enhancements – Complex Expressions (screenshot)

Page 15: Access Manager 11gR2 – Session Management

• Stateful sessions with detailed security context information that can be further propagated
• Tracks active user sessions using a high-performance distributed cache
• Admin can specify Session Lifetime & Idle Timeout globally
• Admin can limit the number of concurrent sessions a user can have at one time
• Out-of-band session termination
  • Prevents unauthorized access to systems when a user has been terminated
• Can be done with or without persistent storage
• Provides automatic session failover
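To make the session controls above concrete (a global lifetime, an idle timeout, a per-user concurrent-session cap, and out-of-band termination), here is an added example: an in-memory session store with an injectable clock, written for this transcript and not OAM's distributed-cache implementation. Refusing a new login when the cap is reached, instead of evicting the user's oldest session, is an assumption of the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


class FakeClock:
    """Injectable clock so lifetime and idle rules can be exercised deterministically."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Session:
    id: str
    user: str
    created: float      # fixed at login; drives the lifetime limit
    last_access: float  # refreshed on every valid request; drives the idle limit


class SessionStore:
    """In-memory stand-in for a distributed session cache (assumption: a single
    dict in one process instead of a replicated cache)."""

    def __init__(self, lifetime_s: float, idle_timeout_s: float, max_concurrent: int, clock):
        self.lifetime_s = lifetime_s
        self.idle_timeout_s = idle_timeout_s
        self.max_concurrent = max_concurrent
        self.clock = clock
        self.sessions = {}

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.created > self.lifetime_s) or (now - s.last_access > self.idle_timeout_s)

    def _purge(self, now: float) -> None:
        for sid in [sid for sid, s in self.sessions.items() if self._expired(s, now)]:
            del self.sessions[sid]

    def create(self, user: str) -> Optional[str]:
        """Start a session; returns None when the user's concurrent-session cap is
        reached (assumption: refuse the new login rather than evict an old session)."""
        now = self.clock()
        self._purge(now)   # expired sessions must not count against the cap
        if sum(1 for s in self.sessions.values() if s.user == user) >= self.max_concurrent:
            return None
        sid = secrets.token_urlsafe(32)   # unguessable identifier
        self.sessions[sid] = Session(sid, user, now, now)
        return sid

    def validate(self, sid: str) -> bool:
        """True if the session exists and is inside both limits. A valid request
        refreshes the idle timer but never extends the absolute lifetime."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        now = self.clock()
        if self._expired(s, now):
            del self.sessions[sid]
            return False
        s.last_access = now
        return True

    def terminate_user(self, user: str) -> int:
        """Out-of-band termination: revoke every session of a user (for example on
        deprovisioning) without waiting for a timeout. Returns how many were removed."""
        victims = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in victims:
            del self.sessions[sid]
        return len(victims)

    def active_count(self, user: str) -> int:
        self._purge(self.clock())
        return sum(1 for s in self.sessions.values() if s.user == user)
```

The two timers are deliberately independent: a session that is used every few minutes still ends when the lifetime elapses, which is what prevents a stolen cookie from being kept alive indefinitely by periodic requests.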

Page 16: Access Manager 11gR2 – Session Management (screenshot)

Page 17: Access Manager 11gR2 – Windows Native Authentication

• SPNEGO-based credential validation for true Windows desktop to web single sign-on
• Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
• Does not need an IIS-based solution for WebGate
• WebGates and Oracle SSO protected applications need not run on the Windows platform
• Can be enabled for a subset of protected applications
  • Internal vs. external websites

Page 18: Access Manager 11gR2 – Embedded Credential Collection

• OAM 11g collects credentials at the runtime server
• Login pages are presented by the OAM runtime servers
• OAM runtime servers can redirect to login pages located in a separate web server
• Regardless of where the login pages are, credentials are sent to the OAM runtime servers for collection
• Sample login pages are provided out-of-the-box

Page 19: Access Manager 11gR2 – Detached Credential Collector

• Extends the 11g WebGate with an option to enable credential collection capability (Authentication Gate)
• Back-channel communications use the OAP protocol whilst the front channel uses HTTPS
• Decouples credential collection from the server
• Provides flexibility to place the DCC anywhere in the DMZ
• More security: end-user HTTP sessions get terminated at the DMZ
• Reduces overhead on the server; improves performance

Page 20: Access Manager 11gR2 – Detached Credential Collector (diagram)

Page 21: Access Manager 11gR2 – Password Management

• Native password management for simple password management requirements
• In-band password capability
  • Password warning
  • Forced password reset (expired / reset)
• Password policy enforcement
  • Password composition rules
  • Password history
  • Account lockout
• OAM – OIM password integration still supported
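The three enforcement points named on this slide (composition rules, password history, account lockout) can be shown together in a small Python module. It is an added example for this transcript, not OAM's native password management; the thresholds, the PBKDF2 hashing with a reduced round count, and the time-based lockout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Tuple

PBKDF2_ROUNDS = 50_000   # kept low so the example runs quickly; use far more in production


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_char_classes: int = 3      # out of: lower, upper, digit, other
    history_size: int = 5          # hashes retained, current password included
    max_failures: int = 5          # consecutive failures before lockout
    lockout_seconds: float = 900   # how long the account stays locked


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first
    failures: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def composition_errors(policy: PasswordPolicy, password: str, username: str) -> List[str]:
    """Composition rules: minimum length, character classes, no username inside the password."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"must be at least {policy.min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < policy.min_char_classes:
        errors.append(f"must use at least {policy.min_char_classes} character classes")
    if username and username.lower() in password.lower():
        errors.append("must not contain the username")
    return errors


def change_password(policy: PasswordPolicy, account: Account, new_password: str) -> List[str]:
    """Apply composition rules and history; on success the new hash becomes history[0]."""
    errors = composition_errors(policy, new_password, account.username)
    # History check: compare against every retained hash, each with its own salt.
    if any(hmac.compare_digest(_hash(new_password, salt), digest) for salt, digest in account.history):
        errors.append("password was used recently")
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.insert(0, (salt, _hash(new_password, salt)))
    del account.history[policy.history_size:]
    return []


def authenticate(policy: PasswordPolicy, account: Account, password: str, now: float) -> str:
    """Returns "OK", "BAD_PASSWORD" or "LOCKED". The lockout is checked before the
    password, so a locked account answers the same whether or not the password is right."""
    if now < account.locked_until:
        return "LOCKED"
    if account.history:
        salt, digest = account.history[0]
        if hmac.compare_digest(_hash(password, salt), digest):
            account.failures = 0
            return "OK"
    account.failures += 1
    if account.failures >= policy.max_failures:
        account.failures = 0
        account.locked_until = now + policy.lockout_seconds
        return "LOCKED"
    return "BAD_PASSWORD"
```

`now` is passed in explicitly so the lockout window can be tested without sleeping; in a real service it would be the server clock. Only the newest history entry is a valid login credential; the older entries exist solely to refuse reuse.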

Page 22: Access Manager 11gR2 – Password Management (screenshot)

Page 23: Access Manager 11gR2 – Centralized Agent Management

• One administration console to manage all agents within the deployment
• Simultaneously manage and configure mod_osso, OAM 10g WebGates, OpenSSO Agents and OAM 11g WebGates
• Operational status of each individual agent can be monitored
  • Agent hostname, IP address, connected server, number of active connections, average operation latency, and more…

Page 24: Access Manager 11gR2 – Centralized Agent Management (screenshot)

Page 25: Access Manager 11gR2 – 11g WebGate

• 11g cookie is host-scoped
• Cookie encryption for each 11g WebGate is unique to that WebGate
• Authorization caching
  • Resource to authorization policy
  • Authorization result
• Diagnostic page
• OUI installer that lays out a WebGate package depending on the platform used

Page 26: Access Manager 11gR2 – Utilities

• Remote Registration Tool
  • Application administrators can register agents without the help of the security team
  • Policy objects can be automatically created to protect resources of a given application at registration time
• Access Tester Tool
  • Simulates resource requests to ensure policy evaluates correctly
  • Uncovers network issues that impact WebGates or mod_osso agents due to the tool’s remote nature

Page 27: Access Manager 11gR2 – Access Tester Tool (screenshot)

Page 28: Access Manager 11gR2 – Logging and Auditing

• Logging
  • Centralized log management via Enterprise Manager (EM)
  • Graphical tools for configuring and viewing logs (EM)
  • Multiple logging levels
• Auditing
  • Standardized auditing across FMW components
  • Common Audit Framework allows audit logs to be directed and persisted into an audit database
  • Reports generated via Oracle BI Publisher

Page 29: Agenda

Page 30: Access Manager 11gR2 – Internal Architecture (diagram)

Diagram elements: Protocol Compatibility Framework; OAM Server; Coherence Distributed Cache; Oracle Platform Security Services; Credential Collector; Session Management; SSO Engine; AuthN Service; AuthZ Service; Identity Provider; Token Processing; Partner & Trust; Configuration Service; Policy Service.

Page 31: Access Manager 11gR2 – Installation and Configuration

• Installation process
  • OAM 11g installs using Oracle Universal Installer (OUI)
  • The installation process copies all the software bits to the host machine
  • OUI does not perform product configuration
• Configuration process requires 2 steps
  • Database schema configuration using Repository Creation Utility (RCU)
  • Product configuration and deployment using WebLogic Configuration Wizard

Page 32: Access Manager 11gR2 – Deployment on WebLogic Cluster (diagram)

Page 33: Access Manager 11gR2 – Multi-data-center Deployment

• Supports Active-Active, Active-Passive or Active-Hot Standby deployments
• Enables seamless user SSO across data centers with session continuity
• Follows a Master-Slave configuration for the Access Manager deployment across data centers; policy and configuration are kept in sync via T2P processes
• Behavior is configurable based on the Session Adoption Policy
  • Re-authentication Required – True/False
  • Remote Session Invalidation – True/False
  • On-Demand Session Data Retrieval – True/False

Page 34: Access Manager 11gR2 – Multi-data-center Deployment – Active/Active (diagram)

Diagram elements: Global Load Balancer; Access Manager Cluster in Data-Center 1 (Master); Access Manager Cluster in Data-Center 2 (Slave); User 1 (Geo-location 1); User 2 (Geo-location 2); Active / Stand-by labels on each cluster; Synchronized using T2P Process; OAM Cookie DC=DC1; OAM Cookie DC=DC2.

Page 35: Access Manager 11gR2 – Multi-data-center Deployment – Active/Active (failover diagram)

Diagram elements: Global Load Balancer; Access Manager Cluster in Data-Center 1 (Master); Access Manager Cluster in Data-Center 2 (Slave); User 1 (Geo-location 1); User 2 (Geo-location 2); Data-Center 1 is down or over-loaded; OAM Cookie DC=DC1 / DC=DC2; OAM Cookie DC=DC2; Retrieve Remote Session Data; Invalidate Remote Session; Back-channel OAP call; Re-authenticate User.

Page 36: Agenda

Page 37: Access Manager 11gR2 – Extensibility

• Authentication Extensibility Framework
  • Allows customized authentication modules to be plugged into the system
  • Includes Java SDK tooling for users to create customized modules
• Pure Java-based ASDK
  • Includes authentication services and authorization services
  • One platform-independent package
  • Includes APIs for the extended protocol-level op codes
  • Backward compatible with OAM 10g

Page 38: Access Manager 11gR2 – Key IDM Integrations

• OAM – OSTS: Identity Propagation
  • SSO to web services
  • Issuance and validation of web service tokens
• OAM – OAM Federation: Federated SSO
  • Identity propagation from federated partners into the local environment
  • Simplify authentication flows

Page 39: Access Manager 11gR2 – Key IDM Integrations

• OAM – OAAM: Authentication
  • Reinforce password authentication
  • Risk-based authentication
• OAM – OAAM – OIM: End-to-End
  • Secure self-service flows
  • Increase security and usability
  • Consistent user experience

Page 40: Access Manager 11gR2 – New Platform and Integration Support

• New platform support
  • Solaris x64, AIX 7.1, and Oracle Linux 6.x / RHEL 6.x
• 3rd-party integrations
  • Microsoft SharePoint 2010
  • RSA Authentication Manager 7.1
  • JBoss 5.1.0
  • Microsoft Outlook Web Application (OWA) 2010 – Post R2
  • Microsoft Forefront TMG 2010 – Post R2
  • SAP Portal 7.0 – Post R2
  • IBM WebSphere Portal 7.0 – Post R2

Page 41: Q&A

Page 42: Closing slide (footer only)