Identity Access and Management

This is a document describing the IDAM architecture and system.



TABLE OF CONTENTS

2. IDENTITY AND ACCESS MANAGEMENT SYSTEMS
   2.1 Components of IDAM
       2.1.1 Authentication
       2.1.2 Authorization
       2.1.3 User management Life Cycle
       2.1.4 Central user repositories
   2.2 Advantages of employing IDAM systems
   2.3 Organizations employing IDAM systems
3. ARCHITECTURE OF IDAM SYSTEM
   3.1 ARCHITECTURE GOALS
   3.2 TECHNICAL PLATFORM
       3.2.1 Technical Benefits
       3.2.2 Security
       3.2.3 JAAS Based Authentication
       3.2.4 Transaction Management
       3.2.5 Persistence
       3.2.6 Reliability & scalability
       3.2.7 Performance
       3.2.8 Customization
   3.3 QUALITY
       3.3.1 Reliability
       3.3.2 Portability
       3.3.3 Recoverability
       3.3.4 Securability
       3.3.5 Auditability
       3.3.6 Manageability and maintainability
       3.3.7 Response
       3.3.8 Scalability
       3.3.9 Availability
   3.4 ORACLE IDENTITY MANAGER USAGE OVERVIEW
       3.4.1 Provision manager
       3.4.1 Provision Server
       3.4.2 Adapter Factory
       3.4.3 Reconciliation Engine
       3.4.4 Applications Integration for user life cycle management
4. ORACLE IDENTITY MANAGER ARCHITECTURE
   4.1 Identity Manager Architecture
       4.1.1 Presentation Layer
       4.1.2 Business Logic Layer
       4.1.3 Data Access Layer
5. ORACLE ACCESS MANAGER ARCHITECTURE
   5.1 Access Manager Architecture
   5.2 Access Manager Component's overview
       5.2.1 Identity Server
       5.2.2 WebPass
       5.2.3 WebGate
       5.2.4 Access Server
       5.2.5 Policy Manager
       5.2.6 New Administrator Functionality in Access Manager
       5.2.7 Oracle Virtual Directory
       5.2.8 Oracle Internet Directory
       5.2.9 Oracle HTTP Standalone Web Server
6. Acronyms and Glossary
7. References

2. IDENTITY AND ACCESS MANAGEMENT SYSTEMS

Identity and Access Management systems provide an interface through which people, processes and products can identify and manage the data an information system uses to validate users and to grant or deny access rights to data and system resources. The basic goal of IDAM (Identity and Access Management) is to provide appropriate access to enterprise resources.

2.1 Components of IDAM

In order to meet the security and compliance requirements of an organization, there must be an ability to quickly search for, identify and verify the user or process that is accessing the system. By implementing IDAM models for every part of the organization, we can reap benefits monetarily. IDAM systems also offer a high degree of security, which is a basic requirement of any organization.

IDAM is made up of four main components, namely Authentication, Authorization, User Management and Central User Repository. The main objective of IDAM is to provide the right access to the right people in order to protect information sources.

2.1.1 Authentication

This area covers the verification of the identity of an internet user, i.e. AUTHENTICATION, and the tracking of the user's interactions with the computer system, i.e. SESSION MANAGEMENT. The most common way to provide access control and information privacy to users is USERID/PASSWORD authentication. When we implement IDAM systems, we can track the different sessions of users from a centralized location.

2.1.2 Authorization

AUTHORIZATION determines whether the user has the required permission or access right to a particular resource. The IDAM system tests the user's access request against the authorization policies of the organization. Authorization mainly takes into account the user groups to which the user belongs, the access channels, and the data resources that can be accessed. More complex criteria, such as time-based access or business rules whose resulting access permissions change over time, are also part of authorization.

2.1.3 User management Life Cycle

IDAM describes or defines the rules for administrative functions like password resetting, identity creation, identity deletion and privileges management. This component basically manages the entire user life-cycle starting from identity creation to final de-provisioning from accounts database. Hence it is a basic requirement to install an integrated workflow system that can take care of user management activities.

2.1.4 Central user repositories

By implementing IDAM systems in an organization, we can store identity information in a single authoritative source, pass it on to other IT services, and provide verification on demand. That is, this component of IDAM presents a logical view of the identities and their relationships to various other systems. It is a logical view of existing stored information that can be maintained physically or virtually, depending on the growth in the number of identities.

2.2 Advantages of employing IDAM systems

When the organization is able to protect the data which is either created, processed or used by it, the business value of the organization is likely to improve.


IDAM systems provide the kind of dependability and accessibility to user access control that is of vital importance to most e-business sites these days.

IDAM systems provide the capability to open up only a part of the organization's information sites to customers, vendors and partners; hence they enable an effective information exchange that can be tailored to a particular user group.

By the use of IDAM systems, one can enable new users to obtain vital information from applications so that they can achieve a particular goal and at the same time allow the organization to keep a check on the access rights as their roles require.

IDAM basically eases IT management in organizations to reduce the overall effort of IT administration and hence the productivity of each employee is increased over a period of time.

2.3 Organizations employing IDAM systems

IDAM systems involve either stages or organizational units to provide access controls, which helps to identify any ambiguity in control points. Hence these IDAM systems provide an approach that can be measured over time, which enables IT expansion in growing organizations. By expanding IT management we can enhance the overall ROI for the business.

The main organizations which employ IDAM systems to rapidly search for, identify and verify who is accessing the system are:

• Online banking

• Service delivery

• Retail sites

• Defense information systems

• Telecommunication industries

3. ARCHITECTURE OF IDAM SYSTEM

The Architecture describes the high-level conceptual elements that are part of the solution and the ways in which they interact.

Identity management solution for Typical IDAM system is based on Oracle IDM Suite. The identity Management solution to be deployed for Typical IDAM will consist of the following major components.

Figure 1- Architecture of IDAM system

3.1 ARCHITECTURE GOALS

• Foundation builds of the Identity and Access Manager infrastructure for the Typical IDAM system.

• Set up the internal consolidated directory as the trusted source (contains data on Typical employees and non-employees from the SAP HR data system).

• Password synchronization and reverse password synchronization with Active Directory.

• Self-service capabilities for end-users such as:
  o Raising application access requests.
  o Changing password.

• Approval workflows for access requests raised by the user for each application.

• Approval workflows for access requests raised for third-party users for each application.

• Integrate the eSSO Provisioning gateway with Identity Manager.

3.2 TECHNICAL PLATFORM

3.2.1 Technical Benefits

Ease of Deployment: Deployment Manager assists in the migration of integration and configuration between environments.

Flexible and Resilient: Oracle Identity Manager can be deployed in single or multiple server instances.  Multiple server instances provide optimal configuration options, fault tolerance, redundancy, fail-over and system load balancing.

Modular Architecture: Oracle Identity Manager is made up of abstraction layers, which allows the execution logic to be changed and refined without affecting logic or definitions that still apply.

Built-in Audit and Compliance: Oracle Identity Manager is a fully integrated platform for identity provisioning and identity audit and compliance.

3.2.2 Security

Oracle Identity Manager enforces internal security policies and eliminates potential security threats from rogue, expired and unauthorized accounts and privileges. When users change roles within an organization, it is often the case that they have the wrong accounts and access rights in applications and systems due to inadequate user maintenance. Frequently users who have left an organization weeks or months earlier still have accounts and access to applications and systems. Finally, users authenticate to applications using different strength passwords with different password rules (e.g. frequency of password change).

3.2.3 JAAS Based Authentication

Oracle Identity Manager relies on the J2EE framework to secure access to the EJB-exposed APIs using the JAAS (Java Authentication and Authorization Service). Using this, Oracle Identity Manager ensures that only authenticated users are able to access the API methods that expose Oracle Identity Manager functionality.

3.2.4 Transaction Management

An important requirement for the Oracle Identity Manager application to operate is for the backend database to be XA-compliant. This requires XA support to be turned on at the database level. This is important for the application server to properly manage transactions that involve not just database connections but also message delivery and receipt. In XA functionality, the transaction manager uses XA resource instances to prepare and coordinate each transaction branch and then to commit or roll back all transaction branches appropriately.

3.2.5 Persistence

Oracle Identity Manager has a custom persistence layer that has been built on the JDBC framework to manage persistence of the data to the database. This custom implementation is optimized to deal with the complexity of the data involved in the provisioning transactions in an optimal manner, above and beyond what container-managed persistence and generic persistence mechanisms can support.

3.2.6 Reliability & scalability

Oracle Identity Manager is reliable with consistency of application and transactions. When a user connects to the system to process a specific request, the system is guaranteed to provide the expected results or a reasonable response. Oracle identity manager has the built-in ability to accept additional users in accordance with growth in business without rewriting or redesigning systems.

3.2.7 Performance

Speedy response times and efficient navigation.

3.2.8 Customization

Being based on the Struts framework, Oracle identity manager supports a great deal of configurability and customization.

3.3 QUALITY

3.3.1 Reliability

The system will be reliable, i.e., when a user connects to the IDAM system to process a specific request, the system will be guaranteed to provide the expected results or a reasonable response. In order to make the system reliable, the Typical IDAM system will be designed in an OS-clustered environment. All web servers and the OVD component will run in load-balancer mode, and application servers will run in OS-clustered mode. Please refer to the deployment architecture details.

3.3.2 Portability

The Typical IDAM enterprise system is portable to various platforms as the business grows and when bigger and more efficient hardware platforms are needed. Oracle Identity Manager is portable to most environments.

3.3.3 Recoverability

The system is able to recover from failures with minimal downtime. At a basic level, this is the average time required to repair a failed system or database. Database recoverability directly relates to the quality of the backup strategy in place for Typical.

Oracle Identity Manager is deployed in the Typical clustered environment, so if one node goes down the other node remains up, avoiding downtime.

3.3.4 Securability

Data is vital to a business and will be protected from hackers in the best possible manner. The Oracle Advanced Security option provides encryption of data over the network. Oracle Identity Manager enforces internal security policies and eliminates potential security threats from rogue, expired and unauthorized accounts and privileges.

3.3.5 Auditability

Auditability of data refers to the ability to retrieve sufficient information with respect to the creation of data, such as who created the data, why the data was created, who modified the data, when it was modified. Oracle Identity Manager reports on both the history and the current state of the Typical user provisioning environment.


3.3.6 Manageability and maintainability

Typical IDAM system will be tuned to suit the organizational needs.

3.3.7 Response

Response time from a user's perspective is the time taken for the system to respond to a request. Oracle Identity Manager provides fast response times.

3.3.8 Scalability

The Typical IDAM system is reliable and has the capability to accept additional user requests as the business grows, through horizontal hardware scaling of the web servers and application servers. As of now, application servers will be OS-clustered and the web servers/LDAP component will be configured in load-balancing mode.

3.3.9 Availability

In order to make the system highly available Typical IDAM system will be designed into clustered environment. All web servers, OVD component will be with load balancer mode, Application servers will be on OS clustered mode.

3.4 ORACLE IDENTITY MANAGER USAGE OVERVIEW

Oracle Identity Manager is built on an enterprise-class, modular architecture that is both open and scalable. Each module plays a critical role in the overall functionality of the system.

Oracle Identity Manager User Interfaces define and administer the provisioning environment. Oracle Identity Manager offers two feature-rich user interfaces to satisfy both administrator and user requirements:

• Powerful Java-based Design Console for developers and system administrators.

• Web-based Administration Console for identity administrators and end users.

3.4.1 Provision manager

Provision Manager is where provisioning transactions are assembled and modified. User profiles, access policies and resources are defined through the Provision Manager, as are business process workflow and business rules.

3.4.1 Provision Server

Provision Server is Oracle Identity Manager’s run-time engine, which executes the provision process transactions as defined through the Design Console and maintained within the Provision Manager.

3.4.2 Adapter Factory

Adapter Factory builds and maintains the integrations between Oracle Identity Manager and managed systems and applications. The Adapter Factory allows administrators and subject matter experts to work at a higher level of abstraction by mapping the Oracle Identity Manager provisioning process directly to the target application’s configuration requirements. Once mapped, the Adapter Factory will generate the necessary integration code.

3.4.3 Reconciliation Engine

Reconciliation Engine ensures consistency between Oracle Identity Manager provisioning environment and Oracle Identity Manager managed resources within the enterprise. The Reconciliation Engine discovers illegal accounts created outside of Oracle Identity Manager. Reconciliation Engine will also synchronize business rules located inside and outside the provisioning system to ensure consistency.


3.4.4 Applications Integration for user life cycle management

The target applications to be integrated with OIM for user lifecycle management will be integrated by the following methods:

• Out-of-box connectors - IDM provides default connectors for standard applications.

• DB-based connectors - connectors that manage accounts directly in the application's backend database.

• API-based connectors - these connectors use the target application's API for account management.


4 ORACLE IDENTITY MANAGER ARCHITECTURE

4.1 Identity Manager Architecture

The architecture of Identity manager can be defined as shown below:

Figure 2 Oracle Identity Manager architecture

The layers of this architecture are described below.

4.1.1 Presentation Layer

The presentation layer consists of two clients:

1. The Administrative and End-User Console is a web-based thin client that can be accessed from any web browser. The A&EU Console provides user self-service and delegated administration features that serve the bulk of the user base of the provisioning system.

2. The Design Console is a feature-rich, sophisticated client accessed through a desktop Java client for administrative activity. The Design Console provides the full range of Xellerate's system configuration and development capabilities, including the form designer, workflow designer, adapter factory and the deployment utility for automated change management.

4.1.2 Business Logic Layer

The business logic layer for Xellerate is implemented as an EJB application. Xellerate runs on leading J2EE compliant application server platforms, leveraging the J2EE services provided by these industry-leading application servers to deliver a high-performance, fault tolerant enterprise application. The core functionality for the Xellerate platform is implemented in Java using a highly modular, object-oriented methodology. This makes the application extremely flexible and extensible.

4.1.3 Data Access Layer

J2EE contains several technologies for manipulating and interacting with transactional resources like Databases, based on JDBC, JTA and JTS. The Xellerate architecture leverages the following J2EE services:

• Database Connection Pooling.

• Integration with JNDI – Lookup of Data Sources in the JNDI Namespace.

• XA Compliance.

• Batch Updates.


5 ORACLE ACCESS MANAGER ARCHITECTURE

Oracle Access Manager helps enterprises create greater levels of business agility, ensure seamless business partner integration, and enable regulatory compliance. Through an innovative, integrated architecture Oracle Access Manager uniquely combines identity management and access control services to provide centralized authentication, policy-based authorizations, and auditing with rich identity administration functionality such as delegated administration and workflows. Protecting resources at the point of access and delegating authentication and authorization decisions to a central authority, Oracle Access Manager helps secure web, J2EE, and enterprise applications.

5.1 Access Manager Architecture

The architecture of Access manager can be defined as shown below:

Figure 3 Oracle Access Manager architecture


When a user tries to access a protected enterprise resource, the WebGate and the Access Server execute the following sequence of steps:

1. The WebGate intercepts the user request and checks with the Access Server whether the resource being accessed is protected.

2. If the resource is protected, the WebGate challenges the user for credentials and forwards those credentials to the Access Server for validation.

3. The Access Server validates the submitted user credentials against the backend directory server.

4. The result of this validation is sent back to the WebGate. If the authentication is successful, the WebGate sets a cookie in the user’s browser and checks with the Access Server whether the user has permissions to access the protected resource.

5. The Access Server fetches the policies from the directory and evaluates whether the user has access to the protected resource. The result is sent back to the WebGate.

6. If the user is authorized, he gets access to the secured resource.
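The six-step exchange above, together with the group-based and time-based policy checks described under 2.1.2, modelled as an added example (not Oracle's code): a toy WebGate acting as the PEP in front of an in-memory Access Server acting as the PDP. The directory entries, the policies, the cookie name and the HTTP status mapping are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed "directory server": user -> (salt, PBKDF2 hash, groups).
_SALT = b"constructed-salt"  # one shared salt only to keep the toy short
_ITER = 10_000               # toy iteration count

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)

DIRECTORY = {
    "alice": (_SALT, _hash("correct horse", _SALT), {"finance", "staff"}),
    "bob": (_SALT, _hash("hunter2", _SALT), {"staff"}),
}

# Constructed policy store: URL prefix -> allowed groups and an hour window
# (the time-based rule from 2.1.2); None means the resource is open all day.
POLICIES = {
    "/finance/": {"groups": {"finance"}, "hours": (8, 18)},
    "/intranet/": {"groups": {"staff"}, "hours": None},
}

class AccessServer:
    """Policy Decision Point: talks to the directory and policy store only."""
    def __init__(self):
        self.sessions = {}  # session token -> user name

    def find_policy(self, url):
        for prefix, policy in POLICIES.items():
            if url.startswith(prefix):
                return policy
        return None

    def is_protected(self, url):
        return self.find_policy(url) is not None

    def authenticate(self, user, password):
        """Step 3: validate credentials; returns a session token or None."""
        entry = DIRECTORY.get(user)
        if entry is None:
            _hash(password, _SALT)  # spend the same time on unknown users
            return None
        salt, stored, _groups = entry
        if not hmac.compare_digest(_hash(password, salt), stored):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def authorize(self, token, url, hour):
        """Step 5: evaluate group membership and the time window."""
        user = self.sessions.get(token)
        policy = self.find_policy(url)
        if user is None or policy is None:
            return False
        if not DIRECTORY[user][2] & policy["groups"]:
            return False
        window = policy["hours"]
        return window is None or window[0] <= hour < window[1]

class WebGate:
    """Policy Enforcement Point: web-server plug-in that intercepts requests
    and defers every decision to the Access Server."""
    COOKIE = "sso_session"  # constructed cookie name

    def __init__(self, access_server):
        self.pdp = access_server

    def handle(self, url, cookies, credentials, hour):
        """Returns (status, cookies): 200 allowed, 401 challenge, 403 denied."""
        if not self.pdp.is_protected(url):
            return 200, cookies  # step 1: not protected, pass straight through
        token = cookies.get(self.COOKIE)
        if token not in self.pdp.sessions:
            if credentials is None:
                return 401, cookies  # step 2: challenge for credentials
            token = self.pdp.authenticate(*credentials)  # step 3
            if token is None:
                return 401, cookies  # validation failed: challenge again
            cookies = {**cookies, self.COOKIE: token}  # step 4: set cookie
        if self.pdp.authorize(token, url, hour):  # step 5
            return 200, cookies  # step 6: resource served
        return 403, cookies
```

A forged or expired cookie is simply absent from the Access Server's session table, so the WebGate falls back to a fresh challenge rather than trusting anything the browser presents.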

5.2 Access Manager Component’s overview

The diagram below depicts the flow between the Access Manager components.

Figure 4 Flow diagram between access manager's components

This is an architectural diagram showing how Oracle Access Manager Components communicate with Oracle Application Server middle-tier components.

On the Oracle Access Manager side, there are the following:

• A special browser client for management: communicates with the Oracle Access Manager Web server.

• Oracle Access Manager Web server (Oracle HTTP Server, for example): has WebGate, Policy Manager and WebPass installed. WebGate communicates with the Access Server. Policy Manager communicates with the LDAP server (such as Oracle Internet Directory). WebPass communicates with the Identity Server.

• Access Server: communicates with WebGate, the LDAP server, each application instance in the middle tier, and the middle-tier Web Server.

• Identity Server: communicates with WebPass and the LDAP server.

5.2.1 Identity Server

The Identity Server manages identity information about users, groups, organizations, and other objects. The Identity Server performs three main functions:

1. Reads the user data from OVD and writes the data on to OID server across a network connection.

2. Stores user information on a directory server and keeps the directory current.

3. Processes all requests related to user, group, and organization identification.

5.2.2 WebPass

WebPass is a web server plug-in that passes information back and forth between the web server and the Identity Server over the Oracle Identity Protocol (formerly Netpoint or COREid Identity Protocol). Hence, WebPass is the presentation tier of the Identity System. By default, WebPass renders its content as HTML so that it can be accessed through a browser.

5.2.3 WebGate

WebGate is an out-of-the-box access client for enforcing access policy on HTTP-based resources; hence it is the Access System's web Policy Enforcement Point, or PEP. The WebGate client runs as a plug-in or module on top of most popular web servers; it intercepts HTTP requests for web resources and forwards them to the Access Server, where access control policies are applied. WebGates are optimized for web server environments: they are streamlined for the HTTP protocol, understand URLs, session cookies, HTTP redirects and secure sessions (HTTPS), and also implement policy caches that improve WebGate's performance and allow for scalability on highly trafficked sites.

5.2.4 Access Server

Access Server is a standalone software server that enforces access policies on web and non-web resources, so it is the Access System's Policy Decision Point, or PDP. The Access Server can be deployed in a single instance, or as part of a clustered implementation to support load balancing and failover. Load balancing and failover of the Access Server are built in and do not require the deployment of external load balancers. The Access Server provides dynamic policy evaluation as users access resources, as well as authentication, authorization and auditing services.


5.2.5 Policy Manager

Policy Manager is a browser-based graphical tool for configuring the resources to be protected as well as creating and managing access policies, so it is the Access System's Policy Management Authority, or PMA. The Policy Manager provides the login interface for the Access System, communicates with the directory server to manage policy data, and communicates with the Access Server over the Oracle Access Protocol to update the Access Server cache when policies are modified.

5.2.6 New Administrator Functionality in Access Manager

Once the user is authenticated by the Access Manager, the appropriate links on the landing page will be displayed based on the user's role (e.g. administrator or non-administrator). For an administrator user, an additional "Administrator" link will be displayed. Thus, the administrator will have the authority to add a new application and to edit or delete an existing application link on the landing page. This lets the administrator perform all these tasks through the landing page itself, rather than by adding, editing or deleting entries directly in the database.

5.2.7 Oracle Virtual Directory

Oracle Virtual Directory provides an Internet- and industry-standard LDAP view of existing enterprise identity information, without synchronizing or moving data from its native locations.

5.2.8 Oracle Internet Directory

Oracle Internet Directory is an LDAP v3 directory that leverages the scalability, high availability and security features of the Oracle Database. Oracle Internet Directory serves as the central user repository for Oracle Identity Management, simplifying user administration in the Oracle environment and providing a standards-based application directory for the heterogeneous enterprise. Additionally, Oracle Directory Synchronization allows Oracle Identity Management to seamlessly integrate with other directories and enterprise user repositories, allowing users to leverage identity information wherever it resides.

5.2.9 Oracle HTTP Standalone Web Server

The Oracle HTTP server is a simple Web HTTPD server (Web listener). It is based on the Apache Web Server provided by the Apache Group. Oracle Access Manager will be installed on the Oracle HTTP Web server.

6. Acronyms and Glossary

IDAM - Identity And Access Management

AD - Active Directory

LDAP - Lightweight Directory Access Protocol

OVD - Oracle Virtual Directory

OID - Oracle Internet Directory

AM - Access Manager

JDBC - Java Database Connectivity

HTTP - Hyper Text Transfer Protocol

JTA - Java Transaction API

JTS - Java Transaction Service

7. References

Figure 1 - Referred Oracle IDAM Architecture document

Figure 2 - Referred Oracle identity management document

Figure 3 - Referred Oracle access manager document

Figure 4 - Referred Oracle access manager document