Oracle Single Sign-On to Oracle Access Manager Migration Rob Otto – Oracle Consulting Services UK.


1 Oracle Single Sign-On to Oracle Access Manager Migration Rob Otto – Oracle Consulting Services UK

2 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.

3 Agenda
- Access Management introduction
- Oracle Access Manager 11gR2 Overview
- Oracle SSO v OAM 11gR2
- OAM 11gR2 - Migration and Coexistence with OSSO
- Q&A

4 Access Management Introduction

5 Identity Management Portfolio – 11gR2: Modern, Innovative & Integrated
- Governance: Password Reset; Privileged Accounts; Access Request; Roles Based Provisioning; Role Mining; Attestation; Separation of Duties
- Access: Web Single Sign-on; Federation; Mobile, Social & Cloud; External Authorization; SOA Security; Integrated ESSO; Token Services; Fraud Detection
- Directory: LDAP Storage; Virtual Directory; Meta Directory
- Platform Security Services

6 Taking a Platform Approach: Building on Components of Fusion Middleware
- Fusion Middleware: WebCenter; ADF; Workflow; SOA; Coherence; CAF
- User Interface; Customization; Performance

7 Oracle Access Management
- Comprehensive security for applications, data, and web services
- End-to-end authentication, single sign-on, and fine grained application protection
- Innovative anomaly detection, transaction security, and multi-factor authentication
- Extensive 3rd party integrations

8 Oracle Access Management Suite Plus
- Entitlements Server: Entitlements Management; Fine Grained Authorization
- Access Manager: Web Access Control; Single Sign-On
- Adaptive Access Manager: Risk-based Authentication; Real-time Fraud Prevention
- Identity Federation: Partner SSO & Identity Federation; Fedlet SP integration
- Secure Token Services: Security Token Management; Identity Propagation

9 Oracle Access Management Blueprint Architecture

10 Oracle Access Manager 11gR2 Overview

11 Oracle Access Manager 11g Objectives
- Provide foundation for Access Management Suite
- Converge OAM, OSSO, and OpenSSO
- Provide new and advanced functionality to customers
- Tighten integrations

12 Oracle Access Manager 11g

| Key Features | Benefits |
| --- | --- |
| Modular Architecture | Separated admin and runtime server to enable independent operations |
| Secure Policy Model | Access is denied by default until policies are created to allow access |
| Simplified Install & Config | One package to install and one series of steps to configure a simple working environment |
| Session Management | Allows admin tracking and termination of user sessions |
| Diagnostics & Monitoring | Allows administrators to monitor key operational metrics in real-time |
| Central Agent Management | Administration console provides a holistic view of all agents and shows the server they are connected to |
| Backwards Compatibility | Compatible with 10g webgates and 10g mod_osso |
| Windows Native AuthN | Enables Windows desktop to web single sign-on |
| Improved Utilities | Remote registration utility, remote access tester, and WLST cmds for policy operations |

13 Oracle Access Manager 11g Architecture – Runtime Server
[Diagram labels: Protocol Compatibility Framework; OAM Server; Coherence Distributed Cache; Oracle Platform Security Services; Credential Collector; Session Management; SSO Engine; AuthN Service; AuthZ Service; Identity Provider; Token Processing; Partner & Trust; Configuration Service; Policy Service]

14 Oracle Access Manager 11g Administration Console
- Integrated Security Administration, Agent Administration

15 Access Manager 11gR2 Deployment Overview

16 Access Manager 11gR2 Deployment Detail
[Diagram labels: Protected; External Client; Internet; Load Balancer; Firewall (Web Tier); Web Hosts; OHS; WebGate; Firewall (App Tier); IAM Hosts; WLS_OAM; OAM Admin Server; Admin Console; IDM Hosts; WLS_ODSM; Admin Server; Admin Console; EM; ODSM; App Hosts; AccessGate; WLS; LDAP Hosts; OVD; OID; Firewall (Data Tier); DB Hosts; RAC Metadata DB (OAM, OID, Schema)]

17 Access Manager 11gR2 Installation and Configuration
- Installation process
  - OAM 11g installs using Oracle Universal Installer (OUI)
  - The installation process copies all the software bits to the host machine
  - OUI does not perform product configuration
- Configuration process requires 2 steps
  - Database schema configuration using Repository Creation Utility (RCU)
  - Product configuration and deployment using WebLogic Configuration Wizard
- Oracle Support Note provides a good starting point

18 Oracle Access Manager 11g Windows Native Authentication
- SPNEGO based credential validation for true Windows desktop to web single sign-on
- Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
- Does not need IIS based solution for WebGate
- WebGates and Oracle SSO protected applications need not run on Windows platform
- Can be enabled for a subset of protected applications
  - Internal vs External websites

19 Oracle Access Manager 11g Windows Native Authentication - Setup
Basic steps are as follows:
- Edit /etc/krb5.conf file
- Create Service Principal Name
- Obtain Kerberos Ticket
- Set-up OAM Kerberos AuthN Module
- Configure Kerberos AuthN Scheme for WNA
- Register AD as OAM User Store
- Verify OAM configuration (oam-config.xml)
- Enable Kerberos in Web Browser
- Test
See OAM Admin Guide, Chapter 7 (link here)
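The setup above starts with editing /etc/krb5.conf. As an added example (not from the presentation or from Oracle's documentation), this Python checker parses a krb5.conf and reports a missing default realm, a realm without an explicit KDC, and deprecated encryption types. The realm, host names and function names are constructed for illustration.

```python
import re

# Constructed sample: realm and host names are placeholders, not from the slides.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-md5
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

WEAK_ENCTYPES = ("des-", "des3-", "rc4-", "arcfour-")  # DES, 3DES, RC4: deprecated

def parse_krb5_conf(text):
    """Parse sections, key = value pairs and one level of { } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def check_wna_krb5(text):
    """Return findings to review before relying on the file (hypothetical helper)."""
    conf, findings = parse_krb5_conf(text), []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        findings.append("no default_realm in [libdefaults]")
    elif "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append(f"realm {realm} has no explicit kdc in [realms]")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enc in lib.get(key, "").split():
            if enc.lower().startswith(WEAK_ENCTYPES):
                findings.append(f"{key} allows weak enctype {enc}")
    return findings
```

Calling `check_wna_krb5(open("/etc/krb5.conf").read())` on the OAM host returns an empty list when none of these findings apply.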

20 Oracle SSO v OAM 11gR2

21 Sample Oracle SSO Architecture
(Slide footer: Oracle Confidential – For Internal Use Only)
[Diagram labels: End User; Oracle HTTP Server; MOD_OSSO agent; Deployed Application; OC4J Application Server; Local User Store; Oracle Single Sign-On Server; User Authentication; Authentication; Authentication Decisions; LDAP Authentication; Oracle Internet Directory; User Data; Directory Integration Platform or Oracle Identity Manager; User Synchronization; Enterprise User Store]

22 Oracle Access Manager Key differences v OSSO

| OAM 11gR2 | OSSO |
| --- | --- |
| SSO, policy-based AuthN & AuthZ | SSO and simple AuthN only |
| WebLogic Server-based | OC4J-based |
| 3rd-Party LDAP server support | Dependence on OID |
| Support for OSSO, OAM 10g, OAM 11g and OpenSSO agents via PCL | Support for only OSSO agents (mod_osso) |
| Server-based session management | Sessions via client cookies only |
| Cross-domain SSO is native | Single network domain only |
| Native password policy (R2+) | OIDDAS for password policy |
| Integration with OIM (optional) for User Self-Service | OIDDAS for user self-service |

23 OAM 11gR2- Migration and Coexistence with OSSO

24 Oracle Access Manager 11g OSSO 10g Upgrade
- Facilitated through AS Upgrade Assistant
- Process:
  - Install OAM 11g
  - Run Upgrade Assistant pointing to Oracle AS Single Sign-On
- Two modes:
  - Retain Ports: no changes required on partner sites
  - Change Ports: partner sites need new osso.conf which is generated by the Upgrade Assistant
- See Support Migration Advisor (note 343.1) and upgrade viewlet (note )

25 Co-existence: OAM11g & SSO 10g
- Supports OracleAS SSO 10g Release ( ) through OracleAS SSO 10g Release ( )
- Co-existence requires same back-end user identity store: Oracle Internet Directory (OID)

26 Co-existence: OAM11g & SSO 10g
Without Proxy
- mod_osso redirects requests to the 11g OAM Server for authentication through a proxy.
- mod_wl replaces mod_oc4j.
- mod_wl enables SSO to work without any changes on the OHS

27 Co-existence: SSO between Partner Applications
- App1 upgraded to OAM11g
- User accessing App1
- OAM sets the SSO cookie and updates session information accordingly.
- The cookie includes a flag indicating that an OSSO cookie must also exist for this cookie to be valid.

28 Q & A
