Access and Identity Management for Enterprise Portals Rohit Gupta Director, Identity Management Product Management Oracle Corporation.

Topics
- Introduction: portal identity management issues
- Identity consolidation
- Password and identity administration
- Centralized authorization and authentication
- Automated user identity provisioning
- Federated identity support
- Summary and conclusions

Oracle Fusion Middleware Application Platform Suite: Integrate, Orchestrate, Develop, Analyze, Deploy, Access, Secure, Manage

Oracle Portal
Diagram: Oracle Portal aggregates customers, web applications, packaged apps, any data source and any web site, and delivers them to Internet/intranet users and to wireless and mobile clients. The portal runtime consists of the page assembly engine, the portlet engine, personalization, and user/session management.
- Reduce web sites, simplify searches and navigation
- Single sign-on security framework, enterprise search
- Assemble portals from pre-built "portlets" and Web Services
- Personalize portals by user / role

Identity Management Challenges for Customers Deploying Portals

Problem | Issue for users | Issue for administrators
Lack of centralized user identity management | Too many identities and credentials to manage | Frequent calls to the helpdesk for password resets
Lack of centralized web authorization and authentication service | Multiple log-ins to different applications within the enterprise | Inconsistent application security policies
Manual user provisioning process | Delays in getting needed access to applications | Labor intensive, error prone, and difficult to keep in compliance
Lack of identity federation support | Multiple log-ins to applications hosted outside the enterprise | Managing authorization credentials for outside users

What is Identity Management?
- Securing your IT assets from within
- Management of digital user identities through their complete lifecycle: employee hire -> promotion -> departure
- Securing access to applications and information
  - Authentication: proving you are who you say you are
  - Authorization: what you have access to, when, where
- Scalable and available storage of identity information
  - Profile: roles and attributes about you

Speaker notes: Identity Management is fundamentally about securing access to your organization's information assets from within the enterprise. At its core this is the efficient management of typically thousands of user accounts across hundreds of applications, from the time the accounts are created through their complete lifecycle, including role changes and termination. Identity Management has three fundamental components: authentication, which verifies who you are (a username and password in most cases); authorization, which defines the policies for what data and resources a user has access to; and profile, the attributes about you, such as your name, title, role, contact information and group memberships.

Oracle Identity Management
- Access Control: Single Sign-On, Identity Federation, Web Access Control, Web Services Security
- Identity Administration: User and Role Management, User Provisioning
- Identity Infrastructure: Virtual Directory, Directory

Speaker notes: We are now going to quickly highlight some of the key areas of Identity Management. Our discussion today is based mostly around these topics. On the subsequent slides we highlight the key functionality and benefits offered by each of these functional areas.

Identity Consolidation

Identity Consolidation Overview
- Oracle Portal includes Oracle Internet Directory as a user management repository
- A frequent deployment requirement is integration with enterprise directories, application directories and other user repositories
- Oracle Virtual Directory and the Directory Integration Platform facilitate portal integration with these environments

Oracle Internet Directory
Features
- Full-featured LDAP server with an RDBMS data store
- Industry-leading scalability and HA capabilities
- Strong Oracle platform integration
- VSLDAP certified and EAL4 compliant
Benefits
- Reduced operational cost and improved availability with Oracle Grid support
- Seamless integration with Oracle Applications and products
Details
- Scalability: millions of users; thousands of simultaneous clients
- High availability: multimaster and fan-out replication; hot backup/recovery, RAC, etc.
- Manageability: Grid Control multi-node monitoring
- Security: flexible authentication mechanisms; role- and policy-based access control; auditability
- Extensibility and virtualization: plug-in framework; attribute and namespace virtualization; external authentication; custom password policies
- Certifications: Open Group VSLDAP certified; Common Criteria EAL4 compliant

Directory Integration Platform
Diagram: the Directory Integration Service connects Oracle Internet Directory through connectors to external directories and sources: Sun (iPlanet), Active Directory, OpenLDAP, eDirectory, Oracle HR and Oracle DB.

Oracle Virtual Directory
Features
- Virtual, real-time LDAP application views of directories, databases and other user repositories
- Modern Java and Web Services technology
- Virtualization, proxy, join and routing capabilities
- Superior extensibility
- Scalable multi-site administration
- Direct data access
Benefits
- Rapid application deployment
- Tighter controls on identity data
- Real-time identity information access
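To make the routing and join capabilities concrete, here is an added example (my own illustration, not Oracle Virtual Directory code and not using a real LDAP library) of what a virtual directory does: lookups are routed to a backend by DN suffix, and attributes from a second source are joined into the returned entry on a shared key. The corporate directory, partner directory and HR table are constructed sample data, and the "expose only listed attributes" rule is my assumption about how a join should be scoped, since a join that copies every HR column into the directory view hands salary data to every application that can read the directory.

```python
"""Toy virtual directory: routes LDAP-style lookups to a backend by DN suffix
and joins extra attributes from a second source. Added example with
constructed data; not Oracle Virtual Directory code, no real LDAP library."""


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower case, no whitespace around RDNs.
    Splitting on ',' ignores escaped commas (\\,); acceptable for this toy."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed sample backends (assumption: a corporate directory, a partner
# directory, and an HR table keyed by employeeNumber).
CORP_LDAP = {
    "uid=asmith,ou=people,dc=corp,dc=example": {
        "cn": "Alice Smith", "mail": "asmith@corp.example", "employeeNumber": "1001"},
    "uid=bjones,ou=people,dc=corp,dc=example": {
        "cn": "Bob Jones", "mail": "bjones@corp.example", "employeeNumber": "1002"},
}
PARTNER_LDAP = {
    "uid=cwu,ou=people,dc=partner,dc=example": {
        "cn": "Carol Wu", "mail": "cwu@partner.example"},
}
HR_DB = {
    "1001": {"title": "Engineer", "department": "R&D", "salary": "75000"},
    "1002": {"title": "Analyst", "department": "Finance", "salary": "60000"},
}


class VirtualDirectory:
    def __init__(self):
        self._routes = []  # (normalized suffix, backend); longest suffix wins
        self._joins = []   # (join attribute, side table, attributes exposed)

    def add_route(self, suffix, backend):
        self._routes.append((normalize_dn(suffix), backend))
        self._routes.sort(key=lambda r: len(r[0]), reverse=True)

    def add_join(self, join_attr, table, exposed):
        # Only the listed attributes are merged into the view, so the join
        # cannot leak every HR column (salary here) to directory consumers.
        self._joins.append((join_attr, table, tuple(exposed)))

    def _route(self, dn):
        for suffix, backend in self._routes:
            if dn == suffix or dn.endswith("," + suffix):
                return backend
        return None

    def _joined(self, entry):
        out = dict(entry)
        for join_attr, table, exposed in self._joins:
            row = table.get(entry.get(join_attr))
            if row:
                out.update({k: row[k] for k in exposed if k in row})
        return out

    def lookup(self, dn):
        """Return the joined entry for dn, or None if unroutable or absent."""
        dn = normalize_dn(dn)
        backend = self._route(dn)
        if backend is None:
            return None
        for raw_dn, attrs in backend.items():
            if normalize_dn(raw_dn) == dn:
                return self._joined(attrs)
        return None

    def search(self, base, attr, value):
        """Equality search under base, fanned out to every backend under it."""
        base = normalize_dn(base)
        hits = []
        for suffix, backend in self._routes:
            related = (suffix == base or suffix.endswith("," + base)
                       or base.endswith("," + suffix))
            if not related:
                continue
            for raw_dn, attrs in backend.items():
                dn = normalize_dn(raw_dn)
                if (dn == base or dn.endswith("," + base)) and attrs.get(attr) == value:
                    hits.append((dn, self._joined(attrs)))
        return hits


def build_demo_directory():
    vd = VirtualDirectory()
    vd.add_route("dc=corp,dc=example", CORP_LDAP)
    vd.add_route("dc=partner,dc=example", PARTNER_LDAP)
    vd.add_join("employeeNumber", HR_DB, exposed=("title", "department"))
    return vd
```

A lookup for a corporate user returns the directory attributes plus the joined title and department, while a partner user (no employeeNumber) comes back unjoined; a search under dc=example fans out to both backends, and a search scoped to the partner suffix never touches corporate data.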

Directory Deployment Options
Diagram: two options for the portal/access management system. In the first, it uses Oracle Internet Directory with DIP, which becomes the single point of administration and synchronizes with the other directories and repositories. In the second, it uses Oracle Virtual Directory, which presents the other directories and repositories in place, leaving their existing points of administration where they are.

Benefits for Portal Deployments
- Extremely scalable, highly available LDAP directory option for any portal deployment
- Ready integration with enterprise user repositories; rapid deployment in any environment
- Flexibility in how and where user information is administered

Password and Identity Administration

Password and Identity Administration - Overview
- Basic user administration is provided in the Portal environment
- Oracle COREid Identity provides richer enterprise user administration functionality, including self-service, delegated administration and customized approval workflows
- COREid Identity functionality integrates into Oracle Portal applications, providing a unified look and feel

Oracle COREid Identity
Features
- Web application for user, group and organization management
- Self-service and self-registration functionality
- Password management
- Delegated administration
- Unified workflow
Benefits
- Reduced operational costs through user self-service
- Efficient management of large user populations

Integrated User Administration
PresentationXML and Portal Inserts allow Portal customers to customize the look and feel of Oracle COREid and seamlessly integrate its functionality into portal applications.
Diagram: User -> Web Server (WebPass) -> Oracle COREid Identity Server -> LDAP Directories.

Speaker notes: Finally, to provide a high-quality, customized user experience, these administrative tools need to integrate into the look and feel of the portal environment. Using mechanisms called PresentationXML and Portal Inserts, Oracle COREid integrates easily and seamlessly into the portal.

Self-Service and Delegated Administration
- End users (self-service): change identity profile; password changes; initiate workflow changes
- Delegated administrators (delegated administration): create and delete users at their site; ongoing management of users at their site; approve workflow changes
Diagram: three sites (Site 1 with end users only; Sites 2 and 3 with delegated administrators and end users) reach WebPass / Web Server, Oracle COREid Access or another access manager, and Oracle Internet Directory or another LDAP-based directory server. Role-change flow:
Step 1: End user requests a change to a role
Step 2: Delegated administrator approves the change
Step 3: Extranet team approves the change
Step 4: User role is automatically updated in the directory

Speaker notes: An important aspect of customization is managing and administering the user's identity, organizational roles, application preferences and credentials such as passwords and PINs. We saw how this is accomplished using Oracle COREid.
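The four-step flow above is worth seeing as code, because the security value of delegated administration lies in the checks that are easy to leave out: a delegated administrator must only be able to approve requests for users at their own site, nobody may approve their own request, and the extranet approval cannot be skipped or performed out of order. The following is an added example of my own, not Oracle COREid code; the sites, user names, the "extranet team" marker and the rule that a self-service request may only target the requester's own account are all constructed assumptions for the illustration.

```python
"""Toy two-stage approval workflow for a role change with site-scoped
delegated administration. Added example with constructed data; not Oracle
COREid code."""
from dataclasses import dataclass, field

EXTRANET_TEAM = "*"  # assumption: admins mapped to "*" form the extranet team


class WorkflowError(Exception):
    pass


@dataclass
class Directory:
    users: dict   # uid -> {"site": str, "roles": set}
    admins: dict  # uid -> site administered, or EXTRANET_TEAM


@dataclass
class RoleRequest:
    requester: str
    target_uid: str
    role: str
    state: str = "pending-delegated-admin"
    approvals: list = field(default_factory=list)


class Workflow:
    def __init__(self, directory: Directory):
        self.d = directory
        self.audit = []  # (actor, action, request) records, append-only

    def request_role(self, requester, target_uid, role):
        """Step 1: self-service request. Assumption: users request for themselves."""
        if target_uid not in self.d.users:
            raise WorkflowError("unknown user")
        if requester != target_uid:
            raise WorkflowError("self-service requests may only target your own account")
        req = RoleRequest(requester, target_uid, role)
        self.audit.append((requester, "request", req))
        return req

    def approve(self, approver, req: RoleRequest):
        """Steps 2-4: site admin approves, then extranet team; then the
        directory is updated. Returns the new request state."""
        if approver == req.requester or approver in req.approvals:
            raise WorkflowError("separation of duties: cannot approve own or twice")
        scope = self.d.admins.get(approver)
        if req.state == "pending-delegated-admin":
            # Step 2: only the delegated admin of the target's own site.
            if scope != self.d.users[req.target_uid]["site"]:
                raise WorkflowError("approver is not the delegated admin for this site")
            req.state = "pending-extranet-team"
        elif req.state == "pending-extranet-team":
            # Step 3: only the extranet team, and only after step 2.
            if scope != EXTRANET_TEAM:
                raise WorkflowError("extranet team approval required")
            req.state = "applied"
            # Step 4: the role is written to the directory by the workflow,
            # never by an approver directly.
            self.d.users[req.target_uid]["roles"].add(req.role)
        else:
            raise WorkflowError("request already applied")
        req.approvals.append(approver)
        self.audit.append((approver, "approve", req))
        return req.state


def attempt(fn, *args):
    """Run a workflow call; None means it was refused with WorkflowError."""
    try:
        return fn(*args)
    except WorkflowError:
        return None


def build_demo_directory():
    users = {
        "asmith": {"site": "site2", "roles": set()},
        "bjones": {"site": "site3", "roles": {"portal-reader"}},
    }
    admins = {"dadmin2": "site2", "dadmin3": "site3", "extranet1": EXTRANET_TEAM}
    return Directory(users, admins)
```

Run through the scenario: asmith (site 2) requests a role; dadmin3 (site 3) is refused, asmith cannot approve herself, the extranet team cannot pre-empt the site approval, dadmin2 moves the request on, and only the extranet approval triggers the directory write.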

Benefits for Portal Deployments
Oracle Identity Management reduces administrative burden and cost:
- Administer Portal and enterprise users with a single application
- Support multiple levels of delegated administration of Portal user communities
- Self-service ROI by allowing users to perform password resets, request roles and manage identity information
- Automate approval workflows for user access requests

Centralized Authorization and Authentication

Centralized Authorization and Authentication - Overview
- Oracle Single Sign-On addresses authentication for the Oracle application environment
- COREid Access provides authentication and access management for a wide variety of third-party application environments
- The two components work together to provide a seamless application experience for users, and a single point of access control for administrators

Oracle COREid Access
Features
- Scalable web access management solution
- Common policy management across applications
- Multi-level, multi-factor authentication management
- Web Services interfaces
Benefits
- Centralized and consistent security across heterogeneous environments
- Reduced administration cost
- Improved end user experience
- Better compliance
- Centralized control of security policies and authentication

Speaker notes: Dual-purpose role: a stand-alone product, and the common services platform for Oracle eBusiness Suite, PeopleSoft, JDE, Retek, iFlex, Application Server, Portal, OCS and others. Provisioning Console: front-end UI, target registration, workflow. SOA-enabled identity management: BPEL integration, "entity" management. Reference deployments: Verizon (telco) manages 50M entries with the highest possible availability and geographical distribution; AT&T (telco) runs a scalable customer directory of 25M entries for various applications; Shanda (China online gaming company) started with 50M users and scales to 200M, on a highly available directory based on combined directory replication and an OracleAS cluster with a RAC database.

Single Sign-On to Heterogeneous Applications
Diagram: OracleAS SSO, backed by Oracle Internet Directory, provides single sign-on to Oracle Applications. Oracle COREid Access, through the Access Server SDK and a Virtual Directory Server over Sun Directory Services and Microsoft ADS, provides single sign-on to other enterprise applications, app servers, packaged eBusiness apps, portals, static HTML content and mainframe systems.

Speaker notes: As we have seen, deploying a portal involves aggregating a number of enterprise applications into a single interface. Controlling access and authorizations to these applications is essential to the organization's security policy and to the user experience. Here we show some of the Oracle technology involved in making this happen.

Benefits for Portal Customers
- Users have single sign-on to all applications accessed through their portal
- Administrators have a single point of control for authentication and authorization
- Oracle access management is pre-integrated with Portal and other Oracle applications, and offers out-of-the-box integration with other enterprise applications, portals and application servers

Automated User Identity Provisioning

Automated User Identity Provisioning - Overview
- Provisioning users to an enterprise portal typically also involves provisioning them for a number of applications: Oracle, 3rd-party and custom developed, running on a variety of platforms
- Internal processes for granting and terminating application access can be quite complex
- Handling these in a secure, efficient and compliant way requires automation
- Oracle Xellerate Identity Provisioning integrates with the portal and the backend applications to provide these capabilities

Xellerate Identity Provisioning
Features
- Identity life-cycle management for the heterogeneous enterprise
- Complete workflow for approvals
- Connectors for OSes, DBs, directories, groupware, apps, etc.
- Direct connectivity to HR
- Compliance reporting and account reconciliation
Benefits
- Reduced administration cost
- Critical for regulatory compliance
- Improved security through centralized administration

Speaker notes (provisioning architecture):
- Provisioning application: COREid Identity Administration Server; provisioning server, which interfaces with the BPEL engine; provisioning tools, APIs and Web Services
- Provisioning metadata: provisioning process and sub-process templates; policy data
- Process Designer: graphical tool to model a business process; customers use this tool to create their provisioning process from the shipped templates
- BPEL orchestration engine: executes the various BPEL processes for user provisioning
- Identity and account repository: stores identity and account information for users and groups; broad directory support
- Provisioning connectors: for Oracle Ebiz Suite, PeopleSoft, JDE, SAP, Lotus Notes, RACF and others; pre-packaged with sub-process templates for each
- Administer users and groups using COREid Identity Administration: rich delegated administration capability; end-user self-service; workflow for creation of users and groups, requests and approvals
- Provision user accounts in Oracle and custom apps using Oracle's provisioning server: configure provisioning targets through command-line tools; built-in event notification engine; built-in attribute mapping engine; continued support for MIIS, where needed, for 3rd-party application provisioning
- Leverage industry standards (BPEL, SPML) for provisioning workflow and policy management, and for JCA-based provisioning connectors
- Graphical rule-based provisioning policy and workflow management; automatic account discovery and reconciliation; graphical attribute mapping; graphical configuration of connectors
- New provisioning connectors for PeopleSoft, JDE, SAP, Siebel, IBM Domino/Notes, Exchange, IBM RACF, AS/400 and other 3rd-party packaged applications and systems
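"Account reconciliation" is the control that turns a provisioning system into a compliance tool: the application account lists are compared against the authoritative HR feed and the role policy, and every difference becomes an action. The following is an added example of my own (not Xellerate code) that performs that comparison over constructed data. The HR feed, the role-to-entitlement policy, the application account exports and the four action types (orphan, disable, revoke, grant, provision) are all assumptions made for the illustration.

```python
"""Toy account reconciliation: compare application accounts against the HR
source of truth and a role-based entitlement policy, and emit corrective
actions. Added example with constructed data; not Xellerate code."""

# Constructed HR feed: employeeNumber -> status and business role.
HR = {
    "1001": {"status": "active", "role": "engineer"},
    "1002": {"status": "terminated", "role": "analyst"},
    "1003": {"status": "active", "role": "analyst"},
}

# Constructed policy: role -> application -> entitlements the role may hold.
ROLE_POLICY = {
    "engineer": {"portal": {"user"}, "source-control": {"developer"}},
    "analyst": {"portal": {"user"}, "finance-app": {"reader"}},
}

# Constructed exports from each application's own account store.
APP_ACCOUNTS = {
    "portal": [
        {"account": "asmith", "owner": "1001", "entitlements": {"user"}},
        {"account": "bjones", "owner": "1002", "entitlements": {"user"}},
        {"account": "svc_old", "owner": None, "entitlements": {"admin"}},
    ],
    "source-control": [
        {"account": "asmith", "owner": "1001", "entitlements": {"developer", "admin"}},
    ],
    "finance-app": [
        {"account": "cwu", "owner": "1003", "entitlements": set()},
    ],
}


def reconcile(hr, role_policy, app_accounts):
    """Return sorted action lists keyed by action type.

    orphan    - account with no owner in HR (nobody is accountable for it)
    disable   - owner terminated, or role has no business need for the app
    revoke    - (app, account, entitlement) beyond what the role allows
    grant     - (app, account, entitlement) the role allows but is missing
    provision - (app, employeeNumber, entitlement) for an active person
                with no account in an app their role requires
    """
    actions = {k: [] for k in ("orphan", "disable", "revoke", "grant", "provision")}

    # Pass 1: walk what exists in the applications and check it against HR.
    for app, accounts in app_accounts.items():
        for acct in accounts:
            person = hr.get(acct["owner"])
            if person is None:
                actions["orphan"].append((app, acct["account"]))
                continue
            if person["status"] != "active":
                actions["disable"].append((app, acct["account"]))
                continue
            allowed = role_policy.get(person["role"], {}).get(app, set())
            if not allowed:
                actions["disable"].append((app, acct["account"]))
                continue
            for ent in acct["entitlements"] - allowed:
                actions["revoke"].append((app, acct["account"], ent))
            for ent in allowed - acct["entitlements"]:
                actions["grant"].append((app, acct["account"], ent))

    # Pass 2: walk what HR says should exist and find missing accounts.
    for emp_id, person in hr.items():
        if person["status"] != "active":
            continue
        for app, ents in role_policy.get(person["role"], {}).items():
            owned = [a for a in app_accounts.get(app, []) if a["owner"] == emp_id]
            if not owned:
                for ent in ents:
                    actions["provision"].append((app, emp_id, ent))

    return {k: sorted(v) for k, v in actions.items()}
```

On the sample data the run flags svc_old in the portal as an orphan, disables bjones (terminated in HR but still holding a portal account), revokes the admin entitlement asmith holds in source control beyond the engineer role, grants cwu the reader entitlement her analyst role requires, and schedules a portal account for employee 1003 who has none. The two-pass structure matters: pass 1 alone never notices missing accounts, and pass 2 alone never notices excess ones.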

Benefits for Portal Deployments
- Efficient enterprise portal user management: rapid on-boarding of new users
- Improved application security: no "old" user accounts in the system
- Improved ability to address compliance requirements: no rogue or orphan accounts

Federated Identity Support

Federated Identity Support - Overview
- Portals often need to serve users across administrative domains: inter-agency, partners, customers, etc.
- Emerging web services standards are addressing these requirements: SAML, Liberty
- Oracle COREid Federation gives portal applications the ability to participate as federated identity and service providers

COREid Federation
Features
- Seamless SSO and identity sharing
- Multi-protocol gateway: SAML, Liberty, WS-Federation
- Service Provider or Identity Provider
- Flexible deployment configurations: standalone for use with a pre-existing web-access management solution
- Protocol SDK for custom applications
Benefits
- Secure integration with partners
- Reduced administration cost
- Improved end user experience

Speaker notes: Part of Oracle Identity Management, a component of Oracle Fusion Middleware, and the umbrella for the federation technology solution: a standalone federation server, Java-based SDKs, Liberty Alliance certified interoperability.

Oracle Secure Federation Server (OSFS):
- Self-contained package deployable on any platform
- 3rd-party LDAP and authentication system support
- Load balancing and high availability
- Federation server with support for third-party AAA infrastructures (Netegrity, Oblix, etc.)
- Management, logging and auditing console specific to federation features and functions, i.e. the customer does not need to interact with the underlying Oracle stack
- Supports J2EE standard management interfaces (JMX), so it can be managed and monitored via management consoles and tools based on these open standards
- Highly scalable
- Support for Liberty ID-FF 1.1 and 1.2, and SAML 2.0 (available after the specification ratifies)
- No dependency on or requirement for a third-party application server; the federation server can access resources and applications residing on third-party application servers
- Platform support for Linux, Windows, Solaris, HP, AIX, HP Tru64
- Installs via Oracle Universal Installer
- Capable of acting in the role of an Identity Provider or a Service Provider
- Capable of being pre-loaded on a standalone box, i.e. an organization acting as a service provider can easily add partner IdPs by dropping in additional servers

Stand-alone, drop-in federation server product: can be both an IdP or an SP; federation management admin console; configurable for integration with third-party LDAP and AAA infrastructures.
Self-contained bundle: all the necessary components to run are bundled; runs on any platform; full federation protocol support.
Web-based management and monitoring: web-based administration console; configuration of federations and user data in the context of the supported protocols; auditing and monitoring features.
Oracle Fusion Middleware: OSFS can leverage platform-level features of Oracle Fusion Middleware: centralized management, high availability, Web Services and Service Oriented Architecture (SOA).
Oracle Identity Management: certified with Oracle Internet Directory, Oracle Single Sign-On and Oracle COREid Access and Identity for authorization, authentication and provisioning functionality.
Oracle products that leverage Oracle Identity Management: Oracle Database (OSFS to be certified against Oracle 10g), Oracle Applications, Oracle Collaboration Suite, Oracle E-Business Suite.

Example Federated Identity Single Sign-On Scenario
Diagram: the employee signs on once to the Employee Portal (identifier: Principal ABC, password: XXXX). Federated SSO then carries that identity to the 401k Benefits Site and to the Employee Medical Benefits Site, with no further sign-on at either site.
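What makes the scenario above safe is the list of checks the service provider performs on the assertion before it trusts the identity the portal sends: the signature must verify under a key belonging to a configured partner, the audience must be this service provider and not the other benefits site, the validity window must hold, the assertion must answer a request this site actually made, and it must not have been presented before. The following is an added example of my own, not Oracle COREid Federation code and not real SAML: it uses a simplified JSON token signed with an HMAC shared secret in place of SAML's XML signature so it runs offline with the standard library only. The issuer URLs, entity IDs, key, claim names and "Principal ABC" subject are constructed assumptions.

```python
"""Simplified federated SSO: an identity provider issues a signed assertion,
a service provider validates it before creating a local session. Added
example with constructed data; not Oracle COREid Federation code and not
real SAML (HMAC over JSON stands in for the XML signature)."""
import base64
import hashlib
import hmac
import json
import secrets


class FederationError(Exception):
    pass


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The employee portal side: authenticates the user, issues assertions."""

    def __init__(self, issuer, key: bytes):
        self.issuer, self.key = issuer, key

    def issue(self, subject, audience, in_response_to, now, lifetime=300):
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + lifetime, "irt": in_response_to,
                  "id": secrets.token_hex(8)}
        payload = _b64u(json.dumps(claims, sort_keys=True).encode())
        sig = _b64u(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return payload + "." + sig


class ServiceProvider:
    """The partner site: never sees a password, only validated assertions."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        self.trusted = trusted_idps  # issuer -> key, i.e. federation metadata
        self.pending = set()         # request IDs we issued and await
        self.seen = set()            # assertion IDs already consumed

    def start_login(self):
        rid = secrets.token_hex(8)
        self.pending.add(rid)
        return rid

    def consume(self, token, now):
        """Return the federated subject, or raise FederationError."""
        try:
            payload, sig = token.split(".")
            claims = json.loads(_b64u_decode(payload))
            if not isinstance(claims, dict):
                raise ValueError
        except ValueError:
            raise FederationError("malformed assertion")
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            raise FederationError("issuer is not a federation partner")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(sig)):
            raise FederationError("bad signature")
        # Only now are the claims trustworthy; check every one we depend on.
        try:
            if claims["aud"] != self.entity_id:
                raise FederationError("assertion issued for another audience")
            if not (claims["iat"] <= now < claims["exp"]):
                raise FederationError("assertion outside validity window")
            if claims["irt"] not in self.pending:
                raise FederationError("unsolicited assertion")
            if claims["id"] in self.seen:
                raise FederationError("assertion replayed")
            self.pending.discard(claims["irt"])
            self.seen.add(claims["id"])
            return claims["sub"]
        except (KeyError, TypeError):
            raise FederationError("missing or malformed claim")


def consume_or_none(sp, token, now):
    """Helper for callers that only need accept/reject."""
    try:
        return sp.consume(token, now)
    except FederationError:
        return None


# Constructed shared secret for the portal/401k federation.
PORTAL_KEY = b"portal-idp-shared-secret-example"
```

Checking the issuer against the trusted list before verifying the signature matters only for choosing the key; nothing else in the claims may be acted on until the signature holds, which is why the audience, time and replay checks sit after it. Without the audience check, an assertion issued for the medical benefits site would log the same employee into the 401k site; without the request ID and replay set, a captured assertion would work forever within its lifetime.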

Benefits for Portal Deployments
- Portal users can transparently access applications of federation partners (such as travel agencies, employee benefits providers, etc.)
- Applications secured by Oracle Identity Management can be made accessible to partners through federation: no need to manage these users locally, and no re-engineering of applications required

Summary and Conclusions
Enterprise portal deployments raise a number of management and security issues. Oracle Identity Management enables Portal customers to:
- Support single sign-on of portal users to enterprise applications
- Provide rich user administration and self-service seamlessly integrated into the portal environment
- Manage enterprise portal and application users centrally
- Automatically provision and de-provision enterprise portal users
- Allow their portal users to access federated applications
- Make their portals available for partner access

Q & A

For more information, please point your browser to http://www.oracle.com/identity