Overview: Transferring Oracle Identity

Part of the document Student Guide - Oracle Identity Manager 11g Essentials Volume II (Pages 294 - 382)

Practice 13 Overview: Transferring Oracle Identity Manager Configurations

In this practice, you use the Deployment Manager to export several configuration objects to an XML file. The configuration objects include policies, organizations, roles, and their dependencies. You next import configuration objects from an XML file provided for you. The XML file contains an organization hierarchy and roles for the ACME company. Finally, you configure and execute the MDS utilities to export and import the Oracle Identity Manager configuration to and from the MDS repository.


In this practice, you learn how to:

• Use the Deployment Manager to export several configuration objects to a single XML file

• Import an organizational hierarchy from an XML file

• Set up the MDS utility to export and reimport the Oracle Identity Manager configuration

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

Transferring Oracle Identity Manager Configurations

Chapter 13 - Page 43

Road Map


This section provides you with a high-level overview of what you are to learn in the next lesson of this course.


• Lesson Objectives

• Deployment Manager Overview

– Methods of Transferring Configurations

– Advantages of Transferring Configurations

– Best Practices

• Exporting Oracle Identity Manager Configurations

• Importing Oracle Identity Manager Configurations

• Lesson Summary

• Lesson Practice

• What’s Next?

What’s Next?


This slide concludes the Oracle Identity Manager 11g: Essentials course. If you have any questions about this course, feel free to contact Robert La Vallie (robert.lavallie@oracle.com) or Terri Cantor (terri.cantor@oracle.com).

If you would like to receive additional training in Oracle Identity Manager 11g, why not sign up for the five-day Oracle Identity Manager 11g: Develop Identity Provisioning Instructor-led Training (ILT) class? In this course, you learn the essential tasks for developers who are to use Oracle Identity Manager. This includes:

• Creating and managing configurations for direct or automated provisioning, approval workflows, request workflows, and configurations for advanced provisioning functionalities

• Creating and managing advanced reconciliation workflows

• Using the Generic Technology Connector (GTC) framework

• Using advanced techniques to customize the Oracle Identity Manager User Interface

• Customizing Oracle Identity Manager by using Java APIs and by developing and deploying plug-ins


Course Website: Oracle Identity Manager 11g: Develop Identity Provisioning ILT

http://education.oracle.com/pls/web_prod-plq-dad/show_desc.redirect?dc=D65156GC10


Chapter 14

Oracle Identity Management Products: Overview


Road Map


This slide contains the road map for this appendix. The road map is a listing of sections in this appendix. These sections contain information about understanding the functional aspects, infrastructures, features, and benefits of the suite of Oracle Identity Management products.


• Appendix Objectives

• Oracle Identity Management Products

• Appendix Summary

Appendix Objectives


This slide lists the objectives of this appendix. These objectives include functional aspects, infrastructures, features, and benefits of the suite of Oracle Identity Management products that an administrator or developer must know.


After completing this appendix, you should be able to describe the functional aspects, infrastructures, features, and benefits of the suite of Oracle Identity Management products.


Road Map

In this section, you become familiar with the suite of Oracle Identity Management products. Specifically, you learn about functional aspects, infrastructures, features, and benefits of this product suite.


• Appendix Objectives

• Oracle Identity Management Products

• Appendix Summary

Oracle Identity Management Products

Oracle Identity Management products include:

Oracle Virtual Directory: Oracle Virtual Directory presents a single logical directory that exposes real-time data from multiple heterogeneous data sources without directory synchronization. That is, it provides real-time identity aggregation and transformation without data copying or data synchronization. Oracle Virtual Directory hides the complexity of underlying data infrastructures by providing industry-standard LDAP and XML views of existing enterprise identity information, without moving data from its native location.

Oracle Internet Directory: Oracle Internet Directory is an LDAP v3 directory service that leverages the scalability, high availability, and security features of Oracle Database. It serves as the central user repository for Oracle Access Manager and other Oracle applications. Oracle Internet Directory provides Oracle Fusion Middleware components, Oracle Fusion applications, and in-house enterprise applications with an LDAP-based mechanism for storing and accessing identity data such as user credentials (for authentication), access privileges (for authorization), and profile information.

Note: Oracle Internet Directory includes the Oracle Directory Integration Platform (DIP), which enables directory synchronization between Oracle Internet Directory and other directories.


Oracle Identity Analytics: Oracle Identity Analytics (formerly Sun Role Manager) is now the strategic product going forward for Role Administration and Role Governance. It provides enterprises with the ability to engineer and manage roles and automate critical identity-based controls. After roles are defined, certified, and assigned, the software continues to deliver value throughout the user access life cycle.

Oracle Identity Manager: Oracle Identity Manager is a highly flexible and scalable enterprise identity management system that controls user accounts and access privileges in enterprise IT resources centrally. It provides the functionalities of provisioning, identity and role administration, approval and request management, policy-based entitlement management, technology integration, and audit and compliance automation.

Oracle Identity Manager typically answers the question “Who has access to What, When, How, and Why?” Oracle Identity Manager is designed to administer both intranet and extranet user access privileges across a company's resources throughout the entire identity management life cycle, from initial onboarding to final deprovisioning of an identity. In extranet environments, Oracle Identity Manager’s superior scalability enables enterprises to support millions of customers accessing the company’s resources by using traditional clients (for example, browsers) or smart phones.

Oracle Web Services Manager: Oracle Web Services Manager is to Web services what Oracle Access Manager is to Web applications. Oracle Web Services Manager is a J2EE application designed to define and implement Web services security in heterogeneous environments, provide tools to manage Web services based on service-level agreements, and enable the user to monitor run-time activity in graphical charts.

Oracle Web Services Manager is designed to protect access to multiple types of resources including standards-compliant Web services (Java EE, Microsoft .NET, PL/SQL, and so on); service-oriented architecture (SOA) composites including Business Process Execution Language (BPEL) and enterprise service bus (ESB) processes; and Oracle WebCenter’s remote portlets.

Oracle Web Services Manager provides component-level security (securing BPEL, Mediator) in an SOA composite application and is interoperable with most other security frameworks, such as WLS security, OSB security, OC4J security, and the Microsoft WCF/.NET 3.5 security environment.

Oracle Enterprise Single Sign-On: Oracle Enterprise Single Sign-On is a Microsoft Windows desktop-based suite of products providing Web-based and non-Web-based SSO functionality at the user desktop level. It is a thick client-based solution for SSO, resetting passwords, and unified authentication to both thick- and thin-client applications with no modification required to existing applications. Using Oracle Enterprise Single Sign-On, enterprise users benefit from single sign-on to all of their applications, whether users are connected to the corporate network, traveling away from the office, roaming between computers, or working at a shared workstation.

Oracle Authentication Services for Operating Systems (OS): Oracle Authentication Services for OS provides Linux and Unix environments with a centralized, secure, and seamless user authentication infrastructure. Access to operating systems can be centrally managed, enforced, and audited, providing a true end-to-end security service.

Oracle Identity Federation: Oracle Identity Federation is a self-contained and flexible multiprotocol federation server that is deployable with existing identity management systems. It enables browser-based, cross-domain SSO by using industry standards (Security Assertion Markup Language [SAML], Liberty ID-FF, WS-Federation, and so on). Version 11g of Oracle Identity Federation introduces support for Microsoft Windows CardSpace (for example, an Oracle Identity Federation identity provider can challenge a user for login through the CardSpace protocol and then return a SAML assertion based on the CardSpace authentication and claims).

The two common federation models are browser-based and document-based. Oracle Identity Federation is used primarily for browser-based federation, whereas Oracle Web Services Manager is used primarily for document-based federation.

Oracle Entitlements Server: Oracle Entitlements Server is a fine-grained authorization engine that externalizes, unifies, and simplifies the management of complex entitlement policies. Oracle Entitlements Server secures access to application resources and software components (such as URLs, Enterprise JavaBeans, and JavaServer Pages) as well as arbitrary business objects (such as customer accounts or patient records in a database).

Oracle Entitlements Server provides a centralized administration point for managing complex, standards-based entitlement policies across enterprise applications. This results in a more-secure enterprise environment, improved ease of administration, consistent policy enforcement, and improved compliance.

Oracle Adaptive Access Manager: Oracle Adaptive Access Manager is a Web-based solution that provides resource protection by enabling an enterprise to perform fraud detection; software-based, multifactor authentication; and unique authentication strengthening in real time through the Web and SMS devices such as cell phones.

Oracle Adaptive Access Manager supports complex, heterogeneous enterprise environments.

Oracle Adaptive Access Manager consists of two primary components that together create one of the most powerful and flexible weapons in the war against fraud. Adaptive Strong Authenticator provides multifactor authentication and protection mechanisms for sensitive information such as passwords, tokens, account numbers, and other credentials. Adaptive Risk Manager provides online risk analysis in real time, and proactive actions to prevent fraud at critical log-in and transaction checkpoints.

Oracle Access Manager: Oracle Access Manager provides centralized, policy-driven services for authentication and SSO. Oracle Access Manager integrates with various authentication mechanisms, third-party Web servers and application servers, and standards-based federated SSO solutions to ensure maximum flexibility and a well-integrated, comprehensive web access control solution. Oracle Access Manager complements its own coarse-grained authorization capabilities by integrating with Oracle Entitlements Server to provide fine-grained authorization to applications, portals, databases, and Web services.


Oracle Identity Management Products: Functional Aspects


Functional aspects of the suite of Oracle Identity Management products include:

Identity administration: Enables management of user and organizational identities and their associated attributes

Access management: Facilitates authentication of resource-related accounts for users and organizations, and authorizes users and organizations to access their accounts

Directory services: Provides efficient storage, lookup, synchronization, replication, and virtualization of identity management data across heterogeneous identity repositories

Audit and compliance: Minimizes risk and reduces cost for an enterprise to meet internal and external governance and security audits

Suite management: Delivers comprehensive service-level monitoring, configuration, performance tracking, automation, and logging capabilities for the suite of Oracle Identity Management products. These products include Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authentication Services for OS, Oracle Enterprise Single Sign-On, Oracle Entitlements Server, Oracle Identity Analytics, Oracle Identity Federation, Oracle Identity Manager, Oracle Internet Directory, Oracle Virtual Directory, and Oracle Web Services Manager.

[Slide: Oracle Identity Management Products: Functional Aspects. Diagram of the five functional aspects: Identity administration, Access management, Directory services, Audit and compliance, and Suite management.]

Oracle Identity Management Products: Functionalities


Oracle Identity Management products have rich features and can be used individually to implement multiple functionalities. However, each product is better suited to provide particular types of functionality. The table in the slide shows products targeted for each functional area.

Note: Oracle Identity Management products include Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Authentication Services for OS, Oracle Enterprise Single Sign-On, Oracle Entitlements Server, Oracle Identity Analytics, Oracle Identity Federation, Oracle Identity Manager, Oracle Internet Directory, Oracle Virtual Directory, and Oracle Web Services Manager.

Slide table: Oracle Identity Management Products: Functionalities (products targeted for each functional area)

Access Management: Access Manager, Adaptive Access Manager, Authentication Service for OS, Enterprise Single Sign-On, Entitlements Server, Identity Federation, Web Services Manager

Identity Administration: Identity Manager, Identity Analytics

Directory Services: Virtual Directory, Internet Directory

Audit and Compliance: Identity Management Suite

Suite Management: Enterprise Manager IdM Pack


Oracle Identity Management Products: Solutions


The five functional areas of identity management are Identity Administration, Access Management, Directory Services, Audit and Compliance, and Suite Management. Each functional aspect addresses solutions to problems companies face with managing their user, group, and organizational identities. These solutions include:

Identity Administration

Identity life cycle: Managing the complete security life cycle of resources for its internal and external users and organizations

Role management and mining: Retrieving and assigning roles to resource-related accounts for users and organizations. This occurs by importing existing data about users, resources, and entitlements to discover candidate roles and membership policies.

Organization management: Managing users, groups, and resources for a company’s organizational units

Provisioning: A process by which an action to create, modify, or delete user information in a resource is initiated from an Oracle Identity Management product (for example, Oracle Identity Manager) and passed into the resource. In terms of data flow, provisioning provides outward flow of user information. The provisioning system communicates with the resource and specifies changes to be made to the account.

[Slide: Oracle Identity Management Products: Solutions. Diagram listing the solutions under each functional area: Identity Administration (Identity life cycle, Role management and mining, Organization management, Provisioning, Reconciliation, Password management); Access Management (Strong authentication, Risk-based authorization, Single sign-on, Federation, Fine-grained entitlements, Web Services Security, OS security); Directory Services (Storage, Virtualization, Synchronization); Audit and Compliance (Audit, Reporting, Analytics, Fraud detection, Attestation, Segregation of duties); Suite Management (Service-level, Performance, Configuration, Monitoring).]

Reconciliation: A process by which an action to create, modify, or delete user information for a resource in an Oracle Identity Management product (for example, Oracle Identity Manager) is initiated from another resource. The provisioning system communicates with this resource to receive user information. In terms of data flow, reconciliation provides inward flow of user information into the provisioning system, through which it learns about any activity on the resource.

Password management: A process by which an Oracle Identity Management product (for example, Oracle Identity Manager) can manage passwords associated with resource-related accounts for users, groups, and organizations.

Access Management

Strong authentication: Protecting a company’s sensitive credentials and data from phishing, pharming, Trojans, and proxy-based fraud

Risk-based authorization: Providing a company with an antifraud software solution that works behind the scenes to provide security by verifying a host of factors to confirm a user’s identity. This includes a user’s computer or mobile device, location, and online behavioral profiles.

Single Sign-On (SSO): Enabling a user to log in once and gain access to a company’s multiple resources without being prompted to log in again. Advantages of SSO include reducing password fatigue from different username and password combinations, reducing time spent reentering passwords for the same identity, having a centralized report for compliance adherence, reducing IT costs because of fewer help desk calls about passwords, and increased security on all levels of entry, exit, and access to systems without the inconvenience of re-prompting users.

Federation: Extending identity management beyond a company’s boundaries to permit authenticated access to resources by entities of independently managed external domains

Fine-grained entitlements: Customizing access rights users, groups, and organizations have with a company’s resource-related accounts on a granular level

Web Services Security: Controlling access to and between a company’s Web services, based on security policies

OS security: Controlling access to and between a company’s operating systems (OS), based on security policies

Directory Services

Storage: Placing information associated with resource-related accounts for users, groups, and organizations into a directory. A directory is a special-purpose, distributable database that stores concise information, which can be searched easily. The data stored in a directory is mostly read or searched and is seldom modified. This data is stored in the directory in the form of entries.

Virtualization: Providing a single directory “view” of one or more data sources. These data sources can be other directories or relational databases. Unlike traditional directories, a virtual directory does not store the information from these data sources within its own data repository. Instead, it handles data requests by translating and routing them to the appropriate data.

Synchronization: Maintaining consistent data among connected directories in a company’s enterprise infrastructure


Audit and Compliance

Audit: Evaluating a person, organization, system, process, project, or product. Audits are performed to ascertain the validity and reliability of information, and also provide an assessment of a system’s internal control.

Reporting: Generating a formal document, which is created as a result of an audit. The report is subsequently provided to a “user” (such as an individual, a group of persons, a company, a government, or even the general public, among others) as an assurance service so that the user can make decisions based on the results of the audit.

Analytics: Using statistical analysis to discover and understand historical patterns with the goal of predicting and improving business performance in the future

Fraud detection: Uncovering deceptive activities occurring with resources for a company’s users, groups, and organizations

Attestation: The mechanism by which users designated as reviewers are notified of reports to review. These reports describe provisioned resources for users. Through attestation, a company authorizes established internal controls, processes, and policies for user-related and transaction-related data. In addition, attestation provides an audit trail of people who sign off on data or processes in an IT environment.

Segregation of Duties (SOD): Having more than one person required to complete a task

Suite Management

Service-level: Helping a company configure and monitor service levels for its identity management services

Configuration: Management capabilities for Oracle Identity Management products accelerate diagnostics and help users manage changes to their environment.

Performance: Single-step discovery of three Oracle Identity Management products (Oracle Access Manager, Oracle Identity Manager, and Oracle Identity Federation) helps enterprises set up their monitoring environments quickly. In addition, Oracle Identity Management products deliver a collection of key performance metrics to help facilitate rapid time-to-value.

Monitoring: Administrators can monitor performance and availability of a company’s identity management services internally or externally by using prerecorded transactions.

The next few slides examine the infrastructures of the Identity Administration, Access Management, and Directory Services functional areas of identity management as well as features associated with each Oracle Identity Management product.
