Mechanics of Oracle Portal and Identity Management
Paper 36768
Sanjeev Mohan
Golden Gate University, San Francisco

Dec 14, 2015

Transcript
Page 1: Mechanics of Oracle Portal and Identity Management Mechanics of Oracle Portal and Identity Management Paper 36768 Sanjeev Mohan Golden Gate University,

Mechanics of Oracle Portal and Identity Management
Paper 36768

Sanjeev Mohan

Golden Gate University, San Francisco

Page 2

Topics

Introduction
Business Requirements
Case Study: Golden Gate University
Portal
Identity Management (LDAP)
Single Sign On (SSO)

Page 3

Case Study: Golden Gate University’s Legacy Environment

Operating systems: Solaris, Windows, MPE/ix, Netware, Mac OS, Digital Unix

Hardware platforms: SUN (Sparc), Dell (Intel), HP 3000, Macintosh, DEC Alpha

Databases: Oracle, SQL Server, Access, FoxPro, HP Image

Development: ColdFusion, HTML, JavaScript, UniBasic

No common code, data, OS, management process, customer experience

Page 4

GGU’s new Web Architecture (diagram)

Application Layer: JSP Pages / XML / HTML; Application Server / Business Tier running Human Resource, Financials, Student, Data Mining / Reporting, Portal, Oracle Text Search and Oracle Collaboration Suite; LDAP - Oracle OID; migrated legacy apps / File / Print / Messaging

Enterprise Database: Oracle 9i Enterprise Edition DBMS

Server Tier: Linux / Solaris (IBM)

Storage Tier: Storage Area Network / Physical Data Layer

Page 5

Business Requirements: Challenges

Profusion of stand-alone servers and applications
Redundant storage of data
Inaccurate / out-of-sync data
Lack of a consolidated view of data
Inability to produce business intelligence

Page 6

Business Requirements: Why Portal?

Higher productivity for employees by providing a single point of access to integrated applications.
Better employee communication and collaboration.
More efficient business processes and improvements.
Helps make an organization more competitive: a well designed portal could provide an organization with differentiation over its competition.
Better customer satisfaction and retention.
Lower cost and better utilization of staff, e.g. IT support, HR staff etc.
Lower cost by reducing the number of servers.

Page 7

Integration Levels

Integration of Databases
Data Warehouse
Enterprise Application Integration (EAI)
Application Level Integration
Web Services
Portal

Page 8

Integration Architecture (diagram): ERP, CRM, Email, LOB, Legacy

Page 9

Portal Definition

The term portal is often misused; many describe it as simply an entry point into a site, e.g. a company’s home page.

Portals provide an organization’s customers and employees integrated access to applications and services in a highly secure and customizable manner.

Page 10

Portals

Enterprise Portal
– Internal / Corporate Portal
– eBusiness Portal
Public Internet Portal
Appliance Portal
Vertical Portal

Page 11

Portal features – End User

Access to Enterprise Applications (Self Service)

Categorization of External / Unstructured Content (Taxonomy)

Collaboration Tools
Personal Organization Tools
Search Tool
Personalization / Customization Tools

Page 12

Portal features – Technology

Identity Management
Single Sign On
Content Management System
Highly Available and Secure Infrastructure
Administration Tools
User Interface Services, e.g. Wireless Support

Page 13

Portal Vendors

Pure Play Vendors
– Epicentric (acquired by Vignette), Plumtree, Hummingbird, Citrix NFuse, CA CleverPath, Corechange Coreport
Application Server Vendors
– BEA WebLogic, IBM WebSphere, Oracle 9iAS, Sun One and BroadVision InfoExchange
ERP Vendors (Oracle, PeopleSoft, SAP)
BI Vendors (Brio, Cognos, SAS, Business Objects)
Others (uPortal, TIBCO, ATG, Microsoft SharePoint)

Page 14

Oracle Portal Architecture (diagram)

Web Browser
Oracle 9i Application Server: Oracle HTTP Server (Apache) with mod_plsql; OC4J (Java Servlet Engine) with Servlet Connector, Parallel Page Engine and Java Portlets
Portal Repository (Oracle 9i)
External Web Providers

Page 15

Oracle 9iAS R2 Components

Mid-tier: HTTP Server; BC4J; OC4J_Demo; OC4J_Home; OC4J_Portal; Clickstream; Portal; SSO; Webcache

Infrastructure: HTTP Server; OC4J_Demo; OC4J_Home; OC4J_DAS; Clickstream; Internet Directory; SSO

Page 16

Why Oracle Portal?

Strategic and primary interface for students, faculty, staff and alumni (through Oracle Single Sign On (OSSO))
Portal as a subset of the GGU web site
Support for portal standards (JSR 168, WSRP)
Robust Portal Integration Framework (PDK)
– Ease of portal page and portlet development
– Extensible portlets: calendar, eLearning, Business Intelligence, OEM 4.0, ERP
– External 3rd-party Portlets
Clickstream Analysis

Page 17

Identity Management

An infrastructure to centralize the management of users and the privileges assigned to them

User life cycle management: creation of a new user account, modification, assignment of roles and privileges, and finally deletion of the user account.

Page 18

Business Requirements: Challenges

User information available in multiple systems (redundancy)
Programs needed to sync user data
Data is not consistent / accurate
Security issues when accounts are not deleted for ex-employees

Page 19

What is a Directory / What is it not?

A directory is a specialized database
Doesn’t contain tables, columns, relations
Contains attributes (single valued / multi valued)
Access is not via SQL but via a protocol such as LDAP (Lightweight Directory Access Protocol)
Tuned for fast reads but not writes

Page 20

LDAP Schema – Building Blocks

Entries (details for persons / resources)
Attributes
Primary Key
– E.g. Distinguished Name or DN
Examples:
– dn: uid=jdoe,ou=hr,o=acme,dc=com
– dn: cn=smohan,dc=ggu,dc=edu

Page 21

Object Class

Group of attributes
Uniquely identified by Abstract Syntax Notation One (ASN.1) object identifiers (OIDs)
Vendor includes standard classes as well as proprietary ones
Example: the “Person” object class contains:
– Mandatory attributes: cn (common name) and sn (surname)
– Optional attributes: userPassword, telephoneNumber etc.

Page 22

Object Class Hierarchy

Top (2.5.6.0)

Person (2.5.6.6)

organizationalPerson (2.5.6.7)

inetOrgPerson (2.16.840.1.113730.3.2.2)

Page 23

Proprietary / User-Defined Object Class

Oracle proprietary: orclSubscriber
GGU user-defined: gguPerson
Internet Assigned Numbers Authority (IANA) assigns a “private enterprise number”
gguPerson attributes: ClassesEnrolledIn, StudentId etc.
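As an added example, not part of Mohan's slides, the following Python checks an entry against the object-class hierarchy from pages 20-23: it resolves inherited mandatory and optional attributes (person requires cn and sn; inetOrgPerson inherits them through organizationalPerson and top) and verifies that the DN's RDN is an attribute of the entry. The gguPerson class, its OID under a placeholder IANA private enterprise number, and which of its attributes are mandatory are assumptions; the standard classes' attribute lists are trimmed to what the slides mention.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ObjectClass:
    name: str
    oid: str                        # ASN.1 object identifier, as on the Object Class slides
    superior: Optional[str]         # parent class in the hierarchy; None only for top
    must: frozenset = frozenset()   # mandatory attributes
    may: frozenset = frozenset()    # optional attributes

# Standard classes per RFC 4512/4519/2798; attribute lists trimmed to the ones the slides mention.
SCHEMA = {
    "top": ObjectClass("top", "2.5.6.0", None, frozenset({"objectClass"})),
    "person": ObjectClass("person", "2.5.6.6", "top", frozenset({"cn", "sn"}),
                          frozenset({"userPassword", "telephoneNumber", "description"})),
    "organizationalPerson": ObjectClass("organizationalPerson", "2.5.6.7", "person",
                                        may=frozenset({"ou", "title"})),
    "inetOrgPerson": ObjectClass("inetOrgPerson", "2.16.840.1.113730.3.2.2",
                                 "organizationalPerson", may=frozenset({"uid", "mail"})),
    # Hypothetical user-defined class; its OID arc would hang off GGU's IANA private enterprise number.
    "gguPerson": ObjectClass("gguPerson", "1.3.6.1.4.1.<PEN-PLACEHOLDER>.1.1", "inetOrgPerson",
                             frozenset({"StudentId"}), frozenset({"ClassesEnrolledIn"})),
}

def superior_chain(name):
    """Walk from a class up to top: inetOrgPerson -> organizationalPerson -> person -> top."""
    chain = []
    while name is not None:
        chain.append(SCHEMA[name])
        name = SCHEMA[name].superior
    return chain

def parse_dn(dn):
    """Split 'uid=jdoe,ou=hr,o=acme,dc=com' into [('uid', 'jdoe'), ...].
    Whitespace around '=' and ',' is tolerated; RFC 4514 escaped commas are not handled."""
    return [tuple(part.strip() for part in rdn.split("=", 1)) for rdn in dn.split(",")]

def check_entry(dn, attrs):
    """Return a sorted list of schema violations; an empty list means the entry is valid."""
    errors, required, allowed = [], set(), set()
    for oc_name in attrs.get("objectClass", []):
        if oc_name not in SCHEMA:
            errors.append(f"unknown objectClass {oc_name}")
            continue
        for oc in superior_chain(oc_name):      # inherit MUST/MAY from every superior class
            required |= oc.must
            allowed |= oc.must | oc.may
    errors += [f"missing mandatory attribute {a}" for a in required - attrs.keys()]
    errors += [f"attribute {a} not allowed by objectClass" for a in attrs.keys() - allowed]
    rdn_attr, rdn_value = parse_dn(dn)[0]       # the RDN must be one of the entry's own attribute values
    if rdn_value not in attrs.get(rdn_attr, []):
        errors.append(f"RDN {rdn_attr}={rdn_value} is not an attribute of the entry")
    return sorted(errors)
```

Attribute names are compared case-sensitively here, whereas a real directory treats them case-insensitively.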

Page 24

Page 25

Directory Integration

Identify systems of record: HR, email, PBX
Some data only in the directory
– MD5 hashed user password

Synchronization of sources of data with directory

Create users’ roles and group memberships (Access Control Policy)

Set up Delegated Administration
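Added example (Python, not from the slides) of the synchronization step on this page together with the "accounts not deleted for ex-employees" challenge on page 18: HR is taken as the system of record, the directory is compared against it, and LDIF add/modify/delete operations are generated while directory-only attributes such as the hashed userPassword are never touched. The base DN, the HR export layout and all records are constructed.

```python
BASE_DN = "dc=ggu,dc=edu"            # assumed suffix, taken from the DN example on the LDAP schema slide
DIRECTORY_ONLY = {"userPassword"}    # lives only in the directory; a sync must never overwrite it

# Constructed HR export (system of record for who exists and their names/titles), keyed by login id.
HR_RECORDS = {
    "smohan": {"cn": "smohan", "sn": "Mohan", "title": "DBA"},
    "jdoe":   {"cn": "jdoe", "sn": "Doe", "title": "Registrar"},
}
# Constructed directory state. 'oldhand' has left, so HR no longer lists this person, but the entry lingers.
# The slides keep an MD5 password hash in the directory; a salted scheme such as SSHA is the usual replacement.
DIRECTORY = {
    "smohan":  {"cn": "smohan", "sn": "Mohan", "title": "Developer", "userPassword": "{MD5}<hash-placeholder>"},
    "oldhand": {"cn": "oldhand", "sn": "Hand", "title": "Clerk", "userPassword": "{MD5}<hash-placeholder>"},
}

def plan_changes(hr, directory):
    """Return (adds, modifies, deletes) that make the directory agree with the system of record."""
    adds = {uid: rec for uid, rec in hr.items() if uid not in directory}
    deletes = sorted(uid for uid in directory if uid not in hr)   # deprovisioning of ex-employees
    modifies = {}
    for uid in hr.keys() & directory.keys():
        # Only attributes HR owns are compared; directory-only ones are skipped even if an export carries them.
        diff = {a: v for a, v in hr[uid].items()
                if a not in DIRECTORY_ONLY and directory[uid].get(a) != v}
        if diff:
            modifies[uid] = diff
    return adds, modifies, deletes

def to_ldif(adds, modifies, deletes):
    """Render the plan as LDIF change records (RFC 2849) for ldapmodify or a directory sync tool."""
    lines = []
    for uid, rec in sorted(adds.items()):
        lines += [f"dn: cn={uid},{BASE_DN}", "changetype: add", "objectClass: inetOrgPerson"]
        lines += [f"{a}: {v}" for a, v in rec.items()] + [""]
    for uid, diff in sorted(modifies.items()):
        lines += [f"dn: cn={uid},{BASE_DN}", "changetype: modify"]
        for a, v in diff.items():
            lines += [f"replace: {a}", f"{a}: {v}", "-"]
        lines.append("")
    for uid in deletes:
        lines += [f"dn: cn={uid},{BASE_DN}", "changetype: delete", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_ldif(*plan_changes(HR_RECORDS, DIRECTORY)))
```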

Page 26

OID Applications at GGU

Intranet / Portal user authentication
Database user authentication
OS authentication
Oracle Net directory naming
Wireless user authentication using RADIUS
Integration with Oracle 11i eBusiness Suite

Page 27

LDAP Product Vendors

Novell eDirectory

Sun One

Oracle Internet Directory (OID)

Microsoft Active Directory

OpenLDAP

Entrust (GetAccess) / IBM (Tivoli Policy Director)
Netegrity (SiteMinder) / Entegrity (AssureAccess)
RSA Security (ClearTrust) / Oblix (NetPoint)

Page 28

Oracle Internet Directory (OID)

Underlying storage is the database, so we get all the benefits of Oracle 9i R2 (RMAN backup, replication)

Required by Oracle Portal, Collaboration Suite and future Oracle products and Oracle SSO

Integrates with Oracle HRMS, iPlanet and Microsoft Active Directory

Oracle Delegated Administration Service

Page 29

Business Requirements: Challenges

Help desk inundated with password resets
Users leaving passwords on their desks
Users wasting time trying to remember passwords
Applications forcing password changes, causing more confusion
Applications not securing passwords adequately

Page 30

Single Sign On - Benefits

Ease of administration
User convenience
Higher security
Eases development
Reduces help desk support calls

Page 31

SSO Standards and Vendors

Microsoft .NET Passport (Kerberos)
Liberty Alliance (Security Assertion Markup Language - SAML)
---
Oracle Single Sign On (OSSO)
Computer Associates (eTrust)
IBM (Access360)

Page 32

Single Sign On - Architecture (diagram)

Components: Client Web browser; Apache web server (mod_sso); SSO Server / Identity Provider; LDAP; Authenticated Portal Page / application. The diagram's numbered request flow between these components (steps 1 to 9) is not captured in the transcript.

Page 33

Questions & Answers