PAGE 1 Enabling Single Sign-On for Oracle Applications Oracle Applications Users Group
Agenda
Introduction
• Organization
• Speakers
Security Spectrum
• Information Security Spectrum
• Oracle Identity Management Platform
Access Control
• Access Management Framework
• Oracle Access Management System Architecture
• Oracle Access Management Integration Architecture
• Benefits – Access Control System
Oracle Applications (E-Business) Integration
• Support Architecture
• Integration Flow
• Integration of OID and E-Biz (GUID)
• Access Gate integration
• Third-party directories integration (AD)
• Deployment Topology
• Best Practices
Introduction
About BIAS Corporation – Who We Are…
• Founded in 2000
• Distinguished Oracle Leader
– Technology Momentum Award
– Portal Blazer Award
– Titan Award – Red Stack + HW Momentum Awards
– Excellence in Innovation Award
• Management team is ex-Oracle
• Location(s): Headquartered in Atlanta; regional office in Washington D.C.; offshore – Hyderabad and Chennai, India
• ~250 employees with 10+ years of Oracle experience on average
• Inc.500|5000 Fastest Growing Private Company in the U.S. for the 5th time
• Voted Best Place to Work in Atlanta for 2nd year
• 30 Oracle Specializations spanning the entire stack
Speakers Profile
Kashif Dhatwani
• Practice Director, Identity Management and Data Security
• Enterprise and Solution Architect
• 15+ years of experience in delivering solutions around middleware technologies including Security, SOA, Portal and custom-developed solutions
• 7+ years with BIAS Corporation; previously held positions at Oracle and IBM
• Focused on delivering best-practice and industry-standards-based solutions to BIAS customers
• Leading a team of solution and technical architects delivering solutions across multiple industries
Madan Shah
• Solution Architect, Identity Management & Data Security
• 15+ years of experience in middleware technologies
• 3+ years with BIAS Corporation
• Solution Architect and Technical Architect – Middleware Technologies including Java / J2EE, Portals, Data Security and Identity & Access Management
• Leading development teams to deliver solutions for Identity & Access Management and Data Security
• Oracle Access Management Suite Plus 11g Certified Implementation Specialist and Oracle Database 11g Security Certified Implementation Specialist
BIAS Practice Areas
BIAS Corporation is a recognized leader in Identity & Access Management system assessment, design and implementation. As an Oracle Platinum partner, BIAS Corporation's IDM Practice provides experienced architects with expertise in assessing environments, building roadmaps and designing systems, and implements solutions using the experienced developers of the BIAS IDM practice.
Security Spectrum
Information Security Spectrum
Identity Management
• Governance
• Compliance
• Single Source of Truth
• Provisioning / De-provisioning
• SoD – Separation of Duties
Access Management
• Access Control
• Authentication
• Authorization
• Single Sign-On
• Multi-Factor Authentication
Mobile Security
• Security Container
• Single Sign-On
• Application Management
Data Security
• Protect your data at Rest and in Transit
• Data Access – Authentication
• Data Access – Fine Grained Control
• Auditing
Identity Management Portfolio – 11gR2 Modern, Innovative & Integrated
Governance
• Oracle Identity Manager (OIM)
• Oracle Privileged Account Manager (OPAM)
Access
• Oracle Access Manager (OAM)
• Oracle Adaptive Access Manager (OAAM)
• Oracle API Gateway (OEG)
• Oracle Identity Federation (OIF)
• Oracle Security Token Services (OSTS)
• Oracle Entitlement Server (OES)
• Oracle Enterprise SSO (OeSSO)
Directory
• Oracle Unified Directory (OUD)
• Oracle Virtual Directory (OVD)
• Oracle Internet Directory (OID)
Mobile Security
• Oracle Mobile Security Suite (OMSS)
• Oracle Access Manager (OAM)
• Oracle Identity Manager (OIM)
Platform Security Services
Oracle Database Security Solutions (by maturity of database environment)
Audit Vault, Database Firewall
• Database Activity Auditing
• Database Firewall Monitoring
• Centralized Audit Data Warehouse
Advanced Security, Data Masking
• Transparent Data Encryption
• Network Encryption/Strong Auth
• Data Masking for Non-Production
Database Vault, Label Security
• Separation of Duties for DBAs
• Protection Realms & Rules
• Label Based Access Control
Access Control
Access Management Framework
[Diagram: internal users and external users (partners, vendors), cloud providers, web applications and LDAP, with a single user account and a single logon across the web applications.]
Oracle Access Management System Architecture
Access Management Integration Architecture
[Diagram: internal users and external users (partners, vendors) reach cloud providers, on-premise apps and web applications through Oracle Access Manager, with LDAP as the user store; Access Gate and Webgate sit in front of the web applications; flows are labelled Authentication / SSO (on-premise and web applications) and Federation / SSO (cloud providers).]
Identity Management Overview
Benefits
Centralized Access Management
• Centralized security enforcement
• Centralized policy control over application access
Single Sign-On
• Use one (1) set of credentials to access all your applications
• No need to remember multiple user IDs and passwords
• Reduced risk of credential compromise
• One-time login to your first application
• Navigate securely to multiple applications
Federation
• Single Sign-On for third-party application partners
• Single Sign-On for cloud-based applications
User Repositories
• Integration with multiple user repositories
• Support for commonly used LDAPs and Microsoft Active Directory
Productivity
• Increased employee productivity
• Maintain compliance standards
• Self-service capabilities such as self-service password management
Oracle e-Business Application Single Sign-On
Oracle E-Business and Access Manager Support Architecture
E-Business Suite releases: 11.5.10.2, 12.1.3, 12.2
E-Business Suite 12.2.2+
• Oracle Access Manager 11.1.2.2
• Oracle Identity Management 11.1.1.7
• Oracle Web Gate 11.1.2.2
E-Business Suite 12
• Oracle Access Manager 11.1.2.2
• Oracle Identity Management 11.1.1.7.0
• Oracle Access Manager Webgate 11.1.2.2.0
• Oracle E-Business Suite Access Gate 1.2.3.4
Integration Architecture
[Diagram components: Oracle E-Business Suite; WebServer with Webgate; E-Business Suite Access Gate; Oracle Internet Directory; Oracle Access Manager.]
1. User requests a protected resource
2. User is redirected to EBS Access Gate (protected by OAM)
3. Webgate intercepts the request per OAM policies
4. Webgate connects the user to EBS Access Gate to collect credentials
5. User submits credentials to the OAM server
6. OAM verifies the credentials against the user repository
7. OAM returns the user identifier to EBS Access Gate
8. EBS Access Gate identifies the EBS user linked to the authenticated OID user
EBS Access Gate
Oracle E-Business Suite AccessGate is a Java EE application deployed on a WebLogic domain.
[Diagram: Oracle Access Manager WebGate passes the UID + ORCLGUID to EBS AccessGate; AccessGate links to the E-Business Suite instance database (FND_USR link) and to Oracle Internet Directory (FND_USR link, UID + ORCLGUID). Every user record has a unique ORCLGUID.]
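The eight-step flow on the previous slide and the ORCLGUID link on this one, modelled end to end as an added example. This is my code, not Oracle's or BIAS's, and it calls no real OAM, Webgate or AccessGate API: plain Python functions stand in for each component over constructed data. The directory entries, GUIDs, passwords, URL prefixes, credential-collector path and the FND_USER column name USER_GUID (the slide abbreviates the table as FND_USR) are all assumptions. What it shows beyond the diagram is the check a practitioner cares about at step 8: AccessGate maps the authenticated identity by GUID, so a directory user who authenticates at OAM but has no FND_USER row carrying that GUID is refused rather than matched on login name; wrong-password and unprotected-resource paths are covered as well.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


def _pw_hash(salt: bytes, password: str) -> bytes:
    # PBKDF2 stands in for whatever the real directory does with passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user repository standing in for Oracle Internet Directory.
# Each entry carries an orclguid, the value EBS AccessGate later uses to find
# the linked FND_USER row. GUIDs and passwords are made up for this demo.
_SALT = b"demo-salt"
OID_USERS: Dict[str, dict] = {
    "jsmith": {"orclguid": "0F3A1C2B8D4E4F5A9B6C7D8E9F0A1B2C",
               "pw": _pw_hash(_SALT, "Correct-Horse-1")},
    "contractor1": {"orclguid": "7E6D5C4B3A29188F7E6D5C4B3A291880",
                    "pw": _pw_hash(_SALT, "Temp-Pass-9")},
}

# Constructed FND_USER rows (the slide abbreviates the table as FND_USR).
# The GUID column name USER_GUID is an assumption; the point is that the link
# to the directory identity is by GUID, not by user name.
FND_USER: List[dict] = [
    {"USER_NAME": "JSMITH", "USER_GUID": "0F3A1C2B8D4E4F5A9B6C7D8E9F0A1B2C"},
    # contractor1 exists in OID but deliberately has no linked EBS account.
]

# Constructed OAM policy: URL prefixes Webgate must protect, and where it
# sends unauthenticated users (EBS AccessGate, itself protected by OAM).
PROTECTED_PREFIXES = ("/OA_HTML/", "/OA_MEDIA/")
CREDENTIAL_COLLECTOR = "/accessgate/login"


def webgate_intercept(path: str, session_guid: Optional[str]) -> dict:
    """Steps 1-4: Webgate checks the request against OAM policy. Unprotected
    paths pass through; unauthenticated requests to a protected resource are
    redirected to the credential collector; an existing SSO session is allowed."""
    if not path.startswith(PROTECTED_PREFIXES):
        return {"action": "pass-through"}
    if session_guid is None:
        return {"action": "redirect", "location": CREDENTIAL_COLLECTOR}
    return {"action": "allow", "guid": session_guid}


def oam_authenticate(username: str, password: str) -> Optional[str]:
    """Steps 5-7: OAM verifies the submitted credentials against the user
    repository and returns the user identifier (ORCLGUID) on success."""
    entry = OID_USERS.get(username)
    candidate = _pw_hash(_SALT, password)   # hash even for unknown names
    if entry is None or not hmac.compare_digest(candidate, entry["pw"]):
        return None
    return entry["orclguid"]


def accessgate_resolve(orclguid: str) -> Optional[str]:
    """Step 8: EBS AccessGate maps the authenticated directory identity to the
    EBS user whose FND_USER row carries the same GUID."""
    for row in FND_USER:
        if row["USER_GUID"] == orclguid:
            return row["USER_NAME"]
    return None


def sso_login(path: str, username: str = "", password: str = "",
              session_guid: Optional[str] = None) -> dict:
    """Drive one request through the whole flow and report the outcome."""
    decision = webgate_intercept(path, session_guid)
    if decision["action"] == "pass-through":
        return {"status": "pass-through"}
    if decision["action"] == "allow":
        guid = decision["guid"]
    else:
        guid = oam_authenticate(username, password)
        if guid is None:
            return {"status": "denied", "reason": "authentication failed"}
    ebs_user = accessgate_resolve(guid)
    if ebs_user is None:
        # Authenticated at OAM, but no FND_USER row carries this GUID: EBS
        # must refuse rather than fall back to matching on the login name.
        return {"status": "unlinked", "orclguid": guid}
    return {"status": "ok", "ebs_user": ebs_user, "orclguid": guid}


if __name__ == "__main__":
    for args in (("/OA_HTML/RF.jsp", "jsmith", "Correct-Horse-1"),
                 ("/OA_HTML/RF.jsp", "jsmith", "wrong-password"),
                 ("/OA_HTML/RF.jsp", "contractor1", "Temp-Pass-9"),
                 ("/public/index.html",)):
        print(args[0], "->", sso_login(*args))
```

The "unlinked" outcome is the one to watch in a real rollout: an account provisioned in OID (or synchronised from Active Directory) but not yet linked to FND_USER should surface as a provisioning gap, not be papered over by a name-based fallback.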
Deployment Topology (Clustered)
Oracle E-Business Suite Release 12.2 single sign-on
[Diagram: User → Load Balancer → Web Server 1 / Web Server 2 (Oracle HTTP Server with WebGate and EBS AccessGate, Oracle E-Business Suite Release 12.2.2+) → Load Balancer → OAM Server 1 / OAM Server 2 (Oracle Access Manager Server) and OID 1 / OID 2 (Oracle Internet Directory) → Oracle Database.]
Third-Party LDAP Integration
Third-Party Access Management
Architectural Considerations – Key Decisions
Provisioning
• Unidirectional Provisioning
– From Oracle Internet Directory to Oracle E-Business Suite only
– From Oracle E-Business Suite to Oracle Internet Directory only
• Bi-Directional Provisioning
– From Oracle Internet Directory to Oracle E-Business Suite
– From Oracle E-Business Suite to Oracle Internet Directory
Corporate User Repositories
• Microsoft Active Directory
• LDAPs
• Databases
Authorization
• EBS responsibilities are managed within EBS
Upgrade
• Existing environment can upgrade from OSSO to OAM
Co-Existence
• Multiple E-Business systems using the same Security Framework (Access Manager)
Best Practices
SSO Infrastructure
• High Availability
• Disaster Recovery Environment
• Performance Considerations
• OAM Detached Credential Collector vs Embedded Credential Collector
• Multi-Factor Authentication and Risk-based Authentication
End-to-End SSL
• Encrypt all HTTP and LDAP traffic
• TLS 1.2/TLS 1.1
Auditing
• Out-of-the-box auditing functionality provided by OAM for user authentications
• BI Publisher Reports
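The "End-to-End SSL" practice made concrete, as an added example that is not part of the deck. Two pieces: a client-side TLS context that refuses anything below TLS 1.2 and insists on certificate and hostname verification, and a small audit over a constructed inventory of the hops in an OAM/EBS deployment (browser to load balancer, load balancer to OHS/Webgate, Webgate to OAM, OAM and AccessGate to OID) that flags plaintext HTTP or LDAP and down-level TLS. The hop names, ports and observed protocol versions are made up for the demo; the minimum version is a parameter because the slide lists TLS 1.1 alongside 1.2, while the default here is 1.2.

```python
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context for HTTPS/LDAPS calls from scripts and integrations:
    TLS 1.2 or later, certificate required, hostname checked. In a real
    deployment load the CA bundle that signed the OAM/OID certificates with
    ctx.load_verify_locations(...)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


@dataclass(frozen=True)
class Hop:
    name: str
    scheme: str                  # "https", "http", "ldaps" or "ldap"
    port: int
    tls_version: Optional[str]   # e.g. "TLSv1.2"; None when no TLS at all


# Constructed inventory: what a deployment survey might record per hop.
# Names, ports and versions are assumptions for this example only.
SAMPLE_HOPS: List[Hop] = [
    Hop("browser -> load balancer", "https", 443, "TLSv1.2"),
    Hop("load balancer -> OHS/Webgate", "http", 7777, None),    # plaintext inside the DMZ
    Hop("Webgate -> OAM server", "https", 14100, "TLSv1.2"),
    Hop("OAM -> OID user repository", "ldap", 3060, None),      # plaintext LDAP bind
    Hop("EBS AccessGate -> OID", "ldaps", 3131, "TLSv1.0"),     # encrypted but down-level
]

_TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def audit_hop(hop: Hop, min_version: str = "TLSv1.2") -> List[str]:
    """Return the findings for one hop; an empty list means compliant."""
    findings: List[str] = []
    if hop.scheme in ("http", "ldap") or hop.tls_version is None:
        findings.append("plaintext: no TLS on this hop")
        return findings
    if _TLS_ORDER.get(hop.tls_version, -1) < _TLS_ORDER[min_version]:
        findings.append(f"down-level protocol {hop.tls_version} < {min_version}")
    return findings


def audit(hops: List[Hop] = SAMPLE_HOPS, min_version: str = "TLSv1.2") -> Dict[str, List[str]]:
    """Map hop name -> findings for every hop that fails the policy."""
    result: Dict[str, List[str]] = {}
    for hop in hops:
        findings = audit_hop(hop, min_version)
        if findings:
            result[hop.name] = findings
    return result


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("client minimum TLS:", ctx.minimum_version.name)
    for name, findings in audit().items():
        print(f"{name}: {'; '.join(findings)}")
```

The hop that is easiest to overlook is the internal one: terminating TLS at the load balancer and speaking plain HTTP to OHS, or letting OAM bind to OID over plain LDAP, is exactly what "encrypt all HTTP and LDAP traffic" rules out, and the audit reports those first.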
Oracle created the OPN Specialized Program to showcase the Oracle partners who have achieved expertise in Oracle product areas and reached specialization status through competency development, business results, expertise and proven success. BIAS is proud to be specialized in 30 areas of Oracle products, which include the following:
Contact Us
Kashif Dhatwani
Practice Director - Identity Management & Data Security
770-685-6240