Building an Identity Services Layer with Oracle Identity Management

Building an Identity Services Layer with Oracle Identity Management Nishant Kaushik Consulting Member of Technical Staff

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Agenda
Introduction
Identity-Enabling Applications
Defining the Identity Services Platform
Putting it together using Oracle Identity Management
Standardization Efforts
Get Involved
<Insert Picture Here>

<Insert Picture Here> Introduction

The Identity Equation
Identity is an enterprise-wide concern that must…
…be aligned with the strategic direction of the enterprise
…be holistic in its coverage
…help identify your “future state”
…bring adaptability to your enterprise
…satisfy technology, regulatory and business needs
…introduce consistency and efficiency in IT infrastructure
Guru Pitka says: Identity (Externalized, Centralized, Rationalized) + SOA = Security, Compliance & Manageability Nirvana

An Ongoing Discussion
Started at OpenWorld 2006
S281669: Application-Centric Identity Management: Identity-enabled applications made easy
Continued at OpenWorld 2007
S291824: Rationalize, Centralize, Externalize: Identity Management in Oracle Fusion Architecture
And here we are at OpenWorld 2008
Lets look at the State of Identity Services

Service-Oriented Security
A key step towards Oracle’s vision of Service-Oriented Security is "Identity Externalization“
The externalization of user and security policy data from the applications themselves
SOS enables the creation of an Identity Services layer
An enterprise platform on which all identity-enabled applications are built, deployed and managed

Identity Services is “In”
Enterprises want it
SOA objectives align well with customer requirements
Don’t want the headache of development and integration
Prefer avoiding vendor lock-in
Application vendors starting to realize the value of externalized identity
Focus on core functionality, not infrastructure-ey stuff
IdM industry sees advantage in being able to interoperate
Want to get away from costly integration and certification efforts
Want to penetrate competitive strongholds

<Insert Picture Here> Identity-Enabling Applications

An Identity-Enabled Application
Architecturally: Built to SOA guidelines
Functionally: Understands and consumes identity constructs defined at the Enterprise/Domain level
Structurally: Conforms to consistent expression of business and security policies

Identity-Enabling an Application
Identity Services provide identity in a consistent, reusable way to all applications/services
Enables them to make identity an integral part of their business logic in a coordinated and meaningful way
Presentation (Interfaces) Process (Application, Controller) Domain (Business) Data (Persistence) Data Sources Identity Services Platform Infrastructure

The 10 Commandments of identity-enabled applications
Thou shall NOT build proprietary user repositories
Thou shall ascribe to the principle of least knowledge
Thou shall respect privacy concerns regarding PII
Thou shall NOT hard-code authentication logic in application code
Thou shall define security policies around risk-based assurance of user identity
Thou shall define a clear role model for access control and business functionality
Thou shall NOT hard code authorization logic in application code
Thou shall define authorization policies based on entitlement models, roles and contextual rules
Thou shall formalize administration requirements around self-service, self-registration and change management
Thou shall identify and publish a well-defined set of audit events for identity transactions and user activity

Impact on Application Lifecycle
Identity Services plays a role in each stage of an applications lifecycle – from design to administration
Design Management & Administration Packaging Runtime Integration Development Deployment

<Insert Picture Here> Defining the Identity Services Platform

The Identity Services Platform Identity Services Role Provider Controls & Audit Identity Hub Authorization Authentication I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Provisioning A P I I N T ERFAC E S STANDARD PROTOCOLS

Consuming the Platform
Applications consume the services through easy-to-use programmatic APIs
Where possible, applications interact with the Runtime Container, not directly with Identity Services
In all other cases, standard programmatic APIs should be used to interact with the service abstraction
Identity Services Role Provider Controls & Audit Identity Hub Authorization Authentication I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Provisioning A P I I N T ERFAC E S STANDARD PROTOCOLS

Key Service Capabilities
Authentication
Single/Multi-Factor Authentication, with support for Up-Leveling, based on risk mitigation needs
Identity Proofing
Identity Hub
Required attributes as per policy
Virtualization of disparate, distributed identity stores
Role Provider
Runtime role resolution based on session and context

Key Service Capabilities (cont’d)
Authorization
Static/dynamic granting of access to protected resources, fine-grained entitlements
Provisioning
Delegated Administration with support for Self-Service
Password Management
Approval based Change Management
Controls and Audit
Auditing, monitoring of session activities

Provider Model
IdM Products act as Service Providers in this architecture
Support all core capabilities
Could provide value-added capabilities
Standard protocols are used to plug the SPs into the Service Framework
SAML, XACML, SPML, …
Management of Services through IdM Product Administration Consoles

<Insert Picture Here> Putting it together using Oracle Identity Management

Oracle Fusion Middleware

Oracle Identity Management Suite Access Manager Adaptive Access Manager Enterprise Single Sign-On Identity Federation Entitlements Server Web Services Manager Authentication Service for OS Access Management Identity Manager Role Manager Identity Admin. Internet Directory Virtual Directory Directory Services Identity Management Suite Audit & Compliance Enterprise Manager IdM Pack Manageability

Implementing using Oracle IdM CAF Controls & Audit OIM Provisioning OPSS API Interfaces ORM Role Provider OES + OAAM Authorization OAM + OAAM Authentication OVD + IGF (+ OID, if needed) Identity Hub Implement Using Identity Service

The Identity Hub Using OVD and IGF container IGF Attribute Service API IAttrSvcsStack Interface OVD Provider CARML Declarations CARML passed through IAttrSvcsStack Interface Application Oracle Virtual Directory (OVD) Identity Stores (HR, CRM, LDAP,…) Bonus: Use OID if an LDAP Store is needed

The Authentication Service Using OAM container Container Security (JAAS Login Module) Application OVD Identity Hub Web Server + OAM WebGate OAM Access Server

The Authentication Service Adding Risk & Fraud capabilities using OAAM container Container Security (JAAS Login Module) OAAM Native/SOAP APIs Application OVD Identity Hub Web Server + OAM WebGate OAM Access Server OAAM Server (ASA  ARM)

The Authorization Service Using OES container Container Security OES Security Module Application OVD Identity Hub OES Policy Store OES Administration Server Management & Administration OES Administration XACML Request/Response API

The Authorization Service Adding Risk-based Authorization using OAAM container Container Security OES Security Module Application OVD Identity Hub OES Policy Store OES Administration Server Management & Administration OES Administration XACML Request/Response API OAAM Server (ARM) OAAM Native API

The Role Provider Using ORM container Container Security JPS Plug-in Application Oracle Role Manager (ORM) Management & Administration ORM Administration ORM Native APIs

The Provisioning Service Using OIM container Application Oracle Identity Manager (OIM) Management & Administration OIM Administration SPML-based APIs Self-Service Console OVD Identity Hub ORM

The Controls & Audit Service Coming Soon
A Common Audit Framework across the middleware environment
Set of Audit APIs that applications use to audit events
Framework for defining application-specific audit events
Centralized administration for all audit-related configuration across all the consuming applications
Audit data is pushed into an audit schema acting as a centralized audit repository for all applications within the same administrative domain
Allows rich reporting with a variety of export format and scheduling support
Built with extensibility and customization in mind

API Interfaces Using OPSS
Oracle defining Oracle Platform Security Services as a standards-based, portable, enterprise-grade security platform
Provides abstraction levels (APIs) that insulate developers from security and identity management implementation details
Security (Authentication, Authorization, Credential Store Management, Key Store Management)
Audit
Roles and Credentials Mapping
Identity Attributes, User Roles, Privacy (CARML API / IGF)
Cryptography (OSDT)
Identity Administration Services (IDx)

<Insert Picture Here> Standardization Efforts

Standardization is key
Vision for Identity Services cannot become reality without
Agreement on the set of services and their capabilities
Standard API interfaces for the services
Incorporation of services and API interfaces into Application Containers (J2EE, .NET, …)
Buy-in from Application Vendors and IdM Vendor alike

Ongoing Efforts
Burton Group leading an effort to define the Identity Services Platform under their Identity Services Working Group
Oracle is an active contributor to the effort
Oracle has been leading an open source effort under OpenLiberty to develop IGF compliant Identity Hub APIs
Other efforts: Higgins, Bandit
Identity Assurance Framework attempts to standardize authentication levels
My Blog 

Fusion Middleware Identity Services Project IDx
Oracle working on developing a common Identity Services subsystem that ships as part of Fusion Middleware
Defines the API Interfaces and Services to support basic identity services (OPSS)
Supports provider model that can be wired to Identity Management products (Oracle and 3 rd party)
Base infrastructure for identity-enabling Oracle Fusion Applications

Much Work is Needed
More work needed around Fine-Grained Authorization
Role Structures need agreement
Get beyond the idea of “Role as an Attribute”
Rich Role Provider APIs are needed
Relationship-based Roles, Business Roles & Session Roles need runtime APIs for dynamic retrieval
Emergence of Claims-based Model for Identity Services
Changes interaction model between consumer & service providers

<Insert Picture Here> Get Involved

Resources
Oracle Whitepapers on Identity Services
http://www.oracle.com/technology/products/id_mgmt/pdf/serv_oriented_sec.pdf 1st in a series (2nd published this week on Identity Hub)
Standards Initiatives
Identity Governance Framework
Identity Assurance Framework
Oracle Platform Security
Information on OTN

Continue the Dialogue On My Blog http:// blogs.oracle.com/talkingidentity

For More Information
Other sessions of interest
S298921 – Using Oracle Adaptive Access Manager to Detect and Prevent Fraud in Oracle Applications
Wednesday, September 24, 1PM, Marriot Salon 14/15
S299261 – Foundation for Security in Oracle Fusion Middleware: Oracle Platform Security
Wednesday, September 24, 5PM, Marriot Golden Gate C3
S298936 – Oracle Role Manager: Architecture, Deployment, and Integration
Thursday, September 25, 9AM, Marriot Salon 05
S298938 – Audit Framework for Oracle Fusion Middleware
Thursday, September 25, 12PM, Marriot Salon 05
ADDITIONAL SESSIONS
Visit our demos in Moscone South
Automated Provisioning into Oracle Applications
Context-Aware Fine-Grained Access Control
Identity Audit and Compliance
Oracle Adaptive Access Manager
Oracle Directory Services and Operating System Security
Oracle Enterprise Single Sign-On Suite
Oracle Identity Management Suite Manageability
Oracle Role Manager
PRODUCTS IN ACTION

http://www.slideshare.net	44
http://blog.talkingidentity.com	35
http://tanweerahmad.blogspot.com	2

Building an Identity Services Layer with Oracle Identity Management

by Nishant Kaushik on Oct 01, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

3 Embeds 81

Statistics

Building an Identity Services Layer with Oracle Identity Management — Presentation Transcript