Building an Identity Services Layer with Oracle Identity Management Nishant Kaushik Consulting Member of Technical Staff

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Agenda Introduction Identity-Enabling Applications Defining the Identity Services Platform Putting it together using Oracle Identity Management Standardization Efforts Get Involved <Insert Picture Here>

Introduction

Identity-Enabling Applications

Defining the Identity Services Platform

Putting it together using Oracle Identity Management

Standardization Efforts

Get Involved

<Insert Picture Here> Introduction

The Identity Equation Identity is an enterprise-wide concern that must… …be aligned with the strategic direction of the enterprise …be holistic in its coverage …help identify your “future state” …bring adaptability to your enterprise …satisfy technology, regulatory and business needs …introduce consistency and efficiency in IT infrastructure Guru Pitka says: Identity (Externalized, Centralized, Rationalized) + SOA = Security, Compliance & Manageability Nirvana

Identity is an enterprise-wide concern that must…

…be aligned with the strategic direction of the enterprise

…be holistic in its coverage

…help identify your “future state”

…bring adaptability to your enterprise

…satisfy technology, regulatory and business needs

…introduce consistency and efficiency in IT infrastructure

An Ongoing Discussion Started at OpenWorld 2006 S281669: Application-Centric Identity Management: Identity-enabled applications made easy Continued at OpenWorld 2007 S291824: Rationalize, Centralize, Externalize: Identity Management in Oracle Fusion Architecture And here we are at OpenWorld 2008 Lets look at the State of Identity Services

Started at OpenWorld 2006

S281669: Application-Centric Identity Management: Identity-enabled applications made easy

Continued at OpenWorld 2007

S291824: Rationalize, Centralize, Externalize: Identity Management in Oracle Fusion Architecture

And here we are at OpenWorld 2008

Lets look at the State of Identity Services

Service-Oriented Security A key step towards Oracle’s vision of Service-Oriented Security is &quot;Identity Externalization“ The externalization of user and security policy data from the applications themselves SOS enables the creation of an Identity Services layer An enterprise platform on which all identity-enabled applications are built, deployed and managed

A key step towards Oracle’s vision of Service-Oriented Security is &quot;Identity Externalization“

The externalization of user and security policy data from the applications themselves

SOS enables the creation of an Identity Services layer

An enterprise platform on which all identity-enabled applications are built, deployed and managed

Identity Services is “In” Enterprises want it SOA objectives align well with customer requirements Don’t want the headache of development and integration Prefer avoiding vendor lock-in Application vendors starting to realize the value of externalized identity Focus on core functionality, not infrastructure-ey stuff IdM industry sees advantage in being able to interoperate Want to get away from costly integration and certification efforts Want to penetrate competitive strongholds

Enterprises want it

SOA objectives align well with customer requirements

Don’t want the headache of development and integration

Prefer avoiding vendor lock-in

Application vendors starting to realize the value of externalized identity

Focus on core functionality, not infrastructure-ey stuff

IdM industry sees advantage in being able to interoperate

Want to get away from costly integration and certification efforts

Want to penetrate competitive strongholds

<Insert Picture Here> Identity-Enabling Applications

An Identity-Enabled Application Architecturally: Built to SOA guidelines Functionally: Understands and consumes identity constructs defined at the Enterprise/Domain level Structurally: Conforms to consistent expression of business and security policies

Architecturally: Built to SOA guidelines

Functionally: Understands and consumes identity constructs defined at the Enterprise/Domain level

Structurally: Conforms to consistent expression of business and security policies

Identity-Enabling an Application Identity Services provide identity in a consistent, reusable way to all applications/services Enables them to make identity an integral part of their business logic in a coordinated and meaningful way Presentation (Interfaces) Process (Application, Controller) Domain (Business) Data (Persistence) Data Sources Identity Services Platform Infrastructure

Identity Services provide identity in a consistent, reusable way to all applications/services

Enables them to make identity an integral part of their business logic in a coordinated and meaningful way

The 10 Commandments of identity-enabled applications Thou shall NOT build proprietary user repositories Thou shall ascribe to the principle of least knowledge Thou shall respect privacy concerns regarding PII Thou shall NOT hard-code authentication logic in application code Thou shall define security policies around risk-based assurance of user identity Thou shall define a clear role model for access control and business functionality Thou shall NOT hard code authorization logic in application code Thou shall define authorization policies based on entitlement models, roles and contextual rules Thou shall formalize administration requirements around self-service, self-registration and change management Thou shall identify and publish a well-defined set of audit events for identity transactions and user activity

Thou shall NOT build proprietary user repositories

Thou shall ascribe to the principle of least knowledge

Thou shall respect privacy concerns regarding PII

Thou shall NOT hard-code authentication logic in application code

Thou shall define security policies around risk-based assurance of user identity

Thou shall define a clear role model for access control and business functionality

Thou shall NOT hard code authorization logic in application code

Thou shall define authorization policies based on entitlement models, roles and contextual rules

Thou shall formalize administration requirements around self-service, self-registration and change management

Thou shall identify and publish a well-defined set of audit events for identity transactions and user activity

Impact on Application Lifecycle Identity Services plays a role in each stage of an applications lifecycle – from design to administration Design Management & Administration Packaging Runtime Integration Development Deployment

Identity Services plays a role in each stage of an applications lifecycle – from design to administration

<Insert Picture Here> Defining the Identity Services Platform

The Identity Services Platform Identity Services Role Provider Controls & Audit Identity Hub Authorization Authentication I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Provisioning A P I I N T ERFAC E S STANDARD PROTOCOLS

Consuming the Platform Applications consume the services through easy-to-use programmatic APIs Where possible, applications interact with the Runtime Container, not directly with Identity Services In all other cases, standard programmatic APIs should be used to interact with the service abstraction Identity Services Role Provider Controls & Audit Identity Hub Authorization Authentication I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Provisioning A P I I N T ERFAC E S STANDARD PROTOCOLS

Applications consume the services through easy-to-use programmatic APIs

Where possible, applications interact with the Runtime Container, not directly with Identity Services

In all other cases, standard programmatic APIs should be used to interact with the service abstraction

Key Service Capabilities Authentication Single/Multi-Factor Authentication, with support for Up-Leveling, based on risk mitigation needs Identity Proofing Identity Hub Required attributes as per policy Virtualization of disparate, distributed identity stores Role Provider Runtime role resolution based on session and context Identity Services Role Provider Controls & Audit Identity Hub Authorization Authentication I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Provisioning A P I I N T ERFAC E S STANDARD PROTOCOLS

Authentication

Single/Multi-Factor Authentication, with support for Up-Leveling, based on risk mitigation needs

Identity Proofing

Identity Hub

Required attributes as per policy

Virtualization of disparate, distributed identity stores

Role Provider

Runtime role resolution based on session and context

Key Service Capabilities (cont’d) Authorization Static/dynamic granting of access to protected resources, fine-grained entitlements Provisioning Delegated Administration with support for Self-Service Password Management Approval based Change Management Controls and Audit Auditing, monitoring of session activities Identity Services Role Provider Controls & Audit Identity Hub Authorization Authentication I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Provisioning A P I I N T ERFAC E S STANDARD PROTOCOLS

Authorization

Static/dynamic granting of access to protected resources, fine-grained entitlements

Provisioning

Delegated Administration with support for Self-Service

Password Management

Approval based Change Management

Controls and Audit

Auditing, monitoring of session activities

Provider Model IdM Products act as Service Providers in this architecture Support all core capabilities Could provide value-added capabilities Standard protocols are used to plug the SPs into the Service Framework SAML, XACML, SPML, … Management of Services through IdM Product Administration Consoles Identity Services Role Provider Controls & Audit Identity Hub Authorization Authentication I D M I N F R A S T R U C T U R E M A N A G E M E N T & A D M I N Users Business Applications Provisioning A P I I N T ERFAC E S STANDARD PROTOCOLS

IdM Products act as Service Providers in this architecture

Support all core capabilities

Could provide value-added capabilities

Standard protocols are used to plug the SPs into the Service Framework

SAML, XACML, SPML, …

Management of Services through IdM Product Administration Consoles

<Insert Picture Here> Putting it together using Oracle Identity Management

Oracle Fusion Middleware

Oracle Identity Management Suite Access Manager Adaptive Access Manager Enterprise Single Sign-On Identity Federation Entitlements Server Web Services Manager Authentication Service for OS Access Management Identity Manager Role Manager Identity Admin. Internet Directory Virtual Directory Directory Services Identity Management Suite Audit & Compliance Enterprise Manager IdM Pack Manageability

Implementing using Oracle IdM CAF Controls & Audit OIM Provisioning OPSS API Interfaces ORM Role Provider OES + OAAM Authorization OAM + OAAM Authentication OVD + IGF (+ OID, if needed) Identity Hub Implement Using Identity Service

The Identity Hub Using OVD and IGF container IGF Attribute Service API IAttrSvcsStack Interface OVD Provider CARML Declarations CARML passed through IAttrSvcsStack Interface Application Oracle Virtual Directory (OVD) Identity Stores (HR, CRM, LDAP,…) Bonus: Use OID if an LDAP Store is needed

The Authentication Service Using OAM container Container Security (JAAS Login Module) Application OVD Identity Hub Web Server + OAM WebGate OAM Access Server

The Authentication Service Adding Risk & Fraud capabilities using OAAM container Container Security (JAAS Login Module) OAAM Native/SOAP APIs Application OVD Identity Hub Web Server + OAM WebGate OAM Access Server OAAM Server (ASA  ARM)

The Authorization Service Using OES container Container Security OES Security Module Application OVD Identity Hub OES Policy Store OES Administration Server Management & Administration OES Administration XACML Request/Response API

The Authorization Service Adding Risk-based Authorization using OAAM container Container Security OES Security Module Application OVD Identity Hub OES Policy Store OES Administration Server Management & Administration OES Administration XACML Request/Response API OAAM Server (ARM) OAAM Native API

The Role Provider Using ORM container Container Security JPS Plug-in Application Oracle Role Manager (ORM) Management & Administration ORM Administration ORM Native APIs

The Provisioning Service Using OIM container Application Oracle Identity Manager (OIM) Management & Administration OIM Administration SPML-based APIs Self-Service Console OVD Identity Hub ORM

The Controls & Audit Service Coming Soon A Common Audit Framework across the middleware environment Set of Audit APIs that applications use to audit events Framework for defining application-specific audit events Centralized administration for all audit-related configuration across all the consuming applications Audit data is pushed into an audit schema acting as a centralized audit repository for all applications within the same administrative domain Allows rich reporting with a variety of export format and scheduling support Built with extensibility and customization in mind

A Common Audit Framework across the middleware environment

Set of Audit APIs that applications use to audit events

Framework for defining application-specific audit events

Centralized administration for all audit-related configuration across all the consuming applications

Audit data is pushed into an audit schema acting as a centralized audit repository for all applications within the same administrative domain

Allows rich reporting with a variety of export format and scheduling support

Built with extensibility and customization in mind

API Interfaces Using OPSS Oracle defining Oracle Platform Security Services as a standards-based, portable, enterprise-grade security platform Provides abstraction levels (APIs) that insulate developers from security and identity management implementation details Security (Authentication, Authorization, Credential Store Management, Key Store Management) Audit Roles and Credentials Mapping Identity Attributes, User Roles, Privacy (CARML API / IGF) Cryptography (OSDT) Identity Administration Services (IDx)

Oracle defining Oracle Platform Security Services as a standards-based, portable, enterprise-grade security platform

Provides abstraction levels (APIs) that insulate developers from security and identity management implementation details

Security (Authentication, Authorization, Credential Store Management, Key Store Management)

Audit

Roles and Credentials Mapping

Identity Attributes, User Roles, Privacy (CARML API / IGF)

Cryptography (OSDT)

Identity Administration Services (IDx)

<Insert Picture Here> Standardization Efforts

Standardization is key Vision for Identity Services cannot become reality without Agreement on the set of services and their capabilities Standard API interfaces for the services Incorporation of services and API interfaces into Application Containers (J2EE, .NET, …) Buy-in from Application Vendors and IdM Vendor alike

Vision for Identity Services cannot become reality without

Agreement on the set of services and their capabilities

Standard API interfaces for the services

Incorporation of services and API interfaces into Application Containers (J2EE, .NET, …)

Buy-in from Application Vendors and IdM Vendor alike

Ongoing Efforts Burton Group leading an effort to define the Identity Services Platform under their Identity Services Working Group Oracle is an active contributor to the effort Oracle has been leading an open source effort under OpenLiberty to develop IGF compliant Identity Hub APIs Other efforts: Higgins, Bandit Identity Assurance Framework attempts to standardize authentication levels My Blog 

Burton Group leading an effort to define the Identity Services Platform under their Identity Services Working Group

Oracle is an active contributor to the effort

Oracle has been leading an open source effort under OpenLiberty to develop IGF compliant Identity Hub APIs

Other efforts: Higgins, Bandit

Identity Assurance Framework attempts to standardize authentication levels

My Blog 

Fusion Middleware Identity Services Project IDx Oracle working on developing a common Identity Services subsystem that ships as part of Fusion Middleware Defines the API Interfaces and Services to support basic identity services (OPSS) Supports provider model that can be wired to Identity Management products (Oracle and 3 rd party) Base infrastructure for identity-enabling Oracle Fusion Applications

Oracle working on developing a common Identity Services subsystem that ships as part of Fusion Middleware

Defines the API Interfaces and Services to support basic identity services (OPSS)

Supports provider model that can be wired to Identity Management products (Oracle and 3 rd party)

Base infrastructure for identity-enabling Oracle Fusion Applications

Much Work is Needed More work needed around Fine-Grained Authorization Role Structures need agreement Get beyond the idea of “Role as an Attribute” Rich Role Provider APIs are needed Relationship-based Roles, Business Roles & Session Roles need runtime APIs for dynamic retrieval Emergence of Claims-based Model for Identity Services Changes interaction model between consumer & service providers

More work needed around Fine-Grained Authorization

Role Structures need agreement

Get beyond the idea of “Role as an Attribute”

Rich Role Provider APIs are needed

Relationship-based Roles, Business Roles & Session Roles need runtime APIs for dynamic retrieval

Emergence of Claims-based Model for Identity Services

Changes interaction model between consumer & service providers

<Insert Picture Here> Get Involved

Resources Oracle Whitepapers on Identity Services http://www.oracle.com/technology/products/id_mgmt/pdf/serv_oriented_sec.pdf 1st in a series (2nd published this week on Identity Hub) Standards Initiatives Identity Governance Framework Identity Assurance Framework Oracle Platform Security Information on OTN

Oracle Whitepapers on Identity Services

http://www.oracle.com/technology/products/id_mgmt/pdf/serv_oriented_sec.pdf 1st in a series (2nd published this week on Identity Hub)

Standards Initiatives

Identity Governance Framework

Identity Assurance Framework

Oracle Platform Security

Information on OTN

Continue the Dialogue On My Blog http:// blogs.oracle.com/talkingidentity

For More Information Other sessions of interest S298921 – Using Oracle Adaptive Access Manager to Detect and Prevent Fraud in Oracle Applications Wednesday, September 24, 1PM, Marriot Salon 14/15 S299261 – Foundation for Security in Oracle Fusion Middleware: Oracle Platform Security Wednesday, September 24, 5PM, Marriot Golden Gate C3 S298936 – Oracle Role Manager: Architecture, Deployment, and Integration Thursday, September 25, 9AM, Marriot Salon 05 S298938 – Audit Framework for Oracle Fusion Middleware Thursday, September 25, 12PM, Marriot Salon 05 ADDITIONAL SESSIONS Visit our demos in Moscone South Automated Provisioning into Oracle Applications Context-Aware Fine-Grained Access Control Identity Audit and Compliance Oracle Adaptive Access Manager Oracle Directory Services and Operating System Security Oracle Enterprise Single Sign-On Suite Oracle Identity Management Suite Manageability Oracle Role Manager PRODUCTS IN ACTION

Other sessions of interest

S298921 – Using Oracle Adaptive Access Manager to Detect and Prevent Fraud in Oracle Applications

Wednesday, September 24, 1PM, Marriot Salon 14/15

S299261 – Foundation for Security in Oracle Fusion Middleware: Oracle Platform Security

Wednesday, September 24, 5PM, Marriot Golden Gate C3

S298936 – Oracle Role Manager: Architecture, Deployment, and Integration

Thursday, September 25, 9AM, Marriot Salon 05

S298938 – Audit Framework for Oracle Fusion Middleware

Thursday, September 25, 12PM, Marriot Salon 05

Visit our demos in Moscone South

Automated Provisioning into Oracle Applications

Context-Aware Fine-Grained Access Control

Identity Audit and Compliance

Oracle Adaptive Access Manager

Oracle Directory Services and Operating System Security

Oracle Enterprise Single Sign-On Suite

Oracle Identity Management Suite Manageability

Oracle Role Manager