Oracle Single Sign-On to Oracle Access Manager Migration

12 Nov 2013


Oracle Single Sign-On to Oracle Access Manager Migration

Rob Otto
Oracle Consulting Services UK










The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.

The development, release, and timing of any
features or functionality described for Oracle’s
products remain at the sole discretion of Oracle.











Agenda

Access Management introduction
Oracle Access Manager 11gR2 Overview
Oracle SSO v OAM 11gR2
OAM 11gR2 - Migration and Coexistence with OSSO
Q&A











Access Management Introduction










Identity Management Portfolio 11gR2
Modern, Innovative & Integrated

Governance: Password Reset, Privileged Accounts, Access Request, Roles Based Provisioning, Role Mining, Attestation, Separation of Duties

Access: Web Single Sign-on, Federation, Mobile, Social & Cloud, External Authorization, SOA Security, Integrated ESSO, Token Services, Fraud Detection

Directory: LDAP Storage, Virtual Directory, Meta Directory

Platform Security Services (shared across the portfolio)










Taking a Platform Approach
Building on Components of Fusion Middleware

Fusion Middleware components used: User Interface, Customization, Performance










Oracle Access Management

Comprehensive security for applications, data, and web services

End-to-end authentication, single sign-on, and fine-grained application protection

Innovative anomaly detection, transaction security, and multi-factor authentication

Extensive 3rd-party integrations

Access Management capabilities: Authentication, Single Sign-On, Federation, Fraud Prevention, Authorization & Entitlements, Web Services Security, Secure Token Services










Oracle Access Management Suite Plus

Access Manager: Web Access Control; Single Sign-On
Adaptive Access Manager: Risk-based Authentication; Real-time Fraud Prevention
Entitlements Server: Entitlements Management; Fine Grained Authorization
Identity Federation: Partner SSO & Identity Federation; Fedlet SP integration
Secure Token Services: Security Token Management; Identity Propagation










Oracle Access Management

Blueprint Architecture










Oracle Access Manager 11gR2 Overview












Oracle Access Manager 11g
Objectives

Provide the foundation for the Access Management Suite
Converge OAM, OSSO, and OpenSSO
Provide new and advanced functionality to customers
Tighten integrations















Oracle Access Manager 11g
Key Features and Benefits

Modular Architecture: separate admin and runtime servers enable independent operation
Secure Policy Model: access is denied by default until policies are created to allow it
Simplified Install & Config: one package to install and one series of steps to configure a simple working environment
Session Management: allows admin tracking and termination of user sessions
Diagnostics & Monitoring: allows administrators to monitor key operational metrics in real time
Central Agent Management: the administration console provides a holistic view of all agents and shows the server each is connected to
Backwards Compatibility: compatible with 10g WebGates and 10g mod_osso
Windows Native AuthN: enables Windows desktop to web single sign-on
Improved Utilities: remote registration utility, remote access tester, and WLST commands for policy operations
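The "denied by default" property in the Secure Policy Model row is the one worth verifying in practice: a resource that no policy matches must fall to DENY, and an over-broad public pattern is the usual way that guarantee is lost. The following is an added example written for this page, not OAM's code or policy engine. The pattern syntax (`*` within one path segment, `...` for any number of segments), the longest-literal-prefix precedence, the role names and the paths are all assumptions chosen to illustrate the behaviour, not OAM's actual matching rules.

```python
"""Deny-by-default resource policy evaluation.

Added example for this page, in the spirit of the OAM 11g "secure policy model";
not OAM's engine. Pattern syntax ('*' within one path segment, '...' for any
number of segments) and longest-literal-prefix precedence are assumptions.
"""
import re


def _compile(pattern):
    """Translate a resource pattern into an anchored regex (assumed syntax)."""
    regex = ""
    for part in re.split(r"(\.\.\.|\*)", pattern):
        if part == "...":
            regex += ".*"          # any number of path segments
        elif part == "*":
            regex += "[^/]*"       # anything within a single segment
        else:
            regex += re.escape(part)
    return re.compile("^" + regex + "$")


def _specificity(pattern):
    """Longer literal prefix wins; fewer wildcards breaks ties."""
    literal = re.split(r"\.\.\.|\*", pattern)[0]
    return (len(literal), -(pattern.count("*") + pattern.count("...")))


class PolicyStore:
    def __init__(self):
        self.rules = []            # (pattern, compiled regex, allowed roles)

    def protect(self, pattern, allowed_roles):
        """Add a policy. 'anyone' in allowed_roles makes the resource public."""
        self.rules.append((pattern, _compile(pattern), frozenset(allowed_roles)))

    def decide(self, path, roles):
        """Return (decision, matched pattern). No matching policy means DENY."""
        matches = [r for r in self.rules if r[1].match(path)]
        if not matches:
            return "DENY", None    # the default: nothing is open until a policy says so
        pattern, _, allowed = max(matches, key=lambda r: _specificity(r[0]))
        if "anyone" in allowed or allowed & set(roles):
            return "ALLOW", pattern
        return "DENY", pattern


def audit_public(store, paths):
    """Which of these paths can a user with no roles reach? Review against the public patterns."""
    return [p for p in paths if store.decide(p, [])[0] == "ALLOW"]


def build_sample_store():
    """Constructed sample policies; paths and roles are illustrative."""
    store = PolicyStore()
    store.protect("/app/public/...", ["anyone"])     # static content, open to all
    store.protect("/app/...", ["employee"])          # the application itself
    store.protect("/app/admin/...", ["oam-admin"])   # more specific: overrides /app/...
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for path, roles in [("/hr/payroll", ["employee"]),          # no policy at all -> DENY
                        ("/app/home", ["employee"]),
                        ("/app/admin/users", ["employee"]),     # broad rule does not open admin
                        ("/app/admin/users", ["oam-admin"]),
                        ("/app/public/css/site.css", [])]:
        print(path, roles, "->", store.decide(path, roles))
    print("public:", audit_public(store, ["/app/public/js/app.js", "/app/home", "/app/publicity"]))
```

The audit call is the practitioner's check: feed it the paths you believe are private and confirm none come back, since a pattern such as `/app/...` with `anyone` would silently open everything beneath it that lacks a more specific rule.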










Oracle Access Manager 11g
Architecture

Runtime Server (OAM Server):
  Protocol Compatibility Framework
  Credential Collector, Session Management, SSO Engine
  AuthN Service, AuthZ Service
  Identity Provider, Token Processing, Partner & Trust
  Configuration Service, Policy Service
  Coherence Distributed Cache
  Oracle Platform Security Services













Oracle Access Manager 11g
Administration Console

Integrated Security Administration, Agent Administration










Access Manager 11gR2

Deployment Overview










Access Manager 11gR2
Deployment Detail

External Client -> Internet -> Firewall (Web Tier)
Web Tier: Load Balancer; Web Hosts running OHS with WebGate (protected resources)
Firewall (App Tier)
App Tier:
  IAM Hosts: WLS_OAM (OAM); Admin Server (Admin Console)
  IDM Hosts: Admin Server; WLS_ODSM (Admin Console, EM, ODSM)
  App Hosts: WLS with AccessGate
  LDAP Hosts: OVD, OID
Firewall (Data Tier)
Data Tier: DB Hosts running RAC; Metadata DB (OAM, OID, Schema)













Access Manager 11gR2
Installation and Configuration

Installation process
OAM 11g installs using Oracle Universal Installer (OUI)
The installation process copies all the software bits to the host machine
OUI does not perform product configuration

Configuration process requires two steps:
Database schema configuration using the Repository Creation Utility (RCU)
Product configuration and deployment using the WebLogic Configuration Wizard

Oracle Support Note 340.1 provides a good starting point













Oracle Access Manager 11g
Windows Native Authentication

SPNEGO-based credential validation for true Windows desktop to web single sign-on
Allows single sign-on for WebGate-protected and Oracle SSO-protected applications simultaneously
No IIS-based solution is needed for WebGate
WebGates and Oracle SSO-protected applications need not run on the Windows platform
Can be enabled for a subset of protected applications (for example internal vs external websites)













Oracle Access Manager 11g
Windows Native Authentication - Setup

Basic steps are as follows:
Edit the /etc/krb5.conf file
Create the Service Principal Name
Obtain a Kerberos ticket
Set up the OAM Kerberos AuthN Module
Configure the Kerberos AuthN Scheme for WNA
Register AD as an OAM User Store
Verify the OAM configuration (oam-config.xml)
Enable Kerberos in the web browser
Test

See OAM Admin Guide, Chapter 7











Oracle SSO v OAM 11gR2











Oracle Access Manager
Sample Oracle SSO Architecture

End User -> Oracle HTTP Server with mod_osso agent -> OC4J Application Server (Deployed Application, Local User Store)
Oracle Single Sign-On Server: user authentication and authentication decisions; LDAP authentication against Oracle Internet Directory (User Data)
Oracle Internet Directory: user synchronization from the Enterprise User Store via Directory Integration Platform or Oracle Identity Manager










Oracle Access Manager
Key differences v OSSO

OAM 11gR2 | OSSO
SSO, policy-based AuthN & AuthZ | SSO and simple AuthN only
WebLogic Server-based | OC4J-based
3rd-party LDAP server support | Dependence on OID
Support for OSSO, OAM 10g, OAM 11g and OpenSSO agents via the Protocol Compatibility Framework | Support for OSSO agents (mod_osso) only
Server-based session management | Sessions via client cookies only
Cross-domain SSO is native | Single network domain only
Native password policy (R2+) | OIDDAS for password policy
Integration with OIM (optional) for user self-service | OIDDAS for user self-service










OAM 11gR2 - Migration and Coexistence with OSSO












Oracle Access Manager 11g
OSSO 10g Upgrade

Facilitated through the AS Upgrade Assistant

Process:
Install OAM 11g
Run the Upgrade Assistant pointing to Oracle AS Single Sign-On 10.1.4.3

Two modes:
Retain Ports: no changes required on partner sites
Change Ports: partner sites need the new osso.conf generated by the Upgrade Assistant

See the Support Migration Advisor (note 343.1) and the upgrade viewlet (note 1230123.1)










Co-existence: OAM 11g & SSO 10g

Supports OracleAS SSO 10g Release (10.1.2.0.2) through OracleAS SSO 10g Release (10.1.4.3.0)

Co-existence requires the same back-end user identity store: Oracle Internet Directory (OID)










Co-existence: OAM 11g & SSO 10g
Without Proxy

mod_osso redirects requests to the 11g OAM Server for authentication through a proxy.

mod_wl replaces mod_oc4j. mod_wl enables SSO to work without any changes on the OHS.










Co-existence: SSO between Partner Applications

App1 upgraded to OAM 11g

User accessing App1: OAM sets the SSO cookie and updates session information accordingly. The cookie includes a flag indicating that an OSSO cookie must also exist for this cookie to be valid.








