Access Manager 11gR2 (11.1.2.0.0) Technical Presentation

splattersquadSecurity, Nov 16, 2013

Venu Shastri, Senior Principal Product Manager, Identity Management, Oracle


Oracle Confidential. Do Not Distribute. Copyright © 2012, Oracle and/or its affiliates. All right

Agenda

- Overview
- Key Features
- Architecture & Deployment
- Extensibility & Integrations
- Q & A


Access Management Platform 11gR2: Complete & Scalable




Access Manager 11gR2: Objectives

- Provide a scalable foundation for the Access Management Platform
- Converge OAM 10g, OSSO, and OpenSSO
- Provide new and advanced functionality to customers
- Tighten integrations



Access Manager 11gR2: Key Features

- Simplified Web Single Sign-On (SSO)
- Authentication and Authorization
- Centralized Policy Administration
- Advanced Session Management
- Centralized Agent Management
- Native Password Management
- Windows Native Authentication
- Comprehensive Auditing and Logging



Access Manager 11gR2: Benefits

- Centralized policy management and auditing reduces cost and improves compliance.
- Support for access management in a complex, heterogeneous environment reduces total cost of ownership and accelerates deployment.
- A flexible and powerful policy model allows organizations to meet complex access management needs.
- A scalable deployment model supports the most demanding, internet-scale deployments.
- An extensible architecture enables easy customization to meet organization-specific requirements.

Access Manager 11gR2: Deployment Overview





Access Manager 11gR2: Policy Model

- Enhanced security: closed world; access is denied to resources unless a policy specifically allows access
- Resource simplification: no URL prefixes; resources are defined as complete URL patterns ("*" and "…") associated with a host id and used to determine the sole policy applicable to a request
- Responses: expression-based responses that are powerful; ability to return user, request, and session information
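To make the closed-world rule and the "one resource pattern, one policy" lookup concrete, here is an added Python illustration (not Oracle's code). The exact wildcard semantics, the host identifier, the patterns and the policy names are assumptions and constructed samples.

```python
"""Closed-world resource matching in the style of the OAM 11gR2 policy model.
Added illustration, not Oracle code.  Assumed semantics: "*" matches any characters
within one path segment (no "/"), ".../" matches zero or more whole segments, the
most specific matching resource names the sole applicable policy, and an unmatched
request is denied outright (closed world)."""
import re
from typing import Optional

# Constructed sample resource table: (host identifier, URL pattern, policy name).
RESOURCES = [
    ("IntranetHost", "/hr/.../*", "HR_Protected_Policy"),
    ("IntranetHost", "/hr/public/*", "HR_Public_Policy"),
    ("IntranetHost", "/app/*.jsp", "App_JSP_Policy"),
]


def pattern_to_regex(pattern: str):
    """Translate an OAM-style URL pattern into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith(".../", i):      # any number of whole path segments
            out.append(r"(?:[^/]+/)*")
            i += 4
        elif pattern[i] == "*":                # wildcard confined to one segment
            out.append(r"[^/]*")
            i += 1
        else:                                  # literal character
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def specificity(pattern: str) -> tuple:
    """Sort key: more literal characters first, then fewer multi-level wildcards."""
    literal = len(pattern.replace("...", "").replace("*", ""))
    return (literal, -pattern.count("..."))


def applicable_policy(host_id: str, url: str) -> Optional[str]:
    """Name the single policy governing the request, or None when no resource matches."""
    matches = [(specificity(p), name) for h, p, name in RESOURCES
               if h == host_id and pattern_to_regex(p).match(url)]
    return max(matches)[1] if matches else None


def closed_world_decision(host_id: str, url: str, policy_results: dict) -> bool:
    """Deny unless a resource matched and its policy (looked up by name) allowed."""
    policy = applicable_policy(host_id, url)
    return policy is not None and bool(policy_results.get(policy, False))
```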


Access Manager 11gR2: Policy Model (diagram)

Entities shown: Access Manager, Authentication Schemes, Authentication Modules, Application Domains, Identity Store, Authentication Policies, Authorization Policies, Resource Types, Host Identifiers, Resources, Policies.

Legend: relationship one-to-many; relationship many-to-many; external dependencies; relationship containment.





Access Manager 11gR2: Policy Model Enhancements

- Multiple IP ranges
- Wildcard enhancements
- Resource operation / custom types
- Authorization expressions: AND, OR, NOT, with "(" and ")" as precedence indicators
- User Attribute Condition
- LDAP filter / search: enables creation of more complex and flexible authorization constraints that deal only with LDAP attributes
- Session Attribute Condition
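An added evaluator (not Oracle's code) for authorization expressions of the shape described above. The precedence order and the sample conditions (a user attribute, an LDAP group attribute, a session attribute and a multi-range IP check) are assumptions constructed for the example.

```python
"""Evaluator for OAM 11gR2-style authorization expressions: named conditions joined with
AND, OR, NOT and parentheses.  Added illustration, not Oracle code; the precedence (NOT
binds tightest, then AND, then OR) and every sample condition below are assumptions."""
import ipaddress
import re

CORP_RANGES = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "192.168.10.0/24")]
# Constructed conditions, each a predicate over a request-context dict.
CONDITIONS = {
    "IsManager": lambda c: c["user"].get("title") == "Manager",                     # user attribute
    "InFinance": lambda c: "cn=finance,ou=groups" in c["user"].get("memberOf", []),  # LDAP attribute
    "StrongAuth": lambda c: int(c["session"].get("authn_level", 0)) >= 2,            # session attribute
    "CorpNet": lambda c: any(ipaddress.ip_address(c["client_ip"]) in n for n in CORP_RANGES),
}
TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_]\w*)")   # parentheses, keywords, condition names

def tokenize(expr: str) -> list:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m: raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1)); pos = m.end()
    return tokens

def evaluate(expr: str, ctx: dict) -> bool:
    """Recursive descent over the token list; both operands are always evaluated."""
    tokens = tokenize(expr)
    def parse_or():                      # or := and ("OR" and)*
        v = parse_and()
        while tokens and tokens[0] == "OR":
            tokens.pop(0); rhs = parse_and(); v = v or rhs
        return v
    def parse_and():                     # and := not ("AND" not)*
        v = parse_not()
        while tokens and tokens[0] == "AND":
            tokens.pop(0); rhs = parse_not(); v = v and rhs
        return v
    def parse_not():                     # not := "NOT" not | "(" or ")" | condition
        tok = tokens.pop(0) if tokens else None
        if tok == "NOT": return not parse_not()
        if tok == "(":
            v = parse_or()
            if (tokens.pop(0) if tokens else None) != ")": raise ValueError("expected ')'")
            return v
        if tok not in CONDITIONS: raise ValueError(f"unknown condition {tok!r}")
        return bool(CONDITIONS[tok](ctx))
    result = parse_or()
    if tokens: raise ValueError(f"unexpected trailing tokens: {tokens}")
    return result
```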






Access Manager 11gR2: Policy Model Enhancements, LDAP Query/Filter Condition





Access Manager 11gR2: Policy Model Enhancements, Complex Expressions






Access Manager 11gR2: Session Management

- Stateful sessions with detailed security context information that can be further propagated
- Tracks active user sessions using a high-performance distributed cache
- Admin can specify session lifetime and idle timeout globally
- Admin can limit the number of concurrent sessions a user can have at one time
- Out-of-band session termination: prevents unauthorized access to systems when a user has been terminated
- Can be done with or without persistent storage
- Provides automatic session failover
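An added in-memory model (not Oracle's code) of the session rules listed above, so the interaction of lifetime, idle timeout, the concurrent-session limit and out-of-band termination can be traced. The store layout, the eviction choice (oldest session first) and all timings are assumptions.

```python
"""In-memory model of the session rules listed above: global session lifetime and idle
timeout, a per-user concurrent-session limit, and out-of-band termination.  Added
illustration, not Oracle code; store layout and timings (seconds) are assumptions."""
from dataclasses import dataclass, field

@dataclass
class Session:
    session_id: str
    user: str
    created: float
    last_access: float
    context: dict = field(default_factory=dict)   # security context carried with the session

class SessionStore:
    def __init__(self, lifetime: float, idle_timeout: float, max_per_user: int):
        self.lifetime, self.idle_timeout, self.max_per_user = lifetime, idle_timeout, max_per_user
        self._sessions = {}   # stands in for the distributed session cache
        self._counter = 0

    def _expired(self, s: Session, now: float) -> bool:
        return now - s.created > self.lifetime or now - s.last_access > self.idle_timeout

    def active(self, now: float, user=None) -> list:
        """Live sessions (optionally one user's); expired entries are purged on the way."""
        for sid in [sid for sid, s in self._sessions.items() if self._expired(s, now)]:
            del self._sessions[sid]
        return [s for s in self._sessions.values() if user is None or s.user == user]

    def create(self, user: str, now: float, **context) -> Session:
        """Open a session; at the concurrent limit the user's oldest live session is evicted."""
        live = sorted(self.active(now, user), key=lambda s: s.created)
        while len(live) >= self.max_per_user:
            del self._sessions[live.pop(0).session_id]
        self._counter += 1
        s = Session(f"sess-{self._counter}", user, now, now, dict(context))
        self._sessions[s.session_id] = s
        return s

    def validate(self, session_id: str, now: float):
        # Return the session if within lifetime and idle timeout (refreshing last_access), else None.
        s = self._sessions.get(session_id)
        if s is None or self._expired(s, now):
            self._sessions.pop(session_id, None)
            return None
        s.last_access = now
        return s

    def terminate_user(self, user: str) -> int:
        """Out-of-band termination: drop every session of a user, e.g. one who has been deprovisioned."""
        ids = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in ids:
            del self._sessions[sid]
        return len(ids)
```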





Access Manager 11gR2: Windows Native Authentication

- SPNEGO-based credential validation for true Windows desktop to web single sign-on
- Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
- Does not need an IIS-based solution for WebGate
- WebGates and Oracle SSO protected applications need not run on the Windows platform
- Can be enabled for a subset of protected applications: internal vs. external websites





Access Manager 11gR2: Embedded Credential Collection

- OAM 11g collects credentials at the runtime server
- Login pages are presented by the OAM runtime servers
- OAM runtime servers can redirect to login pages located in a separate web server
- Regardless of where the login pages are, credentials are sent to the OAM runtime servers for collection
- Sample login pages are provided out-of-the-box




Access Manager 11gR2: Detached Credential Collector

- Extends the 11g WebGate with an option to enable credential collection capability (Authentication Gate)
- Back-channel communications use the OAP protocol whilst the front channel uses HTTPS
- Decouples credential collection from the server
- Provides flexibility to place the DCC anywhere in the DMZ
- More security: end-user HTTP sessions get terminated at the DMZ
- Reduces overhead on the server and improves performance




Access Manager 11gR2: Password Management

- Native password management for simple password management requirements
- In-band password capability: password warning; forced password reset (expired / reset)
- Password policy enforcement: password composition rules; password history; account lockout
- OAM-OIM password integration still supported






Access Manager 11gR2: Centralized Agent Management

- One administration console to manage all agents within the deployment
- Simultaneously manage and configure mod_osso, OAM 10g WebGates, OpenSSO agents and OAM 11g WebGates
- Operational status of each individual agent can be monitored: agent hostname, IP address, connected server, number of active connections, average operation latency, and more…





Access Manager 11gR2: 11g WebGate

- The 11g cookie is host scoped
- Cookie encryption for each 11g WebGate is unique to that WebGate
- Authorization caching: resource-to-authorization-policy mapping; authorization result
- Diagnostic page
- OUI installer that lays out a WebGate package depending on the platform used





Access Manager 11gR2: Utilities

- Remote Registration Tool
  - Application administrators can register agents without the help of the Security team
  - Policy objects can be automatically created to protect resources of a given application at registration time
- Access Tester Tool
  - Simulates resource requests to ensure policy evaluates correctly
  - Uncovers network issues that impact WebGates or mod_osso agents, due to the tool's remote nature




Access Manager 11gR2: Access Tester Tool





Access Manager 11gR2: Logging and Auditing

- Logging
  - Centralized log management via Enterprise Manager (EM)
  - Graphical tools for configuring and viewing logs (EM)
  - Multiple logging levels
- Auditing
  - Standardized auditing across FMW components
  - Common Audit Framework allows audit logs to be directed and persisted into an audit database
  - Reports generated via Oracle BI Publisher


Access Manager 11gR2: Internal Architecture (diagram)

OAM Server components: Protocol Compatibility Framework; Credential Collector; Session Management; SSO Engine; AuthN Service; AuthZ Service; Identity Provider; Token Processing; Partner & Trust; Configuration Service; Policy Service. Also shown: Coherence Distributed Cache; Oracle Platform Security Services.





Access Manager 11gR2: Installation and Configuration

- Installation process
  - OAM 11g installs using Oracle Universal Installer (OUI)
  - The installation process copies all the software bits to the host machine
  - OUI does not perform product configuration
- Configuration process requires 2 steps
  - Database schema configuration using Repository Creation Utility (RCU)
  - Product configuration and deployment using the WebLogic Configuration Wizard


Access Manager 11gR2: Deployment on WebLogic Cluster



Access Manager 11gR2: Multi-data-center Deployment

- Supports Active-Active, Active-Passive or Active-Hot Standby deployments
- Enables seamless user SSO across data centers with session continuity
- Follows a Master-Slave configuration for Access Manager deployment across data centers; policy and configuration are kept in sync via T2P processes
- Behavior is configurable based on the Session Adoption Policy:
  - Re-authentication Required: True/False
  - Remote Session Invalidation: True/False
  - On-Demand Session Data Retrieval: True/False
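An added Python model (not Oracle's code) of how the three Session Adoption Policy flags decide what a data center does with a cookie minted elsewhere, including the case where the issuing data center is down. The per-DC dict standing in for the Coherence cache, the peer lookup standing in for the back-channel OAP call, the cookie fields and the action names are assumptions.

```python
"""Session adoption across data centers, as described above.  Added illustration, not
Oracle code: the per-DC cache dict stands in for the Coherence cache, the peer lookup for
the back-channel OAP call, and the three policy flags are modelled as plain booleans."""
from dataclasses import dataclass

@dataclass
class AdoptionPolicy:
    reauth_required: bool
    remote_session_invalidation: bool
    on_demand_session_data_retrieval: bool

class DataCenter:
    def __init__(self, name: str, policy: AdoptionPolicy):
        self.name, self.policy = name, policy
        self.cache = {}      # session_id -> session data held by this data center
        self.peers = {}      # DC name -> DataCenter reachable over the back channel
        self.up = True       # False simulates "Data-Center is down or over-loaded"

    def login(self, session_id: str, user: str, **context) -> dict:
        """Authenticate locally and mint the OAM cookie, tagged with this DC (DC=<name>)."""
        self.cache[session_id] = {"user": user, "dc": self.name, **context}
        return {"session": session_id, "user": user, "dc": self.name}

    def handle(self, cookie: dict) -> str:
        """Return the action this DC takes for a presented cookie."""
        sid = cookie["session"]
        if cookie["dc"] == self.name:
            return "served" if sid in self.cache else "reauthenticate"
        # Cookie minted by another data center: apply the Session Adoption Policy.
        if self.policy.reauth_required:
            return "reauthenticate"
        peer = self.peers.get(cookie["dc"])
        reachable = peer is not None and peer.up
        if self.policy.on_demand_session_data_retrieval:
            remote = peer.cache.get(sid) if reachable else None   # back-channel OAP call
            if remote is None:
                return "reauthenticate"                             # nothing to adopt
            self.cache[sid] = {**remote, "dc": self.name}           # adopt full context
            action = "adopted_with_context"
        else:
            self.cache[sid] = {"user": cookie["user"], "dc": self.name}   # cookie data only
            action = "adopted_from_cookie"
        if self.policy.remote_session_invalidation and reachable:
            peer.cache.pop(sid, None)                               # back-channel invalidation
        return action
```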



Access Manager 11gR2: Multi-data-center Deployment, Active/Active (diagram)

A Global Load Balancer fronts the Access Manager cluster in Data-Center 1 (Master) and the Access Manager cluster in Data-Center 2 (Slave); the diagram labels an Active and a Stand-by element in each, and the two are synchronized using the T2P process. User 1 (Geo-location 1) carries an OAM cookie with DC=DC1; User 2 (Geo-location 2) carries an OAM cookie with DC=DC2.



Access Manager 11gR2: Multi-data-center Deployment, Active/Active (failover diagram)

Same topology, with Data-Center 1 down or over-loaded. User 1 (Geo-location 1), holding an OAM cookie with DC=DC1, is routed to Data-Center 2; the diagram labels the possible outcomes as "Retrieve Remote Session Data", "Invalidate Remote Session" (both via a back-channel OAP call) and "Re-authenticate User", after which the user holds an OAM cookie with DC=DC2. User 2 (Geo-location 2) continues with an OAM cookie with DC=DC2.






Access Manager 11gR2: Extensibility

- Authentication Extensibility Framework
  - Allows customized authentication modules to be plugged into the system
  - Includes Java SDK tooling for users to create customized modules
- Pure Java-based ASDK
  - Includes authentication services and authorization services
  - One platform-independent package
  - Includes APIs for the extended protocol-level op codes
  - Backward compatible with OAM 10g


Access Manager 11gR2: Key IDM Integrations

- OAM + OSTS (Identity Propagation)
  - SSO to web services
  - Issuance and validation of web service tokens
- OAM + Federation (Federated SSO)
  - Identity propagation from federated partners into the local environment
  - Simplify authentication flows


Access Manager 11gR2: Key IDM Integrations

- OAM + OAAM (Authentication)
  - Reinforce password authentication
  - Risk-based authentication
- OAM + OAAM + OIM (End-to-End)
  - Secure self-service flows
  - Increase security and usability
  - Consistent user experience



Access Manager 11gR2: New Platform and Integration Support

- New platform support: Solaris x64, AIX 7.1, and Oracle Linux 6.x / RHEL 6.x
- 3rd-party integrations
  - Microsoft SharePoint 2010
  - RSA Authentication Manager 7.1
  - JBoss 5.1.0
  - Microsoft Outlook Web Application (OWA) 2010 (Post R2)
  - Microsoft Forefront TMG 2010 (Post R2)
  - SAP Portal 7.0 (Post R2)
  - IBM WebSphere Portal 7.0 (Post R2)

