
Access Manager 11gR2 (11.1.2.0.0) Technical Presentation

Access Manager 11gR2 (11.1.2.0.0) Technical Presentation. Venu Shastri, Senior Principal Product Manager, Identity Management, Oracle. Agenda: Overview; Key Features; Architecture & Deployment; Extensibility & Integrations; Q & A.


Presentation Transcript


  1. Access Manager 11gR2 (11.1.2.0.0) Technical Presentation – Venu Shastri, Senior Principal Product Manager, Identity Management, Oracle

  2. Agenda • Overview • Key Features • Architecture & Deployment • Extensibility & Integrations • Q & A


  4. Access Management Platform – 11gR2: Complete & Scalable

  5. Access Manager 11gR2 – Objectives
  • Provide a scalable foundation for the Access Management Platform
  • Converge OAM 10g, OSSO, and OpenSSO
  • Provide new and advanced functionality to customers
  • Tighten integrations

  6. Access Manager 11gR2 – Key Features
  • Simplified Web Single Sign-On (SSO)
  • Authentication and Authorization
  • Centralized Policy Administration
  • Advanced Session Management
  • Centralized Agent Management
  • Native Password Management
  • Windows Native Authentication
  • Comprehensive Auditing and Logging

  7. Access Manager 11gR2 – Benefits
  • Centralized policy management and auditing reduce cost and improve compliance.
  • Support for access management in a complex, heterogeneous environment reduces total cost of ownership and accelerates deployment.
  • A flexible and powerful policy model allows organizations to meet complex access management needs.
  • A scalable deployment model supports the most demanding, internet-scale deployments.
  • An extensible architecture enables easy customization to meet organization-specific requirements.

  8. Access Manager 11gR2 – Deployment Overview

  9. Agenda • Overview • Key Features • Architecture & Deployment • Extensibility & Integrations • Q & A

  10. Access Manager 11gR2 – Policy Model
  • Enhanced security
    • Closed world – access is denied to resources unless a policy specifically allows access
  • Resource simplification
    • No URL prefixes – resources are defined as complete URL patterns (“*” and “…”) associated with a host identifier and used to determine the sole policy applicable to a request
  • Responses
    • Powerful expression-based responses
    • Ability to return user, request, and session information

  11. Access Manager 11gR2 – Policy Model (diagram). Entities shown: Identity Store, Authentication Modules, Authentication Schemes, Host Identifiers, Resource Types, Application Domains, Resources, Authentication Policies and Authorization Policies. Legend: one-to-many, many-to-many and containment relationships, and external dependencies.

  12. Access Manager 11gR2 – Policy Model Enhancements
  • Multiple IP ranges
  • Wildcard enhancements
  • Resource operation / custom types
  • Authorization expressions
    • AND, OR, NOT
    • ( and ) – precedence indicators
  • User Attribute Condition
    • LDAP filter / search
    • Enables creation of more complex and flexible authorization constraints that deal only with LDAP attributes
  • Session Attribute Condition

  13. Access Manager 11gR2 – Policy Model Enhancements – LDAP Query/Filter Condition

  14. Access Manager 11gR2 – Policy Model Enhancements – Complex Expressions
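The policy model on slides 10 to 14 (closed-world deny-by-default, complete URL patterns with “*” and “…” tied to a host identifier, a single applicable policy per request, and authorization expressions built from AND / OR / NOT with parentheses over IP-range, user-attribute and session-attribute conditions) is easier to reason about with a small evaluator in hand. The following is an added example, not Oracle code from the presentation or the product: the exact wildcard semantics, the tie-break when two patterns match, and the condition helpers (`ip_in_ranges`, `attr_equals`, the `FINANCE_DOMAIN` sample) are assumptions made for illustration.

```python
# Toy evaluator for the OAM 11gR2-style policy model described on slides 10-14.
# Added example, not Oracle code: the wildcard semantics, the tie-break between
# overlapping patterns and the condition helpers are assumptions for illustration.
import ipaddress
import re
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Condition = Callable[[dict], bool]  # ctx = {"user": {...}, "session": {...}, "client_ip": "..."}

def pattern_to_regex(pattern: str):
    """Assumed wildcard semantics: '...' spans anything including '/', '*' stays
    within one path segment, '?' is a single character other than '/'."""
    parts = [{"...": ".*", "*": "[^/]*", "?": "[^/]"}.get(t, re.escape(t))
             for t in re.split(r"(\.\.\.|\*|\?)", pattern)]
    return re.compile("^" + "".join(parts) + "$")

def evaluate(expr: str, conds: Dict[str, Condition], ctx: dict) -> bool:
    """AND / OR / NOT with ( ) as precedence indicators; NOT binds tightest, then
    AND, then OR.  Both operands are always parsed, so a malformed right-hand
    side raises ValueError instead of being silently skipped."""
    toks = deque(re.findall(r"\(|\)|[A-Za-z_]\w*", expr))

    def parse_or() -> bool:
        val = parse_and()
        while toks and toks[0] == "OR":
            toks.popleft()
            rhs = parse_and()
            val = val or rhs
        return val

    def parse_and() -> bool:
        val = parse_not()
        while toks and toks[0] == "AND":
            toks.popleft()
            rhs = parse_not()
            val = val and rhs
        return val

    def parse_not() -> bool:
        tok = toks.popleft() if toks else None
        if tok == "NOT":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if not toks or toks.popleft() != ")":
                raise ValueError("missing ')'")
            return val
        if tok not in conds:  # end of input, an operator, or an unknown condition name
            raise ValueError(f"unexpected token {tok!r}")
        return bool(conds[tok](ctx))

    val = parse_or()
    if toks:
        raise ValueError(f"trailing token {toks[0]!r}")
    return val

def ip_in_ranges(ranges: List[str]) -> Condition:
    """Multiple-IP-range condition: true when the client address is in any range."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return lambda ctx: any(ipaddress.ip_address(ctx["client_ip"]) in n for n in nets)

def attr_equals(scope: str, name: str, value: str) -> Condition:
    """User- or session-attribute condition (a stand-in for the LDAP filter condition)."""
    return lambda ctx: ctx[scope].get(name) == value

@dataclass
class AuthzPolicy:
    name: str
    resources: List[str]  # complete URL patterns under one host identifier
    expression: str
    conditions: Dict[str, Condition]

def find_policy(policies: List[AuthzPolicy], path: str) -> Optional[AuthzPolicy]:
    """Sole applicable policy; assumed tie-break: the pattern with the most literal characters wins."""
    matches = [(len(re.sub(r"\.\.\.|\*|\?", "", pat)), pol) for pol in policies
               for pat in pol.resources if pattern_to_regex(pat).match(path)]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def is_authorized(domain: Dict[str, List[AuthzPolicy]], host_id: str, path: str, ctx: dict) -> bool:
    """Closed world: unknown host, no matching policy, a false or a malformed expression all deny."""
    pol = find_policy(domain.get(host_id, []), path)
    try:
        return pol is not None and evaluate(pol.expression, pol.conditions, ctx)
    except ValueError:
        return False

FINANCE_DOMAIN = {  # constructed sample application domain keyed by host identifier
    "finance-app": [
        AuthzPolicy("Reports", ["/reports/..."],
                    "(FinanceDept OR Manager) AND InternalIP AND StrongAuth",
                    {"FinanceDept": attr_equals("user", "department", "Finance"),
                     "Manager": attr_equals("user", "title", "Manager"),
                     "InternalIP": ip_in_ranges(["10.0.0.0/8", "192.168.0.0/16"]),
                     "StrongAuth": attr_equals("session", "authn_level", "2")}),
        AuthzPolicy("Public", ["/public/*"], "Anyone", {"Anyone": lambda ctx: True}),
    ]
}
```

Two points worth checking against a real deployment: a request for which no pattern matches, or whose expression fails to parse, must fall through to deny rather than to "no opinion", which is what closed-world means in practice; and the parser deliberately consumes both sides of every AND/OR so that a truncated expression is rejected instead of being short-circuited into a grant.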

  15. Access Manager 11gR2 – Session Management
  • Stateful sessions with detailed security context information that can be further propagated
  • Tracks active user sessions using a high-performance distributed cache
  • Admin can specify Session Lifetime and Idle Timeout globally
  • Admin can limit the number of concurrent sessions a user can have at one time
  • Out-of-band session termination
    • Prevents unauthorized access to systems when a user has been terminated
  • Can be done with or without persistent storage
  • Provides automatic session failover

  16. Access Manager 11gR2 – Session Management
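The session controls on slide 15 (a global session lifetime, a global idle timeout, a per-user cap on concurrent sessions, and out-of-band termination when a user is deprovisioned) interact in ways that are easy to get wrong, for instance refreshing the idle timer on a session whose absolute lifetime has already elapsed. The following is an added example, not Oracle code: a single in-process dictionary stands in for the distributed cache, the `FakeClock` exists only so expiry can be shown without sleeping, and the rule that the oldest session is evicted when the concurrent limit is reached is an assumption.

```python
# Toy session store for the controls listed on slide 15: global lifetime and idle
# timeout, a per-user concurrent-session cap, and out-of-band termination.
# Added example, not Oracle code; the in-process dict stands in for the
# distributed cache and "evict the oldest session" is an assumed policy.
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

class FakeClock:
    """Injectable clock so expiry can be demonstrated without sleeping."""
    def __init__(self, start: float = 0.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

@dataclass
class Session:
    user: str
    created: float
    last_access: float
    context: dict = field(default_factory=dict)  # e.g. authentication level, client IP

class SessionManager:
    def __init__(self, lifetime_s: int, idle_timeout_s: int, max_per_user: int, clock=time.monotonic):
        self.lifetime, self.idle, self.max_per_user, self.clock = lifetime_s, idle_timeout_s, max_per_user, clock
        self.sessions: Dict[str, Session] = {}  # stands in for the distributed cache

    def _expired(self, s: Session, now: float) -> bool:
        # Absolute lifetime is checked independently of activity, so a busy
        # session still ends when the lifetime elapses.
        return now - s.created > self.lifetime or now - s.last_access > self.idle

    def _reap(self, now: float) -> None:
        for sid in [sid for sid, s in self.sessions.items() if self._expired(s, now)]:
            del self.sessions[sid]

    def create(self, user: str, **context) -> str:
        """Open a session; if the user is already at the concurrent-session limit,
        the oldest live session is evicted first (assumed policy)."""
        now = self.clock()
        self._reap(now)
        mine = sorted((s.created, sid) for sid, s in self.sessions.items() if s.user == user)
        while len(mine) >= self.max_per_user:
            _, oldest = mine.pop(0)
            del self.sessions[oldest]
        sid = secrets.token_urlsafe(32)  # 256-bit unguessable session identifier
        self.sessions[sid] = Session(user, now, now, dict(context))
        return sid

    def validate(self, sid: str) -> Optional[Session]:
        """Per-request check: returns the live session (refreshing the idle timer) or None."""
        now = self.clock()
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self._expired(s, now):
            del self.sessions[sid]
            return None
        s.last_access = now
        return s

    def terminate_user(self, user: str) -> int:
        """Out-of-band termination, e.g. when the user is deprovisioned: every
        session of that user ends now regardless of its timers."""
        doomed = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def active_count(self, user: str) -> int:
        now = self.clock()
        return sum(1 for s in self.sessions.values() if s.user == user and not self._expired(s, now))
```

The detail to carry over to a real deployment is that termination is a server-side operation on the session store: the user's browser still holds its cookie, but the next request finds no session behind it, which is what makes the out-of-band path effective for a terminated employee.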

  17. Access Manager 11gR2 – Windows Native Authentication
  • SPNEGO-based credential validation for true Windows desktop-to-web single sign-on
  • Allows single sign-on for WebGate- and Oracle SSO-protected applications simultaneously
  • Does not need an IIS-based solution for WebGate
  • WebGates and Oracle SSO-protected applications need not run on the Windows platform
  • Can be enabled for a subset of protected applications
    • Internal vs. external websites

  18. Access Manager 11gR2 – Embedded Credential Collection
  • OAM 11g collects credentials at the runtime server
  • Login pages are presented by the OAM runtime servers
  • OAM runtime servers can redirect to login pages located in a separate web server
  • Regardless of where the login pages are, credentials are sent to the OAM runtime servers for collection
  • Sample login pages are provided out of the box

  19. Access Manager 11gR2 – Detached Credential Collector
  • Extends the 11g WebGate with an option to enable credential collection (Authentication Gate)
  • Back-channel communications use the OAP protocol, whilst the front channel uses HTTPS
  • Decouples credential collection from the server
  • Provides flexibility to place the DCC anywhere in the DMZ
  • More security: end-user HTTP sessions get terminated at the DMZ
  • Reduces overhead on the server and improves performance

  20. Access Manager 11gR2 – Detached Credential Collector

  21. Access Manager 11gR2 – Password Management
  • Native password management for simple password management requirements
  • In-band password capability
    • Password warning
    • Forced password reset (expired / reset)
  • Password policy enforcement
    • Password composition rules
    • Password history
    • Account lockout
  • OAM – OIM password integration still supported

  22. Access Manager 11gR2 – Password Management
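Slide 21 lists the native password-management features as bullet points; the following is an added example, not Oracle code, showing how those features (composition rules, password history, account lockout, an expiry warning, and a forced reset on expiry or administrator reset) fit together in one small service. The thresholds in `PasswordPolicy`, the PBKDF2 choice for hashing, and the status strings returned by `authenticate` are assumptions for illustration.

```python
# Toy password service for the native password-management features on slide 21:
# composition rules, password history, account lockout, forced reset on
# expiry/admin reset, and an expiry warning.  Added example, not Oracle code;
# the thresholds, hashing choice and status strings are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Tuple

DAY = 86_400

@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_char_classes: int = 3   # out of lower, upper, digit, other
    history_depth: int = 5      # recent passwords (including the current one) that may not be reused
    max_failures: int = 5
    lockout_seconds: int = 900
    max_age_days: int = 90
    warn_days: int = 7

@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest last
    failures: int = 0
    locked_until: float = 0.0
    changed_at: float = 0.0
    must_reset: bool = False    # set when an administrator resets the password

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def composition_errors(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Composition rules: length, character classes, and no username inside the password."""
    classes = sum(any(f(c) for c in password)
                  for f in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if classes < policy.min_char_classes:
        errors.append(f"fewer than {policy.min_char_classes} character classes")
    if username.lower() in password.lower():
        errors.append("contains the username")
    return errors

class PasswordService:
    def __init__(self, policy: PasswordPolicy, clock=time.time):
        self.policy, self.clock = policy, clock

    def set_password(self, acct: Account, new_password: str) -> List[str]:
        """Enforce composition and history; returns the violations (empty list on success)."""
        errors = composition_errors(new_password, acct.username, self.policy)
        if any(hmac.compare_digest(_hash(new_password, salt), digest)
               for salt, digest in acct.history[-self.policy.history_depth:]):
            errors.append(f"reuses one of the last {self.policy.history_depth} passwords")
        if errors:
            return errors
        salt = secrets.token_bytes(16)
        acct.history = (acct.history + [(salt, _hash(new_password, salt))])[-self.policy.history_depth:]
        acct.changed_at, acct.failures, acct.must_reset = self.clock(), 0, False
        return []

    def authenticate(self, acct: Account, password: str) -> str:
        """Returns LOCKED, BAD, RESET_REQUIRED, WARN:<days left> or OK."""
        now = self.clock()
        if now < acct.locked_until:
            return "LOCKED"            # no credential check at all while locked
        if not acct.history:
            return "BAD"
        salt, digest = acct.history[-1]
        if not hmac.compare_digest(_hash(password, salt), digest):
            acct.failures += 1
            if acct.failures >= self.policy.max_failures:
                acct.locked_until = now + self.policy.lockout_seconds
                acct.failures = 0
                return "LOCKED"
            return "BAD"
        acct.failures = 0
        age_days = (now - acct.changed_at) / DAY
        if acct.must_reset or age_days >= self.policy.max_age_days:
            return "RESET_REQUIRED"    # in-band forced reset (expired / admin reset)
        days_left = self.policy.max_age_days - age_days
        if days_left <= self.policy.warn_days:
            return f"WARN:{int(days_left)}"   # in-band password warning
        return "OK"
```

Note that the lockout check comes before any hashing: once an account is locked, even the correct password is refused until the lockout window passes, which is what stops an online guessing attack from being confirmed by a later success.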

  23. Access Manager 11gR2 – Centralized Agent Management
  • One administration console to manage all agents within the deployment
  • Simultaneously manage and configure mod_osso, OAM 10g WebGates, OpenSSO agents and OAM 11g WebGates
  • Operational status of each individual agent can be monitored
    • Agent hostname, IP address, connected server, number of active connections, average operation latency, and more…

  24. Access Manager 11gR2 – Centralized Agent Management

  25. Access Manager 11gR2 – 11g WebGate
  • 11g cookie is host-scoped
  • The cookie encryption key for each 11g WebGate is unique to that WebGate
  • Authorization caching
    • Resource to authorization policy
    • Authorization result
  • Diagnostic page
  • OUI installer that lays out a WebGate package depending on the platform used

  26. Access Manager 11gR2 – Utilities
  • Remote Registration Tool
    • Application administrators can register agents without the help of the security team
    • Policy objects can be automatically created to protect resources of a given application at registration time
  • Access Tester Tool
    • Simulates resource requests to ensure policy evaluates correctly
    • Uncovers network issues that impact WebGates or mod_osso agents, due to the tool’s remote nature

  27. Access Manager 11gR2 – Access Tester Tool

  28. Access Manager 11gR2 – Logging and Auditing
  • Logging
    • Centralized log management via Enterprise Manager (EM)
    • Graphical tools for configuring and viewing logs (EM)
    • Multiple logging levels
  • Auditing
    • Standardized auditing across FMW components
    • Common Audit Framework allows audit logs to be directed and persisted into an audit database
    • Reports generated via Oracle BI Publisher

  29. Agenda • Overview • Key Features • Architecture & Deployment • Extensibility & Integrations • Q & A

  30. Access Manager 11gR2 – Internal Architecture (diagram). OAM Server components shown: Protocol Compatibility Framework; Credential Collector; SSO Engine; AuthN Service; AuthZ Service; Session Management; Identity Provider; Token Processing; Partner & Trust; Policy Service; Configuration Service; Coherence Distributed Cache; Oracle Platform Security Services.

  31. Access Manager 11gR2 – Installation and Configuration
  • Installation process
    • OAM 11g installs using Oracle Universal Installer (OUI)
    • The installation process copies all the software bits to the host machine
    • OUI does not perform product configuration
  • Configuration process requires two steps
    • Database schema configuration using the Repository Creation Utility (RCU)
    • Product configuration and deployment using the WebLogic Configuration Wizard

  32. Access Manager 11gR2 – Deployment on WebLogic Cluster

  33. Access Manager 11gR2 – Multi-data-center Deployment
  • Supports Active-Active, Active-Passive or Active-Hot Standby deployments
  • Enables seamless user SSO across data centers with session continuity
  • Follows a master-slave configuration for the Access Manager deployment across data centers; policy and configuration are kept in sync via T2P (test-to-production) processes
  • Behavior is configurable based on the Session Adoption Policy
    • Re-authentication Required – True/False
    • Remote Session Invalidation – True/False
    • On-Demand Session Data Retrieval – True/False

  34. Access Manager 11gR2 – Multi-data-center Deployment – Active/Active (diagram). User 1 (geo-location 1) holds an OAM cookie with DC=DC1 and is routed by the global load balancer to the Access Manager cluster in Data-Center 1 (Master); User 2 (geo-location 2) holds an OAM cookie with DC=DC2 and is routed to the cluster in Data-Center 2 (Slave). Each cluster has active and stand-by nodes; the two are synchronized using the T2P process.

  35. Access Manager 11gR2 – Multi-data-center Deployment – Active/Active (diagram). Data-Center 1 is down or overloaded, so the global load balancer sends User 1 (OAM cookie DC=DC1) to the Access Manager cluster in Data-Center 2 (Slave). Depending on the session adoption policy, DC2 re-authenticates the user, retrieves the remote session data from Data-Center 1 (Master) over a back-channel OAP call, and/or invalidates the remote session; User 1’s OAM cookie is then rewritten from DC=DC1 to DC=DC2.

  36. Agenda • Overview • Key Features • Architecture & Deployment • Extensibility & Integrations • Q & A

  37. Access Manager 11gR2 – Extensibility
  • Authentication Extensibility Framework
    • Allows customized authentication modules to be plugged into the system
    • Includes Java SDK tooling for users to create customized modules
  • Pure Java-based ASDK
    • Includes authentication services and authorization services
    • One platform-independent package
    • Includes APIs for the extended protocol-level op codes
    • Backward compatible with OAM 10g

  38. Access Manager 11gR2 – Key IDM Integrations
  • Identity Propagation (OAM + OSTS)
    • SSO to web services
    • Issuance and validation of web service tokens
  • Federated SSO (OAM + Federation)
    • Identity propagation from federated partners into the local environment
    • Simplified authentication flows

  39. Access Manager 11gR2 – Key IDM Integrations
  • Authentication (OAM + OAAM)
    • Reinforce password authentication
    • Risk-based authentication
  • End-to-End (OAM + OAAM + OIM)
    • Secure self-service flows
    • Increased security and usability
    • Consistent user experience

  40. Access Manager 11gR2 – New Platform and Integration Support
  • New platform support
    • Solaris x64, AIX 7.1, and Oracle Linux 6.x / RHEL 6.x
  • Third-party integrations
    • Microsoft SharePoint 2010
    • RSA Authentication Manager 7.1
    • JBoss 5.1.0
    • Microsoft Outlook Web Application (OWA) 2010 – post R2
    • Microsoft Forefront TMG 2010 – post R2
    • SAP Portal 7.0 – post R2
    • IBM WebSphere Portal 7.0 – post R2

  41. Q & A
