html5-img
1 / 41

Modernized and Complete Access

Modernized and Complete Access. Forest Yin Senior Director, Product Management, Oracle Identity Management.

espen
Télécharger la présentation

Modernized and Complete Access

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modernized and Complete Access Forest YinSenior Director, Product Management, Oracle Identity Management

  2. This document is for informational purposes.  It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.  The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle.  This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle.  This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle.   This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

  3. Graphic Section Divider

  4. IdM Market Trends

  5. Agenda • Introducing Complete Access • Complete Access Services

  6. Market Trend: New Mobile and Cloud Opportunities • Securing access to systems from mobile phones and tablets • Securing access and managing risk/compliance across enterprise and cloud applications • Identifying web site visitors via consumer social identities • Proliferation of APIs

  7. Market Trend: Avoiding System Fragmentation & Reducing Cost • Shunning the current complex customizations • Seeking to accelerate deployment and simplify maintenance • Avoiding multi-vendor gaps, performance issues, integration challenges, upgrade cycle timing • Reducing high TCO

  8. Oracle Access Management 11gR2Reference Architecture • Complete • Modernized • Simplified • Innovative • Scalable

  9. Access Management 11gR2Complete • Identify, authenticate, federate and authorize • Real time authorization and data redaction based on contextual authentication techniques to reduce fraud • Multi-user type, multi-platform, multi-channel and multi-device security • Secure & Manage API’s • Lower TCO due to common policy store for all access events • Support Oracle, 3rd party and custom applications Access Web Single Sign-on Federation Mobile, Social & Cloud External Authorization API Security Integrated ESSO Token Services Fraud Detection

  10. Access Management 11gR2Simplified • Converged Services • Authentication and SSO (OAM) • Federated SSO (OIF) • Mobile & Social • Security Token Service • Common Infrastructure • Session management • Identity Context • Policy Store • Lifecycle Management • Install & Configuration

  11. Access Management 11gR2Innovative • Mobile Security • Social Identity • REST Services • End-to-end Identity Context

  12. Access Management 11gR2 Context and Risk Aware • Real-time context collection, propagation for risk analysis, authentication and authorization Enterprise / Work Social / Life Mobile / Presence ApplicationTier DeviceTier DMZ & Web Tier ServiceTier API Gateway OES Authorization Web Services Context Smartphone WEB SSO Application Identity Federation EJBs Portal Tablet Risk / Adaptive Authentication SOA Databases Laptop 1. Collect Attributes Service Bus Directories Server OES Authorization OES Authorization 2. Publish, Propagate & Evaluate attributes across Oracle’s Fusion Middleware stack

  13. Scalable AccessEconomies of Scale & Faster Performance Adaptive Access Manager Access Manager 250M Users 3K Auth/Second Two Servers at 5250 TPS

  14. Agenda • Introducing Complete Access • Complete Access Services

  15. Authentication and Web SSOOracle Access Manager Web App / Corporate Portal Identity / Policy Stores and Audit logs OAM Servers – Runtime (PDP) & Admin (PAP) Microsoft SharePoint 3 2 5 HR/CRM 6 4 1

  16. Authentication and Web SSOOracle Access Manager • Simplified Web Single Sign On (SSO) • Authentication and Authorization • Centralized Policy Administration • Advanced Session Management • Native Password Management • Windows Integrated Authentication • Extensibility with REST APIs • Multi-data-center HA • Comprehensive Auditing and Logging • Upgrade path for OAM 10g, OpenSSO and OSSO

  17. Authentication and Web SSO Heterogeneity • Supported Web Servers • Apache, IIS, OHS, IHS, Lotus Domino, iPlanet….. • 3rd party integrations • Microsoft SharePoint 2010 • RSA Authentication Manager 7.1 • JBoss 5.1.0 • Microsoft Outlook Web Application (OWA) 2010 • Microsoft Forefront TMG 2010 • SAP Portal 7.0 • IBM WebSphere Portal 7.0

  18. Authetication and Web SSOOAM 10g, SAM 7.1 and OpenSSO Migration Strategy • Migration Utilities • Scripts and tools to support migration of policies and configuration data to OAM 11g • Can be run on “Assessment mode” to generate report and analyze. • OAM 10g migration supports Complete and Incremental modes. • OpenSSO and SAM 7.1 migration supports Complete, Delta and Incremental modes. • Agent Compatibility Layer • Provides agent compatibility with • OpenSSO Policy Agents (version 2.2 and 3.0) • OAM 10g WebGates • Allows customers to upgrade server while maintaining client layer as-is till they are ready. • Server side Co-existence • Enables SSO between an existing environment and a new OAM 11gR2 environment • Interim solution for customers that need to complete migration over time.

  19. Identity Federation – Identity Provider B2B Partner Resource Service Provider Oracle Identity Federation - Identity Provider and Service Provider Oracle Access Management Protected Resources

  20. Identity Federation – Identity Provider SaaS Partner Resource Service Provider Oracle Identity Federation - Identity Provider and Service Provider Oracle Access Management Protected Resources

  21. Identity Federation Session Attributes support SAML attributes in response headers SAML attributes in authorization policy Attribute mapping • Converged services • Admin, server and data • Protocol Support • SAML 2.0, SAML 1.1, OpenID2.0 and WSFed • IdP/SP – initiated SSO, Logout 11gR2 Service Provider Identity Provider Filter attributes Establish Identity Map Attributes Link Identities Pass Identity Attributes to Apps Maintain session Assert Identity

  22. Fine-grained Authorization Database / PIP Identity Store Access Manager Oracle Entitlement Server ✔ Public Microsoft SharePoint ✔ Private Editor SecLev1 Oracle Entitlements Server ✔ Private ✔ SecLev2 Private Job Title=xxx Security Lev=1 Function=Editor ✖ Private SecLev1 Manager

  23. Oracle Entitlement Server OES Policy Store Fine Grained Authorization SOA Identity Management Enterprise Performance Management Fusion Applications PDP *$#%^*!@ *$#%^*!@ OracleEntitlementsServer ContentManagement PEP VerticalApplications ..Card No: 124 ..Card No: 124 Enterprise Gateway Mobile & Social Adaptive Access eSSSO Oracle RDBMS WebCenterPortal Identity Manager BusinessIntelligence WebLogicCoherence • Coarse Grained / URL levelauthorization through OES • Provides Authentication, Federation, and IdentityContext for Fine Grained Authz • OES fine grained authorization for services & svc operations • Data redaction in response payload through OES • Identity Context propagation (also done through OWSM) • OES authorization for Delegated Administration and Self Requests • Policies authored throughthe OES Console • Provides Device, Firewall, Anti-Virus Context for Fine Grained Authz • Provides Device andLocation Context for Fine Grained Authorization • Provides Risk and Authentication Context for Fine Grained Authz • Common Policy Store

  24. Oracle Entitlement Server Embedded in Fusion Middleware Fine-grained Authorization In WebCenter Portal In WebCenter Spaces In ADF & JDeveloper Entitlements Server Identity Manager Access Manager Web Services Mgr SOA Identity Management Enterprise Performance Management Fusion Applications Single Sign-On Fine Grained Authorization Identity & Enterprise Role Mgmt OracleEntitlementsServer ContentManagement VerticalApplications In Fusion Applications & GBU’s In Oracle SOA Oracle RDBMS WebCenterPortal BusinessIntelligence WebLogicCoherence Service Bus WebLogic Web Service OES Policy Store OID ID Store Service ServiceProxy - sayHello - sayHello WebLogic Fusion Applications For Oracle Service Bus ADF, SOA, BI, WebCenter, etc OPSS Web Service Client OSB Virtualized Service Oracle RDBMS Web Service Cloud Apps Databases SOA & Web Svcs Mobile Web Service Security

  25. Stronger Authentication and Identity VerificationOracle Adaptive Access Manager John Smith Password Lexis Nexis Instant Authenticate Location Profile Transaction Risk Protected Resources Device Tracking OAAM Challenge users based on multiple public and private data sources Oracle Validated Integration – fully tested and vetted solution Challenge processor = no custom development required

  26. Risk-Aware Authentication and AuthorizationOracle Adaptive Access Manager Loan application: Name: Jane Doe Email: funycat87@gmail.com Phone: 865-478-2611 SSN: *** ** **** Drivers lic: ********* Address: 123 Fake Street Santa Pueblo CA 953284 John Smith Oracle Access Management Suite AuthZ Policy: Mask SSN and drivers license if login risk score was more than 500 Risk Evaluation Policy: Access from a new device = 300 Anomalous time of day = 300 TOTAL RISK = 600 Identity Context: John Smith login risk score= 600 Dynamically adjust authorization based on risk to prevent fraud and misuse

  27. Risk Profiling and Auto-LearningOracle Adaptive Access Manager Has he accesses between 00:00 – 03:00 in the last two months? Behavioral Patterns Has he used this device more than 20% in the last three months? Tuesday April 10th 2:15 am PDT Have orders with this card shipped to this country less than 5% in the last month? Order Transaction: 42” TV $1375 CC# 84908657392 Exp 05/2015 Calle 55 # 497-A, Merida, YUC, Mexico Has he made an order between $1000-$1500 in the last 6 months?

  28. Mobile Security and Social IdentityMobile and Social Single Sign-on APISecurity Authz OAuthOpenID Step-up Auth

  29. Mobile Security and Social IdentitySocial Sign-on Select Login Authorize

  30. Mobile Security and Social IdentityMobile Authentication

  31. API SecurityOracle API Gateway • ExtendAccess Management to REST API’s • Context Aware • Authentication • Authorization • Fraud Detection • Security Tokens • Data Redaction • Audit SecureREST API’s Client Throttling Access Management { “JSON” } < XML > ThreatProtection API Management & Monitoring API Control & Governance API Key Management OAUTH 2.0 Client & Server Native JSON & XMLProcessing Transformation

  32. API Security Oracle API Gateway 1gR2 Improved REST support with native JSON OAUTH 2.0 Client & Server Oracle Business Transaction Monitor New Unified Admin Console Parameterized Policies 11gR2 Certification Oracle Mobile & SocialAccess Management API Key Management

  33. Complete API & Web Services Security First Line Of Defense Shared Services Layer End PointSecurity HTTP, SOAP, REST, XML,JMS OWSM Agent HTTP, SOAP, REST, XML, JMS WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos Sign & Encrypt WS-Security, Basic Auth, Digest, X509, UNT, SAML, Kerberos Sign & Encrypt OWSM Agent Service Bus Oracle API Gateway OWSM Agent OES PDP Extranet Counter External Threat Intranet Counter Internal Threats DMZ Common Policy Model

  34. Enterprise Single Sign On (eSSO) ESSO Admin Console ESSO Password Reset Directory Repository Provisioning System ESSO Provisioning Gateway ESSO-LM Agent Client PC • Only one password to remember • For web and non-web applications • Strong authentication out of the box • More secure and quick compliance

  35. Enterprise SSO • eSSO and OAM integration • Shared session • True SSO to any apps • Delegated account access • Without sharing passwords

  36. Oracle Access Management 11gR2 Access • Complete • Modernized • Simplified • Innovative • Scalable Web Single Sign-on Federation Mobile, Social & Cloud External Authorization SOA Security Integrated ESSO Token Services Fraud Detection

  37. www.oracle.com/Identity www.facebook.com/OracleIDM www.twitter.com/OracleIDM blogs.oracle.com/OracleIDM

More Related