Sunday, 27 June 2021

What are OAM, OIM and OID?

A quick introduction to Oracle Access Manager (OAM), Oracle Identity Manager (OIM) and Oracle Internet Directory (OID).


Oracle Access Manager (OAM)

Oracle Access Manager is a J2EE application, typically deployed on a dedicated managed server in a clustered WebLogic Server (application server) environment.

An enterprise typically has many applications for different purposes. Each application typically has its own authentication and authorization functionality.

OAM provides a single point of control for all resource grants in an enterprise where multiple applications exist on different platforms.



OAM provides:

Single Sign On (SSO)

Authentication

Authorization

Real time session management

Auditing

Policy Administration

Flaws in the conventional security model

Individual authentication/authorization for each independent application in the enterprise: .NET, J2EE, SAP, WebCenter, etc. Every application has its *own* authentication and authorization mechanism, which affects:

Effective Security

Cost

Inconsistency

Security compliance

Ease for users (Single Sign On)

Governance, Support and Management

One of the web servers hosts the OAM agent (the WebGate). Requests for the other web servers are routed to this agent through a reverse proxy, so an OAM agent is not needed on every web server.

The request reaches the OAM agent, which redirects it to OAM; OAM challenges the user for a username and password. Once the credentials are supplied, OAM authenticates the user against the LDAP directory (AD or OID). Once the user is authenticated, the WebGate opens the gate to the corresponding underlying web server.
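The redirect, authenticate and authorize sequence just described, modelled in Python as an added example: this is not OAM code and not Oracle's protocol or API; the directory entries, the policy table and the token format are constructed stand-ins that show how one central session serves several protected resources.

```python
"""Simplified model of the OAM WebGate flow: agent -> OAM -> directory.

Constructed example; it models the redirect/authenticate/authorize
sequence, not OAM's real wire protocol or Oracle's APIs.
"""
import hashlib
import hmac
import secrets

# Stand-in for the LDAP directory (OID or AD): uid -> (password hash, roles).
_SALT = b"constructed-salt"  # a real directory stores a per-user salt


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


DIRECTORY = {
    "alice": (_hash("Wonderland!1", _SALT), {"employee", "timesheet_user"}),
    "bob": (_hash("Builder#2", _SALT), {"employee"}),
}
# Policy administered centrally in OAM: protected resource -> roles allowed.
POLICY = {"/timesheet": {"timesheet_user"}, "/leave": {"employee"}}
SERVER_KEY = secrets.token_bytes(32)  # OAM's session-signing key


def authenticate(uid, password):
    """OAM checks the challenged user/pwd against the directory.
    Returns a signed SSO session token, or None on failure."""
    entry = DIRECTORY.get(uid)
    if entry is None or not hmac.compare_digest(entry[0], _hash(password, _SALT)):
        return None
    sig = hmac.new(SERVER_KEY, uid.encode(), "sha256").hexdigest()
    return f"{uid}.{sig}"


def session_user(token):
    """Validate the SSO cookie; returns the uid, or None if absent or forged."""
    try:
        uid, sig = token.split(".", 1)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, uid.encode(), "sha256").hexdigest()
    return uid if hmac.compare_digest(sig, expected) else None


def webgate(resource, cookie=None):
    """WebGate in front of a web server. Returns (status, detail):
    302 -> redirect to OAM login, 403 -> authenticated but not authorized,
    200 -> request forwarded to the underlying web server."""
    uid = session_user(cookie)
    if uid is None:
        return 302, f"/oam/login?resource={resource}"
    roles = DIRECTORY.get(uid, (None, set()))[1]
    if not roles & POLICY.get(resource, set()):
        return 403, f"{uid} lacks a role for {resource}"
    return 200, f"forward {resource} to backend as {uid}"
```

The same token is accepted by the WebGate for every resource the user's roles cover, which is the single sign-on the post describes; a tampered token falls back to the login redirect rather than an error that leaks whether the user exists.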



Oracle Identity Manager (OIM)

OIM does life-cycle management of an identity (generally a user, e.g. an employee).

The OIM server is a J2EE application. User provisioning is done in OIM, which integrates it with all the other applications.

Let's take the example of an employee joining an organization. He or she needs access to various applications in the organization. HR typically creates the employee in the HRMS on the joining date. The manager then raises requests to create user IDs for this new employee in email, the timesheet app, CRM, the leave management app, etc. With OIM this provisioning can be done automatically or manually from a single point.

OIM provides unified access control for all the applications in the enterprise. Once the employee quits, the manager need only log onto OIM and delete (soft or hard) the employee from the various applications. OIM integrates with other applications using SOA Suite with the respective JCA adapters.



Oracle Internet Directory (OID)

This is a directory of objects. For example, in the case of employees in an organization, this directory holds employee details such as name, designation, enterprise roles, application-specific roles, and security credentials like the password and password reminder questions. It is typically the single source of truth for information about employees in an organization.

Various applications access OID to authenticate and authorize users.

Typically, OID is integrated with OAM. OID is Oracle's LDAP implementation; Active Directory (AD) is Microsoft's implementation of the same kind of solution. OID generally uses an Oracle database to store all the information described above.
