R2 Access Manager 11gR2 (11.1.2.0.0) Technical Presentation Venu

42 slides, 1.69 MB

R2 Access Manager 11gR2 (11.1.2.0.0) Technical Presentation
Venu Shastri, Senior Principal Product Manager, Identity Management, Oracle

Agenda
- Overview
- Key Features
- Architecture & Deployment
- Extensibility & Integrations
- Q&A
Copyright 2012, Oracle and/or its affiliates. All rights reserved. Oracle Confidential – Do Not Distribute

Section: Overview

Access Management Platform – 11gR2: Complete & Scalable (figure slide)

Access Manager 11gR2 Objectives
- Provide a scalable foundation for the Access Management Platform
- Converge OAM 10g, OSSO, and OpenSSO
- Provide new and advanced functionality to customers
- Tighten integrations

Access Manager 11gR2 Key Features
- Simplified web single sign-on (SSO)
- Authentication and authorization
- Centralized policy administration
- Advanced session management
- Centralized agent management
- Native password management
- Windows Native Authentication
- Comprehensive auditing and logging

Access Manager 11gR2 Benefits
- Centralized policy management and auditing reduces cost and improves compliance.
- Support for access management in a complex, heterogeneous environment reduces total cost of ownership and accelerates deployment.
- A flexible and powerful policy model allows organizations to meet complex access management needs.
- A scalable deployment model supports the most demanding, internet-scale deployments.
- An extensible architecture enables easy customization to meet organization-specific requirements.

Access Manager 11gR2 Deployment Overview (figure slide)

Section: Key Features

Access Manager 11gR2 Policy Model
- Enhanced security: closed world – access to a resource is denied unless a policy specifically allows it
- Resource simplification: no URL prefixes – resources are defined as complete URL patterns (wildcards “*” and “ ”) associated with a host identifier, and are used to determine the sole policy applicable to a request
- Responses: powerful expression-based responses, with the ability to return user, request, and session information

Access Manager 11gR2 Policy Model (figure slide)
Entities shown: Access Manager, Authentication Schemes, Application Domains, Resource Types, Host Identifiers, Authentication Modules, Policies (Authentication Policies, Authorization Policies), Resources, Identity Store.
Legend: relationship one-to-many; relationship many-to-many; external dependencies; relationship containment.

Access Manager 11gR2 Policy Model Enhancements
- Multiple IP ranges
- Wildcard enhancements
- Resource operation / custom types
- Authorization expressions: AND, OR, NOT, with “(” and “)” as precedence indicators
- User attribute condition: LDAP filter / search – enables the creation of more complex and flexible authorization constraints that deal only with LDAP attributes
- Session attribute condition
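The two policy-model slides above describe three mechanics: closed-world evaluation (no matching policy means deny), resources defined as host identifier plus complete URL pattern with the most specific pattern selecting the sole applicable policy, and authorization rules written as AND/OR/NOT expressions with parentheses over user and session attribute conditions. The following is an added example, written for this page and not Oracle's code, that models all three in a few dozen lines. The policy store, condition names, user attributes and the "longest literal wins" tie-break are constructed for illustration; OAM's own resource-matching rules are not reproduced here.

```python
"""Closed-world access decision modelled on the OAM 11gR2 policy model.

Constructed example, not Oracle code: resources are (host identifier, URL
pattern) pairs, the single most specific matching pattern selects the policy,
and the policy's authorization rule is an expression over named conditions
combined with AND, OR, NOT and parentheses. With no matching policy the
answer is DENY (closed world)."""
import fnmatch
import re

# Constructed policy store: (host_id, url_pattern) -> authorization expression.
POLICIES = {
    ("intranet", "/hr/*"):       "IsEmployee AND NOT Contractor",
    ("intranet", "/hr/admin/*"): "IsEmployee AND (HRAdmin OR SuperUser)",
    ("intranet", "/public/*"):   "TRUE",
}

# Named conditions over user attributes (as a directory would return them) and
# session attributes. A real LDAP-filter condition is answered by the directory;
# here group membership is modelled as a memberOf lookup.
CONDITIONS = {
    "TRUE":       lambda user, session: True,
    "IsEmployee": lambda user, session: user.get("employeeType") == "employee",
    "Contractor": lambda user, session: user.get("employeeType") == "contractor",
    "HRAdmin":    lambda user, session: "cn=hr-admins" in user.get("memberOf", ()),
    "SuperUser":  lambda user, session: "cn=superusers" in user.get("memberOf", ()),
    "StrongAuth": lambda user, session: session.get("authn_level", 0) >= 2,
}


def evaluate(expr, user, session):
    """Evaluate an authorization expression; NOT binds tightest, then AND, then OR."""
    tokens = re.findall(r"[A-Za-z_]\w*|[()]", expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unexpected characters in {expr!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of {expr!r}")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "OR":
            take()
            rhs = parse_and()          # always evaluated so syntax errors surface
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "AND":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = take()
        if tok == "NOT":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return value
        if tok not in CONDITIONS:
            raise ValueError(f"unknown condition {tok!r}")
        return bool(CONDITIONS[tok](user, session))

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def decide(host_id, url, user, session):
    """Return "ALLOW" or "DENY" for a request against the closed-world policy store."""
    matches = [(pattern, expr) for (host, pattern), expr in POLICIES.items()
               if host == host_id and fnmatch.fnmatchcase(url, pattern)]
    if not matches:
        return "DENY"      # closed world: no policy means no access
    # The sole applicable policy is the most specific match (longest literal part).
    pattern, expr = max(matches, key=lambda m: len(m[0].replace("*", "")))
    return "ALLOW" if evaluate(expr, user, session) else "DENY"
```

A malformed expression raises rather than silently evaluating to false, so a typo in a rule shows up at policy-authoring time instead of as an unexplained deny in production; an unknown host identifier or an unprotected URL falls through to DENY, which is the closed-world behaviour the slide describes.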

Access Manager 11gR2 Policy Model Enhancements – LDAP Query/Filter Condition (figure slide)

Access Manager 11gR2 Policy Model Enhancements – Complex Expressions (figure slide)

Access Manager 11gR2 Session Management
- Stateful sessions with detailed security context information that can be further propagated
- Tracks active user sessions using a high-performance distributed cache
- Admin can specify session lifetime and idle timeout globally
- Admin can limit the number of concurrent sessions a user can have at one time
- Out-of-band session termination: prevents unauthorized access to systems when a user has been terminated
- Can be done with or without persistent storage
- Provides automatic session failover
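The session controls listed above (global lifetime and idle timeout, a per-user concurrent-session limit, and out-of-band termination by an administrator) are easy to get subtly wrong, so here is an added example of the bookkeeping, written for this page rather than taken from Oracle's implementation. It is a single-process, in-memory store rather than a distributed cache, the eviction policy at the concurrency limit (drop the oldest session) is an assumption, and the injectable clock exists only so that timeouts can be exercised without sleeping.

```python
"""Constructed in-memory session store illustrating: global session lifetime,
idle timeout, a per-user concurrent-session limit, and out-of-band termination
by an administrator. Not Oracle code; single-process rather than distributed."""
import secrets
import time


class FakeClock:
    """Injectable clock so that timeouts can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class SessionStore:
    def __init__(self, lifetime_s, idle_timeout_s, max_per_user, clock=time.time):
        self.lifetime_s = lifetime_s          # hard cap on session age
        self.idle_timeout_s = idle_timeout_s  # cap on time since last request
        self.max_per_user = max_per_user      # concurrent-session limit
        self._clock = clock
        self._sessions = {}                   # session id -> record

    def _live(self, record, now):
        return (now - record["created"] <= self.lifetime_s
                and now - record["last_seen"] <= self.idle_timeout_s)

    def _purge(self, now):
        """Drop sessions that exceeded the lifetime or the idle timeout."""
        for sid in [s for s, r in self._sessions.items() if not self._live(r, now)]:
            del self._sessions[sid]

    def create(self, user, attrs=None):
        """Start a session. At the concurrency limit the oldest live session is
        evicted (assumed policy; refusing the new login is the other option)."""
        now = self._clock()
        self._purge(now)
        own = [s for s, r in self._sessions.items() if r["user"] == user]
        if len(own) >= self.max_per_user:
            oldest = min(own, key=lambda s: self._sessions[s]["created"])
            del self._sessions[oldest]
        sid = secrets.token_urlsafe(32)       # unguessable session identifier
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now,
                               "attrs": dict(attrs or {})}
        return sid

    def validate(self, sid):
        """Return the security context of a live session (refreshing its idle
        timer), or None when it is unknown, expired or terminated."""
        now = self._clock()
        record = self._sessions.get(sid)
        if record is None:
            return None
        if not self._live(record, now):
            del self._sessions[sid]
            return None
        record["last_seen"] = now
        return {"user": record["user"], "attrs": dict(record["attrs"])}

    def active_count(self, user):
        self._purge(self._clock())
        return sum(1 for r in self._sessions.values() if r["user"] == user)

    def terminate_user(self, user):
        """Out-of-band termination: an administrator ends every session of a
        user (for example on off-boarding) without waiting for a logout."""
        victims = [s for s, r in self._sessions.items() if r["user"] == user]
        for sid in victims:
            del self._sessions[sid]
        return len(victims)
```

Note that the lifetime check uses the creation time and the idle check uses the last-seen time; refreshing only the latter is what keeps the lifetime a hard cap regardless of activity.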

Access Manager 11gR2 Session Management (figure slide)

Access Manager 11gR2 Windows Native Authentication
- SPNEGO-based credential validation for true Windows desktop to web single sign-on
- Allows single sign-on for WebGate- and Oracle SSO-protected applications simultaneously
- Does not need an IIS-based solution for WebGate
- WebGate- and Oracle SSO-protected applications need not run on the Windows platform
- Can be enabled for a subset of protected applications (internal vs. external websites)

Access Manager 11gR2 Embedded Credential Collection
- OAM 11g collects credentials at the runtime server
- Login pages are presented by the OAM runtime servers
- OAM runtime servers can redirect to login pages located in a separate web server
- Regardless of where the login pages are, credentials are sent to the OAM runtime servers for collection
- Sample login pages are provided out-of-the-box

Access Manager 11gR2 Detached Credential Collector
- Extends the 11g WebGate with an option to enable the credential collection capability (Authentication Gate)
- Back-channel communications use the OAP protocol, while the front channel uses HTTPS
- Decouples credential collection from the server
- Provides flexibility to place the DCC anywhere in the DMZ
- More security: end-user HTTP sessions get terminated at the DMZ
- Reduces overhead on the server; improves performance

Access Manager 11gR2 Detached Credential Collector (figure slide)

Access Manager 11gR2 Password Management
- Native password management for simple password management requirements
- In-band password capability: password warning; forced password reset (expired / reset)
- Password policy enforcement: password composition rules; password history; account lockout
- OAM – OIM password integration still supported
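The slide names the native password controls (composition rules, history, account lockout, an expiry warning and a forced reset once expired) without showing how they interact. The following is an added example, written for this page and not Oracle's code, that enforces all of them in one place. The thresholds (12 characters, 3 character classes, 5 remembered passwords, 5 failures, 15-minute lockout, 90-day maximum age with a 7-day warning) are constructed defaults, the hashing uses PBKDF2 from the standard library, and the injectable clock only serves to exercise the time-based rules.

```python
"""Constructed password-policy enforcer: composition rules, password history,
account lockout after repeated failures, and expiry with an advance warning
that turns into a forced reset. Not Oracle code; the directory and the OIM
integration are out of scope."""
import hashlib
import hmac
import os
import re
import time


class FakeClock:
    """Injectable clock so lockout and expiry can be tested without sleeping."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


def _hash(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class PasswordPolicy:
    def __init__(self, min_length=12, min_classes=3, history_size=5,
                 max_failures=5, lockout_s=900, max_age_s=90 * 86400,
                 warn_before_s=7 * 86400, clock=time.time):
        self.min_length, self.min_classes = min_length, min_classes
        self.history_size, self.max_failures = history_size, max_failures
        self.lockout_s, self.max_age_s = lockout_s, max_age_s
        self.warn_before_s, self._clock = warn_before_s, clock
        self._accounts = {}   # user -> current hash, history, timestamps, counters

    def composition_errors(self, user, password):
        """Composition rules: minimum length, character classes, no user name."""
        errors = []
        if len(password) < self.min_length:
            errors.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
        if classes < self.min_classes:
            errors.append(f"fewer than {self.min_classes} character classes")
        if user.lower() in password.lower():
            errors.append("contains the user name")
        return errors

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def set_password(self, user, password):
        """Apply composition and history rules, then store a fresh salted hash."""
        errors = self.composition_errors(user, password)
        if errors:
            raise ValueError("; ".join(errors))
        acct = self._accounts.setdefault(user, {"current": None, "history": [],
                                               "changed": 0.0, "failures": 0,
                                               "locked_until": 0.0})
        previous = ([acct["current"]] if acct["current"] else []) + acct["history"]
        if any(self._matches(password, e) for e in previous):
            raise ValueError("password was used recently")
        if acct["current"]:   # history keeps the last history_size hashes overall
            acct["history"] = [acct["current"]] + acct["history"][: self.history_size - 1]
        salt = os.urandom(16)
        acct["current"] = (salt, _hash(password, salt))
        acct["changed"] = self._clock()
        acct["failures"] = 0

    def authenticate(self, user, password):
        """Return "locked", "invalid", "expired" (forced reset), "warning" or "ok"."""
        now = self._clock()
        acct = self._accounts.get(user)
        if acct is None:
            _hash(password, b"\0" * 16)   # same work for unknown users
            return "invalid"
        if now < acct["locked_until"]:
            return "locked"
        if not self._matches(password, acct["current"]):
            acct["failures"] += 1
            if acct["failures"] >= self.max_failures:
                acct["locked_until"] = now + self.lockout_s
                acct["failures"] = 0
                return "locked"
            return "invalid"
        acct["failures"] = 0
        age = now - acct["changed"]
        if age > self.max_age_s:
            return "expired"
        if age > self.max_age_s - self.warn_before_s:
            return "warning"
        return "ok"
```

The lockout check comes before the hash comparison so that a locked account does not leak whether the supplied password was right, and the failure counter is reset only on a successful login or a password change.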

Access Manager 11gR2 Password Management (figure slide)

Access Manager 11gR2 Centralized Agent Management
- One administration console to manage all agents within the deployment
- Simultaneously manage and configure mod_osso, OAM 10g WebGates, OpenSSO agents and OAM 11g WebGates
- Operational status of each individual agent can be monitored: agent hostname, IP address, connected server, number of active connections, average operation latency, and more

Access Manager 11gR2 Centralized Agent Management (figure slide)

Access Manager 11gR2 11g WebGate
- The 11g cookie is host scoped
- Cookie encryption for each 11g WebGate is unique to that WebGate
- Authorization caching: resource-to-authorization-policy mapping and authorization results
- Diagnostic page
- OUI installer that lays out a WebGate package depending on the platform used

Access Manager 11gR2 Utilities
- Remote Registration Tool: application administrators can register agents without the help of the security team; policy objects can be automatically created to protect the resources of a given application at registration time
- Access Tester Tool: simulates resource requests to ensure policy evaluates correctly; uncovers network issues that impact WebGates or mod_osso agents, thanks to the tool’s remote nature

Access Manager 11gR2 Access Tester Tool (figure slide)

Access Manager 11gR2 Logging and Auditing
- Logging: centralized log management via Enterprise Manager (EM); graphical tools for configuring and viewing logs (EM); multiple logging levels
- Auditing: standardized auditing across FMW components; the Common Audit Framework allows audit logs to be directed and persisted into an audit database; reports generated via Oracle BI Publisher

Section: Architecture & Deployment

Access Manager 11gR2 Internal Architecture (figure slide)
Components shown: Protocol Compatibility Framework, Credential Collector, Session Management, SSO Engine, AuthN Service, OAM Server, Identity Provider, Token Processing, AuthZ Service, Partner & Trust, Policy Service, Configuration Service, Coherence Distributed Cache, Oracle Platform Security Services.

Access Manager 11gR2 Installation and Configuration
- Installation process: OAM 11g installs using Oracle Universal Installer (OUI); the installation process copies all the software bits to the host machine; OUI does not perform product configuration
- Configuration process requires two steps: database schema configuration using the Repository Creation Utility (RCU); product configuration and deployment using the WebLogic Configuration Wizard

Access Manager 11gR2 Deployment on WebLogic Cluster (figure slide)

Access Manager 11gR2 Multi-data-center Deployment
- Supports Active-Active, Active-Passive or Active-Hot Standby deployments
- Enables seamless user SSO across data centers with session continuity
- Follows a master-slave configuration for the Access Manager deployment across data centers; policy and configuration are kept in sync via T2P processes
- Behavior is configurable based on the Session Adoption Policy: Re-authentication Required – true/false; Remote Session Invalidation – true/false; On-Demand Session Data Retrieval – true/false

Access Manager 11gR2 Multi-data-center Deployment – Active/Active (figure slide)
Shown: User 1 (Geo-location 1) and User 2 (Geo-location 2), each holding an OAM cookie (DC1 / DC2), routed by a Global Load Balancer to the Access Manager cluster in Data-Center 1 (Master) or Data-Center 2 (Slave); each cluster has active and stand-by nodes; the two data centers are synchronized using the T2P process.

Access Manager 11gR2 Multi-data-center Deployment – Active/Active, failover (figure slide)
Shown: Data-Center 1 is down or over-loaded, so the Global Load Balancer routes User 1 to the Access Manager cluster in Data-Center 2 (Slave); the possible actions shown are re-authenticate user, retrieve remote session data over a back-channel OAP call, and invalidate remote session in Data-Center 1 (Master).

Section: Extensibility & Integrations

Access Manager 11gR2 Extensibility
- Authentication Extensibility Framework: allows customized authentication modules to be plugged into the system; includes Java SDK tooling for users to create customized modules
- Pure Java-based ASDK: includes authentication services and authorization services; one platform-independent package; includes APIs for the extended protocol-level op codes; backward compatible with OAM 10g

Access Manager 11gR2 Key IDM Integrations (figure slide)
- OAM + OSTS – Identity Propagation: SSO to web services; issuance and validation of web service tokens
- OAM + Federation – Federated SSO: identity propagation from federated partners into the local environment; simplify authentication flows

Access Manager 11gR2 Key IDM Integrations (figure slide)
Integrations shown: OAM + OAAM (Authentication) and OAM + OIM (End-to-End).
Points listed: reinforce password authentication; risk-based authentication; secure self-service flows; increase security and usability; consistent user experience.

Access Manager 11gR2 New Platform and Integration Support
- New platform support: Solaris x64, AIX 7.1, and Oracle Linux 6.x / RHEL 6.x
- 3rd-party integrations: Microsoft SharePoint 2010; RSA Authentication Manager 7.1; JBoss 5.1.0; Microsoft Outlook Web Application (OWA) 2010 – post R2; Microsoft Forefront TMG 2010 – post R2; SAP Portal 7.0 – post R2; IBM WebSphere Portal 7.0 – post R2

Q&A

