Oracle Identity Management (OIM) Tech Day

Kerry Osborne
Senior Oracle Guy
Caveats

- The opinions expressed are mine …
- I’m an old guy
- I am biased towards Oracle technology
- I have not drunk too much of the Kool-Aid
Why Identity Management?

My Totally Unscientific Survey

- ~40 companies
- ~90% public
- ~40% over $1B
- ~95% are interested in Identity Management
Why Identity Management?

- Users are frustrated
- SOX is scary
- Need to reduce costs
- It’s complicated
Why Oracle Identity Management?

[Diagram: Oracle Identity Management, built on OID, built on the Oracle Database]
Oracle Internet Directory (OID)

- LDAP v3 compliant directory server
- Built on Oracle Database
- Scalable
- Performant
- Highly available
Speaking of eggs

Is it better to have all your eggs in one basket, or not?
Squirrel and Fort Knox

Squirrel’s Approach

- He puts nuts in lots of places.
- They are totally insecure. Therefore, he needs lots of holes.
- He has lots of nuts. Therefore, he doesn’t care if he loses some.

Fort Knox Approach

- Put all the gold bullion in one place and lock it down.
- Can’t afford to lose any.
- Not enough manpower to guard many locations.
Back to the Future

Traditional Database Systems

- Usually authenticated by the database
- Yielded lots of silos
- Usually not directly associated with a person
Two Common Security Models

Every user has his own database account

- Full access to base tables must be granted
- Access to ad-hoc tools must be limited
- Can make use of advanced Oracle features

OR

Users log on to a proxy account

- Better approach generally (see caveat 1.0)
- Not necessary for the user to know the actual account
- Easier to convert to centralized authentication
Case Study #1

Document Management / Workflow Application

Problem:

- Build a document management system capable of handling millions of documents, from paper to a searchable XML database.
- The application should support multiple groupings of users with multiple responsibilities.
- Provide a very flexible routing/approval infrastructure.
Case Study #1

Architecture:

- Oracle Database using Oracle Text
- Java application to access the final database
- Oracle Forms
- Oracle Workflow
Case Study #1

Solution:

- Use the proxy security model, whereby all users log on to a common database account.
- Use OID for authentication
- Create a table of users
- Synchronize the application users table with OID via triggers
- No need for a password field in the users table
- Create a view of the users table for Workflow
Case Study #1

[Diagram: OID/SSO authentication for the Forms App; a database trigger maintains the App_users table (Username, Email); Workflow reads Workflow_users (Username, Email) through Workflow_users_view]
Case Study #2

Consolidation of Security Models / Authentication

Problem:

Numerous custom Oracle based applications, all with their own security components, make compliance with government regulations difficult.

Architecture:

- Numerous applications all accessing Oracle.
- Each application uses the individual database account security model.
- The applications use database roles for security.
- The client uses Oracle’s Internal Controls Management product.
- The client plans to implement Oracle Financials.
Case Study #2

Solution:

Convert custom applications to “Bolt On” applications in Oracle Financials.

Provides:

- a common security model
- auditing capability
- a common user interface
- out of the box integration with OID/SSO
Case Study #2

[Diagram: OID/SSO in front of the Financials Apps (GL, AP) and the bolt-on apps XX1 and XX2; Apps Users such as GL_User1, AP_User1, XX1_User1, XX1_User2, …; Responsibilities such as AP Clerk, AP Super User, XX1 Clerk, XX1 Super User, …; each bolt-on app (XX1, XX2) has its own Users, Roles and Menus]
Case Study #3

Active Directory Sync / .Net Application

Problem:

- The users wish to have centralized authentication.
- This will provide users with access to the application, whether they are defined in AD, OID or the application.

Architecture:

- .Net application
- The application uses the Proxy Security Model with an internal table of application users.
Case Study #3

Solution:

- Use OID as the central repository
- Synchronize OID with AD and the internal users table
- AD sync accomplished with DIP (Directory Integration Platform) on a timed basis
- Database users table sync is bi-directional
  - To OID via database triggers
  - From OID with a timed job using a function based view (LDAP search)
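The "From OID" direction above, as an added illustration (not code from the presentation or from Enkitec): a pipelined PL/SQL function that performs the LDAP search with DBMS_LDAP, the Ldap$users view over it, and the statement a timed job would run to pull new directory users into App_users. The host name, bind DN, search base, object class and the function name ldap_users are assumptions; only Ldap$users and App_users come from the slides.

```sql
CREATE OR REPLACE TYPE ldap_user_t AS OBJECT (username VARCHAR2(256), email VARCHAR2(256));
/
CREATE OR REPLACE TYPE ldap_user_tab AS TABLE OF ldap_user_t;
/
CREATE OR REPLACE FUNCTION ldap_users RETURN ldap_user_tab PIPELINED IS
  l_session DBMS_LDAP.session;
  l_rc      PLS_INTEGER;
  l_result  DBMS_LDAP.message;
  l_entry   DBMS_LDAP.message;
  l_attrs   DBMS_LDAP.string_collection;
  l_uid     DBMS_LDAP.string_collection;
  l_mail    DBMS_LDAP.string_collection;
BEGIN
  DBMS_LDAP.use_exception := TRUE;           -- fail loudly instead of returning codes
  -- Assumed host; production should use LDAPS (DBMS_LDAP.open_ssl) rather than port 389.
  l_session := DBMS_LDAP.init(hostname => 'oid.example.com', portnum => 389);
  -- Bind as a dedicated read-only sync account; the password must come from a
  -- wallet or other secret store, never a literal in the source (placeholder here).
  l_rc := DBMS_LDAP.simple_bind_s(l_session,
            'cn=appsync,cn=users,dc=example,dc=com', '<sync-account-password>');
  l_attrs(1) := 'uid';                       -- request only the attributes the table needs
  l_attrs(2) := 'mail';
  l_rc := DBMS_LDAP.search_s(l_session, 'cn=users,dc=example,dc=com',
            DBMS_LDAP.SCOPE_SUBTREE, '(objectclass=inetOrgPerson)',
            l_attrs, 0, l_result);
  l_entry := DBMS_LDAP.first_entry(l_session, l_result);
  WHILE l_entry IS NOT NULL LOOP
    l_uid  := DBMS_LDAP.get_values(l_session, l_entry, 'uid');
    l_mail := DBMS_LDAP.get_values(l_session, l_entry, 'mail');
    IF l_uid.COUNT > 0 THEN                  -- skip entries without a login name
      PIPE ROW (ldap_user_t(l_uid(l_uid.FIRST),
                CASE WHEN l_mail.COUNT > 0 THEN l_mail(l_mail.FIRST) END));
    END IF;
    l_entry := DBMS_LDAP.next_entry(l_session, l_entry);
  END LOOP;
  l_rc := DBMS_LDAP.unbind_s(l_session);
  RETURN;
EXCEPTION
  WHEN OTHERS THEN
    l_rc := DBMS_LDAP.unbind_s(l_session);   -- do not leak the directory session
    RAISE;
END;
/
CREATE OR REPLACE VIEW ldap$users AS SELECT username, email FROM TABLE(ldap_users());

-- Body of the timed job: add directory users missing from App_users. The table
-- carries no password column; OID remains the only authenticator.
MERGE INTO app_users a
USING ldap$users l ON (a.username = l.username)
WHEN NOT MATCHED THEN INSERT (username, email) VALUES (l.username, l.email);
```

Deprovisioning is deliberately left out of the MERGE: users that disappear from OID should be disabled or removed by a separate step that follows the application's own policy, so a transient LDAP outage cannot wipe the table.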
Case Study #3

[Diagram: .net application on IIS, authenticated through the Oracle SSO plug-in against OID/SSO; AD synchronized with OID; the Oracle Database App_users table synced to OID via trigger and refreshed from OID by a timed event through Ldap$users]
Questions?

www.enkitec.com