5 Integrating with Other Identity Management Solutions

5.1 Reasons for Identity Management Integration

While the Oracle Identity Management infrastructure is an essential component in most Oracle deployments, it is also designed to permit integration with other identity management solutions. Integration of Oracle products around a common infrastructure provides a single point of integration with other enterprise identity management solutions, including:

• Directory services

• User authentication services

• User provisioning applications

• Third-party PKI solutions

Identity management integration allows Oracle users to use existing enterprise infrastructure components in the Oracle environment, which can provide the following benefits:

• Unified user provisioning: User provisioning refers to the process by which new users are added and deleted from the various enterprise systems. New user provisioning can be driven by a number of different sources, such as human resource (HR) systems, customer relationship management (CRM) systems, and network administration environments. When a new user is created in one system, automated user provisioning creates the required user account footprints in other enterprise applications. An account footprint is the set of application resources required by a user account.

• Centralized user administration: Once a user account is created, it must be maintained and administered. Centralized user administration ensures that all application-related information associated with a user, such as passwords, roles, and application preferences, are administered in one place.

• Runtime security service integration: Organizations want applications in the enterprise environment to be capable of using a common set of security services for authentication and data privacy.

Delivering these benefits requires tools and strategies for integrating Oracle Identity Management and third-party directory, security, and user administration environments.

5.2 Identity Management Integration Tools and Strategies

Oracle Identity Management provides a number of tools for integrating with other identity management environments, including various services and APIs, preconfigured directory connectivity solutions, and standards support, which are briefly described in this section. For additional information on their use, see the appropriate component documentation.

Oracle Directory Integration and Provisioning

Oracle Directory Integration and Provisioning consists of a set of services and interfaces built into Oracle Internet Directory that facilitate the development of synchronization and provisioning solutions between Oracle Internet Directory and other repositories, such as third-party directories (SunONE Directory and Microsoft Active Directory, for example), application user repositories (as might be stored in a flat file, for example), or database tables containing HR information.

Oracle Directory Integration and Provisioning includes a documented API and incorporates available industry standards where they exist, making it possible for Oracle, customers, and third parties to develop and deploy customized synchronization and provisioning solutions. It also facilitates interoperability between Oracle Internet Directory and third-party metadirectory and provisioning solutions.

Oracle Internet Directory Plug-In Architecture

Oracle Internet Directory supports a PL/SQL-based plug-in framework that enables you to include custom routines (Oracle, customer-written, or third-party) that can execute before, during, or after a directory operation. For example, this framework can be used to:

• Validate data before the directory server performs an operation on it

• Perform specified actions after the server performs an operation

• Define custom password policies

• Authenticate users through external credential stores such as NOS directories

Preconfigured Directory Connectivity Solutions

Oracle Internet Directory includes preconfigured connectivity solutions built on Oracle Directory Integration and Provisioning and the Oracle Internet Directory plug-in architecture, which make it possible to automatically provision users in the Oracle Identity Management space from other systems, and to administer users in the Oracle Identity Management space from those environments. Preconfigured connectivity solutions include:

• Oracle E-Business Suite

• Oracle Database tables

• SunONE and iPlanet

• Microsoft Active Directory

OracleAS Single Sign-On Partner APIs

OracleAS Single Sign-On supports a third-party authentication API that allows Oracle Application Server Single Sign-On to obtain user identities from a trusted, third-party authentication mechanism. This feature can be used to allow application users to access Web applications across the two environments, having to log in only once.

Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider Developer APIs

Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider allows user-written Java applications running in the Oracle J2EE environment to use OracleAS Single Sign-On and Oracle Internet Directory for authentication and identity services.

LDAP Standard Support

Oracle Internet Directory supports the LDAPv3 standard in accordance with the IETF RFC 2251.

Authentication Standard Support

OracleAS Single Sign-On supports user authentication using Kerberos tickets issued by a Kerberos key distribution center, which allows users who have been issued a valid Kerberos ticket (in, for example, the Windows environment) to log in to their Web applications without having to provide a username and password.

X.509v3 Certificate Standard Support

Oracle Identity Management issues and uses X.509v3 standard PKI certificates for strong authentication services. Customers with existing X.509v3 certificate authorities can use these certificates in the Oracle environment.