Oracle® Identity Management Concepts and Deployment Planning Guide
10g Release 2 (10.1.2) B14084-02
This chapter introduces identity management, describes components of an identity management system, and provides an overview and objectives of Oracle Identity Management.
Identity management is the process by which user identities are defined and managed in an enterprise environment. Specifically, identity management describes the process by which:
User identities are provisioned and coordinated.
Application provisioning is automated.
User roles, privileges, and credentials are managed.
Administrators delegate responsibility.
Administrators deploy applications easily and securely.
Users self-manage their preferences and passwords.
Users have single sign-on access.
Steps in the security lifecycle include account creation, suspension, privilege modification, and account deletion.
An identity management system can include users outside an enterprise, such as customers, trading partners, or Web services, as well as users inside an organization. In addition, an identity management system can manage network entities other than users, such as devices, processes, and applications.
By using an identity management system, an enterprise can:
Reduce administration costs through centralized account management and automated tasks
Accelerate application deployment by enabling new applications to use the existing infrastructure to provision user accounts and privileges
Reduce the time it takes to give new users access to applications
Improve security and usability by centrally managing user passwords and security credentials
A complete identity management system includes the following components:
A scalable, secure, and standards-compliant directory service for storing and managing user information.
A provisioning framework that can either be linked to the enterprise provisioning system, such as a human resources application, or operated in standalone mode.
A directory integration platform that enables the enterprise to connect the identity management directory to legacy or application-specific directories.
A system to create and manage public key infrastructure (PKI) certificates.
A runtime model for user authentication.
A delegated administration model and application that enables the administrator of the identity management system to selectively delegate access rights to an administrator of an individual application or directly to a user.
Figure 1-1 shows an overview of an identity management system.
Oracle Identity Management is an integrated infrastructure that provides distributed security to Oracle products. Oracle Identity Management is included with Oracle Application Server, as well as Oracle Database and Oracle Collaboration Suite.
The Oracle Identity Management infrastructure includes the following components:
Oracle Internet Directory: A scalable, robust LDAP V3-compliant directory service implemented on the Oracle Database
Oracle Directory Integration and Provisioning Platform: A component of Oracle Internet Directory that consists of two parts:
Directory Provisioning Integration Service, which notifies target applications of changes to a user's status or information
Directory Integration, which enables:
Synchronization of data between Oracle Internet Directory and other connected directories
Development and deployment of custom connectivity agents
Oracle Application Server Certificate Authority: A component that issues, revokes, renews, and publishes X.509v3 certificates to support PKI-based strong authentication methods
Oracle Application Server Single Sign-On (OracleAS Single Sign-On): A component that provides single sign-on access to Oracle and third-party Web applications
Oracle Delegated Administration Services: A component of Oracle Internet Directory that provides trusted proxy-based administration of directory information by users and application administrators
Many different applications, including third-party applications, Oracle E-Business Suite, Oracle Application Server, Oracle Database and Oracle Collaboration Suite, can use the Oracle Identity Management infrastructure, as shown in Figure 1-2.
While Oracle Identity Management provides an enterprise infrastructure for Oracle products, it can also be a general-purpose identity management solution for custom and third-party enterprise applications.
In addition, third-party application vendors certify with Oracle Identity Management infrastructure to ensure proper operation.
Oracle Identity Management is designed to meet three key architectural objectives:
Oracle Identity Management is a shared infrastructure for all Oracle products and technology stacks, including Oracle Application Server, Oracle Database, Oracle E-Business Suite, and Oracle Collaboration Suite.
Oracle Identity Management provides a consistent security model among all Oracle products and technology stacks. Oracle Identity Management infrastructure is planned for and deployed once, to support any current or future deployment of Oracle products.
Oracle Identity Management provides a secure, efficient, and reliable way to use and extend your investment in an existing third-party identity management infrastructure.
Within a third-party identity management environment, Oracle Identity Management provides a single consistent point of integration for the entire Oracle technology stack, eliminating the need to configure and manage integration of various individual Oracle products with the third-party environment.
By using Oracle Directory Integration and Provisioning, Oracle Identity Management takes advantage of the investment made in planning and deployment of a third-party enterprise directory. This provides a way to map and inherit major considerations such as directory naming, directory tree structure, schema extensions, access control, and security policies. Established procedures in an existing framework for user enrollment can be seamlessly incorporated into the corresponding operations of Oracle Identity Management.
If a third-party authentication service is in use, OracleAS Single Sign-On provides a way to integrate with the service and provide a seamless single sign-on experience to users accessing the Oracle environment. Certified interoperability solutions exist for leading third-party authentication platforms, and well-defined interfaces are available for implementing similar solutions for any new product.
The Oracle Identity Management infrastructure can be an enterprise-wide foundation for identity management, to support other Oracle products and third-party products deployed in the enterprise.
Oracle Identity Management can lower ownership costs by streamlining the maintenance of account information for all Oracle and third-party products. It also offers high levels of security and scalability, and provides numerous features. By supporting industry standards in all relevant interfaces, Oracle Identity Management can be customized and used in many different application environments.