Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
This section describes the components involved in Oracle Identity Management integration. It contains these topics:
Oracle Internet Directory is the repository in which Oracle components and third-party applications store and access user identities and credentials. It uses the Oracle directory server to authenticate users by comparing the credentials entered by users with the credentials stored in Oracle Internet Directory. When credentials are stored in a third-party directory and not in Oracle Internet Directory, users can still be authenticated. In this case, Oracle Internet Directory uses an external authentication plug-in that authenticates users against the third-party directory server.
The Oracle directory integration and provisioning server is the shared server process that provides functionality for the Oracle Directory Synchronization Service and the Oracle Provisioning Service.
The directory integration and provisioning server performs these services:
Oracle Directory Synchronization Service:
Scheduling—Processing a synchronization profile based on a predefined schedule
Mapping—Executing rules for converting data between connected directories and Oracle Internet Directory
Data propagation—Exchanging data with connected directories by using a connector
Error handling
Oracle Provisioning Service:
Scheduling—Processing a provisioning profile based on a predefined schedule
Event Notification—Notifying an application of a relevant change to the user or group data stored in Oracle Internet Directory
Error handling
In the Oracle Directory Integration and Provisioning environment, the contents of connected directories are synchronized with Oracle Internet Directory through the Oracle Directory Synchronization Service.
For Oracle Application Server components, Oracle Internet Directory is the central directory for all information, and all other directories are synchronized with it. This synchronization can be:
One-way: Some connected directories only supply changes to Oracle Internet Directory and do not receive changes from it. This is the case, for example, with Oracle Human Resources, the primary repository and "source of truth" for employee information.
Two-way: Changes in Oracle Internet Directory can be exported to connected directories, and changes in connected directories can be imported into Oracle Internet Directory.
Certain attributes can be targeted or ignored by the synchronization service. For example, the attribute for the employee badge number in Oracle Human Resources may not be of interest to Oracle Internet Directory, its connected directories or client applications. You might not want to synchronize it. On the other hand, the employee identification number may be of interest to those components, so you might want to synchronize it.
Figure 1-2 shows the interactions between components in the Oracle Directory Synchronization Service in a sample deployment.
The central mechanism triggering all such synchronization activities is the Oracle Internet Directory change log. It adds one or more entries for every change to any connected directory, including Oracle Internet Directory. The Oracle Directory Synchronization Service:
Monitors the change log
Takes action whenever a change corresponds to one or more synchronization profiles
Supplies the appropriate change to all other connected directories whose individual profiles correspond to the logged change. Such directories could include, for example, relational databases, Oracle Human Resources, Microsoft Active Directory, or SunONE Directory Server. It supplies these changes using the interface and format required by the connected directory. Synchronization through the Directory Integration and Provisioning connectors ensures that Oracle Internet Directory remains up-to-date with all the information that Oracle Internet Directory clients need.
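The change-log-driven synchronization described above, modelled as an added example (not Oracle's code, and not the real profile or change-log format): the profiles, attribute names and change-log entries are constructed, and a change from a connected directory is assumed to be imported into Oracle Internet Directory (OID) first and then exported from there to the other connected directories.

```python
from collections import namedtuple

# Hypothetical, simplified model of the change-log-driven synchronization described
# above (example code, not Oracle's implementation or its real profile format).
#   directory: connected directory the profile belongs to
#   direction: "import" (connected -> OID) or "export" (OID -> connected)
#   mapping:   connected attribute -> OID attribute; unmapped attributes are ignored
SyncProfile = namedtuple("SyncProfile", "directory direction mapping")

# Constructed profiles: Oracle Human Resources is one-way (import only, the "source
# of truth"); Active Directory is two-way. The HR badge number is deliberately unmapped.
PROFILES = (
    SyncProfile("OracleHR", "import", {"employeeNumber": "employeeNumber"}),
    SyncProfile("ActiveDirectory", "import", {"mail": "mail", "sAMAccountName": "uid"}),
    SyncProfile("ActiveDirectory", "export", {"mail": "mail", "sAMAccountName": "uid"}),
)

def _map(attrs, mapping):
    """Keep only the attributes the mapping rules name, renamed to the target schema."""
    return {mapping[a]: v for a, v in attrs.items() if a in mapping}

def process_change(entry, profiles=PROFILES):
    """Return the writes one change-log entry causes, as (target, dn, attrs) tuples."""
    writes, attrs = [], entry["attrs"]
    if entry["source"] != "OID":
        # A change from a connected directory is first imported into OID through
        # that directory's import profile; only mapped attributes survive.
        imported = {}
        for p in profiles:
            if p.directory == entry["source"] and p.direction == "import":
                imported.update(_map(attrs, p.mapping))
        if not imported:
            return writes
        writes.append(("OID", entry["dn"], imported))
        attrs = imported  # the resulting OID change is what gets exported
    # The OID change then goes to every directory with a matching export profile,
    # except the one it came from; one-way sources such as HR never receive anything.
    for p in profiles:
        if p.direction == "export" and p.directory != entry["source"]:
            out = _map(attrs, {oid: ext for ext, oid in p.mapping.items()})
            if out:
                writes.append((p.directory, entry["dn"], out))
    return writes

# Constructed change-log entries (values made up for the example).
CHANGE_LOG = [
    {"source": "OracleHR", "dn": "cn=jdoe,cn=users,dc=example,dc=com",
     "attrs": {"employeeNumber": "10042", "badgeNumber": "B-77"}},
    {"source": "OID", "dn": "cn=jdoe,cn=users,dc=example,dc=com",
     "attrs": {"mail": "jdoe@example.com"}},
]
```

Running `process_change` over `CHANGE_LOG` shows the HR badge number being dropped while the employee number reaches OID, and the OID mail change reaching Active Directory but never Oracle Human Resources.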
The Oracle Provisioning Service ensures that each provisioned application is notified of changes in, for example, user or group information. To do this, it relies on the information contained in a provisioning integration profile. Each provisioning profile:
Uniquely identifies the application and organization to which it applies
Specifies, for example, the users, groups, and operations requiring the application to be notified
The profile must be created when the application is installed, by using the Provisioning Subscription Tool.
See Also: The chapter on Oracle Directory Integration and Provisioning tools in the Oracle Identity Management User Reference for information about the Provisioning Subscription Tool
When changes in Oracle Internet Directory match what is specified in the provisioning profile of an application, the Oracle Provisioning Service sends the relevant data to that application.
Note: A legacy application—that is, one that was operational before the Oracle Provisioning Service was installed—would not have subscribed in the usual way during installation. To enable such an application to receive provisioning information, a provisioning agent, in addition to the provisioning profile, must be developed. The agent must be able to translate the relevant data from Oracle Internet Directory into the exact format required by the legacy application.
Figure 1-3 shows the interactions between components in an Oracle Provisioning Service environment, including the special case of a provisioning agent for a legacy application.
Figure 1-3 Interactions of the Oracle Provisioning Service
Oracle Application Server Single Sign-On enables users to access Oracle Web-based components by logging in only once.
Oracle components delegate the login function to the OracleAS Single Sign-On server. When a user first logs into an Oracle component, the component redirects the login to the OracleAS Single Sign-On server. The OracleAS Single Sign-On server authenticates the user by verifying the credentials entered by the user against those stored in Oracle Internet Directory. After authenticating the user, and throughout the rest of the session, the OracleAS Single Sign-On server grants the user access to all the components the user both seeks and is authorized to use.
See Also: Oracle Application Server Single Sign-On Administrator's Guide for information about OracleAS Single Sign-On