Oracle® Identity Management Application Developer's Guide
10g Release 2 (10.1.2) B14087-02
Oracle Identity Management provides a shared infrastructure for all Oracle applications. It also provides services and interfaces that facilitate third-party enterprise application development. These interfaces are useful for application developers who need to incorporate identity management into their applications.
This chapter discusses these interfaces and recommends application development best practices in the Oracle Identity Management environment.
There are two types of applications that can be integrated with Oracle Identity Management:
Existing applications already used in the enterprise. The enterprise might have already invested in such applications and would benefit from their integration with the Oracle Identity Management infrastructure.
New applications being developed by corporate IT departments or ISVs that are based on the Oracle technology stack.
This chapter contains the following topics:
Oracle Identity Management Services Available for Application Integration
Integrating Existing Applications with Oracle Identity Management
Integrating New Applications with Oracle Identity Management
Enterprise applications integrating with the Oracle Identity Management infrastructure receive the following benefits:
Integration facilitates faster application deployment with lower costs: Enterprises (primarily Oracle customers) already using an existing Oracle Identity Management infrastructure can deploy new applications using the self-service console of Oracle Delegated Administration Services. Delegating application administration to users reduces the deployment cost of the application.
Seamless integration with Oracle applications: Because all Oracle applications rely on the Oracle Identity Management infrastructure, new enterprise applications can use all the features Oracle Identity Management offers.
Seamless integration with third-party identity management solutions: Because the Oracle Identity Management infrastructure already has built-in capabilities for integrating with third-party identity management solutions, application developers can take advantage of the identity management features.
Custom applications can use Oracle Identity Management through a set of documented and supported services and APIs. For example:
Oracle Internet Directory provides LDAP APIs for C, Java, and PL/SQL, and is compatible with other LDAP SDKs.
Oracle Delegated Administration Services provides a core self-service console that can be customized to support third-party applications. In addition, it provides a number of services for building customized administration interfaces that manipulate directory data.
Oracle Directory Integration Services facilitate the development and deployment of custom solutions for synchronizing Oracle Internet Directory with third-party directories and other user repositories.
Oracle Provisioning Integration Services provide a mechanism for provisioning third-party applications, as well as a means of integrating the Oracle environment with other provisioning systems.
OracleAS Single Sign-On provides APIs for developing and deploying partner applications that share a single sign-on session with other Oracle Web applications.
JAZN is the Oracle implementation of the Java Authentication and Authorization Service (JAAS) standard. JAZN allows Web applications developed in the Oracle J2EE environment to use the identity management infrastructure for authentication and authorization.
An enterprise may have already deployed certain applications to perform critical business functions. The Oracle Identity Management infrastructure provides the following services that can be leveraged by the deployment to modify existing applications:
Automated User Provisioning: The deployment can develop a custom provisioning agent that automates the provisioning of users in the existing application in response to provisioning events in the Oracle Identity Management infrastructure. This agent must be developed using the interfaces of Oracle Provisioning Integration Service.
See Also: Oracle Internet Directory Administrator's Guide for more information about developing automated user provisioning.
User Authentication Services: If the user interface of the existing application is based on HTTP, integrating it with Oracle HTTP Server and protecting its URL using mod_osso will authenticate all incoming user requests using the OracleAS Single Sign-On service.
Centralized User Profile Management: If the user interface of the existing application is based on HTTP, and it is integrated with OracleAS Single Sign-On for authentication, the application can use the self-service console of Oracle Delegated Administration Services to enable centralized user profile management. The self-service console can be customized by the deployment to address the specific needs of the application.
Application developers can use the services provided by the Oracle Identity Management infrastructure more extensively if they are developing a new application or planning a new release of an existing application. Application developers should consider the following integration points:
User Authentication Services: The application developer has the following options:
If the application is based on J2EE, it can use the services provided by the Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider interface.
If the application relies on Oracle Application Server Containers for J2EE (OC4J), it can use the services provided by mod_osso to authenticate users and obtain important information about the user in the HTTP headers.
If the application is a standalone Web-based application, it can use OracleAS Single Sign-On as a partner application using the OracleAS Single Sign-On APIs.
If the application provides an interface that is not Web-based, it can use the Oracle Internet Directory LDAP APIs (available in C, PL/SQL and Java) to authenticate users.
Centralized Profile Management: The application developer has the following options available:
The application developer can model application-specific profiles and user preferences as attributes in Oracle Internet Directory.
If the user interface of the application is based on HTTP, and it is integrated with OracleAS Single Sign-On for authentication, the application can leverage the self-service console of Oracle Delegated Administration Services to enable centralized user profile management. The self-service console can be customized by the deployment to address the specific needs of the application.
The application can also retrieve user profiles at run time using the Oracle Internet Directory LDAP APIs (available in C, PL/SQL and Java).
Automated User Provisioning: Application developers should consider the following options:
If the user interface of the application is based on HTTP and it is integrated with OracleAS Single Sign-On for authentication, then the application developer can implement automated user provisioning the first time a user accesses the application.
The application can also be integrated with the Oracle Internet Directory Provisioning Integration Service, which enables it to automatically provision or de-provision user accounts in response to administrative actions, such as adding an identity, modifying the properties of an existing identity, or deleting an existing identity in the Oracle Identity Management infrastructure.
This section introduces you to the Oracle Internet Directory Software Developer's Kit. It provides an overview of how an application can use the kit to integrate with the directory. You are also acquainted with the rest of the directory product suite.
The section contains these topics:
Programming Languages Supported by the Oracle Internet Directory SDK
Application Development in the Oracle Internet Directory Environment
The SDK is for application developers who use C, C++, and PL/SQL. Java developers must use the JNDI provider from Sun Microsystems to integrate with the directory.
Oracle Internet Directory Software Developer's Kit 10g Release 2 (10.1.2) consists of the following:
A C API compliant with LDAP Version 3
A PL/SQL API contained in a PL/SQL package called DBMS_LDAP
Sample programs
Oracle Identity Management Application Developer's Guide (this document)
Command-line tools
This section contains these topics:
Oracle Internet Directory Interactions During the Application Life Cycle
Services and APIs for Integrating Applications with Oracle Internet Directory
Integrating Existing Applications with Oracle Internet Directory
Most directory-enabled applications are backend programs that simultaneously handle multiple requests from multiple users. Figure 1-1 shows how a directory is used by such applications.
Figure 1-1 A Directory-Enabled Application
As Figure 1-1 shows, when a user request involves an LDAP-enabled operation, the application processes the request using a smaller set of pre-created directory connections.
Table 1-1 walks you through the directory operations that an application typically performs during its lifecycle.
Table 1-1 Interactions During Application Lifecycle
Application developers can integrate with Oracle Internet Directory by using the services and APIs listed and described in Table 1-2.
Table 1-2 Services and APIs for Integrating with Oracle Internet Directory
Service/API | Description | More Information
---|---|---
Standard LDAP APIs | These provide basic LDAP operations. The standard LDAP API used in Java is the JNDI API with the LDAP service provider from Sun Microsystems. | Chapter 2, "Developing Applications with Standard LDAP APIs"
Oracle Extensions to Standard C, PL/SQL and Java APIs | These APIs provide programmatic interfaces that model various concepts related to identity management. | Chapter 3, "Developing Applications with Oracle Extensions to the Standard APIs"
Oracle Delegated Administration Services | Oracle Delegated Administration Services consists of a self-service console and administrative interfaces. You can modify the administrative interfaces to support third-party applications. |
Oracle Directory Provisioning Integration Service | You can use the Oracle Provisioning Integration System to provision third-party applications and integrate other provisioning systems. |
Oracle Internet Directory Plug-ins | You can use plug-ins to customize directory behavior in certain deployments. |
Figure 1-2 shows an application leveraging some of the services illustrated in Table 1-2.
As Figure 1-2 shows, the application integrates with Oracle Internet Directory as follows:
Using PL/SQL, C, or Java APIs, it performs LDAP operations directly against the directory.
In some cases, it directs users to self-service features of Oracle Delegated Administration Services.
It is notified of changes to entries for users or groups in Oracle Internet Directory. The Oracle Directory Provisioning Integration Service provides this notification.
Your enterprise may already have deployed applications that you want to integrate with the Oracle identity management infrastructure. You can still integrate these applications using the services presented in Table 1-3.
Table 1-3 Services for Modifying Existing Applications
Service | Description | More Information
---|---|---
Automated User Provisioning | You can develop an agent that automatically provisions users when provisioning events occur in the Oracle identity management infrastructure. You use interfaces of the Oracle Directory Provisioning Integration Service to develop this agent. | Chapter 6, "Developing Provisioning-Integrated Applications"
User Authentication Services | If your user interface is based on HTTP, you can integrate it with the Oracle HTTP Server. This enables you to use mod_osso and OracleAS Single Sign-On to protect the application URL. | Oracle Application Server Single Sign-On Administrator's Guide
Centralized User Profile Management | If your user interface is based on HTTP and is integrated with OracleAS Single Sign-On, you can use the Oracle Internet Directory Self-Service Console to manage user profiles centrally. You can tailor the console to the needs of your application. |
If you are developing a new application or planning a new release of an existing application, you have many directory integration options at your disposal. Table 1-4 lists and describes these.
Table 1-4 Application Integration Points
Integration Point | Available Options | More Information
---|---|---
User Authentication Services | If your application is based on J2EE, it can use the JAZN interface to authenticate users. If it relies on OC4J, it can use mod_osso for the same purpose; this second option also enables the application to obtain information about the user from HTTP headers. If your application is Web based and standalone, it can still leverage OracleAS Single Sign-On by becoming a partner application using the single sign-on APIs. Finally, if the application provides a non-Web user interface, it can use the Oracle Internet Directory LDAP APIs to authenticate users. |
User Authorization Services | If your application is based on J2EE, it can use the JAZN interface to implement and enforce user authorizations for application resources. The application can define authorizations as groups in Oracle Internet Directory and can then check the authorizations of a user by checking his or her group membership. It can use the Oracle Internet Directory LDAP APIs for this purpose. |
Centralized Profile Management | You can define application-specific profiles and user preferences as attributes in Oracle Internet Directory. If your user interface is based on HTTP and is integrated with OracleAS Single Sign-On, you can use the Oracle Internet Directory Self-Service Console to manage user profiles centrally. You can tailor the console to the needs of your application. Additionally, you can use the Oracle Internet Directory LDAP APIs to retrieve user profiles at runtime. |
Automated User Provisioning | If your user interface is based on HTTP and it is integrated with OracleAS Single Sign-On, you can implement automated user provisioning the very first time a user accesses the application. You use the Oracle Directory Provisioning Integration Service to integrate the application with the Oracle identity management infrastructure. Once integrated, the application can provision or deprovision user accounts automatically when an administrator adds, modifies, or deletes an identity. | Chapter 6, "Developing Provisioning-Integrated Applications"
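The following Java example is added here and is not code from this guide or from the Oracle SDK. It puts together the pattern of Figure 1-1 (a pool of pre-created directory connections bound as the application) with the authorization option of Table 1-4 (authorizations modelled as Oracle Internet Directory groups, checked through the standard JNDI LDAP API). The host, the DNs, the use of uid as the nickname attribute and groupOfUniqueNames/uniqueMember as the group model are assumptions for illustration.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class OidGroupAuthz {
    // Hypothetical deployment values (not from the guide); replace with your directory's.
    static final String LDAP_URL = "ldap://oid.example.com:389";
    static final String APP_BIND_DN = "cn=appUser,cn=Users,dc=example,dc=com";
    static final String USER_BASE = "cn=Users,dc=example,dc=com";
    static final String GROUP_BASE = "cn=Groups,dc=example,dc=com";

    // Take a connection from the JDK LDAP provider's pool (the pre-created connections of
    // Figure 1-1), bound as the application identity rather than as the end user.
    static DirContext connect(String appPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, APP_BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, appPassword);
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        return new InitialDirContext(env); // close() returns the connection to the pool
    }
    // Resolve the single sign-on nickname (for example taken from mod_osso headers) to a DN.
    static String findUserDn(DirContext ctx, String nickname) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // only the DN is needed
        // {0} is substituted with filter escaping by the provider, so a nickname such as
        // "a*)(uid=*" cannot rewrite the filter; never build the filter by concatenation.
        NamingEnumeration<SearchResult> r =
            ctx.search(USER_BASE, "(uid={0})", new Object[] {nickname}, sc);
        if (!r.hasMore()) return null;
        String dn = r.next().getNameInNamespace();
        if (r.hasMore()) throw new NamingException("ambiguous nickname: " + nickname);
        return dn;
    }
    // Authorization as group membership (Table 1-4): true if the named group lists the
    // user's DN as a uniqueMember. The directory performs the DN comparison, not the app.
    static boolean isMember(DirContext ctx, String userDn, String groupCn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        return ctx.search(GROUP_BASE, "(&(objectClass=groupOfUniqueNames)(cn={0})(uniqueMember={1}))",
                new Object[] {groupCn, userDn}, sc).hasMore();
    }
}
```

A request handler would call connect(), then findUserDn() with the nickname supplied by single sign-on, then isMember() for the group that represents the required authorization, and finally close() the context so the pooled connection is reused.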