Oracle® Identity Management Application Developer's Guide
10g Release 2 (10.1.2)
B14087-02

1 Developing Applications for Oracle Identity Management

Oracle Identity Management provides a shared infrastructure for all Oracle applications. It also provides services and interfaces that facilitate third-party enterprise application development. These interfaces are useful for application developers who need to incorporate identity management into their applications.

This chapter discusses these interfaces and recommends application development best practices in the Oracle Identity Management environment.

There are two types of applications that can be integrated with Oracle Identity Management:

This chapter contains the following topics:

1.1 Benefits of Integrating with Oracle Identity Management

Enterprise applications integrating with the Oracle Identity Management infrastructure receive the following benefits:

1.2 Oracle Identity Management Services Available for Application Integration

Custom applications can use Oracle Identity Management through a set of documented and supported services and APIs. For example:

1.3 Integrating Existing Applications with Oracle Identity Management

An enterprise may have already deployed certain applications to perform critical business functions. The Oracle Identity Management infrastructure provides the following services that can be leveraged by the deployment to modify existing applications:

1.4 Integrating New Applications with Oracle Identity Management

Application developers can use the services provided by the Oracle Identity Management infrastructure more extensively if they are developing a new application or planning a new release of an existing application. Application developers should consider the following integration points:

1.5 Oracle Internet Directory Programming: An Overview

This section introduces you to the Oracle Internet Directory Software Developer's Kit. It provides an overview of how an application can use the kit to integrate with the directory. You are also acquainted with the rest of the directory product suite.

The section contains these topics:

1.5.1 Programming Languages Supported by the Oracle Internet Directory SDK

The SDK is for application developers who use C, C++, and PL/SQL. Java developers must use the JNDI provider from Sun Microsystems to integrate with the directory.

1.5.2 Oracle Internet Directory SDK Components

Oracle Internet Directory Software Developer's Kit 10g Release 2 (10.1.2) consists of the following:

  • A C API compliant with LDAP Version 3

  • A PL/SQL API contained in a PL/SQL package called DBMS_LDAP

  • Sample programs

  • Oracle Identity Management Application Developer's Guide (this document)

  • Command-line tools

1.5.3 Application Development in the Oracle Internet Directory Environment

This section contains these topics:

1.5.3.1 Architecture of a Directory-Enabled Application

Most directory-enabled applications are backend programs that simultaneously handle multiple requests from multiple users. Figure 1-1 shows how a directory is used by such applications.

Figure 1-1 A Directory-Enabled Application


As Figure 1-1 shows, when a user request involves an LDAP-enabled operation, the application processes the request using a smaller set of pre-created directory connections.

1.5.3.2 Oracle Internet Directory Interactions During the Application Life Cycle

Table 1-1 walks you through the directory operations that an application typically performs during its lifecycle.

Table 1-1 Interactions During Application Lifecycle

Columns: Point in Application Lifecycle; Logic

Application Installation

  1. Create an application identity in the directory. The application uses this identity to perform most of its LDAP operations.

  2. Give the application identity LDAP authorizations by making it part of the correct LDAP groups. These authorizations enable the application to accept user credentials and authenticate them against the directory. The directory can also use application authorizations to proxy for the user when LDAP operations must be performed on the user's behalf.

Application Startup and Bootstrap

The application must retrieve credentials that enable it to authenticate itself to the directory.

If the application stores configuration metadata in Oracle Internet Directory, it can retrieve that metadata and initialize other parts of the application.

The application can then establish a pool of connections to serve user requests.

Application Runtime

For every end-user request that needs an LDAP operation, the application can:

  • Pick a connection from the pool of LDAP connections.

  • Switch the user to the end-user identity if the LDAP operation needs to be performed with the effective rights of the end-user.

  • Perform the LDAP operation by using either the regular API or the API enhancements described in this chapter.

  • Ensure that the effective user is now the application identity once the LDAP operation is complete.

  • Return the LDAP connection back to the pool of connections.

Application Shutdown

Abandon any outstanding LDAP operations and close all LDAP connections.

Application Deinstallation

Remove the application identity and the LDAP authorizations granted to it.

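The run-time discipline in Table 1-1 (take a pooled connection bound as the application identity, switch to the end user, perform the operation, switch back, return the connection), together with the group-membership authorization check described under Table 1-4, as an added example that is not part of this guide and not Oracle SDK code. It is a pure-Python simulation: the in-memory directory, its access rule, every DN, and the switch_user/reset_user calls are constructed for illustration and do not correspond to Oracle API names. The last function shows why the switch-back step matters: a connection returned to the pool without it still carries the previous user's rights, so an unrelated later request runs with them.

```python
"""Connection-pool discipline for a directory-enabled application.

Constructed simulation, not the Oracle Internet Directory SDK: an in-memory
"directory" with a toy access rule, a pool of connections bound as the
application identity, and a context manager that switches a pooled connection
to an end-user identity for one operation and guarantees the switch back before
the connection re-enters the pool. All DNs and attribute values are made up.
"""
from contextlib import contextmanager
import queue

# Hypothetical identities (constructed for this example).
APP_DN = "cn=orderapp,cn=Products,cn=OracleContext,dc=example,dc=com"
ADMIN_GROUP = "cn=OrderAdmins,cn=Groups,dc=example,dc=com"
ALICE = "cn=alice,cn=Users,dc=example,dc=com"
BOB = "cn=bob,cn=Users,dc=example,dc=com"

# Constructed directory contents: DN -> attributes.
DIRECTORY = {
    ALICE: {"mail": "alice@example.com", "salary": "90000"},
    BOB: {"mail": "bob@example.com", "salary": "70000"},
    ADMIN_GROUP: {"uniquemember": [ALICE]},
}
# Toy access rule: a private attribute is readable only when the effective
# identity is the entry's own DN; everything else is readable once bound.
PRIVATE_ATTRS = {"salary"}


class Connection:
    """One simulated LDAP connection. effective_dn models the identity the
    server applies access control for: the bind identity, or the end user the
    application has switched to on that user's behalf."""

    def __init__(self):
        self.bound_dn = self.effective_dn = None
        self.closed = False

    def bind(self, dn):
        self.bound_dn = self.effective_dn = dn

    def switch_user(self, dn):
        # Only the application identity holds the right to act for other users.
        if self.bound_dn != APP_DN:
            raise PermissionError("identity switching not authorized for this bind")
        self.effective_dn = dn

    def reset_user(self):
        self.effective_dn = self.bound_dn

    def read(self, dn, attr):
        if attr in PRIVATE_ATTRS and self.effective_dn != dn:
            raise PermissionError(f"{self.effective_dn} may not read {attr} of {dn}")
        return DIRECTORY[dn][attr]

    def close(self):
        self.closed = True


class ConnectionPool:
    """Pre-created connections, all bound as the application identity."""

    def __init__(self, size=2):
        self._idle = queue.Queue()
        self._all = []
        for _ in range(size):
            conn = Connection()
            conn.bind(APP_DN)
            self._all.append(conn)
            self._idle.put(conn)

    @contextmanager
    def connection(self, as_user=None):
        """Check out a connection; with as_user, run the block with that user's
        effective rights. The finally clause restores the application identity
        even when the operation raises, so a returned connection never carries
        a previous user's rights."""
        conn = self._idle.get()
        try:
            if as_user is not None:
                conn.switch_user(as_user)
            yield conn
        finally:
            conn.reset_user()
            self._idle.put(conn)

    def all_reset(self):
        return all(c.effective_dn == APP_DN for c in self._all)

    def shutdown(self):
        for conn in self._all:
            conn.close()
        return all(conn.closed for conn in self._all)


def is_member(pool, user_dn, group_dn):
    """Authorization check done as the application identity: group membership."""
    with pool.connection() as conn:
        return user_dn in conn.read(group_dn, "uniquemember")


def read_salary(pool, requesting_user, target_dn):
    """Operation run with the end user's rights; None when the directory denies it."""
    with pool.connection(as_user=requesting_user) as conn:
        try:
            return conn.read(target_dn, "salary")
        except PermissionError:
            return None


def leaky_read_salary(pool, requesting_user):
    """The mistake the lifecycle table rules out: switch identity, then return
    the connection without switching back."""
    conn = pool._idle.get()
    conn.switch_user(requesting_user)
    value = conn.read(requesting_user, "salary")
    pool._idle.put(conn)  # still carries requesting_user's rights
    return value


def demonstrate_leak():
    """Returns what an unrelated later request can read because of the leak."""
    pool = ConnectionPool(size=1)
    leaky_read_salary(pool, ALICE)
    # This request is made as the application identity, which cannot read
    # salary; it succeeds only because the connection kept Alice's rights.
    with pool.connection() as conn:
        return conn.read(ALICE, "salary")
```

The pool discipline lives entirely in ConnectionPool.connection: because the reset is in a finally clause, an exception thrown by the directory operation cannot leave a user-bound connection in the pool, which is the property the "ensure that the effective user is now the application identity" step asks for.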

1.5.3.3 Services and APIs for Integrating Applications with Oracle Internet Directory

Application developers can integrate with Oracle Internet Directory by using the services and APIs listed and described in Table 1-2.

Table 1-2 Services and APIs for Integrating with Oracle Internet Directory

Columns: Service/API; Description; More Information

Standard LDAP APIs in C, PL/SQL and Java

These provide basic LDAP operations. The standard LDAP API used in Java is the JNDI API with the LDAP service provider from Sun Microsystems.

Chapter 2, "Developing Applications with Standard LDAP APIs"


Oracle Extensions to Standard C, PL/SQL and Java APIs

These APIs provide programmatic interfaces that model various concepts related to identity management.

Chapter 3, "Developing Applications with Oracle Extensions to the Standard APIs"


Oracle Delegated Administration Services

Oracle Delegated Administration Services consists of a self-service console and administrative interfaces. You can modify the administrative interfaces to support third-party applications.

Oracle Directory Provisioning Integration Service

You can use the Oracle Provisioning Integration System to provision third-party applications and integrate other provisioning systems.

Oracle Internet Directory Plug-ins

You can use plug-ins to customize directory behavior in certain deployments.


Figure 1-2 shows an application leveraging some of the services illustrated in Table 1-2.

Figure 1-2 An Application Leveraging APIs and Services

This illustration is described in the text.

As Figure 1-2 shows, the application integrates with Oracle Internet Directory as follows:

  • Using PL/SQL, C, or Java APIs, it performs LDAP operations directly against the directory.

  • In some cases, it directs users to self-service features of Oracle Delegated Administration Services.

  • It is notified of changes to entries for users or groups in Oracle Internet Directory. The Oracle Directory Provisioning Integration Service provides this notification.

1.5.3.4 Integrating Existing Applications with Oracle Internet Directory

Your enterprise may already have deployed applications that you want to integrate with the Oracle identity management infrastructure. You can still integrate these applications by using the services presented in Table 1-3.

Table 1-3 Services for Modifying Existing Applications

Columns: Service; Description; More Information

Automated User Provisioning

You can develop an agent that automatically provisions users when provisioning events occur in the Oracle identity management infrastructure. You use interfaces of the Oracle Directory Provisioning Integration Service to develop this agent.

Chapter 6, "Developing Provisioning-Integrated Applications"


User Authentication Services

If your user interface is based on HTTP, you can integrate it with the Oracle HTTP Server. This enables you to use mod_osso and OracleAS Single Sign-On to protect the application URL.

Oracle Application Server Single Sign-On Administrator's Guide


Centralized User Profile Management

If your user interface is based on HTTP and is integrated with OracleAS Single Sign-On, you can use the Oracle Internet Directory Self-Service Console to manage user profiles centrally. You can tailor the console to the needs of your application.


1.5.3.5 Integrating New Applications with Oracle Internet Directory

If you are developing a new application or planning a new release of an existing application, you have many directory integration options at your disposal. Table 1-4 lists and describes these.

Table 1-4 Application Integration Points

Columns: Integration Point; Available Options; More Information

User Authentication Services

If your application is based on J2EE, it can use the JAZN interface to authenticate users. If it relies on OC4J, it can use mod_osso for the same purpose. The second option enables the application to obtain information about the user from HTTP headers.

If your application is Web based and standalone, it can still leverage OracleAS Single Sign-On by becoming a partner application that uses the single sign-on APIs.

Finally, if the application provides a non-Web user interface, it can use the Oracle Internet Directory LDAP APIs to authenticate users against the directory.

User Authorization Services

If your application is based on J2EE, it can use the JAZN interface to implement and enforce user authorizations for application resources. The application can define authorizations as groups in Oracle Internet Directory and can then check the authorizations of a user by checking his or her group membership. It can use the Oracle Internet Directory LDAP APIs for this purpose.

Centralized Profile Management

You can define application-specific profiles and user preferences as attributes in Oracle Internet Directory.

If your user interface is based on HTTP and is integrated with OracleAS Single Sign-On, you can use the Oracle Internet Directory Self-Service Console to manage user profiles centrally. You can tailor the console to the needs of your application.

Additionally, you can use the Oracle Internet Directory LDAP APIs to retrieve user profiles at runtime.

Automated User Provisioning

If your user interface is based on HTTP and it is integrated with OracleAS Single Sign-On, you can implement automated user provisioning the very first time a user accesses the application.

You use the Oracle Directory Provisioning Integration Service to integrate the application with the Oracle identity management infrastructure. Once integrated, the application can provision or deprovision user accounts automatically when an administrator adds, modifies, or deletes an identity.

Chapter 6, "Developing Provisioning-Integrated Applications"



1.5.4 Other Components of Oracle Internet Directory

The SDK is just one component in the directory suite. Here are the others: