Вы находитесь на странице: 1из 4

Who, what, where, why and how?

Oracle Identity Management Solutions

Manpreet Singh Johal, Inatech Solutions Limited

T his article gives an overview of Oracle Identity Management solutions

and how to quickly deploy Oracle Enterprise Single Sign-On, using
Oracle Internet Directory as a user profile and credential repository.
Oracle Identity and Access
Management Suite
Oracle Identity and Access Management
Suite allows enterprises to manage end-to-
Identity management is the process by Benefits end lifecycle of user identities across all
which the complete security lifecycle for enterprise resources within and beyond the
end-users and network entities is managed • Identity management saves money. firewall. Administrators can deploy
for an organisation. Identity management For most enterprises, application user applications faster, apply the most granular
most commonly refers to the management administration is a very expensive, protection to enterprise resources, and
of an organisation’s users, where steps in laborious and error-prone process automatically eliminate latent access
the security life cycle include account privileges. The Oracle Identity and Access
creation, deletion, suspension, privilege • Identity management enables faster Management Suite is a member of Oracle
modification, and attribute management. deployments. Typically, provisioning Fusion Middleware family of products,
The network entities managed include of a new application means creating and which brings greater agility, better decision-
devices, processes, applications, servers, managing separate user accounts and making, and reduced cost and risk to
or anything else that needs to interact in a their privileges. Identity Management diverse IT environments. (See Figure 1.)
networked environment. Entities managed enables the new applications to leverage
by an identity management process may the existing infrastructure for its user The Oracle Identity and Access
also include users outside of the organisa- management, and thus reduces the Management Suite include the following
tion, for example customers, suppliers, or time it takes to deploy and manage components:
trading partners. new applications
• Oracle Access Manager delivers critical
Identity Management System • Identity management improves the functionality for access control, single
Components end-user experience. An identity sign-on, and user profile management in
management strategy allows new users to heterogeneous application environments
A complete identity management solution gain access to their applications quickly,
includes the following components: eliminating wasted employee time. • Oracle Identity Manager is a powerful
It also allows the users to modify any of and flexible enterprise identity provision-
• Scalable, secure, and standards complaint their attributes or preferences at only one ing and compliance monitoring solution
directory service for storing and place, instead of changing it for every that automates the creation, updating,
managing the user information application and removal of users from enterprise
systems such as directories, email,
• User-provisioning framework that can • Identity management improves databases and so on
either be linked to the enterprise provi- application security. An identity
sioning system (such as HR application), management strategy allows users to • Oracle Identity Federation enables
or that can be operated stand-alone have their passwords and security cross-domain single sign-on with the
credentials managed centrally industry’s only identity federation server
• Delegated administration model and that is completely self-contained and
application that allows the administrator ready to run out-of-the box
of the identity management system to
selectively delegate access rights to the
administrator of the individual Figure 1: The Oracle Identity
application or to the end-user directly. and Access Management Suite
An appropriate security model, and user-
interface model that can support various
requirements is critical

• Directory integration platform that

enables the enterprise to connect the
Identity Management directory with
legacy or application specific directory

• Run-time model and application for user


• System to create and manage

PKI certificates

OracleScene Issue 36 Winter 2008 13

• Oracle Internet Directory, a scalable, iv) Oracle Enterprise Single Sign-On
robust LDAP V3-compliant directory Provisioning Gateway: enables
service that leverages the high availability organisations to distribute single sign-
capabilities of the Oracle 10g Database on credentials to Oracle eSSO Manager
platform based on provisioning instructions

from Oracle Identity Manager.

• Oracle Virtual Directory provides
internet and industry standard LDAP and v) Oracle Enterprise Single Sign-On Kiosk
XML views of existing enterprise identity Manager: allows users to securely
information, without synchronising or access enterprise applications at
moving data from its native locations distributed workstations.

• Oracle Web Services Manager is a For the purpose of this article, we shall Figure 2
comprehensive solution for adding demonstrate how to deploy Oracle
policy-driven security and management Enterprise Manager Single Sign-On 3. Connect to Oracle Internet Directory by
capabilities to existing or new Logon Manager (eSSO-LM), using entering following information, and click
Web services Oracle Internet Directory as user OK.
profile and credential repository at Server Name: lon-int-lap0586 or name
• Oracle Enterprise Single Sign-On Windows environment. of the server where OID is running.
provides users with unified single sign-on Repository Type: Oracle Internet
and authentication across all their Step 1: Enterprise Single Sign-On Directory.
enterprise resources, including desktops, Logon Manager (eSSO-LM) Admin Port: 389
client-server, and custom and host-based Console Setup Use secure channel (SSL): Uncheck
mainframe applications Username/ID: cn=orcladmin
This section assumes that Oracle Internet Password: <orcladmin password>
• Oracle Adaptive Access Manager Directory is already installed and functional (See Figure 3.)
provides web access real-time fraud in your network.
detection and multifactor online
authentication security for the enterprise 1. Download Oracle Enterprise Manager
Single Sign-On (eSSO) Suite from
• Oracle Role Manager is an authoritative Oracle Technology Network
source for role lifecycle management (http://www.oracle.com/technology/soft
that leverages business policy and ware/products/ias/htdocs/101401.html)
organisational data to automate role
based provisioning and access control 2. Extract the software at C:\esso directory.
Extraction will create sub-directories for
Oracle Enterprise Single Sign-On each of Oracle eSSO sub-components
(eSSO) Example Deployment under C:\esso directory.

Oracle Enterprise Single Sign-On (eSSO) 3. Go to C:\esso\ESSO Logon Manager Figure 3

provides single sign-on functionality for all and click on “ESSO-LM
the enterprise applications i.e. web based, Admin Console.exe”. 4. After successful extension of OID
client-server and legacy applications. Users schema, following dialog will appear.
are able to use eSSO functionality whether 4. At Welcome screen, click Next. Click on Close.
they are connected to corporate network,
traveling, or roaming between workstations. 5. At License Agreement screen, accept 5. In order to store user credentials under
the agreement and click Next. respective OID user objects, an addition-
Oracle Enterprise Single Sign-On uses any al schema change and rights assignment
LDAP directory or any SQL database as its 6. At Setup Type screen, select Complete is required. The OID user object needs
user profile and credential repository. option and click Next. to allow the creation of a child object of
It accepts primary authentication from type eSSO-LM. A user also needs the
Windows logon. 7. At Ready to Install screen, click at right to create this object and credential
Install. objects under their own OID user
Oracle Enterprise Single Sign-On has the object. Click at Repository link at left
following components: 8. Click Finish, once installation is navigation of eSSO-LM Admini
completed. Console, and click on the link Click here
i) Oracle Enterprise Manager Single Sign- to connect in right hand side pane.
On Logon Manager: allows users to Step 2: Extend Oracle Internet (See Figure 4.)
securely use a single login credentials Directory schema for eSSO-LM
for all web based, client-server and
legacy applications. 1. Launch eSSO-LM Administration
ii) Oracle Enterprise Single Sign-On Start -> Programs -> Oracle -> ESSO-
Password Reset: helps in reducing LM -> ESSO-LM Console
helpdesk calls by enabling users to
manage Microsoft Windows password 2. Click on Repository -> Extend Schema
through self-service interfaces. menu option. (See Figure 2.)

iii) Oracle Enterprise Single Sign-On

Authentication Manager: allows
organisations to use a combination of
tokens, smart cards, biometrics and Figure 4
password for strong authentication.

14 A UK Oracle User Group publication

6. Enter OID connection information, as backup. Administrators can 5. Navigate to Global Agent Settings ->
specified in Step 3. After successful deploy configuration overrides Live -> Synchronisation ->
authentication, OID schema information to provide new registry, applica- LDAPEXT -> Required. Select
will appear in eSSO-LM Admin Console tion template, and first-time use Directory Type check box and specify
as following: (See Figure 5.) settings or to update existing set- value as Oracle Internet Directory.

tings. eSSO-LM synchronises Select check box named Servers and
credentials to a central repository specifies OID server hostname/IP
i.e. OID, in this example. address along with Port.
v. Expand Event Manager and (See Figure 7.)
choose Windows Event
Extension. This plug-in
supports logging of events to
Windows Event Manager.
d. Languages: provides localised
language support for various
international languages.

6. At Ready to Install screen, click Install.

Figure 5
7. Click Finish, once installation
Step 3: Install eSSO-LM Agent is completed.
Figure 7
1. Go to C:\esso\ESSO Logon Manager Step 4: Configuring OID and click on “ESSO-LM.exe”. with eSSO-LM
6. After configuring the eSSO-LM agent,
2. At Welcome screen, click Next. This section contains steps that enable we need to configure OID to store
credentials to be stored in and retrieved eSSO-LM application templates and
3. At License Agreement screen, accept from Oracle Internet Directory. configuration settings in OID. Login
the agreement and click Next. This section includes: into Repository by clicking at link in
- Configure logon manager agent to left pane.
4. At Setup Type screen, select Custom connect to OID
option and click Next. - Create a container in OID for 7. Right click on container named
storing SSO information dc=lon-int-lap0586, dc=com and
5. At Custom Setup screen, four options - Configure a test application select New Container. Specify container
will appear. - First time agent setup and name as SSOConfig and click OK.
a. Application: installs all necessary confirmation of OID sync New container will appear in OID
files and settings that serve as the schema as following.
core foundation of the application. 1. Start the eSSO-LM Admin Console (See Figure 8.)
b. Logon Methods: This option
provides plug-ins for different 2. Right click Global Agent Settings from
methods of logging on to eSSO- left hand pane of Administrative
LM. Choose Windows Logon. Console. Select Import, and select
c. Extensions: This option provides From Live HKLM. This step imports
plug-ins that enhance and extend current configuration from the local-
the functionality of eSSO-LM. machine registry entry on your system.
i. Backup/Restore Manager: allows Additional entries will appear in
a user or administrator to Administrative Console
backup a user’s passwords and
settings to file and restore, if 3. Expand Live -> Synchronisation
required. This feature should not
be used along with synchroniser, 4. Set Enable role/group security
due to conflicts in credentials support by checking the appropriate box Figure 8
time stamp. and selecting Use role/group security
ii. Logon Manager: this is a required from the appropriate drop down box. 8. Update the eSSO-LM agent
component for credential Set Sync Order to LDAPEXT and configuration to make use of container
management, request and Interval for automatic re-sync to 5. defined in earlier step to store applica-
delivery. It includes support for (See Figure 6.) tion templates and configuration infor-
web application accessed mation. Navigate to Global Agent
through Internet Explorer or Settings -> Live -> Synchronisation
Firefox. Mainframe applications, -> LDAPEXT -> Advanced.
console window applications
such as Telnet and JAVA 9. Check the check box next to
applications. Configuration Objects Base
iii. Setup Manager: This plug-in Locations, and click on button on
provides the initial first time use right hand side of field. Specify
experience when setting up the container location as
SSO application. ou=SSOConfig,dc=lon-int-
iv. Expand Extensions -> lap0586,dc=com and click OK.
Synchronisation Manage ->
LDAP Synchroniser.
It will allow eSSO-LM to Figure 6
synchronise administration
configuration, mobility and

OracleScene Issue 36 Winter 2008 15

10. Update the configuration information 1. Launch Internet Explorer and open 8. Similarly, users can add other desktop
to OID. Click on Repository entry in http://metalink.oracle.com and web applications to Logon
left window pane. In right window Manager.
pane, right click on container 2. Click at Login to Metalink link.
ou=SSOConfig and choose (See Figure 10.) Conclusion

Configure SSO Support option.

Oracle Identity Management enables
11. At Configure SSO Support screen, customers to manage life cycle of user
select Administrative Console as data identities by providing products which
source, as we are uploading application manage different stages of user identity life
template defined in eSSO-LM cycle. Customers can choose the products
Administrative Console. that fulfill their business requirement and
integrate with existing in-house identity
12. Choose configuration mode as management products. Thus, providing
Advanced, and click Next. a unified and integrated identity manage-
ment solution.
13. Click Next. Figure 10
Inatech Value Add
14. At Global Agent Settings screen,
choose Live and click Next. 3. eSSO-LM will automatically detect The following services can be provided for
web login page and will prompt user to Identity Management Solution:
15. At summary screen, review the enable ESSO-LM to remember the
• Enterprise Single Sign On for Web
information and click Finish. login details. Click Yes.
Yahoo! Messenger application tem-
plate information is uploaded in OID. 4. A New Logon for Login dialog will • Single Sign On integration with
appear. Provide Metalink Microsoft Active Directory
16. To update the client systems registry Username/Password details and
entries with updated information from click Finish. (See Figure 11.) • Synchronisation of Users’ Account from
OID container, choose menu option Microsoft Active Directory to Oracle
Tools -> Write Global Agent Internet Directory and vice versa
Settings to HKLM. • Integration functionality with 3rd party
Directory Services using out-of-box with
17. Restart client desktop. available Integration Functions, and
using LDAP APIs where standard
Step 5: First Time Use (FTU) integration function is not available
Agent Setup (provided Directory Service should
support LDAP interface)
1. After the system restart, login into your
desktop/laptop. Since this is first time • Available directory connectivity solutions
we are logging in after installing eSSO- for Peoplesoft and Oracle Human
LM Agent, First Time Use (FTU) Resources
wizard will appear and prompt for Figure 11
• High Availability and Scalability
OID username/password to update the deployment and support
user information. (See Figure 9.) 5. ESSO-LM will implicitly login
user into Metalink with credentials
provided. About the Author
Manpreet Singh
6. Next time, whenever the user will
Johal, Solution
access Metalink Login page, ESSO-LM
will login user with credentials provid- Architect –
ed during application registration. Inatech Solutions
2. Next Limited
Figure 9 screen will show the actions that
wizard can perform. Click Next. 7. User can view the registered applica- Manpreet Singh
tions information by right clicking at Johal is an
3. At Primary Logon screen, click Next ESSO-LM icon, which appears in sys- Oracle Certified
and at next screen, choose Windows tem tray and choose Configuration-> Associate – AS
Logon and click Next. It will prompt Logon Manager. (See Figure 12.) 10g with nearly 8 years of cumulative
for user’s Windows credentials. work experience. He has excellent
technical experience in Oracle
4. Provide the credentials and click Next. Applications 11i/R12; Fusion
Middleware - Application Server,
5. Click Finish and eSSO-LM is ready
Identity Management, Enterprise
for use.
Management, OCS Implementation,
Portal Administration/Development,
Step 6: Add applications to eSSO-LM
and Software Development/System
In this section, we will demonstrate that Analysis. He has worked with various
how we can add a web application to teams successfully across multiple
eSSO-LM. projects globally. He has also conduct-
Figure 12
ed a presentation at UKOUG 2007 on
“Designing Disaster Recovery Site with
OracleAS Guard 10g”.

16 A UK Oracle User Group publication