Page | 1
Confidential and proprietary information. For internal use only.
eHealth Ontario Enhanced Authentication
Detailed Design Document
Table of Contents
1. Version History (page 2)
2. Introduction (page 3)
2.1) Background (page 3)
2.2) Purpose of the project (page 3)
2.3) Intended Audience (page 3)
2.4) Project Scope (page 3)
2.4.1) In-Scope (page 3)
2.4.2) Out of scope (page 4)
3) Architecture Overview (page 5)
3.1) Oracle Access Manager Overview (page 5)
3.1.1) OAM Components (page 5)
4) Logical Deployment Architecture (page 7)
5) Physical Deployment Architecture (page 7)
6) OAM Solution Architecture (page 8)
6.1) User Request Data Flow (page 8)
6.2) Authentication and Authorization (page 9)
6.2.1) Authentication sequence for EBS Access Gates (page 9)
7) Glossary (page 10)
1. Version History

Version | Date of revision | Description of change | Reason for change | Affected sections | Prepared by | Approved by
1.0 | 6/2/2017 | Initial draft | Initial draft | All | Kapstone Team | 
2. Introduction
2.1) Background
Currently eHealth Ontario is using Oracle Adaptive Access Manager (OAAM) 11gR1 as its risk profiling and
multifactor authentication solution. The MFA solution is built on the Windows platform. The purpose of the
OAAM migration is to:
1. Migrate the adaptive services from the Windows platform to the Linux platform.
2. Migrate OAAM to version 11gR2 PS3, since OAAM 11gR1 is a version no longer supported by Oracle.
3. Build a new Production environment in a load balanced configuration using internal HA.
5. Establish all existing federated policies and partners in the new environments.
6. Deploy the implementation such that there is minimal disruption to users and existing operations.
2) Fine-grained access control - The OAM solution will enforce user access control based on the
existing infrastructure OAM policies.
4) Hardware infrastructure setup and the network device changes required to support the OAM
implementation.
3) Architecture Overview
The architecture overview describes the high-level elements of the solution and how they interact with
each other.
The access management solution delivered by the IAM Delivery Team for Southwestern Energy
(SWN) is Oracle Access Manager (OAM), part of the Oracle Identity Management Suite. The OAM
access management solution consists of the following major components.
WebLogic
OAM 11g is a 100% Java application. WebLogic acts as the container for the OAAM admin server,
the OAAM server, the OAAM offline server and the OAAM admin console.
OAAM Server
This component contains the OAAM Admin and OAAM Server sub-components within a single
web application. The OAAM_SERVER component is packaged as an EAR file and is composed of
servlets and JSPs in addition to Java classes.
Database
OAAM stores session information and policies in a database.
OHS
Oracle HTTP Server is the web server component for Oracle Fusion Middleware.
[Deployment architecture diagram; only the component labels survived extraction: Admin Server; OAM/OIF Managed Servers; OAM Policy Store; User/Identity Store; OID Server 1 and OID Server 2, each hosting an OID instance and an ODSM Managed Server; NetScaler Global VIP; NetApp storage.]
The Production OAAM infrastructure will be deployed in the eHealth Ontario environment with high
availability.
1) Multiple web servers are load balanced for high availability.
2) Two OAAM Access Servers are deployed in clustered mode on WebLogic in the eHealth Ontario
environment. Session management within the cluster is handled by the Coherence layer in the
WebLogic server. If one adaptive access server becomes unavailable for any reason, access will
fall back to the second server.
3) Two OHS instances will be deployed on each of the two WebLogic nodes to host the login page. This
model ensures that the servers are isolated from the login page load, and the two OHS
instances on each node provide high availability and load balancing for the login page.
4) The database instances at Southwestern Energy (SWN) are deployed on NetApp.
5) The design and implementation of OAAM in the PROD and DEV environments will be identical.
When a user logs into an OAM protected application, the user will be redirected to an OAM login page for
credentials. After submitting valid credentials, the user will be redirected back to the OAM protected
application.
The diagram below shows the user request data flow:
[User request data flow diagram; only the labels survived extraction: End User -> Load Balancer -> traffic arrives at the OHS Servers -> OAM Cluster -> EBS AccessGate Servers and Federated Application Servers; Database Server on NetApp.]
A user logging into an OAM protected application may encounter four possible basic events:
1) Successful authentication
2) Failed authentication
3) Successful authorization
4) Failed authorization
1) The user accesses the SSO login URL of E-Business Suite, and EBS redirects the request to the EBS
AccessGate URL, which is protected by OAM.
2) Webgate challenges the user for credentials and the user submits them. Webgate passes the user
credentials to OAM.
3) OAM validates the user credentials against the SSO user store. OID returns the authentication status,
and the OAM policy returns the values of the attributes holding the EBS username and orclguid to Webgate.
4) Webgate sets the EBS username and orclguid in the header variables USER_NAME and USER_ORCLGUID
respectively.
5) Webgate redirects the request to the protected EBS AccessGate URL.
6) EBS AccessGate links the local user in the FND_USER table in the database and adds a subscription for
the local user to SSO in OID.
7) AccessGate redirects the authenticated user to E-Business Suite.
8) A user session is created in EBS with the details supplied by OAM, and the user is able to access
EBS.
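The following is an added example, not code from eHealth Ontario, Oracle or the Kapstone team, that simulates the sequence above end to end and shows where each of the four basic events (successful or failed authentication, successful or failed authorization) is decided. The OID user store, the OAM policy, the FND_USER table and the orclguid values are constructed in-memory stand-ins; only the step order and the header variable names USER_NAME and USER_ORCLGUID come from the page.

```python
"""Simulation of the OAM -> Webgate -> EBS AccessGate login sequence.

Added example (not eHealth Ontario / Oracle code). Every user, password,
orclguid and FND_USER row below is constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the OID SSO user store: username -> (password, orclguid)
OID_USERS = {
    "jdoe": ("correct-horse", "A1B2C3D4E5F6"),
    "asmith": ("battery-staple", "0F1E2D3C4B5A"),
}

# Constructed stand-in for the OAM policy (PDP): users authorized for the EBS AccessGate resource
OAM_POLICY_ALLOWED = {"jdoe"}

# Constructed stand-in for the EBS FND_USER table: EBS user name -> linked orclguid (None until linked)
FND_USER = {"JDOE": None, "ASMITH": None}


@dataclass
class Outcome:
    authenticated: bool
    authorized: bool
    headers: dict = field(default_factory=dict)   # what Webgate forwards to AccessGate (step 4)
    ebs_session: Optional[str] = None             # set only when step 8 is reached


def oam_authenticate(username, password):
    """Step 3: OAM validates the credentials against OID; returns (status, orclguid)."""
    record = OID_USERS.get(username)
    if record is None or record[0] != password:
        return False, None                        # failed authentication
    return True, record[1]                        # successful authentication


def oam_authorize(username):
    """OAM policy decision for the EBS AccessGate resource."""
    return username in OAM_POLICY_ALLOWED


def webgate_headers(username, orclguid):
    """Step 4: Webgate sets the header variables consumed by EBS AccessGate."""
    return {"USER_NAME": username.upper(), "USER_ORCLGUID": orclguid}


def ebs_accessgate(headers):
    """Steps 6-8: AccessGate links the local FND_USER row to the OID guid and creates the EBS session.

    The subscription of the local user to SSO in OID (step 6) is omitted from the simulation.
    """
    name, guid = headers["USER_NAME"], headers["USER_ORCLGUID"]
    if name not in FND_USER:
        return None                               # no local user to link; no session is created
    FND_USER[name] = guid                         # link local user to its SSO identity
    return f"EBS-SESSION:{name}:{guid}"


def login(username, password):
    """Run the whole sequence and report which of the four basic events occurred."""
    ok, guid = oam_authenticate(username, password)
    if not ok:
        return Outcome(authenticated=False, authorized=False)
    if not oam_authorize(username):
        return Outcome(authenticated=True, authorized=False)   # failed authorization
    hdrs = webgate_headers(username, guid)
    return Outcome(True, True, hdrs, ebs_accessgate(hdrs))


if __name__ == "__main__":
    print(login("jdoe", "correct-horse"))     # authenticated, authorized, session created
    print(login("asmith", "battery-staple"))  # authenticated but not authorized by policy
    print(login("jdoe", "wrong-password"))    # failed authentication
```

The simulation makes one design point of the page visible: EBS AccessGate acts on USER_NAME and USER_ORCLGUID exactly as Webgate sets them, so the identity EBS trusts is only as good as the guarantee that the AccessGate URL is reached through the OAM-protected path, which is why step 1 has EBS redirect to an AccessGate URL that OAM protects.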
7) Glossary

Acronym | Description
OAM | Oracle Access Manager
SSO | Single Sign On
EBS | E-Business Suite
OID | Oracle Internet Directory
DB | Database
PEP | Policy Enforcement Point
PDP | Policy Decision Point
PAP | Policy Administration Point
OHS | Oracle HTTP Server