Oracle Single Sign-On to Oracle Access Manager Migration
Rob Otto – Oracle Consulting Services UK

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remain at the sole discretion of Oracle.

Agenda
• Access Management introduction
• Oracle Access Manager 11gR2 Overview
• Oracle SSO v OAM 11gR2
• OAM 11gR2: Migration and Coexistence with OSSO
• Q&A

Access Management Introduction

Identity Management Portfolio – 11gR2
Modern, Innovative & Integrated
• Governance: Password Reset, Privileged Accounts, Access Request, Roles Based Provisioning, Role Mining, Attestation, Separation of Duties
• Access: Web Single Sign-on, Federation, Mobile, Social & Cloud, External Authorization, SOA Security, Integrated ESSO, Token Services, Fraud Detection, Platform Security Services
• Directory: LDAP Storage, Virtual Directory, Meta Directory

Taking a Platform Approach
Building on Components of Fusion Middleware
• User Interface
• Customization
• Performance
• Fusion Middleware

Oracle Access Management
Access Management capabilities:
• Authentication
• Single Sign-On
• Federation
• Fraud Prevention
• Authorization & Entitlements
• Web Services Security
• Secure Token Services
Value proposition:
• Comprehensive security for applications, data, and web services
• End-to-end authentication, single sign-on, and fine grained application protection
• Innovative anomaly detection, transaction security, and multi-factor authentication
• Extensive 3rd party integrations

Oracle Access Management Suite Plus
• Entitlements Server: Entitlements Management, Fine Grained Authorization
• Adaptive Access Manager: Risk-based Authentication, Real-time Fraud Prevention
• Access Manager: Web Access Control, Single Sign-On
• Identity Federation: Partner SSO & Identity Federation, Fedlet SP integration
• Secure Token Services: Security Token Management, Identity Propagation

Oracle Access Management Blueprint Architecture
(architecture diagram)

Oracle Access Manager 11gR2 Overview

Oracle Access Manager 11g Objectives
• Provide foundation for Access Management Suite
• Converge OAM, OSSO, and OpenSSO
• Provide new and advanced functionality to customers
• Tighten integrations

Oracle Access Manager 11g Key Features and Benefits
• Modular Architecture: Separated admin and runtime server to enable independent operations
• Secure Policy Model: Access is denied by default until policies are created to allow access
• Simplified Install & Config: One package to install and one series of steps to configure a simple working environment
• Session Management: Allows admin tracking and termination of user sessions
• Diagnostics & Monitoring: Allows administrators to monitor key operational metrics in real-time
• Central Agent Management: Administration console provides a holistic view of all agents and shows the server they are connected to
• Backwards Compatibility: Compatible with 10g webgates and 10g mod_osso
• Windows Native AuthN: Enables Windows desktop to web single sign-on
• Improved Utilities: Remote registration utility, remote access tester, and WLST cmds for policy operations

Oracle Access Manager 11g Architecture – Runtime Server
OAM Server components (diagram):
• Protocol Compatibility Framework
• Credential Collector
• SSO Engine
• Session Management
• Identity Provider
• AuthN Service
• AuthZ Service
• Token Processing
• Partner & Trust
• Policy Service
• Configuration Service
• Coherence Distributed Cache
• Oracle Platform Security Services

Oracle Access Manager 11g Administration Console
• Integrated Security Administration, Agent Administration

Access Manager 11gR2 Deployment Overview
(deployment diagram)

Access Manager 11gR2 Deployment Detail
(deployment diagram, tier by tier)
• Internet: External Client
• Firewall (Web Tier): Load Balancer; Web Hosts running OHS with WebGate
• Firewall (App Tier): App Hosts (WLS with AccessGate); IAM Hosts (WLS_OAM running OAM); IDM Hosts (Admin Server with Admin Console, WLS_ODSM with ODSM, EM)
• Firewall (Data Tier): LDAP Hosts (OVD, OID); DB Hosts (RAC Metadata DB for the OAM and OID schemas)

Access Manager 11gR2 Installation and Configuration
• Installation process
  • OAM 11g installs using Oracle Universal Installer (OUI)
  • The installation process copies all the software bits to the host machine
  • OUI does not perform product configuration
• Configuration process requires 2 steps
  • Database schema configuration using Repository Creation Utility (RCU)
  • Product configuration and deployment using WebLogic Configuration Wizard
• Oracle Support Note 340.1 provides a good starting point

Oracle Access Manager 11g Windows Native Authentication
• SPNEGO based credential validation for true Windows desktop to web single sign-on
• Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
• Does not need IIS based solution for WebGate
• WebGates and Oracle SSO protected applications need not run on Windows platform
• Can be enabled for a subset of protected applications
  • Internal vs External websites

Oracle Access Manager 11g Windows Native Authentication - Setup
• Basic steps are as follows:
  • Edit /etc/krb5.conf file
  • Create Service Principal Name
  • Obtain Kerberos Ticket
  • Set-up OAM Kerberos AuthN Module
  • Configure Kerberos AuthN Scheme for WNA
  • Register AD as OAM User Store
  • Verify OAM configuration (oam-config.xml)
  • Enable Kerberos in Web Browser
  • Test
• See OAM Admin Guide, Chapter 7

Oracle SSO v OAM 11gR2

Oracle Access Manager: Sample Oracle SSO Architecture
(architecture diagram)
• End User → Oracle HTTP Server with MOD_OSSO agent → Deployed Application on OC4J Application Server (local user store; application makes its own authentication decisions)
• MOD_OSSO → Oracle Single Sign-On Server for user authentication (LDAP authentication against Oracle Internet Directory, which holds the user data)
• Enterprise User Store → Oracle Internet Directory via user synchronization using Directory Integration Platform or Oracle Identity Manager

Oracle Access Manager: Key differences v OSSO
• OAM 11gR2: SSO, policy-based AuthN & AuthZ | OSSO: SSO and simple AuthN only
• OAM 11gR2: WebLogic Server-based | OSSO: OC4J-based
• OAM 11gR2: 3rd-Party LDAP server support | OSSO: Dependence on OID
• OAM 11gR2: Support for OSSO, OAM 10g, OAM 11g and OpenSSO agents via PCL | OSSO: Support for only OSSO agents (mod_osso)
• OAM 11gR2: Server-based session management | OSSO: Sessions via client cookies only
• OAM 11gR2: Cross-domain SSO is native | OSSO: Single network domain only
• OAM 11gR2: Native password policy (R2+) | OSSO: OIDDAS for password policy
• OAM 11gR2: Integration with OIM (optional) for User Self-Service | OSSO: OIDDAS for user self-service

OAM 11gR2: Migration and Coexistence with OSSO

Oracle Access Manager 11g OSSO 10g Upgrade
• Facilitated through AS Upgrade Assistant
• Process:
  • Install OAM 11g
  • Run Upgrade Assistant pointing to Oracle AS Single Sign-On 10.1.4.3
• Two modes:
  • Retain Ports: no changes required on partner sites
  • Change Ports: partner sites need new osso.conf which is generated by the Upgrade Assistant
• See Support Migration Advisor (note 343.1) and upgrade viewlet (note 1230123.1)

Co-existence: OAM11g & SSO 10g
• Supports OracleAS SSO 10g Release (10.1.2.0.2) through OracleAS SSO 10g Release (10.1.4.3.0)
• Co-existence requires same back-end user identity store: Oracle Internet Directory (OID)

Co-existence: OAM11g & SSO 10g
• mod_osso redirects requests to the 11g OAM Server for authentication through a proxy.
• mod_wl replaces mod_oc4j. mod_wl enables SSO to work without any changes on the OHS (without a proxy).

Co-existence: SSO between Partner Applications
• App1 upgraded to OAM11g
• User accessing App1: OAM sets the SSO cookie and updates session information accordingly.
• The cookie includes a flag indicating that an OSSO cookie must also exist for this cookie to be valid.
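As an added illustration (not Oracle's code), the following Python model shows the deny-by-default evaluation that the Secure Policy Model and the "policy-based AuthN & AuthZ" difference from OSSO describe: a request is denied unless a resource policy matches it and the session meets that policy's authentication level and group constraint. The pattern syntax, authentication levels, group names and sample policies are assumptions made for this example, not OAM's actual policy format.

```python
import re
from dataclasses import dataclass

# Illustrative model of deny-by-default access policy evaluation (not OAM code).
# Assumed pattern syntax: '*' matches within one path segment, '**' across segments.

@dataclass(frozen=True)
class Policy:
    resource: str            # URL pattern the policy protects
    authn_level: int         # minimum authentication level required (0 = anonymous)
    allowed_groups: frozenset  # groups granted access; empty means any authenticated user

def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate the assumed '*' / '**' pattern syntax into an anchored regex."""
    out = []
    for part in re.split(r"(\*\*|\*)", pattern):
        if part == "**":
            out.append(".*")
        elif part == "*":
            out.append("[^/]*")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")

def find_policy(policies, path):
    """Return the most specific (most literal characters) policy matching path, or None."""
    matches = [p for p in policies if _pattern_to_regex(p.resource).match(path)]
    if not matches:
        return None
    return max(matches, key=lambda p: len(p.resource.replace("*", "")))

def authorize(policies, path, session):
    """Deny-by-default decision. Returns (allowed, reason); session may be None."""
    policy = find_policy(policies, path)
    if policy is None:
        return False, "no policy covers resource; denied by default"
    level = session["authn_level"] if session else 0
    groups = session["groups"] if session else frozenset()
    if level < policy.authn_level:
        return False, "authentication level %d required" % policy.authn_level
    if policy.allowed_groups and not (policy.allowed_groups & groups):
        return False, "user not in an allowed group"
    return True, "allowed by policy " + policy.resource

# Constructed sample policies: a public area, an employee area, and a stricter sub-area.
POLICIES = [
    Policy("/public/**", 0, frozenset()),
    Policy("/hr/**", 1, frozenset({"employees"})),
    Policy("/hr/payroll/*", 2, frozenset({"payroll-admins"})),
]
```

A resource with no matching policy (for example /finance/report) is denied even for a fully authenticated session, which is the behaviour the Secure Policy Model row describes.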
© Copyright 2024