Oracle Single Sign-On to Oracle Access Manager Migration – Rob Otto

<Insert Picture Here>
Oracle Single Sign-On to Oracle Access Manager
Migration
Rob Otto – Oracle Consulting Services UK
The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remain at the sole discretion of Oracle.
-2-
Agenda
•
•
•
•
•
Access Management introduction
Oracle Access Manager 11gR2 Overview
Oracle SSO v OAM 11gR2
OAM 11gR2- Migration and Coexistence with OSSO
Q&A
-3-
<Insert Picture Here>
Access Management Introduction
-4-
Identity Management Portfolio – 11gR2
Modern, Innovative & Integrated
Governance
Access
Directory
Password Reset
Web Single Sign-on
LDAP Storage
Privileged Accounts
Federation
Virtual Directory
Access Request
Mobile, Social & Cloud
Meta Directory
Roles Based Provisioning
External Authorization
Role Mining
SOA Security
Attestation
Integrated ESSO
Separation of Duties
Token Services
Fraud Detection
Platform Security Services
-5-
Taking a Platform Approach
Building on Components of Fusion Middleware
User Interface
Customization
Performance
Fusion Middleware
-6-
Oracle Access Management
Access Management
• Authentication
• Single Sign-On
• Federation
• Fraud Prevention
• Authorization & Entitlements
• Web Services Security
• Secure Token Services
• Comprehensive security for
applications, data, and web
services
• End-to-end authentication,
single sign-on, and fine
grained application protection
• Innovative anomaly detection,
transaction security, and
multi-factor authentication
• Extensive 3rd party
integrations
-7-
Oracle Access Management Suite Plus
Entitlements Server
Adaptive Access Manager
• Entitlements
Management
• Risk-based
Authentication
• Fine Grained
Authorization
• Real-time Fraud
Prevention
Access Manager
• Web Access Control
• Single Sign-On
Identity Federation
Secure Token Services
• Partner SSO & Identity
Federation
• Security Token
Management
• Fedlet SP integration
• Identity Propagation
-8-
Oracle Access Management
Blueprint Architecture
-9-
<Insert Picture Here>
Oracle Access Manager 11gR2
Overview
- 10 -
Oracle Access Manager 11g
Objectives
• Provide foundation for Access Management Suite
• Converge OAM, OSSO, and OpenSSO
• Provide new and advanced functionality to customers
• Tighten integrations
- 11 -
Oracle Access Manager 11g
Key Features
Benefits
Modular Architecture
Separated admin and runtime server to enable
independent operations
Secure Policy Model
Access is denied by default until policies are created to
allow access
Simplified Install & Config One package to install and one series of steps to
configure a simple working environment
Session Management
Allows admin tracking and termination of user sessions
Diagnostics & Monitoring
Allows administrators to monitor key operational
metrics in real-time
Central Agent
Management
Administration console provides a holistic view of all
agents and shows the server they are connected to
Backwards Compatibility
Compatible with 10g webgates and 10g mod_osso
Windows Native AuthN
Enables Windows desktop to web single sign-on
Improved Utilities
Remote registration utility, remote access tester, and
WLST cmds for policy operations
- 12 -
Oracle Access Manager 11g
Architecture – Runtime Server
Protocol Compatibility Framework
Credential
Collector
SSO Engine
Session
Management
Identity
Provider
AuthN
Service
OAM Server
Token
Processing
AuthZ
Service
Partner &
Trust
Policy Service
Configuration Service
Coherence Distributed Cache
Oracle Platform Security Services
- 13 -
Oracle Access Manager 11g
Administration Console
• Integrated Security Administration, Agent Administration
- 14 -
Access Manager 11gR2
Deployment Overview
- 15 -
Access Manager 11gR2
Deployment Detail
Internet
External
Client
Firewall
(Web Tier)
Protected
Load Balancer
WebHosts
OHS
WebGate
Web Hosts
OHS
WebGate
Firewall
(App Tier)
AppHosts
IAM Hosts
WLS
AccessGate
WLS_OAM
OAM
IDMHosts
Admin Server
Admin Console
Admin Server
Admin Console
WLS_ODS
M
ODSM
EM
Firewall
(Data Tier)
LDAP Hosts
OVD
DB Hosts
RAC
OID
Metadata DB
(OAM, OID, Schema)
- 16 -
Access Manager 11gR2
Installation and Configuration
• Installation process
• OAM 11g installs using Oracle Universal Installer (OUI)
• The installation process copies all the software bits to the host
machine
• OUI does not perform product configuration
• Configuration process requires 2 steps
• Database schema configuration using Repository Creation
Utility (RCU)
• Product configuration and deployment using WebLogic
Configuration Wizard
• Oracle Support Note 340.1 provides a good starting point
- 17 -
Oracle Access Manager 11g
Windows Native Authentication
• SPNEGO based credential validation for true Windows
desktop to web single sign-on
• Allows single sign-on for WebGate and Oracle SSO protected
applications simultaneously
• Does not need IIS based solution for WebGate
• WebGates and Oracle SSO protected applications need
not run on Windows platform
• Can be enabled for a subset of protected applications
• Internal vs External websites
- 18 -
Oracle Access Manager 11g
Windows Native Authentication - Setup
• Basic steps are as follows:
• Edit /etc/krb5.conf file
• Create Service Principal Name
• Obtain Kerberos Ticket
• Set-up OAM Kerberos AuthN Module
• Configure Kerberos AuthN Scheme for WNA
• Register AD as OAM User Store
• Verify OAM configuration (oam-config.xml)
• Enable Kerberos in Web Browser
• Test
• See OAM Admin Guide, Chapter 7 (link here)
- 19 -
<Insert Picture Here>
Oracle SSO v OAM 11gR2
- 20 -
Oracle Access Manager
Sample Oracle SSO Architecture
Oracle HTTP Server
Deployed
Application
MOD_OSSO agent
Local User
Store
Authentication
End User
Authentication
Decisions
LDAP
Authentication
OC4J Application
Server
User
Authentication
Oracle Single Sign-On
Server
User Synchronization
User Data
Oracle Internet Directory
Directory Integration
Platform or Oracle
Identity Manager
Oracle Confidential – For Internal Use Only
Enterprise
User Store
Enterprise User Store
21- 21
Oracle Access Manager
Key differences v OSSO
OAM 11gR2
OSSO
SSO, policy-based AuthN & AuthZ
SSO and simple AuthN only
WebLogic Server-based
OC4J-based
3rd-Party LDAP server support
Dependence on OID
Support for OSSO, OAM 10g, OAM
11g and OpenSSO agents via PCL
Support for only OSSO agents
(mod_osso)
Server-based session management
Sessions via client cookies only
Cross-domain SSO is native
Single network domain only
Native password policy (R2+)
OIDDAS for password policy
Integration with OIM (optional) for User
Self-Service
OIDDAS for user self-service
- 22 -
<Insert Picture Here>
OAM 11gR2- Migration and
Coexistence with OSSO
- 23 -
Oracle Access Manager 11g
OSSO 10g Upgrade
• Facilitated through AS Upgrade Assistant
• Process:
• Install OAM 11g
• Run Upgrade Assistant pointing to Oracle AS Single-On
10.1.4.3
• Two modes:
• Retain Ports: no changes required on partner sites
• Change Ports: partner sites need new osso.conf which is
generated by the Upgrade Assistant
• See Support Migration Advisor (note 343.1) and upgrade
viewlet (note 1230123.1)
- 24 -
Co-existence: OAM11g & SSO 10g
Supports OracleAS SSO 10g Release (10.1.2.0.2) through
OracleAS SSO 10g Release (10.1.4.3.0)
Co-existence requires same back-end user identity store:
Oracle Internet Directory (OID)
- 25 -
Co-existence: OAM11g & SSO 10g
• mod_osso redirects requests to the 11g OAM Server for authentication
through a proxy.
• mod_wl replaces mod_oc4j. mod_wl enables SSO to work without any
changes on the OHS
Without Proxy
- 26 -
Co-existence: SSO between Partner
Applications
App1 upgraded to OAM11g
User accessing App1
OAM sets the SSO cookie and
updates session information
accordingly.
The cookie includes a flag
indicating that an OSSO
cookie must also exist for this
cookie to be valid.
- 27 -
- 28 -
- 29 -