Access Manager 11gR2

Report
R2
Access Manager 11gR2 (11.1.2.0.0) Technical Presentation
Venu Shastri
Senior Principal Product Manager
Identity Management, Oracle
Agenda
• Overview
• Key Features
• Architecture & Deployment
• Extensibility & Integrations
• Q&A
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
2
Agenda
• Overview
• Key Features
• Architecture & Deployment
• Extensibility & Integrations
• Q&A
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
3
Access Management Platform – 11gR2
Complete & Scalable
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
4
Access Manager 11gR2
Objectives
• Provide scalable foundation for Access Management Platform
• Converge OAM10g, OSSO, and OpenSSO
• Provide new and advanced functionality to customers
• Tighten integrations
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
5
Access Manager 11gR2
Key Features
•
•
•
•
•
•
•
•
Simplified Web Single Sign On (SSO)
Authentication and Authorization
Centralized Policy Administration
Advanced Session Management
Centralized Agent Management
Native Password Management
Windows Native Authentication
Comprehensive Auditing and Logging
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
6
Access Manager 11gR2
Benefits
• Centralized policy management and auditing reduces cost and improves
compliance.
• Support for access management in a complex, heterogeneous
environment reduces total cost of ownership and accelerates deployment.
• Flexible and powerful policy model allow organizations to meet complex
access management needs.
• Scalable deployment model supports most demanding, internet scale
deployments.
• Extensible architecture enables easy customization to meet organization
specific requirements.
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
7
Access Manager 11gR2
Deployment Overview
Copyright © 2011, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
8
Agenda
• Overview
• Key Features
• Architecture & Deployment
• Extensibility & Integrations
• Q&A
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
9
Access Manager 11gR2
Policy Model
• Enhanced security
• Closed world – access is denied to resources unless a policy
specifically allows access
• Resource simplification
• No URL Prefixes – resources are defined as complete URL
patterns (“*” and “…”) associated with host id and used to
determine the sole policy applicable to a request
• Responses
• Expression based responses that are powerful
• Ability to return user, request, and session information
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
10
Access Manager 11gR2
Policy Model
Access
Manager
Authentication
Schemes
Resource Types
Application Domains
Host
Identifiers
Authentication Modules
Policies
Resources
Legend
Authentication Policies
Authorization Policies
- Relationship: One-to-Many
- Relationship: Many-to-Many
- External Dependencies
- Relationship: Containment
Identity Store
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
11
Access Manager 11gR2
Policy Model Enhancements
•
•
•
•
Multiple IP Ranges
Wildcard enhancements
Resource Operation/Custom Types
Authorization expressions
• AND, OR, NOT
• ( and ) – precedence indicators
• User Attribute Condition
• LDAP Filter / Search
• Enables creation of more complex and flexible authorization
constraints that deals only with LDAP attributes
• Session Attribute Condition
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
12
Access Manager 11gR2
Policy Model Enhancements – LDAP Query/Filter Condition
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
13
Access Manager 11gR2
Policy Model Enhancements – Complex Expressions
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
14
Access Manager 11gR2
Session Management
• Stateful sessions with detailed security context information that can be further
propagated
• Tracks active user sessions using a high performance distributed cache
• Admin can specify Session Lifetime & Idle Timeout globally
• Admin can limit the number of concurrent sessions a user can have at one time
• Out-of-band session termination
• Prevents unauthorized access to systems when a user has been terminated
• Can be done with or without persistent storage
• Provides automatic session failover
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
15
Access Manager 11gR2
Session Management
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
16
Access Manager 11gR2
Windows Native Authentication
• SPNEGO based credential validation for true Windows desktop to
web single sign-on
• Allows single sign-on for WebGate and Oracle SSO protected
applications simultaneously
• Does not need IIS based solution for WebGate
• WebGates and Oracle SSO protected applications need not run
on Windows platform
• Can be enabled for a subset of protected applications
• Internal vs External websites
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
17
Access Manager 11gR2
Embedded Credential Collection
• OAM 11g collects credentials at the runtime server
• Login pages are presented by the OAM runtime servers
• OAM runtime servers can redirect to login pages located
in a separate web server
• Regardless of where the login pages are, credentials are
sent to the OAM runtime servers for collection
• Sample Login pages are provided out-of-the-box
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
18
Access Manager 11gR2
Detached Credential Collector
• Extends 11g Webgate with an option to enable Credential Collection capability
(Authentication Gate)
• Back Channel communications use OAP protocol whilst Front channel uses HTTPS
• Decouples credential collection from Server
• Provides flexibility to place DCC anywhere in the DMZ
• More security. End-user HTTP sessions get terminated at DMZ
• Reduces overhead on server. Improves performance
Oracle Confidential – Do Not Distribute
19
Access Manager 11gR2
Detached Credential Collector
Oracle Confidential – Do Not Distribute
20
Access Manager 11gR2
Password Management
• Native password management for simple password mgmt requirements
• In-band Password Capability
• Password Warning
• Forced Password Reset(expired / reset)
• Password Policy Enforcement
• Password Composition Rules
• Password History
• Account Lockout
• OAM – OIM Password Integration still supported
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
21
Access Manager 11gR2
Password Management
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
22
Access Manager 11gR2
Centralized Agent Management
• One administration console to manage all agents within the deployment
• Simultaneously manage and configure mod_osso, OAM 10g webgates, OpenSSO
Agents and OAM 11g webgates
• Operational status of each individual agent can be monitored
• Agent hostname, IP address, connected server, number of active connections,
average operation latency, and more…
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
23
Access Manager 11gR2
Centralized Agent Management
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
24
Access Manager 11gR2
11g WebGate
• 11g Cookie is hosted scoped
• Cookie Encryption for each 11g WebGate is unique to that
WebGate
• Authorization Caching
• Resource to Authorization Policy
• Authorization Result
• Diagnostic page
• OUI Installer that lays out a WebGate package depending on
platform used
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
25
Access Manager 11gR2
Utilities
• Remote Registration Tool
• Application administrators can register agents without the help of
the Security team
• Policy objects can be automatically created to protect resources of
a given application at registration time
• Access Tester Tool
• Simulates resource requests to ensure policy evaluates correctly
• Uncovers network issues that impact webgates or mod_osso
agents due to the tool’s remote nature
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
26
Access Manager 11gR2
Access Tester Tool
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
27
Access Manager 11gR2
Logging and Auditing
• Logging
• Centralized log management via Enterprise Manager (EM)
• Graphical tools for configuring and viewing logs (EM)
• Multiple logging levels
• Auditing
• Standardized auditing across FMW components
• Common Audit Framework allows audit logs to be directed and
persisted into an audit database
• Reports generated via Oracle BI Publisher
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
28
Agenda
• Overview
• Key Features
• Architecture & Deployment
• Extensibility & Integrations
• Q&A
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
29
Access Manager 11gR2
Internal Architecture
Protocol Compatibility Framework
Credential
Collector
Session
Management
SSO Engine
AuthN Service
OAM Server
Identity Provider
Token
Processing
AuthZ Service
Partner & Trust
Policy Service
Configuration Service
Coherence Distributed Cache
Oracle Platform Security Services
Copyright © 2011, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
30
Access Manager 11gR2
Installation and Configuration
• Installation process
• OAM 11g installs using Oracle Universal Installer (OUI)
• The installation process copies all the software bits to the host
machine
• OUI does not perform product configuration
• Configuration process requires 2 steps
• Database schema configuration using Repository Creation Utility
(RCU)
• Product configuration and deployment using WebLogic
Configuration Wizard
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
31
Access Manager 11gR2
Deployment on WebLogic Cluster
Copyright © 2011, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
32
Access Manager 11gR2
Multi-data-center Deployment
• Supporting Active - Active, Active - Passive or Active - Hot Standby
deployments
• Enables seamless user SSO across data centers with session
continuity
• Follows Master-Slave configuration for Access Manager deployment
across Data-Centers. Policy and configuration keeps in sync via T2P
processes.
• Behavior is configurable based on Session Adoption Policy
• Re-authentication Required – True/False
• Remote Session Invalidation - True/False
• On-Demand Session Data Retrieval - True/False
Oracle Confidential – Do Not Distribute
33
Access Manager 11gR2
Multi-data-center Deployment – Active/Active
User 1
User 2
(Geo-location 1)
(Geo-location 2)
OAM Cookie
OAM Cookie
DC=DC1
DC=DC2
Global Load Balancer
Active
Active
Stand-by
Stand-by
Access Manager Cluster in
Data-Center 1
(Master)
Access Manager Cluster in
Synchronized using T2P
Process
Oracle Confidential – Do Not Distribute
Data-Center 2
(Slave)
34
Access Manager 11gR2
Multi-data-center Deployment – Active/Active
User 2
User 1
(Geo-location 2)
(Geo-location 1)
OAM Cookie
OAM Cookie
DC=DC1
DC=DC2
DC=DC2
Global Load Balancer
Re-authenticate User
Data-Center 1 is down or
over-loaded
Access Manager Cluster in
Back-channel OAP call
Data-Center 1
(Master)
Access Manager Cluster in
Data-Center 2
Retrieve Remote Session Data
(Slave)
Invalidate Remote Session
Oracle Confidential – Do Not Distribute
35
Agenda
• Overview
• Key Features
• Architecture & Deployment
• Extensibility & Integrations
• Q&A
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
36
Access Manager 11gR2
Extensibility
• Authentication Extensibility Framework
• Allows for customized authentication modules to be plugged into
the system
• Includes Java SDK tooling for users to create customized
modules
• Pure Java based ASDK
• Includes authentication services and authorization services
• One platform independent package
• Includes APIs for the extended protocol-level op codes
• Backward compatible against OAM 10g
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
37
Access Manager 11gR2
Key IDM Integrations
OAM
OAM
Copyright © 2011, Oracle and/or its affiliates. All right
OSTS
Federation
Identity
Propagation
Federated
SSO
Oracle Confidential – Do Not Distribute
• SSO to web services
• Issuance and validation of web service
tokens
• Identity propagation from federated
partners into the local environment
• Simplify authentication flows
38
Access Manager 11gR2
Key IDM Integrations
OAM
OAM
OAAM
Copyright © 2011, Oracle and/or its affiliates. All right
OAAM
OIM
Authentication
End-to-End
Oracle Confidential – Do Not Distribute
• Reinforce password Authentication
• Risk-based authentication
• Secure self-service flows
• Increase security and usability
• Consistent user experience
39
Access Manager 11gR2
New Platform and Integration Support
• New platform support
• Solaris x64, AIX 7.1, and Oracle Linux 6.x / RHEL 6.x
• 3rd party integrations
• Microsoft SharePoint 2010
• RSA Authentication Manager 7.1
• JBoss 5.1.0
• Microsoft Outlook Web Application (OWA) 2010 – Post R2
• Microsoft Forefront TMG 2010 – Post R2
• SAP Portal 7.0 – Post R2
• IBM WebSphere Portal 7.0 – Post R2
Oracle Confidential – Do Not Distribute
40
Copyright © 2012, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
41
Copyright © 2011, Oracle and/or its affiliates. All right
Oracle Confidential – Do Not Distribute
42

similar documents