The Oracle Identity Management products enable you to manage data about users, devices, and services in an accurate, secure, and cost-effective manner. You use these products to configure and manage the identity data, to synchronize or combine data from different sources, and to share data between domains. These products also enable you to ensure that only users with valid credentials can access online resources. Oracle offers a variety of Identity Management products. Four of these products are included in Oracle Fusion Middleware 11g Release 1.


What do you want to do?

  • Learn the basics.
  • Learn to administer the Oracle Identity Management products.

If you are new to Oracle Identity Management, be sure to visit the Learn the basics about Oracle Identity Management 11g Release 1 section. It will introduce you to terms and concepts essential to using the Suite.

Getting Started with Oracle Identity Management

The following Identity Management products are included in Oracle Fusion Middleware 11g Release 1 and can be installed and set up using one installation CD:

  • Oracle Internet Directory: Add, find, and manage information about users, groups, and other objects.
  • Oracle Directory Integration Platform: Share data in Oracle Internet Directory with other directory servers and applications.
  • Oracle Virtual Directory: Enable applications to make use of data from different vendors' enterprise data sources, including directory servers and databases, as if only one type was in use.
  • Oracle Identity Federation: Access protected services provided by your partners while retaining full control over your users' identities. Enable your authenticated users of partner sites to access your protected services.



An online directory is a specialized database that stores and retrieves collections of information about objects. The information can represent any resources that require management, for example:

  • Employee names, titles, and security credentials
  • Information about partners
  • Information about shared resources such as conference rooms and printers.

The information in the directory is available to different clients, such as single sign-on solutions, email clients, and database applications. Clients communicate with a directory server by means of the Lightweight Directory Access Protocol (LDAP). Oracle Internet Directory is an LDAP directory that uses an Oracle Database for storage.



Administrators and users can manage specific types of directory data. For example, an HR database administrator can manage users' titles and salaries. By using a self-service administration system, end users can also update their own addresses, phone numbers, and other personal information in the directory. This information is immediately available to applications that derive data from the directory.




Entries in an LDAP directory are arranged in a hierarchy known as a directory information tree (DIT). Each individual entry in the directory has a specific location in the DIT that is uniquely identified by a distinguished name (DN). The distinguished name tells you exactly where the entry resides in the directory hierarchy. The graphic shows a DIT with two users named Anne Smith. The DN for the Anne Smith on the left is:


cn=Anne Smith, ou=Sales, c=us

The DN for the Anne Smith on the right is:

cn=Anne Smith, ou=Sales, c=uk


In an LDAP directory, entry attributes contain specific pieces of information about the entry. Attributes for an employee can include, for example, name, employee ID, phone number and e-mail address.
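The DN format described above, as an added example that is not part of the Oracle documentation: a small Python parser that splits a DN into its RDNs, leaf first, and shows that the two Anne Smith entries share a leaf RDN but sit at different positions in the DIT. The function names are my own; the backslash escape rule follows RFC 4514.

```python
# Added example, not from the Oracle documentation: split an LDAP
# distinguished name into its relative distinguished names (RDNs), leaf first.
from typing import List, Tuple

Rdn = Tuple[str, str]   # (attribute type, attribute value)


def parse_dn(dn: str) -> List[Rdn]:
    """Parse a DN such as "cn=Anne Smith, ou=Sales, c=us".

    An RFC 4514 backslash escape keeps a comma inside a value from starting
    a new RDN; multi-valued RDNs (a=1+b=2) are not handled here.
    """
    rdns: List[Rdn] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends this RDN
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_split_rdn("".join(buf)))
    return rdns


def _split_rdn(text: str) -> Rdn:
    attr, sep, value = text.strip().partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {text!r}")
    return attr.strip().lower(), value.strip()


def parent_dn(rdns: List[Rdn]) -> str:
    """DN of the entry's parent in the DIT: everything above the leaf RDN."""
    return ",".join(f"{a}={v}" for a, v in rdns[1:])


if __name__ == "__main__":
    left = parse_dn("cn=Anne Smith, ou=Sales, c=us")
    right = parse_dn("cn=Anne Smith, ou=Sales, c=uk")
    print(left[0] == right[0])                       # same leaf RDN
    print(parent_dn(left), "|", parent_dn(right))    # different positions in the DIT
```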


You can store password policies as entries in Oracle Internet Directory. Then single sign-on solutions that use LDAP adhere to those policies.


There are many password policy attributes you can specify. For example:

  • Maximum length of time a given password is valid
  • Minimum and maximum time between password changes
  • Grace period for logins after password expiration
  • Whether to lock out a user after a certain number of invalid login attempts

In the example, a user attempts to access an application that is protected by a single sign-on solution that uses passwords stored in Oracle Internet Directory. If the password has expired or the account is locked, the login attempt will fail.
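The login check just described, as an added example that is not Oracle's code: a policy evaluator that applies the listed attributes (maximum password age, minimum age between changes, grace logins after expiry, lockout after repeated failures) to an account's state. The attribute names pwdmaxage, pwdminage, pwdgraceloginlimit, pwdlockout and pwdmaxfailure are assumed here and follow the LDAP password-policy draft that Oracle Internet Directory's policy entries are modeled on; confirm them against the Oracle Internet Directory reference before relying on them.

```python
# Added example, not Oracle's code: the login check described above, applied
# to an account's state. Policy attribute names are assumed and follow the
# LDAP password-policy draft that Oracle Internet Directory is modeled on.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class PasswordPolicy:
    pwdmaxage: int = 90 * 86400     # seconds a password stays valid
    pwdminage: int = 86400          # seconds before it may be changed again
    pwdgraceloginlimit: int = 3     # logins still allowed after expiry
    pwdlockout: bool = True         # lock the account after repeated failures
    pwdmaxfailure: int = 5          # failures that trigger the lock

@dataclass
class Account:
    pwd_changed_time: datetime
    failed_attempts: int = 0
    grace_logins_used: int = 0
    locked: bool = False

def check_login(policy: PasswordPolicy, acct: Account, password_ok: bool,
                now: Optional[datetime] = None) -> str:
    """Return "ok", "ok (grace login)" or the reason the login is refused."""
    now = now or datetime.now(timezone.utc)
    if acct.locked:
        return "account locked"
    if not password_ok:
        acct.failed_attempts += 1
        if policy.pwdlockout and acct.failed_attempts >= policy.pwdmaxfailure:
            acct.locked = True
            return "account locked"
        return "invalid credentials"
    acct.failed_attempts = 0                 # a good password resets the counter
    age = (now - acct.pwd_changed_time).total_seconds()
    if age > policy.pwdmaxage:
        if acct.grace_logins_used < policy.pwdgraceloginlimit:
            acct.grace_logins_used += 1
            return "ok (grace login)"
        return "password expired"
    return "ok"

def may_change_password(policy: PasswordPolicy, acct: Account,
                        now: Optional[datetime] = None) -> bool:
    """pwdminage: refuse a change until the current password is old enough."""
    now = now or datetime.now(timezone.utc)
    return (now - acct.pwd_changed_time).total_seconds() >= policy.pwdminage
```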


Oracle Internet Directory can contain connection information for all the databases. Users and applications use this information to access Oracle databases. Having this information in one place provides consistency across all hosts in an enterprise.


For distributed environments, an administrator can configure replication. Replication is the process of copying and maintaining the same information on multiple directory servers. Replication can improve performance by providing more servers to handle queries and by bringing the data closer to the client. It improves reliability by eliminating risks associated with a single point of failure.


To achieve a very comprehensive high availability configuration, you can configure Oracle Internet Directory to run on an Oracle RAC environment. This involves running Oracle Internet Directory instances and the Oracle Internet Directory-designated database on all the Oracle RAC nodes.


The Oracle Directory Integration Platform enables you to synchronize Oracle Internet Directory data with other data sources. You save time and resources by using Oracle Internet Directory as the central repository for different LDAP-enabled applications and connected directories. Synchronization can be one-way or two-way.


Oracle Directory Integration Platform enables you to develop and deploy connectivity agents to perform tasks such as synchronizing employee records in an HR database with Oracle Internet Directory.


Oracle Virtual Directory is an LDAP service that provides a single, abstracted view of enterprise directory servers and databases from a variety of vendors. Oracle Virtual Directory can serve as a single source of truth in an environment with multiple data sources.


Oracle Virtual Directory minimizes or eliminates the need to change existing infrastructure or applications when you add new ones, saving time and expense.

Data translation and joining capabilities allow you to create an integrated view of multiple data sources without changing their structure. This enables organizations to share the data that resides in their own repository while retaining full control of it and monitoring its usage. The sources can be separately owned and need not be synchronized. Users see only a single, logical LDAP tree, although there may be multiple data sources.

Oracle Virtual Directory provides adapters for connecting to a variety of data sources, including Oracle Internet Directory, other directories, and databases.


Oracle Identity Federation enables companies to provide services and share identity information across their respective security domains. The end user does not need to log in again to access a remote entity where business is conducted. Users authenticate at their local sites, and the federation mechanism enables this information to be shared. Enterprises do not need to manage the identities of users who are already known to a partner organization.



In this example, MyCorp and TravelClub have established a federated relationship. TravelClub is a partner organization providing access to travel services for employees of MyCorp corporation.


Mary, an employee of MyCorp, is planning a business trip. She accesses MyCorp's employee portal in her browser and logs in, and selects MyTravel Planner. The portal returns her personal page. Mary selects a link in the MyTravel Planner for TravelClub. TravelClub requests authentication for Mary from MyCorp, which returns the necessary identity information to the travel site. Mary is then automatically authenticated to the TravelClub site. TravelClub returns a page with Mary's travel account information.

When Mary is done, she can log out of both her TravelClub and MyCorp sessions using a single global logout feature at the MyCorp home page.


Oracle Identity Management components can be configured in a high-availability configuration.


In the configuration shown here, the Oracle HTTP Server instance installed on WEBHOST1 and the Oracle HTTP Server instance installed on WEBHOST2 are configured as a cluster. A load balancing router routes requests to the Oracle HTTP Server instances on WEBHOST1 and WEBHOST2.

The ODSM and DIP instances in the server WLS_ODS1 on IDMHOST1 and the ODSM and DIP instances in the server WLS_ODS2 on IDMHOST2 are configured as the CLUSTER_ODS cluster.

The Oracle Identity Federation instances in WLS_OIF1 on IDMHOST1 and in WLS_OIF2 on IDMHOST2 are configured as the CLUSTER_OIF cluster.

On OIDHOST1, a high availability solution connects the Oracle Internet Directory and Oracle Virtual Directory instances with the Oracle Real Application Clusters (RAC) database. The same is true on OIDHOST2.


The Oracle Internet Directory instances on OIDHOST1 and OIDHOST2 are configured as a cluster. The Oracle Virtual Directory instances on OIDHOST1 and OIDHOST2 are also configured as a cluster.




The following Oracle Identity Management products are packaged and installed separately:



  • Oracle Identity Manager is a provisioning system for automatically granting and revoking access to enterprise applications and managed systems.
  • Oracle Role Manager is an enterprise-class application for managing business and organizational relationships, roles, and entitlements.
  • Oracle Enterprise Single Sign-On is an access management system for delivering enterprise authentication and single sign-on for mainframe, client/server and Web applications.
  • Oracle Access Manager is a management system for configuring digital identities and controlling access to protected applications and content, primarily on the Web.
  • Oracle Adaptive Access Manager provides real-time fraud detection and multi-factor online authentication for enterprise web access.
  • Oracle Entitlements Server is a fine-grained entitlements management solution that externalizes and centralizes administration of enterprise entitlements, simplifies authorization policies, and enforces security decisions in distributed, heterogeneous applications.
  • Oracle Platform Security Services is a security framework that runs on Oracle WebLogic Server. It combines the security features of the WebLogic Server and the Oracle Application Server to provide application developers, system integrators, security administrators, and independent software vendors with a portable, integrated, and comprehensive security platform framework for Java SE and Java EE applications.
  • Oracle Identity Analytics is a compliance-focused product that uses a warehouse to consolidate, correlate, optimize, and protect identity data across all identity management components. It provides a transparent view of identity data and activities through dashboards, reports, and alerts, providing highly flexible analysis.


This topic has provided an overview of the Identity Management products in Oracle Fusion Middleware 11g Release 1. Click the Next button to go to the next topic, Administering Oracle Identity Management.

For more information, see the Oracle Technology Network.