Friday, December 22, 2017

Introduction To Oracle Access Manager (OAM), Oracle Identity Manager (OIM) And Oracle Internet Directory (OID)


Oracle Access Manager (OAM)

Oracle Access Manager (OAM) is a J2EE application, typically deployed on a dedicated managed server in a clustered WebLogic Server environment. An enterprise typically runs many applications for different purposes, and each of them conventionally has its own authentication and authorization functionality.

OAM provides a single point to control all resource grants in an enterprise where multiple applications exist on different platforms.

OAM provides:

-Single Sign On (SSO)
-Authentication
-Authorization
-Real time session management
-Auditing
-Policy Administration

Flaws in the conventional security model

In the conventional model every independent application in the enterprise (.NET, J2EE, SAP, WebCenter etc.) has its own authentication and authorization mechanism. The problems this creates are:

-Effectiveness of security
-Cost
-Inconsistency
-Security compliance
-Ease of use for users (no Single Sign On)
-Governance, support and management

Deployment: one of the web servers hosts the OAM agent (the WebGate). Requests for the other web servers are routed to this agent through a reverse proxy, so an OAM agent is not needed on every web server. The back-end web servers must then accept traffic only from the proxy, otherwise the agent can be bypassed.

The request goes to the OAM agent (WebGate), which redirects an unauthenticated user to the OAM server. OAM challenges the user for a user name and password and verifies them against the LDAP directory (AD or OID). Once the user is authenticated, OAM establishes a session and sends the user back; the WebGate then lets the request through to the underlying web server, subject to the authorization policy for that resource.
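The flow just described, as an added example (not Oracle's code and not the real OAM wire protocol): a toy WebGate that redirects unauthenticated requests to a login endpoint, an OAM-like server that verifies the password against a stand-in for the directory (OID/AD), issues an HMAC-signed session cookie and keeps a server-side session table so that logout revokes access immediately, and a per-resource authorization policy. The user records, the roles, the policy, the login URL and the cookie format are all constructed for the example.

```python
"""Toy model of the flow above: WebGate (agent) -> OAM server -> directory.
Added example; not Oracle code. Names, URL and cookie format are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed stand-in for the LDAP directory (OID or AD). It stores a salted
# password hash, never the clear-text password, plus the user's roles.
def _pw_hash(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

DIRECTORY = {
    "alice": {"salt": b"salt-1", "pw": _pw_hash(b"salt-1", "alice-pass"), "roles": {"hr-user"}},
    "bob":   {"salt": b"salt-2", "pw": _pw_hash(b"salt-2", "bob-pass"),   "roles": {"finance-user"}},
}

# Constructed policy: URL prefix -> roles allowed (None = unprotected resource).
POLICIES = {"/hr/": {"hr-user"}, "/finance/": {"finance-user"}, "/public/": None}

LOGIN_URL = "https://oam.example.com/login"   # hypothetical OAM login endpoint


class OAMServer:
    """Stand-in for the OAM managed server: authenticates against the directory,
    keeps a server-side session table (so sessions can be revoked in real time)
    and issues an HMAC-signed SSO cookie that every WebGate can verify."""

    def __init__(self, cookie_key: bytes) -> None:
        self.key = cookie_key
        self.sessions = {}          # session id -> uid

    def _sign(self, body: str) -> str:
        return hmac.new(self.key, body.encode("ascii"), hashlib.sha256).hexdigest()

    def authenticate(self, uid: str, password: str):
        """Directory bind. Returns an SSO cookie on success, None on failure."""
        entry = DIRECTORY.get(uid)
        if entry is None or not hmac.compare_digest(_pw_hash(entry["salt"], password), entry["pw"]):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = uid
        body = base64.urlsafe_b64encode(json.dumps({"sid": sid, "uid": uid}).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def validate(self, cookie: str):
        """Return the uid for a cookie that is intact AND backed by a live session."""
        body, _, sig = cookie.partition(".")
        if not sig or not hmac.compare_digest(sig, self._sign(body)):
            return None                                  # forged or tampered cookie
        claims = json.loads(base64.urlsafe_b64decode(body))
        if self.sessions.get(claims["sid"]) != claims["uid"]:
            return None                                  # logged out / revoked
        return claims["uid"]

    def logout(self, cookie: str) -> None:
        body, _, _ = cookie.partition(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
        self.sessions.pop(claims["sid"], None)           # cookie is now worthless


class WebGate:
    """Stand-in for the OAM agent sitting in front of a web server."""

    def __init__(self, oam: OAMServer) -> None:
        self.oam = oam

    def handle(self, path: str, cookie=None):
        """Return (status, detail): 200 with the uid, 302 with the redirect, or 403."""
        matched = [p for p in POLICIES if path.startswith(p)]
        if not matched:
            return ("403", "no policy")                  # default deny for unlisted resources
        allowed_roles = POLICIES[max(matched, key=len)]  # longest prefix wins
        if allowed_roles is None:
            return ("200", "anonymous")
        uid = self.oam.validate(cookie) if cookie else None
        if uid is None:
            return ("302", f"{LOGIN_URL}?{urlencode({'return': path})}")  # challenge
        if DIRECTORY[uid]["roles"] & allowed_roles:
            return ("200", uid)
        return ("403", uid)


if __name__ == "__main__":
    oam, gate = OAMServer(b"demo-key"), WebGate(OAMServer(b"demo-key"))
    gate = WebGate(oam)
    print(gate.handle("/hr/payslips"))                    # 302 to the login URL
    c = oam.authenticate("alice", "alice-pass")
    print(gate.handle("/hr/payslips", c), gate.handle("/finance/ledger", c))
```

Two design points carry over to a real deployment: the gate never treats the mere presence of a cookie as proof of anything (it checks the signature and then asks the server whether the session is still alive, which is what makes logout and administrative session termination take effect immediately), and a resource with no policy is denied rather than passed through.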


Oracle Identity Manager (OIM)

Oracle Identity Manager (OIM) provides a mechanism for implementing the user-management aspects of a corporate policy. It is also a means to audit users and their access privileges. OIM lets an enterprise manage the entire user life cycle across all enterprise resources, both inside and beyond the firewall.

The OIM application is deployed on a WebLogic managed server in the domain, and a second managed server in the same domain hosts SOA Infra. OIM uses this SOA server to run the workflow-based approvals for user provisioning; in the real world every provisioning request has an approval chain.

The OIM server is a J2EE application. User provisioning is done in OIM, which integrates it with all the other applications.

OIM does life-cycle management of an identity (generally a user, e.g. an employee).

Take the example of an employee joining an organization. He or she needs access to various applications. HR typically creates the employee in the HRMS on the joining date. The manager then raises user-ID creation requests for this new employee in email, the timesheet app, the CRM, the leave-management app etc. With OIM this provisioning can be done automatically or manually from a single point.

OIM provides unified access control for all the applications in the enterprise. Once the employee leaves, the manager need only log on to OIM and delete the employee's accounts (soft delete, i.e. disable, or hard delete, i.e. remove) from the various applications. This deprovisioning step is where a central tool earns its keep: without one, accounts in rarely used applications tend to outlive the employee.

OIM integrates with the other applications through SOA Suite and the respective JCA adapters.
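The joiner, approval and leaver steps above, as an added example (not Oracle code and not OIM's API): an HR feed drives automatic provisioning according to a department-based access policy, extra access goes through an approval step that refuses self-approval, a terminated employee is soft-deleted (disabled everywhere) before any hard delete, and a reconciliation pass lists enabled accounts that no active identity accounts for. The application names, the feed format, the policy and the employees are all constructed for the example.

```python
"""Toy model of OIM-style identity life-cycle management. Added example, not
Oracle code; systems, feed format, policy and people are made up."""

# Constructed access policy: department -> accounts every member gets automatically.
ACCESS_POLICY = {
    "HR":      {"email", "timesheet", "leave-mgmt"},
    "Finance": {"email", "timesheet", "crm"},
}

# Constructed HR feed, the authoritative source for joiners and leavers.
HR_FEED = [
    {"emp_id": "E100", "uid": "alice", "dept": "HR",      "status": "active"},
    {"emp_id": "E101", "uid": "bob",   "dept": "Finance", "status": "active"},
]


class TargetApp:
    """Stand-in for one target application reached through a connector/adapter."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}          # uid -> "enabled" | "disabled"

    def create(self, uid):
        self.accounts[uid] = "enabled"

    def disable(self, uid):
        if uid in self.accounts:
            self.accounts[uid] = "disabled"

    def delete(self, uid):
        self.accounts.pop(uid, None)


class IdentityManager:
    def __init__(self, apps):
        self.apps = {a.name: a for a in apps}
        self.identities = {}        # uid -> {"dept": ..., "status": active|disabled|deleted}
        self.requests = []          # access requests handed to the approval workflow

    # Joiner / leaver, driven by the HR feed.
    def reconcile_hr(self, feed):
        for rec in feed:
            uid, status = rec["uid"], rec["status"]
            if status == "active" and uid not in self.identities:
                self.identities[uid] = {"dept": rec["dept"], "status": "active"}
                for app in ACCESS_POLICY.get(rec["dept"], ()):
                    self.apps[app].create(uid)          # automatic provisioning
            elif status == "terminated" and self.identities.get(uid, {}).get("status") == "active":
                self.deprovision(uid, hard=False)       # soft delete first

    def deprovision(self, uid, hard):
        for app in self.apps.values():
            (app.delete if hard else app.disable)(uid)
        self.identities[uid]["status"] = "deleted" if hard else "disabled"

    # Manual request with approval (what OIM hands to the SOA workflow).
    def request_access(self, requester, uid, app):
        req = {"id": len(self.requests) + 1, "requester": requester,
               "uid": uid, "app": app, "state": "pending"}
        self.requests.append(req)
        return req["id"]

    def approve(self, req_id, approver):
        req = self.requests[req_id - 1]
        if req["state"] != "pending" or approver == req["requester"]:
            return False                                 # no replay, no self-approval
        if self.identities.get(req["uid"], {}).get("status") != "active":
            return False                                 # never grant to a leaver
        self.apps[req["app"]].create(req["uid"])
        req["state"] = "approved"
        return True

    # Reconciliation: enabled accounts with no active identity behind them.
    def orphan_accounts(self):
        orphans = []
        for app in self.apps.values():
            for uid, state in app.accounts.items():
                if state == "enabled" and self.identities.get(uid, {}).get("status") != "active":
                    orphans.append((app.name, uid))
        return sorted(orphans)

    def accounts_of(self, uid):
        return {a.name: a.accounts[uid] for a in self.apps.values() if uid in a.accounts}


if __name__ == "__main__":
    oim = IdentityManager([TargetApp(n) for n in ("email", "timesheet", "leave-mgmt", "crm")])
    oim.reconcile_hr(HR_FEED)
    print(oim.accounts_of("alice"), oim.orphan_accounts())
```

The orphan check is the part most often missing in home-grown provisioning: an account created directly in a target system, or one left behind after a manual termination, shows up here because no active identity claims it.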


Oracle Internet Directory (OID)

This is a directory of objects. For example, for the employees of an organization the directory holds details such as name, designation, enterprise roles, application-specific roles, and security credentials such as the password and password-reminder questions. An online directory is a specialized database that stores and retrieves collections of information about objects; the information can represent any resource that requires management.

-This is typically the single source of truth for information about the employees of an organization.

-Various applications query OID to authenticate and authorize users. Typically, OID is integrated with OAM.

-OID is Oracle's LDAP implementation. Active Directory (AD) is Microsoft's implementation of the same kind of solution.

-OID uses an Oracle Database for storage of all the information above.

-The information in the directory is available to different clients, such as single sign-on solutions, email clients, and database applications. Clients communicate with the directory server by means of the Lightweight Directory Access Protocol (LDAP).
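What an application actually handles when it authenticates a user against the directory, as an added example (not Oracle code; the entry, its attribute values and the salt are constructed): the userPassword attribute stored as a {SSHA} salted hash (one of the schemes LDAP directories use for this attribute, so the clear-text password is never in the directory), a simple-bind style password check against it, and a search filter built from user-supplied input with RFC 4515 escaping so that input such as `*)(uid=*` cannot widen the query to every entry.

```python
"""Directory-side view: {SSHA} userPassword, bind check, safe search filter.
Added example, not Oracle code; the sample entry is constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password in the {SSHA} form used for the LDAP userPassword
    attribute: base64( SHA-1(password || salt) || salt )."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]                    # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


# RFC 4515 escaping for values placed inside a search filter. Each character is
# mapped once, so a backslash in the input cannot undo an earlier escape.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(uid: str) -> str:
    """Filter an application would send to find one person by login name."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


# Constructed sample entry, roughly what the directory returns for one employee.
SAMPLE_ENTRY = {
    "dn": "uid=alice,cn=Users,dc=example,dc=com",
    "objectClass": ["inetOrgPerson"],
    "uid": "alice",
    "cn": "Alice Example",
    "sn": "Example",
    "title": "HR Analyst",
    "userPassword": ssha_hash("alice-pass", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
}


def simple_bind(entry: dict, password: str) -> bool:
    """What the directory does on a simple bind: compare the offered password
    with the stored hash. A real client sends the bind over LDAPS; nothing here
    goes on the wire."""
    return ssha_verify(password, entry["userPassword"])


if __name__ == "__main__":
    print(SAMPLE_ENTRY["userPassword"])                  # hash, not the password
    print(simple_bind(SAMPLE_ENTRY, "alice-pass"), simple_bind(SAMPLE_ENTRY, "guess"))
    print(user_search_filter("*)(uid=*"))                 # special characters escaped
```

Two things to carry over: applications that integrate with the directory should bind as the user (or let OAM do it) rather than fetch userPassword and compare it themselves, and any value interpolated into a filter or a DN must be escaped, because the directory, not the application, is what interprets the filter syntax.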
