Access Manager 11gR2 (11.1.2.0.0) Technical Presentation
Venu Shastri, Senior Principal Product Manager, Identity Management, Oracle

Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Oracle Confidential – Do Not Distribute

Agenda
• Overview
• Key Features
• Architecture & Deployment
• Extensibility & Integrations
• Q&A

Access Management Platform – 11gR2: Complete & Scalable
[platform overview diagram slide; no text content beyond the title]

Access Manager 11gR2 Objectives
• Provide a scalable foundation for the Access Management Platform
• Converge OAM 10g, OSSO, and OpenSSO
• Provide new and advanced functionality to customers
• Tighten integrations

Access Manager 11gR2 Key Features
• Simplified Web Single Sign-On (SSO)
• Authentication and Authorization
• Centralized Policy Administration
• Advanced Session Management
• Centralized Agent Management
• Native Password Management
• Windows Native Authentication
• Comprehensive Auditing and Logging

Access Manager 11gR2 Benefits
• Centralized policy management and auditing reduce cost and improve compliance.
• Support for access management in a complex, heterogeneous environment reduces total cost of ownership and accelerates deployment.
• A flexible and powerful policy model allows organizations to meet complex access management needs.
• A scalable deployment model supports the most demanding, internet-scale deployments.
• An extensible architecture enables easy customization to meet organization-specific requirements.
Access Manager 11gR2 Deployment Overview
[deployment diagram slide; no text content beyond the title]

Access Manager 11gR2 Policy Model
• Enhanced security
  • Closed world: access to a resource is denied unless a policy specifically allows it
• Resource simplification
  • No URL prefixes: resources are defined as complete URL patterns (using the "*" and "…" wildcards), associated with a host identifier, and used to determine the single policy applicable to a request
• Responses
  • Powerful, expression-based responses
  • Ability to return user, request, and session information

Access Manager 11gR2 Policy Model (diagram)
Objects shown: Access Manager, Authentication Schemes, Authentication Modules, Resource Types, Application Domains, Host Identifiers, Policies (Authentication Policies and Authorization Policies), Resources, and the Identity Store as an external dependency.
Legend: relationship types One-to-Many, Many-to-Many, Containment, and External Dependencies.

Access Manager 11gR2 Policy Model Enhancements
• Multiple IP ranges
• Wildcard enhancements
• Resource operation / custom types
• Authorization expressions
  • AND, OR, NOT
  • "(" and ")" as precedence indicators
• User Attribute Condition
  • LDAP filter / search
  • Enables the creation of more complex and flexible authorization constraints that deal only with LDAP attributes
• Session Attribute Condition
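A worked model of the policy slides above, added here as an illustration and not taken from the deck or from Oracle's product code: closed-world (deny unless a policy matches), complete URL patterns with "*" and "…" wildcards bound to a host identifier, selection of the single applicable policy, and an authorization expression over IP-range, LDAP-filter (user attribute) and session-attribute conditions combined with AND / OR / NOT and parentheses. The wildcard semantics ("*" stays within one path segment, "…" crosses segments), the most-literal-characters tie-break, and the equality-only LDAP filter are this example's assumptions; the host identifier, policies and request values are constructed.

```python
import ipaddress
import re
from collections import namedtuple

# Every name, pattern and sample value below is constructed for illustration.
Request = namedtuple("Request", "host_id url client_ip user_attrs session_attrs")
Policy = namedtuple("Policy", "host_id resource_pattern expression conditions")

def ip_range_condition(cidrs):
    """IP condition over multiple ranges (CIDR strings)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.client_ip) in n for n in nets)

def ldap_filter_condition(ldap_filter):
    """User Attribute Condition; only the '(attr=value)' equality form is modelled (assumption)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.groups()
    return lambda r: r.user_attrs.get(attr) == value

def session_attr_condition(attr, value):
    """Session Attribute Condition: exact match on an attribute of the user's session."""
    return lambda r: r.session_attrs.get(attr) == value

def pattern_to_regex(pattern):
    """Assumed wildcard semantics (not the product's documented rules): '*' matches any
    characters except '/' (one path segment); '...' or the ellipsis also matches '/'."""
    out, i, pattern = [], 0, pattern.replace("\u2026", "...")
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        else:
            out.append("[^/]*" if pattern[i] == "*" else re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def evaluate_expression(expr, conditions, req):
    """Recursive-descent evaluation of AND / OR / NOT with '(' ')' as precedence indicators.
    Both operands are always evaluated, so a misspelled condition name always raises."""
    tokens = re.findall(r"\(|\)|\w+", expr)
    peek = lambda: tokens[0] if tokens else None
    take = lambda: tokens.pop(0)
    def parse_or():
        v = parse_and()
        while peek() == "OR":
            take()
            v = parse_and() or v
        return v
    def parse_and():
        v = parse_not()
        while peek() == "AND":
            take()
            v = parse_not() and v
        return v
    def parse_not():
        if peek() == "NOT":
            take()
            return not parse_not()
        return parse_atom()
    def parse_atom():
        tok = take()
        if tok == "(":
            v = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return v
        if tok not in conditions:
            raise ValueError(f"unknown condition {tok!r}")
        return conditions[tok](req)
    result = parse_or()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return result

def find_policy(policies, req):
    """The single applicable policy: among patterns matching host id and URL, the one with
    the most literal (non-wildcard) characters wins (an assumed tie-break, not the product's)."""
    matches = [p for p in policies if p.host_id == req.host_id
               and pattern_to_regex(p.resource_pattern).match(req.url)]
    if not matches:
        return None
    return max(matches, key=lambda p: len(re.sub(r"\.\.\.|\u2026|\*", "", p.resource_pattern)))

def authorize(policies, req):
    """Closed world: no applicable policy means DENY; otherwise the policy's expression decides."""
    policy = find_policy(policies, req)
    return policy is not None and evaluate_expression(policy.expression, policy.conditions, req)

# Constructed application domain for the host identifier "intranet".
CORP_NET = ip_range_condition(["10.0.0.0/8", "192.168.0.0/16"])
POLICIES = [
    Policy("intranet", "/finance/...", "(FinanceDept OR Auditor) AND CorpNet AND NOT WeakAuth",
           {"FinanceDept": ldap_filter_condition("(department=finance)"),
            "Auditor": ldap_filter_condition("(role=auditor)"),
            "CorpNet": CORP_NET,
            "WeakAuth": session_attr_condition("auth_level", "1")}),
    Policy("intranet", "/finance/payroll/...", "Auditor AND CorpNet",
           {"Auditor": ldap_filter_condition("(role=auditor)"), "CorpNet": CORP_NET}),
    Policy("intranet", "/public/*.html", "Anyone", {"Anyone": lambda r: True}),
]
```

Two behaviours worth checking against your own domains: a URL under a host identifier with no matching pattern (such as /hr/index.jsp or a nested /public/sub/x.html, which the single-segment "*" does not cover) is denied with no policy consulted, and a more specific pattern such as /finance/payroll/… fully replaces the broader /finance/… policy rather than adding to it.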
Access Manager 11gR2 Policy Model Enhancements – LDAP Query/Filter Condition
[console screenshot slide; no text content beyond the title]

Access Manager 11gR2 Policy Model Enhancements – Complex Expressions
[console screenshot slide; no text content beyond the title]

Access Manager 11gR2 Session Management
• Stateful sessions with detailed security-context information that can be further propagated
• Tracks active user sessions using a high-performance distributed cache
• Administrators can specify session lifetime and idle timeout globally
• Administrators can limit the number of concurrent sessions a user may hold at one time
• Out-of-band session termination
  • Prevents unauthorized access to systems after a user has been terminated
• Can run with or without persistent storage
• Provides automatic session failover

Access Manager 11gR2 Session Management
[console screenshot slide; no text content beyond the title]

Access Manager 11gR2 Windows Native Authentication
• SPNEGO-based credential validation for true Windows desktop-to-web single sign-on
• Allows single sign-on for WebGate-protected and Oracle SSO-protected applications simultaneously
• Does not require an IIS-based solution for WebGate
• WebGates and Oracle SSO-protected applications need not run on Windows
• Can be enabled for a subset of protected applications
  • Internal vs. external websites
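The Session Management slide above lists four controls: a global session lifetime, a global idle timeout, a per-user concurrent-session cap, and out-of-band termination. The following in-memory model, added here as an illustration and not code from the deck or from Oracle's product, shows how those controls interact on a session check and what an audit trail of the resulting events looks like. The clock is passed in as a number of seconds so the behaviour is deterministic; evicting the oldest session when the cap is reached is this example's choice, not the product's rule.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    created: float        # seconds on an injectable clock (keeps the example deterministic)
    last_access: float

class SessionStore:
    """Server-side session lifecycle: global lifetime and idle timeout, a per-user
    concurrency cap, and out-of-band (administrative) termination. Eviction of the
    oldest session at the cap is this example's choice, not the product's rule."""

    def __init__(self, lifetime, idle_timeout, max_per_user):
        self.lifetime = lifetime
        self.idle_timeout = idle_timeout
        self.max_per_user = max_per_user
        self.sessions = {}    # session id -> Session
        self.audit = []       # (event, user, session id) records for the audit trail

    def create(self, user, now):
        """Issue a new session after successful authentication, enforcing the cap."""
        mine = sorted((s.created, sid) for sid, s in self.sessions.items() if s.user == user)
        while len(mine) >= self.max_per_user:
            _, oldest = mine.pop(0)
            self._drop(oldest, "evicted_concurrency_limit")
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = Session(user, now, now)
        self.audit.append(("created", user, sid))
        return sid

    def check(self, sid, now):
        """Validate a presented session id; returns a status string and touches last_access."""
        s = self.sessions.get(sid)
        if s is None:
            return "unknown"          # never issued, terminated, or already expired
        if now - s.created > self.lifetime:
            self._drop(sid, "expired_lifetime")
            return "expired_lifetime"
        if now - s.last_access > self.idle_timeout:
            self._drop(sid, "expired_idle")
            return "expired_idle"
        s.last_access = now
        return "active"

    def terminate_user(self, user, reason="user_terminated"):
        """Out-of-band termination: end every session of a user (e.g. on offboarding)."""
        victims = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in victims:
            self._drop(sid, reason)
        return len(victims)

    def active_sessions(self, user):
        return [sid for sid, s in self.sessions.items() if s.user == user]

    def _drop(self, sid, event):
        s = self.sessions.pop(sid)
        self.audit.append((event, s.user, sid))
```

Note the order of checks: lifetime is tested before idle timeout, so a session that is kept alive by constant activity still ends at the lifetime boundary, and a terminated session is indistinguishable from one that never existed on the next check, which is the behaviour that prevents access after a user has been offboarded.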
Access Manager 11gR2 Embedded Credential Collection
• OAM 11g collects credentials at the runtime server
• Login pages are presented by the OAM runtime servers
• OAM runtime servers can redirect to login pages located on a separate web server
• Regardless of where the login pages are hosted, credentials are sent to the OAM runtime servers for collection
• Sample login pages are provided out of the box

Access Manager 11gR2 Detached Credential Collector
• Extends the 11g WebGate with an option to enable credential collection (Authentication Gate)
• Back-channel communication uses the OAP protocol, while the front channel uses HTTPS
• Decouples credential collection from the server
• Provides the flexibility to place the DCC anywhere in the DMZ
• Improved security: end-user HTTP sessions are terminated in the DMZ
• Reduces overhead on the server and improves performance

Access Manager 11gR2 Detached Credential Collector
[architecture diagram slide; no text content beyond the title]

Access Manager 11gR2 Password Management
• Native password management for simple password management requirements
• In-band password capability
  • Password warning
  • Forced password reset (expired / reset)
• Password policy enforcement
  • Password composition rules
  • Password history
  • Account lockout
• OAM – OIM password integration is still supported

Access Manager 11gR2 Password Management
[console screenshot slide; no text content beyond the title]
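The Password Management slide names six controls: password warning, forced reset on expiry, composition rules, history, and account lockout. The following example, added here as an illustration and not code from the deck or from Oracle's product, implements all of them in one place so the interactions are visible: the history check compares against salted PBKDF2 hashes rather than stored passwords, a correct password still fails while the lockout window is open, and the expiry check distinguishes the warning window from a forced reset. The specific thresholds in PasswordPolicy are constructed defaults, not values from the deck.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DAY = 86400  # seconds

@dataclass
class PasswordPolicy:
    """Constructed defaults; real values come from the deployment's policy."""
    min_length: int = 10
    min_classes: int = 3          # of: lowercase, uppercase, digit, symbol
    history_size: int = 5         # previously used passwords that may not be reused
    max_failures: int = 5         # failed attempts before lockout
    lockout_seconds: int = 900
    max_age: int = 90 * DAY       # password expires after this
    warn_before: int = 7 * DAY    # warn the user during this window before expiry

@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)   # newest last: (salt, digest)
    password_set_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def composition_errors(password, policy):
    """Password composition rules; returns the violated rules (empty list = compliant)."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if classes < policy.min_classes:
        errors.append(f"fewer than {policy.min_classes} character classes")
    return errors

def set_password(account, new_password, policy, now):
    """Enforce composition and history; on success store a new salted hash. Returns errors."""
    errors = composition_errors(new_password, policy)
    if any(hmac.compare_digest(_hash(new_password, salt), digest) for salt, digest in account.history):
        errors.append(f"matches one of the last {policy.history_size} passwords")
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append((salt, _hash(new_password, salt)))
    del account.history[:-policy.history_size]   # keep only the newest N entries
    account.password_set_at = now
    account.failures = 0
    return []

def authenticate(account, password, policy, now):
    """Returns one of: locked | invalid | password_expired | ok_warning | ok"""
    if now < account.locked_until:
        return "locked"                    # even a correct password is refused here
    salt, digest = account.history[-1]
    if not hmac.compare_digest(_hash(password, salt), digest):
        account.failures += 1
        if account.failures >= policy.max_failures:
            account.locked_until = now + policy.lockout_seconds
            account.failures = 0
            return "locked"
        return "invalid"
    account.failures = 0
    age = now - account.password_set_at
    if age > policy.max_age:
        return "password_expired"          # forced reset: the user must change it now
    if age > policy.max_age - policy.warn_before:
        return "ok_warning"                # password warning: expiry is approaching
    return "ok"
```

Each status is a distinct, loggable outcome, which matters for detection: a burst of "invalid" followed by "locked" on one account is a credential-guessing signal, while the same pattern across many accounts with one wrong attempt each points to password spraying.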
Access Manager 11gR2 Centralized Agent Management
• One administration console to manage all agents within the deployment
• Simultaneously manage and configure mod_osso, OAM 10g WebGates, OpenSSO agents, and OAM 11g WebGates
• The operational status of each individual agent can be monitored
  • Agent hostname, IP address, connected server, number of active connections, average operation latency, and more

Access Manager 11gR2 Centralized Agent Management
[console screenshot slide; no text content beyond the title]

Access Manager 11gR2 11g WebGate
• The 11g cookie is host-scoped
• Cookie encryption is unique to each 11g WebGate
• Authorization caching
  • Resource-to-authorization-policy mapping
  • Authorization result
• Diagnostic page
• OUI installer that lays out a WebGate package for the platform in use

Access Manager 11gR2 Utilities
• Remote Registration Tool
  • Application administrators can register agents without the help of the security team
  • Policy objects can be created automatically at registration time to protect the resources of a given application
• Access Tester Tool
  • Simulates resource requests to ensure that policy evaluates correctly
  • Because the tool runs remotely, it uncovers network issues that affect WebGates or mod_osso agents

Access Manager 11gR2 Access Tester Tool
[screenshot slide; no text content beyond the title]
Access Manager 11gR2 Logging and Auditing
• Logging
  • Centralized log management via Enterprise Manager (EM)
  • Graphical tools for configuring and viewing logs (EM)
  • Multiple logging levels
• Auditing
  • Standardized auditing across Fusion Middleware (FMW) components
  • The Common Audit Framework allows audit logs to be directed to and persisted in an audit database
  • Reports generated via Oracle BI Publisher

Access Manager 11gR2 Internal Architecture (diagram)
Components shown inside the OAM Server: Protocol Compatibility Framework, Credential Collector, Session Management, SSO Engine, AuthN Service, AuthZ Service, Identity Provider, Token Processing, Partner & Trust, Policy Service, Configuration Service, Coherence Distributed Cache, and Oracle Platform Security Services.

Access Manager 11gR2 Installation and Configuration
• Installation process
  • OAM 11g installs using Oracle Universal Installer (OUI)
  • The installation process copies all the software bits to the host machine
  • OUI does not perform product configuration
• The configuration process requires two steps
  • Database schema configuration using the Repository Creation Utility (RCU)
  • Product configuration and deployment using the WebLogic Configuration Wizard

Access Manager 11gR2 Deployment on WebLogic Cluster
[deployment diagram slide; no text content beyond the title]
Access Manager 11gR2 Multi-data-center Deployment
• Supports Active-Active, Active-Passive, and Active-Hot Standby deployments
• Enables seamless user SSO across data centers with session continuity
• Follows a master/slave configuration for Access Manager deployment across data centers; policy and configuration are kept in sync via T2P (test-to-production) processes
• Behavior is configurable through the Session Adoption Policy
  • Re-authentication Required – True/False
  • Remote Session Invalidation – True/False
  • On-Demand Session Data Retrieval – True/False

Access Manager 11gR2 Multi-data-center Deployment – Active/Active (diagram)
User 1 (geo-location 1) and User 2 (geo-location 2) reach a Global Load Balancer; User 1 carries an OAM cookie with DC=DC1, User 2 an OAM cookie with DC=DC2. Each data center hosts an Access Manager cluster with active and stand-by members: the cluster in Data-Center 1 (Master) and the cluster in Data-Center 2 (Slave), synchronized using the T2P process.

Access Manager 11gR2 Multi-data-center Deployment – Active/Active, failover (diagram)
When Data-Center 1 is down or overloaded, the Global Load Balancer routes User 1 (OAM cookie DC=DC1) to the Data-Center 2 cluster. Depending on the Session Adoption Policy, Data-Center 2 either re-authenticates the user or retrieves the remote session data from Data-Center 1 over a back-channel OAP call and invalidates the remote session; the user's cookie then carries DC=DC2.
Access Manager 11gR2 Extensibility
• Authentication Extensibility Framework
  • Allows customized authentication modules to be plugged into the system
  • Includes Java SDK tooling for users to create customized modules
• Pure Java-based ASDK
  • Includes authentication services and authorization services
  • One platform-independent package
  • Includes APIs for the extended protocol-level op codes
  • Backward compatible with OAM 10g

Access Manager 11gR2 Key IDM Integrations (diagram)
OAM paired with OSTS and with Federation, labelled Identity Propagation and Federated SSO:
• SSO to web services
• Issuance and validation of web service tokens
• Identity propagation from federated partners into the local environment
• Simplified authentication flows

Access Manager 11gR2 Key IDM Integrations (diagram)
OAM paired with OAAM (Authentication) and with OIM (End-to-End):
• Reinforced password authentication
• Risk-based authentication
• Secure self-service flows
• Increased security and usability
• Consistent user experience

Access Manager 11gR2 New Platform and Integration Support
• New platform support
  • Solaris x64, AIX 7.1, and Oracle Linux 6.x / RHEL 6.x
• Third-party integrations
  • Microsoft SharePoint 2010
  • RSA Authentication Manager 7.1
  • JBoss 5.1.0
  • Microsoft Outlook Web Application (OWA) 2010 – post-R2
  • Microsoft Forefront TMG 2010 – post-R2
  • SAP Portal 7.0 – post-R2
  • IBM WebSphere Portal 7.0 – post-R2