Enabling Single Sign-On for Oracle Applications
Oracle Applications Users Group - Atlanta (OAUG)
Slide deck transcript; source: atloaug.communities.oaug.org/multisites/atloaug/media/Documents/...
Agenda
Introduction
• Organization
• Speakers
Security Spectrum
• Information Security Spectrum
• Oracle Identity Management Platform
Access Control
• Access Management Framework
• Oracle Access Management System Architecture
• Oracle Access Management Integration Architecture
• Benefits – Access Control System
Oracle Applications (E-Business) Integration
• Support Architecture
• Integration Flow
• Integration of OID and E-Biz (GUID)
• Access Gate integration
• Third-party directories integration (AD)
• Deployment Topology
• Best Practices
Introduction
About BIAS Corporation: Who We Are
• Founded in 2000
• Distinguished Oracle Leader
– Technology Momentum Award
– Portal Blazer Award
– Titan Award – Red Stack + HW Momentum Awards
– Excellence in Innovation Award
• Management Team is Ex-Oracle
• Locations: Headquartered in Atlanta; regional office in Washington D.C.; offshore in Hyderabad and Chennai, India
• ~250 employees with 10+ years of Oracle experience on average
• Inc. 500|5000 Fastest Growing Private Company in the U.S. for the 5th time
• Voted Best Place to Work in Atlanta for the 2nd year
• 30 Oracle Specializations spanning the entire stack
Speakers Profile
Kashif Dhatwani
• Practice Director, Identity Management and Data Security
• Enterprise and Solution Architect
• 15+ years of experience delivering solutions around middleware technologies including Security, SOA, Portal and custom-developed solutions
• 7+ years with BIAS Corporation; previously held positions at Oracle and IBM
• Focused on delivering best-practice, industry-standards-based solutions to BIAS customers
• Leads a team of solution and technical architects delivering solutions across multiple industries
Madan Shah
• Solution Architect, Identity Management & Data Security
• 15+ years of experience in middleware technologies
• 3+ years with BIAS Corporation
• Solution Architect and Technical Architect for middleware technologies including Java / J2EE, Portals, Data Security and Identity & Access Management
• Leads development teams delivering Identity & Access Management and Data Security solutions
• Oracle Access Management Suite Plus 11g Certified Implementation Specialist and Oracle Database 11g Security Certified Implementation Specialist
BIAS Practice Areas
BIAS Corporation is a recognized leader in Identity & Access Management system assessment, design and implementation. As an Oracle Platinum partner, BIAS Corporation's IDM Practice provides experienced architects with expertise in assessing environments, building roadmaps and designing systems, and implements those solutions with the experienced developers of the BIAS IDM practice.
Security Spectrum
Information Security Spectrum
Identity Management
• Governance
• Compliance
• Single Source of Truth
• Provisioning / De-provisioning
• SoD – Separation of Duties
Access Management
• Access Control
• Authentication
• Authorization
• Single Sign-On
• Multi-Factor Authentication
Mobile Security
• Security Container
• Single Sign-On
• Application Management
Data Security
• Protect your data at Rest and in Transit
• Data Access - Authentication
• Data Access – Fine Grained Control
• Auditing
Identity Management Portfolio – 11gR2: Modern, Innovative & Integrated
Governance
• Oracle Identity Manager (OIM)
• Oracle Privileged Account Manager (OPAM)
Access
• Oracle Access Manager (OAM)
• Oracle Adaptive Access Manager (OAAM)
• Oracle API Gateway (OEG)
• Oracle Identity Federation (OIF)
• Oracle Security Token Service (OSTS)
• Oracle Entitlements Server (OES)
• Oracle Enterprise Single Sign-On (OeSSO)
Directory
• Oracle Unified Directory (OUD)
• Oracle Virtual Directory (OVD)
• Oracle Internet Directory (OID)
Mobile Security
• Oracle Mobile Security Suite (OMSS)
• Oracle Access Manager (OAM)
• Oracle Identity Manager (OIM)
Platform Security Services (the common layer under all of the above)
Oracle Database Security Solutions (ordered by maturity of the database environment)
Audit Vault and Database Firewall
• Database Activity Auditing
• Database Firewall Monitoring
• Centralized Audit Data Warehouse
Advanced Security and Data Masking
• Transparent Data Encryption
• Network Encryption / Strong Authentication
• Data Masking for Non-Production
Database Vault and Label Security
• Separation of Duties for DBAs
• Protection Realms & Rules
• Label Based Access Control
Access Control
Access Management Framework
Diagram: internal users and external users (partners, vendors) reach web applications and cloud providers. The framework gives each user a single user account (backed by LDAP) and a single logon across those web applications.
Oracle Access Management System Architecture
Access Management Integration Architecture
Diagram: Oracle Access Manager is the central authentication and SSO point for internal users and external users (partners, vendors), authenticating them against LDAP. On-premise web applications are fronted by WebGate (authentication / SSO), Oracle E-Business Suite by the EBS AccessGate (authentication / SSO), and cloud providers are reached through federation (federation / SSO).
Identity Management Overview
Benefits
Centralized Access Management
• Centralized security enforcement
• Centralized policy control over application access
Single Sign-On
• One set of credentials for all your applications
• No need to remember multiple user IDs and passwords
• Reduced risk of credential compromise, since fewer passwords are in circulation
• One-time login to the first application
• Secure navigation to multiple applications
Federation
• Single Sign-On for third-party application partners
• Single Sign-On for cloud-based applications
User Repositories
• Integration with multiple user repositories
• Support for commonly used LDAP directories and Microsoft Active Directory
Productivity
• Increased employee productivity
• Compliance standards maintained
• Self-service capabilities such as password management
Oracle E-Business Application Single Sign-On
Oracle E-Business and Access Manager Support Architecture
E-Business Suite releases covered: 11.5.10.2, 12.1.3, 12.2

E-Business Suite 12.2.2+
• Oracle Access Manager 11.1.2.2
• Oracle Identity Management 11.1.1.7
• Oracle WebGate 11.1.2.2

E-Business Suite 12
• Oracle Access Manager 11.1.2.2
• Oracle Identity Management 11.1.1.7.0
• Oracle Access Manager WebGate 11.1.2.2.0
• Oracle E-Business Suite AccessGate 1.2.3.4
Integration Architecture
Components: Oracle E-Business Suite; a web server running WebGate and the E-Business Suite AccessGate; Oracle Access Manager; Oracle Internet Directory.
1. User requests a protected E-Business Suite resource.
2. User is redirected to the EBS AccessGate, which is itself protected by OAM.
3. WebGate intercepts the request per OAM policies.
4. WebGate sends the user to the OAM credential collector, so credentials are collected in front of the EBS AccessGate.
5. User submits credentials to the OAM server.
6. OAM verifies the credentials against the user repository (Oracle Internet Directory).
7. OAM returns the user identifier to the EBS AccessGate.
8. The EBS AccessGate identifies the EBS user linked to the authenticated OID user.
EBS AccessGate
• Oracle E-Business Suite AccessGate is a Java EE application deployed on a WebLogic domain.
• Oracle Access Manager WebGate passes the authenticated user's UID and ORCLGUID to the AccessGate.
• Every user record in Oracle Internet Directory has a unique ORCLGUID.
• The AccessGate uses that ORCLGUID to find the linked FND_USER record in the E-Business Suite instance database (the FND_USER link); an OID user with no linked FND_USER record has no E-Business Suite identity.
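The eight-step flow above and the FND_USER link on this slide are easier to reason about when the decision points are written out. The following is an added example, not code from the presentation, from BIAS or from Oracle: a stand-alone simulation of OAM authenticating against OID, WebGate asserting the identity, and the AccessGate resolving the ORCLGUID to an FND_USER row. The directory entries, FND_USER rows, header names (OAM_REMOTE_USER, USER_ORCLGUID), the path, the clock value and the password hashing are all constructed assumptions; real header names come from the OAM response policy and the AccessGate configuration. It covers the three failure modes a practitioner hits in practice: bad credentials, a directory user never provisioned into EBS, and an end-dated FND_USER row, plus the bypass that appears when the AccessGate is reachable without passing through WebGate.

```python
"""Simulation of the OAM / WebGate / EBS AccessGate login flow.

Added example; not code from the presentation, from BIAS or from Oracle.
Directory entries, FND_USER rows, header names, path and password hashing
below are constructed for illustration only.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


def _pw_hash(password: str) -> str:
    # Constructed stand-in for the directory's password verifier.
    return hashlib.sha256(password.encode()).hexdigest()


# Oracle Internet Directory entries: every entry carries a unique orclguid.
OID = {
    "jsmith":     {"orclguid": "A1B2C3D4E5F60001", "pw_hash": _pw_hash("Winter2014!")},
    "kdoe":       {"orclguid": "A1B2C3D4E5F60002", "pw_hash": _pw_hash("Spring2014!")},
    "contractor": {"orclguid": "A1B2C3D4E5F60003", "pw_hash": _pw_hash("Temp#1")},
}

# E-Business Suite FND_USER rows; USER_GUID is the link to the OID orclguid.
# 'contractor' exists in OID but was never provisioned into EBS;
# 'kdoe' is end-dated in EBS although the directory account is still active.
FND_USER = [
    {"user_name": "JSMITH", "user_guid": "A1B2C3D4E5F60001", "end_date": None},
    {"user_name": "KDOE",   "user_guid": "A1B2C3D4E5F60002", "end_date": "2014-01-31"},
]

# Assumed header names (real ones come from the OAM response policy and
# the AccessGate configuration) and a constructed clock for end-date checks.
UID_HEADER = "OAM_REMOTE_USER"
GUID_HEADER = "USER_ORCLGUID"
TODAY = "2014-06-01"


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # as sent by the client
    session_user: Optional[str] = None                      # OAM session, if any


def oam_authenticate(username: str, password: str) -> Optional[str]:
    """Steps 5-7: OAM checks the credentials against OID and returns the
    orclguid of the authenticated entry, or None on failure."""
    entry = OID.get(username)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["pw_hash"], _pw_hash(password)):
        return None
    return entry["orclguid"]


def webgate(request: Request) -> dict:
    """Step 3: WebGate intercepts the request per OAM policy.

    Identity headers supplied by the client are dropped before anything is
    forwarded; only WebGate adds them, and only from an established session."""
    headers = {k: v for k, v in request.headers.items()
               if k not in (UID_HEADER, GUID_HEADER)}
    if request.session_user is None:
        return {"action": "redirect_to_login"}          # steps 2 and 4
    headers[UID_HEADER] = request.session_user
    headers[GUID_HEADER] = OID[request.session_user]["orclguid"]
    return {"action": "forward", "headers": headers}


def accessgate(headers: Dict[str, str]) -> dict:
    """Step 8: map the asserted orclguid to an FND_USER row."""
    guid = headers.get(GUID_HEADER)
    if not guid:
        return {"status": "denied", "reason": "no identity asserted by WebGate"}
    for row in FND_USER:
        if row["user_guid"] == guid:
            if row["end_date"] is not None and row["end_date"] < TODAY:
                return {"status": "denied", "reason": "FND_USER is end-dated"}
            return {"status": "ok", "ebs_user": row["user_name"]}
    return {"status": "denied",
            "reason": "authenticated in OID but no FND_USER row carries this GUID"}


def sso_login(username: str, password: str, client_headers=None) -> dict:
    """Whole flow: credential collection at OAM, then the WebGate-fronted
    request to the AccessGate. client_headers lets the caller try to smuggle
    identity headers past WebGate."""
    guid = oam_authenticate(username, password)
    if guid is None:
        return {"status": "denied", "reason": "OAM authentication failed"}
    request = Request(path="/OA_HTML/", headers=dict(client_headers or {}),
                      session_user=username)
    decision = webgate(request)
    return accessgate(decision["headers"])


def unprotected_request(headers: Dict[str, str]) -> dict:
    """Reaching the AccessGate without passing through WebGate: whatever the
    client asserts is believed. This is why the AccessGate must only be
    reachable through the WebGate-fronted web server."""
    return accessgate(headers)


if __name__ == "__main__":
    print(sso_login("jsmith", "Winter2014!"))
    print(sso_login("contractor", "Temp#1"))
    print(sso_login("kdoe", "Spring2014!"))
    print(sso_login("contractor", "Temp#1", {GUID_HEADER: "A1B2C3D4E5F60001"}))
    print(unprotected_request({GUID_HEADER: "A1B2C3D4E5F60001"}))
```

The last call is the one to take away: the AccessGate trusts whatever ORCLGUID header reaches it, so the web tier must strip client-supplied identity headers (WebGate does this in front of it) and the AccessGate must not be addressable except through that web tier. De-provisioning likewise has to be done on the EBS side (end-dating FND_USER) and not only in the directory, or the reverse, because each store is checked at a different step.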
Deployment Topology (Clustered)
Oracle E-Business Suite Release 12.2 single sign-on
• User traffic enters through a load balancer in front of two Oracle HTTP Server nodes (Web Server 1, Web Server 2), each running WebGate and the EBS AccessGate.
• The Oracle Access Manager Server tier is clustered (OAM Server 1, OAM Server 2) behind its own load balancer.
• Oracle Internet Directory is clustered (OID 1, OID 2).
• Oracle E-Business Suite Release 12.2.2+ and its Oracle Database sit behind the web tier.
Third-Party LDAP Integration
Third-Party Access Management
Architectural Considerations: Key Decisions
Provisioning
• Unidirectional Provisioning
– From Oracle Internet Directory to Oracle E-Business Suite only
– From Oracle E-Business Suite to Oracle Internet Directory only
• Bi-Directional Provisioning
– From Oracle Internet Directory to Oracle E-Business Suite
– From Oracle E-Business Suite to Oracle Internet Directory
Corporate User Repositories
• Microsoft Active Directory
• LDAP directories
• Databases
Authorization
• EBS responsibilities are managed within EBS
Upgrade
• An existing environment can upgrade from OSSO to OAM
Co-Existence
• Multiple E-Business systems using the same security framework (Access Manager)
Best Practices
SSO Infrastructure
• High Availability
• Disaster Recovery Environment
• Performance Considerations
• OAM Detached Credential Collector vs Embedded Credential Collector
• Multi-Factor Authentication and Risk-Based Authentication
End-to-End SSL
• Encrypt all HTTP and LDAP traffic
• TLS 1.2 / TLS 1.1 (prefer TLS 1.2; TLS 1.0 and 1.1 are deprecated)
Auditing
• Out-of-the-box auditing provided by OAM for user authentications
• BI Publisher Reports
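The auditing bullet above says OAM records user authentications out of the box and that reports are built on top of them. The following is an added example, not code from the presentation, from BIAS or from Oracle, of two detection queries a practitioner would run over those records: a failed-login burst per user, and a success that follows a run of failures. The table, column names, status values and rows are constructed; in a real deployment the equivalent queries target the OAM audit store (the IAU_BASE table of the Fusion Middleware audit schema), and the column and status names must be taken from that schema, not from this example.

```python
"""Detection queries over OAM-style authentication audit records.

Added example; not code from the presentation, from BIAS or from Oracle.
The table, column names, status values and rows are constructed. The real
target is the OAM audit store (IAU_BASE in the Fusion Middleware audit
schema); check its column and status names before adapting these queries.
"""
import sqlite3
from typing import List, Tuple

# Constructed rows: (timestamp, event_type, status, initiator, remote_ip).
# 'jsmith' suffers six failures in about two minutes followed by a success;
# 'kdoe' shows ordinary behaviour (one typo, then success).
SAMPLE_EVENTS = [
    ("2014-06-02 08:00:01", "AUTHENTICATION", "FAILURE", "jsmith", "10.1.1.5"),
    ("2014-06-02 08:00:20", "AUTHENTICATION", "FAILURE", "jsmith", "10.1.1.5"),
    ("2014-06-02 08:00:45", "AUTHENTICATION", "FAILURE", "jsmith", "10.1.1.5"),
    ("2014-06-02 08:01:10", "AUTHENTICATION", "FAILURE", "jsmith", "10.1.1.5"),
    ("2014-06-02 08:01:40", "AUTHENTICATION", "FAILURE", "jsmith", "10.1.1.5"),
    ("2014-06-02 08:02:05", "AUTHENTICATION", "FAILURE", "jsmith", "10.1.1.5"),
    ("2014-06-02 08:02:30", "AUTHENTICATION", "SUCCESS", "jsmith", "10.1.1.5"),
    ("2014-06-02 08:05:00", "AUTHENTICATION", "SUCCESS", "kdoe",   "10.1.2.9"),
    ("2014-06-02 09:00:00", "AUTHENTICATION", "FAILURE", "kdoe",   "10.1.2.9"),
    ("2014-06-02 09:00:30", "AUTHENTICATION", "SUCCESS", "kdoe",   "10.1.2.9"),
]


def load_audit(events=SAMPLE_EVENTS) -> sqlite3.Connection:
    """Load the constructed rows into an in-memory table shaped like an
    authentication audit log (timestamps as 'YYYY-MM-DD HH:MM:SS' so that
    SQLite's datetime() arithmetic compares correctly with them)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE auth_audit (ts TEXT, event_type TEXT, "
                "status TEXT, initiator TEXT, remote_ip TEXT)")
    con.executemany("INSERT INTO auth_audit VALUES (?, ?, ?, ?, ?)", events)
    return con


def failure_bursts(con, window_minutes=5, threshold=5) -> List[Tuple[str, int]]:
    """Users with at least `threshold` failed authentications inside any
    `window_minutes` span. Each failure is scored by counting the failures
    for the same user in the window ending at it; the per-user maximum is
    the burst size."""
    sql = """
        SELECT initiator, MAX(n) AS burst FROM (
            SELECT a.initiator,
                   (SELECT COUNT(*) FROM auth_audit b
                     WHERE b.initiator = a.initiator
                       AND b.event_type = 'AUTHENTICATION' AND b.status = 'FAILURE'
                       AND b.ts <= a.ts AND b.ts > datetime(a.ts, ?)) AS n
              FROM auth_audit a
             WHERE a.event_type = 'AUTHENTICATION' AND a.status = 'FAILURE')
        GROUP BY initiator HAVING MAX(n) >= ?
        ORDER BY initiator"""
    return con.execute(sql, (f"-{window_minutes} minutes", threshold)).fetchall()


def success_after_failures(con, min_failures=5, window_minutes=10):
    """Successful logins preceded by `min_failures` failures for the same
    user within `window_minutes`: the signature of a guessing attack that
    eventually worked, and the rows worth an analyst's attention."""
    sql = """
        SELECT * FROM (
            SELECT s.initiator, s.ts, s.remote_ip,
                   (SELECT COUNT(*) FROM auth_audit f
                     WHERE f.initiator = s.initiator
                       AND f.event_type = 'AUTHENTICATION' AND f.status = 'FAILURE'
                       AND f.ts < s.ts AND f.ts >= datetime(s.ts, ?)) AS prior_failures
              FROM auth_audit s
             WHERE s.event_type = 'AUTHENTICATION' AND s.status = 'SUCCESS')
        WHERE prior_failures >= ?
        ORDER BY ts"""
    return con.execute(sql, (f"-{window_minutes} minutes", min_failures)).fetchall()


if __name__ == "__main__":
    con = load_audit()
    print("failure bursts:", failure_bursts(con))
    print("success after failures:", success_after_failures(con))
```

Both queries are plain SQL so they can be lifted into a BI Publisher data model once the column names are mapped to the deployed audit schema; the Python around them exists only to make the example runnable offline on the constructed rows.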
Oracle created the OPN Specialized Program to showcase the Oracle partners who have achieved expertise in Oracle product areas and reached specialization status through competency development, business results, expertise and proven success. BIAS is proud to be specialized in 30 areas of Oracle products, which include the following:
Contact Us
Kashif Dhatwani
Practice Director - Identity Management & Data Security
770-685-6240