Oracle Single Sign-On to Oracle Access Manager Migration
Rob Otto – Oracle Consulting Services UK


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.

Agenda
- Access Management introduction
- Oracle Access Manager 11gR2 Overview
- Oracle SSO v OAM 11gR2
- OAM 11gR2- Migration and Coexistence with OSSO
- Q&A

Access Management Introduction

Identity Management Portfolio – 11gR2: Modern, Innovative & Integrated
- Governance: Password Reset, Privileged Accounts, Access Request, Roles Based Provisioning, Role Mining, Attestation, Separation of Duties
- Access: Web Single Sign-on, Federation, Mobile, Social & Cloud, External Authorization, SOA Security, Integrated ESSO, Token Services, Fraud Detection
- Directory: LDAP Storage, Virtual Directory, Meta Directory
- Platform Security Services

Taking a Platform Approach: Building on Components of Fusion Middleware
Diagram labels: WebCenter, ADF, Workflow, SOA, User Interface, Coherence, CAF, Customization, Performance, Fusion Middleware

Oracle Access Management
- Comprehensive security for applications, data, and web services
- End-to-end authentication, single sign-on, and fine grained application protection
- Innovative anomaly detection, transaction security, and multi-factor authentication
- Extensive 3rd party integrations
Access Management: Authentication, Single Sign-On, Federation, Fraud Prevention, Authorization & Entitlements, Web Services Security, Secure Token Services

Oracle Access Management Suite Plus
- Entitlements Server: Entitlements Management, Fine Grained Authorization
- Adaptive Access Manager: Risk-based Authentication, Real-time Fraud Prevention
- Access Manager: Web Access Control, Single Sign-On
- Identity Federation: Partner SSO & Identity Federation, Fedlet SP integration
- Secure Token Services: Security Token Management, Identity Propagation

Oracle Access Management Blueprint Architecture

Oracle Access Manager 11gR2 Overview

Oracle Access Manager 11g Objectives
- Provide foundation for Access Management Suite
- Converge OAM, OSSO, and OpenSSO
- Provide new and advanced functionality to customers
- Tighten integrations

Oracle Access Manager 11g
Key Features | Benefits
Modular Architecture | Separated admin and runtime server to enable independent operations
Secure Policy Model | Access is denied by default until policies are created to allow access
Simplified Install & Config | One package to install and one series of steps to configure a simple working environment
Session Management | Allows admin tracking and termination of user sessions
Diagnostics & Monitoring | Allows administrators to monitor key operational metrics in real-time
Central Agent Management | Administration console provides a holistic view of all agents and shows the server they are connected to
Backwards Compatibility | Compatible with 10g webgates and 10g mod_osso
Windows Native AuthN | Enables Windows desktop to web single sign-on
Improved Utilities | Remote registration utility, remote access tester, and WLST cmds for policy operations

Oracle Access Manager 11g Architecture – Runtime Server
Diagram labels: Protocol Compatibility Framework, Credential Collector, SSO Engine, AuthN Service, AuthZ Service, OAM Server, Session Management, Identity Provider, Token Processing, Partner & Trust, Policy Service, Configuration Service, Coherence Distributed Cache, Oracle Platform Security Services

Oracle Access Manager 11g Administration Console
Integrated Security Administration, Agent Administration

Access Manager 11gR2 Deployment Overview

Access Manager 11gR2 Deployment Detail
Diagram labels, in tier order:
- External Client, Internet
- Firewall (Web Tier): Protected Load Balancer; WebHosts / Web Hosts; OHS, OHS; WebGate, WebGate
- Firewall (App Tier): AppHosts, IAM Hosts, IDMHosts; WLS; WLS_OAM; Admin Server, Admin Server; WLS_ODSM; AccessGate; OAM; Admin Console, Admin Console; ODSM; EM
- Firewall (Data Tier): LDAP Hosts, DB Hosts; RAC; OVD; OID; Metadata DB (OAM, OID, Schema)

Access Manager 11gR2 Installation and Configuration
- Installation process
  - OAM 11g installs using Oracle Universal Installer (OUI)
  - The installation process copies all the software bits to the host machine
  - OUI does not perform product configuration
- Configuration process requires 2 steps
  - Database schema configuration using Repository Creation Utility (RCU)
  - Product configuration and deployment using WebLogic Configuration Wizard
- Oracle Support Note 340.1 provides a good starting point

Oracle Access Manager 11g Windows Native Authentication
- SPNEGO based credential validation for true Windows desktop to web single sign-on
- Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
- Does not need IIS based solution for WebGate
- WebGates and Oracle SSO protected applications need not run on Windows platform
- Can be enabled for a subset of protected applications
  - Internal vs External websites

Oracle Access Manager 11g Windows Native Authentication - Setup
Basic steps are as follows:
1. Edit /etc/krb5.conf file
2. Create Service Principal Name
3. Obtain Kerberos Ticket
4. Set-up OAM Kerberos AuthN Module
5. Configure Kerberos AuthN Scheme for WNA
6. Register AD as OAM User Store
7. Verify OAM configuration (oam-config.xml)
8. Enable Kerberos in Web Browser
9. Test
See OAM Admin Guide, Chapter 7 (link here)
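
A pre-flight check for the first two setup steps, added here as an example and not taken from the slides or from Oracle's tooling: it parses a krb5.conf and reports where it is inconsistent with the service principal name, before any OAM module is configured. The realm EXAMPLE.COM, the host names, the HTTP/<fqdn>@<REALM> SPN form and the function names are assumptions for illustration, and a single-realm setup is assumed.

```python
import re

# Constructed sample; EXAMPLE.COM and the host names are placeholders.
SAMPLE_KRB5 = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

def parse_krb5(text):
    """Parse krb5.conf into {section: {key: value}}; realm blocks nest."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def check_wna_prereqs(text, spn):
    """Return a list of inconsistencies between krb5.conf and the SPN."""
    m = re.fullmatch(r"HTTP/([a-z0-9.-]+)@([A-Z0-9.-]+)", spn)
    if not m:
        return ["SPN should look like HTTP/<lower-case fqdn>@<UPPER-CASE REALM>"]
    host, realm = m.groups()
    conf, problems = parse_krb5(text), []
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        problems.append("default_realm differs from the SPN realm")
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append("no kdc listed for realm " + realm)
    mapped = {r for d, r in conf.get("domain_realm", {}).items()
              if host == d or (d.startswith(".") and host.endswith(d))}
    if realm not in mapped:
        problems.append("no [domain_realm] entry maps the host to the realm")
    return problems
```

An empty list from `check_wna_prereqs(SAMPLE_KRB5, "HTTP/oam.example.com@EXAMPLE.COM")` means the file and the SPN agree on realm, KDC and domain mapping.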

Oracle SSO v OAM 11gR2

Oracle Access Manager: Sample Oracle SSO Architecture
Diagram labels: Deployed Application, Oracle HTTP Server, MOD_OSSO agent, Authentication, Local User Store, End User, Authentication Decisions, OC4J Application Server, LDAP Authentication, User Authentication, Oracle Single Sign-On Server, User Data, User Synchronization, Enterprise User Store, Oracle Internet Directory, Directory Integration Platform or Oracle Identity Manager, Enterprise User Store

Oracle Access Manager: Key differences v OSSO
OAM 11gR2 | OSSO
SSO, policy-based AuthN & AuthZ | SSO and simple AuthN only
WebLogic Server-based | OC4J-based
3rd-Party LDAP server support | Dependence on OID
Support for OSSO, OAM 10g, OAM 11g and OpenSSO agents via PCL | Support for only OSSO agents (mod_osso)
Server-based session management | Sessions via client cookies only
Cross-domain SSO is native | Single network domain only
Native password policy (R2+) | OIDDAS for password policy
Integration with OIM (optional) for User Self-Service | OIDDAS for user self-service

OAM 11gR2- Migration and Coexistence with OSSO

Oracle Access Manager 11g: OSSO 10g Upgrade
- Facilitated through AS Upgrade Assistant
- Process:
  - Install OAM 11g
  - Run Upgrade Assistant pointing to Oracle AS Single Sign-On 10.1.4.3
- Two modes:
  - Retain Ports: no changes required on partner sites
  - Change Ports: partner sites need new osso.conf which is generated by the Upgrade Assistant
- See Support Migration Advisor (note 343.1) and upgrade viewlet (note 1230123.1)

Co-existence: OAM11g & SSO 10g
- Supports OracleAS SSO 10g Release (10.1.2.0.2) through OracleAS SSO 10g Release (10.1.4.3.0)
- Co-existence requires same back-end user identity store: Oracle Internet Directory (OID)

Co-existence: OAM11g & SSO 10g
- mod_osso redirects requests to the 11g OAM Server for authentication through a proxy.
- mod_wl replaces mod_oc4j.
- mod_wl enables SSO to work without any changes on the OHS
Diagram label: Without Proxy

Co-existence: SSO between Partner Applications
- App1 upgraded to OAM11g
- User accessing App1
- OAM sets the SSO cookie and updates session information accordingly.
- The cookie includes a flag indicating that an OSSO cookie must also exist for this cookie to be valid.

Q & A