Published by Antonio Vale. Modified over 9 years ago.
Slide 1: Oracle Single Sign-On to Oracle Access Manager Migration
Rob Otto, Oracle Consulting Services UK
Slide 2: Safe harbor statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remain at the sole discretion of Oracle.
Slide 3: Agenda
- Access Management introduction
- Oracle Access Manager 11gR2 overview
- Oracle SSO v OAM 11gR2
- OAM 11gR2: migration and coexistence with OSSO
- Q&A
Slide 4: Access Management Introduction (section divider)
Slide 5: Identity Management Portfolio 11gR2: Modern, Innovative & Integrated
Governance: Password Reset, Privileged Accounts, Access Request, Roles Based Provisioning, Role Mining, Attestation, Separation of Duties
Access: Web Single Sign-on, Federation, Mobile, Social & Cloud, External Authorization, SOA Security, Integrated ESSO, Token Services, Fraud Detection
Directory: LDAP Storage, Virtual Directory, Meta Directory
Underlying all three: Platform Security Services
Slide 6: Taking a Platform Approach: Building on Components of Fusion Middleware
Fusion Middleware components shown: WebCenter, ADF, Workflow, SOA, User Interface, Coherence, CAF, Customization, Performance
Slide 7: Oracle Access Management
- Comprehensive security for applications, data, and web services
- End-to-end authentication, single sign-on, and fine-grained application protection
- Innovative anomaly detection, transaction security, and multi-factor authentication
- Extensive 3rd-party integrations
Access Management capabilities: Authentication, Single Sign-On, Federation, Fraud Prevention, Authorization & Entitlements, Web Services Security, Secure Token Services
Slide 8: Oracle Access Management Suite Plus
- Entitlements Server: Entitlements Management, Fine Grained Authorization
- Adaptive Access Manager: Risk-based Authentication, Real-time Fraud Prevention
- Access Manager: Web Access Control, Single Sign-On
- Identity Federation: Partner SSO & Identity Federation, Fedlet SP integration
- Secure Token Services: Security Token Management, Identity Propagation
Slide 9: Oracle Access Management Blueprint Architecture (diagram)
Slide 10: Oracle Access Manager 11gR2 Overview (section divider)
Slide 11: Oracle Access Manager 11g Objectives
- Provide the foundation for the Access Management Suite
- Converge OAM, OSSO, and OpenSSO
- Provide new and advanced functionality to customers
- Tighten integrations
Slide 12: Oracle Access Manager 11g: Key Features and Benefits
- Modular Architecture: separated admin and runtime server to enable independent operations
- Secure Policy Model: access is denied by default until policies are created to allow access
- Simplified Install & Config: one package to install and one series of steps to configure a simple working environment
- Session Management: allows admin tracking and termination of user sessions
- Diagnostics & Monitoring: allows administrators to monitor key operational metrics in real time
- Central Agent Management: administration console provides a holistic view of all agents and shows the server they are connected to
- Backwards Compatibility: compatible with 10g WebGates and 10g mod_osso
- Windows Native AuthN: enables Windows desktop to web single sign-on
- Improved Utilities: remote registration utility, remote access tester, and WLST commands for policy operations
Slide 13: Oracle Access Manager 11g Architecture: Runtime Server
OAM Server components shown: Protocol Compatibility Framework, Credential Collector, SSO Engine, AuthN Service, AuthZ Service, Session Management, Identity Provider, Token Processing, Partner & Trust, Policy Service, Configuration Service, Coherence Distributed Cache, Oracle Platform Security Services
Slide 14: Oracle Access Manager 11g Administration Console
Integrated security administration and agent administration
Slide 15: Access Manager 11gR2 Deployment Overview (diagram)
Slide 16: Access Manager 11gR2 Deployment Detail
- Internet: External Client
- Firewall (Web Tier): Protected Load Balancer; Web Hosts, each running OHS with WebGate
- Firewall (App Tier): App Hosts / IAM Hosts / IDM Hosts running WLS (WLS_OAM, Admin Server, WLS_ODSM), AccessGate, OAM Admin Console, ODSM, EM
- Firewall (Data Tier): LDAP Hosts (OVD, OID); DB Hosts (RAC Metadata DB holding the OAM and OID schemas)
Slide 17: Access Manager 11gR2 Installation and Configuration
Installation process:
- OAM 11g installs using Oracle Universal Installer (OUI)
- The installation process copies all the software bits to the host machine
- OUI does not perform product configuration
Configuration process requires 2 steps:
- Database schema configuration using Repository Creation Utility (RCU)
- Product configuration and deployment using the WebLogic Configuration Wizard
Oracle Support Note provides a good starting point
Slide 18: Oracle Access Manager 11g Windows Native Authentication
- SPNEGO-based credential validation for true Windows desktop to web single sign-on
- Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
- Does not need an IIS-based solution for WebGate
- WebGates and Oracle SSO protected applications need not run on the Windows platform
- Can be enabled for a subset of protected applications (internal vs external websites)
Slide 19: Oracle Access Manager 11g Windows Native Authentication: Setup
Basic steps are as follows:
1. Edit the /etc/krb5.conf file
2. Create the Service Principal Name
3. Obtain a Kerberos ticket
4. Set up the OAM Kerberos AuthN Module
5. Configure the Kerberos AuthN Scheme for WNA
6. Register AD as an OAM User Store
7. Verify the OAM configuration (oam-config.xml)
8. Enable Kerberos in the web browser
9. Test
See OAM Admin Guide, Chapter 7
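Steps 1 to 3 above are where most WNA deployments go wrong before OAM itself is even involved: a krb5.conf with no usable realm or KDC, or a keytab whose service principal does not match the HTTP/<fqdn>@<REALM> name the browser will request. The following is an added example, not code from the slides or from Oracle: it parses a constructed krb5.conf, derives the SPN the OAM server's keytab must contain, and reports the usual inconsistencies (missing default_realm, no kdc for the realm, missing or wrong-case principal). The realm, KDC and host names are placeholders, and the keytab principal list stands in for what `klist -kt` would show on the real host.

```python
import re

# Constructed sample krb5.conf; realm, KDC and host names are placeholders,
# not values from the slides.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = false
  ticket_lifetime = 24h

[realms]
  EXAMPLE.COM = {
    kdc = dc01.example.com
    admin_server = dc01.example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf sections WNA depends on.

    Returns {"default_realm": str|None, "realms": {REALM: [kdc, ...]},
    "domain_realm": {domain: REALM}}. Realm blocks are tracked by their
    opening "REALM = {" line and closing "}" line.
    """
    conf = {"default_realm": None, "realms": {}, "domain_realm": {}}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "libdefaults":
            key, _, val = line.partition("=")
            if key.strip() == "default_realm":
                conf["default_realm"] = val.strip()
        elif section == "realms":
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if m:                                 # "REALM = {" opens a block
                realm = m.group(1)
                conf["realms"].setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm is not None:
                key, _, val = line.partition("=")
                if key.strip() == "kdc":
                    conf["realms"][realm].append(val.strip())
        elif section == "domain_realm":
            key, _, val = line.partition("=")
            conf["domain_realm"][key.strip()] = val.strip()
    return conf


def expected_spn(oam_host, conf):
    """SPN the OAM server keytab must hold: HTTP/<fqdn>@<REALM>.

    The realm comes from [domain_realm] when the host's DNS domain is
    mapped there, otherwise from default_realm.
    """
    parts = oam_host.split(".", 1)
    domain = "." + parts[1] if len(parts) == 2 else ""
    realm = conf["domain_realm"].get(domain, conf["default_realm"])
    return f"HTTP/{oam_host}@{realm}"


def check_wna_prereqs(oam_host, keytab_principals, conf):
    """Return a list of findings; an empty list means consistent.

    keytab_principals is the principal list as `klist -kt` would print it
    for the keytab generated for the OAM server (passed in directly here).
    """
    findings = []
    realm = conf["default_realm"]
    if not realm:
        findings.append("krb5.conf: no default_realm in [libdefaults]")
    elif not conf["realms"].get(realm):
        findings.append(f"krb5.conf: no kdc configured for realm {realm}")
    spn = expected_spn(oam_host, conf)
    if spn not in keytab_principals:
        findings.append(f"keytab: missing service principal {spn}")
        # Kerberos principals are case-sensitive; an "http/" entry created
        # with the wrong case is a common reason the browser's service
        # ticket is rejected, so report it separately.
        for p in keytab_principals:
            if p != spn and p.lower() == spn.lower():
                findings.append(f"keytab: case mismatch, found {p}")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in check_wna_prereqs("oam.example.com",
                                     ["http/oam.example.com@EXAMPLE.COM"], conf):
        print(finding)
```

Run it against the real /etc/krb5.conf and the output of `klist -kt` on the OAM host before touching the Kerberos AuthN Module; an empty findings list means steps 1 to 3 are at least internally consistent, and the remaining steps can be debugged on the OAM side.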
Slide 20: Oracle SSO v OAM 11gR2 (section divider)
Slide 21: Sample Oracle SSO Architecture (diagram)
Components shown: End User; Deployed Application on OC4J Application Server; Oracle HTTP Server with MOD_OSSO agent (authentication decisions); Oracle Single Sign-On Server (user authentication, LDAP authentication against the Local User Store); Oracle Internet Directory holding user data; user synchronization from the Enterprise User Store via Directory Integration Platform or Oracle Identity Manager
Oracle Confidential: For Internal Use Only
Slide 22: Oracle Access Manager: Key differences v OSSO
OAM 11gR2 | OSSO
- SSO, policy-based AuthN & AuthZ | SSO and simple AuthN only
- WebLogic Server-based | OC4J-based
- 3rd-party LDAP server support | Dependence on OID
- Support for OSSO, OAM 10g, OAM 11g and OpenSSO agents via PCL | Support for only OSSO agents (mod_osso)
- Server-based session management | Sessions via client cookies only
- Cross-domain SSO is native | Single network domain only
- Native password policy (R2+) | OIDDAS for password policy
- Integration with OIM (optional) for user self-service | OIDDAS for user self-service
Slide 23: OAM 11gR2: Migration and Coexistence with OSSO (section divider)
Slide 24: Oracle Access Manager 11g: OSSO 10g Upgrade
Facilitated through the AS Upgrade Assistant. Process:
1. Install OAM 11g
2. Run the Upgrade Assistant pointing to Oracle AS Single Sign-On
Two modes:
- Retain Ports: no changes required on partner sites
- Change Ports: partner sites need a new osso.conf, which is generated by the Upgrade Assistant
See Support Migration Advisor (note 343.1) and upgrade viewlet (note )
Slide 25: Co-existence: OAM 11g & SSO 10g
- Supports OracleAS SSO 10g Release ( ) through OracleAS SSO 10g Release ( )
- Co-existence requires the same back-end user identity store: Oracle Internet Directory (OID)
Slide 26: Co-existence: OAM 11g & SSO 10g
- mod_osso redirects requests to the 11g OAM Server for authentication through a proxy
- mod_wl replaces mod_oc4j; mod_wl enables SSO to work without any changes on the OHS
Diagram panel: Without Proxy
Slide 27: Co-existence: SSO between Partner Applications
- App1 is upgraded to OAM 11g
- When a user accesses App1, OAM sets the SSO cookie and updates session information accordingly
- The cookie includes a flag indicating that an OSSO cookie must also exist for this cookie to be valid
Slide 28: Q & A