Posts

Showing posts from November, 2016

Security Architecture for Oracle Identity Management

Oracle recommended 3-Tier architecture for Identity Management and Fusion Middleware applications. The standard 3-Tier architecture Oracle provides for Fusion Middleware is: Tier 1, the web servers facing the Internet; Tier 2, the middleware, i.e. the WebLogic infrastructure (Admin Server, Managed Servers, Domain); and Tier 3, the database layer. Below is the Identity Management architecture from Oracle that shows all components in a highly available production environment. The highly available deployment shown has two hosts for each component in a cluster, i.e. two OAM servers and two OIM servers, so that the service stays available if one host is unavailable. Highly available clusters are preferred for production environments, but if you have no such requirement, a single instance of each component (OAM, OIM, OUD etc.) is sufficient. INTERNET TIER 1: OHS/Webgate

How to create Entitlement in OIM

How to create Entitlement in OIM. In OIM R2PS3, how do I provide a user with high-risk entitlements?
1. Access the Identity Self Service console as an admin.
2. Clicked on Manage > Users.
3. Searched for users with the organization "Foo".
4. I found "TestUser123" and clicked on the user login.
5. Navigated to the Entitlements sub-tab; nothing is listed.
6. Clicked on Request Entitlements.
7. Searched for "Foo" or "*" to find anything; however, nothing is returned.
8. Under Categories I was hoping to find an entitlement, but none is found.
How can I create one so that I could add it to the cart and complete the process of providing a high-risk entitlement to the user "TestUser123"?
Answer: Go with the basic entitlement in the OIM doc. High-level overview: you can make resource child table data (if the child form exists) an entitlement; then you need to run the entitlement list scheduled job.
Question: Is an entitlement the same as an LDAP group

OAM Sessions and Cookies

(Taken from the oam-idm blog) OAM Session and OAM Cookies. OAM Session: a session is an object which represents an authenticated user and contains the authenticated user's details. No, it does not contain user credentials, but it keeps track of important things such as when the last resource was accessed, from which IP it was accessed, and to which authentication scheme level the user is authenticated. The session is stored in server memory; if database session persistence is enabled, the session object is also maintained in the database. Why is the session so important? A valid session means the user is authenticated; if no session is found in memory, the user will be challenged by OAM. A session can be in one of 3 states: active, inactive, or expired. When a session is created it is in the active state. If no activity is detected, after the idle timeout the session is marked as inactive. The session existed in the serve

Oracle Document Cloud Service

Oracle Document Cloud Service provides easy access to documents that users can store and share for collaboration.

Install software on PaaS

Question: I have a basic question. Is it possible to install any other software apart from the ones we register for? Example: is it possible to install ODI on Oracle SOA Cloud (PaaS), or should I register for IaaS and install the complete set of software I am interested in? You have two options here, either PaaS or IaaS, with regard to your scenario of installing ODI. In cloud environments there are 3 types of service models: IaaS, PaaS and SaaS. First let me give a high-level view of the three cloud service models, and then we will discuss your scenario. IaaS provides the bare host where you choose to install your OS and then other software, whereas the hardware, networking, power etc. are taken care of by the provider. In PaaS you are provided with a complete server, networking, storage etc., and you manage the software stack and application code. In SaaS you get the complete application configured; you log in, and it is ready to use and upload the require

Difference between Java based and .NET based connectors in OIM

When to use a Java-based connector for Oracle Identity Manager (OIM) or a .NET-based connector. This post goes over the difference between these two types of OIM connectors. There are two types of connector servers: .NET-based and Java-based. For example, the Microsoft Active Directory User Management connector requires a .NET connector server (not a Java-based one). In order to run the AD User Management connector, first make sure you have a .NET connector server running on a Windows host, which is typically a host joined to the domain. It is not necessary to install the .NET connector server on a Domain Controller. Here you deploy your AD connector and run the Trusted Recon, Provisioning and other jobs/operations. See the Connector Architecture for the .NET-based connector below. .NET-based connector Architecture: as shown in the above Connector Architecture for the Microsoft Active Directory connector, the connector bundle, which is the main connector software, is deployed on a server

Oracle IAM installation steps

Refer to the following links for Oracle IAM installation: LINK (this is for PS2). This is a Linux install example: LINK, and this is the PS3 install: LINK. The steps are the same for the Windows operating system. Ensure you have enough RAM: 16 GB.

When to use Oracle STS

When to use Oracle STS (OSTS)? By Prakash Yamuna-Oracle on Feb 07, 2013. I have been meaning to do a blog post on this front for quite some time but just haven't had the cycles. So this is a very rushed blog post - please excuse typos!! The basic question that seems to come up is when to use an STS in general and OSTS in particular. So here are my thoughts on the matter. To me there are three main scenarios for using an STS: Token Exchange/Conversion, Federation, and Centralized Trust. In this post I will cover Token Exchange and Federation very briefly. Token exchange/conversion: so the first set of scenarios is around the need to be able to exchange one kind of token for another type of token. Ex: you want to exchange a Kerberos token for a SAML token. Here is a picture that demonstrates this scenario (click on the image for a large image): In the above scenario a customer has a Desktop Application (ex: say Outlook or some other .NET Web Service) that is talk

Oracle Identity Federation OFMW Admin Guide Chapter 31

31 Managing Federation-related Schemes and Policies Using Oracle Access Management Console. This chapter introduces the federation-related authentication schemes and policies that must be configured for Oracle Access Management Identity Federation. This chapter includes the following sections: Prerequisites; Introduction to Using Identity Federation and Access Manager in Concert Together; Using Authentication Schemes and Modules for Identity Federation 11g Release 2 (11.1.2.1); Using Authentication Schemes and Modules for Oracle Identity Federation 11g Release 1; Managing Access Manager Policies for Use with Identity Federation; Testing Identity Federation Configuration; Using the Default Identity Provisioning Plug-in; Configuring the Identity Provider Discovery Service; Configuring the Federation User Self-Registration Module. 31.1 Prerequisites: You define one or more authentication schemes to enable Oracle Access Management Access Manager to work with federation pro