Posts

How to create a user for a future Start Date in OIM

How to create a user in Oracle Identity Manager (OIM)/Oracle Identity Governance (OIG) with a future "Start Date" and ensure the user account is only enabled on the "Start Date". User accounts are created in Oracle Identity Manager (OIM) as users are on-boarded or join the organization. There are typical use cases where users are given a joining date, the day when a user reports to duty. The user should be able to log in to the systems when they start their duties. Hence, the user account and login should be enabled for the user so that they can successfully log in to the systems. The user account should only be in the Enabled or Active state on the day the user is officially supposed to start. In other words, the account which has been created for the user should be in a Disabled state until the day of start. The security rule is never to have an active account or Entitlements for Users who are not active in the system. The user account is Active on the day the user joins the or

WebLogic Server Clustering and Domain

Understanding WebLogic Server Clustering and WebLogic Domain. This post gives an overview of WebLogic Server Clustering and Domains. A WebLogic architecture is composed of an Admin Server and a Managed Server. When you install WebLogic Server you create a domain which has resources, and the Admin Server acts as the admin instance which manages, monitors and configures the resources in this domain. Each Domain can have one or more Managed Servers. Managed Servers are the instances where you deploy your applications. For example, Oracle Identity Manager (OIM) is a J2EE application deployed on a WebLogic Managed Server. So at a minimum the architecture will be composed of a WebLogic Admin Server and a WebLogic Managed Server on which OIM is deployed. However, for practical implementations you would have at least two Managed Servers hosting the deployed application for high availability. The two Managed Servers will provide continuity of operations in case one of the Managed Servers is unavaila

Identity Assurance Level IAL and

What is Identity Assurance Level (IAL)? The NIST 800-63-3 publication defines Identity Assurance Level (IAL) as the robustness of the identity proofing process to confidently determine the identity of an individual. There are 3 different levels of IAL, viz. IAL1, IAL2, and IAL3. The 800-63-3 publication sets the requirements to achieve a given IAL. The three IALs reflect the options agencies or organizations may select in their respective environments to suit their risks. The risk is the potential harm that could be caused by an adversary making a successful false claim of an identity. The three IALs are as follows. IAL1: There is no requirement to link the applicant to a specific real-life identity. Any attributes provided in conjunction with the authentication process are self-asserted or should be treated as such (including attributes a Credential Service Provider, or CSP, asserts to an RP). IAL2: Evidence supports the real-world existence of the claimed identity and verifies tha

How to install WebGate in Oracle Identity Management environment

WebGate. A WebGate is a web-server plug-in for Oracle Access Manager (OAM) that intercepts HTTP requests and forwards them to the Access Server for authentication and authorization. Specifically, an OHS WebGate, i.e. an Oracle HTTP Server WebGate, is a web server plug-in that intercepts HTTP requests and forwards them to an existing Oracle Access Manager (OAM) instance for authentication and authorization. Installing WebGate. There are two important steps for installing OHS WebGate: first, configuring the OHS WebGate, and then registering the OHS WebGate with OAM. See below: Configuring Oracle HTTP Server WebGate; Registering the Oracle HTTP Server 12c WebGate with Oracle Access Manager. Since the 12c version, there is no need to install WebGate separately. If you have installed the OHS 12c server then WebGate comes pre-bundled with it. (In prior versions, 11g and 10g, one had to first install the WebGate binaries.) For an overview of registering/managing WebGate in 12c, read   For 12c version  - Registe

Oracle E-Business Suite (EBS) integration with Oracle Identity Cloud Service

Oracle EBS integration with Oracle IDCS. Oracle E-Business Suite (EBS) can now be easily integrated with Oracle Identity Cloud Service (IDCS). You can read the earlier blog which covered EBS integration with OAM and OID here. However, when using Oracle Identity Cloud Service (IDCS) there is no requirement to use OAM or OID. You can integrate your on-premise EBS deployment with Oracle Identity Cloud Service. Here is a side-by-side comparison of the two deployment architectures: Oracle EBS integration with IDCS on the left and with OAM/OID on the right. You don't need to configure Oracle E-Business Suite with Oracle Access Manager (OAM) Access Gate or OAM for integration with the Oracle Identity Cloud Service. The Identity Cloud Service E-Business Suite Asserter replaces OAM Access Gate as the authentication mechanism for your Oracle E-Business Suite. Note: Your Oracle E-Business Suite must not be integrated with Oracle Access Manager, Oracle Internet Directory, or using any other SSO profil

High Availability, Multi-Data Center in Oracle Identity Governance 12.2.1.3

Services or applications need to be available to end users. Any interruption of services or outages needs to be minimized, or if possible maximum availability should be provided. Any outage of services to end users is disruptive to the business. Outages may be planned or unplanned. Unplanned outages can occur due to network issues, data corruption, application issues etc., whereas planned outages are typically for application updates or patching, data migration etc. Highly available (HA) architectures are key in providing uninterrupted or maximum available services to end users and the business. Below are some references and guides that provide detailed information on how to implement highly available architectures, or architectures across multiple data centers, for Oracle Identity Governance and Oracle Identity and Access Management. Also, at the end there is a guide for Disaster Recovery (DR) for Oracle Fusion Middleware 12c. Configure High Availability for Oracle Identity Governance (OIG) Prerequisites for C

What is UPN - User Principal Name

What is UPN? The User Principal Name (UPN) attribute in Microsoft Active Directory is userPrincipalName, and its value may be set as the user's email address, though not necessarily. You can view the UPN via the Attribute Editor property of a user's account in Active Directory; see the screenshot below, which shows the Attribute name as userPrincipalName and its Value set as testuser1@DC1.example.com. You can also derive the UPN from the user's Account - User logon name in Active Directory. See below the concatenation of the user logon name and the domain suffix - testuser1 and DC1.example.com. Concatenating these two (as shown in the screenshot below) yields testuser1@DC1.example.com, which is the email address of the user. (Note that the Pre-Windows 2000 User logon name is DC\testuser1.) How to view the Attribute Editor in Active Directory: you have to select Advanced Features (right click on the Domain Controller DC1.example.com in the left pane, click on View and then click Advanced Features) in o

CyberArk Vault Backup Utility - PAReplicate

CyberArk Privileged Access Solution provides a utility, PAReplicate, that can be used to copy and back up the Safe files from the CyberArk Vault to a specified computer on the network. The backed-up files are in the same structure as that in the Safes folder. See below a typical High Level Design for CyberArk Privileged Access Management and the CyberArk backup process and file structure. High Level Design for CyberArk Privileged Access Management. CyberArk Backup Process. The PAReplicate utility copies the Safe files from the Vault to a specified computer on the network in a similar structure to that in the Safes folder. Any User who has the ‘Backup All Safes’ user authorization and the ‘Backup Safe’ authorization in specific Safes can issue this command for those Safes. Use the Backup User to replicate the entire Vault. You can use PAReplicate to back up a specific Safe or a group of Safes. When using the specific backup, the requested Safe data files are copied to the specif

Knowledge Areas

Knowledge areas: Project Integration Management, Project Scope Management, Project Time Management, Project Cost Management, Project Quality Management, Project Human Resources Management, Project Communication Management, Project Risk Management, Project Procurement Management. Knowledge areas: Project Integration Management, Project Scope Management, Project Time Management, Project Cost Management, Project Quality Management, Project Human Resource Management, Project Communications Management, Project Risk Management, Project Procurement Management, Project Stakeholder Management. The processes that belong in each process group - Initiating, Planning, Executing, Monitoring & Control, and Closing - what they do and which knowledge area they represent can be confusing. This post (based on the information in PMBOK) discusses each process group and briefly explains the processes that belong in each process group. The knowledge area they represent is indicated in brackets after