Oracle Identity Management products can be categorized into the following components, providing identity/access management, governance, and directory services:
Identity Administration: Oracle Identity Manager (OIM)
Access Management: Oracle Access Manager (OAM), Oracle Identity Federation (OIF), Oracle Enterprise Single Sign-On (eSSO), Oracle Adaptive Access Manager (OAAM), Oracle Entitlement Server (OES), Oracle OpenSSO Fedlet, and Oracle OpenSSO Security Token Service
Identity & Access Governance: Oracle Identity Analytics (OIA)
Directory Services: Oracle Internet Directory (OID), Oracle Directory Server Enterprise Edition (ODSEE), and Oracle Virtual Directory (OVD)
Platform Security Services: Oracle Platform Security Services (OPSS), Oracle Authorization Policy Model (OAPM), and Oracle Web Services Manager (OWSM)
Operations Management: Oracle Identity Navigator (OIN) and Oracle Enterprise Manager Management pack for Identity management
This chapter provides an overview of Oracle Identity Management products, including:
Identity Manager and Access Manager components
Architecture of Oracle Access Manager and Oracle Identity Manager
In this section I'll briefly cover the following identity and access manager products:
Oracle Identity Manager (OIM): It is identity lifecycle management software that includes provisioning, reconciliation, and administration tools. Oracle Identity Manager comes as part of the Identity Management and Access Management software.
Oracle Identity Federation (OIF): It is multi-protocol federation software used to share identities across enterprises, partners, and vendors. Oracle Identity Federation simplifies the process of enabling federated single sign-on.
Oracle Enterprise Single Sign-On (eSSO): It is access management software which provides authentication and single sign-on across all enterprise resources, including desktops, client-server, and host-based mainframe applications.
Oracle Adaptive Access Manager (OAAM): It is strong, proactive authentication and real-time fraud prevention software. Oracle Adaptive Access Manager comes as part of the Identity Management and Access Management software.
Oracle Virtual Directory (OVD): It virtually aggregates identity information from multiple identity sources (directory server or databases) and presents a real-time unified view, thus eliminating the need to synchronize or move identity data across multiple sources.
Oracle Platform Security Services (OPSS): It is a portable, integrated, enterprise-grade platform for Java applications. Java EE and Java SE applications can use OPSS. OPSS is installed/configured by default with Fusion Middleware components including OIM and OAM.
Oracle Web Services Manager (OWSM): It is a J2EE application designed to define and implement web services security in heterogeneous environments. OWSM is available both as a standalone product and as part of the SOA suite.
Oracle Identity Navigator (OIN): It is an administrative portal which acts as a launch pad for Oracle Identity Management components. It allows access to all identity management consoles from a single page.
OEM Grid Control Management pack for Identity Management: Proactively manages performance, availability, and service levels for identity and access management services.
WebLogic Server is a J2EE application server on which both Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) are deployed. The following diagram and sections cover the WebLogic domain and the key WebLogic components respectively:
WebLogic Server Domain
WebLogic Admin Server
WebLogic Managed Server
WebLogic JDBC Datasource
WebLogic Administration (Admin) Server: The Administration server is the WebLogic server that maintains the configuration data for a domain. There is always one and only one Administration server in a WebLogic domain.
WebLogic Managed Server: Any WebLogic server other than the Admin server is called a Managed server. When you configure both OAM and OIM in the same domain, domain creation creates three Managed servers: one for OAM (oam_server1), the second for OIM (oim_server1), and the third for SOA (soa_server1).
WebLogic Cluster: A WebLogic cluster is a group of WebLogic servers (Admin or Managed) that work together to provide high availability and scalability for applications. WebLogic servers within a cluster can run on the same machine or on different machines. A WebLogic cluster made up only of Managed servers is also known as a Managed Server cluster.
The previous screenshot shows a WebLogic domain consisting of one Admin server, five Managed servers, and two clusters. Managed servers oim_server1 and oim_server2 are deployed in a cluster named oim_cluster, while Managed servers oam_server1 and oam_server2 are deployed in a second cluster named oam_cluster. Finally, the domain also contains a fifth Managed server (soa_server1) that is not in a cluster.
WebLogic JDBC Datasource: WebLogic uses JDBC data sources to connect to databases. JDBC resources are deployed to servers or clusters within a domain. Applications deployed on those servers (Admin or Managed) can then use the deployed JDBC data source to connect to a database. The following screenshot shows the default JDBC data sources created after creating a domain with OIM (including SOA) and OAM.
Node Manager: Node Manager is a Java utility that runs as a separate process from WebLogic server and performs common operational tasks for Managed servers. Node Manager can also be configured to automatically restart the Admin or Managed servers in case of an unplanned outage, and is used to start/stop Managed servers from the WebLogic console. Use of Node Manager in an OIM/OAM deployment is optional.
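As an added example (not code from the book or from Oracle), the following script checks the domain topology described above against a WebLogic config.xml: exactly one Admin server that is not a cluster member, every cluster reference resolvable, every Managed server clustered for failover, and every JDBC data source targeted to a cluster rather than pinned to a single member. The element names (server, cluster, admin-server-name, jdbc-system-resource, target) are assumed from the WebLogic domain schema; the sample document is constructed to mirror the chapter's domain.

```python
# Added example: topology sanity checks over a WebLogic config.xml for an OIM/OAM domain.
# Element names are assumed from the WebLogic domain schema; the sample below is constructed.
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed config.xml: one Admin server, oim_cluster and oam_cluster with two members each,
# a standalone soa_server1, and a data source deliberately pinned to oim_server1.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server><name>AdminServer</name></server>
  <server><name>oim_server1</name><cluster>oim_cluster</cluster></server>
  <server><name>oim_server2</name><cluster>oim_cluster</cluster></server>
  <server><name>oam_server1</name><cluster>oam_cluster</cluster></server>
  <server><name>oam_server2</name><cluster>oam_cluster</cluster></server>
  <server><name>soa_server1</name></server>
  <cluster><name>oim_cluster</name></cluster>
  <cluster><name>oam_cluster</name></cluster>
  <jdbc-system-resource><name>oamDS</name><target>oam_cluster</target></jdbc-system-resource>
  <jdbc-system-resource><name>oimJMSStoreDS</name><target>oim_server1</target></jdbc-system-resource>
  <jdbc-system-resource><name>mds-oim</name><target>oim_cluster,soa_server1</target></jdbc-system-resource>
  <admin-server-name>AdminServer</admin-server-name>
</domain>"""


def _text(el, tag, default=None):
    return el.findtext("d:" + tag, default=default, namespaces=NS)


def parse_domain(xml_text):
    """Return (admin name, {server: cluster or None}, {cluster names}, {data source: [targets]})."""
    root = ET.fromstring(xml_text)
    servers = {_text(s, "name"): _text(s, "cluster") for s in root.findall("d:server", NS)}
    clusters = {_text(c, "name") for c in root.findall("d:cluster", NS)}
    datasources = {_text(d, "name"): [t.strip() for t in _text(d, "target", "").split(",") if t.strip()]
                   for d in root.findall("d:jdbc-system-resource", NS)}
    return _text(root, "admin-server-name"), servers, clusters, datasources


def check_domain(xml_text):
    """Return a list of findings; an empty list means the topology looks sane."""
    admin, servers, clusters, datasources = parse_domain(xml_text)
    findings = []
    if admin not in servers:
        findings.append("admin-server-name %r is not a defined server" % admin)
    elif servers[admin]:  # the Admin server is never a cluster member
        findings.append("Admin server %s must not belong to a cluster" % admin)
    for name, cluster in servers.items():
        if cluster and cluster not in clusters:
            findings.append("server %s references undefined cluster %s" % (name, cluster))
        elif not cluster and name != admin:  # unclustered Managed server: no failover
            findings.append("Managed server %s is not in a cluster" % name)
    for ds, targets in datasources.items():
        findings += ["data source %s targets unknown %s" % (ds, t)
                     for t in targets if t not in servers and t not in clusters]
        # a data source pinned to one cluster member is a single point of failure for that cluster
        if any(servers.get(t) for t in targets) and not any(t in clusters for t in targets):
            findings.append("data source %s targets a cluster member; target the cluster" % ds)
    return findings
```

Run it against a real domain with `check_domain(open("config.xml").read())`; on the constructed sample it reports the pinned data source and the unclustered soa_server1.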
Oracle Access Manager (OAM) provides centralized, policy-driven services for authentication, single sign-on (SSO), and identity assertion. The following diagram shows the Oracle Access Manager Component Architecture:
User Agents: These include Web servers, Java applications, and Web service applications with OAM agents (10g/11g WebGates, OSSO, AccessGate). Clients access the OAM Administration Console server (a.k.a. OAM Console) over HTTPS.
Protected Resources: These include the applications or web pages which you wish to protect with OAM agents (10g/11g WebGates, OSSO, AccessGate). OAM agents act as plug-ins between user agents and the OAM server (a.k.a. Access Server). OAM 10g/11g WebGate and AccessGate communicate with the OAM server (Access Server) using a proprietary protocol, the Oracle Access Protocol (OAP). The OracleAS Single Sign-On (OSSO) 10g agent communicates with the OAM server over HTTPS.
OAM Administration Console: OAM administration console is a Web application deployed on WebLogic's Administration server that is used to manage and configure OAM server, authentication/authorization policies, and OAM Agents. Some configuration can also be achieved via WebLogic Scripting Tool (WLST) commands.
Coherence Distributed Object Cache: It is used to propagate configuration changes and session information between OAM servers in high-availability deployments. Coherence is installed as part of WebLogic installation as shown in the following screenshot:
FMW Grid Control: It is a Java application (/em) deployed on a WebLogic Admin server and used to manage logging in Oracle Access Manager. It is also used for monitoring status, performance management, and to enable/disable logging or diagnostics.
Data Store (File, LDAP, and RDBMS): OAM requires data stores for user identities, policy data, and configuration data.
By default in OAM 11g:
User Identity Store is WebLogic's embedded LDAP server.
OAM policy data is stored in the database under OAM schema configured during Repository Creation Utility (RCU). In previous versions, the OAM policy store could be an LDAP. In 11g it must be an RDBMS.
OAM configuration data is stored in a file-based repository, specifically an XML file (oam-config.xml) containing all OAM-related system configuration data.
Oracle Access Manager Administration Console (a.k.a. Oracle Access Manager Admin server or, in short, OAM Console) runs on the WebLogic Admin server and is used to manage OAM server properties, create policies, define agents, and manage user sessions. You can access the OAM Administration Console using the URI /oamconsole on the Admin server.
Oracle Access Manager Server is a runtime engine that provides shared access services such as the authentication/authorization service, session management, token processing, and single sign-on. The OAM Server runs on one of WebLogic's Managed servers, such as oam_server1.
Oracle Identity Manager 11g is a Java application deployed on Oracle WebLogic server for identity and user provisioning. Oracle Identity Manager (OIM) 11g provides user administration, password management, workflow and policy, audit and compliance management, user provisioning and organization, and role management functionalities.
Oracle Identity Manager is a three-tier J2EE application that consists of a presentation tier, a business services tier, and a data tier.
Oracle Identity Manager Administrative and User Console: It is a thin client that is accessible via a web browser. The console provides self-service and delegated administration features.
Oracle Identity Manager Design Console: It is a thick (Java) client which is installed on a client machine. The console provides system configuration and development capabilities, and connects directly to the business services tier.
Core Services: User management, provisioning and reconciliation.
Oracle Identity Manager consists of the following components:
OIM Server: It is a Java EE application deployed on a WebLogic Managed server that uses a database to store runtime and configuration data. The OIM server includes a Quartz-based scheduler (for job scheduling), an Oracle Entitlement Server (OES) microkernel for authorization checks, Message Driven Beans (MDB), and a message producer.
Design Console: It is a thick client (Java Application) that runs on the client machine and connects to the OIM business tier directly. The console provides system configuration and development capabilities.
SOA: OIM server connects to SOA Managed server over RMI (using SOA RmiURL) to invoke SOA EJBs. OIM connects to SOA web services using SOAP (using SOA SoapURL). SOA Managed server connects to OIM using the SOA Callback web service (using OimFrontendURL).
SPML Client: The SPML client connects to OIM using the SPML web service (via OimFrontEndURL), whereas the OIM server connects to the SPML client using the SPML callback web service (via PolicyConfigURL).
OAM Server: OIM integrates with OAM for single sign-on configuration.
Database: OIM uses a database to store runtime, user, and configuration data. Configuration information is stored in MDS schema, whereas runtime and user information is stored in OIM schema.
In this chapter, we gave an overview of Oracle Identity Management 11g. We also briefly covered the various Identity Management components and WebLogic server, and the architecture of Oracle Access Manager and Oracle Identity Manager 11g in detail.
In the next chapter, we are going to install Oracle WebLogic and Oracle Identity Management 11g. We will also cover Identity and Access Management High Availability deployment (Active-Active Cluster) for resilience and performance.