
Architecting a Complete Solution for the Cloud Economy: Delivering Standards-Based Access Control

Marc Chanliau, Oracle Identity Management
Bernard Diwakar, Intuit

October 02, 2014

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda

1. Introduction
2. Oracle Access Management and the Cloud
3. Access Management Services for the Cloud
4. Intuit Presentation




Combined On-Premise and Cloud Deployments: Access Management in the New Digital Economy

• Seamless Multi-Channel Access
• Access Any Application, From Any Device, Anywhere
• Scalable for Today’s Internet and Cloud Needs
• Standards-Based, Modular Architecture
• Integrated, Risk-aware, Strong Auth, and Fraud Prevention
• AppAdvantage: Increased Agility with Enterprise Apps



Oracle Access Management: Introduction

• Complete functionality
• Standards-based and modular
• Content-aware, context-aware, risk-aware
• Scalable, deployable across multiple data centers
• Automated upgrades, patching, and migration
• Support for hybrid environments (on-premise, Cloud)

Services in the platform:
• Web Authentication, SSO
• Adaptive Access and Fraud Prevention
• Identity Federation
• Secure Token Service
• Mobile Security and Social Identity
• Cloud SSO
• Enterprise SSO
• External, Fine-Grained Authorization
• Web Services Security
• API Security


Oracle Access Management Logical Deployment View

[Figure: deployment zones from left to right]
• Public Zone (Internet): Mobile Devices (Mobile and Social SDK); Laptop / Desktop (Enterprise SSO); Web Services (Web Services Security Client). Traffic into the Web Tier uses HTTP/S, REST, OAuth, JMS and SOAP.
• Web Tier (DMZ): Load Balancer; Access Manager WebGates; Web Services and API Gateway.
• Application Tier (Intranet): Oracle Access Management Suite Plus; Enterprise Applications; Web Services – Web APIs (on premise or in the Cloud).
• Data Tier: Oracle Directory Services; Third-Party Directory Services; Application Data; Oracle Metadata.


2. Oracle Access Management and the Cloud


Cloud Identity Management Deployment Options

Private Cloud
• Customer owns, customer operates
• Extends Access Management and Identity Governance to Cloud applications

Managed Cloud
• Customer owns, Oracle operates
• Avoid on-premise infrastructure costs by outsourcing management to an experienced team

Public Cloud
• Oracle owns, Oracle operates
• Subscription-based, elastic Access Management for Cloud environments


Access Management in the Cloud: Services Involved

• Primary web authentication, web SSO, coarse-grained authorization (optionally, the Mobile and Social service if mobile clients are involved)
• Lightweight Cloud SSO proxy
• Identity Federation: support for SAML, OAuth, OpenID
• Web services and API security: first line of defense on-premise and/or in the Cloud
• SOA security: first-mile and last-mile security on-premise and/or in the Cloud


Cloud Access Management Use-Case Scenarios

Scenario 1
• Access management is on premise or in the Cloud
• Applications are deployed in a public or private Cloud
• Clients (requesting parties) use laptop or mobile device browsers only

Scenario 2
• Access management is on premise; some enterprise web applications are on premise, others are in a private Cloud
• SSO must be provided among applications deployed on premise
• Federation must be provided between applications deployed on premise and in the Cloud
• Clients (requesting parties) use laptop or mobile device browsers or native apps


Cloud Access Management Use-Case Scenarios (cont’d)

Scenario 3
• Clients (requesting parties) use Oracle web services or applications deployed in the Cloud
• Requests are first intercepted in the DMZ and passed on to the Intranet resources for processing
• Responses returned to requesting parties must obfuscate selected private information

Scenario 4
• Clients (requesting parties) located on-premise or in the Cloud send web services or web API requests to SaaS applications deployed in a public Cloud


3. Access Management Services for the Cloud


Need for Access Portal Services

Customer Challenges
• Simplify the user experience to access corporate web and Cloud resources
• Adapt to different PC and mobile form factors
• Enable integration with existing corporate portals
• Provide wizard-driven tools to accommodate integration with SaaS, partner, and Cloud applications

[Figure: Access Portal Service: a User Portal providing SSO to SaaS, SSO to Corporate Web Apps and SSO to Partner Apps, with Integrate and Customize tooling]


Oracle Access Portal: A Mobile and Cloud Solution for the Enterprise

• Hosted single sign-on (SSO) proxy service
  – Secure way for users to access enterprise applications from any device supporting a browser
  – Supports intranet and extranet applications, on-premise or hosted in the Cloud, using Oracle's form-fill SSO technology


Oracle Access Management Federation Services: On-Premise and Cloud Deployments

• Federation types
  – SAML-based federation (authentication, attribute sharing)
  – OpenID-based federation (delegated authentication)
  – OAuth-based federation (delegated authorization)
  – Social-identity-based federation (redirected authentication)
  – Form-fill-based federation (SSO proxy)


Oracle Access Management Identity Federation Services: SAML-Based Federated Authentication and Attribute Sharing

[Figure: Domain A hosts the Identity Provider (IdP) and the identities; Domain B hosts the Service Provider (SP); a trust relationship links the two]

• Oracle Access Management platform provides primary web authentication
• Oracle Access Management Identity Federation generates (IdP) and/or consumes (SP) SAML assertions


Access Management Identity Federation Fedlet: On-Premise and Cloud Deployment Models

• Compact, lightweight, easy-to-deploy SAML 2.0 Service Provider implementation fully integrated with Access Management Identity Federation
• Fedlet is used in multi-tenant SaaS deployments where each SaaS customer acts as an Identity Provider
  – Each of the tenant applications authenticates remote users coming from its own Identity Provider
  – In such an environment each of the Fedlet instances is configured to always communicate with the same Identity Provider
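The Fedlet rule that each instance talks to exactly one Identity Provider is a check the Service Provider has to enforce on every assertion it consumes, alongside the audience, validity-window and subject-confirmation checks of the SAML 2.0 web browser SSO profile. The Python below is an added example, not Oracle's Fedlet code: the SpConfig fields, entityIDs, URLs and the sample assertion are all constructed. It assumes the XML signature has already been verified against the pinned IdP certificate and does not perform that step itself.

```python
"""SP-side acceptance checks for a SAML 2.0 assertion (added example, not Oracle code).
One Fedlet instance, one pinned Identity Provider. Precondition NOT shown here: verify
the XML signature against the pinned IdP certificate (e.g. with xmlsec) and parse with a
hardened XML parser before running any of these checks."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}


@dataclass
class SpConfig:
    """Hypothetical Fedlet/SP configuration (field names are assumptions)."""
    trusted_issuer: str   # entityID of the single IdP this instance trusts
    audience: str         # this SP's own entityID
    acs_url: str          # Assertion Consumer Service URL the response arrived at
    clock_skew: timedelta = timedelta(minutes=2)


def parse_saml_time(value: str) -> datetime:
    """SAML xs:dateTime is UTC with a trailing 'Z'; normalise it for fromisoformat."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_assertion(xml_text, cfg, expected_in_response_to, now, seen_ids):
    """Return the list of violations; an empty list means the assertion is acceptable."""
    root = ET.fromstring(xml_text)
    problems = []
    # 1. Issuer pinning: reject assertions from any IdP other than the configured one.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg.trusted_issuer:
        problems.append(f"issuer {issuer!r} is not the configured IdP")
    # 2. Replay: an assertion ID may be consumed once within its validity window.
    assertion_id = root.get("ID", "")
    if not assertion_id or assertion_id in seen_ids:
        problems.append("assertion ID missing or already consumed")
    # 3. Conditions: validity window (bounded clock skew) and audience restriction.
    conds = root.find("saml:Conditions", NS)
    if conds is None:
        problems.append("no Conditions element")
    else:
        nb, noa = conds.get("NotBefore"), conds.get("NotOnOrAfter")
        if nb and now + cfg.clock_skew < parse_saml_time(nb):
            problems.append("assertion not yet valid")
        if noa and now - cfg.clock_skew >= parse_saml_time(noa):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     conds.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if cfg.audience not in audiences:
            problems.append(f"audience {audiences} does not include this SP")
    # 4. Bearer confirmation must be bound to our ACS URL and to our outstanding request.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != cfg.acs_url:
            problems.append("Recipient is not this SP's ACS URL")
        if scd.get("InResponseTo") != expected_in_response_to:
            problems.append("InResponseTo does not match the outstanding AuthnRequest")
        noa = scd.get("NotOnOrAfter")
        if noa and now - cfg.clock_skew >= parse_saml_time(noa):
            problems.append("subject confirmation expired")
    if not problems:
        seen_ids.add(assertion_id)
    return problems


# Constructed sample assertion (signature omitted) as one tenant's IdP would send to its Fedlet.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1b2c3" Version="2.0"
    IssueInstant="2014-10-02T10:00:00Z">
  <saml:Issuer>https://idp.tenant-a.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@tenant-a.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-10-02T10:05:00Z"
          Recipient="https://saas.example/fedlet/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-10-02T09:59:00Z" NotOnOrAfter="2014-10-02T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saas.example/fedlet</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
SAMPLE_CFG = SpConfig(trusted_issuer="https://idp.tenant-a.example/saml",
                      audience="https://saas.example/fedlet",
                      acs_url="https://saas.example/fedlet/acs")
SAMPLE_NOW = datetime(2014, 10, 2, 10, 1, tzinfo=timezone.utc)


def demo():
    """Accept once; reject the replay; reject the same assertion at another tenant's Fedlet."""
    seen = set()
    first = check_assertion(SAMPLE_ASSERTION, SAMPLE_CFG, "_req42", SAMPLE_NOW, seen)
    replay = check_assertion(SAMPLE_ASSERTION, SAMPLE_CFG, "_req42", SAMPLE_NOW, seen)
    tenant_b = SpConfig("https://idp.tenant-b.example/saml", SAMPLE_CFG.audience, SAMPLE_CFG.acs_url)
    cross = check_assertion(SAMPLE_ASSERTION, tenant_b, "_req42", SAMPLE_NOW, set())
    return first, replay, cross
```

Signature verification has to come first because every value examined here is attacker-controlled until the signature holds. The consumed-ID set matters in the multi-tenant case as well: without it, a captured bearer assertion replayed within its five-minute window would pass every other check.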


Cloud Security Agent: Sneak Preview (To be released in 2015)

• A WebLogic-Server-embedded Java agent designed to support perimeter authentication for browser-based interactions with services hosted in Oracle Cloud
  – Out-of-the-box SAML-based authentication solution (service provider), extensible to support Access Manager WebGate authentication and OAuth delegated authorization
  – Complements Web Services Manager, which handles security requirements for all REST and SOAP requests in the same WLS container
  – REST-based communications between agent and Access Manager services
  – Leverages on-premise Access Management to protect Cloud applications
  – Leverages Cloud Access Management to protect on-premise applications


Oracle Access Management Identity Federation (OAuth): On-Premise, Cloud, Mobile Deployments

• Extend Access Management services to provide token issuance, token validation, token revocation and user flows in accordance with the OAuth 2.0 standard
• Enhance Access Management federation use-case scenarios, starting with Oracle’s own Cloud deployments
  – Eliminate the use of end-user passwords in service-to-service interactions
  – Centralize trust policies and associations in a large deployment
• The Oracle Access Management OAuth service is extensively used by Oracle Access Management Mobile and Social
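Token issuance, validation and revocation for service-to-service calls without end-user passwords, as the slide describes, map onto the OAuth 2.0 client-credentials grant: the calling service authenticates with its own client credentials, the authorization server holds the trust policy (which client may obtain which scopes) and the key, and the resource server checks the token rather than the caller. The block below is an added, self-contained Python example, not the Oracle Access Management OAuth service; the client ID, secret, scopes, URLs and fixed clock are constructed.

```python
"""OAuth 2.0 client-credentials grant with JWT access tokens: issue, validate, revoke.
Added example, not Oracle's implementation. HS256 keeps the block self-contained; a real
deployment signs with an asymmetric key (RS256/ES256) so resource servers validate with
the issuer's public key and never hold the signing key."""
import base64, hashlib, hmac, json, secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer, self.key = issuer, signing_key
        self.clients = {}      # client_id -> (sha256(secret), allowed scopes): the trust policy
        self.revoked = set()   # jti values revoked before their exp

    def register_client(self, client_id, client_secret, scopes):
        self.clients[client_id] = (hashlib.sha256(client_secret.encode()).digest(), set(scopes))

    def token(self, client_id, client_secret, scope, audience, now, ttl=300):
        """grant_type=client_credentials: authenticate the client, enforce its scope ceiling."""
        rec = self.clients.get(client_id)
        presented = hashlib.sha256(client_secret.encode()).digest()
        if rec is None or not hmac.compare_digest(rec[0], presented):
            raise PermissionError("invalid_client")
        scopes = set(scope.split())
        if not scopes or not scopes <= rec[1]:
            raise PermissionError("invalid_scope")
        claims = {"iss": self.issuer, "sub": client_id, "aud": audience, "iat": now,
                  "exp": now + ttl, "jti": secrets.token_urlsafe(16), "scope": " ".join(sorted(scopes))}
        return {"access_token": self._sign(claims), "token_type": "Bearer", "expires_in": ttl}

    def _sign(self, claims):
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{b64url(sig)}"

    def revoke(self, access_token):
        """Revocation endpoint: remember the jti until the token would have expired anyway."""
        self.revoked.add(json.loads(b64url_decode(access_token.split(".")[1]))["jti"])

    def validate(self, access_token, expected_audience, required_scope, now):
        """Resource-server check: signature first, then iss, aud, exp, revocation, scope."""
        parts = access_token.split(".")
        if len(parts) != 3:
            raise PermissionError("malformed_token")
        header, body, sig = parts
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            raise PermissionError("unexpected_alg")   # never let the token choose the algorithm
        expected = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise PermissionError("bad_signature")
        claims = json.loads(b64url_decode(body))
        if claims.get("iss") != self.issuer:
            raise PermissionError("bad_issuer")
        if claims.get("aud") != expected_audience:
            raise PermissionError("bad_audience")
        if now >= claims.get("exp", 0):
            raise PermissionError("expired")
        if claims.get("jti") in self.revoked:
            raise PermissionError("revoked")
        if required_scope not in claims.get("scope", "").split():
            raise PermissionError("insufficient_scope")
        return claims


def demo():
    """Constructed scenario: service 'billing-batch' calls the invoices API under a fixed clock."""
    srv = AuthorizationServer("https://login.example/oauth2", secrets.token_bytes(32))
    srv.register_client("billing-batch", "secret-from-vault", ["invoices.read", "invoices.write"])
    t0, aud = 1412244000, "https://api.example/invoices"
    tok = srv.token("billing-batch", "secret-from-vault", "invoices.read", aud, now=t0)["access_token"]
    out = {"ok": srv.validate(tok, aud, "invoices.read", now=t0 + 10)["sub"]}
    checks = {"wrong_aud": ("https://api.example/payroll", "invoices.read", t0 + 10),
              "missing_scope": (aud, "invoices.write", t0 + 10),
              "expired": (aud, "invoices.read", t0 + 301)}
    for label, (a, s, t) in checks.items():
        try:
            srv.validate(tok, a, s, now=t)
            out[label] = "accepted"
        except PermissionError as e:
            out[label] = str(e)
    srv.revoke(tok)
    try:
        srv.validate(tok, aud, "invoices.read", now=t0 + 10)
        out["after_revoke"] = "accepted"
    except PermissionError as e:
        out["after_revoke"] = str(e)
    try:
        srv.token("billing-batch", "secret-from-vault", "admin", aud, now=t0)
        out["overreach"] = "granted"
    except PermissionError as e:
        out["overreach"] = str(e)
    return out
```

Two details carry the security weight. The scope ceiling is enforced at issuance, so a compromised client cannot mint itself broader access than its registration allows, and the audience check at the resource server stops a token issued for one API from being replayed against another. Revocation works only if the resource server consults the revoked set (or an introspection endpoint); a purely offline JWT check would honour the token until exp.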


Web Services Manager: First-Mile and Last-Mile Security

• Web services security enabler for
  – Oracle Fusion Applications SaaS offering
  – Oracle Java Cloud Service
  – Oracle Application Development Framework (ADF)
  – Oracle Service Bus (OSB) PaaS offering
• Enable secure communication between Fusion Applications, Java Cloud Service, Integration Service (SOA), and external, standards-based systems
• Simplified key store management for Cloud-centric usage


API Gateway: First Line of Defense

• Secure access to web services and web APIs deployed on premise or in the Cloud
• Extend Access Management to RESTful APIs
  – Context-aware authentication
  – Content-aware authorization
  – Security tokens
  – Data redaction
  – Audit
• Extend access to web services and APIs from mobile devices (tablets or smartphones)
• Simplified deployment in Cloud environments
• Integrate with multiple environments to provide a complete, end-to-end solution
  – Oracle Access Management
  – Third-party environments
• Data format transformations
  – XML to JSON and vice versa
• Protocol bridging
  – REST, SOAP, JMS
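The "data redaction" item above, and the earlier scenario in which responses passing back out through the DMZ must obfuscate selected private information, come down to a policy the gateway applies to the response body before forwarding it. Below is an added Python example of such a policy, not Oracle API Gateway configuration or code; the field names, sample response and key are constructed. It also includes the post-redaction leak check a practitioner would want, since a policy keyed on field names silently misses values that appear under a different name or type.

```python
"""Gateway-side response redaction (added example, not Oracle API Gateway code).
A policy maps field names to actions applied wherever the field occurs in a JSON
response, nested or inside lists: 'drop' removes the field, 'mask' keeps only the last
four characters, 'hash' replaces the value with a keyed pseudonym so records remain
correlatable downstream without carrying the raw value. All sample data is constructed."""
import hashlib, hmac, json

POLICY = {"ssn": "drop", "cardNumber": "mask", "email": "hash"}
PSEUDONYM_KEY = b"rotate-me-from-the-gateway-key-store"   # hypothetical key


def redact(node, policy=POLICY, key=PSEUDONYM_KEY):
    """Return a redacted copy of a parsed JSON value; the original is left untouched."""
    if isinstance(node, dict):
        out = {}
        for name, value in node.items():
            action = policy.get(name)
            if action == "drop":
                continue
            if action in ("mask", "hash") and not isinstance(value, (dict, list)):
                text = str(value)            # numeric card numbers get redacted too, not passed through
                if action == "mask":
                    out[name] = "*" * (len(text) - 4) + text[-4:] if len(text) > 4 else "*" * len(text)
                else:
                    out[name] = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()[:16]
            else:
                out[name] = redact(value, policy, key)   # recurse into nested structures
        return out
    if isinstance(node, list):
        return [redact(item, policy, key) for item in node]
    return node


def sensitive_values(node, policy=POLICY):
    """Collect the raw values of policy-covered fields, for a post-redaction leak check."""
    found = []
    if isinstance(node, dict):
        for name, value in node.items():
            if name in policy and not isinstance(value, (dict, list)):
                found.append(str(value))
            else:
                found.extend(sensitive_values(value, policy))
    elif isinstance(node, list):
        for item in node:
            found.extend(sensitive_values(item, policy))
    return found


def leaks(original, redacted, policy=POLICY):
    """Raw sensitive values that still appear anywhere in the serialised redacted response."""
    serialised = json.dumps(redacted)
    return [v for v in sensitive_values(original, policy) if v in serialised]


# Constructed sample of an Intranet service's response before the gateway rewrites it.
SAMPLE_RESPONSE = {
    "customer": {"id": 1001, "name": "A. Customer", "email": "a.customer@example.com",
                 "ssn": "123-45-6789"},
    "paymentMethods": [{"type": "card", "cardNumber": "4111111111111111"},
                       {"type": "card", "cardNumber": "5500000000000004"}],
    "audit": {"contacts": [{"email": "ops@example.com"}]},
}


def demo():
    """Redact the sample response and confirm no raw sensitive value survives."""
    redacted = redact(SAMPLE_RESPONSE)
    return redacted, leaks(SAMPLE_RESPONSE, redacted)
```

The leak check is deliberately cruder than the policy: it searches the serialised output for the raw strings, so it catches a value that was copied into an unlisted field (a "displayName" that happens to contain the e-mail address, say), which a name-based policy alone would never see. The keyed pseudonym uses a truncated HMAC rather than a plain hash so that low-entropy values such as e-mail addresses cannot be reversed by dictionary lookup without the key.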


API Gateway: Support for Cloud Deployments

• Can be deployed on premise and access web services or APIs hosted in the Cloud (top view)
• Can be deployed in the Cloud on Oracle or third-party Cloud services (bottom view)
• Functionality supported
  – Infrastructure as a Service (IaaS)
  – Platform as a Service (PaaS)
  – Software as a Service (SaaS)
  – Cloud governance

[Figure, top view: an on-premise API Gateway deployment fronting Oracle Cloud, Microsoft Azure, Force.com, Amazon Web Services and Google Apps]
[Figure, bottom view: API Gateway instances deployed in the Cloud on Oracle Cloud, Amazon Web Services and Microsoft Azure]


4. Intuit Presentation


Intuit: Identity Management as a Managed Service

• Upgrade from Access Manager 10g to Access Management platform 11gR2 for intranet and SaaS applications
• Deployment of Access Manager and Access Management Identity Federation service with active-active configuration in two data centers managed by OMCS (Oracle Managed Cloud Services)
• LDAP and Credential Collectors reside in Intuit’s own data centers
• Six-month upgrade supporting 150+ applications


Questions


Complimentary eBook: register at www.mhprofessional.com/mobsec


Join the Community

Twitter: twitter.com/OracleIDM
Facebook: facebook.com/OracleIDM
Oracle Blogs: Blogs.oracle.com/OracleIDM
Oracle IdM Website: oracle.com/Identity
