This post gives an overview of Oracle Access Manager (OAM), Oracle's main single sign-on (SSO) solution for Oracle Fusion Middleware 11g and one of the main components of Oracle's Identity Management stack.
1. Oracle Access Manager (OAM) consists of two main systems:
a) Identity System – to create and manage users and groups, and to provide self-registration and password management.
b) Access System – to configure single- or multi-domain SSO for web and non-web applications, web pages and other resources, and to configure access management (authentication and authorization) for those resources.
2. It is possible to implement only the Identity System, only the Access System, or both components of Access Manager.
3. Using Access Manager's Identity System you can:
i) create, remove or manage identity information for users and groups
ii) provide delegated administration and self-service for identity data (users, groups, resources)
iii) use the workflow engine to automate requests and approvals related to identity data
iv) manage passwords – define multiple password policies, change passwords, handle lost-password recovery
v) configure auditing and reporting on identity events
A. Oracle Access Manager – Identity System
1. The Access Manager Identity System contains four applications that provide the functionality listed in step 3 above:
i) User Manager – application to add, remove or manage users.
ii) Group Manager – application to add, delete and manage groups (static, dynamic, nested); use it to add or remove users from a group or to search for a group's members.
iii) Organization Manager – to manage system rules, access privileges and workflows for entire organizations.
iv) Identity System Console – to create administrators and delegated administrators for the Identity System and to set up the Identity System applications, including object classes and attributes.
2. The Identity System has two subcomponents:
i) Identity Server – a stand-alone server process that communicates with the directory server (AD, OID, Sun Directory Server, ...)
ii) WebPass – a web server plug-in that sits between the web server (Apache, OHS, IIS, ...) and the Identity Server.
– The Identity Server manages information about users, groups and other objects stored in the directory server.
– There can be one or more Identity Servers in an Access Manager deployment.
– WebPass receives requests from users and forwards them to the Identity Server; once the Identity Server has processed the request, WebPass receives the reply and passes it back to the web server.
– A WebPass can connect to one or more Identity Servers.
– Communication between WebPass and the Identity Server uses Oracle's proprietary protocol, the Oracle Identity Protocol (OIP).
– Communication between the Identity Server and the directory server uses LDAP (Lightweight Directory Access Protocol).
B. Oracle Access Manager – Access System
1. The Access System consists of the following four subcomponents:
i) Access Server – provides the dynamic policy evaluation service for web and non-web resources and applications. The Access Server receives a request from a WebGate or a custom AccessGate, then queries the LDAP server for the authentication, authorization and auditing rules that apply.
ii) WebGate – a web server plug-in that intercepts HTTP requests from users for web resources and forwards them to the Access Server for authentication and authorization.
iii) Policy Manager – administrators use Policy Manager to define the resources to be protected by the Access System. Policy Manager is installed on a web server together with WebPass and communicates with the directory server (OID, AD or iPlanet) to write policy data. Policy Manager communicates with the Access Server (using the Oracle Access Protocol) to notify it of any policy modification.
– Policy Manager contains the following modules:
a) Authentication Module
b) Authorization Module
c) Auditing Module
d) Session Management Module
iv) Access System Console – used to configure the Access Server; it has the following tabs: System Configuration, System Management and Access System Configuration.
   a) System Configuration – to define
      – Master and Delegated Access Administrators
      – resource types, policy domains, authentication schemes and authorization schemes
   b) System Management – to manage diagnostics and reports
   c) Access System Configuration –
      – to view, add, modify or delete Access Servers, AccessGates or Access Server clusters
      – to view and modify authentication/authorization parameters
– There can be one or more Access Servers in an Access Manager deployment.
– WebGate receives requests from users and forwards them to the Access Server; once the Access Server has processed the request, WebGate receives the reply and passes it back to the web server.
– A WebGate can connect to one or more Access Servers.
– Communication between WebGate and the Access Server uses Oracle's proprietary protocol, the Oracle Access Protocol (OAP).
– Communication between the Access Server and the directory server uses LDAP (Lightweight Directory Access Protocol).
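The request path described in this section, as an added example that is not part of the original post and not Oracle's code. It models in Python what the page describes: a WebGate intercepting a request, an Access Server matching the resource to a policy domain, authenticating the user against the directory (the LDAP bind is stubbed over an in-memory dictionary of constructed users), checking the authorization rule, and handing back a signed session token that stands in for the ObSSOCookie. The token format, the HMAC key, the login URL and every user, group and policy domain are assumptions made for the example.

```python
# Added example: simplified model of WebGate -> Access Server -> directory.
# Not Oracle code. Cookie format, key, paths and directory data are assumptions.
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Directory contents the Access Server would read over LDAP (constructed sample data)
def _pw(password):
    return hashlib.sha256(b"example-salt:" + password.encode()).hexdigest()

DIRECTORY = {
    "alice": {"pw": _pw("Winter2024!"), "groups": ["cn=finance,ou=groups,dc=example,dc=com"]},
    "bob":   {"pw": _pw("bobpass"),     "groups": ["cn=staff,ou=groups,dc=example,dc=com"]},
}

def ldap_bind(uid, password):
    """Stand-in for the LDAP bind the Access Server performs to authenticate a user."""
    entry = DIRECTORY.get(uid)
    return entry is not None and hmac.compare_digest(entry["pw"], _pw(password))

def ldap_groups(uid):
    return DIRECTORY.get(uid, {}).get("groups", [])

# Policy data an administrator would define in Policy Manager (constructed)
@dataclass
class PolicyDomain:
    name: str
    url_prefix: str   # protected resource: http://host + this prefix
    auth_level: int   # level of the authentication scheme
    allowed_groups: list = field(default_factory=list)  # empty = any authenticated user

POLICY_DOMAINS = [
    PolicyDomain("Intranet", "/intranet/", auth_level=1),
    PolicyDomain("Payroll", "/intranet/payroll/", auth_level=2,
                 allowed_groups=["cn=finance,ou=groups,dc=example,dc=com"]),
]

# Session token standing in for ObSSOCookie: HMAC-signed claims (assumed format)
COOKIE_KEY = b"key-shared-by-all-access-servers"  # assumption: one key per deployment
COOKIE_TTL = 3600

def issue_cookie(uid, level, now=None):
    body = json.dumps({"uid": uid, "lvl": level, "iat": int(now or time.time())}).encode()
    mac = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(mac).decode()

def parse_cookie(token, now=None):
    """Returns the claims, or None if the token is malformed, forged or expired."""
    try:
        b64body, b64mac = token.split(".")
        body, mac = base64.urlsafe_b64decode(b64body), base64.urlsafe_b64decode(b64mac)
        if not hmac.compare_digest(hmac.new(COOKIE_KEY, body, hashlib.sha256).digest(), mac):
            return None
        claims = json.loads(body)
        if (now or time.time()) - claims["iat"] > COOKIE_TTL:
            return None
        return claims
    except (ValueError, TypeError, KeyError):
        return None

def find_policy(path):
    """Longest-prefix match: the most specific policy domain wins."""
    matches = [p for p in POLICY_DOMAINS if path.startswith(p.url_prefix)]
    return max(matches, key=lambda p: len(p.url_prefix), default=None)

def access_server(path, cookie=None, credentials=None, now=None):
    """Policy evaluation for one request. Returns (decision, detail)."""
    policy = find_policy(path)
    if policy is None:
        return "allow", {"unprotected": True}  # no policy domain covers the resource
    claims = parse_cookie(cookie, now) if cookie else None
    if claims is None or claims["lvl"] < policy.auth_level:
        # No session, or a session too weak for this scheme: (re)authenticate
        if not credentials:
            return "challenge", {"auth_level": policy.auth_level}
        uid, password = credentials
        if not ldap_bind(uid, password):
            return "challenge", {"auth_level": policy.auth_level, "reason": "bad credentials"}
        claims, cookie = {"uid": uid, "lvl": policy.auth_level}, issue_cookie(uid, policy.auth_level, now)
    if policy.allowed_groups and not set(ldap_groups(claims["uid"])) & set(policy.allowed_groups):
        return "deny", {"uid": claims["uid"], "policy": policy.name}
    return "allow", {"uid": claims["uid"], "policy": policy.name, "cookie": cookie}

def webgate(path, headers, credentials=None, now=None):
    """WebGate side: pull ObSSOCookie out of the request, ask the Access Server, act."""
    cookie = None
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "ObSSOCookie":
            cookie = value
    decision, detail = access_server(path, cookie, credentials, now)
    if decision == "challenge":
        return 302, {"Location": "/oamsso/login?level=%d" % detail["auth_level"]}  # assumed URL
    if decision == "deny":
        return 403, {}
    out = {}
    if "uid" in detail:  # identity handed to the application as a header variable
        out["HTTP_OAM_REMOTE_USER"] = detail["uid"]
        out["Set-Cookie"] = "ObSSOCookie=" + detail["cookie"]
    return 200, out

if __name__ == "__main__":
    print(webgate("/intranet/home", {}))  # (302, ...): no session, send to login
    status, hdrs = webgate("/intranet/home", {}, credentials=("alice", "Winter2024!"))
    print(status, hdrs["HTTP_OAM_REMOTE_USER"])  # 200 alice
    print(webgate("/intranet/payroll/run", {"Cookie": hdrs["Set-Cookie"]})[0])  # 302: step-up to level 2
```

Two behaviours worth noticing: the more specific Payroll domain wins the longest-prefix match, so its level-2 scheme and group rule apply even though /intranet/ is also protected; and a level-1 session does not satisfy a level-2 scheme, so the Access Server forces re-authentication (step-up) rather than reusing the weaker session. The model also makes the trust boundary visible: any Access Server holding COOKIE_KEY can mint sessions, which is why the channel between WebGate and Access Server and the key material shared among Access Servers deserve the same protection as the directory credentials.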