TRANSCRIPT
Architecting a Complete Solution for the Cloud Economy: Delivering Standards-Based Access Control
Marc Chanliau, Oracle Identity Management
Bernard Diwakar, Intuit
October 02, 2014
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
1. Introduction
2. Oracle Access Management and the Cloud
3. Access Management Services for the Cloud
4. Intuit Presentation
1. Introduction
Combined On-Premise and Cloud Deployments: Access Management in the New Digital Economy
• Seamless Multi-Channel Access
• Access Any Application, From Any Device, Anywhere
• Scalable for Today’s Internet and Cloud Needs
• Standards-Based, Modular Architecture
• Integrated, Risk-aware, Strong Auth, and Fraud Prevention
• AppAdvantage: Increased Agility with Enterprise Apps
Oracle Access Management: Introduction
• Complete functionality
• Standards-based and modular
• Content-aware, context-aware, risk-aware
• Scalable, deployable across multiple data centers
• Automated upgrades, patching, and migration
• Support for hybrid environments (on-premise, Cloud)
Services shown:
• Web Authentication, SSO
• Adaptive Access and Fraud Prevention
• Identity Federation
• Secure Token Service
• Mobile Security and Social Identity
• Cloud SSO
• Enterprise SSO
• External, Fine-Grained Authorization
• Web Services Security
• API Security
Oracle Access Management Logical Deployment View
(Diagram, left to right across four zones. Public Zone (Internet): Mobile Devices with the Mobile and Social SDK; Laptop / Desktop with Enterprise SSO and the Web Services Security Client; traffic over HTTP/S, REST, OAuth, JMS and SOAP. Web Tier (DMZ): Load Balancer, Access Manager WebGates, WS and API Gateway. Application Tier (Intranet): Oracle Access Management Suite Plus, Enterprise Applications, Web Services – Web APIs, on premise or in the Cloud. Data Tier: Oracle Directory Services, Third-Party Directory Services, Application Data, Oracle Metadata.)
2. Oracle Access Management and the Cloud
Cloud Identity Management: Deployment Options
Private Cloud
• Customer owns, customer operates
• Extends Access Management and Identity Governance to Cloud applications
Managed Cloud
• Customer owns, Oracle operates
• Avoid on-premise infrastructure costs by outsourcing management to an experienced team
Public Cloud
• Oracle owns, Oracle operates
• Subscription-based, elastic Access Management for Cloud environments
Access Management in the Cloud: Services Involved
• Primary web authentication, web SSO, coarse-grained authorization (optionally, the Mobile and Social service if mobile clients are involved)
• Lightweight Cloud SSO proxy
• Identity Federation: support for SAML, OAuth, OpenID
• Web services and API security: first line of defense on-premise and/or in the Cloud
• SOA security: first-mile and last-mile security on-premise and/or in the Cloud
Cloud Access Management Use-Case Scenarios
Scenario 1
• Access management is on premise or in the Cloud
• Applications are deployed in a public or private Cloud
• Clients (requesting parties) use laptop or mobile device browsers only
Scenario 2
• Access management is on premise; some enterprise web applications are on premise, others are in a private Cloud
• SSO must be provided among applications deployed on premise
• Federation must be provided between applications deployed on premise and in the Cloud
• Clients (requesting parties) use laptop or mobile device browsers or native apps
Cloud Access Management Use-Case Scenarios (cont’d)
Scenario 3
• Clients (requesting parties) use Oracle web services or applications deployed in the Cloud
• Requests are first intercepted in the DMZ and passed on to the Intranet resources for processing
• Responses returned to requesting parties must obfuscate selected private information
Scenario 4
• Clients (requesting parties) located on-premise or in the Cloud send web services or web API requests to SaaS applications deployed in a public Cloud
3. Access Management Services for the Cloud
Need for Access Portal Services: Customer Challenges
• Simplify the user experience to access corporate web and Cloud resources
• Adapt to different PC and mobile form factors
• Enable integration with existing corporate portals
• Provide wizard-driven tools to accommodate integration with SaaS, partner, and Cloud applications
(Diagram: Access Portal Service, with a User Portal providing SSO to SaaS, SSO to Corporate Web Apps and SSO to Partner Apps, plus Integrate and Customize.)
Oracle Access Portal: A Mobile and Cloud Solution for the Enterprise
• Hosted single sign-on (SSO) proxy service
– Secure way for users to access enterprise applications from any device supporting a browser
– Support intranet and extranet applications, on-premise or hosted in the Cloud, using Oracle's form-fill SSO technology
Oracle Access Management Federation Services: On-Premise and Cloud Deployments
• Federation Types
– SAML-based federation (authentication, attribute sharing)
– OpenID-based federation (delegated authentication)
– OAuth-based federation (delegated authorization)
– Social-identity-based federation (redirected authentication)
– Form-fill-based federation (SSO proxy)
Oracle Access Management Identity Federation Services: SAML-Based Federated Authentication and Attribute Sharing
(Diagram: Domain A hosts the Identity Provider (IdP), Domain B hosts the Service Provider (SP); identities flow from IdP to SP over an established trust relationship.)
• Oracle Access Management platform provides primary web authentication
• Oracle Access Management Identity Federation generates (IdP) and/or consumes (SP) SAML assertions
Access Management Identity Federation Fedlet: On-Premise and Cloud Deployment Models
• Compact, lightweight, easy-to-deploy SAML 2.0 Service Provider implementation fully integrated with Access Management Identity Federation
• Fedlet is used in multi-tenant SaaS deployments where each SaaS customer acts as an Identity Provider
– Each of the tenant applications authenticates remote users coming from its own Identity Provider
– In such an environment each of the Fedlet instances is configured to always communicate with the same Identity Provider
Cloud Security Agent: Sneak Preview (To be released in 2015)
• A WebLogic-Server-embedded Java agent designed to support perimeter authentication for browser-based interactions with services hosted in Oracle Cloud
– Out-of-the-box SAML-based authentication solution (service provider), extensible to support Access Manager WebGate authentication and OAuth delegated authorization
– Complements Web Services Manager, which handles security requirements for all REST and SOAP requests in the same WLS container
– REST-based communications between agent and Access Manager services
– Leverages on-premise Access Management to protect Cloud applications
– Leverages Cloud Access Management to protect on-premise applications
Oracle Access Management Identity Federation (OAuth): On-Premise, Cloud, Mobile Deployments
• Extend Access Management services to provide token issuance, token validation, token revocation and user flows in accordance with the OAuth 2.0 standard
• Enhance Access Management federation use-case scenarios starting with Oracle’s own Cloud deployments
– Eliminate the use of end-user passwords in service-to-service interactions
– Centralize trust policies and associations in a large deployment
• The Oracle Access Management OAuth service is extensively used by Oracle Access Management Mobile and Social
Web Services Manager: First-Mile and Last-Mile Security
• Web services security enabler for
– Oracle Fusion Applications SaaS offering
– Oracle Java Cloud Service
– Oracle Application Development Framework (ADF)
– Oracle Service Bus (OSB) PaaS offering
• Enable secure communication between Fusion Applications, Java Cloud Service, Integration Service (SOA), and external, standards-based systems
• Simplified key store management for Cloud-centric usage
API Gateway: First Line of Defense
• Secure access to web services and web APIs deployed on premise or in the Cloud
• Extend Access Management to RESTful APIs
– Context-aware authentication
– Content-aware authorization
– Security tokens
– Data redaction
– Audit
• Extend access to web services and APIs from mobile devices (tablets or smartphones)
• Simplified deployment in Cloud environments
• Integrate with multiple environments to provide a complete, end-to-end solution
– Oracle Access Management
– Third-party environments
• Data format transformations
– XML to JSON and vice versa
• Protocol bridging
– REST, SOAP, JMS
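To make the gateway's data redaction function and the DMZ use case (responses passed back from Intranet resources must obfuscate selected private information) concrete, this added Python example, not from the page or from Oracle's API Gateway, applies a hypothetical field-name redaction policy to a constructed JSON backend response before it is returned to the requesting party, masking matching fields at any nesting depth and inside arrays.

```python
import json

# Constructed sample backend response (not from the page): what an Intranet
# service might hand back to the gateway before the response filter runs.
SAMPLE_RESPONSE = json.dumps({
    "order_id": 42,
    "customer": {
        "name": "Alice Example",
        "email": "alice@example.com",
        "ssn": "123-45-6789",
        "cards": [{"number": "4111111111111111", "exp": "12/19"}],
    },
})

# Hypothetical policy: field name -> redaction mode. Anything not listed passes through.
REDACT_FIELDS = {"ssn": "full", "number": "last4"}


def redact_value(value, mode):
    """Mask one field: keep the last four characters for 'last4', otherwise hide it entirely."""
    text = str(value)
    if mode == "last4":
        return text[-4:].rjust(len(text), "*")
    return "***"


def redact(obj, policy=REDACT_FIELDS):
    """Walk a decoded JSON value; policy keys match by field name at any depth, including in arrays."""
    if isinstance(obj, dict):
        return {key: (redact_value(val, policy[key]) if key in policy else redact(val, policy))
                for key, val in obj.items()}
    if isinstance(obj, list):
        return [redact(item, policy) for item in obj]
    return obj  # scalars that are not under a redacted key are returned unchanged


def redact_response(body, policy=REDACT_FIELDS):
    """Gateway response filter: parse the backend JSON body, redact, re-serialise for the caller."""
    return json.dumps(redact(json.loads(body), policy))


if __name__ == "__main__":
    print(redact_response(SAMPLE_RESPONSE))
```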
API Gateway: Support for Cloud Deployments
• Can be deployed on premise and access web services or APIs hosted in the Cloud (top view)
• Can be deployed in the Cloud on Oracle or third-party Cloud services (bottom view)
• Functionality supported
– Infrastructure as a Service (IaaS)
– Platform as a Service (PaaS)
– Software as a Service (SaaS)
– Cloud governance
(Diagram, top view: API Gateway (on-premise deployment) in front of Oracle Cloud, Microsoft Azure, Force.com, Amazon Web Services and Google Apps. Bottom view, Cloud deployment: an API Gateway instance in each of Oracle Cloud, Amazon Web Services and Microsoft Azure.)
4. Intuit Presentation
Intuit: Identity Management as a Managed Service
• Upgrade from Access Manager 10g to Access Management platform 11gR2 for intranet and SaaS applications
• Deployment of Access Manager and Access Management Identity Federation service with active-active configuration in two data centers managed by OMCS
• LDAP and Credential Collectors reside in Intuit’s own data centers
• Six-month upgrade supporting 150+ applications
Complimentary eBook: Register Now at www.mhprofessional.com/mobsec
Join the Community
Twitter: twitter.com/OracleIDM
Facebook: facebook.com/OracleIDM
Oracle Blogs: Blogs.oracle.com/OracleIDM
Oracle IdM Website: oracle.com/Identity