Posts Tagged ‘Oracle Identity Management’

Integrating Oracle Apps 11i with MS AD 2008

December 24, 2009

After the release of MS Windows 2008, customers are planning to upgrade their MS AD 2003 deployments to MS AD 2008 (as part of the OS upgrade to MS Windows 2008) to gain the benefits MS Windows 2008 provides. Companies that use Oracle Applications 11i or Oracle Internet Directory 10g and have integrated these products with MS AD 2003 to achieve Single Sign-On will not be able to keep that integration certified after upgrading MS AD 2003 to MS AD 2008, because Oracle Apps 11i and Oracle Internet Directory 10g are not certified with MS AD 2008 as of now.

Metalink Note "Is OID 10g Compatible with Microsoft Active Directory 2008" [ID 944298.1] states that OID 10g is not certified with MS AD 2008. OID 11g, however, is certified with MS AD 2008.

So, because OID 11g is not yet certified with Oracle Apps 11i, existing Oracle Apps 11i/OID 10g deployments cannot be integrated with MS AD 2008.

Well, there is a way around this. However, it involves introducing an additional component, i.e. Oracle Identity Manager (OIM). OIM, a component of the Oracle Identity Management Suite, provides an identity provisioning solution for Oracle and non-Oracle products, and it is certified for use with Oracle Internet Directory 10g and MS Active Directory 2008.

Oracle Identity Manager provides connectors for OID 10g and MS AD 2008, which allow users created in MS AD 2008 to be reconciled into OIM. OIM in turn propagates the user information to OID, and OID then propagates those changes to the Oracle Apps 11i FND_USER table.

Which Single Sign-On?

August 21, 2008

In this post, I discuss the current Single Sign-On products available from Oracle as part of the Oracle Identity Management (IDM) Suite, plus OracleAS Single Sign-On.

The IDM Suite comprises more than a dozen products covering end-to-end lifecycle management for user identities. Two different products in the Oracle IDM Suite provide Single Sign-On functionality for web and desktop application resources:

Oracle Access Manager (OAM): This is an identity management solution for web applications (legacy and custom applications) and for user identity administration. OAM secures applications by providing centralized authentication, authorization and auditing to enable single sign-on for enterprise web applications. It also provides delegated administration and self-registration options with approval workflows.

OAM can use any LDAP-based directory as its backend repository to store policy, configuration, workflow, user, group and organization data.

OAM supports the following authentication methods:

  • Basic Username/Password
  • X.509 Certificates
  • Smart cards
  • Two Factor Tokens
  • Form-based
  • Custom authentication via Authentication APIs

Oracle Enterprise Single Sign-On Suite: Oracle Enterprise Single Sign-On (eSSO) provides single sign-on functionality for all enterprise applications, i.e. web-based, client-server and legacy applications. Users can use eSSO functionality whether they are connected to the corporate network, traveling, or roaming between workstations. Oracle eSSO uses any LDAP directory or any SQL database as its user profile and credential repository. It accepts primary authentication from the Windows logon. It acts as a password manager and provides n-level authentication.

So where does OracleAS Single Sign-On fit into the current identity management offering? Or, put differently, when can't I use OracleAS Single Sign-On?

OracleAS Single Sign-On is a single sign-on solution for Oracle Application Server 10g applications, e.g. Portal, Discoverer, Forms, Reports, etc. It also provides Single Sign-On functionality for Oracle Applications 11i/R12.

OracleAS Single Sign-On (SSO) has a few limitations compared with OAM and eSSO:

  • It needs Oracle Internet Directory as its authentication and authorization source, whereas OAM and eSSO can use any LDAP-based directory as a backend repository.
  • OracleAS SSO cannot talk directly to any other directory service, e.g. Active Directory or Sun LDAP. To achieve this, Oracle Internet Directory needs to be integrated with the 3rd-party directory service. This means customers end up with one more directory service as part of the solution, even when they don't need it.
  • It has limited auditing capabilities.
  • OracleAS SSO provides a Windows Native Authentication (WNA) option for Windows users, which allows them to log in seamlessly to OracleAS SSO applications (e.g. Portal, Oracle Applications 11i/R12, etc.) once they have logged in successfully to the Windows domain. However, it provides single sign-on only for applications that are integrated with OracleAS SSO. Oracle eSSO, by contrast, provides single sign-on for all web and desktop applications (the majority of them) running on the user's desktop, with minimal deployment effort.

To summarize, customers should use Oracle Access Manager to provide single sign-on for web applications, and the Oracle Enterprise Single Sign-On Suite to provide single sign-on for desktop and web applications.

Stay tuned for more discussion on Oracle Identity and Access Management technologies and deployment scenarios.
