Oracle Identity Management 11g What’s New in PS1 March 2011


Page 1: Oracle Identity Management 11g What's New in PS1


Oracle Identity Management 11g

What’s New in PS1

March 2011

Page 2: Oracle Identity Management 11g What's New in PS1

This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

2 Copyright © 2011, Oracle. All rights reserved

Page 3: Oracle Identity Management 11g What's New in PS1

Agenda

• IDM 11gR1 Overview

• What’s New in PS1

• Release Themes

• Product updates

• Release Themes

• Key features & Use cases

• Feature Summary


Page 4: Oracle Identity Management 11g What's New in PS1

Oracle Identity Management

Provisioning & Identity Administration

Access Management

Directory Services

Roles-based User Provisioning

Password Management

Self Service Request & Approval

Authentication, SSO & Fraud Prevention

Authorization & Entitlements

Web Services Security

Information Rights Management

LDAP Storage

Virtualized Identity Access

Platform Security Services

Identity Analytics

Reporting Attestation SoD Mining

Identity Services for Developers


Page 5: Oracle Identity Management 11g What's New in PS1

Core Principles

Suite Wide Integration

Hot-Pluggable

Service-Oriented Security

Entitlements Centric


Page 6: Oracle Identity Management 11g What's New in PS1

Identity Management 11g Key Capabilities

Oracle Identity Manager
• Integrated Self-service/Request with BPEL Workflow, Extranet-ready Identity Administration, OES-based authz policies for delegation, ADF UI, Tight integrations with all major Apps and GRC, Native SSO and KBA through OAM/OAAM

Oracle Access Manager
• OSSO Upgrades, Session Management, Authz based on OES kernel, True Java architecture, ADF UI, Tight integrations with major Apps and FMW

Adaptive Access Manager
• Simplified Security Administration, One Time Passwords for Secondary User Challenges, System Snapshots of Security Data

Oracle Identity Analytics
• Role Mining, Role and Entitlement Attestation & SoD, Compliance Dashboarding and Charting, Tight Integration with OIM, Oracle Waveset and OAM


Page 7: Oracle Identity Management 11g What's New in PS1

Oracle Identity Management Roadmap Timelines

Timeline markers on the slide: July 2010, H1CY2011, H2CY2011, CY2012

11gR1+
• Identity Manager
• Access Manager
• Adaptive Access Manager
• Authorization Policy Manager

Hundred Day Release
• Directory Server EE
• Identity Analytics
• Oracle Waveset
• Oracle OpenSSO

11gR1+ PS1
• Identity Manager
• Identity Analytics
• Access Manager
• Security Token Service
• Adaptive Access Manager
• Entitlements Server

PS1 Porting
• IBM WebSphere Application Server

11gR1+ PS2
• Identity Manager
• Identity Analytics
• Access Manager
• Security Token Service
• Adaptive Access Manager
• Entitlements Server


Page 8: Oracle Identity Management 11g What's New in PS1

IDM 11gR1 Patchset 1

Page 9: Oracle Identity Management 11g What's New in PS1

IDM 11gR1 PS1 Themes

• Extensibility and developer enablement

• Interoperability

• 3rd party integrations

• Fusion Middleware, Fusion Apps support


Page 10: Oracle Identity Management 11g What's New in PS1

IDM 11gR1 PS1 Release Objectives

• Upgrades, migrations, and coexistence

• Simplified install, configuration, deployment

• More integrations delivered out-of-the-box

• Functional innovations and enhancements


Page 11: Oracle Identity Management 11g What's New in PS1

Oracle Access Manager 11gR1

Patchset 1

Page 12: Oracle Identity Management 11g What's New in PS1

Oracle Access Manager 11gR1 PS1 Release Themes

• Integrated Security Token Services

• OAM server extensibility

• SDK-based application integration

• Functional enhancements

• Improved Session Management

• Extranet SSO


Page 13: Oracle Identity Management 11g What's New in PS1

OAM 11gR1 PS1 Integrated Security Token Services

• Integrated suite of access and security token services

• Enable all services to enable integrated capabilities

• Disable services to use in standalone mode or integrate with analogous 3rd party services


Page 14: Oracle Identity Management 11g What's New in PS1

OAM 11gR1 PS1 Security Token Service Overview

• WS-Trust token service
  • Validate and Issue security tokens
  • Policy-driven token issuance as Identity propagation controls
• Standard Token support
  • Username, X.509, Kerberos, SAML 1.x, SAML 2.0, OAM
• Oracle Platform integration
  • Deployed on WebLogic Managed Server
  • Integrated with Oracle Access Manager to support OAM token propagation
  • OWSM integration for WS-Security, WS-Policy
  • Enterprise Manager based Monitoring


Page 15: Oracle Identity Management 11g What's New in PS1

OAM 11gR1 PS1 Server Extensibility

15 Oracle Restricted and Confidential

• Pre/Post Authentication Plug-ins

• Custom Authentication modules

• Plug-in orchestration

Authentication Engine

Extensibility Framework

Oracle Access Manager

Page 16: Oracle Identity Management 11g What's New in PS1

OAM 11gR1 PS1 SDK-based integration


Web Application

Web Application

10g Native ASDK

Oracle Access Manager

11g Java ASDK

Page 17: Oracle Identity Management 11g What's New in PS1

OAM 11gR1 PS1 Feature Summary

• Extensibility Framework
  • Enable extensibility in OAM servers to support custom authentication plugins
  • Include plugin orchestration to form complex authentication flows defined for custom authentication schemes
• Pure Java ASDK
  • Provide Pure Java ASDK that can be platform independent
  • Java ASDK will include some session management calls
• Session Management Engine Enhancement
  • Wildcard in username search
• Impersonation Support
  • Allows for impersonation of users for help desk support
• Agent-side Decision Caching
  • Webgate support for decision caching
• Exclusion List Support
  • Provide policy elements to define resources to be excluded from policy evaluation altogether
• Oracle STS Integration
  • Unified user interface with OSTS
  • OOTB co-installation and deployment of OAM and OSTS


Page 18: Oracle Identity Management 11g What's New in PS1

OAAM 11gR1 Patchset 1

Page 19: Oracle Identity Management 11g What's New in PS1

Adaptive Access Manager 11gR1 PS1 Release Themes

• Enhance Fraud Detection and Investigation

• Support Asynchronous Use Cases

• Further Simplify Deployment

• Mobile Extensibility


Page 20: Oracle Identity Management 11g What's New in PS1

OAAM 11gR1 PS1 Key Capabilities

• Predictive Risk Analytics

• Identifies statistical anomalies

• Learns from investigator feedback

• Extensible custom modeling

• Security/Compliance Investigation Tools

• Forensic analysis of alerts

• Rich data relationship views

• Intuitive white/black listing workflow

• Mark confirmed fraud and false positives


Page 21: Oracle Identity Management 11g What's New in PS1

OAAM 11gR1 PS1 Innovation

• Simplified OTP Anywhere Deployment

• Bundled UMS client libraries

• OOTB OTP challenge processors

• OTP API for native integration

• Open Device ID Framework

• Implement client based device ID

• Pull device data from a service into OAAM

• Task Scheduler

• Batch risk analysis on multiple data sources

• Automates some DB maintenance process

• Simplified Admin user experience


Page 22: Oracle Identity Management 11g What's New in PS1

Predictive Risk Analysis

• Anomaly detection – find unknown fraud

• Investigator feedback loop – detect similar known fraud and discount known false positives


Page 23: Oracle Identity Management 11g What's New in PS1

Oracle Entitlements Server 11g

Page 24: Oracle Identity Management 11g What's New in PS1

Oracle Entitlements Server 11g What’s New: Highlights

Next generation Oracle Entitlements Server! The authz engine for Oracle’s Fusion Middleware and packaged Applications

• Fine grained Authorization Anywhere

• For Java EE, Java SE, Web Services, and .NET applications

• Massively scalable with extreme performance

• Highly optimized & configurable caching

• Embedded & centralized PDP’s for both JSE & JEE environments

• New “headless” deployment mode

• Enterprise Authorization standards

• XACML, ABAC, Java2 / JAAS, NIST RBAC, Enterprise RBAC

• OpenAZ PEP, checkPermission, isAccessAllowed APIs

Oracle Entitlements Server

WebLogic Coherence

Oracle RDBMS

WebCenter Portal

Content Management

Enterprise Performance Management

SOA

Business Intelligence

Identity Management

Vertical Applications

Fusion Applications


Page 25: Oracle Identity Management 11g What's New in PS1

Oracle Entitlements Server 11g What’s New: Highlights

• New Admin Console
  • Rich JSF/ADF Faces based UI with desktop like capabilities
  • Completely declarative Policy Authoring
  • Extensible
• Enhanced Policy Model
  • Completely externalized ID store
  • Distributed inheritance across ID and Policy store
  • Code based policies
  • Structured Resource Catalog
  • Resource & Permission based policies
  • Hierarchical Policy Domains with Delegated Administration controls
  • Extended Role Catalog
• Oracle Platform Security Services
  • OES now the default OPSS authorization provider
  • OPSS services delivered with the OES PDP and available to applications


Page 26: Oracle Identity Management 11g What's New in PS1

Oracle Entitlements Server 11g What’s New: Highlights

• Native JDeveloper and ADF integration
  • Declarative, highly productive design time environment
  • JDeveloper wizards for policy authoring*
  • Automated population of the OES Resource Catalog
  • Automated packaging of security artifacts with the application
• E2E Lifecycle Management
  • Design, Develop, Package, Deploy, Test, Migrate, Monitor, Patch
  • Automated deployment of security artifacts
  • New & improved T2P migration, patch, upgrade tools
• Streamlined Install & Configuration
  • Aligned with FMW + IDM standards and processes
• And much more…


Page 27: Oracle Identity Management 11g What's New in PS1

Oracle ESSO Suite Plus 11g

Page 28: Oracle Identity Management 11g What's New in PS1

ESSO Suite Plus 11gR1 PS1

• Addition of Universal Authentication Manager to Suite
  • Strong Authentication for Network Logon leveraging existing devices
  • Biometrics
  • Prox Cards
  • Smart Cards
  • Simple easy to use interface
  • Seamless integration with Logon Manager for application access
• Logon Manager Enhancements
  • Silent Credential Capture for Windows, Web and Java application
  • Administrative Improvements
  • Simplified template creation and testing
  • Test facility in the Admin Console
  • Application Enablement and responses
  • Manage Multiple sets of credentials in a credential sharing group


Page 29: Oracle Identity Management 11g What's New in PS1

Oracle Identity Manager 11gR1

PS1

Page 30: Oracle Identity Management 11g What's New in PS1

Oracle Identity Manager 11gR1 PS1 Release Themes

• Lifecycle Management

• Server Migration from 9.x to 11gR1 PS1 and 11gR1 to PS1

• Connector Upgrade and Uninstall

• Object Deletion

• Supporting Complex Deployments

• Fine grained Access Policy Definition

• Bulk Attribute Updates Support

• Improvements to Access Policy Retrofit

Page 31: Oracle Identity Management 11g What's New in PS1

Oracle Identity Manager 11gR1 PS1 Making Deployments Easier

• Faster On-boarding

• Reconciliation post-Processing

• Username Generation

• Policy-based Password generation with notification

• Improved bulk load capabilities including role, role hierarchy and membership

• Capacity and Performance

• Improved archival and purge scripts

• Purge automation

Page 32: Oracle Identity Management 11g What's New in PS1

Oracle Identity Manager 11gR1 PS1 Continuing Innovation

• Compliance integration

• Configurable Request-based Role grants

• OOTB integration with OAACG and OIA for Role SoD

• Getting ready for the Cloud

• Identity Connector Framework-based Connectors

• Enhanced integration for key Connectors with more on the way

• Identity consolidation

• Improved LDAP Synchronization

• New certifications for 3rd party LDAP Servers

Page 33: Oracle Identity Management 11g What's New in PS1

Oracle Identity Manager 11g PS1 Key Release Themes

Lifecycle Management
• Upgrade from 9.x to 11gR1 PS1 and 11gR1 to 11gR1 PS1
• New Purge and Archival capabilities and Purge automation
• Enhanced bulk load capabilities
• Connector Upgrade

Supporting Complex Deployments
• Improved Access Policy Definition
• Identity Connector Framework-based Connectors
• Feature enhancements to Connectors
• Improved Reconciliation post-processing

Platform
• New certification of ODSEE and MS AD for LDAP ID Provider
• Upcoming WebSphere certification (as part of a WAS Porting release)


Page 34: Oracle Identity Management 11g What's New in PS1

Oracle Identity Analytics 11gR1

PS1

Page 35: Oracle Identity Management 11g What's New in PS1

Oracle Identity Analytics 11gR1 PS1 Release Themes

• Enterprise readiness

• Millions of Users & Multi-Level Entitlements

• Published Benchmarks

• Next generation certification experience

• Identity Risk Analytics

• Certification UI Enhancements


Page 36: Oracle Identity Management 11g What's New in PS1

OIA 11gR1 PS1 Certification Sign-off Experience

• Usability enhancements

• Tabular/Spreadsheet Format

• Sorting, Filtering & Searching on all Columns

• Present critical Information in Table Columns as opposed to “additional information” drill downs

• Quick access to specific users, roles, accounts & entitlements

• New Features

• New “Checkbox” Approach for Bulk Operations

• Transform “Reports to” into Delegation Feature

• Eliminate Mandatory “Works for me” into “Auto-Claim”

• Introduce User Level “% Completion” Status


Page 37: Oracle Identity Management 11g What's New in PS1

Oracle Identity Analytics 11g PS1 Risk-based Certifications

Identity Risk Analytics
• Based on Audit Violations, Last Certification Result and Provisioning Methods
• Risk Levels for users assigned roles, accounts & entitlements
• Risk Score = {Risk Level, Audit Violations, Last Certification and Provisioning Context}

Improved Certification User Interface
• Visual Risk Indicators
• Advanced Sorting/Filtering capabilities
• Focus on “What Matters Most”, but scale for 1000s of apps and millions of entitlements
• Quick access to specific users, roles, resources or entitlements

Risk-based Scoping Methodology
• Certification Creation based on Risk
• Risk-based filtering and risk-based sign-off methodology
• Customizable in accordance to business & compliance requirements


Page 38: Oracle Identity Management 11g What's New in PS1

Improved Integration with OIM

“Provisioned By” Risk Controls

• Reconciliation in OIM (orphan or rogue accounts)

• Direct assignment by Delegated Administrators

• Access Policy or Rule based assignment

• Approval Workflow and SLA information

Risk Monitoring & Configuration

• Accurately identify the origins of every role, account and entitlement assignment in the enterprise

• Sorting & Filtering based on configured Risk Levels for quicker attestation sign-off

• Integrated as part of Cert 360 view for all roles, accounts & entitlements

Intelligent & Actionable Decisions


Page 39: Oracle Identity Management 11g What's New in PS1

Oracle Identity Analytics 11g PS1

Feature Summary

Automated risk assignment and aggregation

Risk-based certification generation

Quick access to high-risk items during certification

Detailed Risk Analysis through Cert360

Quick toggle to lower-risk items

Easy searching through advanced search criteria

Bulk Operations for efficient sign-off

Delegation and auto-handling of self-certification

Risk-driven Certification User Experience


Page 40: Oracle Identity Management 11g What's New in PS1

40 Copyright © 2010, Oracle. All rights reserved

Page 41: Oracle Identity Management 11g What's New in PS1
