Oracle Identity Management 11g
What’s New in PS1
March 2011
This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
2 Copyright © 2011, Oracle. All rights reserved
Agenda
• IDM 11gR1 Overview
• What’s New in PS1
  • Release Themes
• Product updates
  • Release Themes
  • Key features & Use cases
  • Feature Summary
Oracle Identity Management
• Provisioning & Identity Administration
  • Roles-based User Provisioning
  • Password Management
  • Self Service Request & Approval
• Access Management
  • Authentication, SSO & Fraud Prevention
  • Authorization & Entitlements
  • Web Services Security
  • Information Rights Management
• Directory Services
  • LDAP Storage
  • Virtualized Identity Access
• Identity Analytics
  • Reporting, Attestation, SoD, Mining
• Platform Security Services
  • Identity Services for Developers
Core Principles
Suite Wide Integration
Hot-Pluggable
Service-Oriented Security
Entitlements Centric
Identity Management 11g Key Capabilities
• Oracle Identity Manager
  • Integrated self-service/request with BPEL workflow, extranet-ready identity administration, OES-based authz policies for delegation, ADF UI, tight integrations with all major Apps and GRC, native SSO and KBA through OAM/OAAM
• Oracle Access Manager
  • OSSO upgrades, session management, authz based on the OES kernel, true Java architecture, ADF UI, tight integrations with major Apps and FMW
• Adaptive Access Manager
  • Simplified security administration, One Time Passwords for secondary user challenges, system snapshots of security data
• Oracle Identity Analytics
  • Role mining, role and entitlement attestation & SoD, compliance dashboarding and charting, tight integration with OIM, Oracle Waveset and OAM
Oracle Identity Management Roadmap Timelines
(figure: release timeline; axis points July 2010, H1CY2011, H2CY2011, CY2012)
• 11gR1+ (July 2010): Identity Manager, Access Manager, Adaptive Access Manager, Authorization Policy Manager
• Hundred Day Release: Directory Server EE, Identity Analytics, Oracle Waveset, Oracle OpenSSO
• 11gR1+ PS1: Identity Manager, Identity Analytics, Access Manager, Security Token Service, Adaptive Access Manager, Entitlements Server
• PS1 Porting: IBM WebSphere Application Server
• 11gR1+ PS2: Identity Manager, Identity Analytics, Access Manager, Security Token Service, Adaptive Access Manager, Entitlements Server
IDM 11gR1 Patchset 1
IDM 11gR1 PS1 Themes
• Extensibility and developer enablement
• Interoperability
• 3rd party integrations
• Fusion Middleware, Fusion Apps support
IDM 11gR1 PS1 Release Objectives
• Upgrades, migrations, and coexistence
• Simplified install, configuration, deployment
• More integrations delivered out-of-the-box
• Functional innovations and enhancements
Oracle Access Manager 11gR1 Patchset 1
Oracle Access Manager 11gR1 PS1 Release Themes
• Integrated Security Token Services
• OAM server extensibility
• SDK-based application integration
• Functional enhancements
• Improved Session Management
• Extranet SSO
OAM 11gR1 PS1 Integrated Security Token Services
• Integrated suite of access and security token services
• Enable all services to get the integrated capabilities
• Disable services to run in standalone mode or to integrate with analogous 3rd party services
OAM 11gR1 PS1 Security Token Service Overview
• WS-Trust token service
  • Validates and issues security tokens
  • Policy-driven token issuance as an identity propagation control
• Standard token support
  • Username, X.509, Kerberos, SAML 1.x, SAML 2.0, OAM
• Oracle platform integration
  • Deployed on a WebLogic managed server
  • Integrated with Oracle Access Manager to support OAM token propagation
  • OWSM integration for WS-Security and WS-Policy
  • Enterprise Manager based monitoring
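The token exchange the overview describes, as an added illustration that is not Oracle's STS code: a client sends a WS-Trust Issue request carrying a username token for a target service, the STS validates it, checks a per-relying-party issuance policy before deciding which token type it will hand out, and the target service accepts only a token scoped to itself. The WS-Trust and WS-Security namespace URIs are the real ones; the credential store, the issuance policy table, the target addresses and the HMAC used in place of an XML signature are assumptions made for the example.

```python
"""WS-Trust Issue exchange with policy-driven token issuance (added example,
not Oracle STS code). The STS validates the inbound token, consults a
per-relying-party policy before deciding which token type to issue, and the
relying party accepts only tokens scoped to itself. Namespaces are the real
WS-Trust/WS-Security ones; the store, the policy table and the HMAC standing
in for XML-DSig are constructed."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ISSUE = WST + "/Issue"
USERNAME_TOKEN = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

CREDENTIALS = {"alice": "correct horse battery staple"}   # constructed identity store
# Constructed issuance policy per relying party (the AppliesTo address): which
# inbound token types the STS validates for it and which token types it may issue.
ISSUANCE_POLICY = {
    "https://orders.example.com/ws": {"accept": {USERNAME_TOKEN}, "issue": {SAML2_TOKEN}},
    "https://hr.example.com/ws": {"accept": set(), "issue": set()},   # nothing propagates here
}
STS_KEY = b"constructed-sts-signing-key"   # shared for the demo; a real STS signs with a private key

def q(ns, tag):
    return "{%s}%s" % (ns, tag)

def build_rst(username, password, applies_to, token_type=SAML2_TOKEN):
    """Client side: RequestSecurityToken carrying the credential to validate."""
    rst = ET.Element(q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = ISSUE
    ET.SubElement(rst, q(WST, "TokenType")).text = token_type
    epr = ET.SubElement(ET.SubElement(rst, q(WSP, "AppliesTo")), q(WSA, "EndpointReference"))
    ET.SubElement(epr, q(WSA, "Address")).text = applies_to
    ut = ET.SubElement(ET.SubElement(rst, q(WST, "OnBehalfOf")), q(WSSE, "UsernameToken"))
    ET.SubElement(ut, q(WSSE, "Username")).text = username
    ET.SubElement(ut, q(WSSE, "Password")).text = password
    return ET.tostring(rst, encoding="unicode")

def fault(code):
    """Simplified SOAP fault carrying a WS-Trust fault code."""
    f = ET.Element("Fault")
    ET.SubElement(f, "Code").text = "wst:" + code
    return ET.tostring(f, encoding="unicode")

def sts_issue(rst_xml):
    """STS side: validate the inbound token, apply the issuance policy, issue or fault."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext(q(WST, "RequestType")) != ISSUE:
        return fault("InvalidRequest")
    wanted = rst.findtext(q(WST, "TokenType"))
    applies_to = rst.findtext("/".join([q(WSP, "AppliesTo"), q(WSA, "EndpointReference"), q(WSA, "Address")]))
    policy = ISSUANCE_POLICY.get(applies_to)
    if policy is None or wanted not in policy["issue"]:
        return fault("InvalidRequest")             # this relying party may not receive that token type
    ut = rst.find("/".join([q(WST, "OnBehalfOf"), q(WSSE, "UsernameToken")]))
    if ut is None or USERNAME_TOKEN not in policy["accept"]:
        return fault("FailedAuthentication")
    user = ut.findtext(q(WSSE, "Username")) or ""
    presented = (ut.findtext(q(WSSE, "Password")) or "").encode()
    if not hmac.compare_digest(CREDENTIALS.get(user, "").encode(), presented):
        return fault("FailedAuthentication")       # same fault for unknown user and wrong password
    return build_rstr(user, applies_to, wanted)

def build_rstr(subject, audience, token_type):
    """RequestSecurityTokenResponse with a simplified assertion: signed text 'subject|audience|nonce'."""
    rstr = ET.Element(q(WST, "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q(WST, "TokenType")).text = token_type
    tok = ET.SubElement(ET.SubElement(rstr, q(WST, "RequestedSecurityToken")), "Assertion")
    tok.text = "|".join([subject, audience, secrets.token_hex(8)])
    tok.set("Signature", hmac.new(STS_KEY, tok.text.encode(), hashlib.sha256).hexdigest())
    return ET.tostring(rstr, encoding="unicode")

def relying_party_accepts(rstr_xml, my_address):
    """Relying party: accept only an STS-signed assertion whose audience is itself."""
    tok = ET.fromstring(rstr_xml).find(q(WST, "RequestedSecurityToken") + "/Assertion")
    if tok is None:
        return False
    expected = hmac.new(STS_KEY, (tok.text or "").encode(), hashlib.sha256).hexdigest()
    parts = (tok.text or "").split("|")
    return hmac.compare_digest(expected, tok.get("Signature", "")) and len(parts) == 3 and parts[1] == my_address

def outcome(response_xml):
    """('issued', token_type) or ('fault', code), for callers and tests."""
    root = ET.fromstring(response_xml)
    if root.tag == "Fault":
        return "fault", root.findtext("Code")
    return "issued", root.findtext(q(WST, "TokenType"))
```

The policy lookup runs before the credential check on purpose: a relying party that is not entitled to any propagated identity gets wst:InvalidRequest without the STS touching the credential at all, and an unknown user and a wrong password produce the same wst:FailedAuthentication. On the consuming side the audience is taken from the signed text, not from an unsigned attribute, so a token issued for one service cannot be replayed to another.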
OAM 11gR1 PS1 Server Extensibility
15 Oracle Restricted and Confidential
• Pre/Post Authentication Plug-ins
• Custom Authentication modules
• Plug-in orchestration
(figure: the Oracle Access Manager authentication engine with its extensibility framework)
OAM 11gR1 PS1 SDK-based integration
(figure: web applications integrating with Oracle Access Manager through either the 10g native ASDK or the 11g Java ASDK)
OAM 11gR1 PS1 Feature Summary
• Extensibility Framework
  • Enable extensibility in OAM servers to support custom authentication plug-ins
  • Include plug-in orchestration to form complex authentication flows defined for custom authentication schemes
• Pure Java ASDK
  • Provide a pure Java ASDK that is platform independent
  • The Java ASDK will include some session management calls
• Session Management Engine enhancement
  • Wildcard in username search
• Impersonation support
  • Allows impersonation of users for help desk support
• Agent-side decision caching
  • Webgate support for decision caching
• Exclusion list support
  • Provide policy elements to define resources that are excluded from policy evaluation altogether (such resources get no authentication or session check, so the list should hold only genuinely public content)
• Oracle STS integration
  • Unified user interface with OSTS
  • OOTB co-installation and deployment of OAM and OSTS
OAAM 11gR1 Patchset 1
Adaptive Access Manager 11gR1 PS1 Release Themes
• Enhance Fraud Detection and Investigation
• Support Asynchronous Use Cases
• Further Simplify Deployment
• Mobile Extensibility
OAAM 11gR1 PS1 Key Capabilities
• Predictive Risk Analytics
  • Identifies statistical anomalies
  • Learns from investigator feedback
  • Extensible custom modeling
• Security/Compliance Investigation Tools
  • Forensic analysis of alerts
  • Rich data relationship views
  • Intuitive white/black listing workflow
  • Mark confirmed fraud and false positives
OAAM 11gR1 PS1 Innovation
• Simplified OTP Anywhere deployment
  • Bundled UMS client libraries
  • OOTB OTP challenge processors
  • OTP API for native integration
• Open Device ID Framework
  • Implement client-based device ID
  • Pull device data from a service into OAAM
• Task Scheduler
  • Batch risk analysis on multiple data sources
  • Automates some DB maintenance processes
• Simplified admin user experience
Predictive Risk Analysis
• Anomaly detection: find unknown fraud
• Investigator feedback loop: detect similar known fraud and discount known false positives
Oracle Entitlements Server 11g
Oracle Entitlements Server 11g What’s New: Highlights
Next generation Oracle Entitlements Server: the authz engine for Oracle’s Fusion Middleware and packaged applications
• Fine-grained authorization anywhere
  • For Java EE, Java SE, Web Services, and .NET applications
• Massively scalable with extreme performance
  • Highly optimized and configurable caching
  • Embedded and centralized PDPs for both JSE and JEE environments
  • New “headless” deployment mode
• Enterprise authorization standards
  • XACML, ABAC, Java2 / JAAS, NIST RBAC, Enterprise RBAC
  • OpenAZ PEP, checkPermission, isAccessAllowed APIs
(figure: Oracle Entitlements Server as the shared authorization engine for WebLogic, Coherence, Oracle RDBMS, WebCenter Portal, Content Management, Enterprise Performance Management, SOA, Business Intelligence, Identity Management, vertical applications and Fusion Applications)
Oracle Entitlements Server 11g What’s New: Highlights
• New Admin Console
  • Rich JSF/ADF Faces based UI with desktop-like capabilities
  • Completely declarative policy authoring
  • Extensible
• Enhanced Policy Model
  • Completely externalized ID store
  • Distributed inheritance across ID and policy store
  • Code-based policies
  • Structured resource catalog
  • Resource- and permission-based policies
  • Hierarchical policy domains with delegated administration controls
  • Extended role catalog
• Oracle Platform Security Services
  • OES is now the default OPSS authorization provider
  • OPSS services delivered with the OES PDP and available to applications
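How the pieces listed in the two highlight slides combine at decision time, as an added illustration that is not OES or OpenAZ code: a resource catalog addressed by hierarchical paths, application roles that inherit through a hierarchy, permission-based grant and deny policies on a resource subtree, an ABAC condition over request attributes, and an isAccessAllowed-style query that is deny-by-default with deny overriding grant. The application, roles, resource paths and policies are assumptions made for the example.

```python
"""Deny-by-default policy decision point in the style the OES slides describe
(added illustration, not OES or OpenAZ code). Combines a hierarchical resource
catalog, role inheritance, permission-based grant/deny policies on a resource
subtree, an ABAC condition and deny-overrides combining. All data constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Policy:
    name: str
    principals: FrozenSet[str]      # user names or role names
    resource: str                   # catalog node; the policy covers it and its subtree
    actions: FrozenSet[str]
    effect: str = "GRANT"           # or "DENY"
    condition: Optional[Callable[[Dict[str, object]], bool]] = None   # ABAC predicate

@dataclass
class PolicyDomain:
    name: str
    role_hierarchy: Dict[str, Set[str]] = field(default_factory=dict)  # senior role -> junior roles it inherits
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    policies: List[Policy] = field(default_factory=list)

def in_subtree(node: str, resource: str) -> bool:
    """Segment-aware match: '/orders/eu' covers '/orders/eu/42' but not '/orders/europe'."""
    return resource == node or resource.startswith(node.rstrip("/") + "/")

def effective_roles(domain: PolicyDomain, user: str) -> Set[str]:
    """Assigned roles plus every role reachable through the hierarchy (cycle-safe)."""
    roles: Set[str] = set()
    stack = list(domain.user_roles.get(user, ()))
    while stack:
        r = stack.pop()
        if r not in roles:
            roles.add(r)
            stack.extend(domain.role_hierarchy.get(r, ()))
    return roles

def decide(domain: PolicyDomain, user: str, resource: str, action: str,
           attrs: Optional[Dict[str, object]] = None) -> Tuple[bool, List[str]]:
    """Returns (allowed, names of the policies that applied): deny overrides, default deny."""
    attrs = attrs or {}
    principals = {user} | effective_roles(domain, user)
    applicable = [p for p in domain.policies
                  if p.principals & principals
                  and action in p.actions
                  and in_subtree(p.resource, resource)
                  and (p.condition is None or bool(p.condition(attrs)))]
    names = [p.name for p in applicable]
    if any(p.effect == "DENY" for p in applicable):
        return False, names
    return any(p.effect == "GRANT" for p in applicable), names

def is_access_allowed(domain, user, resource, action, attrs=None) -> bool:
    return decide(domain, user, resource, action, attrs)[0]

def approval_limit(attrs: Dict[str, object]) -> bool:
    """ABAC condition: a missing or non-numeric amount must not satisfy it."""
    try:
        return float(attrs["amount"]) <= 10000
    except (KeyError, TypeError, ValueError):
        return False

ORDERS = PolicyDomain(   # constructed application, roles and policies
    name="OrdersApp",
    role_hierarchy={"OrderManager": {"OrderClerk"}},           # managers inherit clerk grants
    user_roles={"alice": {"OrderClerk"}, "bob": {"OrderManager"}, "eve": set()},
    policies=[
        Policy("clerks-view", frozenset({"OrderClerk"}), "/orders", frozenset({"view"})),
        Policy("managers-approve", frozenset({"OrderManager"}), "/orders",
               frozenset({"approve"}), condition=approval_limit),
        Policy("restricted-no-clerks", frozenset({"OrderClerk"}), "/orders/eu/restricted",
               frozenset({"view"}), effect="DENY"),
    ],
)
```

Two choices here are the ones that go wrong most often in home-grown PEPs: the subtree match is segment-aware, so a policy on `/orders` cannot accidentally cover `/ordersx`, and the ABAC condition fails closed when the attribute it needs is absent or malformed. `decide` also returns the names of the policies that fired, which is what an administrator of a delegated policy domain needs to explain a decision.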
Oracle Entitlements Server 11g What’s New: Highlights
• Native JDeveloper and ADF integration
  • Declarative, highly productive design-time environment
  • JDeveloper wizards for policy authoring*
  • Automated population of the OES resource catalog
  • Automated packaging of security artifacts with the application
• E2E Lifecycle Management
  • Design, Develop, Package, Deploy, Test, Migrate, Monitor, Patch
  • Automated deployment of security artifacts
  • New & improved T2P migration, patch and upgrade tools
• Streamlined Install & Configuration
  • Aligned with FMW and IDM standards and processes
• And much more…
Oracle ESSO Suite Plus 11g
ESSO Suite Plus 11gR1 PS1
• Addition of Universal Authentication Manager to the Suite
  • Strong authentication for network logon leveraging existing devices
    • Biometrics
    • Prox cards
    • Smart cards
  • Simple, easy to use interface
  • Seamless integration with Logon Manager for application access
• Logon Manager enhancements
  • Silent credential capture for Windows, Web and Java applications
  • Administrative improvements
    • Simplified template creation and testing
    • Test facility in the Admin Console
    • Application enablement and responses
  • Manage multiple sets of credentials in a credential sharing group
Oracle Identity Manager 11gR1 PS1
Oracle Identity Manager 11gR1 PS1 Release Themes
Oracle Identity Manager 11gR1 PS1 Making Deployments Easier
• Lifecycle Management
  • Server migration from 9.x to 11gR1 PS1 and from 11gR1 to PS1
  • Connector upgrade and uninstall
  • Object deletion
• Supporting Complex Deployments
  • Fine-grained access policy definition
  • Bulk attribute update support
  • Improvements to access policy retrofit
Oracle Identity Manager 11gR1 PS1 Continuing Innovation
• Faster On-boarding
  • Reconciliation post-processing
  • Username generation
  • Policy-based password generation with notification
  • Improved bulk load capabilities including role, role hierarchy and membership
• Capacity and Performance
  • Improved archival and purge scripts
  • Purge automation
• Compliance integration
  • Configurable request-based role grants
  • OOTB integration with OAACG and OIA for role SoD
• Getting ready for the Cloud
  • Identity Connector Framework-based connectors
  • Enhanced integration for key connectors, with more on the way
• Identity consolidation
  • Improved LDAP synchronization
  • New certifications for 3rd party LDAP servers
Oracle Identity Manager 11g PS1 Key Release Themes
• Lifecycle Management
  • Upgrade from 9.x to 11gR1 PS1 and from 11gR1 to 11gR1 PS1
  • New purge and archival capabilities and purge automation
  • Enhanced bulk load capabilities
  • Connector upgrade
• Supporting Complex Deployments
  • Improved access policy definition
  • Identity Connector Framework-based connectors
  • Feature enhancements to connectors
  • Improved reconciliation post-processing
• Platform
  • New certification of ODSEE and MS AD as LDAP identity provider
  • Upcoming WebSphere certification (as part of a WAS porting release)
Oracle Identity Analytics 11gR1 PS1
Oracle Identity Analytics 11gR1 PS1 Release Themes
• Enterprise readiness
• Millions of Users & Multi-Level Entitlements
• Published Benchmarks
• Next generation certification experience
• Identity Risk Analytics
• Certification UI Enhancements
OIA 11gR1 PS1 Certification Sign-off Experience
• Usability enhancements
  • Tabular/spreadsheet format
  • Sorting, filtering & searching on all columns
  • Present critical information in table columns rather than in “additional information” drill-downs
  • Quick access to specific users, roles, accounts & entitlements
• New features
  • New “checkbox” approach for bulk operations
  • Transform “Reports to” into a delegation feature
  • Replace the mandatory “Works for me” step with “Auto-Claim”
  • Introduce a user-level “% Completion” status
Oracle Identity Analytics 11g PS1 Risk-based Certifications
• Identity Risk Analytics
  • Based on audit violations, last certification result and provisioning method
  • Risk levels for users’ assigned roles, accounts & entitlements
  • Risk Score = {Risk Level, Audit Violations, Last Certification and Provisioning Context}
• Improved Certification User Interface
  • Visual risk indicators
  • Advanced sorting/filtering capabilities
  • Focus on “what matters most”, but scale to 1000s of apps and millions of entitlements
  • Quick access to specific users, roles, resources or entitlements
• Risk-based Scoping Methodology
  • Certification creation based on risk
  • Risk-based filtering and risk-based sign-off methodology
  • Customizable in accordance with business & compliance requirements
Improved Integration with OIM: “Provisioned By” Risk Controls
• Risk Monitoring & Configuration
  • Reconciliation in OIM (orphan or rogue accounts)
  • Direct assignment by delegated administrators
  • Access policy or rule-based assignment
  • Approval workflow and SLA information
• Intelligent & Actionable Decisions
  • Accurately identify the origin of every role, account and entitlement assignment in the enterprise
  • Sorting & filtering based on configured risk levels for quicker attestation sign-off
  • Integrated as part of the Cert 360 view for all roles, accounts & entitlements
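How the inputs named in the risk-based certification slide and the “Provisioned By” slide can combine into a score and drive certification scoping, as an added example that is not OIA’s scoring logic: each item’s risk is built from its risk level, open audit violations, last certification result and provisioning context, the “Provisioned By” origin weighted so that reconciled orphan accounts outrank workflow-approved grants, scores roll up per user, and only items above a threshold enter the campaign, highest risk first with the dominant factor beside each. The weights, thresholds and access data are assumptions made for the example.

```python
"""Risk scoring and risk-based certification scoping (added example, not
OIA's scoring code). Inputs are the ones the slides name: risk level, audit
violations, last certification result and provisioning context. Weights,
thresholds and access data are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Provisioning context, weighted by how little accountability it carries (constructed).
PROVISIONED_BY_WEIGHT = {
    "reconciliation": 40,     # found on the target with no request record: orphan/rogue
    "direct_admin": 25,       # hand-assigned by a delegated administrator
    "access_policy": 10,      # rule-based, traceable to a policy
    "approval_workflow": 0,   # requested, approved, SLA recorded
}
RISK_LEVEL_WEIGHT = {"low": 0, "medium": 20, "high": 40}
LAST_CERT_WEIGHT = {"certified": 0, "never": 15, "revoked": 30}
VIOLATION_WEIGHT = 10         # per open audit violation, capped at three

@dataclass
class AccessItem:
    user: str
    kind: str             # "role" | "account" | "entitlement"
    name: str
    risk_level: str
    violations: int
    last_cert: str
    provisioned_by: str

def factors(item: AccessItem) -> Dict[str, int]:
    return {
        "risk_level": RISK_LEVEL_WEIGHT[item.risk_level],
        "violations": min(item.violations, 3) * VIOLATION_WEIGHT,
        "last_cert": LAST_CERT_WEIGHT[item.last_cert],
        "provisioned_by": PROVISIONED_BY_WEIGHT[item.provisioned_by],
    }

def item_risk(item: AccessItem) -> int:
    """0..100 score from the four inputs the slide lists."""
    return min(100, sum(factors(item).values()))

def dominant_factor(item: AccessItem) -> str:
    """Which input contributes most: the reviewer's first question ("why is this here?")."""
    f = factors(item)
    return max(f, key=f.get)   # dict order breaks ties: earliest-listed factor wins

def user_risk(items: List[AccessItem]) -> int:
    """Roll-up: worst item, nudged up for every additional item scoring 50 or more."""
    scores = sorted((item_risk(i) for i in items), reverse=True)
    if not scores:
        return 0
    return min(100, scores[0] + 5 * sum(1 for s in scores[1:] if s >= 50))

def scope_certification(items: List[AccessItem], threshold: int = 50) -> List[Dict[str, object]]:
    """Risk-based scoping: only items at or above threshold, highest risk first."""
    rows = [{"user": i.user, "kind": i.kind, "name": i.name,
             "score": item_risk(i), "why": dominant_factor(i)}
            for i in items if item_risk(i) >= threshold]
    return sorted(rows, key=lambda r: (-r["score"], r["user"], r["name"]))

def by_user(items: List[AccessItem]) -> Dict[str, int]:
    users = sorted({i.user for i in items})
    return {u: user_risk([i for i in items if i.user == u]) for u in users}

SAMPLE = [  # constructed access data
    AccessItem("alice", "account", "sap-prod", "medium", 1, "never", "reconciliation"),
    AccessItem("alice", "role", "AP Clerk", "medium", 0, "certified", "approval_workflow"),
    AccessItem("bob", "entitlement", "AD: Domain Admins", "high", 0, "certified", "direct_admin"),
    AccessItem("bob", "role", "Employee", "low", 0, "certified", "access_policy"),
    AccessItem("carol", "entitlement", "Payroll: approve", "medium", 2, "revoked", "reconciliation"),
]
```

The point of carrying the dominant factor into the campaign row is the one the slide makes about origins: a reviewer who sees that an account scored high because it was reconciled with no request record asks a different question than one who sees a high-risk entitlement that went through approval, and the two should not be signed off with the same reflex.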
Oracle Identity Analytics 11g PS1 Feature Summary
Risk-driven Certification User Experience
• Automated risk assignment and aggregation
• Risk-based certification generation
• Quick access to high-risk items during certification
• Detailed risk analysis through Cert360
• Quick toggle to lower-risk items
• Easy searching through advanced search criteria
• Bulk operations for efficient sign-off
• Delegation and auto-handling of self-certification
40 Copyright © 2010, Oracle. All rights reserved