Identity Management

With the proliferation of applications and application users, the computing industry has recognized the need for a way to manage the user-application relationship. Creating user accounts, resetting passwords, and assigning application privileges consumes an enormous amount of administrative cycles. With so many applications and users, the job of managing all the accounts can be onerous.

To relieve this challenge, identity management solutions are being developed and deployed. Identity management (IM) provides complete services for the administration of users within an organization. IM offers the ability to create users, manage their authentication credentials (passwords and digital certificates), assign privileges and authorizations, and suspend or delete user accounts. IM is the complete ability to do everything that is needed with regard to managing user accounts.

IM is becoming increasingly important today because many organizations are feeling the stress of implementing numerous applications for numerous users. IM allows centralized administration for user management tasks and provides the single source of truth for the enterprise applications that need access to user authorizations and other credentials.

Centralization is the critical factor to providing the benefits. When the user credentials are centralized, the user only has to be created once. Any modifications, including account deletions, will be handled once. All applications will be referencing the same user, which alleviates any inconsistencies that typically are associated with redundant user information.

For example, the user password is stored once and will be the same authenticator for every application that participates in the IM implementation. Because users can generally remember a single password better than multiple passwords, they’re less likely to write their passwords on paper and leave it by their computer. If the user’s password has to be reset or changed, it can be done once for all applications. Authorizations and other data about the user will also be consistent across the enterprise.

IM reduces administration tasks, increases overall usability, and provides better security.

Directory Services

In efforts to solve the IM challenges, the industry has gravitated to the use of directories as the single point of storage and access for information about their employees and application users. The first digital directories were built to handle the management of e-mail addresses. The value of a digital directory was quickly realized, and a standard—ISO X.500—was developed to allow any application access to the directory. The ISO X.500 standard defines a standard protocol and a hierarchical categorization of data, giving applications a consistent and well-defined method for accessing information. ISO X.500 was comprehensive, but it was also considered too complex to be practical for many implementations.

The LDAP (Lightweight Directory Access Protocol) standard was subsequently developed by the University of Michigan as a practical alternative to X.500. LDAP provides much of the same functionality as X.500 but without all the complexity and overhead. LDAP Version 3 is the current industry-wide directory standard.

The concept of a directory is congruent with the role it serves in IM. That is, it provides the common user information that is needed by applications throughout the enterprise. It’s common to use directories as the information providers for many of an organization’s entities. Physical devices and available services such as locations of servers, network routers, and printers can also be stored in a directory. Applications and users then have a single place to reference when they need this information.

A common use of LDAP directories today is to provide publicly available user information, such as office phone numbers and e-mail addresses. Many commercially available e-mail programs allow you to configure an LDAP server to look up other users’ e-mail addresses. The e-mail program can log on to the LDAP directory anonymously and conduct searches. Most of this happens transparently to the e-mail user. This works because the directory is built on a standard protocol.

From a security perspective, directories are becoming the de facto authentication engines for enterprise applications. User passwords are centrally stored in the directory, along with the other user information, which provides a single place and process for authenticating application users.
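As an added example (not code from the book), the two directory interactions just described, the anonymous bind and search an e-mail client issues to look up a colleague's address, and the password bind an application uses to authenticate a user against the directory, encoded as LDAPv3 (RFC 4511) protocol messages with only the Python standard library. The DNs, attribute values and server reply are constructed; a real client would send these bytes over a TLS-protected connection to the directory.

```python
"""Minimal BER encoder for the LDAPv3 bind/search exchange (constructed example)."""


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_int(v: int, tag: int = 0x02) -> bytes:
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0A), two's-complement body."""
    return ber(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_str(s: str, tag: int = 0x04) -> bytes:
    """OCTET STRING carrying UTF-8 text (LDAPDN, attribute names, values)."""
    return ber(tag, s.encode("utf-8"))


def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, simple [0] }.
    Empty dn and password is the anonymous bind an e-mail client uses for lookups;
    a user DN plus password is how an application authenticates that user."""
    body = ber_int(3) + ber_str(dn) + ber(0x80, password.encode("utf-8"))
    return ber(0x30, ber_int(msg_id) + ber(0x60, body))


def search_request(msg_id: int, base_dn: str, attr: str, value: str, attrs: list) -> bytes:
    """SearchRequest ::= [APPLICATION 3] SEQUENCE { baseObject, scope (2 = subtree),
    derefAliases (0), sizeLimit, timeLimit, typesOnly, filter, attributes }.
    The filter is equalityMatch [3] { attributeDesc, assertionValue }; because the
    value travels as its own OCTET STRING, no string-level filter escaping is needed."""
    flt = ber(0xA3, ber_str(attr) + ber_str(value))
    wanted = ber(0x30, b"".join(ber_str(a) for a in attrs))
    body = (ber_str(base_dn) + ber_int(2, 0x0A) + ber_int(0, 0x0A) + ber_int(0)
            + ber_int(0) + ber(0x01, b"\x00") + flt + wanted)
    return ber(0x30, ber_int(msg_id) + ber(0x63, body))


def bind_result_code(resp: bytes) -> int:
    """Extract resultCode from a BindResponse [APPLICATION 1] (0 = success,
    49 = invalidCredentials). Assumes the short-form lengths and one-byte messageID
    a normal bind reply uses; anything else is rejected rather than guessed."""
    if resp[0] != 0x30 or resp[2:4] != b"\x02\x01" or resp[5] != 0x61 or resp[7:9] != b"\x0A\x01":
        raise ValueError("not a simple BindResponse")
    return resp[9]
```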

IM Components

The directory is one piece of the identity management infrastructure. Other components, which provide the services or capabilities needed to actually manage the identity information, are also required. The Oracle IM infrastructure consists of these components:

  • Oracle Internet Directory This is an LDAP-compliant directory that allows storage and retrieval of information about the various entities (users, applications, groups, privileges, and so on) that wish to participate in IM. This is discussed in more detail in the section “Oracle Internet Directory (OiD)” later in this chapter.

  • Oracle Delegated Administration Services These are the services needed to support IM functions, such as creating users, assigning privileges to users, and deleting users. The administration duties can be distributed, or delegated, to multiple administrators within an organization. A self-service capability is also provided, which allows users to change their passwords and update other personal information.

  • OracleAS Single Sign-On This is a single sign-on solution for web applications.

  • OracleAS Certificate Authority This offers the services required for creating, distributing, and revoking user and server Public Key Infrastructure credentials (digital certificates).

  • Oracle Directory Integration Service This provides infrastructure and APIs for integrating and synchronizing information in the Oracle Internet Directory with other sources, such as HR applications and other directories. These services are generally integrated into the user management features so that changes to user accounts are automatically synchronized.

Discussing all the IM components in detail is beyond the scope of this book. They are referenced because it’s helpful in understanding how Oracle EUS works with respect to the other Oracle products and technologies. Further information on each of these components can be found in the Oracle Application Server 10g Security Guide.

Oracle’s IM is primarily constructed to support the Oracle Application Server 10g. The database, however, is also an indirect participant in the IM scheme. You’ll see how this relationship exists and why it’s important in deploying effective security as you read the upcoming sections.

Oracle Internet Directory (OiD)

Oracle, recognizing the value of centralizing information as well as the value of the LDAP standard, built its own LDAP server, the Oracle Internet Directory (OiD), which is at the heart of Oracle’s IM solution.

The IM components—an administration service, a digital certificate authority, a single sign-on server, and an integration service—all use OiD as the reference and storage engine. OiD also allows Oracle databases to operate in a similar manner to that of other LDAP clients. That is, the database supports LDAP as a mechanism for centralizing user authentication and authorization functions.

OiD is an implementation of the LDAP Version 3 standard that uses an Oracle database for storage and retrieval of the directory data. To fulfill its LDAP duties, OiD utilizes several operating system processes to translate client requests from the standard LDAP format to SQL queries in the database. This translation is hidden; applications interact with the directory only via the standard LDAP protocols. OiD includes software development kits (SDKs) for Java, C, and PL/SQL programs. The database structure is proprietary, and direct access to it is unsupported.

Oracle chose to build its LDAP implementation on the database so it could leverage the already proven benefits that accompany an Oracle database, such as portability, high availability, and scalability—all of which are requirements for a centralized directory server.



Effective Oracle Database 10g Security by Design
ISBN: 0072231300
Year: 2003
Pages: 111