by Deborah Volk on December 24th, 2009

There was a jolly man named St. Nick
Who didn't know which IDM stack to pick
By the yule log
He read our blog
That well-rounded cheeky man named St. Nick

Happy Holidays!

by Deborah Volk on October 21st, 2009

More coverage of Oracle IAM 11g suite based on OpenWorld sessions. If Oracle Identity Manager 11g is an evolutionary step and Oracle Identity Analytics 11g is fresh air then OAM 11g is a shot heard round the world. Changes, they're a comin'.

The current release of Oracle Access Manager is based on the 2005 acquisition of Oblix. The Oblix product is written in C++ and is comprised of a number of independent components that all function, well, independently! In the late 90s-early 00s world of enterprise applications where CORBA was still considered a viable deployment option, J2EE was learning how to walk and .NET was yearning for acceptance, apps that could run on a particular platform without a container were still popular. Today, container-less apps are certainly still around but they're not a frequent occurrence in the enterprise landscape. Recognizing that the internal architecture of OAM was getting long in the tooth and chanting its Weblogic uber alles mantra, Oracle transmogrified Oracle Access Manager into a J2EE app.
I didn't ask whether 11g was a rewrite from scratch or a port of C++ codebase to Java; if I had to guess, I'd say the latter. Regardless of how the guts were engineered, the access management UI in 11g reflects the same asset taxonomy as the current 10g release. There are webgates, resources, resource types, host identifiers, policy domains (renamed to application domains), authentication and authorization schemes, and so on. Conceptually, the OAM policy universe and (broadly speaking) its access management pieces are still in place. The identity side of OAM is no longer there, it's been subsumed by OIM. No more Identity Server, funky workflow applets, IdentityXML interface and other identity-related stuff in OAM. Poof! (There are backward compatibility options available, see the end of this blog). Now OIM and OAM are clearly and cleanly separated, there's no longer any sizeable overlap between two products. Identity Administration is in the top drawer (OIM), Access Management is in the bottom drawer (OAM). (Why does OIM get the top drawer? This must be my subconscious speaking).

Being a J2EE app gives OAM a number of immediate advantages, the first and foremost being the ability to reuse a large swath of Oracle J2EE tech. The distributed cache housing stateful sessions is courtesy Coherence (ex-Tangosol), the UI is based on Oracle's Application Development Framework (ADF), the app server is obviously Weblogic with rock-solid J2EE app hosting/management features. When you align your products with your platform strategy, not only technology can be reused at a product level but a lot of development effort can be cross-sourced and shared. This goes for both internal Oracle development effort as well as effort expended by customers when customizing Oracle products. The knowledge gained when learning how to customize UI via ADF in OIM should carry over to OAM and to other Oracle products. Same goes for Weblogic and other pieces. Wunderbar!
Aside from JEEification of OAM, there have been a number of other significant changes and enhancements in 11g:
LDAP scoped to authN scheme is a nice enhancement, it allows for authentication against different directories, e.g. internal users against Active Directory and external users against, say, Oracle Internet Directory (OID). It's worth noting that segmenting user population and authenticating these segments against different directories is possible in OAM 10g with Oracle Virtual Directory (OVD). In general, we recommend that OVD is deployed alongside OAM. OVD is an elegant solution for a number of issues having to do with heterogeneous identity stores (directories, databases, Toys R Us) and by using OVD you automatically become part of the COOL crowd.
Agents are an interesting story. As y'all know, today Oracle ships two identity management stacks - a legacy stack based on Oracle App Server and the "current" stack with OIM, OAM et al. In the legacy stack, web SSO is engineered in a manner somewhat similar to OAM in that there's a front-end component that plugs into the web server and intercepts requests. In the legacy stack the web server is Oracle HTTP Server (OHS) that is based on Apache. Apache plugins are called modules and prefixed with mod, thus mod_osso. Despite being a few generations behind the curve, the legacy stack features prominently in one area: as an SSO solution for Oracle's e-Business Suite (aka Oracle ERP). Even though one can deploy OAM together with legacy SSO (OSSO) and hide OSSO behind OAM, you still need OSSO underneath the hood. Oracle ERP isn't the only product where OSSO is deployed, there are others but ERP deployments with OSSO is where the impact will be the greatest.

In 11g, Oracle wants to (finally!) kill the legacy identity management solution. If this was done as a straightforward hatchet job (no more mod_osso, migrate or die), Oracle ERP customers with OSSO would have screamed so there is a soft landing. OAM 11g will support three types of agents that intercept requests and forward them onto OAM for access decisions: "traditional" access gates (a webgate is a pre-fabricated access gate) from OAM 10g, same from 11g and mod_osso.

Sessions are now stateful. This is a huge change which has tremendous performance repercussions. When OAM starts an SSO session on the user's behalf, it will keep track of the conversational state between OAM and the user, i.e. there will be a concrete chunk of memory on the server that knows about you. Stateful sessions are highly problematic when it comes to scaling an application to higher transaction volumes. Oracle's solution to scaling with stateful sessions is embedding Coherence into OAM, an industrial strength distributed cache acquired from Tangosol. One of Identigral's partners spent part of his misbegotten youth working with various caches and he says Coherence as a session cache can certainly handle just about any kind of load but tuning the distributed cache is akin to black magic. (I must mention that Identigral has certified black magic experts. We know voodoo!) .

One benefit of stateful sessions is that use cases such as "login is allowed only from a single location" (think Yahoo Messenger) or "maximum number of concurrent sessions" can be implemented out of the box. The long-term vision for stateful sessions is to allow the session to be exposed to other Oracle IAM products, notably Oracle Identity Federation (OIF) that could populate the session with their own attributes. If so, OAM could then use these "foreign" attributes to make authorization decisions. This is a lightweight example of data virtualization at the session level (front-end) versus data virtualization at the directory level via Oracle Virtual Directory (back-end).

The policy model change from a default of "allow all" to "deny all" is to be applauded. If you have OAM and your default is allow all, I highly recommend changing it to a deny.

One of the more welcome changes dragged in by the new UI is the introduction of a built-in mechanism for promoting assets across environments, e.g. from Test to Production, a niche previously (and temporarily) occupied by OAM Configuration Manager (OAMCM). Oracle also promised an ability to templatize environments so that topology "definitions" can be reused in different promotion contexts. Along with that a mention was made of incremental promotion of policy changes. Anything that helps with a promotion of assets in a controllable fashion is good in my book.

If you squint at the architecture diagram, you'll notice a Token Processing component. I interpret this as a Security Token Service (STS), a future capability. No mention of that was made during OpenWorld session but I wouldn't be surprised if the STS that ships with Sun's OpenSSO served as the inspiration or basis for Oracle's implementation. The beauty (and weakness) of Open Source... Squinting at the OAM portion of product strategy diagram in the OIM 11g blog entry, I also noticed that OAM box contains services that are now represented by separate products. I take this as an indication that all of these currently separate products - OIF (federation), OAAM (adaptive access / strong authentication), OES (fine-grained authorization) will become services/modules that are part of a single OAM product. Smells like OpenSSO to me! In my Suncle access management blog entry, I said that I don't see this convergence happening at Oracle but I may have been wrong. (My time machine ran out of gas...). There are pros and cons to both approaches; sooner or later we shall see what OAM will have become. As for the rest of OpenSSO vs OAM debate, I stand by my initial assessment.

During the Q&A portion of the session, a number of questions were asked about "..but what about X" where X was custom plugins, IdentityXML, identity workflows and more. Front-end agents aside, I did not fully understand how backward compatibility with OAM 10g is supposed to work but something to the effect of "OAM 10g and 11g can coexist and run side-by-side" was discussed. The coexistence strategy was represented by the following diagram:
The OAM release plan is spread across multiple 11g waves (my term). OAM 11gR1 will target feature parity with legacy Oracle SSO stack and supporting mod_osso agents. If you want to rip out legacy stuff, 11gR1 is your ticket. 11gR2 is supposed to provide for feature parity with OAM 10g agents and deal with coexistence of 10g/11g services. 11gR3 will be convergence of R1 and R2 into a nice and shiny product. As is true for other 11g products, the only release date made available was "somewhere in calendar year 2010".

by Deborah Volk on October 19th, 2009

UPDATE (Feb 2010): The product described in this post is dead. Sun Role Manager has been renamed to Oracle Identity Analytics and the end result is NOT the same as the product announced at OpenWorld. Stay tuned for more details in another blog post.

Another session at Oracle OpenWorld I attended was for Oracle Identity Analytics (OIA), a new product Oracle built from existing parts for 11g. The product was first announced in early summer of 2009 but if you were reading Oracle tea leaves, you knew about it even before that.

Oracle Identity Analytics is a "classic" BI solution circa 2009 with features specific to identity and access universe sprinkled throughout. Oracle calls it a "unique, BI-centric approach" to identity and audit compliance. The ingredients of this cake are:

1) a slick BI front-end (thank you, Oracle BI suite)
2) a data warehouse (read: Oracle database optimized for reporting and analysis)
3) a way to extract and transform data from various sources for loading into OIA (thank you, Oracle Data Integrator)
4) a way to make sense of the data and discover hidden patterns (thank you, Oracle Data Mining)
5) tight(er) integration with neighbor products in the IAM suite, namely Oracle Identity Manager

Functionally OIA is a mashup of three slices: reporting, analytics and attestation. Segregation of duties is also part of OIA and it could be considered a fourth slice but let's pretend it's part of analytics. (If we wanted to be classification purists, we'd note that reporting is also an analytical feature, usually referred to as descriptive analytics. Attestation, on the other hand, doesn't fit as neatly into an analytics sandbox). A picture is worth (less than) a thousand words in the previous paragraph:
Reporting, analytics and attestation deliver on challenges surfaced in Governance and Risk areas of IT. Is OIA then a GRC product? Well, it's 2/3 of one! If you consider attestation a compensating control, then one could say it's a narrowly defined GRC solution. Furthermore, OIA took over role mining and some other features of Oracle Role Manager (ORM) that were left on the floor after identity administration aspects of ORM were surgically removed and donated to Oracle Identity Manager 11g.

From the reporting perspective, OIA's raison d'etre is easy to grasp. All Oracle IAM products have reporting features yet reporting on identity or access events in a silo fashion (each product does its own thing on top of its own data store) is not the best solution. It's a good solution in that it meets the needs of many customers, especially customers who start with a particular product such as Oracle Identity Manager and may not deploy other pieces of the Oracle IAM suite. While it is true that there are single-product customers out there, it is also true that there are plenty of customers who own and deploy more than one Oracle IAM product. Comparing the number of single- vs multi-product deployments, multi-product installs win, at least this has been our experience. For customers deploying multiple Oracle IAM products the question of consolidating reports and making sense of data across products is a very real one.

Oracle acknowledged this issue in 10g by providing for an optional consolidation of reporting across IAM stack via BI Publisher. The reporting slice of Oracle Identity Analytics is a direct evolution of this need. For an enterprise-wide take on reporting, you have to have both appropriate infrastructure (e.g. star schema, ETL tools, etc) and, more importantly, data collected from various operational stores. Having properly denormalized data from everywhere is necessary but not sufficient to be useful by itself. You need domain-specific interpretation of this data. In the IAM world, this is bubbled up via two intertwined aspects: compliance / audit and risk mitigation. In plain English: stop the auditors or regulators from fining us for having poor controls that may lead to attacks/breaches OR reduce the likelyhood of attacks/breaches so that auditors and regulators will have a chance to fine us for something else.

In the analytics context, correlation across identity and access events in various silos creates the coveted synergistic effect where 1+1 = 3. As Security and Information Event Management (SIEM) vendors will tell you, successful correlation is 80% perspiration of having to come up with rules / criteria for correlation and associated alarms (is it a malicious attacker or merely a clueless user who can't remember his password, forgot his door access code and borrowed a card key from a friend) and 20% of having the data in one place. Thus, having some pre-packaged correlation reports covering Oracle IAM suite products as data sources would be nice to have.

The mention of SIEM is not entirely accidental. Oracle Data Integrator is a general-purpose ETL tool and as such it can be used to grab data from any target be it an Oracle IAM product, an Oracle application or a 3rd party app. The target doesn't even have to be a database, the data could come from flat files offloaded from a mainframe, for example. This 'digest and correlate all data' approach is reminiscent of SIEM products and someone in the audience at OpenWorld asked if Oracle is moving into SIEM territory with OIA. The answer was no or, to be more precise, the answer was "not now". OIA won't deal with data sources that have tradtionally been part of the SIEM landscape, e.g. network devices. Nevertheless, the distinction seems to be purely technical to me since OIA is clearly capable of dealing with any kind of data.
Attestation is the second slice of OIA and it's probably the slice that's going to be the driver for deploying this product. With attestation targets covering the entire range of possibilities - user accounts, roles, entitlements, membership sets (both role and group) - and attestation workflow appearing to be quite flexible (multi-level AND event-based with advanced support for reminders, escalations and delegation), on paper OIA meets 80% of attestation requirements out of the box. This is a shot across the bow of vendors such as Aveksa and Sailpoint as well as many other identity audit / compliance solutions that have been sold to the line of business.

It's worth noting that attestation generates actionable events, i.e. if an employee left the company but his account and associated access is still alive and well, attestation could kick-off a de-provisioning workflow. With entirely contained in Oracle Identity Manager, both reporting and action steps of attestation process were in OIM. In 11g, reporting side of attestation will be in OIA but action will remain in OIM. Oracle promises to have 2-way integration so that when someone attests in OIA, OIA will call OIM to execute an appropriate action on the target of attestation.

Segregation of Duties (SoD) is another interesting piece of OIA. OIA will have its own SoD engine which could be used to centralize an entire SoD policy lifecycle in OIA, including policy definition, preventive SoD simulation (detect conflicts at design-time), detective SoD check (detect conflicts at run-time), and mitigation. SoD checks and violations are recorded as events in OIA data store so that they could be reported on or sliced and diced along with other data. Since Oracle owns a powerful SoD capability from its acquisition of Logical Apps, the distinction between OIA SoD (aka SoD for Enterprise IT) and Logical Apps SoD (aka SoD for Oracle e-Business Suite) was carefully painted. (Another reason for this distinction is OIM 10g integration with Logical Apps).
If I read between lines, the SoD engine in OIA may be used by other IAM products in the Oracle stack for, well, dealing with SoD issues. If OIA contains data from many apps in the IAM suite, then SoD could be truly a killer app since (perhaps for the first time) one can truly consider toxic policies or business rules based on events that span IAM products. I suppose there's nothing to prevent any app from querying OIA's SoD engine so that OIA may eventually morph into more of a decision engine rather than just an analytics app.

Release date of OIA 11g is calendar year 2010. It will be aligned 11g releases of OIM and OAM.

by Deborah Volk on October 14th, 2009

Hot off the Oracle OpenWorld presses, I give you OIM 11g:
To expand a bit on the above highlights:

1) Shiny new web UI based on Oracle's Application Development Framework (ADF).

2) BPEL-based request/approval workflows. By using inference and set algebra, I can claim that provisioning workflows will stay "as is" (if there can be such a state as "as is" in 11g). To see is to believe so we shall see.

3) Embedded Oracle Entitlement Server (OES) that will deliver enough semantic firepower in rules that make up various authorization pieces. I am calling this an OES microcontainer (please send me a royalty check if you use the term). This should make it easier to implement real-world business processes in OIM. The primary use case enabled by this is attribute-level delegated administration where you can say that all users with department="Engineering" and cost center="123" can do or have access to function blah in OIM.

4) The identity administration pieces of Oracle Role Manager (ORM) will move to OIM. Management of roles, their relationship to various entities and associated lifecycle will be in OIM. To help with role-based stuff, a few classification nodes in the overall OIM asset taxonomy will be introduced, namely role categories, namespaces and owners. Since roles are now part and parcel of OIM, their membership can be managed via requests and there's a bunch of role-based use cases sprinkled throughout the product.

5) New reconciliation engine. Performance was Oracle's top goal when rewriting the recon engine. This was achieved by pushing a (larger) portion of the transaction to the database via stored procedures and horizontal table partitioning. For a performance-starved and scale-hungry customer, this is a declaration of love. Only time (and millions of reconciliation events banging against the glass) will tell. (Better get some DBAs on your team now!) As a bonus, reconciliation event manager is now available on the web, no need for Operations people to use Design Console. It's been improved as well with an eye toward helping out Operations. For example, it. allows the capture of justification for manual operations such as manual/ad-hoc linking of events.

6) SPML-based web services for identity administration. This is already available in 10g. I don't know if the guts have been changed but 11g reads like an expansion of the current SPML web service interface with coverage for operations new in 11g, e.g. role admin. This was touted as an example of "Identity as a Service" with OIM acting as an authoritative source of identity info for the rest of the products in IAM stack and beyond (collective moniker: Fusion Middleware and Apps)

Some of the request workflow gaps that currently require a bit more engineering than expected by customers from an out-of-the-box-product have also been fixed. Namely, account modification requests (generically "modify requests") are now available thanks to BPEL workflow (ok, human tasks in a BPEL process). Thanks to BPEL engine being quite a bit more flexible than the current "homegrown" workflow engine in OIM, a slew of workflow features are available when dealing with requests, including dynamic routing, retraction, bulk actions, assignment to groups and more.

So the SOA/BPM and IAM worlds have finally collided. I predicted as much all the way back in April (Yes, my crystal ball is very special) If I look at my crystall ball now, I think eventually OIM may be nothing more than a specialized application running on top of a SOA/BPM platform.

Oracle Role Manager has been sent to sleep with the fishes. Its turf is going to be taken over by OIM on the identity administration side and by Oracle Identity Analytics (OIA) on the reporting/analytics side.
It'll be interesting to see the deployment requirements. OES microcontainer is embedded but will the same be true of SOA Suite components necessary for BPEL workflows to work? I doubt it. We'll probably witness the pull-through conquest model employed by legacy Oracle Identity Management stack. OIM will drag SOA pieces along and plant the Oracle SOA Suite seeds whether you like it or not.

Connectors have been mentioned briefly as in "there will be new connectors". On the reconciliation side, backward compatibility was highlighted ("no change to existing connectors or existing reconciliation config data") but I wonder about the rest of the APIs and backward compatibility in general. I am sure there will be lots of twists and footnotes to this story as it develops.

Release date of OIM 11g is calendar year 2010, somewhere between January 1st and December 31st. Apparently all Oracle PMs have been threatened with the worst punishment imaginable - exile to Support - if they narrow it down to a time period less than a year wide.

Last but not least, I don't see any room for Sun Identity Manager or Sun Role Manager in this new world order. Perhaps certain pieces could be extracted from Sun products and dropped into OIM 11g but off the top of my head, I can't think of any. If someone knows better, please leave a comment. Although we're far from seeing the curtain rise (or fall) on the Sun/Oracle deal, when it comes to combining the identity administration products (identity and role managers), I can claim to be at least 50% correct in my Suncle forecast.

by Deborah Volk on October 9th, 2009

Come see us at the Oracle OpenWorld 2009 Unconference on Monday Oct 12th at 4pm. We will be in Moscone West on 3rd floor in Overlook II. Our talk is entitled "Everything You Wanted to Know About Managing Entitlements with Oracle Identity Manager (OIM) But Were Afraid to Ask". Following our session, we'll be hosting a cocktail reception between 5:30pm-7pm. Please RSVP if you'd like to stop by and have a drink with us.

Naturally, we think our session will be very interesting but in case you want to see what else is out there, Oracle IDM marketing folks put together a nice "cheatsheet" that collects all IDM-related OpenWorld content in one place.

2012 (1)
2011 (2)
2010 (2)
2009 (64)
March (11)
April (18)
May (18)
June (4)
July (1)
August (1)
September (5)
October (5)
December (1)