Introduction
Many organizations are realizing they can differentiate and expand their core businesses by reaching out to partners to create valuable online services. But they must do so without exploding IT budgets or disrupting their regulatory controls, while keeping the end-user experience as seamless as possible. The solution is federation, which leverages existing IT services, security mechanisms, and identity infrastructures to link together diverse networks of partners.
- Create tighter relationships with partners
- Deliver higher value services to consumers
- Simplify the process of onboarding new partners
- Deliver greater value from line of business applications
- Reduce the complexity of enterprise application outsourcing
- Ensure business and regulatory compliance
Using standards-based federation protocols, customers can extend valuable services to partners and consumers without taking on the cumbersome task of managing redundant identity information. Instead, partners manage their own user identities. This allows everyone to focus on the task at hand, offering valuable business services in a secure, reliable, repeatable fashion.
Oracle Identity Federation is a complete and powerful federation solution that enables organizations to extend the boundaries of their enterprise to seamlessly integrate partner and supplier applications by establishing security and trust across security domains.
Oracle Identity Federation is a self-contained, standalone federation server supporting the broadest set of federation standards. It can be deployed as a multi-protocol hub acting as both an Identity Provider (IdP) and Service Provider (SP). Acting as an SP, Oracle Identity Federation enables you to manage your resources while offloading the actual authentication of users to an IdP, without having to synchronize users across security domains out of band. Once a user has been authenticated at the IdP, the SP can allow or deny that user access to the SP's applications according to its local access policies. If a user no longer has an account with the IdP, the federation is terminated and cross-domain single sign-on for that user is automatically disabled. As an IdP, Oracle Identity Federation allows you to manage and authenticate local users based upon federated requests from trusted providers.
Key Benefits of Oracle Identity Management:
- Multi-standard support: Implementation of the broadest set of federation standards
- Interoperability: Interoperable with 3rd party standards-compliant products
- Heterogeneous architecture: Integrates with common identity repositories and identity and access management systems
- Increased security and regulatory compliance: Mitigate security risks and comply with regulations around identities and access privileges
- Reduced user management costs: Provide a smooth user experience while reducing help desk calls and user administration costs
- Ease of installation: Designed to be installed in a matter of hours not weeks or months
Overview of Oracle Identity Features and Functionality
Multiple Federation Protocol Support
Oracle Identity Federation supports the major federation protocols and has proven interoperability with 3rd party vendors, participated in vendor neutral conformance events and has achieved Liberty Alliance certification for Liberty ID-FF and SAML 2.0.
Oracle Identity Federation supports the following protocols:
- OASIS SAML 1.0, 1.1 & 2.0
- Liberty Alliance ID-FF 1.1 & 1.2
- WS-Federation
Oracle Identity Federation implements protocol-specific profiles to define constraints, extensions and/or assertions to use when exchanging messages for a specific use-case. This ensures a higher level of interoperability with 3rd party federation products for federation-specific transactions including, but not limited to, cross-domain single sign-on (Browser Artifact/POST, X.509 Based Authentication Attribute Sharing profiles), single logout, termination of user federations, and automatic account linking.
Heterogeneous Architecture
Oracle Identity Federation integrates with 3rd party identity and access management solutions so organizations do not need to rip out the existing infrastructure. Acting as an IdP, Oracle Identity Federation can authenticate users to an LDAP-compliant directory server or to a database. Oracle Identity Federation also makes direct calls to these repositories for user attributes for higher performance. If a supported authentication or authorization system is already deployed, Oracle Identity Federation can leverage it to authenticate users and create authentication assertions to be passed on to partner applications. Acting as an SP, Oracle Identity Federation will communicate with a supported authentication or authorization system to determine the access privileges of authenticated users, locating the attributes of the user from the data repository.
Bulk Federation
Oracle Identity Federation includes a tool that enables administrators to bulk load user federation records. Because a federation represents an account link between a user and two providers, the two providers agree to identify an individual using the data contained in the federation. Therefore, when a federation is created the providers will have agreed to use some specific piece of information to identify that user. As the tool does not directly interact with the user data repository, the changes that will be made can be reviewed and analyzed by the administrator prior to actually bulk loading the data.
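The review step described above is worth automating. The following Python is an added example (it is not Oracle's bulk federation tool and does not reproduce its file format) of a dry run over a constructed CSV of account-link records: it checks each record against a snapshot of local users and flags the two conflicts that break the "one identifier per user per partner" agreement, without writing anything to a repository.

```python
import csv
import io
from collections import defaultdict

# Constructed snapshot of the local user repository (hypothetical user IDs).
LOCAL_USERS = {"jdoe", "asmith", "bwong"}

# Constructed bulk file: one account link per row (format invented for this example).
BULK_CSV = """local_user,partner_entity_id,name_id_format,name_id
jdoe,https://idp.example.com/idp,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,partner-user-4711
asmith,https://idp.example.com/idp,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,partner-user-4712
bwong,https://idp.example.com/idp,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,partner-user-4711
ghost,https://idp.example.com/idp,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,partner-user-4713
jdoe,https://idp.example.com/idp,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,partner-user-4799
jdoe,https://partner2.example.org/idp,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,p2-0001
"""


def review_federation_records(csv_text, local_users):
    """Dry run: parse and cross-check the records without touching any repository.
    Returns (accepted_rows, findings); findings are (csv_line_number, reason) pairs."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_name_id = defaultdict(set)  # (partner, NameID) -> local users claiming it
    by_local = defaultdict(set)    # (local user, partner) -> NameIDs assigned
    for r in rows:
        by_name_id[(r["partner_entity_id"], r["name_id"])].add(r["local_user"])
        by_local[(r["local_user"], r["partner_entity_id"])].add(r["name_id"])

    accepted, findings = [], []
    for line_no, r in enumerate(rows, start=2):  # line 1 of the CSV is the header
        reasons = []
        if not r["name_id"]:
            reasons.append("empty NameID")
        if r["local_user"] not in local_users:
            reasons.append(f"local user {r['local_user']!r} does not exist")
        claimants = by_name_id[(r["partner_entity_id"], r["name_id"])]
        if len(claimants) > 1:
            # Two local accounts would both be reachable with one partner identity.
            reasons.append(f"NameID {r['name_id']!r} is claimed by {sorted(claimants)}")
        assigned = by_local[(r["local_user"], r["partner_entity_id"])]
        if len(assigned) > 1:
            # The same local account would be federated twice with one partner.
            reasons.append(f"local user already has another NameID at this partner: {sorted(assigned)}")
        if reasons:
            findings.append((line_no, "; ".join(reasons)))
        else:
            accepted.append(r)
    return accepted, findings


if __name__ == "__main__":
    ok, problems = review_federation_records(BULK_CSV, LOCAL_USERS)
    print(f"{len(ok)} record(s) ready to load, {len(problems)} need review:")
    for line_no, reason in problems:
        print(f"  line {line_no}: {reason}")
```

Both sides of a NameID collision are reported rather than silently keeping the first row, since the administrator, not the loader, has to decide which link the partner actually agreed to.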
Lightweight
Oracle Identity Federation is a self-contained, turnkey solution which is ready to integrate with a broad variety of identity and access management infrastructure; at the same time it provides simplified programmatic interfaces to allow customers to directly integrate with specific applications or homegrown solutions, thus requiring no additional operational footprint.
Certificate Validation Support
Security is a critical aspect of any enterprise architecture, and digital certificates are an important part of validation and authentication. Oracle Identity Federation provides a certificate validation store to support X.509 certificates for digital signatures and encryption. It enables you to manage trusted certificate authorities (CAs) and certificate revocation lists (CRLs) through an easy-to-use interface in the administration console. Administrators can sign and encrypt outgoing SAML assertions as well as validate and authenticate messages received from trusted providers.
Load Balancing and Failover Support
Oracle Identity Federation is designed to support mission-critical applications through load balancing and failover support. To enable load balancing and failover across multiple instances, Oracle Identity Federation allows customers to set up a system with shared database instances that multiple servers can access. Oracle Identity Federation servers can also be configured to support specific load distribution algorithms and to remove configured servers from service if particular machines go down.
Federation Deployment Architecture
The "Hub and Spoke" and "Identity Gateway" models are two common models that have been seen in federated environments. The Hub and Spoke model is a federated system where a service provider ("hub") provides applications/resources to users of identity providers ("spokes"). The spokes provide local authentication to the users and typically these users will login through a local portal. Once authentication has been established, the user, assuming the user has the proper credentials and the account has already been federated, will be able to access the hub's resources.
In the Identity Gateway model there is a central identity provider and distributed service providers. Users authenticate at the identity gateway and then are able to access resources at the various service providers in the network. The goal is to provide central authentication and enable service providers to leverage the identity provider user base. Typical examples of this model are government or citizen portals.
Oracle Identity Federation provides the services that send and receive authenticated assertions and identity attributes, maps them to a local user, and additionally supports multiple federation standards. Customers implementing federation standards still need a way to authenticate users at the source sites and to determine whether the user is authorized to access the requested resource at the destination sites.
As an identity provider, Oracle Identity Federation can be deployed quickly and securely with a minimum requirement of a supported LDAP directory from which to obtain user profile attributes to populate the protocol assertions. Oracle Identity Federation includes all the components required to integrate with existing identity and access management systems to authenticate users, build and send assertions, manage domains and manage certificates. No coding is required. As a service provider, Oracle Identity Federation can utilize an authorization or authentication system for policy-driven user decisions. In this environment, Oracle Identity Federation includes all the components and logic to receive assertions, verify assertions, set a session cookie, manage domains, manage certificates and redirect users to the requested resource.
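To make the "receive assertions, verify assertions" step concrete, here is an added example (not Oracle Identity Federation's code, and not its actual verification routine) of the SP-side checks a SAML 2.0 Response must pass before a session cookie is set: status, Destination, InResponseTo, trusted Issuer, replay of the assertion ID, Conditions validity window and AudienceRestriction, bearer SubjectConfirmationData, and finally the account-linking lookup that maps the IdP's NameID to a local user. The XML signature check is assumed to have been done already against the IdP's certificate and is not shown; the entity IDs, URLs, federation record and sample Response are all constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed SP configuration (placeholders, not from the datasheet).
SP_ENTITY_ID = "https://sp.example.com/saml"
SP_ACS_URL = "https://sp.example.com/acs"
TRUSTED_IDPS = {"https://idp.example.com/idp"}
CLOCK_SKEW = timedelta(minutes=2)
# Constructed federation records: (IdP entity ID, NameID) -> local user account.
FEDERATION_RECORDS = {("https://idp.example.com/idp", "partner-user-4711"): "jdoe"}


class AssertionRejected(Exception):
    pass


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_request_ids, seen_assertion_ids, now=None):
    """SP-side checks on a Response whose XML signature is ASSUMED already verified
    (XML-DSig is out of scope here). Returns the local user or raises AssertionRejected."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{SAMLP}}}Response":
        raise AssertionRejected("not a samlp:Response")
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise AssertionRejected("status is not Success")
    if resp.get("Destination") != SP_ACS_URL:
        raise AssertionRejected("Destination is not our ACS URL")
    in_response_to = resp.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise AssertionRejected("InResponseTo matches no outstanding AuthnRequest")
    a = resp.find(f"{{{SAML}}}Assertion")
    if a is None:
        raise AssertionRejected("no plaintext Assertion (EncryptedAssertion not handled here)")
    issuer = a.findtext(f"{{{SAML}}}Issuer")
    if issuer not in TRUSTED_IDPS:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")
    if a.get("ID") in seen_assertion_ids:
        raise AssertionRejected("assertion ID already consumed (replay)")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise AssertionRejected("no Conditions")
    if cond.get("NotBefore") and now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")
    if SP_ENTITY_ID not in [x.text for x in cond.iter(f"{{{SAML}}}Audience")]:
        raise AssertionRejected("SP is not in the AudienceRestriction")
    subj = a.find(f"{{{SAML}}}Subject")
    conf = subj.find(f"{{{SAML}}}SubjectConfirmation") if subj is not None else None
    data = conf.find(f"{{{SAML}}}SubjectConfirmationData") if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or data is None:
        raise AssertionRejected("no bearer SubjectConfirmation")
    if data.get("Recipient") != SP_ACS_URL or data.get("InResponseTo") != in_response_to:
        raise AssertionRejected("SubjectConfirmationData Recipient/InResponseTo mismatch")
    if data.get("NotOnOrAfter") and now >= _ts(data.get("NotOnOrAfter")):
        raise AssertionRejected("bearer confirmation expired")
    name_id = subj.findtext(f"{{{SAML}}}NameID")
    local_user = FEDERATION_RECORDS.get((issuer, name_id))
    if local_user is None:
        raise AssertionRejected(f"no federation record for {name_id!r} from {issuer!r}")
    # Every check passed: consume the request ID and remember the assertion ID.
    outstanding_request_ids.discard(in_response_to)
    seen_assertion_ids.add(a.get("ID"))
    return local_user


def sample_response(issuer="https://idp.example.com/idp", audience=SP_ENTITY_ID,
                    not_on_or_after="2024-01-01T00:10:00Z"):
    """Constructed, unsigned sample Response used to exercise the checks above."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>partner-user-4711</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" InResponseTo="_req1"
            NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

The request ID is removed from the outstanding set and the assertion ID recorded only after every check passes, so a rejected Response can neither burn a pending request nor poison the replay cache; both sets must be shared across instances in a load-balanced deployment.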
Supported Platforms and Integration
Supported Platforms
- AIX
- HP-UX
- Red Hat Linux
- SUSE Linux
- Solaris
- Windows
Supported Directory Servers and Databases
- Oracle Database
- Microsoft SQL Server
- Microsoft Active Directory
- Oracle Internet Directory
- Sun Java System Directory Server
Supported Identity & Access Management Systems
- Oracle Access Manager
- Oracle AS Single Sign-On
- Oracle COREid Access & Identity
- CA eTrust SiteMinder
Supported Protocols
Oracle Identity Federation Operational Modes, Profiles, and Bindings for SAML v2.0

| Feature | Bindings | IdP | SP |
|---|---|---|---|
| Web SSO | HTTP Redirect | X | X |
| Web SSO | HTTP POST | X | X |
| Web SSO | HTTP Artifact | X | X |
| Single Logout | HTTP Redirect | X | X |
| Single Logout | HTTP POST | X | X |
| Name Identifier Management | HTTP Redirect | X | X |
| Name Identifier Management | SOAP | X | X |
| Artifact Resolution | SOAP | X | X |
| IdP Discovery | | X | X |
| Metadata Exchange | | X | X |

| Feature | Bindings | SAML Attribute Authority | SAML Requester |
|---|---|---|---|
| Attribute Query | | X | X |
Oracle Identity Federation Profiles, Bindings, and NameID Updates for Liberty 1.1 and 1.2

| Feature | Profiles/Bindings | Liberty 1.1 | Liberty 1.2 |
|---|---|---|---|
| Single Sign On | Artifact | X | X |
| Single Sign On | HTTP POST | X | X |
| Logout | HTTP Redirect | X | X |
| Name Id Registration | HTTP Redirect | X | X |
| Name Id Registration | SOAP | X | X |
| Federation Termination | HTTP Redirect | X | X |
| Federation Termination | SOAP | X | X |
Oracle Identity Federation Profiles, Bindings, and NameID Updates for SAML 1.x and WS-Federation

| Feature | Profiles/Bindings | SAML 1.0/1.1 | WS-Federation |
|---|---|---|---|
| Single Sign On | Artifact | X | |
| Single Sign On | HTTP POST | X | X |
| Logout | HTTP Redirect | | X |