Partner Webcast – Single Sign-on to Applications in Oracle Identity Cloud Service

Cloud adoption promises the benefit of increased flexibility, agility, and significant cost savings, so migrating more and more applications including business-critical applications to the cloud is becoming a growing priority for companies of all sizes. Oracle gives you more options for where and how you make your journey to the cloud. Single Sign On is not a new concept and has more or less been rolled out in almost every organization. Oracle Identity Cloud Service enables employees, customers, and partners to access all of their applications seamlessly using a single authentication.

Published in: Technology


  1. Single Sign-on to Applications in Oracle Identity Cloud Service. Mihai Dragomir, Cloud Adoption and Implementation Consultant, OPN Innovation and Modernization Center, EMEA A&C. April 2019. Copyright © 2019, Oracle and/or its affiliates. All rights reserved.
  2. Safe Harbor Statement: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  3. Program Agenda
     1. Introducing Oracle Identity Cloud Service
     2. Identity Cloud Service Features
     3. Understanding Oracle and Custom Applications
     4. Understanding Authentication and Authorization
     5. Use-cases and Demo
     6. Summary – Q&A
  5. Introducing Oracle Identity Cloud Service
  6. Why Oracle’s next-generation IDaaS platform?
     • Oracle Identity Cloud Service is Oracle’s next-generation IDaaS platform built on modern cloud principles using open identity standards to address these challenges.
     • This platform delivers innovative and fully integrated IAM capabilities through a multitenant cloud that can be leveraged by other cloud-based services.
  7. How? Consolidated Identities, Hybrid Identity Management, Defense in Depth. Business value:
     • Reduce risk from security and compliance challenges
     • Reduce the cost and complexity of user, app, device and data security
     • Protect your brand reputation from data breaches
     • Enhance data privacy and win your customers’ trust
  8. Defense in Depth
     • Oracle IDCS provides security to protect all IaaS, PaaS, and SaaS applications.
     • Customers can define their own security controls by setting authentication and authorization policies.
     • Integration-ready with behavioral risk analytics and audit logging via API layers.
     • Manage on-premises applications: reuse your on-premises connectors and extend them to the cloud.
  9. Hybrid Identity Management
     • Oracle IDCS seamlessly integrates with on-premises identities in Active Directory.
     • Single Sign-On capabilities can be used across cloud and on-premises applications.
     • IDCS provides one-click management of users and services, simplifying IT administration and reducing cost.
     • Customers can modernize applications in the cloud: build them quickly and secure them with IDCS in minutes.
  10. Consolidated Identities
     • Oracle IDCS provides a fully integrated service that delivers a single point of management for identity and access.
     • Single Sign-On and user self-service enhance the user experience while keeping helpdesk costs low.
     • Automated provisioning and deprovisioning expedites processes and keeps organizations on track for digital innovation.
     • Further secure users with Multi-Factor Authentication.
  11. Identity Cloud Service Concepts
     • Single Sign-On: allow users to log in once and use the same account everywhere. Stops at enterprise boundaries (Kerberos, proprietary solutions).
     • Federated Single Sign-On: combines the Single Sign-On of distinct entities (enterprises) across those boundaries (SAML 2.0, OpenID Connect).
  12. Identity Cloud Service Concepts
     • Identity Provider (IdP): the party that authenticates users and issues assertions about their identity. When users sign in through a website external to Oracle IDCS, that site acts as the IdP.
     • Service Provider (SP): the party that hosts applications, such as IDCS, and relies on the IdP’s assertion instead of authenticating the user itself.
  13. Identity Cloud Service Concepts
     • User Account: a user’s account allows a user to authenticate to a system and potentially to receive authorization to access resources provided by or connected to that system; authentication does not imply authorization.
     • Role: a set of permission policies, assigned to an identity, that determines what the identity can and cannot do in IDCS.
  14. Identity Cloud Service Concepts
     • Identity Store: stores user identities and their roles.
     • Synchronization: pull identity information from the target system into IDCS.
     • Provisioning: push identity information from IDCS to the target system.
  16. Identity Cloud Service Features
  17. Oracle Identity Cloud Service (IDCS)
     • Identity Management: manage user credentials across cloud, mobile and on-premises applications, quickly, easily and from only one place
     • SSO & Authorization: use SSO and authorization to access applications on-premises and in the cloud from any device, everywhere
     • Hybrid Identity Management: synchronize your users and SSO between Microsoft Active Directory or your Oracle Identity Management Suite and the cloud
     • Open Standards: leverage the power of open standards to deliver highly flexible integrations with other applications
  18. Open Standards: leverage an API-first and open-standards solution. Oracle Identity Cloud Service is built on an API-first architecture that leverages the power of open standards to deliver highly flexible and portable integrations:
     • SAML 2.0: Security Assertion Markup Language, an XML-based standard that provides federated SSO compatibility with most on-premises applications
     • OAuth 2.0: a REST-based standard that provides authorization between cloud services. OAuth is implemented by most cloud services to securely delegate authorization via tokens.
     • OpenID Connect: an identity layer that sits on top of OAuth 2.0 to provide federated SSO. OpenID Connect is compatible with most social identity providers in the cloud.
     • SCIM: System for Cross-domain Identity Management, a REST-based standard that defines schemas for managing identities across cloud services. With SCIM, you can synchronize identities between different IAM services and applications.
  19. Hybrid Identity Management
     • Synchronize or federate identities from on-premises to the cloud without the need for extensive refactoring or rewriting
     • Only IDaaS that can automatically provision and de-provision users to Oracle Public Cloud
     • Identity management for on-premises applications (EBS, PeopleSoft, etc.)
     • Pre-integrated with on-premises Oracle IAM, enabling a single pane of glass
  20. Identity Management: with Oracle Identity Cloud Service, you have a robust set of tools to manage your identities in the cloud:
     • REST APIs: use the SCIM-based REST APIs for managing identities and configurations from custom applications.
     • Administrative user interface: use this interface for user, group, application, and policy lifecycle management, to bulk-load identities, and to download software development kits (SDKs).
     • Self-service user interface: end users can use this interface to request access to groups and applications, manage their applications, profiles, and passwords, set their primary and recovery email addresses, activate and unlock their accounts, and link their social login accounts to their Oracle Identity Cloud Service user accounts through social identity providers such as LinkedIn, Facebook, Twitter, Google and Microsoft.
  21. SSO & Authorization: with Oracle Identity Cloud Service, you can implement federated SSO with other solutions. With this integration, your on-premises users, partners, and cloud users can access on-premises and cloud applications with a single login from anywhere, at any time:
     • SAML SSO: implement federated SSO with SAML Identity Providers located on your premises or on your partners’ premises.
     • OpenID Connect SSO: configure OpenID Connect and OAuth 2.0-based SSO with trusted cloud providers.
     • Social Account SSO: use federated SSO and social identity providers to link social accounts with user accounts in Oracle Identity Cloud Service.
     Oracle Identity Cloud Service supports its native authentication in parallel with federated SSO. You can take advantage of this feature to implement heterogeneous authentication for each type of user.
  22. Oracle Identity Cloud Service (architecture diagram: Oracle OIM on-premises, Oracle Identity Cloud Service in the cloud)
  24. Understanding Oracle and Custom Applications
  25. Oracle Identity Cloud Service and Applications. Oracle Identity Cloud Service:
     • Provides a secure and centralized cloud service
     • Helps manage the relationship that users and groups have with applications
     • Enables granting user access to applications
  26. Understanding Cloud Applications
     • Cloud Applications: web-based applications, accessed over the web
     • Oracle Applications: a complete and modular set of enterprise applications, engineered to be cloud-ready
     • Custom Applications: applications that you can integrate with Oracle Identity Cloud Service
  27. Relationship between IDCS and Applications
     • Application template: the configuration template used to define the identity, access, and configuration information that IDCS requires to communicate with the application.
     • Applications page: applications that show in the My Apps page are applications to which the administrator has granted you access.
     • Grant user and group access: you can use IDCS to grant users access to applications.
     • Entitlements: each entitlement in an Oracle application is represented by an application role.
  28. Managing Applications using IDCS
     • Oracle applications that are part of a subscription-based service are cloud-ready.
     • You can use Oracle Identity Cloud Service to add custom web, browser, or mobile device applications.
     Management areas: user and group assignments, application configuration, access tokens, activation/deactivation/removal.
  30. Understanding Authentication and Authorization
  31. Authentication vs. Authorization (authentication: who you are; authorization: what you can do)
     • Authentication is the process of validating whether a person (or system) is actually who they say they are.
     • Authorization is the process of determining what actions you are allowed to perform once you have been authenticated.
     • Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization assertions between a Service Provider (SP) and an Identity Provider (IdP).
     • OAuth 2.0 is an authorization protocol, not an authentication protocol. Because of this, OAuth 2.0 alone cannot provide federated identity; OpenID Connect adds the authentication layer on top of it.
  32. SAML integration with IDCS. SAML authentication involves three roles:
     • Oracle Identity Cloud Service as the Identity Provider
     • Pre-integrated cloud services as the Service Provider
     • The user (web browser / mobile device)
     Oracle Identity Cloud Service SAML integration currently supports the following features:
     • SP-initiated Web SSO
     • IdP-initiated Web SSO
     • SP-initiated Single Logout
     • IdP-initiated Single Logout
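Whichever side initiates the flow, the Service Provider ends up holding a SAML Response from the IdP and must check it before trusting the NameID inside. What follows is an added example, not Oracle's code or any part of IDCS, of those SP-side checks in Python: it assumes the XML signature over the Response and Assertion has already been verified with an XML-DSig library (python3-saml, for instance), and the entity IDs, ACS URL and the sample Response are constructed for the example.

```python
# Added example, not Oracle's or any IDCS code: the Service Provider-side checks on a
# SAML 2.0 Response that come AFTER XML-signature verification. Signature checking is
# deliberately not done here (use an XML-DSig library such as python3-saml); in
# production also parse untrusted XML with defusedxml. All identifiers are assumptions.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(minutes=1)

# Assumed identifiers for the two parties in the slide's SP-initiated flow.
IDP_ENTITY_ID = "https://idcs-example.identity.oraclecloud.com"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
SAMPLE_NOW = datetime(2019, 4, 10, 10, 1, tzinfo=timezone.utc)

# Constructed sample Response (Signature elements omitted) answering AuthnRequest _req42.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2019-04-10T10:00:00Z" Destination="https://sp.example.com/saml/acs"
  InResponseTo="_req42">
  <saml:Issuer>https://idcs-example.identity.oraclecloud.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-04-10T10:00:00Z">
    <saml:Issuer>https://idcs-example.identity.oraclecloud.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2019-04-10T10:05:00Z"
          Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-04-10T09:59:00Z" NotOnOrAfter="2019-04-10T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def validate_response(xml_text, idp_entity_id, sp_entity_id, acs_url, outstanding_request_ids, now):
    """Return the subject and attributes of a valid Response, else raise ValueError.
    Afterwards the caller must drop the request ID from outstanding_request_ids and
    remember the Assertion ID until NotOnOrAfter, so a captured Response cannot be replayed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse extra or wrapped assertions outright
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != idp_entity_id:
            raise ValueError("unexpected Issuer")
    request_id = root.get("InResponseTo")
    if request_id not in outstanding_request_ids:  # SP-initiated: must answer our own request
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = None if conf is None else conf.find("saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Method") != CM_BEARER or data is None:
        raise ValueError("missing bearer SubjectConfirmation")
    if data.get("Recipient") != acs_url or data.get("InResponseTo") != request_id:
        raise ValueError("SubjectConfirmationData not bound to this SP and request")
    if data.get("NotOnOrAfter") is None or now >= _saml_time(data.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("bearer confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if cond.get("NotBefore") and now + CLOCK_SKEW < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("assertion expired")
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("missing NameID")
    attributes = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
                  for att in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": name_id.text.strip(), "attributes": attributes}


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, {"_req42"}, SAMPLE_NOW))
```

The order matters: signature first (not shown), then issuer, then the binding to your own request and ACS URL, then the time window and audience, and only then the subject. For an IdP-initiated login there is no InResponseTo to match, so the SP relies entirely on the assertion ID cache and the time window against replay.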
  33. OAuth and OpenID Connect. Oracle IDCS supports the following frameworks for federated SSO and authorization integration with applications:
     • OAuth 2.0: framework for authorization, commonly used for third-party authorization requests (https://oauth.net/2/)
     • OpenID Connect: authentication protocol that provides federated SSO, leveraging the OAuth 2.0 authorization framework (https://openid.net/connect/)
     • Use Oracle IDCS as the authentication server for apps that support the OpenID Connect standard
     • Use Oracle IDCS as the authorization server for apps that support the OAuth 2.0 standard
  34. Authorization Code Grant Type. Use this grant type when you want to obtain an authorization code by using an authorization server as an intermediary between the client application and the resource owner. Data flow:
     1. The user requests the protected URL.
     2. Oracle IDCS displays the Sign in page.
     3. The user submits their login credentials.
     4. Oracle IDCS issues an authorization code to the web application through the browser.
     5. The web application uses the SDK to exchange the authorization code for a user access token.
     6. The web application displays content for the user.
     Only the short-lived code passes through the browser; the exchange in step 5 is a back-channel call authenticated with the client secret, so the token never reaches the user agent. The client should tie the callback to the request it started with a state value and, for public clients, PKCE.
  35. Client Credentials Grant Type. Use this grant type when the authorization scope is limited to the protected resources under the control of the client or to protected resources registered with the OAuth authorization server. Data flow:
     1. The user requests the protected URL.
     2. The request is forwarded to the web application.
     3. The web application uses the SDK to submit the Client ID and Secret to Oracle IDCS for validation.
     4. Oracle IDCS issues an access token to the web application.
     5. The web application displays content for the user.
     The token represents the application itself, not the user who requested the page, so it must not be used to make per-user authorization decisions.
  36. Resource Owner Password Credentials Grant Type. Use this grant type only when the resource owner has a strong trust relationship with the client, such as a computer operating system or a highly privileged application, because the client handles the user’s password directly and must discard it once it has obtained the access token. Data flow:
     1. The user requests the protected URL.
     2. The application displays the Sign in page.
     3. The user submits their login credentials.
     4. The client application exchanges those credentials for an access token from Oracle IDCS.
     5. Oracle IDCS issues a user access token to the app.
     6. The application displays content for the user.
     Because the user never sees the IDCS sign-in page, this grant bypasses federated and multi-factor login at the identity provider; the OAuth 2.0 Security Best Current Practice advises against it, so prefer the authorization code grant wherever possible.
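The three grant slides above list the hops but not what binds them together. The following is an added example in Python, not Oracle's SDK or any IDCS code, that builds the messages for the authorization code grant (with state, nonce and PKCE), the client credentials grant, and the claim checks on the ID token that comes back when the openid scope is requested; the password grant is left out on purpose. The tenant URL, endpoint paths, issuer and client values are assumptions; take the real ones from your tenant's OpenID Connect discovery document, and hand signature verification of the ID token to a JWT library with the tenant's JWKS.

```python
# Added example (not Oracle's SDK or any IDCS code): the client-side bindings that
# the authorization-code, client-credentials and password-grant slides leave
# implicit. Endpoint paths, issuer and client values are assumptions; take the
# real ones from the tenant's /.well-known/openid-configuration document.
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

IDCS_BASE = "https://idcs-example.identity.oraclecloud.com"  # assumed tenant URL
AUTHZ_ENDPOINT = IDCS_BASE + "/oauth2/v1/authorize"          # assumed path
TOKEN_ENDPOINT = IDCS_BASE + "/oauth2/v1/token"              # assumed path


def b64url(raw):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 code challenge for a PKCE code verifier (RFC 7636)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_authorization(session, client_id, redirect_uri, scope):
    """Slide steps 1-2: build the redirect to the IDCS sign-in page. state, nonce
    and the PKCE verifier stay server-side so the callback and the returned
    tokens can be tied to this particular login attempt."""
    verifier = b64url(secrets.token_bytes(32))
    session.update(state=secrets.token_urlsafe(16), nonce=secrets.token_urlsafe(16),
                   pkce_verifier=verifier)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match a URI registered for the client
        "scope": scope,                 # include "openid" to also receive an ID token
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Slide step 4: accept the code only when state matches this session, which
    rejects CSRF and codes injected from another user's login."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if "state" not in session or query.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch")
    del session["state"]  # single use
    return query["code"][0]


def _basic_auth(client_id, client_secret):
    creds = base64.b64encode((client_id + ":" + client_secret).encode()).decode()
    return {"Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded"}


def token_request_for_code(session, code, client_id, client_secret, redirect_uri):
    """Slide step 5: the back-channel exchange POSTed to TOKEN_ENDPOINT. The client
    secret and the PKCE verifier travel only in this server-to-server call."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": session.pop("pkce_verifier")}
    return _basic_auth(client_id, client_secret), body


def token_request_for_client(client_id, client_secret, scope):
    """Client-credentials grant: no user involved, the token represents the app."""
    return _basic_auth(client_id, client_secret), {"grant_type": "client_credentials", "scope": scope}


def validate_id_token_claims(claims, expected_issuer, client_id, session, now=None):
    """Claim checks on a decoded ID token, to run after a JWT library has verified
    its signature against the tenant JWKS (not shown). The nonce check ties the
    token to the login started by start_authorization."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("nonce") != session.get("nonce"):
        raise ValueError("nonce mismatch")
    return claims
```

The functions return the request pieces instead of sending them, so the block runs offline; in a real client, token_request_for_code and token_request_for_client are POSTed to TOKEN_ENDPOINT over TLS and the JSON response carries access_token (and id_token when openid was requested).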
  37. Securing Applications Using IDCS (diagram: OAuth, OpenID Connect). IDCS is an identity hub and provides federated SSO and identity management for:
  38. Oracle IDCS SDK
     • Oracle IDCS provides SDKs for authentication
     • SDKs are based on industry-standard protocols
     • SDKs wrap the REST API endpoint calls
     • Developers can use SDKs to enable Java, Node.js and Python web applications, and mobile applications, to authenticate with Oracle IDCS
  40. Use-cases and Demo
  41. IDCS SSO Architecture diagram: centralize the authentication mechanism of your application ecosystem through the different ways to integrate your applications with IDCS. Core capabilities:
     • Provide a cloud-based portal for employees to access SaaS applications
     • IDBridge as an optional on-premises agent to use a corporate AD as the user store
     • Support for bi-directional SAML SSO (IdP- and SP-initiated) and Single Logout
     • Support for bi-directional OpenID Connect (IdP- and RP-initiated) and Single Logout
  42. Secure Form Fill
     • When none of the other authentication methods discussed apply to an app, you can use Secure Form Fill.
     • Secure Form Fill is the Oracle IDCS alternative for SSO into apps that only offer a login form to fill in.
     • Enter the application credentials in a form-fill-enabled application in IDCS.
     • Oracle IDCS stores and encrypts the information, automatically fills in the login form, and submits the credentials to the application.
     This is credential vaulting rather than federation: the target application still holds its own password for the user, so its password policy and credential lifecycle are not replaced by IDCS.
  43. Choosing the Best Integration Option
  44. Use Case 1: Integrate a Catalog Application. Steps to integrate your application with Oracle IDCS using the App Catalog:
     1. Register your application in the App Catalog by using the IDCS administration console.
     2. Download the Oracle IDCS metadata and save the XML file.
     3. Activate your application in Oracle IDCS.
     4. Open the application’s console and load the Oracle IDCS metadata into it.
     5. Verify the integration to ensure that SSO works from both the Identity Provider and the Service Provider.
  45. Use Case 2: Using OAuth and OpenID Connect. Steps to use OAuth and OpenID Connect for authorization requests:
     1. Register your application as a client in Oracle IDCS.
     2. Note the Client ID and Client Secret for integrating your application with IDCS.
     3. Configure the application to connect with Oracle IDCS during authentication.
     4. Add the Client ID, Client Secret and URL of your Oracle IDCS tenant to the client configuration file.
  47. Use Case 3: Using SDKs. Steps to integrate applications with Oracle IDCS by using SDKs:
     1. Download the SDK.
     2. Extract the contents of the SDK zip file.
     3. Register the SDK web application as a client in Oracle IDCS.
     4. Note the Client ID and Client Secret.
     5. Update the application configuration with the Client ID and Secret so that it can use the IDCS SDK for its programming language. Keep the secret in configuration or a secret store, not in committed source code.
  48. Use Case 4: Using Secure Form Fill. Steps to configure applications for Secure Form Fill:
     1. Install the Secure Form Fill Admin Client.
     2. Create form-fill configuration files.
     3. Export the form-fill configuration file.
     4. Create the application in IDCS and import the form-fill configuration file.
     5. Assign users and groups to the application, then activate it.
     6. Users must install the secure plug-in in order to start the form-fill application.
  50. Q&A
     • Oracle IMC blog: http://blogs.oracle.com/imc
     • Oracle ECEMEA Partner Hub homepage: http://oracle.com/goto/hub-ecemea
     • Oracle IMC mail: partner.imc@beehiveonline.oracle.com
     • Twitter: http://twitter.com/oracleimc
     • Facebook: http://facebook.com/oracleimc
     • LinkedIn: http://linkedin.com/groups/OracleIMC-4535240
     • Google+: http://plus.google.com/+OracleIMC