Architecture for Identity Management

I have to install the Sun identity management platform and configure it.
Is there a recommended architecture for the installation of components in high availability?
Thanks in advance

There is some advice in the documents. I'd look through the Installation Guide and the Deployment Guide.
At a very high-level, to achieve high-availability, you want to make both the REPO (data tier) layer highly available and make the Application tier (e.g. IdM in an App Server) highly-available.
There are many questions you have to ask yourself in doing this. Are you making the solution highly-available against the loss of a Data Center, the loss of a Server, or something else entirely? This also plays into how you want to size the servers.
Net -- I'd poke through the documents to educate yourself, but would engage someone who has "been there, done that" a few times to make sure you're approaching it correctly and such that you can make simple adjustments in the future based on load predictions.
Good Luck!

Similar Messages

  • Using SPML for Identity Management in EJB WebService

    Dear All,
    I have a requirement of using SPML (Service Provisioning Markup Language) for identity management. Identity management is used to manage users, like deleting a user, modifying, adding a user, etc. for an application. For that, the requests for all these functions need to be made using SPML. The idea is that first the data used to make any request will come from SAP R3 using an EJB, which will retrieve that data by calling a BAPI via JCO, and then it needs to be passed to the entitlement system using SPML. Thus I have to publish a web service which will get data by calling the BAPI and give it to the entitlement system using SPML. How can I achieve it? I have little knowledge about SPML; your guidance will help.
    Thanks & Regards,
    Samir

    There is a document on the SAP Service Market Place that covers the SPML in the UME APIs. This quote is from the UME documentation (http://help.sap.com/saphelp_nw04s/helpdata/en/5b/5d2706ebc04e4d98036f2e1dcfd47d/frameset.htm):
    SPML Support
    The UME APIs support access using the Service Provisioning Markup Language (SPML). For more information, see service.sap.com/security > Security in Detail > Secure User Access > Identity Management > SAP Identity Management APIs.
    -Michael
    Edited by: Michael Shea on Jan 17, 2008 9:01 AM

  • Error in RCU for Identity Management

    I am trying to create the schema for Oracle Identity Management using the RCU utility and I am getting the following error:
    RCU-6083:Failed - Check prerequisites requirement for selected component:OIM
    Please refer to RCU log at C:\Oracle\Middleware\rcuHome\rcu\log\logdir.2010-09-16_23-36\rcu.log for details.
    Error: JVM is not installed on the Database.
    RCU-6092:Component Selection validation failed. Please refer to log at C:\Oracle\Middleware\rcuHome\rcu\log\logdir.2010-09-16_23-36\rcu.log for details
    I have Sun JDK 1.6 installed on the system.
    Please help in this.

    Here is the content of the log file:
    2010-09-22 22:31:45.562 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Executing Task: Check requirement for specified database
    2010-09-22 22:31:45.562 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Prereq taskId = PREREQ_GLOBAL_CHECK
    2010-09-22 22:31:47.703 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Execution time for Check requirement for specified database : 2141 milliseconds
    2010-09-22 22:31:47.718 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Executing Task: Execute pre create operations
    2010-09-22 22:31:47.718 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.CustomCompManager::getActionList: CustomCompManager.getActionList: CUSTOM_COMP_PRELOAD_SETUP
    2010-09-22 22:31:47.828 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.AbstractCompTask::execute: ValidIf result was false. Skipping Action: oracle.ias.version.SchemaVersionUtil:utilCreateRegistryAndCopyData
    2010-09-22 22:31:47.859 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.AbstractCompTask::execute: ValidIf result was false. Skipping Action: oracle.ias.version.SchemaVersionUtil:utilCreateRegistryTable
    2010-09-22 22:31:47.859 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Execution time for Execute pre create operations : 141 milliseconds
    2010-09-22 22:32:00.734 NOTIFICATION rcu: oracle.sysman.assistants.common.task.ProgressPanel::progressToNextTask: waiting for delegate to be visible
    2010-09-22 22:32:00.750 NOTIFICATION rcu: oracle.sysman.assistants.common.task.ProgressPanel::progressToNextTask: waiting for delegate to be visible
    2010-09-22 22:32:00.765 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Executing Task: Metadata Services
    2010-09-22 22:32:00.765 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Prereq taskId = MDS
    2010-09-22 22:32:00.765 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Starting component prereq check
    2010-09-22 22:32:00.812 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Execution time for Metadata Services : 47 milliseconds
    2010-09-22 22:32:00.812 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Executing Task: Audit Services
    2010-09-22 22:32:00.812 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Prereq taskId = IAU
    2010-09-22 22:32:00.812 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Starting component prereq check
    2010-09-22 22:32:00.843 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Execution time for Audit Services : 31 milliseconds
    2010-09-22 22:32:00.843 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Executing Task: Oracle Internet Directory
    2010-09-22 22:32:00.843 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Prereq taskId = OID
    2010-09-22 22:32:00.843 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Starting component prereq check
    2010-09-22 22:32:00.890 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Execution time for Oracle Internet Directory : 47 milliseconds
    2010-09-22 22:32:00.890 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Executing Task: Oracle Identity Federation
    2010-09-22 22:32:00.890 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Prereq taskId = OIF
    2010-09-22 22:32:00.890 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Starting component prereq check
    2010-09-22 22:32:00.921 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Execution time for Oracle Identity Federation : 31 milliseconds
    2010-09-22 22:32:00.921 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: Executing Task: Oracle Identity Manager
    2010-09-22 22:32:00.921 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Prereq taskId = OIM
    2010-09-22 22:32:00.921 NOTIFICATION rcu: oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator::executePrereqTask: Starting component prereq check
    2010-09-22 22:32:01.093 ERROR rcu: oracle.sysman.assistants.rcu.backend.task.PrereqTask::execute: Prereq Evaluation Failed
    oracle.sysman.assistants.rcu.backend.validation.PrereqException: RCU-6083:Failed - Check prerequisites requirement for selected component:OIM
    Please refer to RCU log at C:\Oracle\Middleware\rcuHome\rcu\log\logdir.2010-09-22_22-31\rcu.log for details.
         at oracle.sysman.assistants.rcu.backend.validation.PrereqEvaluator.executePrereqTask(PrereqEvaluator.java:642)
         at oracle.sysman.assistants.rcu.backend.task.PrereqTask.execute(PrereqTask.java:68)
         at oracle.sysman.assistants.rcu.backend.task.ActualTask.run(TaskRunner.java:306)
         at java.lang.Thread.run(Thread.java:619)
    2010-09-22 22:32:01.093 ERROR rcu: oracle.sysman.assistants.rcu.backend.task.ActualTask::run: RCU Operation Failed
    oracle.sysman.assistants.common.task.TaskExecutionException: RCU-6083:Failed - Check prerequisites requirement for selected component:OIM
    Please refer to RCU log at C:\Oracle\Middleware\rcuHome\rcu\log\logdir.2010-09-22_22-31\rcu.log for details.
    Error: JVM is not installed on the Database.
         at oracle.sysman.assistants.rcu.backend.task.PrereqTask.execute(PrereqTask.java:76)
         at oracle.sysman.assistants.rcu.backend.task.ActualTask.run(TaskRunner.java:306)
         at java.lang.Thread.run(Thread.java:619)

  • UME authorizations for Identity Management

    Hi:
    In order to set up access to allow users to access RAR, I have been placed in GROUP: Administrators in the UME.  This provides me the access to go to the Identity Management area and administer users.  However, it also allows me access to EVERYTHING in the SAP Netweaver (WAS).
    I would like to create a group called "Security Admin" and restrict it so that I can only access the User Management link.  Does anyone know how to do this?  I can create the group and assign it to myself, but where do I define what actions are allowed....based on group?
    It is very different than adding or removing "actions" from a Role. 
    When I look at the Administrator group - I do not see where the access is defined so I assume it is hardcoded somewhere.
    Thanks,
    Margaret

    Question figured out.  Please ignore.

  • Problem Web Services for Identity Manager deployed on WebSphere

    Hi, I have a problem with the Web Services. I'm trying to launch a Java class that executes this call: "http://localhost:9080/idm/servlet/rpcrouter2". It returns this error: "No registered SPML handler".
    Identity Manager 5.0 sp4 is deployed on WebSphere 5.1
    I've just configured the SPML by importing the spml.xml file and I've added the jar package "openspml.jar" to the WEB-INF/lib directory. I've also added to the CLASSPATH the link to this jar and the link to WEB-INF\lib.
    How can I do??

    You will have to include the servlet (SPML Handler) in your web.xml.

  • Solution architecture for Time Management US

    Hi All,
    I am looking for an approach for capturing time data and also for capturing expenses.
    I am also looking for a solution approach and documents pertaining to Time Management (US scenario).
    Client: They want to capture time data and pay salaries based on the number of hours they have worked for the week, and they are also looking to capture expenses as well.
    Currently: They are planning to go for a US roll out and are also looking for the above requirement; this requirement is the main criterion for the roll out.
    A solution and documents for the above are greatly appreciated.
    Looking forward to the earliest reply from the fellow members of the SDN Community.
    With Regards,
    Abhishek

    Dear Expert,
    My client has a specific rule that on every 3rd late coming, half a CL should get deducted from the quota.
    I wrote a PCR and have the value in the daily balance for deduction from the CL quota. Now what to do to deduct from the quota? The deduction should revert if the data is regularised through 2001/2002/2011.
    I tried to use function UPDTQA, but this is deducting every time if I force run the employee.
    Any valuable input will be helpful.
    Regards
    Ajay Kumar
    Edited by: Ajay Kumar on Feb 8, 2011 2:36 PM

  • What are you using for identity management--windows?

    We have Windows IIS, Active Directory. If anyone has developed detailed instructions for this it would be greatly appreciated.

    If you search this discussion for "C#" you will find some example code for a C# based transfer script. I'm not sure it's specific to Active Directory, but it should get you started.
    I don't know much about Active Directory, but I assume that it has APIs that you can call from C# to get authorization information.

  • Advantage and disadvantages of SAP IDM & Microsoft Identity management Tool

    Hi Folks,
    I am looking for some points on SAP IDM and the Microsoft tool for Identity Management. I am looking for the below-mentioned points.
    1. Difference in the features and price.
    2. Limitation
    3. Solution architecture for both
    Relevant answers will be rewarded.
    Regards,
    Akshay Shail

    Hi,
    I can add some points about SAP NW IdM. Regarding your question about the price: If you only connect SAP systems (it can handle all types of SAP ABAP and SAP Java Systems) they don't charge you extra, because it's already in the NetWeaver license. Furthermore, if you use the SAP Central User Administration: It isn't further developed and will be replaced by SAP NW IdM.
    The systems you mentioned can be connected; I think these are basics for every IdM solution. HR integration is possible with SAP IdM; I don't know about the other solution on this point.
    There are some whitepapers and presentations about SAP NW IdM: https://www.sdn.sap.com/irj/sdn/nw-identitymanagement?rid=/webcontent/uuid/f0b68fb1-d8af-2a10-2a8e-cc431c15bb39&anchor=section2.
    Nevertheless, your question about limitations and solution architecture probably needs a PoC if you want to answer them in depth.
    Best regards,
    Nils

  • Identity Management Prod Setup

    Hi All,
    I wanted to design a production architecture for an Identity Mgmt setup using the latest 11g middleware with implementation of the products OID, OAM, OIM.
    I am going through all the available documentation, but can somebody help me in understanding the below:
    1) Can I place all the application components under the same middleware home (OID, SOA, OIM, Webgate, Access Gate), i.e. three to four oracle_homes for OH_IDM1, OH_IDM2, OH_Web, OH_SOA, and configure WebLogic domains for all of them under the same middleware home? What is the ideal case for a prod configuration?
    2) Is installation of Webtier Utilities / Access Gates a mandatory thing for an Identity Management setup?
    3) Can I use a common database for all metadata schemas (OID, OAM, OIM etc.)? I understood I can, but is it an ideal prod configuration?
    The general assumption is one host for the database and another for the application, but having so many products here, I am looking for helpful suggestions for an efficient design.
    Your help is greatly appreciated.


  • Unlocking the AD account through Oracle Identity Manager 9.1.0.2

    Hi friends,
    I have a question about Oracle Identity Manager 9.1.0.2. I have configured the Active Directory connector for Identity Manager, you can perform the unlock process when the account was blocked by Active Directory failed attempts at authentication to a workstation.
    Very grateful for your support

    Hello,
    As Sagar suggested, you could -
    (1) write a task "Unlock AD account" - write code to unlock a user account in AD. Check if any such task exists in the connector. You might be able to reuse it. If not, write your own task for this purpose.
    (2) Based on your implementation, choose "Changed Password" or "Password Updated" task in your process definition. And on success of this task, add "unlock AD account" task to invoke.
    (3) "self-management account unlock" will work automatically as soon as a user will reset his password. You don't have to implement anything else here.
    That's it !!!
    Hope this helps,

  • Forms 11gR2 & Identity Management?

    Has anyone installed Forms 11g R2 with Identity Management? Does anyone have some good instructions (installers, versions, scripts, etc) for Identity Management in preparation for a Forms R2 installation?
    We keep running into issues trying to get Identity Management (IDM,OAM,SOA) installed that we are now considering just staying on 10g with SSO.

    If you install the versions deemed certified with FMw11R2 prior to installing FMw, the integration will be easier as the FMw installer will prompt you for the necessary info during the process. Either way, refer to the product documentation for the details. The doc includes info about which versions of IM are supported for use with this FMw release. Understand that these versions may not be compatible with other products which you may be using, so review and choose carefully.
    http://docs.oracle.com/cd/E24269_01/doc.11120/e24477/sso.htm

  • Microsoft Dynamics GP and Identity Management

     
    Am planning to host Microsoft Dynamics GP on Azure IaaS, and thinking of using WAAD for identity management instead of Windows Active Directory on an IaaS VM... Is that a possible solution?

    Hello,
    The following option might be helpful to integrate Dynamics and SSO with Azure AD
    http://azure.microsoft.com/en-us/marketplace/partners/microsoft-corporation/crm/
    We would also research more on the same and get back to you if we get more information.
    Regards,
    Neelesh

  • Customizing the Identity Manager UI

    We are planning on upgrading to IDM 8; our users were not happy with the IDM 6 UI, which we used pretty much out of the box - the customizations were in the workflow and backend.
    I am trying to gauge how much work it would take to redesign the UI for Identity Manager to one specified by our usability team; the proposed UI looks similar to the 'Advanced Google Search' feature, and the results will appear under the search boxes.
    Is this doable in IDM? Does anyone have a gut feel for how many work hours this can involve?
    Edited by: lozlow on Aug 8, 2008 10:42 AM

    Hi lozlow
    I would personally limit the UI mods to what is supported by Sun. To take it any further may make some users happy but may cause significant issues for yourself as you may have to redo all the modifications every time there is a patch or update to IDM. In addition when there is a patch or update you will need to ensure that your modifications to the UI do not have any adverse impact on the operation of IDM.
    If you have a lot of free time then go for it.

  • VERY URGENT - Identity Management Error

    Hi,
    When I run the User Administration --> Identity Management  --> it is giving an error :
    A required service for Identity management user interface is not available .  Contact  System Admistrator .
    In SAP NOTE 869852, pg 6: to redeploy the UMEADMI*.SDA.
    Will redeploying be the correction?
    As this is occurring on the production server, if I apply it, will it cause any other effects on the server?
    Thanks ,
    Srini

    Srinivas,
    Perhaps some of the portal applications haven't started. Perform the following steps:
    To restart all the portal apps, telnet to the portal server:
    telnet portal.mycompany.com 50108
    // If your port is 50000, then the telnet port becomes 50008.
    Login as administrator and then run the following commands:
    jump 0
    add deploy
    list_app
    start_app-all
    If portal runs on a cluster, follow these steps as well:
    jump 1
    add deploy
    list_app
    start_app-all
    Hope this helps.

  • Using Identity Management for Securing Web Services

    My goal is to associate my services with an Oracle Internet Directory. I made some attempts to set up SAML authentication for the web services, but it didn't have the right outcome.
    (My identity management server and OID is up and running and I have successfully made authentication modules for other web applications)
    Here is what I did:
    1. I wrote a simple java file, used jdeveloper tools to create and deploy it as a web service to OC4J. I associated an identity management server with this service through OC4J web tools as security provider.
    2. I made a data control for the web service and put it in an ADF application . (client)
    3. I deployed the client project(2) to OC4J.
    I could use the web service through the page.
    Then
    I secured the webservice to expect SAML for authentication.
    Surprisingly, the client could still communicate with the webservice, Why? Shouldn't it have rejected the request because of the problem in SAML token? (The proxy and the data control were not secured, and didn't provide any SAML tokens)
    4. I added a login page to my client project (through the ADF security wizard). It used identity management for authentication successfully. The login process completes and the web service data control is displayed.
    5. I want the authentication information to be propagated through the page so that the web service receives the data and uses Identity Management.
    I know I should add <property name="oracle.security.wss.propagate.identity" value ="true"/>
    to one of the configuration files, but don't know where exactly.
    Best Regards,
    Farbod

    It doesn't matter whether the service is invoked as part of your larger process or not; if it is performing any business critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
    Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
    If all the services are in one Application server you can make the configuration/development environment a lot easier by securing them using the Gateway.
    A typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the App server only from the Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
    The next BPEL developer in your project may not be aware of Security extensions.
    Centralizing Security enforcement will make your development and security operations loosely coupled and addresses scalability.
    Thanks
    Ram
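
    The behaviour the question expected (a request without a SAML token being rejected), and the reply's point that a service reachable directly must enforce this itself, can be sketched as follows. This is an added example, not code from the thread or from any Oracle product; `check_request` and both sample envelopes are constructed for illustration, SOAP 1.1 is assumed, and the check covers presence only (a real policy must also verify the assertion's signature, issuer and validity period).

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs (SOAP 1.1, WS-Security 1.0, SAML 1.x / 2.0 assertions).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML_NS = ("urn:oasis:names:tc:SAML:1.0:assertion",
           "urn:oasis:names:tc:SAML:2.0:assertion")


def check_request(envelope_xml):
    """Hypothetical service-side gate: return (accepted, reason), failing closed.

    Only checks that a SAML assertion is carried in wsse:Security.
    """
    # Refuse DTDs outright so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in envelope_xml.upper():
        return False, "DOCTYPE not allowed"
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != f"{{{SOAP}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        return False, "no SOAP header"
    security = header.find(f"{{{WSSE}}}Security")
    if security is None:
        return False, "no wsse:Security header"
    for ns in SAML_NS:
        if security.find(f"{{{ns}}}Assertion") is not None:
            return True, "SAML assertion present"
    return False, "no SAML assertion in wsse:Security"


# Constructed sample: what an unsecured proxy / data control would send.
UNSECURED = (f'<soap:Envelope xmlns:soap="{SOAP}">'
             '<soap:Body><getData/></soap:Body></soap:Envelope>')

# Constructed sample: a security header that carries no token at all.
EMPTY_SECURITY = (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">'
                  '<soap:Header><wsse:Security/></soap:Header>'
                  '<soap:Body><getData/></soap:Body></soap:Envelope>')

# Constructed sample: a request carrying a (placeholder, unsigned) assertion.
WITH_ASSERTION = (
    f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" '
    f'xmlns:saml="{SAML_NS[1]}">'
    '<soap:Header><wsse:Security>'
    '<saml:Assertion ID="_constructed" Version="2.0" '
    'IssueInstant="2000-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.invalid</saml:Issuer>'
    '</saml:Assertion>'
    '</wsse:Security></soap:Header>'
    '<soap:Body><getData/></soap:Body></soap:Envelope>')

if __name__ == "__main__":
    for name, msg in [("unsecured", UNSECURED),
                      ("empty security", EMPTY_SECURITY),
                      ("with assertion", WITH_ASSERTION)]:
        print(name, "->", check_request(msg))
```

    If the deployed service accepts the first two messages when called directly, the SAML policy is not being enforced at the service, whatever the gateway does.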
