Inside Identity and Access Control products

Hello,
For the past few months I have been working on a blog that can help in understanding what is under the hood of identity and access control products. Please have a look at it and let me know how to improve the contents.
http://identitycontrol.blogspot.com

Latest Topics
1) Video of Federated Access Control
2) RSA Conference 2007

Similar Messages

  • Inside identity and access control products : blog

    Friends,
    Visit my blog http://identitycontrol.blogspot.com to get the inside workings of identity and access control products. My effort here is to explain the insides in simple language.
    The latest topic I added is "SAML in action".
    Please post your comments also so I can improve the contents.
    Thanks

    Thanks a lot idmguru!!
    Your efforts are simply awesome.
    -Yash Bansal

  • Inside of idm and access control products

    Hello Friends,
    For the past few months I have been working on a blog where I share my past experiences with IAM products, new technologies and problems faced in the products at a conceptual level. I thought of sharing that with an experienced team of technocrats like you. Please have a look at it and let me know how I can improve it.
    blog URL --> http://identitycontrol.blogspot.com/
    Thanks
    idmguru

  • Fusion Middleware Control "Identity and Access" menu missing

    Hi.
    I have a problem with one of the Fusion Middleware Control menus, which is missing.
    The environment is as follows:
    - One server with OVD + OID
    - One server with WebLogic + ODSM + Fusion Middleware Control
    (All idm fmw 11.1.1.2.0)
    ODSM can connect to OVD / OID on the other server without any problems.
    On Fusion Middleware Control I cannot see the menu "Identity and Access". In previous installations where all the components were installed together on the same server, that menu appeared without any extra configuration.
    The menu I'm talking about is the one referred to here: http://download.oracle.com/docs/cd/E15523_01/oid.1111/e10046/basic_started.htm#CIHHAJJH
    "2.In the left panel topology tree, expand the farm, then Identity and Access. Alternatively, from the farm home page, expand Fusion Middleware, then Identity and Access. Oracle Virtual Directory components are listed in both places"
    What are the steps to get that menu back? How do I get Fusion Middleware Control "linked" with OVD/OID on the other server?
    Any extra configuration, any steps during installation...
    There's probably something very simple I'm missing, but I haven't found any reference about creating/configuring that menu...
    Thanks in advance.

    Hi. I tried what I posted in my last message but I can't get past the next step of the installation.
    If I try to install oid+ovd on <host 2> I can select "extend existing domain" and it connects correctly to the WebLogic domain (IDMDomain, created during installation of odsm & em fmw control) that is up and running on <host 1>.
    But on the next step it asks for the "Weblogic Server Directory"... If I enter the path where WebLogic resides on <host 1> it fails because it looks for it on the host where I'm installing oid+ovd, <host 2>.
    - First of all, is it really possible to have oid+ovd on one host and weblogic+odsm+enterprise manager fmw control on a different host in a way that makes it possible to manage oid+ovd with enterprise manager fmw control?
    - Is it possible to tell the installer that the path for the WebLogic server is on a different host? Something like host:path?
    - If it's not possible, is it documented anywhere? I haven't found anything regarding that possible limitation.
    Please, any help would be appreciated as this is becoming critical for us.

  • Discuss Identity and Access Management in the Cloud

    Identity and access management in the cloud refers to the processes, technologies, and policies for managing cloud systems identities and controlling how these identities can be used to access cloud resources. Three separate processes are used in most cloud identity and access management solutions:
    Identity provisioning and storage
    Authentication
    Authorization
    Identity management in a cloud system requires a complex collection of technologies to manage authentication, authorization and access control across distributed environments. These environments might include assets both on the internal cloud, which would be an on-premises private cloud, and services accessed on the public cloud. These environments can also cross security domains, as when two enterprise-level organizations collaborate and enable cross-domain access to users from the partner security domain.
    You can learn more about these topics in the article Identity and Access Management in the Cloud.
    Let's talk about that article and the topics of identity and access management in the cloud! Use this thread to get it started.
    Thanks!
    Tom

    Tom,
    I am a novice and attempting to achieve a proof of concept of single sign on. One example I read stated one should install Identity and Access on VS2012. I did this on two different machines. One was in the office domain and it shows the item "Identity and Access..." in the context menu of the MVC project I created. The other machine is my laptop. I followed the same procedure that worked on the desktop, yet the Identity and Access item in the project context menu does not show.
    One difference is that the laptop is not part of a domain, but I am attempting this proof of concept in Windows Azure with the laptop, since we do not have a test AD in our corporate domain.
    Is this the right forum to inquire about this issue?  Do you have a recommendation about a better forum?
    Stephen Pidgeon

  • User management and Access Control in HCM Cloud

    Hello,
    Information is scarce about user management and access control in Oracle Cloud generally. Today, I have two questions:
    - How can I bridge the HCM Cloud user store with my on-premise IDM or security repository in order to allow identity governance to flow to the HCM Cloud service?
    The only information I got was that I can declare my users manually and by bulk import through files. This is not really interesting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
    Is there an SPML or proprietary endpoint to do it automatically? What are the prerequisites? Do I have to implement OIM on my side?
    - Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service?
    I do not want to distribute a new set of logins / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with the HCM Cloud service? What are the prerequisites? Do I have to implement OAM on my side?
    I accept all pieces of information you can give me on this topic to help me understand the functionalities, limits and options offered by Oracle Cloud and more precisely by the HCM Cloud service.
    Best regards,

    OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
    At present, the only way to restrict view and access control is by applying ACLs (which is not the safest bet).

  • Oracle Identity and Access Management (11.1.1.3.0) and IM difference?

    What is the difference between Oracle Identity and Access Management (11.1.1.3.0) and Identity Management (11.1.1.3.0)?
    From
    http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html

    When you run the config, you are asked to add some products. Have you checked the "Oracle Access Manager with Database Policy Store" product?
    If not, you can add it by extending the domain. Once done you have to start two WLS servers (AdminServer and oam_server1):
    Start AdminServer with $DOMAIN/bin/startWebLogic.sh
    Start oam_server1 with $DOMAIN/bin/startManagedWebLogic.sh oam_server1
    It might be that oam_server1 asks for a username and password. This is fine for the first time. During the first start the necessary directory structure is created. Once it has come up and entered the RUNNING state, kill it and create a file boot.properties in $DOMAIN/servers/oam_server1/security with the entries username=name and password=pw on two lines and start oam_server1 again.
    Starting oam_server1 is recommended to get proper values in the oamconsole.
    HTH,
    --olaf

  • Oracle Identity and Access Management Suite Plus Integration with Oracle ADF

    Hi All,
    Kindly advise if Oracle Identity and Access Management Suite Plus can be integrated with Oracle ADF based applications to manage the end-to-end lifecycle of user accounts, specifically addressing roles/privileges and security.
    I request you to share links to documentation where I can study the steps to integrate both the frameworks.
    Looking forward to hearing from you soon.
    Best Regards,
    Ankit Gupta

    Hi Sébastien,
    I came across the below link for the required integrations -
    Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2) - …
    Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2) - Co…
    Best Regards,
    Ankit Gupta

  • Realm of my application for identity and access

    I plan to replace Azure cloud services’ provided subdomain (myapp.cloudapp.net) with our own domain, customDomain.com. I eventually find out that I cannot do that. I have to configure a custom domain name to route traffic to myapp.cloudapp.net. Why does not Azure allow me to replace myapp.cloudapp.net with my own custom domain? I end up having two domains for one site. Please look at this site:
    http://azure.microsoft.com/en-us/documentation/articles/cloud-services-custom-domain-name/
    That custom domain name also has an SSL certificate from a CA. In addition to that, I also use single sign on for my application (Identity and Access). In this case, I configure the Identity and Access (realm of my application) with my custom domain name.
    Is this the right way? It does not make sense to configure this with myapp.cloudapp.net. I currently have issues with ADFS but I could not figure out why. 

    Hi,
    The article provided here might be helpful for your case.
    Domain mapping, Domain forwarding, SSL certificate for Windows Azure
    http://blogs.msdn.com/b/sriharsha/archive/2012/02/25/domain-mapping-on-windows-azure.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Error in OAM Identity and Access Servers login pages

    Hi All,
    I am trying to install OAM. I completed all installations, but now I am getting an error: "*Invalid credential*". Is there any process to know what the user ID and password are for both the Identity and Access Servers? Please tell me if there is any process. It would be very helpful to me.
    Thank you & Regards
    Pokuri

    Hi Pokuri,
    Could be that the searchbase is wrong, so that OAM is not finding the user whose credentials you are entering. Or, maybe OAM is using a different attribute as the login attribute (for example, you could be entering the cn when OAM is expecting the uid).
    Try binding to ldap with another utility (such as ldapbind or ldapsearch) to see if this gives any indications. You may need to reconfigure the Identity Server to verify/correct the searchbase (for this, follow note 730376.1) and to check which attribute has the "Login" semantic type in OAM.
    Regards,
    Colin

  • Identity and Access Management Training in Bangalore

    Hi,
    I need information on whether there are any institutes that provide training on Identity and Access Management in Bangalore or Pune. What is the basic requirement for starting IAM? I have SQL knowledge.
    Thank you
    [email protected]

    You can check out this link for Oracle University in India:
    http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3
    -Kevin

  • Domain and realm of my application for identity and access

    I plan to replace Azure cloud services’ provided subdomain (myapp.cloudapp.net) with our own domain, customDomain.com. I eventually find out that I cannot do that. I have to configure a custom domain name to route traffic to myapp.cloudapp.net. Why does not Azure allow me to replace myapp.cloudapp.net with my own custom domain? I end up having two domains for one site. Please look at this site:
    http://azure.microsoft.com/en-us/documentation/articles/cloud-services-custom-domain-name/
    That custom domain name also has an SSL certificate from a CA. In addition to that, I also use single sign on for my application (Identity and Access). In this case, I configure the Identity and Access (realm of my application) with my custom domain name.
    Is this the right way? It does not make sense to configure this with myapp.cloudapp.net. 

    Hi,
    If you want to configure SSL for an Azure cloud service, I think this article will help you:
    http://azure.microsoft.com/en-gb/documentation/articles/cloud-services-configure-ssl-certificate/
    If you want to ask about issues related to Identity and Access, I would suggest you move to the Azure Active Directory forum:
    https://social.msdn.microsoft.com/Forums/en-US/home?forum=WindowsAzureAD
    Best Regards,
    Jambor

  • War file and access control with WebLogic

    I am trying to put some access control on different files in my war-file, but just can't get it to work... It seems like all roles defined in weblogic.properties gives the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
    This is how my weblogic.properties file looks like:
    weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
    weblogic.password.koko=kokokoko
    weblogic.password.arnebelinda=arne1234
    weblogic.security.group.ppuseradmins=arnebelinda
    and my weblogicURL.policy:
    deny Principal weblogic.security.acl.GroupImpl "everyone" {
    Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
    and finally, my web.xml-file:
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
    <web-app>
         <session-config>
              <session-timeout>30</session-timeout>
         </session-config>
         <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
         </welcome-file-list>
         <security-constraint>
              <web-resource-collection>
                   <web-resource-name>admin</web-resource-name>
                   <url-pattern>index.jsp</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                   <role-name>ppuseradmins</role-name>
              </auth-constraint>
         </security-constraint>
         <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>WebLogic Server</realm-name>
         </login-config>
         <security-role>
              <role-name>ppuseradmins</role-name>
         </security-role>
    </web-app>
    It does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
    Does anybody have a clue? I would really appreciate it!
    I am using WebLogic 5.1 sp 9
    best regards,
    PJ

    In your policy file entry, you have specified "/admin/-"
    However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin
    Could that be the problem?

  • Computer Lists and Access Control

    Hi
    I've got OS/X Server 10.4.6 set up to be an OD master and have several Linux boxes authenticating to it using Kerberos.
    Currently, all OD users can log in to all the Linux boxes, but I'm trying to restrict access to some boxes to a group of users.
    I've tried creating a computer list and putting a Linux server in this list, then adding entries to the 'access tab', but this doesn't seem to work.
    All users can still log in to these 'access controlled' servers; in effect the list is ignored.
    Has anyone got this working or can shed some light on what I'm doing wrong?
    Thanks,
      Mac OS X (10.4.6)  

    Hi, Tropic
    You must load the class into a jar file.
    Then you must sign the jar file by means of the jarsigner utility provided by the Java SDK.
    Here is a sample script to do it.
    javac SomeApplet.java
    jar cvf SomeJarFile.jar SomeApplet.class
    keytool -genkey -keystore SomeStoreFile -keyalg rsa -dname "CN=May BeYour Name, OU=IT Dept., O=Company Name, L=Your Location, ST=Your State, C=Your Country" -alias YourAlias -validity 365 -keypass YourPassowrd -storepass storePasswd
    jarsigner -keystore SomeStoreFile -storepass storePasswd -keypass YourPassowrd -verbose SomeJarFile.jar YourAlias
    Regards,
