Friday, June 17, 2011

Oracle Identity Manager Academy from the Fusion Security Blog

Index to the Oracle Identity Manager Series from the Fusion Security Blog Team

OIM 11g is the current release of the Oracle provisioning tool. This post is the index for all the other OIM-related posts in this blog. Through these posts we try to help OIM customers and developers by giving technical and architectural recommendations, discussing specific implementation topics and their caveats, sharing tips about problems we face in our daily work, and much more.

OIM Concepts

OIM Tips & Examples


OIM & LDAP Synch

OIM Integration

Patches and Patching


  1. Hi Daniel,

    Hope you are doing well!

    This is Mahendra, experienced in Oracle Access Management products. I need some help from you on OIM 11g and I hope you don't mind spending a few mins for this :). Basically, I am working on a new Oracle IAM proposal and the customer has a high-level architecture diagram. The Oracle products in the picture are OVD 11g, OIM 11g and OIA 11g at this moment. OVD has OID 11g and AD underneath; OID stores external users and AD stores internal users.

    The question is: the high-level architecture shows OIM talking to OVD, and I am not sure in what sense it was given. Before facing the customer, I wanted to find out how and in what scenarios OIM can talk to OVD for prov and recon purposes?

    Is that a best practice? If not, is it ideal to have two separate connectors for OID and AD? Have you heard of any customers using OVD for prov and recon in combination with OIM?

    I have read the Oracle documentation about the LDAP sync feature in OIM 11g, with a note saying that the password feature cannot be used if LDAP sync is enabled. Do you have any idea what it means? Just in case, if we are asked to use password features using OIM, then should it be customized when LDAP sync is enabled?

    Please let us know your thoughts. Thanks in advance for your help. Have a nice day!!


    1. Hi Mahendra, I agree with Daniel. To add to it... if your requirement is that you want to make OID the centralized repository containing all users, and also if you are authenticating against OID for SSO, then it is recommended to go with LDAP sync with OVD. As a best practice Oracle recommends to have LDAP sync to get the entire password management cycle in place.

      Hope this might be useful.



  2. Mahendra,
    I apologize for the late response.

    OIM 11g provides a new feature called LDAP Synch. LDAP Synch basically synchs users and roles to LDAP users and groups. The synch is two-way. There is NO connector here; it is purely ‘data oriented’ synchronization. As the LDAP for this synch, you can use AD, OID, ODSEE and OVD (virtualizing other LDAPs).

    LDAP Synch is a required piece when integrating OIM 11g and OAM 11g. Only with LDAP Synch in place will the integration between OIM and OAM give you FULL password life cycle management. If you have an SSO tool other than OAM, then you will need to verify what can be done to integrate this tool with OIM.

    Regarding the use of LDAP Synch and OVD, or connectors pointing to AD and OID: the decision has to be made based on product features (like the integration between OAM and OIM) and also on the customer’s requirements. LDAP Synch is data oriented (behind-the-scenes data synch); connectors are process oriented (you can have requests, approvals, rules, and other OIM features).

    I hope this helps.

  3. Hi Daniel,

    I work with the IT dept of a manufacturing company and we are planning to upgrade to the Oracle IAM 11g suite.

    AFAIK, with the 11g release the delegated administration functionality that was present in OAM 10g is no longer available and identity administration is centralized with OIM 11g. We have a set of external users and need to expose the delegated admin and self-service functionality over the internet. It is an obvious security concern to expose the OIM app as such to internet users to achieve the same.

    Considering this scenario, what should be the ideal approach/best practice to expose these services to external users over the internet?


  4. Bedanta,

    OIM APIs are always an option. Most of the features that are available through the out-of-the-box OIM UI are also available through the APIs. The advantage here is that an external application will not directly impact the OIM application; in other words, you will not have end users directly using OIM resources (but, of course, it will have an indirect impact depending on the operations that are being executed by the APIs).

    I’ve seen some companies exposing the OIM UI (or part of it) to the internet and, for them, this is not a security concern (that doesn’t mean they do not worry about security, but just that they are ok with the inherent risks of exposing applications to the Internet).

    The best practices should take place no matter which solution you pick: if you go custom, you will need a good and well-coded application, with all the security measures around it; if you go OOTB, you also need to think about all the security around the application.

    It is really hard to say go custom or go OOTB; there are a lot of other factors apart from security.

    Hope this helps


  5. Thanks a lot Daniel.
    It was indeed informative and helpful.


  6. Daniel,
    Thanks a lot for your reply. I have a few more questions. You said that OIM LDAP Sync is just data oriented. So can we customize the Directory Server connector just like the traditional OID connector? We would need to use the password feature in our implementation and have OAM 11g also in place. However, we are using the OIM 11g/10g API for logging into the client application, where all identity management functionality will be invoked from a Java application and not from the OIM console. Does this mean that we can still use password features integrating OIM-OAM with LDAP sync in place? We have a requirement where we need to create Organizations/Containers in OID when we create Organizations in OIM through the API. I don't think we will be able to do this using the pre-built LDAP connector with LDAP Sync, can we? Please let me know your thoughts. Thanks in advance for your help.


  7. LDAP Synch does not synch Organizations. It synchs Roles and Users ONLY.

    LDAP Synch runs behind the scenes, so it does not matter how you are creating users and roles and assigning roles to the users. So you should be ok even if you don't use the OIM UI. And all the password features are available to you through the APIs.

    I would not recommend using the connector and LDAP Synch at the same time to manage users in the same LDAP. Perhaps in your case, you can deploy the connector and configure it to provision organizations only. Having said that, if you need to have different users in different OUs in the LDAP based on your organization structure, you will have some trouble, because the mapping between OIM and LDAP containers (when you have LDAP Synch) has to be done manually in an XML file in the MDS database.

    Hope this helps

