OCI-IAM Overview


OCI Identity & Access Management

Introduction and Overview

Alexandre Fagundes
Cloud Architect | Oracle Latin America
IDC Worldwide IAM Market Shares, 2022 (June 2023)

2 Copyright © 2024, Oracle and/or its affiliates


IDC Worldwide Identity and Access Management Forecast
Key Advice for Technology Suppliers

- Half the total market will be placing long-term bets in the next two to three years as they migrate away from clunky on-premises systems and replace inadequate homegrown solutions.
- Add AI/ML technology everywhere it makes sense, driving value from risk-based analytics… Pinpoint where people are involved and strive to replace them with supervised logic.

(full section text in slide notes)


20+ years of leadership in IAM



There’s a high-pressure system developing…

Zero Trust / Assume Breach

- Distributed IT across on-prem, SaaS, and multiple clouds.
- User credentials are among the top targets for hackers.
- IAM is too complex to manage; there are multiple IAM silos.
- Distributed stakeholders with limited control over devices, networks, etc.
- Lack of visibility across 100’s of apps that may include shadow IT.

IAM is the New Perimeter


Oracle Identity & Access Management Portfolio

Pillars: Strong and Adaptive Authentication | Access Management | Identity Store | Lifecycle Management | Access Governance

Cloud services:
- OCI IAM (Strong and Adaptive Authentication)
- Oracle Cloud Identity Platform (Access Management, Identity Store, Lifecycle Management)
- Access Governance

Software products:
- Oracle Access Management
- Oracle Directory Services
- Oracle IAM Suite
- Oracle Identity Governance
- Oracle Identity Role Intelligence


OCI Identity and Access Management

OCI IAM sits between:
- Oracle Cloud Applications: complete suite of integrated applications
- Oracle Cloud Infrastructure: secure, high-performance platform for all your workloads


OCI IAM Identity Domains
Oracle is merging IDCS and OCI IAM services under the OCI IAM brand

OCI IAM will provide a single, unified IDaaS for Oracle and non-Oracle apps across hybrid cloud environments with robust MFA options, Adaptive Access, and Lifecycle Management.

(Diagram: OCI Apps, On-Prem Apps and 3rd-Party Apps served by the combined OCI IAM + IDCS service.)

- Easier identity service management and config
- Reduced architectural complexity
- Simplified identity and access administration
- Enhanced features for included tiers
- Broader flexibility of use-cases
- Improved OCI experience; single entry point
- Unified view of access and risk
- Unified platform for innovation and growth


Built for Scale and Performance

- 102K customer accounts
- 450M identities
- 30+ commercial regions globally

Oracle’s Internal Deployment
- 140K employees
- 4500 applications


OCI IAM Functional Overview



OCI Identity & Access Management (OCI IAM)
Key Functional Pillars

- Enterprise Identity & Access Management for complex, hybrid IT environments
- Developer-friendly IAM engine for custom and consumer applications
- Access Control Plane for Oracle Cloud and SaaS applications


OCI Identity & Access Management (OCI IAM)
Enterprise Identity & Access Management

(Architecture diagram, shown here as a component list.)

Inbound Authentication and SSO:
- External Identity Providers (federation) and Social Logon
- External MFA Providers and built-in MFA
- External Risk Providers feeding Adaptive Security
- Oracle Sign-In

Outbound Authentication and SSO:
- Federated SSO to SaaS Apps
- Federated Logon
- RADIUS Proxy for VPN Clients and Oracle Databases
- Linux PAM Module for Linux Hosts
- App Gateway for Enterprise Apps

Identity Store and Lifecycle Management:
- Active Directory Bridge to Microsoft Active Directory
- Provisioning Bridge
- User & Access Management
- App Catalog

OCI IaaS and PaaS: IAM Policies
OCI Identity & Access Management (OCI IAM)
For Application Developers

- Social Logon
- Adaptive Security and MFA
- Self-Registration and Self-Service
- Terms of Use Consent
- Standards: OATH, OAuth, FIDO2, REST APIs, SAML, OIDC, SCIM
- Authentication Policies and Configuration
- Authentication and User Management
- Fully Customizable User Interfaces
- SDKs and Sample Code for Custom Apps


Getting Started with OCI IAM

(Diagram: an OCI Account containing an Administrators group, Access Policies, Compartments 1 and 2 with tagged Resources and Compartment Administrators, and Identity Domains 1 and 2.)

- All access is denied by default except Administrators (full access).
- Use Administrator to configure the OCI account; then protect it.
- Compartments provide security boundaries within accounts.
- Organize access by resource type, business unit, or project.
- Policies support tag-based access control for groups and/or resources.
- A default identity domain provides an IAM service to manage access.
- Additional identity domains support additional IAM use-cases.

Simple policy syntax is flexible and easy to understand:

Allow <identity_domain>/<subject> to <verb> <resource-type> in <location> where <conditions>
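As an added illustration of the statement shape above (example code written for this page, not Oracle's implementation of OCI IAM policy evaluation), the following Python evaluator parses statements in that form and applies the two rules the slide stresses: everything is denied unless some statement allows it, and the verbs nest (manage implies use, use implies read, read implies inspect). All group, compartment, tag and network-source names are constructed placeholders; real OCI evaluation also considers compartment hierarchy, resource families and many more policy variables than are modelled here.

```python
"""Evaluator for the OCI IAM policy statement shape quoted on the slide:

    Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Constructed for this example: group names, compartment names, tag namespaces
and network-source names are placeholders, not values from any real tenancy.
Only the verb ladder, the location scope, the `all-resources` wildcard and
simple `where` conditions are modelled.
"""
import re
from dataclasses import dataclass

# OCI verbs nest: manage implies use, use implies read, read implies inspect.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT = re.compile(
    r"^Allow\s+(?P<subject>(?:group|dynamic-group)\s+\S+|any-user)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+"
    r"in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<conditions>.+))?$",
    re.IGNORECASE,
)
CONDITION = re.compile(r"^\s*(?P<key>[\w.\-]+)\s*(?P<op>!=|=)\s*'(?P<value>[^']*)'\s*$")


@dataclass
class Statement:
    subject: str        # "group <domain>/<name>", "dynamic-group <name>" or "any-user"
    verb: str
    resource_type: str
    location: str       # "tenancy" or "compartment <name>"
    cond_mode: str      # "all" or "any"
    conditions: list    # [(variable, operator, value), ...]


def parse_conditions(text):
    """Accept `k='v'`, `all {k='v', ...}` or `any {k='v', ...}`; None means unconditional."""
    if text is None:
        return "all", []
    group = re.match(r"^\s*(all|any)\s*\{(.*)\}\s*$", text, re.IGNORECASE | re.DOTALL)
    mode, body = (group.group(1).lower(), group.group(2)) if group else ("all", text)
    conditions = []
    for part in body.split(","):
        m = CONDITION.match(part)
        if not m:
            raise ValueError(f"unsupported condition: {part.strip()!r}")
        conditions.append((m["key"], m["op"], m["value"]))
    return mode, conditions


def parse_statement(text):
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"malformed policy statement: {text!r}")
    mode, conditions = parse_conditions(m["conditions"])
    subject, location = m["subject"].split(), m["location"].split()
    return Statement(
        subject=" ".join([subject[0].lower(), *subject[1:]]),   # keyword folded, name kept
        verb=m["verb"].lower(),
        resource_type=m["resource"].lower(),
        location=" ".join([location[0].lower(), *location[1:]]),
        cond_mode=mode,
        conditions=conditions,
    )


def statement_matches(st, req):
    """req: dict with subjects (set of 'group X' strings), verb, resource_type, compartment, vars."""
    if st.subject != "any-user" and st.subject not in req["subjects"]:
        return False
    if VERB_RANK[st.verb] < VERB_RANK[req["verb"]]:       # granted verb must cover requested verb
        return False
    if st.resource_type not in (req["resource_type"], "all-resources"):
        return False
    if st.location not in ("tenancy", f"compartment {req['compartment']}"):
        return False
    results = [
        (req["vars"].get(key) == value) if op == "=" else (req["vars"].get(key) != value)
        for key, op, value in st.conditions
    ]
    return all(results) if st.cond_mode == "all" else any(results)


def is_allowed(policies, req):
    """Default deny: the request succeeds only if at least one Allow statement matches."""
    return any(statement_matches(parse_statement(p), req) for p in policies)


def request(subjects, verb, resource_type, compartment, variables=None):
    return {"subjects": set(subjects), "verb": verb, "resource_type": resource_type,
            "compartment": compartment, "vars": variables or {}}


# Constructed policy set for the example (placeholder names).
SAMPLE_POLICIES = [
    "Allow group Default/NetAdmins to manage vcns in compartment Network",
    "Allow group Default/Developers to use instances in compartment Dev "
    "where request.networkSource.name='corpnet'",
    "Allow group Default/Auditors to inspect all-resources in tenancy",
    "Allow dynamic-group Default/BuildHosts to read objects in compartment Dev "
    "where all {target.resource.tag.Ops.Env='dev', request.networkSource.name='corpnet'}",
]

if __name__ == "__main__":
    dev_from_corpnet = request({"group Default/Developers"}, "read", "instances", "Dev",
                               {"request.networkSource.name": "corpnet"})
    print("developer read from corpnet:", is_allowed(SAMPLE_POLICIES, dev_from_corpnet))
```

The evaluator reads the dynamic-group statement exactly like a group statement, which is the point of the "instance principals and dynamic groups" guidance later in the deck: a compute instance gets access through a policy on its dynamic group rather than through a user credential, and the same default-deny and tag conditions apply to it.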


OCI IAM Features and Functionality
Oracle Cloud Infrastructure Identity & Access Management



Inbound Authentication and SSO

Strong, flexible authentication options
- Supports basic authentication via username and password
- Supports common federation protocols and social logon with multiple identity providers: SAML, OpenID Connect, OAuth
- Numerous options for Multi-Factor Authentication (MFA)
- Adaptive security evaluates risk in real-time based on context and session awareness
- Delegated Authentication to Active Directory

Components:
- Federated SSO: leverage open standards for easy configuration of inbound SSO.
- Social Logon: native support for popular social Identity Providers.
- MFA: numerous options for MFA including a mobile app, Email, SMS, KBA, third-party and FIDO2 authenticators. The included mobile app supports passwordless logon.
- Adaptive Security: evaluates risk based on several factors including device, network, location, and user behavior.
- Active Directory Bridge: enables delegated authentication to Active Directory (leverage AD credentials).


Inbound Authentication and SSO

Adaptive Security risk signals:
- Device Trust
- Failed Logons
- Anomalous Behavior: Access Velocity, Impossible Travel
- Network: Geographic Location, IP Reputation
- External Risk Sources: Threat Intelligence feeds, CASB

Sign-On Policies and Entitlements evaluate:
- Group Memberships
- Device
- User Behavior
- Apps and App Risk
- Network
- External App Policies

Multi-Factor Authentication: Risk Scoring, FIDO2
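To make the risk signals listed on this slide and the previous one concrete, here is an added example of how a sign-on risk score can be built from them. It is illustrative code written for this page, not OCI IAM's scoring model; the weights, thresholds, threat-feed entries, device registry and sign-in events are all constructed, and the decision ladder (allow, require MFA, deny) is an assumption about how such a score would drive a sign-on policy.

```python
"""Toy adaptive-security scorer for sign-in attempts, covering the signals on
the slide: device trust, failed logons, access velocity / impossible travel,
geographic location and IP reputation from an external feed.

Everything below (weights, thresholds, feeds, devices, events) is constructed
for this example and is not OCI IAM's actual model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    country: str
    device_id: str
    success: bool   # whether the first factor (password) was accepted; every attempt is scored


# Constructed reference data standing in for the "External Risk Sources" inputs.
TRUSTED_DEVICES = {"alice": {"dev-laptop-01"}, "bob": {"dev-phone-02"}}
BAD_IP_FEED = {"203.0.113.9"}           # documentation (TEST-NET-3) address, constructed
HOME_COUNTRIES = {"alice": "BR", "bob": "BR"}
MAX_PLAUSIBLE_KMH = 900.0               # faster than this between sign-ins is "impossible travel"
FAILED_LOGON_WINDOW = timedelta(minutes=15)
FAILED_LOGON_LIMIT = 3


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_sign_in(event, history):
    """Return (score, reasons) for one attempt; history = this user's earlier events, oldest first."""
    score, reasons = 0, []
    if event.device_id not in TRUSTED_DEVICES.get(event.user, set()):
        score += 20
        reasons.append("untrusted device")
    if event.ip in BAD_IP_FEED:
        score += 40
        reasons.append("ip on threat feed")
    if event.country != HOME_COUNTRIES.get(event.user):
        score += 15
        reasons.append("unusual country")
    recent_failures = [e for e in history if not e.success and event.ts - e.ts <= FAILED_LOGON_WINDOW]
    if len(recent_failures) >= FAILED_LOGON_LIMIT:
        score += 25
        reasons.append(f"{len(recent_failures)} failed logons in window")
    successes = [e for e in history if e.success]
    if successes:                        # access velocity since the last successful sign-in
        prev = successes[-1]
        hours = (event.ts - prev.ts).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append("impossible travel")
    return score, reasons


def decide(score):
    """Map the score onto a sign-on policy outcome (thresholds are constructed)."""
    if score >= 60:
        return "deny"
    if score >= 20:
        return "require_mfa"
    return "allow"


def evaluate_stream(events):
    """Score each event against that user's prior events; returns (user, score, decision, reasons)."""
    history, results = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        user_history = history.setdefault(ev.user, [])
        score, reasons = score_sign_in(ev, user_history)
        results.append((ev.user, score, decide(score), reasons))
        user_history.append(ev)
    return results


T0 = datetime(2024, 5, 6, 9, 0)          # constructed timestamps
SAMPLE_EVENTS = [                        # constructed sign-in events
    SignIn("alice", T0, "198.51.100.20", -23.55, -46.63, "BR", "dev-laptop-01", True),
    SignIn("alice", T0 + timedelta(hours=1), "203.0.113.9", 50.11, 8.68, "DE", "unknown-device", True),
    SignIn("bob", T0 + timedelta(hours=2), "198.51.100.21", -22.91, -43.17, "BR", "dev-phone-02", False),
    SignIn("bob", T0 + timedelta(hours=2, minutes=2), "198.51.100.21", -22.91, -43.17, "BR", "dev-phone-02", False),
    SignIn("bob", T0 + timedelta(hours=2, minutes=4), "198.51.100.21", -22.91, -43.17, "BR", "dev-phone-02", False),
    SignIn("bob", T0 + timedelta(hours=2, minutes=5), "198.51.100.21", -22.91, -43.17, "BR", "dev-phone-02", True),
]

if __name__ == "__main__":
    for user, score, decision, reasons in evaluate_stream(SAMPLE_EVENTS):
        print(f"{user:6} score={score:3} {decision:12} {', '.join(reasons)}")
```

Two design points matter in practice: the velocity check compares against the last successful sign-in only, so a burst of failed attempts from elsewhere does not poison the location baseline, and every attempt is scored before the first factor's result is acted on, so the failed-logon counter trips a step-up on the attempt that finally gets the password right.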


Inbound Authentication and SSO
Multi-Factor Authentication (MFA) Factors

- FIDO2 Authenticators
- Voice Phone Call
- Mobile App Passcode or Notification
- SMS Text
- Security Questions
- Email
- Bypass Code
- Third-Party Authenticators (Duo, Yubico, etc.)
- Trusted Devices


Inbound Authentication and SSO
Passwordless Authentication

1. User creates profile at first logon.
2. User enrolls device and MFA app.
3. When the user attempts to authenticate, they can log on via a push notification in the MFA app – no password required!


Identity Store and User Lifecycle Management

Automate user lifecycle management
- Manage via console, CLI, APIs, or automation
- Custom schema support
- Auto- and Just-in-Time (JIT) provisioning
- Auto-manage entitlements for Oracle apps and databases
- User self-service enrollment and management of profile, password, and terms-of-use consent
- Support for virtually any SaaS, cloud-hosted, or on-prem apps
- Generic SCIM support enables integration with most apps
- 400+ SaaS apps natively supported via partner gateways

Components:
- User & Access Management: manage users manually via console, CLI, or APIs. Bulk imports available with full or incremental updates.
- App Catalog: pre-configured automation of onboarding, offboarding, and synchronization flows for numerous apps. Generic templates support virtually any other apps.
- Provisioning Bridge: provisioning to/from virtually unlimited apps hosted on-prem or in the cloud using ICF connectors. Supports heavy customization as needed. Supports High Availability.
- Active Directory Bridge: synchronize AD users and leverage AD Security Groups to manage IAM permissions.


OCI IaaS and PaaS IAM Policies

Control who has access to OCI cloud resources

- Easy to understand policy syntax
- Authentication policy can restrict by IP address
- Group-based entitlement management
- Compartments provide security boundaries inside of OCI tenancies
- Time- and Location-based restrictions
- IAM auto-replication to subscribed regions
- Supports Tagging for groups and/or resources


Outbound Authentication and SSO

Easy Single Sign On (SSO) experience across extended, hybrid enterprises
- Support common federation protocols: SAML, OpenID Connect, OAuth
- App catalog provides out-of-the-box integrations with 1000+ apps
- Generic and custom templates support any other apps that support federation protocols
- Password vaulting (form-fill) for apps that don’t support federation protocols
- Just-in-Time provisioning to target applications
- Gateways and Proxies support SSO to hybrid environments.

Components:
- Federated SSO: leverage open standards for easy configuration.
- App Catalog: pre-configured SSO and Just-in-Time provisioning for numerous apps.
- App Gateway: SSO to virtually unlimited apps hosted on-prem or in the cloud that may not support open standards.
- RADIUS Proxy: support SSO to VPN clients and Oracle Databases.
- Linux PAM Module: support SSO to Linux hosts running on OCI.


OCI IAM Best Practices

- Create a security model (tenancy, compartments, tagging) before adding users and resources.
- Enforce Least Privilege; gradually add permissions as needed.
- Do not use the OCI default Administrator or Administrators group after initial account setup.
- Leverage situational permissions (time- or location-based) where possible.
- Leverage compartments and tagging to simplify access management. Align your OCI compartment design with your department or project structures.
- Use instance principals and dynamic groups to manage machine access to APIs.
- Enforce multi-factor authentication and leverage adaptive security whenever possible.
- Use different identity domains for each user population.
- Whitepaper: Best practices for identities and authorization.


OCI IAM High Availability (HA) and Disaster Recovery (DR)
OCI Identity and Access Management

OCI Identity & Access Management (OCI IAM)
High Availability Architecture and Cross-Region Disaster Recovery

(Diagram, shown here as a description. Diagram is representative and for discussion only.)

OCI Region (Primary):
- OCI DNS and an Internet Gateway front a Load Balancer (HTTPS).
- One VCN spanning Availability Domain 1 and Availability Domain 2 (or Fault Domains), each hosting an OCI IAM instance in its own subnet (Subnet A, Subnet C) protected by Security Lists.
- A Primary Database on Exadata (Subnet B) with ADG Automatic Replication to a Standby Database on Exadata (Subnet D).

OCI Region (Secondary):
- Internet Gateway and Load Balancer in front of a VCN with an OCI IAM instance (Subnet A) protected by Security Lists.
- An Exadata database (Subnet B) receiving Cross-Region Replication for DR.
Common Hybrid IAM Use-Cases
OCI Identity and Access Management



OCI IAM Provisioning Bridge

(Diagram: OCI IAM provisions through the Provisioning Bridge, which uses ICF connectors to reach Enterprise Apps running on Oracle Cloud Infrastructure or on-premises.)


OCI IAM App Gateway

(Diagram: OCI IAM provides SSO through the App Gateway, which supports HTTP headers, to Enterprise Apps running on Oracle Cloud Infrastructure or on-premises.)


OCI IAM Support for E-Business Suite (EBS)

(Diagram: OCI IAM provides SSO to EBS through the EBS Asserter and provisioning through the Provisioning Bridge, with EBS running on Oracle Cloud Infrastructure or on-premises; OAM and OID are shown alongside the Provisioning Bridge.)

- Supports Federated SSO!
- Supports Application Roles!


Federation from Azure AD
OCI Identity and Access Management

Azure AD Federation via IDCS (Before)

Azure AD Federation via OCI IAM identity domains (After)

(Diagrams: in the "Before" architecture some components are marked "No longer necessary"; in the "After" architecture the remaining components are marked "Remain in place".)


OCI IAM Vision and Roadmap
OCI Identity and Access Management





OCI IAM Vision
Simplicity, Visibility, and Automation

Enterprise Identity & Access Mgmt. for complex, hybrid IT environments
- High value proposition with more included features
- Unified IDaaS for access management, governance, and privileged access
- Robust set of risk indicators and analytics
- Far reach of control across hybrid, heterogeneous IT
- Enhanced ML and analytics via OCI service integrations

Developer-focused IAM engine for custom and consumer-facing applications
- Integrated experience via APEX and Visual Builder
- Shared fabric via APIs with hooks across OCI, security services and apps exposing user, session, app, platform, and access pattern data
- Leverage automation for easier integrations
- Enhanced risk analytics for CIAM use-cases

Access control plane for Oracle Cloud and SaaS applications
- Zero-touch IAM integrations with Oracle apps for access, roles, and lifecycle mgmt.
- Deep security and risk visibility, insights for OCI and Oracle apps
- Improved automation for service operations
- Auto-tuning security policies based on risk
- Shared security models
Why choose Oracle for IDaaS?

Strong Value
- Strong value for cost
- Improved user experience via better performance and scale as a native OCI service
- Peace of mind that OCI IAM will continue to incorporate latest and best approaches
- Presence across 30+ cloud regions; meets data residency requirements
- World-class, global support

Depth for Oracle Targets
- Reduced effort and easier integrations for EBS, Fusion Apps, Oracle Databases, etc.
- Simplified entitlement management via App Roles
- Reduced management overhead via strong hybrid support for apps running on-premises, hosted on OCI, or SaaS
- Migration expertise, support, and discounts moving from OAM

IAM Experience
- Oracle has led in IAM for the past two decades, working with the world’s largest, most complex organizations
- Strong hybrid IT support, supporting on-prem apps, App Gateway, Provisioning Bridge, AD Bridge, RADIUS, Linux, etc.
- Powerful provisioning to on-prem via ICF connectors.
- Easier to get support from strong SI partner ecosystem.


Customers Across Verticals and Geographies



Thank you
Alexandre Fagundes
Cloud Architect | Oracle Latin America



Appendix Content
OCI Identity and Access Management



X.509 | Common Access Card (CAC) | Personal Identity Verification (PIV)

(Diagram, shown here as a description.)

Authority (Identity Provider):
- Holds the Signing Certificate (Private Key).
- At User Enrollment, issues the User Credential (CAC/PIV) carrying the user’s Digital Certificate.

OCI IAM:
- Holds the Signing Certificate (Public Key).
- Performs OCSP Validation of the presented certificate.
- Acts as the X.509 Identity Provider (Federation).


Using Credentials Across Multiple Tenancies

- Today, you can configure any Identity Provider (inc. OCI IAM) to federate to multiple OCI tenancies.
- OCI IAM is planning for improved use of credentials across multiple OCI tenancies. This is part of a broader effort to create a single Oracle identity for use across all Oracle services. Timing TBD.
- Design approaches under consideration include:
  - Associate DNS domain names with an identity domain, making it authoritative for that DNS domain name suffix. Users who authenticate with matching credentials see available resources.
  - Authoritative identity domains with links to user identities in non-authoritative identity domains, which can exist in other tenancies. Organizations could leverage authoritative identity domains, making it easier to manage users across parent and child tenancies.
