Thursday Feb 28, 2013

Standards Corner: Tokens. Can You Bear It?

Author: Phil Hunt

This week's post is all about tokens. What are the different types of tokens that may be used in RESTful services? How are they the same/different from browser cookies? What are access tokens, artifacts, bearer tokens, and MAC tokens? 

If I asked you what tokens are used for, many of you would answer authentication. But there is a bit more to it than that. First, I'd like to point you to a post I wrote on my personal blog called "3 Parts to Authentication".

In this post, authentication is described as a process broken down into 3 parts:
1. Registration
2. Credential Presentation
3. Message Authentication

What's important here is that many often confuse credential presentation with message authentication. Credential presentation is the process in which a user or an HTTP client application demonstrates (with one or more factors) that it is the same user or application that was previously registered. Having successfully completed credential presentation, the authenticator issues a cookie or token which can be used for a period of time as a means of message authentication -- creating a single-sign-on session.

Today's post focuses on step 3, using cookies or tokens to access web resources. In browsers, cookies are added to requests in order to allow web sites to perform message authentication -- in effect providing single-sign-on. HTTP client applications use tokens in much the same way. They pass tokens, given to them by an authorization server, in the HTTP Authorization header of requests to achieve the same thing cookies do for browsers. In the case of tokens issued by an OAuth2 authorization server (as with Kerberos and others), we call these tokens "access tokens" because they are used to access web resources.

Broadly speaking, there are 2 categories of tokens web sites may accept: bearer tokens and proof tokens. Bearer tokens work very much like browser cookies. They can be a simple unique identifier (aka artifact), or they can be encoded strings that have meaning to the web sites they are intended for. However, to the client these tokens, like cookies, are just random (opaque) text strings that need to be passed to the web site in order to access a resource (message authentication). Because the client doesn't have to do anything but attach a bearer token to its request, bearer tokens are very simple for client developers to use. For more details on bearer tokens, check out RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage.

While bearer tokens are incredibly simple and easy to use, there is a downside. Any client that obtains a copy of the bearer token may use it. Simple possession is enough to access the web resource (hence the term bearer). So, a critical limitation of bearer tokens is that they SHOULD NOT be used over plain HTTP, since they can be sniffed and copied. Web sites accepting tokens should consider whether access tokens could be sniffed or otherwise shared, and what risk that imposes. Because of this, the IETF OAuth Working Group is now working on requirements for Holder-of-Key tokens (aka proof tokens). This document describes in detail the kinds of problems that could be solved and attempts to arrive at a set of use case requirements for a final token specification.

Proof tokens require an HTTP client to perform some kind of calculation that shows that only it could have used the token (such as with a private key or other shared secret). With a HoK token, a client could be required to generate a request signature, and even add a counter in order to prevent replay attacks, in addition to simple proof of the client's right to use the token. An example of this is the MAC token draft. The OAuth2 Working Group is debating whether this specification should move forward or whether a simpler specification based on JSON Web Tokens (JWT) should be developed.
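The two token styles described above, as an added example that is not from the post: a resource server accepting an opaque bearer token from the Authorization header (possession alone is checked), beside a holder-of-key check modelled on the MAC token draft, where the client signs a normalized request string with a shared secret and a fresh nonce, and the server rejects a replayed nonce, a stale timestamp, or a signature that does not match the request it arrived with. The token values, key id, secret and the exact normalization string are constructed for this example (the draft's own normalization has more fields); the header layout `MAC id=..., ts=..., nonce=..., mac=...` follows the draft's general shape.

```python
import hashlib
import hmac
import secrets
import time

# ---- Bearer tokens (RFC 6750 style): whoever presents the token gets in ----

# Constructed token store: opaque artifact -> who it was issued to and when it expires.
BEARER_STORE = {
    "opaque-artifact-demo": {"sub": "alice", "scope": {"readProfile"}, "exp": 4102444800},
}

def parse_bearer(auth_header):
    """Return the opaque token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = (auth_header or "").strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def check_bearer(auth_header, now=None):
    """Resource-server view: any holder of a valid, unexpired token is accepted.
    Nothing here proves the caller is the party the token was issued to."""
    now = time.time() if now is None else now
    entry = BEARER_STORE.get(parse_bearer(auth_header))
    if entry is None or entry["exp"] <= now:
        return None
    return entry["sub"]

# ---- Proof (holder-of-key) tokens, modelled on the OAuth MAC token draft ----
# The client holds a secret the server also knows. Each request carries an HMAC
# over a normalized request string plus a timestamp and a fresh nonce, so a
# copied header cannot be reused for another request or replayed for this one.
# Constructed key store: key id -> shared secret and the subject it belongs to.
MAC_KEYS = {"kid-demo-1": {"key": b"constructed-shared-secret", "sub": "alice"}}

def normalize(ts, nonce, method, uri, host):
    # Simplified normalization (assumption: the draft's own string has more fields).
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower()]) + "\n"

def mac_sign(key_id, key, method, uri, host, ts=None, nonce=None):
    """Client side: build the Authorization header value for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    digest = hmac.new(key, normalize(ts, nonce, method, uri, host).encode(),
                      hashlib.sha256).hexdigest()
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", mac="{digest}"'

def parse_mac(header):
    scheme, _, params = (header or "").strip().partition(" ")
    if scheme != "MAC":
        return None
    fields = {}
    for part in params.split(","):
        name, _, value = part.strip().partition("=")
        fields[name] = value.strip().strip('"')
    return fields

def verify_mac(header, method, uri, host, seen_nonces, now=None, max_skew=300):
    """Server side: return the subject if the signature matches this exact
    request and the (key id, nonce) pair has not been seen before."""
    now = time.time() if now is None else now
    p = parse_mac(header)
    if not p or not {"id", "ts", "nonce", "mac"} <= set(p):
        return None
    entry = MAC_KEYS.get(p["id"])
    if entry is None or not p["ts"].isdigit():
        return None
    ts = int(p["ts"])
    if abs(now - ts) > max_skew:
        return None                      # stale: outside the accepted clock window
    if (p["id"], p["nonce"]) in seen_nonces:
        return None                      # replay: this nonce was already accepted
    expected = hmac.new(entry["key"], normalize(ts, p["nonce"], method, uri, host).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p["mac"]):
        return None                      # wrong key, or a different request was signed
    seen_nonces.add((p["id"], p["nonce"]))
    return entry["sub"]

if __name__ == "__main__":
    print(check_bearer("Bearer opaque-artifact-demo"))
    hdr = mac_sign("kid-demo-1", b"constructed-shared-secret", "GET", "/resource/1", "api.example")
    seen = set()
    print(verify_mac(hdr, "GET", "/resource/1", "api.example", seen))   # alice
    print(verify_mac(hdr, "GET", "/resource/1", "api.example", seen))   # None (replay)
```

The contrast to notice is in what the server can learn: `check_bearer` only learns that somebody has the string, which is why the post insists on TLS for bearer tokens, while `verify_mac` learns that the caller holds the key and signed this particular method, path and host at this time, so a copied header is useless elsewhere and a nonce store (bounded by `max_skew` in a real deployment) closes the replay window the post describes.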

So, in many ways, tokens build on the experience the industry has had for many years with browsers and single-sign-on cookies. Tokens wielded by HTTP clients accessing RESTful web resources achieve the same feature we've taken for granted with browsers. Bearer tokens are easy for most clients to use, but require secure connections to prevent sniffing. Proof/HoK tokens can be used where web resources are either unprotected, or further proof of the right to use a token is needed.

About the Writer:

Phil Hunt joined Oracle as part of the November 2005 acquisition of OctetString Inc., where he headed software development for what is now Oracle Virtual Directory. Since joining Oracle, Phil works as CMTS in the Identity Standards group at Oracle, where he developed the Kantara Identity Governance Framework and provided significant input to JSR 351. Phil participates in several standards development organizations such as IETF and OASIS, working on federation, authorization (OAuth), and provisioning (SCIM) standards. Phil blogs at and has a Twitter handle of @independentid.

Previous Posts:

2012: No Time to REST for the Holidays
Standards Corner: A Look at OAuth2
A Look at OAuth2 - A Follow-Up to the Reader's Comments
Is OAuth the End of SAML? Or a New Opportunity?

Wednesday Feb 27, 2013

User Management for Databases (UM4DB)

Author: Kevin Moulton

You are responsible for managing accounts in the databases. You have lots of databases from lots of vendors. Oracle Database, SQL Server, Sybase, DB2. You manage the DBAs, so you have to give them privileges. In turn, they grant privileges to the user community. Some applications are off the shelf, and others are home grown, but they all store data in one of your databases. Some store their users in a directory, some use a user table in a database, and some use standard database users. In other words, you have a management mess on your hands!

The IT department is implementing some kind of automation and workflow tool, and they tell you that managing the database users is on their roadmap, but it’s buried way down the list. Of course it is! IT is not responsible for the databases. You are!

Budgets are tight, and you’re not getting the headcount you need to manually create and manage users, maintain the databases, and troubleshoot application problems when users don’t see the data they expect. That shouldn’t even be your problem, but of course they come to your team for everything. The auditors are after you about your costly and inconsistent manual processes and lack of controls, and demanding that you bring your environment into compliance with SOX, PCI, HIPAA, or whatever. Your users have to remember a different password for every database. Your DBAs use shared accounts that everyone knows the password to, including about 10 people that don't even work there anymore, but you're afraid to change it because you don't know what might break.

So, what can you do?

Oracle User Management for Databases (UM4DB) could be exactly what you are looking for. Oracle UM4DB is simply a set of components of the Oracle Identity Governance Suite configured specifically for managing your heterogeneous database environment.

UM4DB will allow you to automate the management of access to your databases. If a new user needs access to a database, that user or the user's manager would request access through a simple web GUI to a database or an application, and then the UM4DB connectors would create the required accounts with the appropriate privileges based on your rules. For compliance purposes, you could include a management approval step before access is granted.

You could even configure UM4DB to take a feed from HR, or take a feed from multiple sources of new employees and contractors, and then grant these users the access they require based on rules that you configure. In my experience, these rules are easy to create, because your DBAs have all of the rules in their heads. You just need to translate their experience into simple access rules. For example, a rule may be created where everyone in HR gets access to the employee database, along with certain roles they need.

Figure 1 End Users can request application access via a self-service GUI

Once these rules are in place, your auditors will be happy, because not only will the appropriate access to your databases and applications be granted automatically and consistently, but that access would be appropriately modified when that user's position changes, and taken away automatically when that user leaves your organization. This is the least privilege model you've always hoped for.

Reports within UM4DB will show you who has access to what, when they got it, who requested it, and who approved it. UM4DB could also be easily configured to perform recertification/attestation jobs at a frequency you determine, to make your auditors even happier. Your end users will be happier too, because UM4DB will maintain a record of all of the access they have, allowing them to change their password in one place. That password change would then be propagated to all of the databases they have access to. There go all of those annoying help desk calls. The days of your DBAs spending all of their time on account management and password resets are over! Don’t they have better things to do?

Your DBAs don’t need the headaches of user management, password management, and compliance. UM4DB can make them go away.

About the Writer:

Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.

Previous Posts from the Writer:

Grow your Business with Security

The Unintended Consequences of Sound Security Policy

Bang for the Buck

Tuesday Feb 26, 2013

Let's Talk Security at HIMSS 13: UPMC, University of Louisville Are In!

In my last post on HIMSS, I talked about the various activities that Oracle is participating in or hosting at HIMSS 13. This post will focus on all things Security at HIMSS 13.

As you know, the annual HIMSS Conference this year takes place in New Orleans from March 4 – 7 (next week!) and if Security is of interest to you, you should take note of the following events. Oracle has teamed up with Security experts at well known healthcare organizations including UPMC and University of Louisville to build an agenda geared towards security/IT professionals.

Security Breakfast
Tuesday, March 5, 2013, 7:00 a.m. – 8:00 a.m.
Hotel St. Marie, New Orleans

Enabling the Sharing of Medical Records Through Identity Management: Healthcare Organizations Share Their Perspectives

Patients, doctors and clinicians all need rapid access to ePHI, whether it is delivered through a patient portal, a clinical application, a mobile device or all of the above. The fluid access and movement of data in a secure, monitored and protected environment is the goal and challenge of all Healthcare IT departments.

Join the Oracle Security Breakfast to learn from UPMC, the University of Louisville and Oracle security professionals how enterprise identity, access and data security solutions can enable your facility to provide secure delivery of ePHI in all modalities within the context of meeting federal regulations, patient confidentiality and at the speed of efficient patient care.

Register Now: Send an email with your name, title, phone number, company name, and email address to or call +1 781-565-1708 to reserve a seat at this exclusive, invitation-only event. Event registration is free, compliments of Oracle.*

Learn how: 
• University of Louisville quickly and securely provides healthcare knowledge workers with near real-time clinical data and easy-to-understand-and-access metrics that they can use to engage patients in a meaningful way.

• UPMC rapidly provisions users into multiple clinical and administrative systems across multiple facilities within hours of a new employee joining the organization, enforcing enterprise security, reducing risk and delivering cost-effective compliance management.

• Oracle Mobile and Social Access technology can instantly provide social log in capabilities to existing patient and customer facing web services and provide enterprise class access management protection for mobile apps developed on iOS or Android platforms.

• Group Managers, Administrators and Team leads can easily confirm appropriate employee access to applications and systems with ePHI; quickly and efficiently improving compliance, securing sensitive data and reducing costs.

In addition, we have created more opportunities for you to engage with security professionals in your peer organizations and connect with Oracle executives and security experts in exclusive settings. To make it convenient, we are hosting encore sessions on different dates and times. Registration is free for the following sessions, compliments of Oracle.

Security Sessions

Monday, March 4, 2013

  • 3:00 p.m. – 4:00 p.m. : Enabling Rapid, Secure Access to Epic
  • 4:00 p.m. – 5:00 p.m. : Addressing the Final HIPAA OMNIBUS Rule’s Data Security Requirements

Tuesday, March 5, 2013

  • 10:00 a.m. – 11:00 a.m. : Enabling Rapid, Secure Access to Epic
  • 1:00 p.m. – 2:00 p.m. : How UPMC is Delivering Identity Management Services for Healthcare in the Cloud
  • 3:00 p.m. – 4:00 p.m. : Implementing Identity Management Services for Cerner
  • 4:00 p.m. – 5:00 p.m. : Addressing the Final HIPAA OMNIBUS Rule’s Data Security Requirements

Wednesday, March 6, 2013

  • 9:00 a.m. – 10:00 a.m. : Addressing the Final HIPAA OMNIBUS Rule’s Data Security Requirements
  • 11:00 a.m. – 12 noon: How UPMC is Delivering Identity Management Services for Healthcare in the Cloud
  • 3:00 p.m. – 4:00 p.m. : Implementing Identity Management Services for Cerner

If you would like to schedule meetings with our security experts in advance, simply send us a comment with your discussion topic and 3 preferred time slots and we will get back to you with a confirmation. Look forward to hearing from you at HIMSS 13.

Oh, and while on the topic of HIPAA compliance, be sure to tune into the webcast with Trizetto this Thursday (Feb 28 at 10 am PST/ 1 pm EST) as they discuss the roadmap to achieving HIPAA Compliance!

Webcast: Trizetto Achieves HIPAA Compliance with Identity Management
Thurs., February 28, 2013
10 a.m. PT / 1 p.m. ET
Register Here
Join Q&A live via twitter using #IDMTalk

* We are pleased to provide attendance at this event at no cost to government personnel when appropriate under applicable laws and agency policies. Oracle is committed to high standards of ethical conduct and does not intend to offer an inappropriate gift or create even the appearance of impropriety.

By attending this event and accepting any gifts which may be offered, the attendee certifies that he/she is able to do so in compliance with applicable laws and the internal rules of his/her organization. Oracle reserves the right to limit attendance accordingly and pursuant to Oracle policy.

The items available without charge at this event are valued at Breakfast $25 per person. We are pleased to accept payment for any portion of this event to facilitate compliance with applicable gift and ethics requirements.  Please contact Ben Robinson at with any questions or concerns about this disclosure.

Monday Feb 25, 2013

You Are Invited: Trizetto Discusses HIPAA This Thursday

Webcast: Trizetto Achieves HIPAA Compliance with Identity Management

Learn How Oracle Identity Management Can Lower Compliance Costs and Reduce Audit Exposure

Securing patient information means controlling user access to data and applications. Unfortunately, without automation access controls can quickly erode. And the cost of maintaining user access can be expensive—in some organizations, compliance costs are consuming up to 40% of their IT budget.

As Trizetto embarked on a project to streamline HIPAA compliance, Oracle Identity Management provided a foundation for streamlining the audit process and reducing the cost of manual controls.

Join This Important Security Webcast

You’ll hear Darrel Carson, Trizetto Program Manager for Identity and Access, discuss how Trizetto took a platform approach to identity management as part of a long-term plan to streamline HIPAA compliance and secure user access.

You’ll learn how to:

  • Automate rigorous and intrusive government controls
  • Provide faster results with automated remediation
  • Streamline access management through service desks
  • Create a foundation for scale using a platform approach to identity management

Oracle Identity Management helped Trizetto reduce the password footprint and service desk costs while improving the end user experience. Join us and find out how.

Register now for this Webcast, “Trizetto Achieves HIPAA Compliance with Identity Management.”

Join us for this Webcast, Trizetto Achieves HIPAA Compliance with Identity Management.
Thurs., February 28, 2013
10 a.m. PT / 1 p.m. ET
Presented by:
Darrel Carson, Program Manager for Identity and Access, Trizetto
Naresh Persaud, Director Product Marketing, Oracle

Friday Feb 22, 2013

Globe Trotters Edition: SERPRO Implementation in LAD Takes Shape

SERPRO (Serviço Federal de Processamento de Dados) is the biggest public company to provide IT services in Brazil. Created in 1964 to modernize and to offer pace to the strategic sectors of the public administration, SERPRO is responsible for customer data security as well as for recommending best practices and developing programs and services that allow greater control and transparency on public revenue and expenses.

As the largest public IT services company in Brazil, SERPRO had exacting requirements for their identity management and security needs. After all, the company needed control over and insight into data access by users, such as customers (government entities) and citizens, and other groups, including public employees, taxpayers, the tax collection agency, and ministries. SERPRO also needed to create an environment that conformed to federal government security standards, such as Instruction GSI/PR no. 1 of June 13, 2008 and others as set by the Brazilian president’s institutional security cabinet.

The other requirements included the need to:

  • Standardize and organize access controls and identity management for employees and government entities that use the system to improve the provision of services across 60% of Brazil’s public administration, which needs to guarantee the availability, integrity, confidentiality and authenticity of the services and products it delivers to its customers
  • Unify and implement rigorous access controls for data related to government entities, employees, taxpayers, and ministries for the company’s 8,000 users to avoid unauthorized access
  • Automate account access revocation in case of employee vacation, termination, etc.

After careful evaluation of available technologies, SERPRO selected and implemented Oracle Identity Manager (OIM). The implementation allowed the company to streamline the user administration process and have a single source of truth for all user access management records. Automated provisioning of user accounts eliminated administration overhead while automated deprovisioning and account linking significantly reduced security gaps from orphaned accounts or accounts created in manual errors. And of course, compliance being a key driver, the OIM implementation allowed SERPRO to manage and audit data access across all its user constituents.

For more information on SERPRO’s implementation and realized benefits, click here.

Wednesday Feb 20, 2013

See you at HIMSS 2013?

As you know, Healthcare Information and Management Systems Society (HIMSS) is the healthcare industry's membership organization exclusively focused on providing global leadership for the optimal use of healthcare information technology (IT) and management systems for the betterment of healthcare. HIMSS frames and leads healthcare public policy and industry practices through its advocacy, educational and professional development initiatives designed to promote information and management systems’ contributions to ensuring quality patient care.

The annual HIMSS Conference this year takes place in New Orleans from March 4 – 7 and much like the years past, Oracle will have a significant presence there.

If you plan to be at HIMSS 2013, we would like to connect with you. Here is a quick summary of some of the Oracle activities at HIMSS including dedicated Oracle security sessions featuring experts from both Oracle and major healthcare organizations. We hope to catch you at one, few or all of these!

Oracle Booth on the Exhibit Floor

Visit us at booth #4627 to learn how Oracle can help you to "Navigate the Future of Healthcare." Find out how our complete suite of healthcare solutions can benefit your organization by improving quality of care and the patient experience, lowering costs and enhancing insight, and building collaborative relationships across the ecosystem. Solutions presented in the Oracle booth will include a wide range of topics addressing the areas of Operational Efficiency, Analytics and Connected Health.

Our solution experts will be on-hand to walk you through the features of our products, answer questions, and set up follow up discussions post event.

Exhibit Hours

Monday, March 4, 2013

1:00 p.m. – 6:00 p.m. CT

Tuesday, March 5, 2013

9:30 a.m. – 1:00 p.m. CT and 2:30 p.m. – 6:00 p.m. CT

Wednesday, March 6, 2013

9:30 a.m. – 1:00 p.m. CT and 2:30 p.m. – 6:00 p.m. CT

Interoperability Showcase
Location: La Nouvelle Ballroom on Level 2

Oracle is participating in the HIMSS13 Interoperability Showcase, which provides a full landscape of health IT solutions, live demonstrations of interoperability, and educational opportunities for healthcare organizations. Catch the Oracle Health Information Exchange (HIE) solution live in action at the Interoperability Showcase.

Oracle session in the Interoperability Showcase
Title: Incorporating IHE in National and Regional Health Information Exchange Solutions
Presenter: John Hatem, Director, Healthcare Product Strategy
Date: Tuesday March 5th, 2013 – 1.30 p.m. to 2.00 p.m.

Interoperability Showcase hours:
Monday, March 4th, 2013 9:30 a.m. - 1:00 p.m. CT & 2:15 p.m. - 6:00 p.m. CT

Tuesday, March 5th, 2013 9:30 a.m. - 1:00 p.m. CT & 2:15 p.m. - 6:00 p.m. CT

Wednesday, March 6th, 2013 9:30 a.m. - 1:00 p.m. CT & 2:15 p.m. - 6:00 p.m. CT

Oracle Security Sessions at HIMSS
Prince Conti Hotel, 830 Conti Street – Room 2A

We have created additional opportunities for you to engage with Oracle Security team and the security stakeholders at other healthcare organizations. Join us at these sessions to learn how your peers are addressing their security, compliance and even business needs today. No registration required for any of these sessions.

Monday, March 4, 2013

  • 3:00 p.m. – 4:00 p.m. : Enabling Rapid, Secure Access to Epic
  • 4:00 p.m. – 5:00 p.m. : Addressing the Final HIPAA OMNIBUS Rule’s Data Security Requirements

Tuesday, March 5, 2013

  • 10:00 a.m. – 11:00 a.m. : Enabling Rapid, Secure Access to Epic
  • 1:00 p.m. – 2:00 p.m. : Delivering Identity Management Services for Healthcare in the Cloud
  • 3:00 p.m. – 4:00 p.m. : Implementing Identity Management Services for Cerner
  • 4:00 p.m. – 5:00 p.m. : Addressing the Final HIPAA OMNIBUS Rule’s Data Security Requirements

Wednesday, March 6, 2013

  • 9:00 a.m. – 10:00 a.m. : Addressing the Final HIPAA OMNIBUS Rule’s Data Security Requirements
  • 11:00 a.m. – 12:00 p.m.: Delivering Identity Management Services for Healthcare in the Cloud
  • 3:00 p.m. – 4:00 p.m. : Implementing Identity Management Services for Cerner

If you would like to schedule meetings with our security experts in advance, simply send us a comment with your discussion topic and 3 preferred time slots and we will get back to you with a confirmation.

Hope to see you at HIMSS 2013.

Oracle at HIMSS13 Annual Conference & Exhibition

March 4 – 7, 2013

The Ernest N. Morial Convention Center

900 Convention Center Boulevard
New Orleans, LA 70130

Booth # 4627

Monday Feb 18, 2013

BAE Systems Maritime – Submarines Division Builds Security with Oracle Enterprise Single Sign-On

The Company:

BAE Systems is one of the world’s largest global defense, aerospace, and security companies, employing approximately 93,500 people. BAE Systems Maritime – Submarines division designs and manufactures submarines for the United Kingdom Ministry of Defense and the Royal Navy.

Business Challenges:

  • Automate user authentication across their entire application environment as part of a wider program to implement a new enterprise resource planning (ERP) system
  • Improve and strengthen security and user efficiency throughout the 20-year development and build cycle for submarines
  • Enable simplified single sign-on across all systems including legacy applications
  • Enforce segregation of duty (SoD) among staff by restricting and controlling application access to better meet financial regulatory guidelines
  • Improve employee on-boarding and off-boarding to optimize application licenses


BAE Systems worked with Oracle partner aurionPro SENA to implement Oracle Enterprise Single Sign-On Suite to enable secure, simplified access for the employees required to design and build submarines over a 20-year lifecycle. The implementation allowed BAE Systems to secure user access to critical systems and enforce segregation of duties.

Additional benefits included improved user efficiency and reduced service-desk requests by eliminating the need for employees to remember passwords for 20 to 30 key applications, in addition to an array of peripheral systems required to develop submarines. The company was also able to better manage regulatory requirements, now having a single source of truth to determine user access.

For more information on BAE Systems’ implementation, check out the case study.

Wednesday Feb 13, 2013

Standards Corner: Is OAuth the End of SAML? Or a New Opportunity?

Author: Phil Hunt

I mentioned in my year in review post that rather than spell the end of SAML, OAuth2 might in fact greatly expand SAML's adoption. Why is that?

The OAuth2 Working Group is nearing completion on the OAuth2 SAML Bearer draft, which defines how SAML Bearer assertions can be used with OAuth2, essentially replacing less secure user-ids and passwords with more secure federated assertions.

Before I describe how this works, here is some quick terminology:
* Resource Service - A service offering access to resources, some or all of which may be "owned" or "controlled by" users known as "Resource Owners".
* Resource Owner - An end user, who is authorizing delegated scoped access by a client to resources offered by a Resource Service
* Client - An application (e.g. mobile app, or web site) that wants to access resources on a Resource Service on behalf of a Resource Owner.
* Authorization Service - A service authorized to issue access tokens to Clients on behalf of a resource server.

While the resource service and the authorization service may be authenticated by means of a TLS domain-name certificate, both the client application and the end user often need to be authenticated too. In "classic" OAuth, you can use simple user-ids and passwords for both. The SAML2 Bearer draft describes how federated SAML assertions can be used instead.

A typical scenario goes much like this.

1. Alice (resource owner) accesses a corporate travel booking application.
2. In order to log into the corporate travel application, Alice is redirected to her employer's Identity Provider to obtain a SAML Authentication Assertion. 
3. Upon logging in to the Corporate Travel Application, Alice wishes to update her seat preferences with her selected airline. In order to do this, the corporate travel application goes to the authorization server for the airline. The travel application provides two SAML authentication assertions: 1) An assertion representing the identity of the client application, and 2) an assertion representing Alice.  The scope requested is "readProfile seat".
4. Upon verifying the SAML assertions and delegated authority requested, the authorization server issues an access token enabling the corporate travel application to act on behalf of Alice.
5. Upon receiving the access token, the corporate travel app is then able to access the frequent flyer account web resource by passing the token in the header of the HTTP request. The access token acts as a session token that encapsulates the fact that the travel app is acting for Alice with scope read & seat update.

This SAML Bearer flow is actually very similar to the classic OAuth 3-leg flow. However, instead of redirecting the user's browser to the authorization server in the first leg, the corporate travel app works with the user's IdP to obtain a delegation (or simple authentication) assertion directly from the IdP. Instead of swapping a code in the second leg, the client app now swaps a SAML Bearer assertion for the user.
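The token exchange in steps 3 through 5, as an added example that is not from the post: a minimal authorization server that accepts one assertion authenticating the client and one representing Alice, checks issuer, signature, audience and expiry on each, and issues a scoped access token that the airline's resource server then checks before acting. The grant type and client assertion type URNs are the ones defined by the SAML bearer assertion profile the post refers to (later published as RFC 7522); everything else is constructed: the assertions are JSON blobs signed with an HMAC key as a stand-in for XML-DSig signed SAML XML, and the issuer, entity ids, subjects and per-client scope policy are made up for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed trust configuration: IdP issuer -> key the authorization server trusts.
# Assumption: an HMAC key stands in for the IdP's XML-DSig signing certificate.
IDP_KEYS = {"https://idp.corp.example": b"constructed-idp-signing-key"}
AS_ENTITY_ID = "https://auth.airline.example/token"     # audience every assertion must name
CLIENT_SCOPES = {"travel-app": {"readProfile", "seat"}}  # constructed policy per client
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"

def idp_issue(issuer, subject, audience, not_after):
    """Identity provider: issue a signed assertion (step 2 for Alice; one for the app too)."""
    body = json.dumps({"issuer": issuer, "subject": subject, "audience": audience,
                       "not_after": not_after}, sort_keys=True).encode()
    sig = hmac.new(IDP_KEYS[issuer], body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig

def verify_assertion(assertion, now):
    """Claims if the issuer is trusted, signature valid, audience is us and not expired."""
    b64, _, sig = assertion.partition(".")
    try:
        body = base64.urlsafe_b64decode(b64)
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None
    key = IDP_KEYS.get(claims.get("issuer"))
    if key is None:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), sig):
        return None
    if claims.get("audience") != AS_ENTITY_ID or claims.get("not_after", 0) <= now:
        return None
    return claims

ISSUED_TOKENS = {}   # access token -> what it allows (authorization server state)

def token_endpoint(form, now):
    """Authorization server (steps 3 and 4): swap two assertions for a scoped token."""
    if (form.get("grant_type") != GRANT_TYPE
            or form.get("client_assertion_type") != CLIENT_ASSERTION_TYPE):
        return {"error": "unsupported_grant_type"}
    client = verify_assertion(form.get("client_assertion", ""), now)
    user = verify_assertion(form.get("assertion", ""), now)
    if client is None or user is None:
        return {"error": "invalid_grant"}
    requested = set(form.get("scope", "").split())
    if not requested or not requested <= CLIENT_SCOPES.get(client["subject"], set()):
        return {"error": "invalid_scope"}
    token = secrets.token_urlsafe(16)
    ISSUED_TOKENS[token] = {"client": client["subject"], "sub": user["subject"],
                            "scope": requested, "exp": now + 3600}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600,
            "scope": " ".join(sorted(requested))}

def resource_server(auth_header, needed_scope, now):
    """Airline resource (step 5): accept the bearer token if live and scoped for this action."""
    scheme, _, token = (auth_header or "").partition(" ")
    entry = ISSUED_TOKENS.get(token.strip()) if scheme == "Bearer" else None
    if entry is None or entry["exp"] <= now or needed_scope not in entry["scope"]:
        return None
    return entry["sub"]    # the resource owner the app is acting for

def seat_update_flow(now):
    """Run the whole exchange once; returns (token response, subject seen by the resource)."""
    client_assertion = idp_issue("https://idp.corp.example", "travel-app", AS_ENTITY_ID, now + 300)
    user_assertion = idp_issue("https://idp.corp.example", "alice", AS_ENTITY_ID, now + 300)
    resp = token_endpoint({"grant_type": GRANT_TYPE, "assertion": user_assertion,
                           "client_assertion_type": CLIENT_ASSERTION_TYPE,
                           "client_assertion": client_assertion,
                           "scope": "readProfile seat"}, now)
    subject = resource_server("Bearer " + resp.get("access_token", ""), "seat", now + 10)
    return resp, subject

if __name__ == "__main__":
    print(seat_update_flow(1362000000))
```

The audience check is the step that keeps this flow federated rather than merely delegated: an assertion the IdP minted for some other relying party is refused even though its signature is good, which is what stops a bearer assertion captured in one place from being replayed at the airline's token endpoint.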

OAuth2's ability to leverage different authentication systems makes it possible for SAML to enhance OAuth2 security, going even further to eliminate the propagation of dreaded user-ids and passwords, in much the same way SAML did for classic federated web sign-on. Rather than making SAML redundant, OAuth2 has in fact increased SAML's utility.


Previous Posts:
2012: No Time to REST for the Holidays
Standards Corner: A Look at OAuth2
A Look at OAuth2 - A Follow-Up to the Reader's Comments

Saturday Feb 09, 2013

Five Steps Toward Achieving Better Compliance with Identity Analytics

Vadim Lander is Oracle's Chief Identity Strategist and has been thinking a lot about how organizations can be compliant with industry and government regulations and, at the same time, become more secure.

His recent article featured in Sys-Con's Web Security Journal discusses how organizations that are dynamic and have matrixed work forces can not only maintain compliance, but also improve overall security by using Identity Analytics.  Vadim breaks the strategy down into five key points.

See the full article here:

Wednesday Feb 06, 2013

Partner Perspective: aurionPro SENA Discusses: OIM 11gR2 - IAM Implementation Simplified

Authored By: Kunwar Nitesh, aurionPro SENA

Oracle Identity Manager Release 11gR2, released in the summer of last year, is a great leap forward in providing a platform on which to build world-class Identity and Access Management infrastructure. The next generation of Oracle Identity Manager, 11gR2, has been developed with a primary focus on allowing end users and the platform support team to build and fulfil the need for a business-friendly interface. In the past this process was complex, with significant dependency on engineers, resulting in longer implementation time spans and herculean efforts.

Oracle has taken a big step forward with Oracle Identity Manager 11gR2, providing customers with highly desirable features such as the catalog, personalization and an extensible UI, to name a few.

In this post we cover some of the new features that aim to help our customer base simplify IAM implementation and improve efficiencies across the board.

My users need a shopping cart experience

Customers looking to roll out a provisioning solution are often met with the challenge of providing a user-friendly interface that fits into their existing landscape and processes. Most products use very IT-centric terminology, such as Resource Objects and IT Resources, and a rigid request UI framework, which can result in lower acceptance by end business users. Today the end business user is looking for a simple shopping-cart-like experience that provides an intuitive end user experience without much iteration.

With OIM 11gR2, a centralized catalog framework of access rights, including enterprise and application roles, application accounts, and entitlements, is available out of the box. OIM 11gR2 can now automatically synchronize privileges into the request catalog when a new entitlement is added to a target system. Application instances or roles defined in the OIM 11gR2 environment are automatically harvested into the catalog by an out-of-the-box (OOTB) backend task. These catalog items can be enriched with user-friendly information such as display name, risk, audit level and search tags. An easy wizard-driven request submission process with a shopping-cart-like experience is a leap forward in simplifying implementation and saving cost on implementation and maintenance.

Lower cost to implement and maintain interface customization

In almost all IDM implementations, customers go from easy to complex interface customization to enhance the end user experience and meet the organization's interface standards. Due to the limited out-of-the-box customization capability in previous generations of OIM, dedicated development and engineering skills were needed to develop a more business-aware user interface.

By decoupling the UI and functional layers in OIM 11gR2, Oracle has given customers a strong tool to design and develop a business-friendly user interface with limited knowledge of development technologies like ADF. OIM 11gR2 supports out-of-the-box customization ranging from simple branding to customizing existing task flows or adding new task flows. Most customizations, such as inter-dependent fields, logically hiding or showing fields, and changing labels, help text, search criteria and search results, which previously required non-trivial time and effort, can now be performed using a simple web interface. This helps customers extend OIM functionality and make it more user friendly for their organizations in a short time. In addition, support for personalization of the home page and search results allows end users to perform tasks quickly without adding significant cost to the implementation.

The next generation of OIM is built on an advanced web UI framework using ADF and WebCenter. The concept of a “Sandbox” allows for easy customization and packaging of skins and stylesheets without impacting the existing deployment, which centralizes and simplifies the management of stylesheet changes. The sandbox lets you isolate and experiment with customizations without affecting the environment of others: any changes made to a sandbox are visible only to the user for whom the sandbox is active. Once the customization is complete, the sandbox can be published, which makes the customizations available to other users. The capability to export and import a sandbox makes the process of change migration easier than before. UI customizations done using the sandbox are stored separately from the out-of-the-box code and UI metadata. This keeps customizations patch- and upgrade-safe and reduces the impact analysis and post-upgrade retrofitting effort, thereby reducing maintenance effort and cost.

Implementation Simplified

The next generation of Oracle Identity Manager is primarily focused on simplifying the process of setting up basic customizations, such as UDF creation, workflow registration, resource form creation, plug-ins and new application onboarding, by reducing the number of steps. This equates to reduced dependence on the technical team to effect minor changes. Enhanced features such as the web-based form designer, disconnected resources, application instances and out-of-the-box Service Oriented Architecture (workflow) integration reduce the dependency on the technical team during the application onboarding process after implementation. This not only reduces implementation and deployment effort but also helps customers continually enhance the end user experience and support more applications without significant dependency on the technical team. The OIM 11gR2 interface allows customers to onboard new applications without the need to write code or depend heavily on the technical team. Using the application instance concept, a new application instance can be created from the UI and easily harvested into the catalog. The policy administrator can use the UI to change the approval routing logic to keep up with ever-changing approval processes. This makes the application onboarding process quick and simple.

Enhancements to existing product features

In older versions, for some features such as intuitive request tracking, fine-grained authorization policy, better delegated administration and target account password reset, an organization would at times have had to develop a customized implementation to fulfill the business requirements, resulting in increased implementation cost and duration.

With the introduction of the standard ADF security model for functional security and Oracle Entitlements Server (OES) for transactional and data security, OIM 11gR2 can support sophisticated delegated administration and data visibility requirements. The introduction of workflow visualization, help desk and password reset are minor yet very desirable features that help reduce the complexity and cost of implementation.

With the new release, Oracle Identity Manager provides a flexible and scalable enterprise identity administration and user provisioning solution. The significant focus on a more business-user-friendly user model and a customizable interface allows enterprises to reduce the time and cost of long-term support and enhancement of the solution once it is developed.

About the Writer:

Kunwar Nitesh is a Sr. Architect and a member of the Center of Excellence team within AurionPro SENA. Kunwar has been designing and implementing medium to large-scale Identity Management solutions across multiple industries. He has more than 7 years of experience, specializing in Oracle's Identity and Access Management product stack.

Tuesday Feb 05, 2013

Oracle at RSA Conference 2013

Oracle is exhibiting at RSA Conference 2013. The RSA Conference 2013 is a premier security conference that gives attendees a chance to learn about IT security's most important issues through first-hand interactions with peers, luminaries, and emerging and established companies.

Here’s a quick run-down of all things Oracle at this year’s RSA Conference.

Mark your Calendars:

Conference Session:
PNG F43: Waiter, There's a Fly in My Code

Mary Ann Davidson, Chief Security Officer, Oracle and Joshua Brickman, Program Director, CA Technologies
Friday, March 1, 11:40-12:00 in Room 131

Oracle Solution Showcase:
While at the conference, catch the latest Database Security and Identity Management product demonstrations at Oracle Booth # 1941.

Exhibit Hours:
Monday, February 25, 2013 6:00 a.m. – 8:00 p.m. (Welcome Reception)
Tuesday, February 26, 2013 11:00 a.m. – 6:00 p.m.
Wednesday, February 27, 2013 11:00 a.m. – 6:00 p.m.
Thursday, February 28, 2013 11:00 a.m. – 3:00 p.m.

Book Signing with Mary Ann Davidson at Oracle Solution Showcase:
Plan to meet Mary Ann Davidson, Chief Security Officer, Oracle and receive an autographed copy of either "Outsourcing Murder" or her new book "Denial of Service", part of the Miss-Information Technology Series.

Book Signing Hours:
Monday, February 25, 2013 6:30 p.m. – 7:30 p.m.
Tuesday, February 26, 2013 1:00 p.m. – 2:00 p.m. and 5:00 p.m. – 6:00 p.m.
Wednesday, February 27, 2013 1:00 p.m. – 2:00 p.m.

OASIS Security Standards Showcase:
Catch Oracle Entitlements Server (OES) in action at the OASIS XACML Interop in booth # 3012. The showcase hours are the same as the exhibit hours.

Meet Oracle Security Executives:
Oracle Security product management executives and experts will be in attendance at this year’s RSA Conference. Would you like to schedule a meeting? Simply send us a note with your information, areas of interest and 3 preferred time slots, and we will confirm.

Get free access to the exhibit floor by registering here using the code FXE13ORAC, compliments of Oracle. To take advantage of the complimentary code, you need to register by February 22.

We look forward to seeing you at RSA Conference 2013.

Monday Feb 04, 2013

Avea Customer Success story: webcast wrap-up

Thanks to everyone who joined us for the live webcast on January 31.

For those of you who missed it, the webcast was recorded and I will post the replay link here when it becomes available.

The webcast replay is now available here: click for replay (note: you may have to scroll down to find it).

We were not able to get to all the questions during the call, so I have retrieved the list of questions and will send them to the Avea team to answer.

I have also posted the slides below. 

Friday Feb 01, 2013

Oracle Identity Event San Francisco

Tuesday, February 05, 2013
2:00 PM – 5:00 PM
Bourbon and Branch
501 Jones Street
San Francisco, CA, 94102
In Person
Space is limited. Register today!

Take the Next Big Step in Identity Management Evolution

We call the latest release of Oracle Identity Management the evolved platform. And for good reason. It simplifies the user experience, enhances security, and allows businesses to expand the reach of identity management to the cloud and mobile environments like never before.

Join this important event to discuss the recent launch of Oracle Identity Management. You’ll learn more about the evolution of this exceptional business solution and get the unique opportunity to network with existing Oracle customers and speak directly with industry experts. The agenda includes:
  • Overview of capabilities
  • Customer and partner presentations
  • Discussion with early adopters

Register now for this event. Valet Parking is included.

Presented in participation with:

Qubera Solutions

2:00 p.m. – 2:15 p.m.  Welcome Remarks
2:15 p.m. – 2:45 p.m.  Identity Access Management Platform Overview
2:45 p.m. – 3:15 p.m.  Customer Spotlight - MedicAlert
3:15 p.m. – 4:15 p.m.  Beverage Academy Hands On Cocktail Class
4:15 p.m.  Networking Reception & Cocktails
4:30 p.m.  Closing Remarks

Register Now!

Top 3 Security Trends, IDM Predictions for 2013: Security Newsletter January Edition

The January edition of the Security Inside Out Newsletter is now out. This month’s newsletter takes a look back at the top security stories from 2012 and captures experts’ opinions on security and identity management trends and predictions for 2013.

The newsletter features an interview with Graham Palmer, director of Information Security for Oracle’s EMEA Operations and Oracle’s resident expert on cyber security. In his interview, Graham discusses the top 3 security concerns that are shaping Security strategies for most organizations today. The high-profile security attacks in 2012 underscore a need for a holistic security approach. Graham shares nuggets on how best to optimize Security budget and efforts. Read the full feature here.

The writer also caught up with Vadim Lander to discuss the key trends that would shape Identity Management in 2013. Vadim is Oracle’s Chief Identity Architect and keeps the pulse on all things Identity Management. In his interview, Vadim discusses how IT trends like social, mobile and cloud are impacting Identity Management requirements. What is Vadim’s take on Identity as a Service, Authentication trends and more? Catch the full feature today.

As always, the newsletter captures both recent and upcoming Security and Identity Management events, conferences, training, industry reports, news and more. So, if you haven’t done so, we recommend you subscribe to the Security Inside Out Newsletter today.

We’d love to hear from you. Let us know some topics you’d like to see covered in the upcoming editions. Or just let us know how we are doing. We look forward to hearing from you.
