Wednesday Jul 31, 2013

Oracle Waveset to Oracle Identity Manager: A Case Study in Higher Education (Deloitte)

Deloitte is excited about the opportunity to introduce the first blog in a series of four blogs that will look at real world case studies involving Oracle Identity and Access Management (IAM). Our future blogs will expand on relevant IAM topics including: 1) Oracle Waveset to Oracle Identity Manager, 2) Oracle IAM in Telematics, 3) Oracle IAM with Governance Risk and Compliance, and 4) Oracle Identity & Access Governance with Database Security. Throughout this blog series, readers are encouraged to submit questions or comments which will feed into a roundtable type Q&A blog responding to selected comments and questions received.

In this edition of the Oracle IAM blog, we’ll look at a case study for migration from Oracle Waveset to Oracle Identity Manager for a higher education statewide system of community colleges, state universities and technical colleges. This also highlights how the flexibility of Oracle’s IAM product landscape contributed to creating a dynamic and sustainable solution for a public-facing system with nearly 500,000 users.

Current State Evaluation and Replication

The legacy Oracle Waveset instance connected to numerous institutional directories and provided end-user functionalities such as user self-service, account activation and password management as well as administrative help-desk functions with a highly customized interface and set of workflows.

As we analyzed these functions, we identified that a majority of these were available within Oracle Identity Manager (OIM) 11g R2 which simplified their replication. Further, the User Interface (UI) enhancements in OIM 11g R2 allowed for significant customization to the end-user pages, such as the ‘My Information’ page, with minimal custom code.  Initial replication of the core functionalities was crucial to the overall project and allowed for the replacement of Waveset as an end-user facing solution on Day 1 of the OIM go-live. However, this did not cover the numerous resource integrations that Waveset had behind the scenes that would also need to be migrated. Several functionalities such as account activation and password reset/forgot password that required specific workflows and service integration were replicated in separate Oracle ADF-based applications that were split away from the OIM managed servers. This allowed for the highly used end-user functions to run separate of the OIM instances to provide for increased flexibility in load management and tuning.

Resource Migration Approach

As the numerous resources requiring migration would take significant time and effort, it was decided that these resources would be moved over in a phased manner requiring both OIM and Waveset to operate in parallel for a period of time. This approach reduced risk, as a single cutover would have been highly complex with multiple moving parts across colleges and campuses. To enable this to be possible, OIM and Waveset would need to operate together as we migrated each campus from the old Waveset platform to the new OIM platform. To help accomplish this, a custom connector between OIM and Waveset was built to synchronize certain user attributes so that Waveset could update and maintain those attributes on the resources that remained to be managed by it.

Overall, this approach turned out to be highly beneficial as it allowed the team time to ease into using the new identity solution, reduced the risks that would have been present in a single “big bang” cutover event and allowed for a quick win which displays critical progress and success to solution stakeholders. 

Figure A – Oracle Waveset to Oracle Identity Manager resource migration approach

Additional Important Success Factors

Throughout the migration, we encountered a number of items that were deemed critical for meeting project goals that primarily focused on the following:

User Experience

As the solution’s primary users were public individuals that would likely not have significant training or usage guidance, focusing on a refined and calculated user experience such as clear verbiage, font sizing and coloring as well as succinct and detailed error messages was important. While these items may seem minor or insignificant to some readers, they, as expected, ended up being extremely beneficial to end-users and reduced support needs.

Performance and Tuning

With our highly active user-base, performance of the solution was critical to success. Use of the existing Oracle Fusion Middleware Performance and Tuning Guide as well as the OIM 11g R2 Reconciliation Tuning Whitepaper were critical for maintaining performance and ongoing stability of a solution with this size. Also important were key architectural decisions around load balancing, managed server clustering, as well as database clustering (e.g. RAC). Providing enough horsepower behind the solution and conducting due diligence around performance testing will reduce the amount of performance-related issues encountered in production.

In Conclusion

The phased migration of Oracle Waveset to Oracle Identity Manager 11g R2 allowed for a quick win in the initial cutover of end-user functions, a lower risk migration path and well as constant stream of “good news” as various campuses were migrated from the old solution to the new one in a phased manner. A focus on user experience and performance tuning also helped to create an effective environment for end-user interaction and contributed to achieving the goals of the initiative. Finally, the new OIM architecture will provide a solid infrastructure for future enhancements and a greatly increased user base that the prior Waveset environment could no longer support.

About the Author

Derek Dahlen is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with over eight years of experience in information security. He specializes in managing, designing and architecting large-scale identity and access management projects with a focus on the Oracle product stack. He has worked with various clients across the financial services and state government sectors.

Tuesday Jul 23, 2013

No Where to Go but Up: Extending the Benefits of Accelerated IAM by Nish Patel (Accenture)

For a number of years the innovation for corporate applications revolved around functionality drivers such as better user interfaces, interoperability with legacy systems, and web enablement.  The next wave of innovation is being driven by enhancing the customer experience, data analytics, business responsiveness, and the integration of systems in the company’s business ecosystem.  All of this is occurring in a demanding economic climate—where speed is of the essence to help meet revenue and profitability targets— with an ever-demanding and  increasingly sophisticated user base.

What does the changing face of corporate applications look like and how does security play a role?  You can start by looking at Oracle’s own strategy with Fusion Applications.  The Fusion Apps integrate business processes, complex workflows, web services, business intelligence, and analytics.  This amalgamation has seemingly endless data points and touch points utilized by an ecosystem of users, consumers, providers, and so on.  This is all secured using Oracle’s own IAM stack.  Hence, the Fusion Apps security model is a very different approach from the old E-Business, PeopleSoft, and JD Edwards security models.  This adds security complexity, yet also adds security value.  However, to obtain the value, you have to understand how to take a highly flexible solution and cater it to your business’s needs.  So how do you configure it the right way quickly?  We’ll get to that later.

What other corporate application changes are we seeing?  We’re all aware that over the last 5 years there has been a significant and growing shift in the consumerization of technology in the work place.  The bring-your-own-device or BYOD trend began shortly after the auspicious availability of the original iPhone in June of 2007 and has hit substantial strides in subsequent years with the introduction of the iPad and Android devices.  The portability and ease of use—and let’s face it, the “coolness” factor—have driven demand for applications to be readily available outside the standard company walls and desktop/laptop confines.

Looking at a graph of the pace and demand for mobile applications brings to mind Mt. Everest:  it’s steep, scary, and without the right Sherpa, you might just freeze to death from the challenge.  As the sophistication of mobile applications has improved to meet business demand, one of those Everest-like challenges is how to secure the ever increasing amount of sensitive and critical information that goes with it.

For example, we are seeing clients take applications that were typically considered “back office” and using them as a strategic driver, such as mobilizing purchasing data to provide valuable insight to buyers in the field making decisions.  We are seeing banks now allowing check deposits via mobile devices to increase customer satisfaction and decrease in-person service times and overhead.

Information that was typically within the four walls is now zipping around wherever there is a cell signal.  It is being consumed on devices that are easily passed around, shared, and lost.  It is being consumed by customers, employees, company partners, and vendors.  How do you ensure that only the right consumer, in the right context, in the right scenario, on the right device is accessing valuable company data?  Additionally, how do you rapidly secure applications to quicken deployment cycles and cut costs?

One of the common ways IT departments approach security is to take each application and bolt on its own security framework for mobility.   An example would be adding on a Spring Security framework for authentication and authorization.  Sometimes this involves a duplication of already existing authentication and authorization mechanisms in place.  If you take this approach for each application you “mobilize”, you can see how it can quickly become an administrative nightmare.  From having to provision users manually to each application, to de-provisioning for terminations or job role changes, to password management, to troubleshooting, and so on, this approach is duplicative and wasteful. 

So how do you address security adequately and rapidly across the situations and scenarios we’ve described?  Accenture utilizes Oracle’s IAM suite of products to enable security across the spectrum of our client’s needs.  For example, for mobilization of applications, we utilize Oracle’s Mobile and Social Access as part of the access management solution.  We utilize Oracle API Gateway’s numerous features for web services security.  We’ve also built many of our own proprietary Accenture Software solutions on the 11g platform, leveraging the Oracle security stack to employ a common security framework to simplify development and deployment. Furthermore, we leverage our Accenture Foundation Platform for Oracle (AFPO) to accelerate and reduce costs.
Accenture Foundation Platform for Oracle

AFPO is a reference architecture, reference implementation and a set of associated assets that provide a generic and common foundational platform based on Oracle Fusion Middleware 11g Technology.  AFPO is a jumpstart kit for Oracle IAM that accelerates delivery.  It is aligned with Oracle’s Fusion Reference Architecture (OFRA) and was built with feedback and reviews from Oracle Product Management. It’s also a combination of Oracle products & guidance with Accenture intellectual property based on project experience.

When we speak of acceleration, we are talking install: day 1; customize and integrate: day 2!  Fast enough for you? Clients have been able to trim as much as 30% off of implementation costs utilizing AFPO.  At an educational non-profit we rapidly deployed an Oracle IAM foundation leveraging AFPO to meet tight timelines required for the upcoming school year. Our client’s Release 1 deployment scope included building, testing, and deploying 5 Oracle IAM products in 5 months.  Our client’s development team needed a way to quickly learn the products in order to rapidly build extensions and customizations for these products.  AFPO provided a testing ground for rapid design prototyping and gave developers the quick, hands-on experience needed to transition to building the new infrastructure.

To learn more about Accenture, our AFPO platform, how we can help you with your security strategy and implementation, please contact

Wednesday Jul 17, 2013

Registration now open! - Managing the Healthcare IT Transformation “On the Go and In the Cloud”

Mobility, cloud-based services, healthcare reform, meaningful use, health information exchange and continued changes in privacy and security regulations has each had a profound effect on healthcare IT.  To support this transformation, it is vital that an organization effectively manages how its users are able access and use information.   Unfortunately, to date, many organizations have failed to develop the necessary foundational infrastructure.  UPMC, through its subsidiary CloudConnect Health IT, has developed a solution called CloudIdentity, which provides healthcare specific identity management capabilities that are based on Oracle technology and delivered securely via the cloud.  Join John Houston Vice President of Privacy and Information Security, Associate Counsel at UPMC & President of CloudConnect Health IT for this informative webcast, as he discusses the healthcare transformation and how healthcare organizations can securely unlock the potential of healthcare IT. Click HERE to register for this webcast, scheduled for August 20th.

Tuesday Jul 16, 2013

The Art of the Possible: Real Life Case Study in Oracle IAM 11gR2 Performance Tuning by Alex Bolante (Accenture)

In our last post, we walked through a handful of practical tips and tricks to fine tune your Oracle Identity Management 11gR2 deployment.  This week we look at a real life case study, focused on Oracle Directory Services, where we applied our pragmatic approach and solutions.

Case study: a multinational financial services corporation.  With presence in over 200 countries, this financial services company enables consumers, businesses, financial institutions and governments to use digital currency instead of cash and checks through one of the world’s most advanced processing networks, capable of handling more than 20,000 transactions per second.  Like many legacy customers, the company sought Accenture’s help to strategically plan, design and upgrade to an improved version of Oracle Directory Services that provided:

• Improved directory services performance
• Multi-user topology support
• Enhanced replication
• Increased security

The implementation comprised of approximately 50 servers located across multiple, geographically distributed data centers supporting over 100 applications and more than 250,000 users – included financial institutions, payment product processors and others doing business with this financial services company. 

Environment design specification

Our environment design specification was initially developed to support legacy applications, but given a new set of business and technical requirements, we needed to modify and scale the solution to support future business services with enough capacity to grow up to 40% year over year.  Key performance requirements included:

• Optimized for reads, writes and replication across data centers located across the globe
• Performs 1000 operations per second
• Supports response time of 0.05 milliseconds for single user id searches
• Supports response time of 0.15 milliseconds for single user attribute writes
• Supports 200 concurrent searches
• Supports growth rate of 10,000 objects per month over the next 5 years
• Provides real time password replication using prioritization

Modifying and scaling the solution:
Our process for modifying and scaling the solution included  engaging Oracle product managers and engineers directly to validate our hardware configuration.

Product: Oracle Directory Services
Operating System: 64-bit Solaris 10 Update 10 or higher
Hardware: SPARC T-series
Memory: 64 GB
Disk Space: 270 GB
Swap Space: 15 GB
Tmp Space: 10 GB
File Descriptor Limit: 8192
Replication Topology: Multi-master with no restrictions on the number of masters

We made several recommended configuration changes and tuned the Operating System, Database Cache, Entry Cache, Import Cache, File System Cache and Indexes. 

Disable schema check for fast replication
$dsconfpath/dsconf set-server-prop -p portNum check-schema-enabled:off

Set DB cache size to 1000M
$dsconfpath/dsconf set-server-prop -p portNum db-cache-size:1000M

Set entry cache size to 1000M
$dsconfpath/dsconf set-suffix-prop -p portNum suffixDN entry-cache-size:1000M

$dsconfpath/dsconf set-server-prop -p portNum import-cache-size:200M

Set all-ids-threshold
$dsconfpath/dsconf set-server-prop -p portNum all-ids-threshold:8000

Set repl-purge-delay to 1 days
$dsconfpath/dsconf set-server-prop -p portNum repl-purge-delay:1d

Change log path
dsconf set-log-prop -p portNum ACCESS path:/var/ldaplogs/access
dsconf set-log-prop -p portNum AUDIT path:/var/ldaplogs/audit
dsconf set-log-prop -p portNum ERROR path:/var/ldaplogs/error

Enable Audit log
dscond f set-log-prop -p portNum AUDIT enabled:on

The outcome:

After we applied our performance tunings, we performed our tests in production-like environments, verified and documented our results, profiled and monitored our solution, tweaked and tuned our environment and cycled through this step-by-step process until we were satisfied that we had met all requirements.  We shared the results with our Oracle peers to validate – including our testing approach which included search rates and modification rates based on 100 users and 200 users connecting concurrently – and the numbers were right on point with our expectations from the Directory Services upgrade.

How can you apply this to your environment? 

Step 1:
Talk to Oracle Product Management, Development and Engineering directly
,get them involved in your project as early as possible and keep them engaged throughout your project.  It helps to have knowledgeable subject matter experts who can bring your implementation up to par with leading implementations.  Some guidelines for checkpoints include:

Checkpoint 1: Before statement of work (SOW) is signed:
• Is the SOW clearly defined?
• Is the described product functionality feasible?
• Are measurable and achievable success criteria defined?

Checkpoint 2: Before requirements, architecture and project plan are delivered:
• Can the product fulfill the defined requirements?
• Is the architecture and solution design sound and scalable?
• Is the customer's environment ready?

Checkpoint 3: Before the design is delivered:
• Is the design technically sound?
• Can the design be implemented, migrated and supported?
• Are the test plans and approach reasonable?

Step 2:
Define specific, measurable objectives for performance tunings based on your requirements.
  To start with, you can use Accenture’s predefined set of key attributes for developing “good” requirements that are measurable.

• Necessary – an important capability or element of a solution which cannot be compensated for if absent
• Understandable – stated in a context which conveys the essence of what is needed
• Complete – stated in a standalone context which does not rely upon supplemental and/or assumed definitions
• Consistent – does not contradict by context or terminology nor is contradicted by other statements (e.g. is not mutually exclusive)
• Unambiguous – cannot have more than one interpretation
• Attainable – a capability which can be implemented within the constraints of available resources and technology (e.g. product, cost, schedule)
• Verifiable – can establish that the statement has been satisfied through specific measurements, test, demonstration, inspection, and/or analysis

Step 3:
Determine how you plan to implement performance tunings.
There is more than one way to skin a cat.  In addition to the tuning configuration changes made to the environment, you also have to consider hardware sizing and configurations, middleware technologies, application and data samples used for testing and how you measure/analyze results.  For example, hardware sizing guides are meant to provide you with a baseline for your deployment, but they are not exact specifications for your Oracle Identity & Access Management deployment. 

The same applies for a vendor certification matrix – while Oracle’s Identity & Access Management product might be certified or supported on another vendor’s middleware or platform stack, that does not automatically imply it is the ‘optimal’ configuration for your deployment.  Most organizations already have infrastructure standards (e.g. we use WebSphere Application Server for our J2EE apps), but you need to carefully consider that your Oracle Identity & Access Management deployment may be harder to tweak and tune if implemented on top of multiple vendor stacks.  In fact, the more unique your configuration design is, the more challenging it will be to support and the less likely your deployment will be up to par with common practices.

Step 4:
Apply your performance tunings, perform your tests, verify and document your results, profile and monitor your solution, tweak and tune it – wash, rinse and repeat.
  Consider the testing tools you will use to conduct your performance tests and their limitations.  We used both SLAMD and HP LoadRunner for our Directory Services deployment.  SLAMD had resource limitations on the number of connections and threads we could test, especially if it was not running off a dedicated server.  HP LoadRunner had a limitation with testing multiple attribute updates until we applied a hot fix that the vendor eventually provided.

Also, most deployments are two- to three-tier architectures, so you have to tune the database/directory server, middleware/application server, web servers and every component in between each tier (e.g. load balancers for SSL acceleration).  In fact, each tier requires its own performance tuning, pruning, cleaning, care, feeding and regular maintenance.  At its core, there are several performance bottlenecks to consider:

• Start with your server or system resources (e.g. over clocked CPU, maxed out memory, resource contention, insufficient space)
• Tune your way up from data tier to application/web tier (e.g. database/directory servers typically require specific optimizer tunings, predefined indexes and table pruning while application servers typically require proper JVM heap size allocation, connection pooling and message queue thresholds)

Step 5:
Share your experiences with the Oracle Security community at large.
  By now, your Oracle Identity & Access Management solution should be designed to support not only your legacy applications, but also scaled to support future business services!

Stay tuned for our next post on No Where to go but up: Extending the benefits of accelerated IAM to enable new solutions and features where we highlight interesting trends in Security and Identity & Access Management.

Oracle Directory Services: Overview

Oracle Directory Services: Discussion Forums

Monday Jul 15, 2013

Mobile Application Security Framework by Pawan Yadav (SDG Corporation)

Mobile Application Security Framework

Enterprise Mobility is rapidly expanding opportunities for companies to enhance clients' engagement levels and simplify and improve their interactions. Unfortunately, those opportunities also create significant security threats for businesses and consumers.
Pawan Yadav, Vice President and Chief Technologist from SDG (, in this very topical white paper, outlines the unique challenges that are arising from the explosion of enterprise mobile applications, multiple devices, and platforms.

Read the white paper: click to download

About the Author:

Pawan Yadav

Enterprise Mobility, Practice Leader
Pawan, in his capacity as a SDG Practice Leader, has direct senior management responsibility for the firm's strategy, planning, staffing, engagement deliverance, and commercial operations for the Enterprise Mobility Practice. He brings to this position over 16+ years of IT experience, primarily in the Financial Services - Retail Banking and Credit Card sectors. His expertise includes leading large and complex development programs - time and materials with upper cap and fixed bid, web and enterprise mobility applications services and solutions delivery management, personnel and staff management, and contract and cost management.

About SDG:
SDG Corporation empowers forward thinking companies to strategize their future, realize their vision, and minimize IT risk. SDG distinguishes itself by offering flexible business models to fit their clients’ needs; faster time-to-market with its pre-built solutions and frameworks; a broad-based foundation of domain experts, and deep program management expertise. (

Friday Jul 12, 2013

CSO Webcast with Mary Ann Davidson & CSO Magazine

According to a recent survey by IDG Research, 40 percent of respondents felt that a fragmented reactive approach to security left them more vulnerable. More than 35 percent felt that their organization was reactive to sensational news about security threats. To better align IT security resources with risk, organizations will need to refocus on strategic assets

Join us for a Webcast with Oracle Chief Security Officer, Mary Ann Davidson and CSO magazine to learn how an inside-out security approach enables you to concentrate your security efforts where they matter most.

  • Protect your most valuable assets
  • Rethink security inside out
  • Improve security governance
Register now and attend the live webcast to chat with security experts and receive a copy of the full IDG Research report.

Thursday Jul 11, 2013

NEC Australia hosts Part 2: Identity Governance Key Insights

NEC Australia is back with Part 2, in their two part series with key leaders from the Oracle Identity Management product team. Host Larry Samuels of NEC Australia takes us into the topic area of "Identity Governance Key Insights".  This includes key information on point-in-time audits and their use as a baseline, as well as steps your organization can take to minimize your risk by better understanding the complexity of your identity enviroment.  To view this video, click HERE


Wednesday Jul 10, 2013

NEC Australia hosts video Roundtable on "Key Trends in Identity Management" (Part 1)

Join NEC Australia as they host a Roundtable discussion with key members from Oracle, to discuss the Key Identity Management Trends. Host Larry Samuels of NEC Australia leads this conversation with experts in the field of Identity Management to discuss how the landscape is changing and evolving to encompass the new demands of Cloud, Mobile and regulatory compliance.  With him are Amit Jasuja, Sr Vice President of Identity Management at Oracle Corporation, to help us navigate the ever changing demands of IT, and how partners like NEC are working with Oracle to meet those demands. To view Part 1 of this video, click HERE

Tuesday Jul 09, 2013

Necessity is the mother of invention: Technical Solutions Developed in the Field by Kishan Malineni (Accenture)

As promised in last week’s post, today we will go into tuning specifics and address well proven tricks of the trade, used by IAM guru’s to maximize your solution while addressing the requirements of global organizations.


In this post we will use a specific, anonymous project example to walk you through the process, specifically:

  1. Setting the Stage: Establish Service Level Agreements and Critical Project Metrics
  • In our example, the goal was to support page load times for OIM access requests of less than 5 seconds for 40 concurrent users. All of this would have to be possible with a 100,000+ active user base dispersed globally.
  1. Approach:
  • Accenture teamed with Oracle Product Development and Field Engineering to troubleshoot the performance issues
  • Identify the issues and release appropriate Merge Label Requests (patches) on top of Bundle Patch 06
  • Secure Socket Layer (SSL) Certificates presented a unique scenario, which when pushed to all end users through a Group Policy Object (GPO), they decreased load time for the pages listed below by up to 15 seconds:
      • Login page
      • Home page/dashboard
      • User Search
      • User account details
  1. Getting Started in your Implementation:
  • Technical Steps
  • Proactively teaming with Oracle 

4.      Challenges:

  • Single server location presents network concerns for distributed user base which compounds the need for high application performance.
  • Internet Explorer is client standard and is dramatically slower than open source browsers due to the complex ADF framework.
  • Traditional downtime non-existent with users in time zones across the globe
  • Despite having 4 physical servers with 8 managed nodes, page load times were not meeting the 5 second or less requirement
  • This client was an early adopter of 11gR2 release, as part of the Oracle Beta program


The goal for any new software implementation is for it to be fast and that’s no different for this Global Financial Services client. The Accenture team worked closely with the client to address numerous requirements including mapping complex provisioning, de-provisioning, and numerous other lifecycle changes.


Naturally for requirements as demanding as these, a robust technical architecture was required. Within the Design Phase and into the Test Phase, the Accenture team was seeing page load times of more than five seconds.


After engaging Oracle via a service request, the project team was able to engage Oracle engineers to specifically resolve the performance issues that were identified. Initially, baselines were taken across multiple browsers including Internet Explorer 8, Mozilla Firefox, and Google Chrome. Oracle was able to help the project team to identify a bundle patch that was expected to dramatically decrease page load times. With the OIM code fully optimized, the magnifying glass could be applied to the browsers within the client’s enterprise standard builds.  


Through a collaborative effort involving extensive testing, it was determined that Internet Explorer 8 (IE8) required additional security certificates to be pushed to the intermediate store. Through this change, page load times decreased by up to 15 seconds. Fortunately, through a Group Policy Object, the client is able to push this change to all users within the enterprise.


With the help of Oracle Product Management, several iterations of testing were performed to collect test data and provide to the client stakeholder team. During this process Accenture and Oracle provided daily updates to the client to ensure awareness of all stakeholders.


Step 1 of Problem Solving:

The combined Oracle and Accenture team performed the following steps to dramatically improve the page load times for 40 concurrent users:

  • Modified Java Virtual Machine settings and increased memory to each managed node
  • Applied Bundle Patch 04
  • Applied performance patch for Catalog and My Access which provided the following page load times:


Step 2: The Project Team and Oracle Team then performed the following changes:

  • Modified OIM operations, Java message service, SOA, applications data sources
  • Applied HTTP compression
  • Applied performance patch for user profile/search
  • Disabled web cache



Step 3: After seeing a dramatic decrease in page load times, the final performance tweaks were applied:


  • Applied Bundle Patch 06
  • Applied Application Development Framework (ADF) Merge Label Request
  • Apply OIM Merge Label Request for User Interface Self Service Workflows
  • Internet Explorer 8 (IE8) specific Issues: Unchecking “Check for Server Certificate Revocation” within IE8. This update will be performed through a Group Policy Object (GPO) change.


Final Results:


Conclusion: Upon achieving the desired results for page load times the Accenture Project Team was able to deploy the OIM to Production environments.


While this client experience highlights specific examples of performance tuning for Oracle IAM, the approach and collaboration are just as critical and can be applied to many other implementation challenges.  Additionally, it is also critical to use industry leading practices for planning and implementing your IAM program, including:

  • Clustering OIM managed servers
  • Clustering SOA servers
  • Using Oracle database real application cluster
  • Using fully qualified domain names
  • Ensure ports used are non-conflicting and similar across the clustered servers
  • Utilizing Coherence for SOA (SOA clustering)
  • Oracle HTTP Server configuration is critical to load balance between clustered servers correctly
  • Set ideal connection pool settings, message buffer size, caching, statement cache size, inactive connection timeout parameters for the system data sources deployed with OIM

Implementing a high performance IAM implementation will have a substantial impact on the success of your team and your program and it requires a combination of well-trained IAM SMEs, clearly established metrics and SLAs, leveraging best practices and industry leading solutions, and most importantly a strong collaborative approach across teams.

Please stay tuned for next week’s series installment on The Art & Science of Performance Tuning of Oracle IAM 11gR2 where we will share war stories of clients across industries finding paths to success with Oracle IAM and Accenture

Tuesday Jul 02, 2013

Taking the training wheels off: Accelerating the Business with Oracle IAM by Brian Mozinski (Accenture)

Today, technical requirements for IAM are evolving rapidly, and the bar is continuously raised for high performance IAM solutions as organizations look to roll out high volume use cases on the back of legacy systems.  Existing solutions were often designed and architected to support offline transactions and manual processes, and the business owners today demand globally scalable infrastructure to support the growth their business cases are expected to deliver.

To help IAM practitioners address these challenges and make their organizations and themselves more successful, this series we will outline the:

• Taking the training wheels off: Accelerating the Business with Oracle IAM
The explosive growth in expectations for IAM infrastructure, and the business cases they support to gain investment in new security programs.

• "Necessity is the mother of invention": Technical solutions developed in the field
Well proven tricks of the trade, used by IAM guru’s to maximize your solution while addressing the requirements of global organizations.

• The Art & Science of Performance Tuning of Oracle IAM 11gR2
Real world examples of performance tuning with Oracle IAM

• No Where to go but up: Extending the benefits of accelerated IAM
Anything is possible, compelling new solutions organizations are unlocking with accelerated Oracle IAM

Let’s get started … by talking about the changing dynamics driving these discussions.

Big Companies are getting bigger everyday, and increasingly organizations operate across state lines, multiple times zones, and in many countries or continents at the same time.  No longer is midnight to 6am a safe time to take down the system for upgrades, to run recon’s and import or update user accounts and attributes.  Further IT organizations are operating as shared services with SLA’s similar to telephone carrier levels expected by their “clients”.  Workers are moved in and out of roles on a weekly, daily, or even hourly rate and IAM is expected to support those rapid changes.  End users registering for services during business hours in Singapore are expected their access to be green-lighted in custom apps hosted in Portugal within the hour.  Many of the expectations of asynchronous systems and batched updates are not adequate and the number and types of users is growing.

When organizations acted more like independent teams at functional or geographic levels it was manageable to have processes that relied on a handful of people who knew how to make things work …. Knew how to get you access to the key systems to get your job done.  Today everyone is expected to do more with less, the finance administrator previously supporting their local Atlanta sales office might now be asked to help close the books for the Johannesburg team, and access certification process once completed monthly by Joan on the 3rd floor is now done by a shared pool of resources in Sao Paulo.  

Fragmented processes that rely on institutional knowledge to get access to systems and get work done quickly break down in these scenarios.  Highly robust processes that have automated workflows for connected or disconnected systems give organizations the dynamic flexibility to share work across these lines and cut costs or increase productivity.

As the IT industry computing paradigms continue to change with the passing of time, and as mature or proven approaches become clear, it is normal for organizations to adjust accordingly. Businesses must manage identity in an increasingly hybrid world in which legacy on-premises IAM infrastructures are extended or replaced to support more and more interconnected and interdependent services to a wider range of users. The old legacy IAM implementation models we had relied on to manage identities no longer apply.

End users expect to self-request access to services from their tablet, get supervisor approval over mobile devices and email, and launch the application even if is hosted on the cloud, or run by a partner, vendor, or service provider.

While user expectations are higher, they are also simpler … logging into custom desktop apps to request approvals, or going through email or paper based processes for certification is unacceptable.  Users expect security to operate within the paradigm of the application … i.e. feel like the application they are using.

Citizen and customer facing applications have evolved from every where, with custom applications, 3rd party tools, and merging in from acquired entities or 3rd party OEM’s resold to expand your portfolio of services.  These all have their own user stores, authentication models, user lifecycles, session management, etc.  Often the designers/developers are no longer accessible and the documentation is limited.  Bringing together underlying directories to scale for growth, and improve user experience is critical for revenue … but also for operations.

Job functions are more dynamic.... take the Olympics for example.  Endless organizations from corporations broadcasting, endorsing, or marketing through the event … to non-profit athletic foundations and public/government entities for athletes and public safety, all operate simultaneously on the world stage.  Each organization needs to spin up short-term teams, often dealing with proprietary information from hot ads to racing strategies or security plans.  IAM is expected to enable team’s to spin up, enable new applications, protect privacy, and secure critical infrastructure.  Then it needs to be disabled just as quickly as users go back to their previous responsibilities.

On a more technical level …
Optimized system directory; tuning guidelines and parameters are needed by businesses today. Business’s need to be making the right choices (virtual directories) and considerations via choosing the correct architectural patterns (virtual, direct, replicated, and tuning), challenge is that business need to assess and chose the correct architectural patters (centralized, virtualized, and distributed)

Today's Business organizations have very complex heterogeneous enterprises that contain diverse and multifaceted information. With today's ever changing global landscape, the strategic end goal in challenging times for business is business agility. The business of identity management requires enterprise's to be more agile and more responsive than ever before. The continued proliferation of networking devices (PC, tablet, PDA's, notebooks, etc.) has caused the number of devices and users to be granted access to these devices to grow exponentially. Business needs to deploy an IAM system that can account for the demands for authentication and authorizations to these devices.

Increased innovation is forcing business and organizations to centralize their identity management services. Access management needs to handle traditional web based access as well as handle new innovations around mobile, as well as address insufficient governance processes which can lead to rouge identity accounts, which can then become a source of vulnerabilities within a business’s identity platform. Risk based decisions are providing challenges to business, for an adaptive risk model to make proper access decisions via standard Web single sign on for internal and external customers,. Organizations have to move beyond simple login and passwords to address trusted relationship questions such as: Is this a trusted customer, client, or citizen? Is this a trusted employee, vendor, or partner? Is this a trusted device?

Without a solid technological foundation, organizational performance, collaboration, constituent services, or any other organizational processes will languish. A Single server location presents not only network concerns for distributed user base, but identity challenges. The network risks are centered on latency of the long trip that the traffic has to take. Other risks are a performance around availability and if the single identity server is lost, all access is lost.

As you can see, there are many reasons why performance tuning IAM will have a substantial impact on the success of your organization.  In our next installment in the series we roll up our sleeves and get into detailed tuning techniques used everyday by thought leaders in the field implementing Oracle Identity & Access Management Solutions.

Monday Jul 01, 2013

SIM to OIM Migration: A How-to Guide to Avoid Costly Mistakes (SDG Corporation)

In the fall of 2012, Oracle launched a major upgrade to its IDM portfolio: the 11gR2 release.  11gR2 had four major focus areas:

  • More simplified and customizable user experience
  • Support for cloud, mobile, and social applications
  • Extreme scalability
  • Clear upgrade path

For SUN migration customers, it is critical to develop and execute a clearly defined plan prior to beginning this process.  The plan should include initiation and discovery, assessment and analysis, future state architecture, review and collaboration, and gap analysis. 

To help better understand your upgrade choices, SDG, an Oracle partner has developed a series of three whitepapers focused on SUN Identity Manager (SIM) to Oracle Identity Manager (OIM) migration.

In the second of this series on SUN Identity Manager (SIM) to Oracle Identity Manager (OIM) migration, Santosh Kumar Singh from SDG  discusses the proper steps that should be taken during the planning-to-post implementation phases to ensure a smooth transition from SIM to OIM.

Read the whitepaper for Part 2: Download Part 2 from

In the last of this series of white papers, Santosh will talk about Identity and Access Management best practices and how these need to be considered when going through with an OIM migration.

If you have not taken the opportunity, please read the first in this series which discusses the Migration Approach, Methodology, and Tools for you to consider when planning a migration from SIM to OIM. Read the white paper for part 1: Download Part 1 from

About the Author:

Santosh Kumar Singh

Identity and Access Management (IAM) Practice Leader

Santosh, in his capacity as SDG Identity and Access Management (IAM) Practice Leader, has direct senior management responsibility for the firm's strategy, planning, competency building, and engagement deliverance for this Practice. He brings over 12+ years of extensive IT, business, and project management and delivery experience, primarily within enterprise directory, single sign-on (SSO) application, and federated identity services, provisioning solutions, role and password management, and security audit and enterprise blueprint. Santosh possesses strong architecture and implementation expertise in all areas within these technologies and has repeatedly lead teams in successfully deploying complex technical solutions.

About SDG:

SDG Corporation empowers forward thinking companies to strategize their future, realize their vision, and minimize their IT risk. SDG distinguishes itself by offering flexible business models to fit their clients’ needs; faster time-to-market with its pre-built solutions and frameworks; a broad-based foundation of domain experts, and deep program management expertise. (


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.


« July 2013 »