Launch Webcast Q & A Identity Management 11g R2
By Naresh Persaud-Oracle on Jul 22, 2012
If you joined our webcast, we hope you found it informative. Below we have embedded a copy of the launch webcast slides. We answered most of the questions during the webcast; however, there were a few we missed. We have captured the answers to all of the questions below. If you missed the webcast and would like a chance to meet in person, we will be hosting physical events and demonstrating the products live. The physical events will allow you to connect with product managers and members of our engineering team in person.
- Los Angeles August 28th 8:30 - 1:00 PM
- Washington DC September 5th 8:30 - 1:00 PM
- New York September 6th 8:30 - 1:00 PM (Registration page coming soon)
- Chicago September 6th 8:30 - 1:00 PM (Registration page coming soon)
- Toronto September 12th 8:30 - 1:00 PM (Registration page coming soon)
- Montreal September 13th 8:30 - 1:00 PM (Registration page coming soon)
Q: Are OIM & OIA better integrated in 11g R2?
A: Yes, in R2 OIA and OIM share a common data model
Q: Is multi-tenancy part of 11g R2?
A: Many of the components are being used in multi-tenant environments, but multi-tenancy isn't a key capability that we're announcing with this release.
Q: Has the BPEL workflow engine changed? Can you have approval workflows run in parallel?
A: We have direct integration with SOA in this release, so you can take much better advantage of the ability to include attachments, etc. in approvals.
Q: Can you install and run more than one JDE connector? We have multiple versions of JDE in our environment.
A: We have not upgraded the JDE connector in this release, so while you can have multiple instances of a JDE connector, the version/client libraries need to be the same. We have a new version of the connector planned that uses a new connector framework that will support multiple concurrent versions.
Q: Where can we locate the release notes and documentation for migration?
A: The full set of documentation will be available on the main Oracle doc site (docs.oracle.com) once the software is live. This includes release notes and migration/upgrade docs.
Q: What is the future of OpenSSO? It is nice open-source software, will it be in fusion?
A: OpenSSO will be converged into the broader Oracle Access Manager solutions
Q: Are Oblix 7 and OAM 10g the same product?
A: Similar. The Oblix products were enhanced to leverage the Fusion Middleware stack and offer broader capabilities in Oracle Access Manager
Q: Does OAM 11gR2 webgate support IIS and Apache web servers?
A: This is still the case.
Q: I learned as part of the program to implement SSO between OAM 10g and 11g environments, it is required that both of the environments be in different cookie domains. That makes migration difficult. Can we address this?
A: We will be handling this soon.
Q: Can request based provisioning be configured to digitally sign requests and / or approvals? If so, is the digital signature technology used either FIPS 140-2 compliant or DoD Joint Interoperability Test Command PKE Interoperability Certification?
A: Yes. This is a very specific use case. Please work out the details with the PS team.
Q: With the UI customization, can you add or remove tabs/hyperlinks for one set of users but not for another?
A: Yes, using JSF standard based EL expressions, customizations can be done such that they are effective for one set of users and not a different set. It is something that can be done for all kinds of customizations.
Q: Are OAM 184.108.40.206 cookies and Oblix 7 cookies the same? Are the OAM 11gR2 cookies and Oblix 7 cookies the same?
A: Cookies OAM 11g (220.127.116.11 / 18.104.22.168) vs Oblix 7 work differently. OAM 11g uses a combination of host cookies or domain cookies (depending on the version of Webgate you use), a server cookie, and an in-memory session store (based on Oracle Coherence technology) to maintain and correlate user session information.
Q: When requesting new access/entitlements, is there an approval process?
A: Yes. We leverage SOA BPEL-based workflows for approvals
Q: So OAM 11gR2 supports only Oracle HTTP server and no other web server?
Q: How complex is the upgrade path from R1 22.214.171.124 to this release?
A: We provide an in-place upgrade from 126.96.36.199 to 11gR2 and include all required steps in the Upgrade Guide.
Q: Is that password randomly generated?
A: Assuming this is about the password that OPAM generates for checkin/checkout -- it is randomly generated by OPAM and the random generation complies with password policy.
Q: Can you please cover the enhancements to Oracle Entitlements Server in R2?
A: We will not dive into OES enhancements in this session. We can schedule a separate call to review our multi-platform enhancements in OES.
Q: What is the integration plan of Oracle Waveset (Sun IDM)?
A: 11gR2 has a number of compelling, cost saving benefits. Coupling these benefits with our pragmatic, co-existence-based model, we are encouraging Waveset customers to work with us on a sensible upgrade path to the Oracle Identity Management Platform.
Q: Is it now a complete ADF app or still a mix of ADF and Struts pages?
A: Identity Self Service and SysAdmin capabilities are now 100% ADF.
Q: Does this mean features/code of OpenSSO will be merged into Oracle Access Manager so that only Oracle AM will have ongoing development?
A: Yes that's correct.
Q: When will 11gR2 be released?
A: It will be released in August.
Q: Is there a service account still in OIM?
A: Yes, the service account feature in OIM is about ensuring that the lifecycle of the service account is not linked to the user that has it, for example the service account is not deprovisioned at employee termination. OPAM serves a different purpose. But over time, we will converge the features into one product.
Q: Has OIA been included in the comprehensive Oracle Identity Management stack?
A: Architecturally, when we release OIM R2, OIA PS1 is integrated with its catalog features. However we have plans to now write all OIA features on the same data model and same UI/backend architecture. This work is ongoing and we will be making announcements later on when the convergence is complete.
Q: Identity Management supports what databases on the back end?
Q: Does it support MySQL as well?
A: Not at this time.
Q: Is social sign-on a kind of federation?
A: Yes. OAUTH/OpenID-based.
Q: Does OIM still restrict us to not provision Users to other systems like AD and Exchange before starting date in organization? It is a very common requirement from clients. They want to provision Users well before starting date in AD.
A: No. You can provision and disable the account before the start date, then enable it when you are ready.
A: That is correct.
Q: What about the DOD Certification?
A: We believe the answer is yes, but this is coming from SOA/WebLogic.
Q: Is OAAM integrated with OAM in 11g R2?
A: Yes OAAM is integrated.
Q: Is the mobile SSO based on the ESSO model?
A: No it's based on OAuth token.
Q: We have the complete IDM stack. When can I get my hands on an evaluation copy of 11gR2 IDM suite?
A: Work with the PM team and your sales rep.
Q: What I am interested in knowing is if OAM has OAAM capabilities in 11g R2 or if they are two separate products that need to be integrated.
A: From the infrastructure perspective, OAM and OAAM are still installed / configured separately. Convergence of these products is planned for later releases. However, we do have an out of the box / tighter integration between OAM and OAAM in R2.
Q: Anything new on UNIX shell login and Oracle DB logins?
A: As in externalizing end-user authentications from Unix/Oracle to IDM or in the context of privileged accounts?
Q: Can it be configured to use a 3rd party token?
A: Yes. It can be interoperable with a 3rd party token.
Q: Is it simple to upgrade from Identity Management 11g R1?
A: The details will be posted in August with the release.
Q: Are the 250M users and 3K Auth/Second supported by a single OAM server?
A: Yes. This is for a single node of OAM. We'll have a detailed whitepaper published soon.
Q: Is OAuth support as Identity Provider or Consumer?
A: It supports both.
Q: When will 11gR2 be available for download?
Q: What is OAuth token?
A: For background on OAuth check the Wikipedia entry. http://en.wikipedia.org/wiki/OAuth
Q: Does Access 11gR2 provide an upgrade path from OAM10.1.4.3?
A: Yes the instructions will be provided on OTN in release.
Q: But OAAM still a separate component?
A: Yes, it's a separately installed service from OAM.
Q: Is OIA integrated with OIM in 11gR2?
A: OIA has been integrated with OIM since the R1 release.
Q: Does OAAM integrate well with OIM replace /suffix the authentication into OIM?
A: Yes this is a use case that would work.
Q: Is fraud management derived from OAAM? Are they the same thing?
Q: Will OIM and OIA also be more tightly integrated? Or will they continue to be stand-alone products?
A: They are tightly integrated today and will continue to be more tightly integrated in the future.
A: Yes, a mobile component will ship with R2 allowing mobile apps to be developed.
Q: When is 11g R2 planned to be released?
Q: Will OIA continue to be a separate product or is it now part of OIM?
A: For now, it is separate, but we are already working on an offering that has all OIM and OIA features on a common UI architecture, common data model and common support for connected and disconnected resources. You will see us making more announcements in this area later.
Q: What components do we need to create apps on Mobile for SSO?
A: Access Management Suite includes the mobile server components as well as a client SDK that can be used in native apps.
Q: Where does Enterprise Gateway stand?
A: Enterprise gateway is still a separate component.
Q: Can all of the OIM configurations be done through web UI in R2 or do we have to still use java applet (xlclient) for some?
A: All of the new UI customizations can use the web UI.
Q: Can the entitlement shopping cart list be filtered based on the identity of the "customer" doing the shopping?
A: To some degree yes.
Q: Can OAM R2 support case insensitive resource type. This is about MS IIS.
A: We do not support this functionality at this time but we are looking at how to support it in future releases.
Q: So OAM 188.8.131.52 does not support OpenSSO?
A: No it does not
Q: What is Oracle's strategy to migrate customers running on OAM and OIF separately today without support for OAuth, etc.?
A: The migration will be in the release in August.
Q: Can Oracle Beehive components be authenticated with IDM 11g R2?
A: Yes using OAM for Web SSO. Oracle does this in house today.
Q: Is this slide presentation available ?
A: It is embedded in this blog
Q: Since it was not specifically mentioned, where does the Sun Directory (DSEE) fit into this framework solution?
A: Sun DSEE is part of the ODS+ suite
Q: Do we still need Design Console to config OIM?
A: The only one feature for which design console is still required is to do adapter config/integration in connected provisioning workflows. The use of it for all other features has been eliminated.
Q: Does 11gR2 support the virtual hardware?
A: It can be run in a VM
Q: What all are the improvements from OIA integration perspective in 11gR2?
A: There are a few improvements like the SOA work-lists. The release notes will contain more details
Q: Which version of SOA BPEL is certified for 11gR2?
A: The version that ships in Fusion Middleware 11g
Q: How does 11gR2 integrate with MS SharePoint?
A: OES supports SharePoint and SharePoint can be a provisioning target.
Q: How many out of the box connectors are available for 11gR2?
A: All of our existing connectors are certified with R2.
Q: We are in the midst of development of two level approval workflows for over 200 application roles in JDE 9.0. How easy will the conversion be when we upgrade? What things do we need to consider as we move forward with our development work?
A: The approval architecture has not changed between R1 and R2. While I do not know specifics of your implementation, generally speaking, no changes should be required.
Q: Does OAM11gR2 provide any capability towards securing webservices along with standard web applications?
A: Securing Webservices has always been part of the Identity suite; there are no new SOA security components.
Q: Can you compare DSEE vs OUD as an offering?
A: For high scale new deployments OUD is the recommended path.
Q: What is OAAM?
A: OAAM stands for Oracle Adaptive Access Manager
Q: Is OIM compatible to run on WebSphere?
A: Currently it runs on WebLogic only. You will see us making WebSphere certification planning announcements in the coming months.
Q: Any more updates on OIA, i.e. are there any plans for direct connectors for pulling out the data?
A: Not in R2, but this is getting addressed soon as part of our convergence plan. Stay tuned for more updates from us.
Q: We are currently evaluating Tivoli. Can you talk about how does the new version compare with Tivoli?
A: 11gR2 is simpler to use and configure. In addition, OIM has more connectors out of the box.
Q: Earlier it was said that OAAM is now integrated into OAM, but then he just said OAAM is still a separate component. Can you clarify please?
A: Integrated so that the context information is available. They are still separate components.
Q: Is licensing for 11g OAM included with licensing for current EBS implementation (assuming OAM is used only for EBS authentication) or is additional licensing required?
A: The licensing with EBS is limited to EBS.
Q: Are there labs available?
A: The website will contain the latest content. Training content will follow shortly.
Q: When can we expect OIM to be compatible with other Application servers?
A: WebSphere certification will follow after the R2 release.
A: In August.
Q: What components of OIA are now merged and available in OIM 11gR2?
A: Nothing has merged in OIM R2. The only change to integration is that the OIM catalog becomes authoritative for business context - glossary definition, risk score etc. so that customers define it once and use it consistently in request, approval, provisioning and certification. Stay tuned for more updates in coming months on OIM OIA convergence.
Q: When will OIA be totally integrated with OIM (single db)? Moreover will this integration mean that OIA (former Sun product) technology will be substituted by Oracle Role Manager technology? Will the two technologies be compatible?
A: As part of the SUN acquisition strategy, we announced that ORM is no longer strategic. OIA continues to be our strategic product for compliance features. OIM and OIA are integrated out of box, and over time we are converging them on a common data model and common architecture. This work will continue post R2.
Q: Is a certification matrix available for 11gR2 (for planning purposes)?
A: We have the certification matrix ready and we'll make it available at the same time that R2 is released. The R2 certification matrix will be published here: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
Q: OAM, OAAM, OIF, OESSO, OEG, Social and Mobile, all the features can be installed just by installing one OAM?
A: OAM, OIF, OAAM, and Mobile and Social can all be installed from a single install session. OESSO is separately installed.
Q: Both ODSEE and OID are directory products; does Oracle plan to consolidate its directory products with either ODSEE or OID?
A: ODSEE, OUD, and OID all continue to be developed. We have many ODSEE customers that are upgrading to OUD, but we continue to support all three actively as they tend to be attractive to different parts of our customer base.
Q: Do you have any clear upgrade path for OAM 10g customers, particularly on the obsolete Identity System/IDXML in 10g?
A: Our plan for IDXML is to provide a bridge from IDXML to OIM so that you are not required to rewrite the entire UI based on IDXML, but it is not part of R2 release. It is something that we are looking to address in our product roadmap.
Q: Is there an upgrade path available from OAM10gR3 to 11gR2?
Q: Is upgrade the only option for customers that need OAuth support in OAM?
A: Mobile and Social features are available in R2 and can run alongside of OAM 11g R1. The benefit of upgrading to R2 is that you can have OAM plus mobile/social in the same container.
Q: Does the IDM suite have a built-in two factor authentication component/feature?
A: Oracle Adaptive Access Manager offers risk-based authentication, multi-channel authentication, and other features that strengthen authentication. OAM also supports authentication through tokens and other strong authentication methods, but tokens & PKI features are not part of the suite and must be acquired separately.
Q: Is OIC (Oracle Identity Connect) part of this 11g R2 release?
A: Yes. We now refer to that functionality as "Mobile and Social" and it is a part of Oracle Access Management.
Q: Can you tell us a little bit more about ESSO/OAM integration in R2? Any particular features?
A: User authentication to eSSO (via machine logon) will start an OAM session to give users uninterrupted single sign-on to web and client server/host-based applications.
Q: How difficult is upgrading from OpenSSO 8.0?
A: We have a co-existence model whereby OAM can leverage OpenSSO Agents to simplify the upgrade process
Q: What are the Hardware requirements for Oracle Identity Manager 11g R2?
A: They will be listed in the release notes on OTN in August