Infosys’ blog on industry solutions, trends, business process transformation and global implementation in Oracle.


Integrating On-Premise Security with Oracle Cloud Applications

When I was in a group discussion recently, I saw people raising many interesting questions about Oracle Cloud security and how it can be integrated with on-premise applications. In fact, with growing cloud adoption, today's IT administrators find themselves at a critical juncture, facing more challenges than well-defined solutions when they have to propose an integrated security setup.

  • How can I restrict access to the cloud applications we have subscribed to?
  • Do employees have to memorize one more password for cloud access?
  • How are the credentials for cloud accounts maintained?
  • How can cloud access be removed automatically for employees who have left?
  • How can I get usage reports for my cloud application?

Identity setup and access management is an ongoing problem. Most organizations already have their own identity and access management setup to restrict access to their on-premise applications. Business processes have evolved over the years and been standardized around in-house Identity and Access Management (IAM) systems such as Oracle's Identity and Access Management Suite. In most small and medium-sized organizations, business processes are built on the concept of controlling user access simply by implementing Microsoft Active Directory (AD).

Access to cloud applications needs to be controlled as well, without increasing operational costs and without compromising the security of current business processes. The new process also needs to be simple. This is exactly where the Security Assertion Markup Language (SAML), a standard that is more than a decade old, flexible and very powerful, can be leveraged. Since most organizations already know their users and maintain their identities in an intranet directory or Active Directory, it is easy and sensible to reuse the same login to sign users into cloud and other web-based applications, and SAML is one of the more graceful ways of doing so.

Now that Oracle Cloud supports single sign-on based on the SAML 2.0 standard, Oracle Cloud Applications (the Service Provider) can be configured to trust the authentication data, and any user attributes sent with it, that come from the on-premise IAM system (the Identity Provider). Access to Oracle Cloud Applications can thus be managed and restricted from the on-premise IAM system. Some advantages of this single sign-on standard:

  • Users are not required to type in their credentials again, because the existing identity-provider session is reused.
  • End users find it very convenient: they do not need to remember another password for the cloud apps, since their AD/intranet password works for Oracle Cloud Apps too, with no extra passwords to remember or renew.
  • Admins can revoke access for employees who leave the organization immediately, by disabling the account in the on-premise IAM system. Note that this blocks new logins; a session already established at the cloud application lasts until it expires, so cloud session lifetimes should be kept short.
  • A consolidated view of on-premise versus cloud application access can be obtained by running reports in the existing IAM system.
  • Peace of mind for security admins, as their cloud applications are protected by the same authentication policy (password rules, lockout, any second factor) that applies to their in-house applications.

When we subscribe to any Oracle cloud service, such as RMCS, BICS or PBCS, the Identity Domain administrator can log into the My Services console and configure single sign-on under the Users → SSO Configuration tab.

Here, administrators provide the signing certificate and related metadata (such as the entity ID and sign-on URL) of the on-premise IAM system, and then download the cloud service's own metadata so that the IAM system can recognize the Oracle Cloud app as a service provider. The certificate uploaded here is what the cloud application uses to verify the signature on every assertion it receives, so it must be the identity provider's current signing certificate and must be replaced before it expires.

Once this is in place, when an end user tries to access an Oracle Cloud App, the browser is redirected to the on-premise IAM system for authentication; after successful authentication it is redirected back to the cloud app, which then serves the requested content to the browser.

The diagram above shows the flow for service-provider-initiated single sign-on. Identity-provider-initiated SSO is also possible: there the end user starts directly at the on-premise IAM system, as denoted by the blue line in the diagram. In that case the cloud app receives an unsolicited response with no request of its own to match it against, so it has to rely entirely on the signature, audience and validity-window checks.

How does SAML work for SSO?

Here, SAML transfers the user's identity from the Identity Provider (the IAM system) to the Service Provider (Oracle Cloud) by exchanging XML documents, with the assertion that carries the identity digitally signed by the identity provider.

Let us assume a user who is known to the identity provider and wants to log into a remote service provider's cloud application. The following happens:

  1. The user accesses the remote application by clicking a link, which loads the application.
  2. The application identifies the user's origin and sends an authentication request (a SAML AuthnRequest), redirecting the user's browser to the identity provider.
  3. The user establishes an active browser session by logging into the identity provider, or an existing session is reused.
  4. The identity provider sends the authentication response to the service provider: an XML document containing the user's identifier, signed with the identity provider's private key; the matching X.509 certificate identifies the signer.
  5. The service provider retrieves the authentication response and validates its signature against the identity provider certificate it already holds from the SSO configuration, then checks that the assertion was issued for it (audience), answers its own request, and is still within its validity window.
  6. The client's identity is thus established and access to the application is allowed.
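The exchange in steps 4 to 6 above, as an added worked example in Go that is not part of the original post and is not Oracle's or any IAM vendor's implementation: the identity-provider side issues a short-lived assertion bound to the service provider's request ID and signs it; the service-provider side verifies the signature with the registered identity-provider key first and only then checks issuer, audience, InResponseTo, expiry and one-time use before trusting the NameID. The entity IDs and the user are constructed placeholders. Two simplifications are assumptions of this example, not of SAML: the signature is a detached RSA-SHA256 signature over the serialized assertion rather than the enveloped XML-DSig with canonicalization that real SAML uses, and the assertion carries a single Audience. A production service provider additionally checks NotBefore, the Destination of the response and the Recipient and NotOnOrAfter of SubjectConfirmationData, omitted here for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// Constructed identifiers (assumptions): in practice the IdP entity ID comes from the
// on-premise IAM metadata and the SP entity ID from the downloaded cloud service metadata.
const (
	idpEntityID = "https://idp.example.com/saml" // on-premise IAM system = Identity Provider
	spEntityID  = "https://cloud.example.com/sp" // Oracle Cloud application = Service Provider
)

// Assertion maps the subset of a SAML 2.0 <Assertion> the checks need (single Audience).
type Assertion struct {
	XMLName    xml.Name   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID         string     `xml:"ID,attr"`
	Issuer     string     `xml:"Issuer"`
	NameID     string     `xml:"Subject>NameID"`
	Confirm    Confirm    `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
	Conditions Conditions `xml:"Conditions"`
}
type Confirm struct {
	InResponseTo string `xml:"InResponseTo,attr"` // ID of the AuthnRequest being answered
}
type Conditions struct {
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}

// SignedAssertion stands in for the IdP's response: the assertion bytes plus a detached
// RSA-SHA256 signature over exactly those bytes (real SAML uses an enveloped XML-DSig
// signature with canonicalization; the checks that follow are the same either way).
type SignedAssertion struct{ XML, Signature []byte }

// IssueAssertion is the identity provider side (step 4): once the user has logged in,
// bind an assertion to the SP's request, give it a short lifetime and sign it.
func IssueAssertion(priv *rsa.PrivateKey, nameID, requestID string, now time.Time) (SignedAssertion, error) {
	var idb [12]byte // random assertion ID, so the SP can detect a replayed assertion
	if _, err := rand.Read(idb[:]); err != nil {
		return SignedAssertion{}, err
	}
	body, err := xml.Marshal(Assertion{
		ID: fmt.Sprintf("_%x", idb), Issuer: idpEntityID, NameID: nameID,
		Confirm: Confirm{InResponseTo: requestID},
		Conditions: Conditions{Audience: spEntityID,
			NotOnOrAfter: now.Add(5 * time.Minute).UTC().Format(time.RFC3339)},
	})
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return SignedAssertion{XML: body, Signature: sig}, err
}

// NewValidator is the service provider side (steps 5 and 6): bound to the IdP public key
// registered during SSO configuration, it returns the asserted NameID only if the signature
// verifies and the assertion is from our IdP, for us, answering our request, fresh and unused.
func NewValidator(idpKey *rsa.PublicKey) func(sa SignedAssertion, expectedRequestID string, now time.Time) (string, error) {
	seen := map[string]bool{}
	return func(sa SignedAssertion, expectedRequestID string, now time.Time) (string, error) {
		digest := sha256.Sum256(sa.XML) // verify before parsing: the bytes are untrusted until then
		if err := rsa.VerifyPKCS1v15(idpKey, crypto.SHA256, digest[:], sa.Signature); err != nil {
			return "", fmt.Errorf("signature does not verify against the registered IdP key")
		}
		var a Assertion
		if err := xml.Unmarshal(sa.XML, &a); err != nil {
			return "", err
		}
		expiry, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
		switch {
		case a.Issuer != idpEntityID:
			return "", fmt.Errorf("unexpected issuer %q", a.Issuer)
		case a.Confirm.InResponseTo != expectedRequestID:
			return "", fmt.Errorf("InResponseTo does not match the AuthnRequest we sent")
		case a.Conditions.Audience != spEntityID:
			return "", fmt.Errorf("assertion was issued for a different audience")
		case err != nil || !now.Before(expiry):
			return "", fmt.Errorf("assertion has expired or carries no usable NotOnOrAfter")
		case seen[a.ID]:
			return "", fmt.Errorf("assertion ID already consumed (replay)")
		}
		seen[a.ID] = true
		return a.NameID, nil
	}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // IdP key; the SP only ever holds the public half
	sa, _ := IssueAssertion(priv, "alice@example.com", "_req-42", time.Now())
	fmt.Println(NewValidator(&priv.PublicKey)(sa, "_req-42", time.Now()))
}
```

Run it with `go run`; to see the checks fail, present the same assertion twice, move the clock past NotOnOrAfter, or flip a byte of the XML before validating. Note the ordering: the signature is verified before anything inside the XML is read, so a tampered Issuer or Audience is never even compared, and an assertion signed by any key other than the one registered in the SSO configuration is rejected regardless of its contents.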

That is how organizations can retain full control over Oracle Cloud Apps by leveraging their existing IAM infrastructure and security policies.
