Thanks to everyone who joined us on our webcast with SANS Institute on "Demystifying External Authorization". Also a special thanks to Tanya Baccam from SANS for sharing her experiences reviewing Oracle Entitlements Server. If you missed the webcast, you can catch a replay of the webcast here.
Here is a compilation of the slides that were used on today's webcast.
SANS Institute Product Review: Oracle Entitlements Server
We have captured the Q&A from the webcast for those who couldn't attend.
Q: Is Oracle ADF integrated with Oracle Entitlements Server (OES) ?
A: In Oracle Fusion Middleware 11g and later, Oracle ADF, Oracle WebCenter, Oracle SOA Suite and other middleware products are all built on Oracle Platform Security Services (OPSS). OPSS provides many security functions like authentication, audit, credential stores, token validation, etc. OES is the authorization solution underlying OPSS. And OES 11g unifies different authorization mechanisms including Java2/ABAC/RBAC.
Q: Which portal frameworks support the use of OES policies for portal entitlement decisions?
A: Many portals including Oracle WebCenter 11g run natively on top of OES. The authorization engine in WebCenter is OES. Besides, OES offers out of the box integration with Microsoft SharePoint. So SharePoint sites, sub sites, web parts, navigation items, document access control can all be secured with OES. Several other portals have also been secured with OES, e.g. IBM WebSphere Portal.
Q: How do we enforce Separation of Duties (SoD) rules using OES (also how does that integrate with a product like OIA)?
A: A product like OIM or OIA can be used to set up and govern SoD policies. OES enforces these policies at run time. Role mapping policies in OES can assign roles dynamically to users under certain conditions. So this makes it simple to enforce SoD policies inside an application at runtime.
Q: Our web application has objects like buttons, text fields, drop down lists etc. Is there any "autodiscovery" capability that allows me to use/see those web page objects so you can start building policies over those objects? Or how does it work?
A: There are a few different options with OES. When you build an app, and make authorization calls with the app in the test environment, you can put OES in discovery mode and have OES register those authorization calls and decisions. Instead of doing this after the fact, an application like Oracle iFlex has built-in UI controls where when the app is running, a script can intercept authorization calls and migrate those over to OES. And in Oracle ADF, a lot of resources are protected so pages, task flows and other resources can be registered without OES knowing about them.
Q: Does current Oracle Fusion application use OES ? The documentation does not seem to indicate it.
A: The current version of Fusion Apps is using a preview version of OES. Soon it will be replaced with OES 11g.
Q: Can OES secure mobile apps?
A: Absolutely. Nowadays users are bringing their own devices such as a smartphone or tablet to work. With the Oracle IDM platform, we can tie identity context into the access management stack. With OES we can make use of context to enforce authorization for users accessing apps from mobile devices. For example: we can take into account different elements like authentication scheme, location, device type etc. and tie all that information into an authorization decision.
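To make the two answers above concrete (runtime role mapping with an SoD rule, and context-aware decisions on authentication scheme, device and location), here is an added illustration of an externalized policy decision point. It is hypothetical example code written for this post, not Oracle Entitlements Server's API; the users, groups, roles and policy shapes are constructed.

```python
"""Hypothetical external-authorization PDP (not OES code): roles are mapped per
request, a separation-of-duties rule denies conflicting role combinations, and
resource policies consult request context (auth scheme, device, location)."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    user: str
    action: str
    resource: str
    context: dict = field(default_factory=dict)  # auth_scheme, device, location

# Constructed sample data standing in for a directory and a governance store.
USER_ATTRS = {
    "alice": {"groups": {"ap-clerks"}},
    "bob":   {"groups": {"ap-clerks", "ap-approvers"}},   # toxic combination
    "carol": {"groups": {"ap-approvers"}},
}
# Role-mapping rules: (role, condition on user attributes). Roles are derived at
# decision time, so a change in group membership takes effect on the next call.
ROLE_RULES = [
    ("invoice_creator", lambda a: "ap-clerks" in a["groups"]),
    ("invoice_approver", lambda a: "ap-approvers" in a["groups"]),
]
# SoD rule: these roles must never be held together (defined in governance, enforced here).
SOD_CONFLICTS = [{"invoice_creator", "invoice_approver"}]
# Resource policies: (action, resource, required role, condition on request context).
# Approval needs MFA, and from a mobile device only when on the corporate network.
POLICIES = [
    ("create", "invoice", "invoice_creator", lambda c: True),
    ("approve", "invoice", "invoice_approver",
     lambda c: c.get("auth_scheme") == "mfa"
     and (c.get("device") != "mobile" or c.get("location") == "corp")),
]

def map_roles(user: str) -> set:
    attrs = USER_ATTRS.get(user, {"groups": set()})
    return {role for role, cond in ROLE_RULES if cond(attrs)}

def decide(req: Request) -> tuple:
    """Return (effect, reason); the application (PEP) only enforces the effect."""
    roles = map_roles(req.user)
    if any(conflict <= roles for conflict in SOD_CONFLICTS):
        return "DENY", "separation-of-duties conflict"
    for action, resource, role, cond in POLICIES:
        if (action, resource) == (req.action, req.resource) and role in roles and cond(req.context):
            return "PERMIT", f"role {role}"
    return "DENY", "no matching policy"  # default deny
```

Because the application only asks `decide()` and enforces the answer, the SoD rule and the device/location conditions can change without touching application code, which is the point of externalizing authorization.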
Q: Does Oracle Entitlements Server (OES) have an ESAPI implementation?
A: OES is an authorization solution. ESAPI/OWASP is something we include in our platform security solution for all Oracle products, not specifically in OES.
Q: ESAPI has an authorization API. Can I use that API to access OES?
A: If the API supports an interface / SSPI model that can be configured to invoke an external authz system through some mechanism, then yes.