Considering Various Active Directory and Oracle Identity Manager Integration Options

There are a number of different ways of integrating different versions of Microsoft’s Active Directory (including ADFS and FIM) with different versions of Oracle’s Identity Management suite. Unfortunately for the implementer there is very little published architecture best practice covering identity migration / integration. This is surprising given both vendors’ large market share and the number of organisations each year that switch products or add new features using the other vendor’s software. As an example, the following migration / integration options are available when moving from AD to Oracle.

  • You can choose to keep the existing AD as the master identity repository and use the Oracle Identity Manager connector between the two products.
    • The connector supports Active Directory and Active Directory Lightweight Directory Services (AD LDS), formerly known as Microsoft Active Directory Application Mode (ADAM), either as a managed target resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.
    • If, with this approach, you wish to synchronise users’ passwords from Microsoft Active Directory (AD) to Oracle Identity Manager (OIM), you must also install the Microsoft Active Directory Password Synchronization connector.

  • A connector, though, may be insufficient for all your organisational needs. For example, you may have issues aligning password policies or granting privileged access, or you may wish to clean up your data through an identity reconciliation process. In this case you may wish to migrate Active Directory records to Oracle Internet Directory. There are, however, multiple ways to achieve user migration (each has different benefits and, obviously, works with different versions). For example:
    • The Oracle Internet Directory Data Management Tools provide bulk loading utilities which can import AD data using either a database connector or a native connector.
    • An LDAP bind using mapping rules that modify the DomainRules and AttributeRules as follows.
    • An LDIF export or other data interchange format.
    • An end-user re-registration process, with SSO-enabled federation between the two identity repositories.
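As an added illustration of the LDIF-export route combined with domain and attribute mapping rules (this is example code written for this post, not the author’s or Oracle’s, and the rule tables are plain Python dictionaries rather than Oracle’s own DIP mapping-file syntax), the script below parses a constructed AD export, applies assumed DomainRules and AttributeRules, and drops every attribute that has no rule so that AD-internal values such as the password blob and objectGUID cannot leak into the target directory:

```python
import base64

# Constructed AD LDIF export used as sample input (not real directory data; lines are unfolded).
AD_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=corp,DC=example
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
mail: jdoe@corp.example
objectGUID:: AQIDBAUGBwgJCgsMDQ4PEA==
unicodePwd:: AHAAYQBzAHMA
"""

# Assumed rules (not Oracle's mapping-file syntax): DomainRules map an AD container to an OID
# container, AttributeRules map AD attributes to OID attributes; anything without a rule is dropped.
DOMAIN_RULES = {"ou=users,dc=corp,dc=example": "cn=Users,dc=example,dc=com"}
ATTRIBUTE_RULES = {"cn": "cn", "sAMAccountName": "uid", "mail": "mail"}
OBJECTCLASS_RULES = {"user": ["inetOrgPerson", "orclUserV2"]}  # target object classes assumed

def parse_ldif(text):
    """Parse unfolded LDIF into a list of {attr: [values]}; '::' values are base64-decoded."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:     # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        else:
            attr, value = line.split(":", 1)
            decoded = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
            cur.setdefault(attr, []).append(decoded)
    return entries

def map_entry(entry):
    """Apply the rules to one AD entry; an entry outside a known container is rejected, not guessed."""
    container = entry["dn"][0].split(",", 1)[1].lower()
    if container not in DOMAIN_RULES:
        raise ValueError(f"no DomainRule for container {container!r}")
    out = {}
    for attr, values in entry.items():
        if attr == "objectClass":
            out[attr] = [c for v in values for c in OBJECTCLASS_RULES.get(v, [v])]
        elif attr in ATTRIBUTE_RULES:
            out[ATTRIBUTE_RULES[attr]] = list(values)
    out["dn"] = [f"uid={out['uid'][0]},{DOMAIN_RULES[container]}"]  # RDN rebuilt from the mapped uid
    return out

def migrate(ad_ldif):
    """Return the OID-ready entries for every AD entry in the export."""
    return [map_entry(e) for e in parse_ldif(ad_ldif)]
```

Serialising the returned dictionaries back to LDIF for an OID bulk load is left to the reader; the point here is that the mapping is deny-by-default and fails closed on containers that no DomainRule covers.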

The above are just examples of the various ways in which integration / migration is possible. What is intangible is the business benefit of any migration. For example, how do the write-down costs on the legacy directory system compare with the benefits of a remediated identity repository? I’ve written previously on the business case for Identity Management, which is always subjective to the organisation. Enterprise Architecture, though, is about collective best practice, but frameworks such as TOGAF (e.g. an Identity Management solution in TOGAF) are often at too high a level for an Identity Management implementation project. As a result, each implementation becomes the responsibility of the point architect, who must understand the best practice relevant to the various systems and propose and agree that architecture.
