
Architecture

Oracle Identity Manager is a three-tier web application that also provides a command line and a thick client (Design Console) for administration purposes. It leverages a wide range of Oracle proprietary and open source technologies.

The following diagram identifies some of the important components of Oracle Identity Manager.

[Diagram: OIM Component Architecture]

OIM is primarily a J2EE application. Its core is packaged and deployed as oim.ear (available in the $MW_HOME/Oracle_IDM1/server/apps folder). This application implements most of the OIM business services and exposes them as needed through EJBs. Most of the other web applications that provide interfaces to end users and external applications (such as self-service, admin, SPML and SCIM) are packaged as separate applications and deployed on the same WebLogic managed server. These applications use the OIM client APIs (which are essentially EJB clients) to perform the operations exposed by the core OIM application.

In addition to the interfaces identified above, OIM also exposes various Management Beans (JMX) through the WebLogic JMX infrastructure. The Oracle Enterprise Manager console (EM console), available on the admin server (typically http://<host name>:7001/em), can be used to access these JMX beans and perform various operations. The Oracle EM product also provides a customized, user-friendly UI for performing administrative operations.

Besides the core application, OIM leverages other Oracle products, namely Oracle SOA/BPEL for approvals and Oracle BI Publisher for reporting. The SOA component has been tightly integrated with OIM since OIM 11g. BI Publisher is part of the core installation and configuration starting with OIM 11g R2 PS3.

Components of OIM

Identity Self Service UI - is the web interface used by business users to manage users, roles, organizations and policies. End users can also submit and track their own requests and approve requests assigned to them.

[Screenshot: OIM Self-service UI (11g R2 PS3)]

Identity System Admin UI - is the web interface used by system administrators to configure the product.

OIM Enterprise Manager - This is an Oracle application that allows system administrators to manage, configure and monitor OIM infrastructure.

Design Console - A thick client used by OIM developers to configure the provisioning and reconciliation processes. This application is typically available in $MW_HOME/Oracle_IDM1/designconsole and is configured as part of the OIM configuration process.

SPML - is a web service interface available to external applications for integrating with OIM. It has been deprecated since PS3 in favor of the SCIM web service.

SCIM - is a newer, standards-based web service (available since PS3) for external applications and web UIs to integrate with OIM. It implements part of the SCIM standard plus proprietary Oracle extensions as a REST API, which can be used to integrate external UIs and applications with OIM. The first release (i.e. PS3) is NOT functionally complete.

Data Management API - collectively represents the EJB-based interfaces that allow external applications and the out-of-the-box web UI to manage entities such as users, roles and organizations. It consists of 11g interfaces (for user, role, request and similar entities) and 9i interfaces (identifiable as tc interfaces and primarily geared towards the provisioning engine), available through two mechanisms: OIM Client (for external applications) and OIMPlatform (for extensions running within the OIM address space, such as plugins, event handlers and scheduled tasks).
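The two access paths described above, as an added example (not code from this page or from Oracle): an external client authenticates over T3 with a service account and obtains the 11g UserManager interface, while an in-process extension obtains the same interface through Platform without any login. Host, port and the authwl.conf path are placeholders; credentials are read from environment variables.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.Platform;

public class OimApiAccess {

    // Attributes returned for the lookup; names are OIM user attribute ids
    private static final Set<String> RET_ATTRS =
            new HashSet<>(Arrays.asList("User Login", "Display Name", "Status"));

    /** External application path: OIM Client over T3 with an authenticated session. */
    public static User lookupFromExternalClient(String login) throws Exception {
        // JAAS config shipped with the Design Console (designconsole/config/authwl.conf); path is a placeholder
        System.setProperty("java.security.auth.login.config", "/path/to/authwl.conf");
        System.setProperty("APPSERVER_TYPE", "wls");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://oim-host.example.com:14000"); // placeholder

        OIMClient client = new OIMClient(env);
        // Service account credentials come from the environment, never from source or config in the repo
        String user = System.getenv("OIM_API_USER");
        char[] password = System.getenv("OIM_API_PASSWORD").toCharArray();
        client.login(user, password);
        try {
            // Calls made through the client run as the logged-in account and are subject to OIM authorization
            UserManager userMgr = client.getService(UserManager.class);
            return userMgr.getDetails("User Login", login, RET_ATTRS);
        } finally {
            Arrays.fill(password, '\0'); // do not leave the secret in heap memory
            client.logout();             // always release the server-side session
        }
    }

    /** In-process path for event handlers, scheduled tasks and plugins running inside oim.ear. */
    public static User lookupFromPlatform(String login) throws Exception {
        // No login: the call inherits the privileges of the OIM server process itself,
        // so any extension exposing this must perform its own authorization checks first
        UserManager userMgr = Platform.getService(UserManager.class);
        return userMgr.getDetails("User Login", login, RET_ATTRS);
    }
}
```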

Request Engine - is the core feature that manages the life cycle of user requests based on various events and triggers. It is typically used by the other entity management APIs and the user interface to initiate requests. In addition, the Orchestration Engine has request-specific event handlers that interact with the request engine to update request details and status.

Separation of Duty - is the core engine used by other components to trigger and validate separation-of-duty concerns at specific steps in the various process flows.

Access Policy - Access policies are used to automate the provisioning of target systems to users. An access policy allows provisioning of one or more accounts (and/or entitlements) to a user based on the roles assigned to that user. This is probably one of the most powerful and most misunderstood features of OIM. You should understand the various idiosyncrasies of the Oracle implementation, map them to your specific requirements and understand the potential future pitfalls before using the feature.

Orchestration Engine - forms the core functionality that takes an OIM event through its life cycle. These events are typically generated by the OIM Data Management APIs, the request engine, the access policy engine and so on, and are then taken through the defined life cycle, which typically consists of validation, pre-process, action, audit, post-process and finalization event handlers. Like many of the 11g features, such as the request engine, the orchestration engine has been maturing over multiple releases.

Scheduler Engine - is the task scheduler that allows the system to create and process time-based events. It is typically used to process external events in batch (reconciliation), to process internal timed events (such as future on-boarding) and for other processes (such as catalog updates and access policy evaluation) that need to execute in a single transaction.

Audit Engine - provides the ability to generate audit events and save them in the database for easy reporting.

Notification - OIM provides a notification template and email notification engine that can be used to define and send emails based on specific conditions during event processing. For various reasons, OIM provides different email dispatch engines that can be configured to work with notifications.

Form - OIM uses forms to define system entities (such as users and accounts/application instances) and model them in the OIM database. In addition, the various user interfaces use the form definitions to control how these entities are displayed to end users and system administrators.

Provisioning Engine - is responsible for translating account events into the corresponding target system operations based on the provisioning process definition. These account events may be triggered by automation (such as access policies or attribute linking), timed events or user requests.

Identity Connector Factory (ICF) / Generic Technology Connector (GTC) / Adapter Factory - are the various frameworks for standardizing and implementing target-system-specific operations. These frameworks have been developed over time, and at this point ICF is the recommended framework for integrating new target systems with OIM.

Deployment (Export/Import) - OIM uses a proprietary Nexaweb component to export and import entity definitions and configuration. This, together with ADF sandboxes and MDS, forms the major components of the deployment and environment migration process.

Plugin Framework - is a good integration framework leveraged within the product to allow functionality extensions. Even though it is used extensively within OIM, there is no easy way to identify and document all the plugin points available within the product.

Besides the various internal components, OIM also leverages many other Oracle technologies that add to the overall product complexity. Given the level of integration involved, it is important to understand the significance and idiosyncrasies of the various components used in OIM.

Authentication - OIM uses the security infrastructure of the underlying application server (WebLogic) to authenticate users. This allows OIM to support the various authentication mechanisms that WebLogic supports.

Authorization - The security model within OIM is spread across ADF JAZN (Java Authorization) and OES policy modelling. Each of these components must be understood well to get a complete picture of the security model. With PS3, OIM also features additional configurable constructs, namely Admin Roles, Capabilities and Self-service Capabilities, which provide a user-friendly interface to the underlying JAZN and OES systems.

MDS (Metadata Service) - is an Oracle product that provides a versioned file store, which OIM uses to hold configuration information. It is an important part of UI customization, since the underlying framework leverages MDS to support end-user and administrator customizations. Other components such as OWSM and Oracle SOA also use it to store metadata. It is typically deployed as a separate schema within the OIM database.

Cache - OIM leverages multiple caches in different places to improve its performance. Most modules use a common caching module that provides basic configuration and control capabilities.

TopLink - is an ORM implementation used within OIM for specific use cases and scenarios. Due to the inherent complexity and performance requirements, OIM uses a large number of SQL queries within the product. Most of these queries are stored in a file in the META-INF folder of the corresponding jar file.
