FEDERATED IDENTITY MANAGEMENT
SUNY is the largest comprehensive system of public higher education in the United States, with 64
geographically dispersed campuses, more than 88,000 faculty and staff members, and 465,000 students.
Since 1980, SUNY has relied on distributed identity management and user authentication processes at
each institution. When the State of New York asked SUNY to also define each of SUNY’s 88,000 employees
in the state’s own user directory, SUNY worked with Oracle to devise a federated identity management
solution that would leverage SUNY’s existing security architecture, user IDs, and passwords for each staff
member to permit access to New York State’s services.
Dave Powalyk, chief technology officer (CTO) in the SUNY Office of Information and Technology (OIT), says
the goal was to permit campus employees to access both SUNY and state resources with their existing security
credentials by connecting SUNY’s identity management system to the state’s identity management system.
SUNY succeeded by using Oracle Identity Federation 11g, a complete solution for securely exchanging identity
information between two independent entities. This flexible, multiprotocol federation server works with existing
identity and access management systems, reducing the need to manage multiple accounts for each user.
“Oracle Identity Federation 11g gave us an out-of-the-box solution for interacting with the New York
State Office for Technology as both an identity provider and a service provider via SAML [Security Assertion
Markup Language] 2,” says Powalyk. “This was a first-ever federation between a New York State government
entity and the university, and it clearly demonstrated the power of the Oracle approach. In addition to Oracle
Identity Federation 11g, we are evaluating Oracle Access Manager 11g and Oracle Identity Manager 11g for
upcoming projects.”
SAML is an XML-based standard for exchanging authentication and authorization information among
security domains. Oracle supports both SAML and Shibboleth, a popular federation standard in the higher
education arena. Adherence to these standards ensures that SUNY can securely share identities with other
campus systems without having to manage, maintain, and administer additional identities and credentials.
“With Oracle Identity Federation 11g, Oracle has created an effective and efficient way of deploying a
federation model,” continues Powalyk. “This release reflects some of the specific features we requested from
Oracle. Oracle took the time to understand exactly what we needed, and it developed this software with its
customers’ needs in mind. This is just another great example of a true partnership between Oracle and SUNY.”
SUNY extended the default Oracle Identity Federation 11g behaviors by using the supplied third-party
extension classes to leverage SUNY’s existing Java entitlements, access services, and LDAP directories.
Paul Lienhard, a programmer/analyst at SUNY and the lead Java architect for this project, says the process
took only eight weeks from start to finish. “We have 64 campuses with their own LDAP directories, and we
needed to access all of them,” he explains. “Now users log in to the familiar identity management portal,
and Oracle Identity Federation 11g brokers the exchange with the outside SAML service provider.”
“Oracle Identity Federation 11g enabled us to take advantage of our existing infrastructure and wrap it
within an SAML identity provider,” adds Ken Runyon, the program manager for identity management at
SUNY OIT. “Tens of thousands of campus employees can access resources from the State, even though the
campus and the State use two completely different federation technologies. Oracle’s standards-based,
SAML 2.x approach enabled us to easily establish secure communications and pass all requested and
required attributes between these two independent entities.”
SUNY now provides federated access to New York State’s online training classes to faculty and staff at
every SUNY campus in a seamless and integrated manner. Other online resources will be available from the
State in the future. “The best part of the whole process is that we provided these services quickly and in a
manner that was best suited for our community,” Runyon says.
IDENTITY MANAGEMENT GLOSSARY

ATTESTATION
Compliance mandates often require periodic attestation—or confirmation/authentication—of users’ access to critical applications. Attestation requires that a defined approval workflow periodically reauthorizes access to sensitive information (typically financial data) that falls within a particular compliance mandate such as the Sarbanes-Oxley Act (SOX).

FEDERATED IDENTITY
The technologies and standards that provide portability of identity information across security domains to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration.

RESOURCE ACCESS CONTROL FACILITY (RACF)
An IBM security system that provides access control and auditing functionality for the z/OS and z/VM operating systems.

SECURITY ASSERTION MARKUP LANGUAGE (SAML)
An XML-based standard for exchanging authentication and authorization data between security domains—for example, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
ADHERING TO STANDARDS
Integration with Oracle Identity Federation 11g enables the SUNY community to seamlessly access federated
services provided by other higher education institutions as well. According to Lienhard, as long as it is a SAML
2–compliant identity management solution, Oracle Identity Federation 11g can work with that solution in a
straightforward fashion without any modifications to the SAML federation and communication architecture.
“Support for several industry federation standards in Oracle Identity Federation 11g enables SUNY to continue
its support of its custom ‘federation-like’ infrastructure as well as other federation technologies, such as
Shibboleth, within its existing federated identity infrastructure,” he says. “We were able to link the 64 campuses
that currently use our custom solution relatively easily, using the software Oracle provided, right out of the box.”