We are implementing a Centralized Security Program (Wi-Fi Security Platform or WSP) where all authentication and authorization are performed and are decoupled from all applications.
All authentication and authorization will be handled within the Wi-Fi Security Platform, which utilizes the following Oracle products (additional products are on roadmap):
· Oracle Identity Manager
· Oracle Access Manager
· Oracle Identity Federation
· Oracle Unified Directory
· Oracle Virtual Directory
We will provide Single Sign On as well as serve as both an Identity Provider and Service Provider. We will have multiple user directories connected via OVD and Federation.
Our current BO design and implementation has issues which prevent us from decoupling security from BO.
· All users are required to be stored locally within BO.
o This is not scalable nor is it compliant with security policies and best practices, i.e. user attestation must be performed every 180 days.
· The current implementation utilizes OVD to connect to several user directories and then replicates the users locally within BO.
· For our Federated customers, BO must impersonate a single user account since the user directory is managed by our federated partners.
o This prevents us from auditing user access
o All users receive the same access
WSP will be the trusted source for authentication and authorization. WSP will pass all authentication and authorization credentialing in HTTP headers to each application. We are requesting assistance in designing security integration with BO. At a minimum, we must provide both folder and report level security. We understand that a major redesign may be required in our BO implementation. We have read many articles on the SAP web site as well as other sources that indicate we can decouple security requirements from BO.
Items we need to accomplish include:
· Single Sign On to BO using a trusted source for authentication (OAM)
· SAML interpretation by BO
· Eliminate user information being retained in BO repository
· Federated customers access to BO reports
· BO acceptance and processing of header information passed from OAM
· Multi-level security levels for BO access
Has anyone implemented the type of security we are planning? If so, can you point me to some "real" and not "sales" documentation on how to perform this integration with BO 4.1?