MySTF - An Enterprise Access Management Success Story



 

The 21st century is the era of the Internet. As the Internet has become the primary method for disseminating information, companies and government agencies are faced with the challenge of regulating the access of external users and employees to various data while also keeping track of who has access to what resources. So the organizations are increasingly reliant on identity and access management solutions to increase regulatory compliance, cut operational costs and improve application security and usability.

Recently, ESTI had the privilege to work with the Saskatchewan Teachers' Federation (STF) to deploy an external facing Oracle Access Manager (OAM) stack to protect the member's only section of the STF's newly enhanced web system - MySTF. This new system serves vital information to Saskatchewan's teacher community. ESTI has worked closely with the STF's business and IT staff through all phases from access management product selection all the way to successful deployment of the Oracle Access Manager functions.

Figure 1: STF's new web system designed by a well-known Saskatoon based web design company

Challenges

  • Integrate a Drupal based, highly customized, web portal application with the Oracle Identity Management suite and perform authentication and authorization functionalities.
  • Simplify user management and authentication for more than 14,000 external users ensuring fast uptake and satisfaction while meeting the STF's security standards.
  • Replace multiple identity repositories with a single source of identity and access information to optimize data access and credentials management and reduce IT costs.
  • Inter-organizational Single Sign-On service was required so that users authenticated to the STF web system could access and securely transmit identity information to a custom developed pension calculator hosted by a partner organization in a geographically distributed data center.

Solution

  • A PHP-based Drupal module was developed to broker the authentication and authorization requests. This module intercepts requests from Oracle Access Manager before it reaches the Drupal internal framework.  It extrapolates HTTP request header parameters and transforms user identity and authorization information in a way that Drupal can understand, and hands off the request to Drupal's internal framework.
  • A set of Java REST-based web services was implemented to encapsulate the Java APIs provided by OIM. The PHP based Drupal web portal was then re-architected to consume the web services and implement new user and password management functionalities provided with OIM.
  • The outdated OID based identity repository, and the database based identity store, were migrated into a single replicated Microsoft Active Directory, and then integrated with Oracle Access Manager to be the single source of identity for the external users. This helped reduce capital and operating expenditures.
  • Oracle Identity Federation along with Active Directory ADFS was used to establish a SAML 2.0 compliant federated access.

Benefits to the STF and Members

  • The technological uncertainty was removed and desired functionality was achieved because users did not need to login twice. User authentication and authorization functions are centrally maintained within OAM supporting the COBIT and ITCG control objectives, reducing maintenance, and ensuring consistency within the system.
  • Introduction of the following user and password management functions as provided by OIM.
    • First time login processing
    • Password recovery
    • Self-registration
    • Password policy implementation

These allowed the STF to enforce internal security policies and provide the highest service levels by automating user administration tasks.

  • Consolidation of user identity repositories thus reducing capital and operating expenditures.
  • 'Federated access with the partner organization hosting the pension calculator allowing for secure and seamless access to the shared resources.
  • ESTI would like to congratulate our long term partner, the Saskatchewan Teacher's Federation on the successful launch of their new web portal.

Why ESTI

ESTI has been an Oracle partner since 1996, and has maintained a steady focus on Oracle technologies since the early 1990's. ESTI has had a project team focusing on providing Identity and Access Management based services for a number of years.  Whether it be Oracle based technology, or the ForgeRock based technology suite, we have successfully provided these services to multiple western Canadian clients during that time. Our team of experts are skilled at mapping identity and access management best practices in a variety of areas including:

  • Access Management
    • Oracle Access Manager, ForgeRock OpenAm, and Oracle WaveSet
  • Provisioning
    • Oracle Access Manager, ForgeRock OpenIDM, and Oracle WaveSet
  • Directory services
    • Oracle Unified Direct (OUD), Oracle Directory Server Enterprise Edition (ODSEE), ForgeRock OpenDJ, and Microsoft Active Directory
  • Identity Gateways
    • ForgeRock OpenIG and Oracle Webgate

SHARE






MOST RECENT




RELATED POSTS