Wednesday, May 24, 2017

OAM: Learning the basics - Part 3 - Understanding User Identity Store, Default Store and System Store

The following is the third post of the series, OAM: Learning the basics.

This series is intended to guide you through the basic concepts of OAM. I assume no prior knowledge or experience of OAM on your part.

Identity Stores in OAM: 

Simply put, these are the LDAP directories against which authentication happens.

There are three identity stores that you must be aware of:

User Identity store: A User Identity Store is a centralized LDAP repository in which an aggregation of Administrator and user-oriented data is stored and maintained in an organized way. Oracle Access Management supports multiple LDAP vendors, and multiple LDAP stores can be registered for use by Oracle Access Management and its services. 

By default, Oracle Access Manager ships with “UserIdentityStore1”. This identity store is configured against the Embedded LDAP Server of the WebLogic instance on which OAM is running.

However, the embedded LDAP server should only be used in test environments. For production, use an external identity store such as OUD, OID or AD.

Default store: The LDAP store designated as the Default Store is the automatic choice for use by LDAP authentication modules unless you configure use of a different store for the module or plug-in. 

Identity Federation supports multiple Identity Stores, which can be assigned on a per Identity Partner basis. Each Identity Store must be registered with Oracle Access Management. 

If no Identity Store is defined in the Identity Partner, the designated Default Store is used.

System store: Only one User Identity Store can (and must) be designated as the System Store. This is used to authenticate Administrators signing in to use the Oracle Access Management Console, remote registration tools, and custom administrative commands in WLST. 

Administrators using the Oracle Access Management Console or remote registration utility must have credentials stored in the System Store. 

Once you define a remote User Store as the System Store, you must change the OAMAdminConsoleScheme to use an LDAP Authentication Module that references the same remote user store (the System Store).
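The rules from the Default Store and System Store sections above (one System Store, fallback to the Default Store, no embedded LDAP in production, OAMAdminConsoleScheme bound to the System Store) as a small consistency check. This is an added example, not code from the original post or from Oracle; the dict layout, the "embedded" host marker and the store and module names are constructed for illustration and are not OAM's real configuration schema.

```python
# Added example (not from the original post): consistency check over a simplified,
# constructed model of OAM identity-store settings. The dict layout, the "embedded"
# marker and the names below are assumptions, not OAM's real oam-config.xml schema.

EMBEDDED_LDAP = "embedded"  # constructed marker for the WebLogic embedded LDAP server


def resolve_store(auth_modules, module_name, default_store):
    """Store an LDAP authentication module actually uses: its own configured store,
    otherwise the designated Default Store (the page's fallback rule)."""
    configured = auth_modules.get(module_name)
    return configured if configured is not None else default_store


def check_identity_stores(stores, auth_modules, admin_scheme_module, production=True):
    """Return a list of problems; an empty list means the configuration is consistent.

    stores: {store_name: {"host": str, "system": bool, "default": bool}}
    auth_modules: {module_name: store_name or None}   (None = no store configured)
    admin_scheme_module: the module referenced by OAMAdminConsoleScheme
    """
    problems = []
    system = [n for n, s in stores.items() if s.get("system")]
    default = [n for n, s in stores.items() if s.get("default")]

    # Exactly one store can (and must) be the System Store; one store is the Default Store.
    if len(system) != 1:
        problems.append(f"expected exactly one System Store, found {len(system)}")
    if len(default) != 1:
        problems.append(f"expected exactly one Default Store, found {len(default)}")

    # The embedded LDAP server is for test environments only.
    if production:
        for name in sorted(set(system + default)):
            if stores[name]["host"] == EMBEDDED_LDAP:
                problems.append(f"{name} is the embedded LDAP server but is used in production")

    # Administrators authenticate against the System Store, so the module behind
    # OAMAdminConsoleScheme must resolve to it (directly or via the Default Store).
    if len(system) == 1:
        effective = resolve_store(auth_modules, admin_scheme_module, default[0] if default else None)
        if effective != system[0]:
            problems.append(f"OAMAdminConsoleScheme module {admin_scheme_module!r} resolves to "
                            f"{effective!r}, not the System Store {system[0]!r}")
    return problems


# Constructed samples: the out-of-the-box layout taken to production unchanged, and a
# layout where an external OUD store is System and Default Store but the admin module
# is still bound to the embedded store.
OOTB = {"UserIdentityStore1": {"host": EMBEDDED_LDAP, "system": True, "default": True}}
MIGRATED = {"UserIdentityStore1": {"host": EMBEDDED_LDAP, "system": False, "default": False},
            "OUDStore": {"host": "oud.example.com", "system": True, "default": True}}

if __name__ == "__main__":
    print(check_identity_stores(OOTB, {"LDAP": None}, "LDAP"))
    print(check_identity_stores(MIGRATED, {"LDAP": "UserIdentityStore1"}, "LDAP"))
```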

In the next post, we will learn how to configure these identity stores.
Keep following....
