I have been running Oracle Identity Management 10g with heavy use of 10g SSO capabilities. Much of our web security architecture along with application authentication relies on this infrastructure. What do I do as development begins to shift from OracleAS to WebLogic, and our middleware stack goes from 10g to 11g? We will need to run 10g and 11g in production side-by-side for some period of time.
This is a question many of our customers are asking, and the confusion is understandable. Oracle hasn’t provided the clearest of answers, and identity management initiatives in general are not for the faint of heart. The fact is that 11g identity management has begun a paradigm shift away from the 10g approach. The good news is that customers have options as they inevitably run 10g and 11g together in their environments, since identity management solutions span applications and nobody (that I know of) decides to upgrade all of their enterprise applications at once.
In 11g, you have the option of integrating applications (i.e. ADF 11g applications) running on WebLogic with 10g SSO through identity asserters. This approach passes header information to WebLogic that enables it to “trust” a user authenticated via 10g SSO, much like it would trust AD or any other form of identity assertion. As you move to an 11g identity management stack, you will not find 10g SSO as you know it anywhere. You will need to buy into the OAM (Oracle Access Manager) 11g model, which includes a robust enterprise access management approach in line with 11g applications that rely on J2EE security standards like JAAS.