More than 30 IDM realisations in the Czech Republic and abroad

AMI Praha Reference IdM Development 2013

IdM Development 2013


The project to upgrade SUN Identity Manager version 7.1 to Oracle Waveset 8.1 was completed on time and on budget.

Project goal

The aim of the project was to upgrade the outdated SUN Identity Manager 7.1 to the latest version of the product, now sold under the new vendor's name as Oracle Waveset 8.1, which has promised support until 2017.

As part of this upgrade, which had to be done without restricting existing operations, it was also expected to replace some obsolete end-system adapters, unify adapters and code, perform slight performance tuning, and remove SUN Access Manager as the authentication agent for IDM.

Project description

The product upgrade and the functional changes were carried out in only three environments, without adding any further environments. This reduced the project budget, but it increased the risk associated with fixing bugs in the production environment while the new product version was already being tested in the test environment.

The project, which lasted almost a year, was completed on time, within budget and in line with the quality requirements.

Solution description


The upgrade itself had to be done in two steps: first to version 8.0 and then to the required version 8.1. The upgrade was performed using Oracle migration tools and took place without any major complications.

Adapters to end systems

Some of the adapters were replaced with more modern connectors that can later be used in the Oracle Identity Manager product, which has a different platform for the product itself, but the same connector platform.

Adapters for these end systems have been replaced:

SAP – a new connector that supports role splitting (black/blue), brings management of new attributes such as mobile phone (this allowed the workaround functionality that set this attribute separately alongside the adapter to be removed), allows connection to multiple SAPs (failover) and other administrative connector settings that improved user processing speeds.

MS AD – a new connector that supports script execution and user management on 64-bit Active Directory.

RSA – a new adapter that no longer uses shell calls but classic web services. In addition, it supports the new RSA version 7.1, which was upgraded from the old version 6 in a tight connection at CEZ ICT.

Replacing metaview

The obsolete metaview system, which was no longer supported on the new version, was replaced by custom forms. This also allowed some SAP attributes to be set independently of individual SAP modules (such as language, time zone, and others).

Replacement of Access Manager

All servers running the SUN Access Manager product, which provided two-factor authentication to the IDM admin environment and provided Single Sign-On (SSO) for the IDM user interface, were removed from the CEZ ICT Services architecture.

The SSO functionality was replaced with functionality directly in IDM, where SSO was simulated by a virtual end system to which all users in the domain had access. IDM then used the SPNEGO Java library to authenticate against the domain and log the user in to the IDM user interface.

The two-factor authentication to the IDM admin environment was replaced by authentication against RSA keychains with a strong PIN (10 alphanumeric characters). Thus, the IDM checks only a strong enough PIN for admin access.
