WebLogic Identity Assertion Provider-->Details


 

Overview

When using 2-way SSL, WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing an SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to define a user name mapper that maps the digital certificate of a client to a user in a WebLogic Server security realm.

Use this page to activate the default user name mapper and specify which attributes in a digital certificate are used to create the username. The attributes on the page are defined as follows:

  • Default User Name Mapper Attribute Type - The attribute from the subject Distinguished Name (DN) which this WebLogic Identity Assertion provider should use when mapping from the X.509 digital certificate or X500 name token to a username. Valid values are:

    • C - Country code.
    • CN - Common name.
    • E - Email address. (This is the default value.)
    • L - Name of the city or town.
    • O - Organization name.
    • OU - Organization unit name (for example, the name of the division or group within a company).
    • S - State.
    • Street - The name of the street.
  • Default User Name Mapper Attribute Delimiter - The delimiter that ends the attribute value when mapping from the X.509 digital certificate or X500 name to the user name.

If the authentication type in a Web application is set to CLIENT-CERT, the Web Application Container in WebLogic Server performs identity assertion on values from request headers and cookies. If the header name or cookie name matches the active token type for the configured Identity Assertion provider, the value is passed to the provider.

The Base64 Decoding Required attribute determines whether the request header value or cookie value must be Base64-decoded before it is sent to the Identity Assertion provider. The setting is enabled by default for backward compatibility; however, most Identity Assertion providers will disable this attribute.
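The following added example (not WebLogic's own code) models the two behaviours described above: the default user name mapper, which takes one attribute from the certificate's subject DN and cuts it at the configured delimiter, and the Base64 Decoding Required setting applied to a request header or cookie value. The sample subject DN and the function names are constructed for illustration; the DN parser is deliberately simplified.

```python
# Added example, not WebLogic's own code: models the default user name mapper above.
import base64
from typing import Optional

# Constructed sample subject DN (assumption, not from the page).
SAMPLE_SUBJECT_DN = ("E=alice@example.com, CN=Alice Example, OU=Engineering, "
                     "O=Example Corp, L=Austin, S=TX, C=US")

# Attribute types the page lists as valid values for the mapper.
VALID_ATTRIBUTE_TYPES = {"C", "CN", "E", "L", "O", "OU", "S", "STREET"}

def parse_subject_dn(dn: str) -> dict:
    """Split a comma-separated subject DN into {TYPE: value}.

    Simplified: does not handle escaped or quoted commas.
    """
    attrs = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            attr_type, value = rdn.split("=", 1)
            attrs[attr_type.strip().upper()] = value.strip()
    return attrs

def map_dn_to_username(dn: str, attribute_type: str = "E",
                       delimiter: str = "") -> Optional[str]:
    """Return the username the mapper derives, or None if the attribute is absent.

    attribute_type defaults to E (the page's default). A non-empty delimiter
    ends the attribute value, e.g. "@" keeps only the local part of an e-mail.
    """
    attr_type = attribute_type.upper()
    if attr_type not in VALID_ATTRIBUTE_TYPES:
        raise ValueError(f"unsupported attribute type: {attribute_type}")
    value = parse_subject_dn(dn).get(attr_type)
    if value is None:
        return None  # no identity can be asserted from this certificate
    if delimiter:
        value = value.split(delimiter, 1)[0]
    return value or None

def decode_header_token(raw: str, base64_decoding_required: bool = True) -> str:
    """Apply the Base64 Decoding Required setting to a header or cookie value."""
    if not base64_decoding_required:
        return raw
    # With decoding enabled, a value that is not valid Base64 is rejected here.
    return base64.b64decode(raw, validate=True).decode("utf-8")
```

A certificate whose subject DN lacks the configured attribute yields no username, so the request carries no identity in the realm; pick an attribute that every issued client certificate is guaranteed to contain.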

 

Tasks

Configuring a WebLogic Identity Assertion Provider

 

Related Topics

Introduction to WebLogic Security

Managing WebLogic Security

Securing WebLogic Resources

Programming WebLogic Security

Developing Security Providers for WebLogic Server

Securing a Production Environment

The Security topics in the WebLogic Server 8.1 Upgrade Guide

Security FAQ

The Security page in the WebLogic Server documentation
