WebLogic Identity Assertion Provider-->Details
Overview
When using 2-way SSL, WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing an SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to define a user name mapper that maps the digital certificate of a client to a user in a WebLogic Server security realm.
Use this page to activate the default user name mapper and specify which attribute of a digital certificate is used to create the username. The attributes on this page are defined as follows:
- Default User Name Mapper Attribute Type - The attribute from the subject Distinguished Name (DN) that this WebLogic Identity Assertion provider uses when mapping from an X.509 digital certificate or X.500 name token to a username. Valid values are:
- C - Country code.
- CN - Common name.
- E - Email address (this is the default value).
- L - Name of the city or town.
- O - Organization name.
- OU - Organization unit name (for example, the name of the division or group within a company).
- S - State.
- Street - The name of the street.
- Default User Name Mapper Attribute Delimiter - The delimiter that ends the attribute value when mapping from the X.509 digital certificate or X.500 name to the username.
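The following is an added illustration of the mapping the two attributes above describe, not WebLogic's own user name mapper code: one attribute type is picked out of the certificate subject DN and its value is cut at the configured delimiter. The sample DN, the "@" default delimiter and the alias table (for example EMAILADDRESS for E, ST for S) are assumptions of this example.

```python
"""Constructed illustration of a default-user-name-mapper style lookup:
select one subject-DN attribute and end its value at a delimiter.
This is example code, not the WebLogic implementation."""
from typing import Dict, Optional, Set

# Console attribute-type values mapped to the spellings that commonly
# appear in DN strings (assumed aliases, not taken from the product).
ATTRIBUTE_ALIASES: Dict[str, Set[str]] = {
    "C": {"C"}, "CN": {"CN"}, "E": {"E", "EMAILADDRESS", "EMAIL"},
    "L": {"L"}, "O": {"O"}, "OU": {"OU"}, "S": {"S", "ST"},
    "STREET": {"STREET"},
}

# Constructed sample subject DN; note the escaped comma inside O.
SAMPLE_DN = r"CN=alice,E=alice@example.com,OU=Dev,O=Example\, Inc.,C=US"


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 2253 style DN into {TYPE: value}. Backslash escapes are
    honoured so a comma inside a value does not start a new RDN. When a
    type repeats, the leftmost (most specific) occurrence is kept."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    attrs: Dict[str, str] = {}
    for rdn in rdns:
        if "=" not in rdn:
            continue  # malformed RDN: skip rather than guess a value
        typ, value = rdn.split("=", 1)
        attrs.setdefault(typ.strip().upper(), value.strip())
    return attrs


def map_dn_to_username(dn: str, attribute_type: str = "E",
                       delimiter: str = "@") -> Optional[str]:
    """Return the username that would be asserted, or None when the
    configured attribute is absent (identity assertion then fails)."""
    attrs = parse_dn(dn)
    wanted = attribute_type.upper()
    for alias in ATTRIBUTE_ALIASES.get(wanted, {wanted}):
        if alias in attrs:
            value = attrs[alias]
            # The delimiter ends the username; the remainder is discarded.
            return value.split(delimiter, 1)[0] if delimiter else value
    return None
```

With the defaults assumed here, the E attribute alice@example.com yields the user alice, while a DN lacking the configured attribute maps to no user at all.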
If the authentication type in a Web application is set to CLIENT-CERT, the Web Application Container in WebLogic Server performs identity assertion on values from request headers and cookies. If the header name or cookie name matches the active token type for the configured Identity Assertion provider, the value is passed to the provider.
The Base64 Decoding Required attribute determines whether the request header value or cookie value must be Base64-decoded before it is sent to the Identity Assertion provider. The setting is enabled by default for backward compatibility; however, most Identity Assertion providers disable this attribute.
Tasks
Configuring a WebLogic Identity Assertion Provider
Related Topics
Introduction to WebLogic Security
Developing Security Providers for WebLogic Server
Securing a Production Environment
The Security topics in the WebLogic Server 8.1 Upgrade Guide
The Security page in the WebLogic Server documentation