WebLogic Identity Assertion Provider --> General
Overview
Use this page to configure a WebLogic Identity Assertion provider for a security realm. Note that the WebLogic Server Administration Console refers to the WebLogic Identity Assertion provider as the Default Identity Asserter.
If you are using perimeter authentication, you need to use an Identity Assertion provider. In perimeter authentication, a system outside of WebLogic Server establishes trust via tokens (as opposed to simple authentication, where WebLogic Server establishes trust via usernames and passwords). An Identity Assertion provider verifies the tokens and performs whatever actions are necessary to establish validity and trust in the token. Each Identity Assertion provider is designed to support one or more token formats.
Multiple Identity Assertion providers can be configured in a security realm, but none are required. Identity Assertion providers can support more than one token type, but only one token type per Identity Assertion provider can be active at a given time. When using the WebLogic Identity Assertion provider, configure the active token type. The WebLogic Identity Assertion provider supports identity assertion using X509 certificates and CORBA Common Secure Interoperability version 2 (CSI v2).
You can use a custom Identity Assertion provider instead of the WebLogic Identity Assertion provider. For a custom Identity Assertion provider to be available in the WebLogic Server Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
When using 2-way SSL, WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing an SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to define a user name mapper that maps the digital certificate of a client to a user in a WebLogic Server security realm.
This user name mapper is a class that implements the weblogic.security.providers.authentication.UserNameMapper interface. You can either write your own implementation and configure it in the Administration Console or use the default implementation provided by WebLogic Server.
- Specify custom implementations of the weblogic.security.providers.authentication.UserNameMapper interface on this page.
- Use the Details page to enable the use of the default user name mapper and to configure attributes for that user name mapper.
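The following class is an added example of a custom user name mapper; it is not code from the WebLogic documentation or product. It maps a client's certificate (or a CSIv2 distinguished-name token) to a WebLogic user name by taking the CN of the subject DN, and it fails the assertion by returning null whenever the mapping would be ambiguous or the certificate was not validated by WebLogic itself. The package name is hypothetical, and the two method signatures are written as recalled from the UserNameMapper interface (including the weblogic.security.acl.internal.X500Name parameter type and the meaning of the ssl flag); confirm them against the Javadoc for your WebLogic version before compiling. The class must be on the server classpath and its fully qualified name entered as the User Name Mapper Class Name on this page.

```java
package com.example.security; // hypothetical package name for this example

import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import weblogic.security.acl.internal.X500Name;          // assumed parameter type
import weblogic.security.providers.authentication.UserNameMapper;

/**
 * Maps the CN of a client certificate's subject (or of a CSIv2 DN token) to a
 * WebLogic user name. Any case that cannot be mapped unambiguously returns
 * null, which makes the identity assertion fail instead of guessing a user.
 * WebLogic instantiates the mapper by class name, so the implicit public
 * no-argument constructor is required.
 */
public class CommonNameUserNameMapper implements UserNameMapper {

    // Called for X.509 certificate chains. certs[0] is the end-entity (client)
    // certificate; ssl is assumed to be true when the chain was validated by
    // WebLogic during a 2-way SSL handshake rather than supplied as a raw token.
    public String mapCertificateToUserName(X509Certificate[] certs, boolean ssl) {
        if (certs == null || certs.length == 0) {
            return null;   // nothing to map: assertion fails
        }
        if (!ssl) {
            // Example policy: only certificates proven to belong to the caller
            // through the SSL handshake are mapped. A certificate that merely
            // arrived as a token has not been tied to the connection's peer.
            return null;
        }
        // RFC 2253 string form of the subject DN, e.g. "CN=alice,OU=dev,O=Example"
        String dn = certs[0].getSubjectX500Principal().getName();
        return commonNameOf(dn);
    }

    // Called for CSIv2 identity assertion when the token is a distinguished name.
    public String mapDistinguishedNameToUserName(X500Name dn) {
        if (dn == null) {
            return null;
        }
        return commonNameOf(dn.toString());
    }

    // Parse the DN with the JDK's LDAP name parser instead of splitting on
    // commas, so escaped separators inside attribute values are handled, and
    // return the CN only when exactly one CN RDN is present.
    static String commonNameOf(String dn) {
        try {
            String cn = null;
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    if (cn != null) {
                        return null;   // more than one CN: ambiguous, refuse to map
                    }
                    cn = String.valueOf(rdn.getValue());
                }
            }
            return cn;   // null when the DN carries no CN at all
        } catch (InvalidNameException e) {
            return null; // malformed DN: assertion fails
        }
    }
}
```

Returning null is the only signal the mapper has to reject a certificate, so every branch that cannot produce a single, well-defined user name takes that path; the server then treats the request as unauthenticated rather than mapping it to an unintended user.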
Tasks
Configuring an Authentication Provider: Main Steps
Configuring a WebLogic Identity Assertion Provider
Related Topics
Introduction to WebLogic Security
Developing Security Providers for WebLogic Server
Securing a Production Environment
The Security topics in the WebLogic Server 8.1 Upgrade Guide
The Security page in the WebLogic Server documentation
Attributes

Name
  Description: The name of this WebLogic Identity Assertion provider.
  MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean
  Attribute: Name

Description
  Description: A short description of this WebLogic Identity Assertion provider.
  MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean
  Attribute: Description
  Default: "WebLogic Identity Assertion provider"

Version
  Description: The version number of this WebLogic Identity Assertion provider.
  MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean
  Attribute: Version
  Default: "1.0"

User Name Mapper Class Name
  Description: The name of the Java class that maps X.509 digital certificates and X.501 distinguished names to WebLogic user names.
  MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean
  Attribute: UserNameMapperClassName

Trusted Client Principals
  Description: The list of trusted client principals to use in CSIv2 identity assertion. The wildcard character (*) can be used to specify that all principals are trusted. If a client is not listed as a trusted client principal, the CSIv2 identity assertion fails and the invoke is rejected.
  MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean
  Attribute: TrustedClientPrincipals

Supported Types
  Description: The list of token types supported by the Identity Assertion provider. To see a list of default token types, refer to the Javadoc for weblogic.security.spi.IdentityAsserter.
  MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean
  Attribute: SupportedTypes
  Default: new String[] { weblogic.security.spi.IdentityAsserter.AU_TYPE,
                          weblogic.security.spi.IdentityAsserter.X509_TYPE,
                          weblogic.security.spi.IdentityAsserter.CSI_PRINCIPAL_TYPE,
                          weblogic.security.spi.IdentityAsserter.CSI_ANONYMOUS_TYPE,
                          weblogic.security.spi.IdentityAsserter.CSI_X509_CERTCHAIN_TYPE,
                          weblogic.security.spi.IdentityAsserter.CSI_DISTINGUISHED_NAME_TYPE }

Active Types
  Description: Specifies what type of token is currently being used by the Identity Assertion provider.
  MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean
  Attribute: ActiveTypes