Single Sign-On

 

Single Sign-on for an EIS User

 

 


Overview

Resource adapters can authenticate EIS users using credential maps. To create a credential map, first create a WebLogic Server user or group, and then create a credential map for the EIS user.

 


Use Deployment Descriptors to Create Credential Maps

Credential maps can be specified in the <security-principal-map> element of weblogic-ra.xml. The <security-principal-map> element provides the association between the credentials used to log in to the EIS and the credentials used to authenticate to WebLogic resources. Listing

<security-principal-map>        
    <map-entry>                 
        <initiating-principal>raruser</initiating-principal>                 
        <initiating-principal>javajoe</initiating-principal>                 
        <resource-principal>                       
            <resource-username>scott</resource-username>                         
            <resource-password>tiger</resource-password>                
        </resource-principal>         
    </map-entry>
</security-principal-map>        

The deployment descriptor technique for creating credential maps is deprecated in this release of WebLogic Server. Instead, use the console to create credential maps.

If you deploy a resource adapter that has a weblogic-ra.xml deployment descriptor file containing a defined <security-principal-map> element, the data in this file can be imported into the embedded LDAP server and then used by the Credential Mapping provider.

To import the information from the weblogic-ra.xml deployment descriptor file into the embedded LDAP server, enable the Credential Mapping Deployment Enabled attribute on the Credential Mapping provider in the default (active) security realm. When the resource adapter is deployed, the credential map information is loaded into the Credential Mapping provider.

The WebLogic Credential Mapping provider implements the DeployableCredentialProvider SSPI. Information from weblogic-ra.xml is automatically loaded into the Credential Mapping provider when the resource adapter is deployed.

Once weblogic-ra.xml is loaded into the embedded LDAP server, the original resource adapter remains unchanged. Therefore, if you redeploy the original resource adapter using the console, modify it on disk, or restart WebLogic Server, the data will once again be imported from weblogic-ra.xml and credential mapping information may be lost.

To avoid overwriting new credential mapping information with old information in weblogic-ra.xml, click through...

Security --> Realms --> Realm --> General --> Ignore Deploy Credential Mapping
...and then reboot WebLogic Server.

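You will probably also want to modify weblogic-ra.xml to remove the <security-principal-map> element, so that the old mappings, including the EIS password it contains, are not left in the descriptor.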
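As an added example (not part of the original documentation or of WebLogic Server), the following Python function checks the text of a weblogic-ra.xml file for <security-principal-map> entries and reports which mappings still carry a password, without returning the password itself. The sample descriptor and its root element are constructed for illustration; the function name and result keys are hypothetical.

```python
# Added example: audit weblogic-ra.xml content for deprecated credential maps.
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the listing above.
SAMPLE = """<weblogic-connection-factory-dd>
  <security-principal-map>
    <map-entry>
      <initiating-principal>raruser</initiating-principal>
      <initiating-principal>javajoe</initiating-principal>
      <resource-principal>
        <resource-username>scott</resource-username>
        <resource-password>tiger</resource-password>
      </resource-principal>
    </map-entry>
  </security-principal-map>
</weblogic-connection-factory-dd>"""


def local(tag):
    """Strip an XML namespace prefix, if the descriptor declares one."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct children of elem whose local tag name matches."""
    return [c for c in elem if local(c.tag) == name]


def audit_principal_map(xml_text):
    """Return one finding per resource principal; password values are never returned."""
    root = ET.fromstring(xml_text)
    findings = []
    for pmap in (e for e in root.iter() if local(e.tag) == "security-principal-map"):
        for entry in children(pmap, "map-entry"):
            initiators = [(p.text or "").strip()
                          for p in children(entry, "initiating-principal")]
            for rp in children(entry, "resource-principal"):
                user = children(rp, "resource-username")
                pwd = children(rp, "resource-password")
                findings.append({
                    "initiating_principals": initiators,
                    "resource_username": (user[0].text or "").strip() if user else None,
                    "password_in_descriptor": bool(pwd and (pwd[0].text or "").strip()),
                })
    return findings


if __name__ == "__main__":
    for finding in audit_principal_map(SAMPLE):
        print(finding)
```

An empty result means the descriptor no longer defines a credential map; any finding with password_in_descriptor set marks an entry to recreate through the console and then remove from the file.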

 


Use the Console to Create Credential Maps

The mapping between credentials can now be done through the console. If you are using the Credential Mapping provider, the credential maps are stored in the embedded LDAP server.

To create a credential map:

  1. Verify "Ignore Deploy Credential Mapping" is enabled on the active security realm. Otherwise, you risk overwriting credential maps with old information in weblogic-ra.xml.

  2. Define a user or group for the EIS user.

  3. Deploy a resource adapter.

  4. Click through:

     Connectors --> Right-click on the desired resource adapter --> Define Credential Mappings --> Configure a New Credential Mapping...

  5. Enter the WebLogic Server user or group name you defined for the EIS user in step 2 in the WLS User field.

  6. Enter the name of the EIS user in the Remote User field.

  7. Click Apply.

  8. Enter the password of the EIS user in the Password field.

  9. Click Apply.

