Using Multiple Authentication Providers with WebLogic Portal

If you are storing users, passwords, and groups in an authentication provider outside of WebLogic Server (such as an RDBMS user store or an OpenLDAP server), you can connect that provider to WebLogic Server (assuming it is a supported type), and the users in that external provider can log in to your portals. In addition to the default LDAP authentication provider, WebLogic Server and WebLogic Portal support the use of multiple authentication providers.

As a portal administrator, multiple authentication providers matter to you for a number of reasons. You may want to:

Note: If your external user store contains additional properties for users and groups (for example, e-mail and phone), accessing those properties involves separate development steps for creating a unified user profile. See Unified User Profiles Overview in the WebLogic Workshop help system for details.

The following steps guide you through the process of setting up multiple authentication providers for use with WebLogic Portal.

  1. Most of the effort involved with using multiple authentication providers is setting up and configuring those providers (such as an RDBMS user store or an OpenLDAP server), then connecting WebLogic Server to those providers. Once those two tasks are accomplished, seeing those external users and groups in WebLogic Portal happens almost automatically.
    1. Developing Security Providers for WebLogic Server provides the development details for setting up and configuring an authentication provider to work with WebLogic Server.
    2. Configuring Security Providers provides details on connecting WebLogic Server to an authentication provider.
      After this step, the authentication providers you connect to WebLogic Server are added to drop-down lists in the WebLogic Administration Portal tools.
  2. After your external authentication providers are set up and connected to WebLogic Server, you can build group hierarchy trees for those providers in WebLogic Portal. A tree view of groups provides a convenient visual mode for changing profile values, finding users within groups, and adding users and groups to rules for Delegated Administration and Visitor Entitlements.

The default configuration for supported external authentication providers is read-only access to users and groups from the WebLogic Administration Portal (or WebLogic Server Administration Console). To provide write access to external users and groups from the WebLogic Administration Portal, the authentication provider must be developed to allow write access. WebLogic Server's Default Authenticator and portal RDBMSAuthenticator provide write access by default.

If a provider does not allow read access, you can still create profiles for users and groups in that provider in the WebLogic Administration Portal, and you can still add that provider's users or groups to roles for Delegated Administration and Visitor Entitlements.

Changes to Authentication Provider Settings

If you make changes to any authentication provider configuration in the WebLogic Server Administration Console, be sure to restart the server. Restarting the server prevents exceptions in the WebLogic Administration Portal.

Removing Authentication Providers

If you remove an authentication provider (in the WebLogic Server Administration Console), be sure to also remove the provider from the WebLogic Administration Portal in Service Administration --> Authentication Hierarchy Service. In the "Provider to Remove from Build List" field, enter the name of the provider you want to remove and click "Update & Build Tree".
