Administration Console Online Help


Default Identity Asserter: Provider Specific


Use this page to define the provider specific configuration of this WebLogic Identity Assertion provider.

Configuration Options

Supported Types

The token types supported by the Identity Assertion provider.

MBean Attribute:
DefaultIdentityAsserterMBean.SupportedTypes

Changes take effect after you redeploy the module or restart the server.

Active Types

Returns the token types that the Identity Assertion provider is currently configured to process.

MBean Attribute:
DefaultIdentityAsserterMBean.ActiveTypes

Changes take effect after you redeploy the module or restart the server.

Base64 Decoding Required

Returns whether the tokens that are passed to the Identity Assertion provider will be base64 decoded first. If false, the server will not base64 decode the token before passing it to the identity asserter. This defaults to true for backwards compatibility, but most providers will probably want to set this to false.

MBean Attribute:
DefaultIdentityAsserterMBean.Base64DecodingRequired

Changes take effect after you redeploy the module or restart the server.

User Name Mapper Class Name

The name of the Java class that maps X.509 digital certificates and X.501 distinguished names to WebLogic user names.

MBean Attribute:
DefaultIdentityAsserterMBean.UserNameMapperClassName

Changes take effect after you redeploy the module or restart the server.

Trusted Client Principals

The list of trusted client principals to use in CSIv2 identity assertion.

The wildcard character (*) can be used to specify that all principals are trusted. If a client is not listed as a trusted client principal, the CSIv2 identity assertion fails and the invocation is rejected.

MBean Attribute:
DefaultIdentityAsserterMBean.TrustedClientPrincipals

Changes take effect after you redeploy the module or restart the server.

Use Default User Name Mapper

Uses the user name mapping class provided by WebLogic Server. The default user name mapping class only validates that a certificate has not expired.

If you require additional validation, you need to write your own user name mapping class. Writing your own user name mapping class also allows you to specify what attribute in the subject DN of the certificate is used to map to the user name.

MBean Attribute:
DefaultIdentityAsserterMBean.UseDefaultUserNameMapper

Changes take effect after you redeploy the module or restart the server.

Default User Name Mapper Attribute Type

The name of the attribute from the subject DN to use when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.

MBean Attribute:
DefaultIdentityAsserterMBean.DefaultUserNameMapperAttributeType

Changes take effect after you redeploy the module or restart the server.

Default User Name Mapper Attribute Delimiter

The delimiter that ends the attribute value when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.

MBean Attribute:
DefaultIdentityAsserterMBean.DefaultUserNameMapperAttributeDelimiter

Changes take effect after you redeploy the module or restart the server.
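The following is an added example, not WebLogic Server code, that illustrates the mapping behaviour the Use Default User Name Mapper, Default User Name Mapper Attribute Type and Default User Name Mapper Attribute Delimiter options describe: pick one attribute out of the certificate's subject DN and cut its value at a delimiter to obtain the user name. The defaults used here (attribute E, delimiter @), the function names, and the sample DNs are assumptions made for illustration; the example performs no certificate validation of its own.

```python
"""Illustrative subject-DN to user-name mapping (added example, not WebLogic code)."""
from typing import List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253-style DN string into (TYPE, value) pairs.

    Backslash-escaped characters are taken literally and quoted values are
    not split, so a value such as 'Doe\\, John' stays one attribute value.
    Attribute types are upper-cased so lookups are case-insensitive.
    """
    pairs: List[Tuple[str, str]] = []
    key: List[str] = []
    value: List[str] = []
    target = key           # buffer currently being filled
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # escaped character
            target.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes           # drop quotes, keep contents
        elif ch == "=" and target is key and not in_quotes:
            target = value                      # switch from type to value
        elif ch in ",;" and not in_quotes:      # end of this RDN
            pairs.append(("".join(key).strip().upper(), "".join(value).strip()))
            key, value = [], []
            target = key
        else:
            target.append(ch)
        i += 1
    if key or value:
        pairs.append(("".join(key).strip().upper(), "".join(value).strip()))
    return pairs


def map_dn_to_user_name(dn: str, attribute_type: str = "E",
                        delimiter: str = "@") -> Optional[str]:
    """Return the user name taken from `attribute_type` in `dn`.

    The value is cut at the first occurrence of `delimiter`; if the delimiter
    is absent the whole value is used. Returns None when the attribute is not
    present, in which case the caller should fail the identity assertion
    rather than fall back to some other attribute. Only the first matching
    attribute is considered, so a DN carrying two E= values cannot steer the
    mapping with the second one.
    """
    wanted = attribute_type.upper()
    for attr_type, attr_value in parse_dn(dn):
        if attr_type == wanted:
            if delimiter and delimiter in attr_value:
                return attr_value.split(delimiter, 1)[0]
            return attr_value
    return None


# Constructed sample DNs for illustration only.
SAMPLE_DN = "E=jdoe@example.com,CN=John Doe,OU=Engineering,O=Example Corp"
SAMPLE_DN_ESCAPED = "CN=Doe\\, John,O=Example Corp"

if __name__ == "__main__":
    print(map_dn_to_user_name(SAMPLE_DN))                       # jdoe
    print(map_dn_to_user_name(SAMPLE_DN, "CN", " "))            # John
    print(map_dn_to_user_name(SAMPLE_DN_ESCAPED, "CN", ","))    # Doe
```

Whatever attribute is chosen must be one the issuing CA actually controls: if the CA lets a requester put an arbitrary value in that attribute, any certificate it issues can be mapped to any WebLogic user, which is the main point to check when moving away from the default mapper.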

Digest Replay Detection Enabled

Enables the storage of the digest nonce values used to detect replay attacks.

If this setting is enabled, you must configure a data source to store the nonces for the specified expiration period. WebLogic Server then stores all the nonces from digest authentication attempts for all the machines in the domain. On each digest authentication attempt, the nonce is validated against the stored nonces. If the nonce is present, a replay attack has occurred and the digest authentication attempt fails.

MBean Attribute:
DefaultIdentityAsserterMBean.DigestReplayDetectionEnabled

Changes take effect after you redeploy the module or restart the server.

Digest Expiration Time Period

Determines how long digests are valid.

A digest that was created before the specified time will not be valid. This setting impacts how long previous digest values must be stored in the database for use in detecting replay attacks.

MBean Attribute:
DefaultIdentityAsserterMBean.DigestExpirationTimePeriod

Changes take effect after you redeploy the module or restart the server.

Digest Data Source Name

The name of the data source to use for storing digest values. These digest values are used to detect replay attacks.

MBean Attribute:
DefaultIdentityAsserterMBean.DigestDataSourceName

Changes take effect after you redeploy the module or restart the server.
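The following is an added example, not WebLogic Server code, that models the interplay of the Digest Replay Detection Enabled, Digest Expiration Time Period and Digest Data Source Name options: every nonce seen in a digest authentication attempt is recorded, a nonce seen a second time is a replay, and a nonce older than the expiration period is rejected outright, which is also what bounds how long stored nonces have to be kept. An in-memory dictionary stands in for the shared data source, the nonce format (timestamp, random part, HMAC tag) and all names are this example's own assumptions, and the key is a constructed sample.

```python
"""Illustrative digest nonce replay detection with expiry (added example, not WebLogic code)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


class DigestNonceStore:
    """Records nonces for `expiration_seconds` and flags reuse as a replay.

    In a domain-wide deployment this dictionary would be a table in the
    configured data source so every server sees the same nonces.
    """

    def __init__(self, secret: bytes, expiration_seconds: int) -> None:
        self._secret = secret
        self.expiration = expiration_seconds
        self._seen: Dict[str, int] = {}        # nonce -> issue timestamp

    def issue_nonce(self, now: Optional[float] = None) -> str:
        """Create a nonce whose timestamp is protected by an HMAC tag."""
        ts = int(time.time() if now is None else now)
        rnd = secrets.token_hex(8)
        tag = self._tag(ts, rnd)
        return f"{ts}:{rnd}:{tag}"

    def _tag(self, ts: int, rnd: str) -> str:
        msg = f"{ts}:{rnd}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def _issue_time(self, nonce: str) -> Optional[int]:
        """Return the nonce's timestamp, or None if it was not issued by us."""
        parts = nonce.split(":")
        if len(parts) != 3 or not parts[0].isdigit():
            return None
        ts, rnd, tag = int(parts[0]), parts[1], parts[2]
        if not hmac.compare_digest(self._tag(ts, rnd), tag):
            return None
        return ts

    def _purge(self, now: int) -> None:
        """Drop nonces past the expiration period; they are rejected anyway."""
        stale = [n for n, ts in self._seen.items() if now - ts > self.expiration]
        for n in stale:
            del self._seen[n]

    def check(self, nonce: str, now: Optional[float] = None) -> str:
        """Validate one authentication attempt: 'ok', 'invalid', 'expired' or 'replay'."""
        now_i = int(time.time() if now is None else now)
        self._purge(now_i)
        ts = self._issue_time(nonce)
        if ts is None:
            return "invalid"                 # forged or malformed nonce
        if now_i - ts > self.expiration:
            return "expired"                 # created before the allowed window
        if nonce in self._seen:
            return "replay"                  # seen before: digest is being replayed
        self._seen[nonce] = ts
        return "ok"


# Constructed sample values for illustration only.
SAMPLE_SECRET = b"example-server-secret"
SAMPLE_EXPIRATION = 300

if __name__ == "__main__":
    store = DigestNonceStore(SAMPLE_SECRET, SAMPLE_EXPIRATION)
    n = store.issue_nonce(now=1000)
    print(store.check(n, now=1010))          # ok
    print(store.check(n, now=1020))          # replay
    print(store.check(n, now=1301))          # expired
```

The purge step is what the page means by the expiration period affecting how long digests must be stored: once a nonce is older than the period it is rejected by timestamp alone, so the data source only has to hold nonces younger than that.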
