This chapter describes the various authentication options for an Oracle WebCenter deployment.
By default, Oracle WebCenter performs authentication using credentials stored in the Oracle WebCenter Interaction portal database. Beyond basic portal authentication, Oracle WebCenter can delegate authentication to other back-end systems, such as remote authentication tiers (LDAP servers and Active Directory), SSO providers, and Windows Integrated Authentication. For details, see Delegating Authentication.
Access control lists allow permissions to be granted to users and groups, and user and group properties can be pulled from back-end services and mapped to portal users and groups. For details, see Access Control Lists and Profile Sources.
Authenticated users can have their credential information brokered to other back-end services, allowing a single login to the portal to enable access to various systems. For details, see Brokering Credentials.
Delegating Authentication
The portal can be configured to delegate authentication to various other systems, including remote authentication tiers such as LDAP servers and Active Directory, SSO providers such as Oblix or Netegrity, and Windows Integrated Authentication (WIA). The following sections describe delegating authentication to these systems.
Delegating to a Remote Authentication Tier
Authentication can be delegated to a remote authentication tier by implementing an Oracle WebCenter authentication service. The authentication service serves two roles: synchronization and authentication.
Synchronization against a back-end authentication source imports users and groups into the Oracle WebCenter Interaction portal database. This must be done before the portal user can authenticate against the back-end authentication source. Passwords are not imported. This allows portal object permissions to be mapped to external users and groups, while maintaining authentication solely by the back-end authentication source.
Authentication allows the portal to query a back-end authentication source using a user’s credentials. The sequence of events in the process is as follows:
The user browses to the main portal page and is presented with the login screen. The user enters credentials.
Oracle WebCenter Interaction sends a request to the back-end authentication source using the configured Oracle WebCenter authentication service.
The back-end authentication source returns validity of user credentials.
If the user is authenticated, access to their profile in the portal is granted. If the user is not authenticated, they are presented with the login screen.
If configured to do so, Oracle WebCenter Interaction stores the credentials in memory and identifies the user by a browser cookie. This allows the user to be logged in automatically the next time they visit the portal.
Oracle provides pre-made authentication services supporting LDAP and Active Directory back-end systems. In addition, you can develop custom authentication services to authenticate against any back-end system.
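The synchronization and authentication roles described above, as an added illustration that is not Oracle's code and not a WebCenter API: a Python model in which a constructed back-end source holds salted password hashes, synchronization copies only users and groups into a constructed portal database, and every login is decided by the back-end. The names BACKEND_SOURCE, AuthenticationService and portal_login are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed stand-in for a back-end authentication source such as an LDAP directory.
# It holds salted password hashes; the portal database never receives these values.
def _hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

BACKEND_SOURCE = {
    "alice": {"salt": "s1", "hash": _hash("correct horse", "s1"), "groups": ["engineering"]},
    "bob":   {"salt": "s2", "hash": _hash("battery staple", "s2"), "groups": ["sales"]},
}

class AuthenticationService:
    """Models the two roles of a WebCenter authentication service: synchronize and authenticate."""

    def __init__(self, source: dict):
        self.source = source

    def synchronize(self, portal_db: dict) -> None:
        """Import users and groups into the portal database. Passwords are never copied."""
        for name, entry in self.source.items():
            portal_db["users"][name] = {"groups": list(entry["groups"])}
            portal_db["groups"].update(entry["groups"])

    def authenticate(self, username: str, password: str) -> bool:
        """Query the back-end source with the user's credentials; the back-end decides validity."""
        entry = self.source.get(username)
        if entry is None:
            return False
        candidate = _hash(password, entry["salt"])
        return hmac.compare_digest(candidate, entry["hash"])  # constant-time comparison

def new_portal_db() -> dict:
    return {"users": {}, "groups": set()}

def portal_login(portal_db: dict, service: AuthenticationService, username: str, password: str) -> str:
    """Login sequence: a user must already be synchronized, then the back-end validates the credentials."""
    if username not in portal_db["users"]:
        return "login screen (user not synchronized)"
    if not service.authenticate(username, password):
        return "login screen (credentials rejected by back-end)"
    return "profile granted"
```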
Additional resources
For details on configuring a pre-made authentication service, see the Administrator Guide for Oracle WebCenter Interaction.
For details on creating a custom authentication service, start with the Oracle WebCenter Interaction Web Service Development Guide.
Delegating to an SSO Provider
Delegating authentication to an SSO provider can circumvent the Oracle WebCenter Interaction login screen and present the user with the login method of the SSO provider. This allows authentication by non-Web form mechanisms, such as keycards or biometric authentication.
The sequence of events in this process is as follows:
The user browses to the main portal page address.
The portal forwards this request to the SSO provider.
The SSO provider determines whether the user is already authenticated or needs to be authenticated. This might be done by checking the user’s browser cookies or by another method.
If the user is not authenticated, the SSO provider does what is necessary to gather credentials and authenticate the user.
The SSO provider returns the user to the portal and instructs Oracle WebCenter Interaction to grant the user access to their profile.
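The exchange above, as an added example that is not from Oracle's documentation or product: a Python simulation of both sides, the portal and the SSO provider. It assumes (an assumption of this example, not something the page states) that the provider hands the user back with an HMAC-signed, time-limited assertion naming the user, and that the portal verifies the signature, expiry and that the user was previously synchronized before granting the profile; SsoProvider, Portal and SHARED_SECRET are constructed names.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret between portal and SSO provider. Real vendors use their own
# token formats; the signed-assertion scheme here is an assumption for illustration.
SHARED_SECRET = b"constructed-demo-secret"

def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()

class SsoProvider:
    """Steps 3-5: check for an existing session, gather credentials if needed, return the user."""
    def __init__(self, directory: dict):
        self.directory = directory   # constructed: username -> password
        self.sessions = {}           # sso cookie value -> username

    def handle(self, request: dict) -> dict:
        user = self.sessions.get(request.get("sso_cookie"))
        if user is None:
            creds = request.get("credentials")  # keycard, biometric or form, abstracted here
            if not creds or self.directory.get(creds["user"]) != creds["password"]:
                return {"status": "challenge"}  # provider does what it needs to gather credentials
            user = creds["user"]
            self.sessions["cookie-" + user] = user  # constructed; a real provider issues an unguessable value
        payload = json.dumps({"user": user, "exp": time.time() + 300}).encode()
        return {"status": "redirect", "payload": payload, "sig": _sign(payload)}

class Portal:
    """Steps 1-2 and 5: forward the request to SSO; grant the profile only on a valid assertion."""
    def __init__(self, known_users: set):
        self.known_users = known_users   # users already synchronized into the portal database

    def request(self, sso: SsoProvider, request: dict) -> str:
        reply = sso.handle(request)
        if reply["status"] != "redirect":
            return "sso challenge"
        if not hmac.compare_digest(_sign(reply["payload"]), reply["sig"]):
            return "rejected: bad signature"
        claim = json.loads(reply["payload"])
        if claim["exp"] < time.time():
            return "rejected: expired"
        if claim["user"] not in self.known_users:
            return "rejected: unknown user"
        return f"profile granted to {claim['user']}"
```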
Additional resources
For details on configuring an authentication source for an SSO provider, configuring the portal to use an SSO provider, or configuring the portal and SSO, see the Administrator Guide for Oracle WebCenter Interaction.
Delegating to Windows Integrated Authentication
Delegating to Windows Integrated Authentication (WIA) is similar to delegating to an SSO source. With WIA, the user’s credentials are the same as their Windows network credentials. When the user browses to the portal page, the portal uses Windows to authenticate the user.
Prior to authenticating with WIA, user information must be crawled into the portal database using an Active Directory authentication source.
The sequence of events in the WIA authentication process is as follows:
A user logged into a Windows network browses to the main portal page.
The portal returns a 401 Unauthorized response to the user's browser.
The browser and portal perform the WIA handshake to validate the user.
The portal accepts the authentication and grants access to the user’s profile.
For WIA to work, the user must be logged into a Windows network and be using a browser, such as Internet Explorer, that supports the WIA handshake. WIA fails when the connection passes through an HTTP proxy.
Additional resources
For details on configuring an authentication source for WIA, configuring the portal to use WIA, or configuring the portal and SSO, see the Administrator Guide for Oracle WebCenter Interaction.
Access Control Lists and Profile Sources
Access Control Lists (ACLs) allow users and groups to be granted permission to use and modify objects in the portal. Portal users who authenticate with any of the methods described in the section Delegating Authentication can be identified within the portal database and added to object ACLs.
A profile service uses an authentication service to pull user properties from back-end systems such as LDAP services. Properties in the back-end system are mapped to Oracle WebCenter Interaction portal properties and synchronized with the authentication service.
Additional Resources
For details on configuring ACLs or configuring profile services, see the Administrator Guide for Oracle WebCenter Interaction.
For details on developing profile services, start with the Oracle WebCenter Interaction Web Service Development Guide.
Brokering Credentials
The credentials of a logged-in user can be made available to other systems accessed via the Oracle WebCenter Interaction portal. This allows applications in the portal to display information from systems such as email or other enterprise applications without requiring the user to log into each of these systems separately.
There are various ways Oracle WebCenter Interaction can pass credentials to back-end systems:
PassThrough: The credentials the user supplied at login can be sent to the remote tier as a Basic Authentication header. This is useful if both the portal login and the back-end system login are based on the same authentication source, such as an LDAP service.
Preferences: Preferences can be created to hold the user's credentials, set individually by the end user. Preferences are stored encrypted in the portal database and controlled by the end user.
UserInfo: User properties are mapped to credential information stored in an LDAP service or other back-end source. Credentials are automatically populated for each user.
SSO: An SSO token can be forwarded to the remote tier. This only works if the remote tier application can accept an SSO token. In cases where an SSO token is not accepted, some SSO Providers provide an API to convert the SSO token to name and password. This is dependent on the SSO vendor and the configuration of the SSO provider.
Lockbox: User credentials can be stored in a lockbox in the Oracle WebCenter Interaction credential vault. The credential vault provides a central repository that securely stores and manages credentials. Portlets that need credentials to access back-end systems can securely retrieve appropriate user credentials.
Additional resources
For details on brokering credentials to existing applications, see the Administrator Guide for Oracle WebCenter Interaction.
For details on developing portlets that use brokered credentials, start with the Oracle WebCenter Portlet Toolkit for .NET Development Guide.