Administration Console Online Help


WebLogic Identity Assertion Provider --> General

Overview

Use this page to configure a WebLogic Identity Assertion provider for a security realm.

Note: The WebLogic Server Administration Console refers to the WebLogic Identity Assertion provider as the Default Identity Asserter.

If you are using perimeter authentication, you need to use an Identity Assertion provider. In perimeter authentication, a system outside of WebLogic Server establishes trust via tokens (as opposed to simple authentication, where WebLogic Server establishes trust via usernames and passwords). An Identity Assertion provider verifies the tokens and performs whatever actions are necessary to establish validity and trust in the token. Each Identity Assertion provider is designed to support one or more token formats.

Multiple Identity Assertion providers can be configured in a security realm, but none are required. Identity Assertion providers can support more than one token type, but only one token type per Identity Assertion provider can be active at a given time. When using the WebLogic Identity Assertion provider, configure the active token type. The WebLogic Identity Assertion provider supports identity assertion using X509 certificates and CORBA Common Secure Interoperability version 2 (CSI v2).

You can use a custom Identity Assertion provider instead of the WebLogic Identity Assertion provider. For a custom Identity Assertion provider to be available in the WebLogic Server Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.

When using 2-way SSL, WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing an SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to define a user name mapper that maps the digital certificate of a client to a user in a WebLogic Server security realm.

This user name mapper is a class that implements the weblogic.security.providers.authentication.UserNameMapper interface. You can either write your own implementation and configure it in the Administration Console or use the default implementation provided by WebLogic Server.
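
An added example, not code from the original page or from WebLogic Server: a custom user name mapper that takes the single CN from the certificate subject and refuses ambiguous or unexpected names instead of guessing. The class name, the name pattern and the treatment of null as "no user" are assumptions, the two method signatures are assumed from the UserNameMapper Javadoc, and javax.naming.ldap.LdapName requires Java 5 or later.

```java
import java.security.cert.X509Certificate;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import weblogic.security.providers.authentication.UserNameMapper;

// Hypothetical class; its name goes in "User Name Mapper Class Name".
public class StrictCnUserNameMapper implements UserNameMapper {
    // Constructed policy: only short, plain account names are accepted.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    // X.509 tokens. Assumption: certs[0] is the client's end-entity certificate.
    public String mapCertificateToUserName(X509Certificate[] certs, boolean ssl) {
        if (certs == null || certs.length == 0) return null;
        return userFromDn(certs[0].getSubjectX500Principal().getName());
    }

    // CSIv2 distinguished-name tokens. Assumption: the bytes are a DER-encoded name.
    public String mapDistinguishedNameToUserName(byte[] distinguishedName) {
        if (distinguishedName == null) return null;
        try {
            return userFromDn(new X500Principal(distinguishedName).getName());
        } catch (IllegalArgumentException e) {
            return null; // not a parseable name: no mapping
        }
    }

    // Returns the single CN of an RFC 2253 DN, or null (assumed to mean "no user").
    static String userFromDn(String dn) {
        String cn = null;
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if (rdn.size() > 1) return null;          // multi-valued RDN: ambiguous
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                if (cn != null || !(rdn.getValue() instanceof String)) return null;
                cn = (String) rdn.getValue();
            }
        } catch (InvalidNameException e) {
            return null;
        }
        return cn != null && SAFE.matcher(cn).matches() ? cn : null;
    }
}
```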

Tasks

Configuring an Authentication Provider: Main Steps

Configuring a WebLogic Identity Assertion Provider

Related Topics

Introduction to WebLogic Security

Managing WebLogic Security

Securing WebLogic Resources

Programming WebLogic Security

Developing Security Providers for WebLogic Server

Securing a Production Environment

The Security topics in the WebLogic Server 8.1 Upgrade Guide

Security FAQ

The Security page in the WebLogic Server documentation

Attributes

Table 183-1

| Attribute Label | Description | Value Constraints |
|---|---|---|
| Name | The name of this WebLogic Identity Assertion provider. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: Name | |
| Description | A short description of this WebLogic Identity Assertion provider. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: Description | Default: "WebLogic Identity Assertion provider" |
| Version | The version number of this WebLogic Identity Assertion provider. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: Version | Default: "1.0" |
| User Name Mapper Class Name | The name of the Java class that maps X.509 digital certificates and X.501 distinguished names to WebLogic user names. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: UserNameMapperClassName | |
| Trusted Client Principals | The list of trusted client principals to use in CSIv2 identity assertion. The wildcard character (*) can be used to specify that all principals are trusted. If a client is not listed as a trusted client principal, the CSIv2 identity assertion fails and the invoke is rejected. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: TrustedClientPrincipals | |
| Supported Types | The list of token types supported by the Identity Assertion provider. To see a list of default token types, refer to the Javadoc for weblogic.security.spi.IdentityAsserter. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: SupportedTypes | Default: new String[] { weblogic.security.spi.IdentityAsserter.AU_TYPE, weblogic.security.spi.IdentityAsserter.X509_TYPE, weblogic.security.spi.IdentityAsserter.CSI_PRINCIPAL_TYPE, weblogic.security.spi.IdentityAsserter.CSI_ANONYMOUS_TYPE, weblogic.security.spi.IdentityAsserter.CSI_X509_CERTCHAIN_TYPE, weblogic.security.spi.IdentityAsserter.CSI_DISTINGUISHED_NAME_TYPE } |
| Active Types | Specifies what type of token is currently being used by the Identity Assertion provider. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: ActiveTypes | |

