About Authentication

Get an overview of the different ways in which you can determine the identity of a user or system that is accessing an application running in Oracle Java Cloud Service. Clients can authenticate against an external LDAP or database, or their identities can be validated with different token technologies like SAML.

By default, cloud users and application users are managed by different security frameworks and are located in different identity stores. Consequently, these users support different authentication options.

Single Sign-On (SSO) is the ability for a user to authenticate once and then gain access to many different application components, even though these components may have their own authentication schemes. SSO enables users to login securely to all their applications, web sites and mainframe sessions with just one identity.

Topics

• Cloud Authentication
• WebLogic Server Authentication

Cloud Authentication

In order to create and manage cloud services such as Oracle Java Cloud Service instances, service administrators in Oracle Cloud are authenticated against a specific identity domain and with a username and password.

If your Oracle Cloud account includes Oracle Identity Cloud Service, then service administrators are authenticated against its identity store. See Add Users, Assign Policies and Roles in Getting Started with Oracle Cloud.

WebLogic Server Authentication

An Oracle WebLogic Server domain defines a security realm that controls authentication, authorization, role mapping, credential mapping and security auditing across all of the servers in the domain.

These services are implemented as security providers. WebLogic Server includes many types of built-in providers and you can also build your own. Authentication providers in particular establish trust for a user by validating credentials or tokens. They can also identify any groups to which the user belongs, in order to make access decisions.

You can also configure multiple authentication providers in a single security realm. For example, consider a scenario in which the WebLogic Server administration users are located in one LDAP server while application users are found in a different LDAP server.

This table describes some of the authentication options available in a WebLogic Server security realm.

Authentication Option	Description
Embedded LDAP (default)	Each user’s credentials and group memberships are maintained in a Lightweight Directory Access Protocol (LDAP) server that is hosted in the domain’s Administration Server and replicated to all Managed Servers in the domain. Oracle does not recommend using the embedded LDAP for large production applications. See: Managing the Embedded LDAP Server in Administering Security for Oracle WebLogic Server (12.2.1.3) Managing the Embedded LDAP Server in Securing Oracle WebLogic Server (11.1.1.7)
Oracle Identity Cloud Service	If your cloud account includes Oracle Identity Cloud Service, Oracle Java Cloud Service can provision your service instance so that WebLogic Server is configured to use Oracle Identity Cloud Service for authentication. As a result, when users access your Java applications or tools like the Administration Console they are authenticated against the users, groups, roles and policies defined in Oracle Identity Cloud Service. See Use Oracle Identity Cloud Service with Oracle Java Cloud Service.
External LDAP	WebLogic Server includes authentication providers that are compatible with Oracle Internet Directory, Microsoft Active Directory, iPlanet, Open LDAP or any other LDAP-compliant server. These providers differ primarily in how they are configured by default to match typical directory schemas for their corresponding LDAP server. If this LDAP server is hosted outside of the nodes in your Oracle Java Cloud Service instance, you may need to enable network communication between your nodes and the LDAP server. See Create an Access Rule. See: Configuring LDAP Authentication Providers in Administering Security for Oracle WebLogic Server (12.2.1.3) Configuring LDAP Authentication Providers in Securing Oracle WebLogic Server (11.1.1.7)
Relational Database	WebLogic Server includes authentication providers that use a relational database as a data store for users, passwords and groups. These providers are configured by default with a typical SQL database schema to support these entities, but you can also customize this default configuration to match your database's existing schema. In order to use the database authentication providers you must create a data source in the domain to establish connectivity to the database. If you selected this database when you created your Oracle Java Cloud Service instance, a data source already exists. If this database is hosted outside of the nodes in your Oracle Java Cloud Service instance, you may need to enable network communication between your nodes and the database. See Create an Access Rule. See: Configuring RDBMS Authentication Providers in Administering Security for Oracle WebLogic Server (12.2.1.3) Configuring RDBMS Authentication Providers in Securing Oracle WebLogic Server (11.1.1.7) Tutorial
SAML	In perimeter authentication, a system outside of WebLogic Server establishes trust through tokens. WebLogic Server can generate and consume Security Assertion Markup Language (SAML) tokens (assertions), and supports both SAML 1.1 and SAML 2.0. See: Configuring Identity Assertion Providers and Configuring Single Sign-On with Web Browsers and HTTP Clients Using SAML in Administering Security for Oracle WebLogic Server (12.2.1.3) Configuring Identity Assertion Providers and Configuring Single Sign-On with Web Browsers and HTTP Clients Using SAML in Securing Oracle WebLogic Server (11.1.1.7)