Configuring a P-Asserted-Identity Assertion Provider
Follow these steps to configure a security provider used to support the P-Asserted-Identity
header. Note that one of two providers can be selected, as described in "Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers".
In addition to configuring one of the above providers, configure a secondary, "fallback" login method (for example, using DIGEST or CLIENT-CERT authentication).
To configure a P-Asserted-Identity provider:
- From the Edit Tree of the Remote Console, click Security, and then Realms, and your specific realm, and then Authentication Providers.
- Click New, enter a name, and select one of the following options for the Type:
- PAsserted Identity Asserter: Select this option to configure a provider that does not throw an exception when the P-Asserted-Identity header is invalid or is received from a non-trusted host; instead, an anonymous user is substituted.
- PAsserted Identity Strict Asserter: Select this option to configure a provider that throws an exception when the P-Asserted-Identity header is invalid or is received from a non-trusted host, rather than substituting an anonymous user.
See "Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers" for more information.
- Click Create.
- Select the Custom Parameters tab.
- Fill in the fields of the Custom Parameters tab as follows:
- Trusted Hosts: Enter one or more hosts that the provider will treat as trusted sources of the P-Asserted-Identity header. You can enter a list of IP addresses or DNS names, and wildcards are supported.
Note:
The provider does not use the trusted hosts configured in the sipserver.xml file. See the information on sip-security in the Oracle Communications Converged Application Server Administrator's Guide.
- User Name Mapper Class Name: Enter the name of a custom Java class used to map user names in the P-Asserted-Identity header to user names in the default security realm. A custom user name mapper is generally used if user names are received from two or more different domains, because additional logic may then be required to map the user names received from each domain. A custom user name mapper class is required if you want to map user names in the P-Asserted-Identity header to WebLogic user names. See Securing Oracle WebLogic Server in the Oracle WebLogic Server documentation for more information.
Alternatively, leave this field blank to use the default user name mapper. The default mapper simply discards the domain name and uses the resulting user name without applying any additional logic. Note that, because the domain is discarded, the same user name received from two different domains maps to the same realm user.
- Click Save.
- Restart the server.
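As an added example (not Oracle's code and not the OCCAS provider itself), the following standalone Java class shows what the default mapper's behaviour of discarding the domain means in practice, and the kind of per-domain logic a custom User Name Mapper class would carry when identities arrive from more than one domain. The class name, the domains example.com and partner.net, the suffix rule, and the sample header values are all assumptions constructed for the illustration. The interface a real mapper must implement for the provider is documented in Securing Oracle WebLogic Server and is not reproduced here, so map() is a plain method rather than an implementation of that interface.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration of P-Asserted-Identity user name mapping. Not Oracle code:
// the provider's mapper interface is not implemented here (see the WebLogic docs);
// the class name, domains and mapping rules are assumptions for the example.
public class PAssertedIdentityUserNameMapper {

    // Extracts the URI from one P-Asserted-Identity value (RFC 3325), e.g.
    //   "Alice" <sip:alice@example.com;user=phone>   sip:alice@example.com   tel:+14155551212
    // group(1) = scheme, group(2) = addr-spec up to any parameter, header or closing bracket.
    // Parsing is deliberately simplified for the illustration.
    private static final Pattern URI_IN_VALUE =
            Pattern.compile("<?(sips?|tel):([^>;?]+)[^>]*>?");

    // Hypothetical per-domain rule: SIP domain -> suffix appended to the realm user name.
    // Domains with no entry are rejected, so an unexpected domain never maps to a realm user.
    private final Map<String, String> domainSuffix = new HashMap<>();

    public PAssertedIdentityUserNameMapper() {
        domainSuffix.put("example.com", "");          // home domain: bare user part
        domainSuffix.put("partner.net", "_partner");  // federated domain: keep its users distinct
    }

    /** What the page's default mapper does: discard the domain and keep the user part. */
    public static String defaultMap(String paiValue) {
        String[] parts = parse(paiValue);
        return parts == null ? null : parts[0];
    }

    /** Custom mapping: domain-aware, fails closed (returns null) for unknown domains. */
    public String map(String paiValue) {
        String[] parts = parse(paiValue);
        if (parts == null) return null;
        String user = parts[0];
        String domain = parts[1];
        if (domain == null) return user;                       // tel: URI carries no domain
        String suffix = domainSuffix.get(domain.toLowerCase());
        if (suffix == null) return null;                       // no rule for this domain
        return user + suffix;
    }

    /** Returns {user, domain} (domain is null for tel:), or null if no usable identity. */
    static String[] parse(String paiValue) {
        if (paiValue == null) return null;
        String v = paiValue.trim();
        int lt = v.indexOf('<');
        if (lt >= 0) v = v.substring(lt);                      // skip a display name such as "Alice"
        Matcher m = URI_IN_VALUE.matcher(v);
        if (!m.find()) return null;
        String scheme = m.group(1).toLowerCase();
        String addr = m.group(2).trim();
        if (scheme.equals("tel")) {
            return addr.isEmpty() ? null : new String[] { addr, null };
        }
        int at = addr.indexOf('@');
        if (at <= 0 || at == addr.length() - 1) return null;   // no user part or no host
        return new String[] { addr.substring(0, at), addr.substring(at + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample header values; a real header may carry one sip and one tel value.
        String[] samples = {
            "\"Alice\" <sip:alice@example.com;user=phone>",
            "sip:alice@partner.net",
            "tel:+14155551212",
            "<sips:bob@unknown.org>",
            "\"no uri here\""
        };
        PAssertedIdentityUserNameMapper mapper = new PAssertedIdentityUserNameMapper();
        for (String s : samples) {
            System.out.printf("%-45s default=%-8s custom=%s%n", s, defaultMap(s), mapper.map(s));
        }
    }
}
```

Compile and run the class with javac and java. The two alice values show the hazard the page alludes to: the default mapping returns alice for both alice@example.com and alice@partner.net, so a user asserted by the partner domain would be authorized as the home-domain alice, whereas the custom mapping keeps them apart and refuses bob@unknown.org outright. The domain check in the mapper is in addition to, not a replacement for, the provider's Trusted Hosts check: the trusted-host list decides whether the header is believed at all, while the mapper decides which realm user an accepted identity becomes.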