User Authentication

To authenticate and subsequently access an Oracle Health Insurance application, a user needs a user account in that application. Role-based access rights for users are administered in Oracle Health Insurance applications as part of the user account. User Provisioning supports creating and maintaining user accounts and their access rights.

Although user accounts are stored in the Oracle Health Insurance application, user passwords are not. Oracle Health Insurance applications delegate the actual authentication request to an identity and access management system of choice. The authentication provider can be configured through the WebLogic console. A combination of multiple authentication providers is supported, for example to try credential store A first and credential store B second.

Failed login attempts can be logged in a specific security log.

Oracle Health Insurance applications do not enforce any password policies, such as setting a maximum number of failed login attempts before an account is locked. That, too, is delegated to the access management system. The Oracle Health Insurance Operations Guide explains the configuration for that.

Delegating Authentication to an LDAP Authentication Provider

Users in the LDAP server are expected to be defined using the industry-standard inetOrgPerson object class (which is derived from the organizationalPerson object class). Typically, the uid and userpassword attributes of that class hold the credentials used for logging in.

The following picture shows the flow of the authentication process:

[Figure: Authentication Process]

The user passes the credentials via the application's Login page, or includes them in the request header of a RESTful web service request.
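As an added example (not code from the Oracle Health Insurance documentation or from WebLogic), the following Python sketch models the flow described above: the application holds no passwords, each credential store is an in-memory stand-in for an LDAP authentication provider holding inetOrgPerson entries keyed by uid, providers are tried in order (store A first, then store B), and a failed attempt is written to a security log. The provider names, sample uids and passwords, and the {SSHA} encoding of userPassword are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac

# Added example (not product code): in-memory stand-ins for two LDAP credential stores.

def ssha_encode(password: str, salt: bytes) -> str:
    """Encode a password in the {SSHA} scheme many LDAP servers use for userPassword."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Verify a password against a {SSHA} value; the salt follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

class LdapProvider:
    """One LDAP authentication provider: a directory of inetOrgPerson entries keyed by uid."""
    def __init__(self, name: str, entries: dict):
        self.name = name
        self.entries = entries

    def authenticate(self, uid: str, password: str) -> bool:
        entry = self.entries.get(uid)
        if entry is None or "inetOrgPerson" not in entry["objectClass"]:
            return False  # unknown uid, or not a user entry
        return ssha_verify(password, entry["userPassword"])

def authenticate(providers, uid: str, password: str, security_log: list):
    """Try the providers in order (store A first, then store B); log a failed attempt."""
    for provider in providers:
        if provider.authenticate(uid, password):
            return provider.name
    security_log.append(f"AUTH_FAILED uid={uid}")
    return None

# Constructed sample stores (fixed salts keep the example deterministic).
STORE_A = LdapProvider("store-A", {
    "jdoe": {"objectClass": ["inetOrgPerson"], "userPassword": ssha_encode("Winter-2024", b"saltAAAA")},
})
STORE_B = LdapProvider("store-B", {
    "asmith": {"objectClass": ["inetOrgPerson"], "userPassword": ssha_encode("Spring-2024", b"saltBBBB")},
    "svc": {"objectClass": ["applicationProcess"], "userPassword": ssha_encode("x", b"saltCCCC")},
})
PROVIDERS = [STORE_A, STORE_B]
```

A call such as `authenticate(PROVIDERS, "jdoe", "wrong", log)` returns `None` and appends one line to `log`; lockout after repeated failures is deliberately absent, since the page delegates that policy to the access management system.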

LDAP Authentication Providers Configuration for Performance

WebLogic Server supports several ways to improve the performance of LDAP Authentication providers, such as optimizing the settings for the group membership caches, the connection pool size, and the user cache. See the WebLogic documentation on Improving the Performance of LDAP Authentication Providers to configure the following:

Table 1. LDAP Authentication Providers Configuration for Performance

Area                Field                  Suggested Values
------------------  ---------------------  ------------------------------------------------
Connection Pool     Connection Pool Size   100
LDAP Server Cache   Cache Enabled          Checked (or Enabled)
                    Cache Size             3200 kilobytes
                    Cache TTL              Specify a time-to-live value that matches the
                                           Group Hierarchy Cache TTL value (see Optimizing
                                           the Group Membership Caches). Suggested value:
                                           6000 seconds.
                    Results Time Limit     1000 ms

Make sure to restart the WebLogic Server for the changes to take effect.

For additional information on authentication, see the WebLogic documentation.