11 About Configuring the Authentication Providers in WebLogic Server

Most Authentication providers provided by Oracle WebLogic Server work in similar fashion: given a username and password credential pair, the provider attempts to find a corresponding user in the provider's data store. These Authentication providers differ primarily in what they use as a data store: one of many available LDAP servers, a SQL database, or other data store. In addition to these username/password based security providers, WebLogic Server includes identity assertion Authentication providers, which use certificates or security tokens, rather than username/password pairs, as credentials.

This chapter includes the following topics:

Choosing an Authentication Provider

The WebLogic Server security architecture supports password-based and certificate-based authentication, HTTP certificate-based authentication proxied through an external Web server, perimeter-based authentication, and authentication based on multiple security token types and protocols. WebLogic Server includes the following Authentication providers to support these authentication types:
  • The WebLogic Authentication provider, also known as the DefaultAuthenticator, accesses user and group information in WebLogic Server's embedded LDAP server.

  • The Oracle Internet Directory Authentication provider accesses users and groups in Oracle Internet Directory, an LDAP version 3 directory.

  • The Oracle Virtual Directory Authentication provider accesses users and groups in Oracle Virtual Directory, an LDAP version 3 enabled service.

  • LDAP Authentication providers access external LDAP stores. You can use an LDAP Authentication provider to access any LDAP server. WebLogic Server provides LDAP Authentication providers already configured for Open LDAP, Oracle Directory Server Enterprise Edition (ODSEE), Microsoft Active Directory, and Novell NDS LDAP servers.

  • RDBMS Authentication providers access external relational databases. WebLogic Server provides three RDBMS Authentication providers: SQL Authenticator, Read-only SQL Authenticator, and Custom RDBMS Authenticator.

  • The WebLogic Identity Assertion provider validates X.509 and IIOP-CSIv2 tokens and optionally can use a user name mapper to map that token to a user in a WebLogic Server security realm.

  • The SAML Authentication provider, which authenticates users based on Security Assertion Markup Language 1.1 (SAML) assertions.

  • The Negotiate Identity Assertion provider, which uses Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users.

  • The SAML Identity Assertion provider, which acts as a consumer of SAML security assertions. This enables WebLogic Server to act as a SAML destination site and supports using SAML for single sign-on.

  • The Oracle Identity Cloud Integrator provider integrates with the Oracle Identity Cloud Service. The Oracle Identity Cloud Integrator provider combines authentication and identity assertion in a single provider. You can authenticate using username and passwords or Oracle Identity Cloud Service identity tokens.

In addition, you can use:

  • Custom (non-WebLogic) Authentication providers, which offer different types of authentication technologies.

  • Custom (non-WebLogic) Identity Assertion providers, which support different types of tokens.

Using More Than One Authentication Provider

Each security realm must have at least one Authentication provider configured. The WebLogic Security Framework supports multiple Authentication providers (and thus multiple LoginModules) for multipart authentication. Therefore, you can use multiple Authentication providers as well as multiple types of Authentication providers in a security realm. For example, if you want to use both a retina-scan and a username/password-based form of authentication to access a system, you configure two Authentication providers.

How you configure multiple Authentication providers can affect the overall outcome of the authentication process. Configure the JAAS Control Flag for each Authentication provider to set up login dependencies between Authentication providers and allow single-sign on between providers. See Setting the JAAS Control Flag Option.

Authentication providers are called in the order in which they were configured in the security realm. Therefore, use caution when configuring Authentication providers. You can use the WebLogic Server Administration Console to re-order the configured Authentication providers, thus changing the order in which they are called. See Changing the Order of Authentication Providers.

Setting the JAAS Control Flag Option

When you configure multiple Authentication providers, use the JAAS Control Flag for each provider to control how the Authentication providers are used in the login sequence. You can set the JAAS Control Flag in the WebLogic Server Administration Console. See Set the JAAS control flag in the Oracle WebLogic Server Administration Console Online Help. You can also use the WebLogic Scripting Tool or Java Management Extensions (JMX) APIs to set the JAAS Control Flag for an Authentication provider.

JAAS Control Flag values are:

  • REQUIRED—The Authentication provider is always called, and the user must pass its authentication test. However, regardless of whether authentication succeeds or fails, authentication still continues down the list of providers.

  • REQUISITE—The Authentication provider is always called, and the user is required to pass its authentication test.

    • If authentication succeeds, subsequent providers are executed but can fail (except for REQUIRED Authentication providers).

    • If authentication fails, control is returned to the caller and no subsequent Authentication provider down the list is executed.

  • SUFFICIENT—The user is not required to pass the authentication test of the Authentication provider.

    • If authentication succeeds, control is returned to the caller and no subsequent Authentication provider down the list is executed.

    • If authentication fails, authentication continues down the list of providers.

    Any REQUIRED or REQUISITE Authentication provider in the list must pass its own authentication test. If no REQUIRED or REQUISITE Authentication provider is in the list, then the authentication test of at least one OPTIONAL or SUFFICIENT Authentication provider must pass.

  • OPTIONAL—The user is not required to pass the authentication test of the Authentication provider. Regardless of whether authentication succeeds or fails, authentication continues down the list of providers.

The overall authentication of the user succeeds only if all REQUIRED and REQUISITE Authentication providers configured in the realm succeed. Note also:

  • If a SUFFICIENT Authentication provider is configured and succeeds, then only the REQUIRED and REQUISITE Authentication providers prior to that SUFFICIENT Authentication provider need to have succeeded for the overall authentication to succeed.

  • If no REQUIRED or REQUISITE Authentication providers are configured in the security realm, then at least one SUFFICIENT or OPTIONAL Authentication provider must succeed.

When additional Authentication providers are added to an existing security realm, by default the Control Flag is set to OPTIONAL. If necessary, change the setting of the Control Flag and the order of Authentication providers so that each Authentication provider works properly in the authentication sequence.

Note:

As part of the startup process, WebLogic Server must be able to initialize all security providers that are configured in the security realm, including any Authentication providers that have a JAAS Control Flag set to OPTIONAL. If the initialization process for any security provider cannot be completed, WebLogic Server fails to boot, and an error message similar to the following is displayed:

<BEA-090870> <The realm "myrealm" failed to be loaded:

Changing the Order of Authentication Providers

The order in which WebLogic Server calls multiple Authentication providers can affect the overall outcome of the authentication process. The Authentication Providers table lists the authentication providers in the order in which they will be called. By default, Authentication providers are called in the order in which they were configured. You can use the WebLogic Server Administration Console to change the order of Authentication providers. Select the Reorder button on the Security Realms > RealmName > Providers > Authentication page in the WebLogic Server Administration Console to change the order in which Authentication providers are called by WebLogic Server and listed in the console.

See Re-order Authentication Providers in the Oracle WebLogic Server Administration Console Online Help.