This MBean specifies configuration attributes for the Oracle Identity Cloud Integrator provider. This provider supports simple authentication with the Oracle Identity Cloud Service and perimeter authentication (identity assertion) using Oracle Identity Cloud Service tokens.
| Fully Qualified Interface Name | If you use the getMBeanInfo operation in MBeanTypeServiceMBean, supply the following value as this MBean's fully qualified interface name:
weblogic.security.providers.authentication.OracleIdentityCloudIntegratorMBean
|
||
| Factory Methods | No factory methods. Instances of this MBean are created automatically. | ||
| Access Points Inherited from AuthenticationProviderMBean |
Because this MBean extends or implements AuthenticationProviderMBean, you can also access this MBean by retrieving AuthenticationProviderMBeans. The following attributes contain AuthenticationProviderMBeans and its subtypes:
|
This section describes attributes that provide access to other MBeans.
|
|
Returns the realm that contains this security provider. Returns null if this security provider is not contained by a realm.
| Privileges | Read only |
| Type | RealmMBean |
| Relationship type: | Reference. |
This section describes the following attributes:
The number of seconds before an access token times out that a new access token is requested. Adjusting the timeout window impacts how long access tokens are cached for reuse before an updated access token is requested from the authorization server.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 300 |
The token types that are currently active.
| Privileges | Read/Write |
| Type | class java.lang.String[] |
| Default Value | idcs_user_assertion Idcs_user_assertion |
The Oracle Identity Cloud Integrator provider defines this setting as always enabled.
| Privileges | Read only |
| Type | boolean |
| Default Value | true |
The name of the HTTP header used to determine the application name applied when filtering the authentication and assertion requests to the Oracle Identity Cloud Service. When no value is supplied or can be determined, requests are not filtered by an application.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | X-RESOURCE-SERVICE-INSTANCE-IDENTITY-APPNAME |
Used to get AppRoles from the token.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | appRoles |
Specifies whether the audience from the access token is stored in the subject for later use by the application.
| Privileges | Read/Write |
| Type | boolean |
| Default Value | true |
Specifies whether the tokens that are passed to the Oracle Identity Cloud Integrator provider for identity assertion are base 64 decoded first. This setting is defined by the Oracle Identity Cloud Integrator provider based on the supported tokens.
| Privileges | Read only |
| Type | boolean |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
The URI base path used for the connection to the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | java.lang.String |
Specifies whether to cache the Oracle Identity Cloud Service user's information.
| Privileges | Read/Write |
| Type | boolean |
| Default Value | true |
Specifies the maximum number of entries to cache.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 500 |
The time-to-live (TTL) of the Oracle Identity Cloud Service user cache, in seconds.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 300 |
Specifies whether the client name from the access token is stored in the subject as the username for later use by the application.
| Privileges | Read/Write |
| Type | boolean |
The Client Id used when retrieving tokens from the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | java.lang.String |
Used for Client ID App Assertion. The default value results in the use of the attribute configured by the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value |
Used to get the client Id (GUID) from the access token.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | client_id |
Used to get the client name from the access token.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | client_name |
The Client secret used when retrieving tokens from the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | java.lang.String |
| Encrypted | true |
| Privileges | Read/Write |
| Type | byte[] |
| Encrypted | true |
The tenant in which the Client Id resides from the Oracle Identity Cloud Service. When no client tenant name is configured, the tenant configured for the provider is used.
| Privileges | Read/Write |
| Type | java.lang.String |
Used to get the Identity Domain for the client from the access token.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | client_tenantname |
The maximum time to wait, in seconds, for the connection to the Oracle Identity Cloud Service to be established.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 60 |
Returns how the login sequence uses the Authentication provider.
A REQUIRED value specifies this LoginModule must
succeed. Even if it fails, authentication proceeds down the list of
LoginModules for the configured Authentication providers. This
setting is the default.
A REQUISITE value specifies this LoginModule must
succeed. If other Authentication providers are configured and this
LoginModule succeeds, authentication proceeds down the list of
LoginModules. Otherwise, control is return to the application.
A SUFFICIENT value specifies this LoginModule need
not succeed. If it does succeed, return control to the application.
If it fails and other Authentication providers are configured,
authentication proceeds down the LoginModule list.
An OPTIONAL value specifies this LoginModule need
not succeed. Whether it succeeds or fails, authentication proceeds
down the LoginModule list.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | REQUIRED |
| Legal Values |
|
A short description of the Oracle Identity Cloud Integrator provider.
| Privileges | Read only |
| Type | java.lang.String |
| Default Value | Provider that performs identity assertion for Oracle Identity Cloud Service tokens |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
Used to get groups from the token.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | groups |
The host name used to connect to the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | localhost |
An override for the token issuer value used during validation. The issuer is normally obtained from the Oracle Identity Cloud Service Discovery Metadata. When configured, the issuer value is used for all tenants.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value |
An override for the JSON Web Key Set location (jwks_uri) used during validation of tokens. A file location can be specified to load keys from the local environment. The location of the keys is normally obtained from the Oracle Identity Cloud Service Discovery Metadata. When configured, the URI is used for all tenants.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value |
The time-to-live (TTL) of the empty metadata for known Oracle Identity Cloud Service tenants in Oracle Identity Cloud Service metadata cache, in seconds. The default value 300.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 300 |
The list of tenant prefixes that would identify known or valid Oracle Identity Cloud Service tenant names. Used in combination with KnownTenantEmptyMetadataTTL to decide the TTL of cached empty metadata for Oracle Identity Cloud Service tenants. When no perfixes are configured, all tenants are considered as Oracle Identity Cloud Service tenants.
| Privileges | Read/Write |
| Type | class java.lang.String[] |
| Default Value | idcs- |
| Privileges | Read only |
| Type | java.lang.String |
| Default Value | OracleIdentityCloudIntegrator |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
Specifies whether the claims about the user from the token are the only claims processed when a subject is created. Any additional information in the subject about the user, including groups and application roles, is obtained from the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | boolean |
The port number used to connect to the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 0 |
The name of the Java class used to load the Oracle Identity Cloud Integrator provider.
| Privileges | Read only |
| Type | java.lang.String |
| Default Value | weblogic.security.providers.authentication.IDCSIntegratorProviderImpl |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
Used to get the Identity Domain for the resource from the access token.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | tenant |
The maximum time to wait, in seconds, for a response from the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 60 |
Specifies whether to backoff and retry requests when Oracle Identity Cloud Service returns a response that too many requests are being processed in a specific time window.
| Privileges | Read/Write |
| Type | boolean |
| Default Value | true |
The interval, in seconds, that the count of authentication failures caused by the Oracle Identity Cloud Service not being available are logged to the server log. Setting to zero (0) or negative value turns off the logging of the count.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 300 |
If the optional X.509 certificate chain ("x5c claim") is available from the JSON Web Key Set, this attribute specifies whether the public key obtained from the X.509 certificate in the supplied chain is used during the verification of the token signature.
| Privileges | Read/Write |
| Type | boolean |
Specifies whether the TLS/SSL protocol is used when connecting to the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | boolean |
The types of tokens supported by the Oracle Identity Cloud Integrator provider.
| Privileges | Read only |
| Type | class java.lang.String[] |
| Default Value | idcs_user_assertion Idcs_user_assertion Authorization REMOTE_USER IDCS_REMOTE_USER |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
Specifies whether the synchronization filter is enabled for servlet applications deployed on the security realm.
| Privileges | Read/Write |
| Type | boolean |
| Default Value | true |
Specifies whether the synchronization filter performs case match when comparing the session user and the remote user.
| Privileges | Read/Write |
| Type | boolean |
Specifies whether the synchronization filter only filters the requests with CLIENT_CERT or CLIENT-CERT Auth Type.
| Privileges | Read/Write |
| Type | boolean |
| Default Value | true |
Specifies whether the synchronization filter looks into the requests header before looking at the token for the remote user and tenant. This attribute is used only when the synchronization filter is enabled for requests with all authentication types.
| Privileges | Read/Write |
| Type | boolean |
The names of HTTP headers sent on requests that the synchronization filter uses to look for remote user information.
| Privileges | Read/Write |
| Type | class java.lang.String[] |
| Default Value |
The name of the primary tenant where users and groups reside from the Oracle Identity Cloud Service. When the primary tenant is not configured, the user authentication processing must identify the tenant name.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value |
The interval, in seconds, that the cached data for all the tenants, including the metadata and public key is flushed. Adjusting the interval impacts how long the tenant data is cached for reuse before it is updated. The default value is 0, which means that tenant data from a previous download is not cleared unless triggered by an MBean operation or configuration change.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 0 |
Specifies whether to re-load Oracle Identity Cloud Service tenant data when a token validation error occurs.
| Privileges | Read/Write |
| Type | boolean |
| Default Value | true |
The interval, in seconds, that the Oracle Identity Cloud Service tenant data would not be removed when a token validation error occurs. Adjusting the interval impacts how long the tenant data is cached for reuse before repeated token validation errors result in a tenant data re-load.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 300 |
The names of HTTP headers sent on requests to the Oracle Identity Cloud Service that are used to determine the tenancy during authentication.
| Privileges | Read/Write |
| Type | class java.lang.String[] |
| Default Value | X-USER-IDENTITY-SERVICE-GUID X-USER-IDENTITY-DOMAIN-NAME X-RESOURCE-IDENTITY-SERVICE-GUID X-RESOURCE-IDENTITY-DOMAIN-NAME |
The tenant-based host name, in Fully Qualified Domain name (FQDN) format, comprised of a tenant name and a host name. This attribute contains the tokens, such as {%tenant}.{%host}, that are replaced with the actual values.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | {%tenant}.{%host} |
The list of allowable tenant names consumed from the Oracle Identity Cloud Service. When no tenant names are configured, any tenant from the Oracle Identity Cloud Service is accessible.
| Privileges | Read/Write |
| Type | class java.lang.String[] |
| Default Value |
Used to get the Identity Domain from the token.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | user_tenantname |
The maximum time to wait, in seconds, when a thread attempts to acquire a synchronization lock for obtaining metadata, keys and access tokens.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 120 |
Specifies whether to cache Oracle Identity Cloud Service tokens after successful validation of the token.
| Privileges | Read/Write |
| Type | boolean |
| Default Value | true |
The allowable variance, in seconds, for the token Expiration, Issued At, and Not Before attributes.
| Privileges | Read/Write |
| Type | int |
| Default Value | 120 |
| Minimum value | 0 |
Determines whether the Oracle Identity Cloud Integrator provider checks for a secure transport connection before accepting active token types. When enabled and a secure transport connection cannot be determined, tokens are not accepted for identity assertion.
| Privileges | Read/Write |
| Type | boolean |
The level of validation performed on Oracle Identity Cloud
Service tokens passed to the Identity Asserter. Valid values are
FULL, NORMAL, SIGNATURE and
NONE.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | NORMAL |
| Legal Values |
|
Determines whether to allow identity assertion to authenticate WebLogic Server users who are not represented in the security store.
| Privileges | Read/Write |
| Type | boolean |
The time-to-live (TTL) of the empty metadata for unknown tenants in Oracle Identity Cloud Service metadata cache, in seconds. The default value is 0 to disable the TTL.
| Privileges | Read/Write |
| Type | java.lang.Integer |
| Default Value | 0 |
Used for User Authentication and Assertion. The default value results in the use of the attribute configured by the Oracle Identity Cloud Service.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value |
SCIM User resource type attribute that specifies the ID (GUID) of the user.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | id |
Used to get the user ID (GUID) from the token. Corresponds to the SCIM User ID resource type attribute.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | user_id |
SCIM User resource type attribute that specifies the name of the user.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | userName |
Used to get the user name from the token. Corresponds to the SCIM User name resource type attribute. If not set, the subject ("sub claim") is used.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value |
The version number of the Oracle Identity Cloud Integrator provider.
| Privileges | Read only |
| Type | java.lang.String |
| Default Value | 1.0 |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
This section describes the following operations:
Clears (removes) the loaded metadata for the specified tenant. The metadata is re-loaded upon access from a user of the specified tenant.
| Operation Name | "clearMetadata" |
| Parameters | Object [] { tenant }
where:
|
| Signature | String [] {
"java.lang.String" } |
| Returns |
void
|
Clears (removes) the loaded public key(s) for the specified tenant. The public key(s) is re-loaded when a token requires verification.
| Operation Name | "clearPublicKey" |
| Parameters | Object [] { tenant }
where:
|
| Signature | String [] {
"java.lang.String" } |
| Returns |
void
|
Clears (removes) all data (metadata, keys, etc.) for all the known tenants. Tenant data is re-loaded upon access from a user.
| Operation Name | "clearTenantData" |
| Parameters | null |
| Signature | null |
| Returns |
void
|
Verifies if metadata is loaded for a tenant. It returns true if the metadata is available; false otherwise.
| Operation Name | "hasMetadataAvailable" |
| Parameters | Object [] { tenant }
where:
|
| Signature | String [] {
"java.lang.String" } |
| Returns |
boolean
|
Verifies if the public key is loaded for a tenant. It returns true if the public key is available; false otherwise.
| Operation Name | "hasPublicKeyAvailable" |
| Parameters | Object [] { tenant }
where:
|
| Signature | String [] {
"java.lang.String" } |
| Returns |
boolean
|
Returns true if the specified attribute has been set explicitly in this MBean instance.
| Operation Name | "isSet" |
| Parameters | Object [] { propertyName }
where:
|
| Signature | String [] {
"java.lang.String" } |
| Returns |
boolean
|
| Exceptions |
|
Restore the given property to its default value.
| Operation Name | "unSet" |
| Parameters | Object [] { propertyName }
where:
|
| Signature | String [] {
"java.lang.String" } |
| Returns |
void
|
| Exceptions |
|
| Operation Name | "wls_getDisplayName" |
| Parameters | null |
| Signature | null |
| Returns | String
|