Configure Authentication and Identity Assertion providers

Before you begin

If automatic realm restart is enabled, you do not need to restart WebLogic Server after activating non-dynamic changes to security providers. See Enable automatic realm restart and Using Automatic Realm Restart.

WebLogic Server offers the following types of Authentication and Identity Assertion providers:

The WebLogic Authentication provider allows you to manage users and groups in one place, the embedded LDAP server. Note that the Administration Console refers to the WebLogic Authentication provider as the Default Authenticator. For more information, see Configuring the WebLogic Authentication Provider.
Identity Assertion providers use token-based authentication. WebLogic Server provides the WebLogic Identity Assertion Provider (referred to in the Administration Console as the Default Identity Asserter), LDAP X.509 Identity Asserter, Negotiate Identity Asserter, SAML (1.1) Identity Asserter, and SAML 2.0 Identity Asserter. For more information, see Configuring Identity Assertion Providers.
LDAP Authentication providers access external LDAP stores. WebLogic Server provides LDAP Authentication providers that access Oracle Internet Directory, Oracle Virtual Directory, Open LDAP, Oracle Unified Directory, Oracle Directory Server Enterprise Edition (ODSEE), Microsoft Active Directory, Tuxedo LDAP, and Novell NDS stores. For more information, see Configuring LDAP Authentication Providers. If the connection to the LDAP server uses SSL, create and configure a custom trust keystore as described in Enabling an LDAP Authentication Provider for SSL.
Note: Please note the following:
- You are not limited to these LDAP Authentication providers. To use an LDAP server other than the supported LDAP servers, choose the LDAP server type that has the closest defaults to the LDAP server you want to use and modify the attribute values accordingly.
- When configuring a generic LDAP Authentication provider, the value you enter for principal on the Provider-Specific tab must be an LDAP administrator who has the privilege to search users and groups in the corresponding LDAP server. If the LDAP administrator does not have privileges to search the LDAP server, an LDAP exception with error code 50 is generated.
- For information about using Oracle Unified Directory, see Configuring an Authentication Provider for Oracle Unified Directory.
DBMS Authentication providers access an external database management system. WebLogic Server provides for SQL Authentication Providers, Read-Only SQL Authentication Providers, and Custom DBMS Authentication Providers. For more information, see Configuring RDBMS Authentication Providers.
The WebLogic SAML Authentication provider enables authentication based on the Security Assertion Markup Language (SAML).
Note: The WebLogic SAML Authentication provider can be used with both the SAML Identity Asserter (for SAML 1.1) as well as the SAML 2.0 Identity Asserter to allow virtual users to log in. For important usage notes, see Configuring the SAML Authentication Provider.
The NT Authentication provider for Windows NT domains. For more information, see Configuring a Windows NT Authentication Provider.

Oracle recommends that you configure the Password Validation provider immediately after configuring a new WebLogic domain. The Password Validation provider, which is included with WebLogic Server, can be configured with several out-of-the-box authentication providers to manage and enforce password composition rules. Whenever a password is created or updated in the security realm, the corresponding authentication provider automatically invokes the Password Validation provider to ensure that the password meets the composition requirements that are established. For more information, see Configure the Password Validation provider.

In addition, you can use a Custom Authentication provider which offers different types of authentication technologies. For more information, see Configure custom security providers.

Each security realm must have one at least one Authentication provider configured. The WebLogic Security Framework is designed to support multiple Authentication providers (and thus multiple LoginModules) for multipart authentication. Therefore, you can use multiple Authentication providers as well as multiple types of Authentication providers in a security realm. The Control Flag attribute determines how the LoginModule for each Authentication provider is used in the authentication process. For more information, see Set the JAAS control flag.

All Authentication providers included in WebLogic Server support identity domains. If the identity domain attribute is set on an Authentication provider, that Authentication provider can authenticate only users who are defined in that identity domain. For more information, see Configuring Security.

To configure an Authentication or Identity Assertion provider:

If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
In the left pane, select Security Realms and click the name of the realm you are configuring (for example, myrealm).
Select Providers > Authentication and click New.
The Create a New Authentication Provider page appears.
In the Name field, enter a name for the Authentication provider.
From the Type drop-down list, select the type of the Authentication provider and click OK.
Select Providers > Authentication and click the name of the new Authentication provider to complete its configuration.
On the Configuration page for the Authentication provider, set the desired values on the Common and Provider-Specific tabs.
Repeat these steps to configure additional Authentication providers.
If you are configuring multiple Authentication providers, refer to Set the JAAS control flag.
In the Change Center, click Activate Changes.

Administration Console Online Help

Configure Authentication and Identity Assertion providers