WebLogic Security Service Architecture 5-21
5.5.5 SAML Identity Assertion Provider for SAML 1.1
The SAML Identity Assertion provider V2 validates SAML 1.1 assertions and verifies the issuer is trusted. If so, identity is asserted based on the authentication statement contained in the assertion.
Provider configuration includes settings that configure and enable SAML source site and destination site SSO services such as ITS, ACS, and ARS to run in the server.
The SAML Identity Assertion provider supports the following SAML Subject confirmation methods:
■ artifact
■ bearer
■ sender-vouches
■ holder-of-key
5.5.6 SAML 2.0 Identity Assertion Provider
Similar to the SAML Identity Assertion provider V2 for SAML 1.1, the SAML 2.0 Identity Assertion provider validates SAML 2.0 assertions and verifies that the issuer is trusted. If so, identity is asserted based on the authentication statement contained in the assertion.
Provider configuration includes settings that configure and enable SAML 2.0 Service Provider services, such as the Assertion Consumer Service and Artifact Resolution Service, to run in the server.
The SAML 2.0 Identity Assertion provider supports the following SAML Subject confirmation methods:
■ bearer
■ sender-vouches
■ holder-of-key
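The acceptance logic described for both identity assertion providers (trusted issuer first, then a supported Subject confirmation method, then identity taken from the authentication statement) is sketched below in SAML 2.0 form. This is an added illustration, not WebLogic code: the assertion is constructed, the issuer URL is a placeholder, and signature verification against the issuer's certificate, which a real provider performs before anything else, is left out.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The three Subject confirmation methods listed for the SAML 2.0 provider.
SUPPORTED_METHODS = {
    "urn:oasis:names:tc:SAML:2.0:cm:bearer",
    "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches",
    "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key",
}

def assert_identity(assertion_xml: str, trusted_issuers: set) -> str:
    """Return the asserted user name, or raise ValueError if the assertion
    must be rejected. Signature verification against the issuer's certificate,
    which a real provider performs first, is deliberately out of scope here."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    # Step 1: only assertions from a configured, trusted issuer are accepted.
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    subject = root.find("saml:Subject", NS)
    if subject is None:
        raise ValueError("assertion has no Subject")
    # Step 2: at least one confirmation method must be one the provider supports.
    methods = {sc.get("Method") for sc in subject.findall("saml:SubjectConfirmation", NS)}
    if not methods & SUPPORTED_METHODS:
        raise ValueError(f"no supported confirmation method in {sorted(map(str, methods))}")
    # Step 3: identity is asserted only from an authentication statement's subject.
    if root.find("saml:AuthnStatement", NS) is None:
        raise ValueError("assertion carries no AuthnStatement")
    name_id = subject.findtext("saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("Subject has no NameID")
    return name_id

# Constructed sample assertion with a placeholder issuer, not a captured exchange.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    print(assert_identity(SAMPLE, {"https://idp.example.com/saml"}))
```

Swapping the confirmation method for one outside the SAML 2.0 set, or presenting an issuer that is not configured as trusted, makes the function refuse to assert any identity.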
5.5.7 Negotiate Identity Assertion Provider
The Negotiate Identity Assertion provider is used for SSO with Microsoft clients that support the SPNEGO protocol. Specifically, it decodes SPNEGO tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. The Negotiate Identity Assertion provider utilizes the Java Generic Security Service (GSS) Application Programming Interface (API) to accept the GSS security context via Kerberos. For more information about the Java GSS API, see http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html. The Negotiate Identity Assertion provider interacts with the WebLogic Servlet container, which handles WWW-Authenticate and WWW-Authorization headers, adding the appropriate Negotiate header.
By default, the Negotiate Identity Assertion provider is available but not configured in the WebLogic default security realm. The Negotiate Identity Assertion provider can be used instead of or in addition to the WebLogic Identity Assertion provider.
5.5.8 WebLogic Principal Validation Provider