
4-6 Understanding Security for Oracle WebLogic Server

■ SAML 2.0 Credential Mapping provider
■ Default Certificate Registry

When the RDBMS security store is configured in a security realm, an instance of any of the preceding security providers that has been created in the security realm automatically uses only the RDBMS security store as a datastore, and not the embedded LDAP server. Other security providers continue to use their default stores; for example, the WebLogic Authentication provider continues to use the embedded LDAP server.

Oracle recommends that you configure the RDBMS security store at the time of domain creation. The Configuration Wizard has been enhanced to simplify the process. This ensures that when the domain is booted, the security policies required to access the domain can be retrieved from the external RDBMS.

Note that the use of the RDBMS security store is required to use SAML 2.0 services in two or more WebLogic Server instances in a domain, such as in a cluster. For more information about the RDBMS security store, see Managing the RDBMS Security Store in Securing Oracle WebLogic Server.

4.6.2 Types of Security Providers

The following sections describe the types of security providers that you can use with WebLogic Server:

■ Section 4.6.2.1, Authentication Providers
■ Section 4.6.2.2, Identity Assertion Providers
■ Section 4.6.2.3, Principal Validation Providers
■ Section 4.6.2.4, Authorization Providers
■ Section 4.6.2.5, Adjudication Providers
■ Section 4.6.2.6, Role Mapping Providers
■ Section 4.6.2.7, Auditing Providers
■ Section 4.6.2.8, Credential Mapping Providers
■ Section 4.6.2.9, Certificate Lookup and Validation Providers
■ Section 4.6.2.10, Keystore Providers
■ Section 4.6.2.11, Realm Adapter Providers

4.6.2.1 Authentication Providers

Authentication providers allow WebLogic Server to establish trust by validating a user. The WebLogic Server security architecture supports Authentication providers that perform username/password authentication, certificate and digest authentication directly with WebLogic Server, and HTTP certificate authentication proxied through an external Web server.

Note: You cannot develop a single security provider that merges several provider types; for example, you cannot have one security provider that does both authorization and role mapping.

A LoginModule is the part of an Authentication provider that actually performs the authentication of a user or system. Authentication providers also use Principal Validation providers, which provide additional security by signing and verifying the authenticity of principals (users and groups). For more information about Principal Validation providers, see Principal Validation Providers in Developing Security Providers for Oracle WebLogic Server.

You must have at least one Authentication provider in a security realm, and you can configure multiple Authentication providers in a security realm. Having multiple Authentication providers allows you to have multiple LoginModules, each of which may perform a different kind of authentication. An administrator configures each Authentication provider to determine how the multiple LoginModules are called when users attempt to log in to the system. Because they add security to the principals used in authentication, a Principal Validation provider must be accessible to your Authentication providers. Authentication providers and LoginModules are discussed in more detail in Authentication Providers in Developing Security Providers for Oracle WebLogic Server.
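To illustrate the LoginModule role described above, here is a minimal JAAS LoginModule written as an added example for this page; it is not WebLogic's own provider code, which uses WebLogic-specific principal classes and relies on a Principal Validation provider to sign them. The class name SampleLoginModule and the in-memory USERS table are assumptions; the two-phase login()/commit() contract is the standard javax.security.auth.spi.LoginModule protocol.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical LoginModule (added example, not WebLogic's own code) following the
// JAAS two-phase protocol: login() verifies credentials, commit() adds principals.
public class SampleLoginModule implements LoginModule {
    // Constructed sample store; a real provider would consult its own user store.
    private static final Map<String, byte[]> USERS =
        Map.of("alice", "s3cret".getBytes(StandardCharsets.UTF_8));
    private Subject subject;
    private CallbackHandler handler;
    private Principal principal; // set in login(), added to the Subject in commit()

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    // Phase 1: verify credentials without touching the Subject, so a failure in
    // another LoginModule of the same realm can still abort the whole login.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("cannot obtain credentials: " + e); }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword(); // do not keep the clear-text password around
        byte[] expected = name == null ? null : USERS.get(name);
        byte[] given = pw == null ? new byte[0] : new String(pw).getBytes(StandardCharsets.UTF_8);
        // Constant-time compare so timing does not reveal how many bytes matched.
        if (expected == null || !MessageDigest.isEqual(expected, given))
            throw new FailedLoginException("invalid user or password");
        principal = () -> name; // java.security.Principal is a functional interface
        return true;
    }

    // Phase 2: runs only after every required LoginModule in the realm succeeded.
    public boolean commit() {
        if (principal != null) subject.getPrincipals().add(principal);
        return principal != null;
    }

    public boolean abort() { principal = null; return true; }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        return abort();
    }
}
```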

4.6.2.2 Identity Assertion Providers