A LoginModule is the part of an Authentication provider that actually performs the authentication of a user or system. Authentication providers also use Principal
Validation providers, which provide additional security by signing and verifying the authenticity of principals (users and groups). For more information about Principal
Validation providers, see Principal Validation Providers in Developing Security Providers for Oracle WebLogic Server.
You must have at least one Authentication provider in a security realm, and you can configure multiple Authentication providers in a security realm. Having multiple
Authentication providers allows you to have multiple LoginModules, each of which may perform a different kind of authentication. An administrator configures each
Authentication provider to determine how multiple LoginModules are called when users attempt to log in to the system. Because they add security to the principals used
in authentication, a Principal Validation provider must be accessible to your Authentication providers.
Authentication providers and LoginModules are discussed in more detail in Authentication Providers in Developing Security Providers for Oracle WebLogic Server.
4.6.2.2 Identity Assertion Providers
Identity assertion involves establishing a client's identity using client-supplied tokens that may exist outside of the request. Thus, the function of an Identity
Assertion provider is to validate a token and map it to a username. Once this mapping is complete, an Authentication provider's LoginModule can be used to convert
the username to principals. Identity Assertion providers allow WebLogic Server to establish trust by validating a user.
An Identity Assertion provider is a specific form of Authentication provider that allows users or system processes to assert their identity using tokens (in other words,
perimeter authentication). You can use an Identity Assertion provider in place of an Authentication provider if you create a LoginModule for the Identity Assertion
provider, or in addition to an Authentication provider if you want to use the Authentication provider's LoginModule. Identity Assertion providers enable
perimeter authentication and support single sign-on.
WebLogic Server provides Identity Assertion providers that perform perimeter-based authentication (Web server, firewall, VPN), support token types such as Digest,
SPNEGO, and SAML 1.1 and 2.0, and can handle multiple security protocols (Kerberos, SOAP, IIOP-CSIv2). You can also write custom Identity Assertion providers
that support different token types, such as Microsoft Passport. When used with an Authentication provider's LoginModule, Identity Assertion providers support single
sign-on. For example, the Identity Assertion provider can generate a token from a digital certificate, and that token can be passed around the system so that users are not
asked to sign on more than once.
Note: An Identity Assertion provider is a special type of
Authentication provider that handles perimeter-based authentication and multiple security token types and protocols.
4-8 Understanding Security for Oracle WebLogic Server
Multiple Identity Assertion providers can be configured in a security realm, but none are required. An Identity Assertion provider can support more than one token type,
but only one token type at a time can be active in a particular Identity Assertion provider. For example, a particular Identity Assertion provider can support both X.509
and SAML (either 1.1 or 2.0, but not both), but an administrator configuring the system must select which token type (X.509 or SAML) is to be active in that Identity
Assertion provider. So if there is only one Identity Assertion provider configured and it is set to handle X.509 tokens, but SAML token types must be
supported as well, then another Identity Assertion provider must be configured that can handle SAML tokens, and SAML must be set as its active token type.
Identity Assertion providers are discussed in more detail in Identity Assertion Providers in Developing Security Providers for Oracle WebLogic Server.
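The following is an added example (not Oracle's sample code and not part of the original text) of a custom identity asserter of the kind described above: it validates a client-supplied token, maps it to a username, rejects any token type other than the one it is active for, and hands the username to the Authentication provider's LoginModule through a CallbackHandler. The token type name "HmacUserToken", the wire format "<username>:<base64url HMAC-SHA256 over the username>", the issuing helper and the shared key are all assumptions made for illustration; the surrounding AuthenticationProviderV2 class that returns this asserter from getIdentityAsserter() and reads the key from its provider MBean is omitted.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;

/**
 * Hypothetical identity asserter for an assumed token type "HmacUserToken".
 * Assumed wire format: "<username>:<base64url HMAC-SHA256 over username>".
 * The asserter only validates the token and maps it to a username; turning
 * that username into principals is the LoginModule's job, as the text describes.
 */
public class HmacTokenIdentityAsserter implements IdentityAsserterV2 {

    /** Assumed token type name; this is the one active type for this asserter. */
    public static final String TOKEN_TYPE = "HmacUserToken";

    private final byte[] key; // shared secret; a real provider reads it from its MBean

    public HmacTokenIdentityAsserter(byte[] key) {
        this.key = key.clone();
    }

    @Override
    public CallbackHandler assertIdentity(String type, Object token, ContextHandler context)
            throws IdentityAssertionException {
        // Only the active token type is accepted. Any other type must be served by a
        // separate Identity Assertion provider with that type set active.
        if (!TOKEN_TYPE.equals(type)) {
            throw new IdentityAssertionException("unsupported token type: " + type);
        }
        if (!(token instanceof String)) {
            throw new IdentityAssertionException("token must be a String");
        }
        String t = (String) token;
        int sep = t.lastIndexOf(':');
        if (sep <= 0 || sep == t.length() - 1) {
            throw new IdentityAssertionException("malformed token");
        }
        String user = t.substring(0, sep);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(t.substring(sep + 1));
        } catch (IllegalArgumentException e) {
            throw new IdentityAssertionException("malformed MAC");
        }
        // Constant-time comparison so a forger gains nothing from timing differences.
        if (!MessageDigest.isEqual(mac(user), presented)) {
            throw new IdentityAssertionException("token signature invalid");
        }
        final String validatedUser = user;
        // The LoginModule obtains the validated username via NameCallback; nothing
        // else is answered, so a LoginModule cannot mistake this for a password login.
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(validatedUser);
                } else {
                    throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                }
            }
        };
    }

    private byte[] mac(String data) throws IdentityAssertionException {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IdentityAssertionException("MAC failure: " + e.getMessage());
        }
    }

    /** Issuing side (constructed for the example), e.g. a perimeter proxy that shares the key. */
    public String issue(String user) throws IdentityAssertionException {
        return user + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(user));
    }
}
```

With this asserter active for "HmacUserToken", a request carrying a token issued by issue("alice") yields a CallbackHandler that supplies "alice"; a token for type "X.509", a token with a tampered MAC, or a malformed string is rejected with IdentityAssertionException before any LoginModule runs. Note that the token here carries no expiry or audience, so in a real deployment the issuer and the validation rule would need to cover replay as well as forgery.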
4.6.2.3 Principal Validation Providers