5-20 Understanding Security for Oracle WebLogic Server
object matches the presented certificate, and then retrieves the name of the user from the LDAP object for the purpose of authentication.
5.5.3 Password Validation Provider
WebLogic Server includes a Password Validation provider, which manages and enforces a set of password composition rules when configured with one or more of the following authentication providers:
■ WebLogic Authentication provider
■ SQL Authenticator provider
■ LDAP Authentication provider
■ Active Directory Authentication provider
■ iPlanet Authentication provider
■ Novell Authentication provider
■ Open LDAP Authentication provider

When the Password Validation provider is configured with an authentication provider, the authentication provider invokes the Password Validation provider whenever a password is created or updated. The Password Validation provider then checks whether the password meets the criteria established by a set of configurable composition rules. Because the check runs only at create and update time through the configured authentication provider, passwords that already exist when the rules are enabled are not re-checked, and a password set directly in the backing LDAP directory or database does not pass through the provider.
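The flow described above, as an added example that is not WebLogic Server code: an authentication provider's create/update path hands the new password to a validator that enforces a configurable rule set and refuses the change if any rule is broken. The rule names are modeled on the SystemPasswordValidator MBean attributes (an assumption; the page itself does not list them), and the store is a constructed in-memory stand-in.

```python
"""Composition-rule check in the style of the Password Validation provider.

Added example, not WebLogic code. Rule names are modeled on the
SystemPasswordValidator MBean attributes (assumption). An authentication
provider calls violations() whenever a password is created or updated and
rejects the change when the list it returns is non-empty.
"""
from __future__ import annotations

import hashlib
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordRules:
    # Assumed names, modeled on SystemPasswordValidator attributes; 0 disables a rule.
    min_password_length: int = 8
    max_password_length: int = 64
    min_numeric_or_special_characters: int = 1
    min_uppercase_characters: int = 0
    min_lowercase_characters: int = 0
    max_consecutive_characters: int = 0
    max_instances_of_any_character: int = 0
    reject_equal_or_contain_username: bool = True
    reject_equal_or_contain_reverse_username: bool = True


def violations(username: str, password: str, rules: PasswordRules) -> list[str]:
    """Return the names of the rules the password breaks; an empty list means it passes."""
    errs: list[str] = []
    if len(password) < rules.min_password_length:
        errs.append("min_password_length")
    if len(password) > rules.max_password_length:
        errs.append("max_password_length")
    if sum(1 for c in password if not c.isalpha()) < rules.min_numeric_or_special_characters:
        errs.append("min_numeric_or_special_characters")
    if sum(1 for c in password if c.isupper()) < rules.min_uppercase_characters:
        errs.append("min_uppercase_characters")
    if sum(1 for c in password if c.islower()) < rules.min_lowercase_characters:
        errs.append("min_lowercase_characters")
    if rules.max_consecutive_characters:
        # A run of one character longer than the limit, e.g. "$$$" when the limit is 2.
        if re.search(r"(.)\1{%d,}" % rules.max_consecutive_characters, password):
            errs.append("max_consecutive_characters")
    if rules.max_instances_of_any_character and password:
        if max(password.count(c) for c in set(password)) > rules.max_instances_of_any_character:
            errs.append("max_instances_of_any_character")
    lowered, user = password.lower(), username.lower()
    if rules.reject_equal_or_contain_username and user and user in lowered:
        errs.append("reject_equal_or_contain_username")
    if rules.reject_equal_or_contain_reverse_username and user and user[::-1] in lowered:
        errs.append("reject_equal_or_contain_reverse_username")
    return errs


class PasswordPolicyError(ValueError):
    """Raised by the provider's create/update path when the validator rejects a password."""


def set_password(store: dict, username: str, new_password: str, rules: PasswordRules) -> None:
    """Stand-in for an authentication provider's create/update path: validate, then store.

    The store is a constructed in-memory dict holding (salt, PBKDF2 hash) per user.
    """
    errs = violations(username, new_password, rules)
    if errs:
        raise PasswordPolicyError(f"password for {username!r} rejected: {', '.join(errs)}")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
    store[username] = (salt, digest)


if __name__ == "__main__":
    demo_rules = PasswordRules(min_numeric_or_special_characters=2, min_uppercase_characters=1,
                               max_consecutive_characters=2, max_instances_of_any_character=3)
    print(violations("alice", "alice123", demo_rules))
    print(violations("alice", "Tr0ub4dor&3", demo_rules))
```

The validator returns every rule that failed rather than stopping at the first, which is what an administrator wants to see in the rejection message; the provider treats any non-empty list as a refusal.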
5.5.4 WebLogic Identity Assertion Provider
The WebLogic Identity Assertion provider supports certificate authentication using X.509 certificates and CORBA Common Secure Interoperability version 2 (CSIv2) identity assertion. The WebLogic Identity Assertion provider validates the token type, then maps X.509 digital certificates and X.501 distinguished names to WebLogic users.
It also specifies a list of trusted client principals to use for CSIv2 identity assertion. The wildcard character can be used to specify that all principals are trusted. If a client is not listed as a trusted client principal, the CSIv2 identity assertion fails and the invocation is rejected. Because identity assertion accepts the asserting client's statement of who the user is instead of checking a credential for that user, this list is the control that decides which clients may assert identities at all; the wildcard should be used only where every client able to reach the server is itself trusted.
The WebLogic Identity Assertion provider supports the following token types:
■ AU_TYPE - for a WebLogic AuthenticatedUser used as a token.
■ X509_TYPE - for an X.509 client certificate used as a token.
■ CSI_PRINCIPAL_TYPE - for a CSIv2 principal name identity used as a token.
■ CSI_ANONYMOUS_TYPE - for a CSIv2 anonymous identity used as a token.
■ CSI_X509_CERTCHAIN_TYPE - for a CSIv2 X.509 certificate chain identity used as a token.
■ CSI_DISTINGUISHED_NAME_TYPE - for a CSIv2 distinguished name identity used as a token.
■ WSSE_PASSWORD_DIGEST - for a wsse:UsernameToken with a password type of wsse:PasswordDigest used as a token.
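The steps this section describes, as an added example that is not WebLogic Server code: validate the token type against the supported set, gate every CSIv2 token type on the trusted-client-principals list (with "*" meaning all principals are trusted), and map an X.509 certificate subject or X.501 distinguished name to a user name. The DN parser, the CN-based mapping and the choice to pass a certificate as its subject DN string are this example's own simplifications (assumptions), not the provider's user name mapper; the sample DNs and principal names are constructed.

```python
"""Identity-assertion flow in the style of the WebLogic Identity Assertion provider.

Added example, not WebLogic Server code. Modeled steps: check that the token
type is one the provider supports, map an X.509 certificate subject or an
X.501 distinguished name to a user name, and for CSIv2 token types require
the asserting client to be on the trusted-client-principals list, where "*"
means all principals are trusted. The DN parser and CN-based mapping are this
example's simplifications (assumptions), not the provider's user name mapper.
"""
from __future__ import annotations

# Token types listed in the section.
SUPPORTED_TOKEN_TYPES = frozenset({
    "AU_TYPE", "X509_TYPE", "CSI_PRINCIPAL_TYPE", "CSI_ANONYMOUS_TYPE",
    "CSI_X509_CERTCHAIN_TYPE", "CSI_DISTINGUISHED_NAME_TYPE", "WSSE_PASSWORD_DIGEST",
})
ANONYMOUS_USER = "<anonymous>"  # WebLogic's anonymous principal name


class IdentityAssertionError(Exception):
    """Raised when a token is rejected; the caller must reject the invocation."""


def parse_dn(dn: str) -> dict[str, str]:
    """Split an X.501 DN such as 'CN=alice,OU=eng,O=Example' into attributes.
    Simplified on purpose: no escaped commas and no multi-valued RDNs."""
    attrs: dict[str, str] = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise IdentityAssertionError(f"malformed RDN {rdn!r} in {dn!r}")
        key, value = rdn.split("=", 1)
        attrs.setdefault(key.strip().upper(), value.strip())  # keep the leftmost value
    return attrs


def map_dn_to_user(dn: str, attribute: str = "CN") -> str:
    """Map a DN to a user name by one attribute, failing closed when it is absent."""
    attrs = parse_dn(dn)
    attribute = attribute.upper()
    if not attrs.get(attribute):
        raise IdentityAssertionError(f"DN {dn!r} carries no {attribute} attribute")
    return attrs[attribute]


def is_trusted_client_principal(principal: str, trusted: list[str]) -> bool:
    """Trusted-client-principals check: '*' trusts every principal, otherwise exact match."""
    return any(entry == "*" or entry == principal for entry in trusted)


def assert_identity(token_type: str, token, trusted_client_principals: list[str],
                    asserting_client: str | None = None) -> str:
    """Return the WebLogic user name the token asserts, or raise IdentityAssertionError.

    For X509_TYPE and CSI_X509_CERTCHAIN_TYPE the token here is the subject DN of the
    end-entity certificate; the example assumes the transport layer has already
    verified the certificate itself.
    """
    if token_type not in SUPPORTED_TOKEN_TYPES:
        raise IdentityAssertionError(f"token type {token_type!r} not supported")
    # Every CSIv2 assertion is gated on the asserting client before any mapping happens.
    if token_type.startswith("CSI_"):
        if asserting_client is None or not is_trusted_client_principal(
                asserting_client, trusted_client_principals):
            raise IdentityAssertionError(
                f"CSIv2 identity assertion by untrusted client {asserting_client!r}")
    if token_type in ("X509_TYPE", "CSI_X509_CERTCHAIN_TYPE", "CSI_DISTINGUISHED_NAME_TYPE"):
        return map_dn_to_user(token)
    if token_type in ("AU_TYPE", "CSI_PRINCIPAL_TYPE"):
        if not token:
            raise IdentityAssertionError("empty principal name")
        return str(token)
    if token_type == "CSI_ANONYMOUS_TYPE":
        return ANONYMOUS_USER
    # WSSE_PASSWORD_DIGEST requires verifying the digest against the stored password,
    # which this example does not model.
    raise IdentityAssertionError(f"token type {token_type!r} not modeled here")


if __name__ == "__main__":
    trusted = ["CN=appserver1,O=Example"]
    print(assert_identity("X509_TYPE", "CN=alice,OU=eng,O=Example", trusted))
    print(assert_identity("CSI_PRINCIPAL_TYPE", "carol", trusted,
                          asserting_client="CN=appserver1,O=Example"))
```

The trust check runs before any mapping so that an untrusted CSIv2 client cannot even reach the DN parser, and the mapper fails closed when the configured attribute is missing rather than falling back to some other part of the name.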
Note: By default, these additional Authentication providers are available but not configured in the WebLogic default security realm.
WebLogic Security Service Architecture 5-21
5.5.5 SAML Identity Assertion Provider for SAML 1.1