4-8 Understanding Security for Oracle WebLogic Server
Multiple Identity Assertion providers can be configured in a security realm, but none are required. An Identity Assertion provider can support more than one token type, but only one token type at a time can be active in a particular Identity Assertion provider. For example, a particular Identity Assertion provider can support both X.509 and SAML (either 1.1 or 2.0, but not both), but an administrator configuring the system must select which token type, X.509 or SAML, is to be active in that Identity Assertion provider. For example, if there is only one Identity Assertion provider configured and it is set to handle X.509 tokens, but SAML token types must be supported as well, then another Identity Assertion provider that can handle SAML tokens must be configured, with SAML set as its active token type.
Identity Assertion providers are discussed in more detail in Identity Assertion Providers in Developing Security Providers for Oracle WebLogic Server.
4.6.2.3 Principal Validation Providers
A Principal Validation provider is a special type of security provider that primarily acts as a helper to an Authentication provider. Because some LoginModules can be
remotely executed on behalf of RMI clients, and because the client application code can retain the authenticated subject between programmatic server invocations,
Authentication providers rely on Principal Validation providers to provide additional security protections for the principals contained within the subject.
Principal Validation providers provide these additional security protections by signing and verifying the authenticity of the principals. This principal validation provides an additional level of trust and may reduce the likelihood of malicious principal tampering. Verification of the subject's principals takes place during the WebLogic Server's demarshalling of RMI client requests for each invocation. The authenticity of the subject's principals is also verified when making authorization decisions.
Because you must have at least one Authentication provider in a security realm, you must also have one Principal Validation provider in a security realm. If you have
multiple Authentication providers, each of those Authentication providers must have a corresponding Principal Validation provider.
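The sign-then-verify protection described above, as an added illustrative model (not WebLogic's own Principal Validation provider code): principals are signed when the subject is populated, and every later authorization decision re-verifies them, so a principal altered in a retained subject, or an unsigned principal appended to it, is no longer trusted. The HMAC key, the principal fields and the user names are constructed for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Principal:
    name: str
    kind: str                          # "user" or "group"
    signature: Optional[bytes] = None  # attached by the validator when the principal is signed
Subject = List[Principal]              # a subject is modelled as its list of principals

class PrincipalValidator:
    """Signs principals when a subject is built and verifies them later (HMAC-SHA256 in this model)."""
    def __init__(self, key: bytes) -> None:
        self._key = key
    def _digest(self, p: Principal) -> bytes:
        payload = json.dumps({"name": p.name, "kind": p.kind}, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).digest()
    def sign(self, p: Principal) -> None:
        p.signature = self._digest(p)
    def validate(self, p: Principal) -> bool:
        # An unsigned principal, or one whose fields no longer match its signature, is rejected.
        return p.signature is not None and hmac.compare_digest(self._digest(p), p.signature)
    def validate_subject(self, subject: Subject) -> bool:
        return all(self.validate(p) for p in subject)

def authenticate(validator: PrincipalValidator, user: str, groups: List[str]) -> Subject:
    """Models the Authentication provider: populate the subject, having each principal signed."""
    subject: Subject = []
    for name, kind in [(user, "user")] + [(g, "group") for g in groups]:
        p = Principal(name, kind)
        validator.sign(p)
        subject.append(p)
    return subject

def authorize(validator: PrincipalValidator, subject: Subject, group: str) -> bool:
    """Models an authorization decision: verify every principal before trusting group membership."""
    return validator.validate_subject(subject) and any(
        p.kind == "group" and p.name == group for p in subject)

def demo() -> Tuple[bool, bool]:
    validator = PrincipalValidator(b"constructed-demo-key")   # constructed key, for the example only
    subject = authenticate(validator, "alice", ["Operators"])
    before = authorize(validator, subject, "Administrators")  # False: alice is not a member
    subject[1].name = "Administrators"                        # retained subject altered after authentication
    after = authorize(validator, subject, "Administrators")   # False: signature no longer verifies
    return before, after
```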
Note: To use the WebLogic Identity Assertion provider for X.501 and X.509 certificates, you have the option of using the default user name mapper that is supplied with the WebLogic Server product, weblogic.security.providers.authentication.DefaultUserNameMapperImpl, or providing your own implementation of the weblogic.security.providers.authentication.UserNameMapper interface. See Do You Need to Develop a Custom Identity Assertion Provider? in Developing Security Providers for Oracle WebLogic Server.
Note: WebLogic Server provides separate Identity Assertion providers for SAML 1.1 and SAML 2.0. They are not interchangeable between versions of SAML. The SAML Identity Assertion provider V2 consumes SAML 1.1 assertions only, and the SAML 2.0 Identity Assertion provider consumes SAML 2.0 assertions only.
Security Realms 4-9
Principal Validation providers are discussed in more detail in Principal Validation Providers in Developing Security Providers for Oracle WebLogic Server.
4.6.2.4 Authorization Providers