Chapter 11. Configuring the Identity Service

In this chapter, we will cover how to configure SOA Suite to use the following LDAP providers for authentication and authorization:

  • Configuring the SOA Identity service to use Oracle Internet Directory
  • Configuring the SOA Identity service to use Oracle Virtual Directory
  • Configuring the SOA Identity service to use Active Directory
  • Configuring the SOA Identity service to use the Sun iPlanet server

Introduction

Oracle Platform Security Services (OPSS) provides a Java Enterprise Edition (Java EE) platform-independent identity service. The Oracle SOA Suite uses the identity services provided by OPSS for all its identity-related activities, for example when a user logs in to the BPM worklist application.

When the Oracle SOA Suite is deployed on WebLogic, OPSS (and therefore the Oracle SOA Suite) uses the authentication providers defined in WebLogic.

Oracle WebLogic includes an embedded LDAP server, which is the default identity provider for all security-related services, such as user authentication and authorization. By default, the embedded LDAP server stores all of this information, including users, groups, credential mappings, role mappings, and role mapping providers.

Most enterprises already have one or more identity stores that are typically based on LDAP or Active Directory. Rather than replicating the existing identity store in WebLogic, the best practice is to configure WebLogic to use the external identity store, such as Oracle Internet Directory, Microsoft Active Directory, or Sun iPlanet, along with the default authenticator.

This will then become the authentication and identity provider for the SOA Suite (via the OPSS layer). In this chapter, we will examine recipes that allow us to configure WebLogic, and, therefore, the SOA Suite to use an external identity store as an authentication provider.

Use one or more authentication providers

The WebLogic Security Framework supports multiple authentication providers in a security realm in WebLogic. Where multiple authentication providers are defined, WebLogic will attempt to authenticate a user against each provider in turn, according to its control flag, which can be set to one of the following values:

  • REQUIRED: The authentication test is always called and must succeed. Regardless of whether the authentication succeeds or fails, the authentication process continues to the next authentication provider in the list of providers.
  • REQUISITE: The authentication test must succeed. If it succeeds, the authentication process continues to the next authentication provider in the list of providers. If it fails, the authentication process fails and the control is returned to the application.
  • SUFFICIENT: The authentication test need not succeed. If it succeeds, the authentication process is successful and returns the control to the application. If it fails, the authentication process continues to the next authentication provider in the list.
  • OPTIONAL: The authentication test need not succeed. Regardless of whether it succeeds or fails, the authentication test proceeds down the list.

    Note

    Although you can configure multiple authentication providers for Oracle WebLogic, the Oracle Platform Security Services does not support multiple LDAP authentication providers. As a result, the provider you want to use for the Oracle SOA Suite must be the first one in the list of authentication providers.
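The following is an added illustration (not code from the book or from WebLogic) of how a realm walks its list of authentication providers under these control flags. Provider names, users and passwords are constructed; the chain puts the external store first, as the note requires, and shows why an external-only user is rejected when both providers are REQUIRED but accepted when both are SUFFICIENT.

```python
"""Walk a WebLogic-style list of authentication providers applying the
JAAS control-flag rules described above.  Added illustration: the provider
names and user tables are constructed, not real directory data."""
from typing import Callable, Dict, List, Tuple

Provider = Tuple[str, str, Callable[[str, str], bool]]  # name, flag, check


def make_provider(name: str, flag: str, users: Dict[str, str]) -> Provider:
    """A provider backed by a constructed in-memory user/password table."""
    return (name, flag, lambda u, p: users.get(u) == p)


def authenticate(providers: List[Provider], user: str, pw: str) -> Tuple[bool, List[str]]:
    """Return (overall result, trace of what each provider decided)."""
    trace: List[str] = []
    required_ok = True    # every REQUIRED/REQUISITE provider must succeed
    saw_required = False
    optional_ok = False   # some SUFFICIENT/OPTIONAL provider succeeded
    for name, flag, check in providers:
        ok = check(user, pw)
        trace.append(f"{name}[{flag}] -> {'success' if ok else 'failure'}")
        if flag in ("REQUIRED", "REQUISITE"):
            saw_required = True
            if not ok:
                required_ok = False
                if flag == "REQUISITE":   # stop immediately, login fails
                    return False, trace
        elif flag == "SUFFICIENT":
            if ok:                        # stop walking; an earlier REQUIRED
                return required_ok, trace # failure still fails the login
        elif flag == "OPTIONAL":
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    # End of list: REQUIRED providers decide; otherwise at least one
    # SUFFICIENT/OPTIONAL provider must have succeeded.
    return (required_ok if saw_required else optional_ok), trace


def chain(external_flag: str, default_flag: str) -> List[Provider]:
    """External store first (as the Note requires), embedded LDAP second."""
    return [make_provider("ExternalLDAP", external_flag, {"alice": "s3cret"}),
            make_provider("DefaultAuthenticator", default_flag, {"weblogic": "welcome1"})]


if __name__ == "__main__":
    # alice exists only in the external store: REQUIRED on both providers
    # rejects her, SUFFICIENT on both lets her in at the first provider.
    for flags in (("REQUIRED", "REQUIRED"), ("SUFFICIENT", "SUFFICIENT")):
        ok, trace = authenticate(chain(*flags), "alice", "s3cret")
        print(flags, "->", ok, trace)
```

The trace is what you would want from the realm's own debug logging when a user that exists in the directory is unexpectedly rejected: it shows which provider said no and which flag turned that into an overall failure.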
