Integrating CA Single Sign On (fka SiteMinder) with Oracle WebLogic with Oracle WebCenter 12 deployed

Document ID : KB000012319
Last Modified Date : 14/02/2018
Introduction:

The Single Sign On (fka SiteMinder) Application Server Agent for WebLogic integrates with the WebLogic Application Server Security Infrastructure utilizing the Security Service Provider Interface (SSPI) from Oracle; SiteMinder does not integrate with Applications installed on WebLogic. The Applications should adhere to WebLogic Application Security with proper Security Constraints defined in the Deployment Descriptors with the auth-method set to Client-Cert.

The SiteMinder IdentityAsserter will validate a SiteMinder user based on a received SMSESSION cookie. SiteMinder's Authentication Provider configured in WebLogic will sign the JAAS Subject with the SiteMinder Principal required to allow the SiteMinder Authorization Provider and Adjudication Provider to then authorize the authenticated user based on SiteMinder Policies. 

Question:

Oracle WebCenter requires the JAAS Subject to be signed with a WebLogic Security Principal, but the SiteMinder Authentication Provider signs the JAAS Subject with a SiteMinder Principal. How do I get CA Single Sign On (fka SiteMinder) to integrate when WebCenter 12 is deployed on the WebLogic Application Server so that WebCenter 12 does not receive a NULL when trying to obtain the Principal?

Answer:

In order for Oracle WebCenter 12 to successfully obtain a WebLogic Security Principal from the JAAS Subject, the JAAS Subject needs to be signed by a WebLogic Authentication Provider that is configured against the SiteMinder User Directory.

Within WebLogic you can configure multiple IdentityAsserter and Authentication Providers to authenticate the users for your WebLogic requests, and you also list the order in which WebLogic executes authentication providers in the WebLogic Server Administration Console. When a user attempts to access a protected resource, WebLogic executes the first authentication provider in the list. After the first authentication attempt, WebLogic determines whether to execute the next authentication provider based on the following criteria:

  • The outcome of the first authentication attempt
  • The control flag setting for the authentication provider that performed the authentication

For example, if the SiteMinder Authentication Provider is configured first in the execution order with a control flag setting of SUFFICIENT and it fails to authenticate the user, the user request is rejected immediately. WebLogic does not execute any other Authentication Providers (unless other providers are set to REQUIRED).

When you configure an authentication provider in the WebLogic Administrative Console, you set the control flag on the General tab on the properties page for the provider.

The Control Flag determines how much weight an authentication decision has in an environment that includes multiple Authentication Providers. You can select one of the following options for the control flag:

REQUIRED

This Authentication provider is always called, and the user must always pass its authentication test. After this authentication provider attempts to authenticate the user, WebLogic executes the other configured authentication providers, regardless of whether the authentication attempt succeeded.

REQUISITE

The authentication provider must authenticate the user. After the user is authenticated by the authentication provider, other authentication providers attempt to validate the user. The user can fail to authenticate through any other authentication provider, except providers that have the control flag set to REQUIRED.

SUFFICIENT

If a user is authenticated by the authentication provider, no other authentication is required (unless another authentication provider has the control flag set to REQUIRED). REQUIRED modules listed after a module flagged SUFFICIENT do not run if it passes.

OPTIONAL

The user can pass or fail the authentication provider authentication.

If all of the authentication providers are set to OPTIONAL, the user must pass at least one authentication test.

Please see the WebLogic documentation for more information about the control flag.


Configure a WebLogic Authentication Provider in the WebLogic Administrative Console against the SiteMinder User Directory, and set the Control Flags on all configured Authentication Providers so that WebLogic executes every provider that is required. The JAAS Subject is then signed with the SiteMinder Principal (needed if the SiteMinder Authorization Provider and Adjudication Provider are used) and/or with the WebLogic Principal for use by Oracle WebCenter 12.
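As an added example (not part of the original article or of CA's or Oracle's code), the following Python simulation walks a WebLogic provider chain under the JAAS LoginContext control-flag rules described above. It shows why a SiteMinder Authentication Provider flagged SUFFICIENT ahead of the WebLogic Authenticator leaves only a SiteMinder Principal on the Subject (WebCenter's lookup then returns NULL), while flagging both REQUIRED puts both Principals on it. Provider and principal names are constructed for the simulation and are not WebLogic's real class names.

```python
from dataclasses import dataclass
from enum import Enum

class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"

@dataclass
class Provider:
    name: str
    flag: Flag
    principal: str   # principal the provider adds to the JAAS Subject on success
    succeeds: bool   # constructed outcome of this provider for the simulated request

def run_chain(providers):
    """Walk the providers in configured order under JAAS LoginContext control-flag
    rules; return (authenticated, principals on the Subject, providers that ran)."""
    principals, executed = [], []
    required_failed = any_success = False
    for p in providers:
        executed.append(p.name)
        if p.succeeds:
            principals.append(p.principal)
            any_success = True
            # A passing SUFFICIENT provider ends the chain: later providers, REQUIRED
            # included, never run (this is why the second principal can be missing).
            if p.flag is Flag.SUFFICIENT and not required_failed:
                break
        elif p.flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_failed = True  # the overall login must now fail
            if p.flag is Flag.REQUISITE:
                break               # a failing REQUISITE provider stops the chain at once
        # a failing OPTIONAL or SUFFICIENT provider: keep evaluating the rest
    ok = any_success and not required_failed
    return ok, (principals if ok else []), executed

def webcenter_principal(principals):
    """WebCenter looks for a WebLogic principal on the Subject; None models the NULL it gets otherwise."""
    return "WLSUserPrincipal" if "WLSUserPrincipal" in principals else None

# Provider and principal names below are constructed for the simulation, not WebLogic's real class names.
def siteminder(flag, succeeds=True):
    return Provider("SiteMinder Authentication Provider", flag, "SiteMinderPrincipal", succeeds)

def wls_against_sm_directory(flag, succeeds=True):
    return Provider("WebLogic Authenticator (SiteMinder User Directory)", flag, "WLSUserPrincipal", succeeds)
```

Run `run_chain([siteminder(Flag.SUFFICIENT), wls_against_sm_directory(Flag.REQUIRED)])` and then the same chain with both providers REQUIRED to compare which Principals end up on the Subject.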