In order for Oracle WebCenter 12 to successfully obtain a WebLogic Security Principal from the JAAS Subject, the JAAS Subject needs to be signed by a WebLogic Authentication Provider that is configured against the SiteMinder User Directory.
Within WebLogic you can configure multiple Identity Asserter and Authentication Providers to authenticate the users for your WebLogic requests. You also set the order in which WebLogic executes the authentication providers in the WebLogic Server Administration Console. When a user attempts to access a protected resource, WebLogic executes the first authentication provider in the list. After the first authentication attempt, WebLogic determines whether to execute the next authentication provider based on the following criteria:
- The outcome of the first authentication attempt
- The control flag setting for the authentication provider that performed the authentication
For example, if the SiteMinder Authentication Provider is configured first in the execution order with a control flag setting of SUFFICIENT and it fails to authenticate the user, the user request is rejected immediately. WebLogic does not execute any other Authentication Providers (unless other providers are set to REQUIRED).
When you configure an authentication provider in the WebLogic Administrative Console, you set the control flag on the General tab on the properties page for the provider.
The Control Flag determines how much weight an authentication decision has in an environment that includes multiple Authentication Providers. You can select one of the following options for the control flag:
- REQUIRED: This authentication provider is always called, and the user must always pass its authentication test. After this authentication provider attempts to authenticate the user, WebLogic executes the other configured authentication providers, regardless of whether the authentication attempt succeeded.
- REQUISITE: The authentication provider must authenticate the user. After the user is authenticated by the authentication provider, other authentication providers attempt to validate the user. The user can fail to authenticate through any other authentication provider, except providers that have the control flag set to REQUIRED.
- SUFFICIENT: If a user is authenticated by the authentication provider, no other authentication is required (unless another authentication provider has the control flag set to REQUIRED). REQUIRED modules listed after a module flagged SUFFICIENT do not run if it passes.
- OPTIONAL: The user can pass or fail the authentication provider authentication. If all of the authentication providers are set to OPTIONAL, the user must pass at least one authentication test.
Please see the WebLogic documentation for more information about the control flag.
Configure a WebLogic Authentication Provider against the SiteMinder User Directory in the WebLogic Administrative Console, and set the Control Flags appropriately for all configured Authentication Providers so that WebLogic executes the required authentication providers. The JAAS Subject is then signed with the SiteMinder Principal if you are utilizing the SiteMinder Authorization Provider and Adjudication Provider, and/or signed with the WebLogic Principal for use by Oracle WebCenter 12.
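
The sketch below is an added example, not code from WebLogic or SiteMinder. It walks an ordered provider list under the standard JAAS control-flag rules (assumed here to be what the console flags apply) and reports which providers ran and whose principals end up on the Subject. The provider names and pass/fail outcomes are constructed.

```python
# Added example (not vendor code). Assumes standard JAAS control-flag semantics.
from dataclasses import dataclass

MANDATORY = ("REQUIRED", "REQUISITE")
KNOWN_FLAGS = MANDATORY + ("SUFFICIENT", "OPTIONAL")

@dataclass
class Provider:
    name: str       # hypothetical provider name
    flag: str       # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    passes: bool    # constructed outcome of this provider's authentication test

def evaluate(chain):
    """Walk the providers in their configured order.

    Returns (authenticated, providers_run, principals_signed_by).
    """
    ran, passed = [], []
    mandatory_failed = False
    for p in chain:
        if p.flag not in KNOWN_FLAGS:
            raise ValueError(f"unknown control flag: {p.flag}")
        ran.append(p.name)
        if p.passes:
            passed.append(p.name)
            # A SUFFICIENT success ends the chain unless an earlier
            # REQUIRED/REQUISITE provider has already failed.
            if p.flag == "SUFFICIENT" and not mandatory_failed:
                break
        elif p.flag in MANDATORY:
            mandatory_failed = True
            if p.flag == "REQUISITE":
                break   # a REQUISITE failure stops evaluation
    authenticated = bool(passed) and not mandatory_failed
    # Principals reach the Subject only when the overall login succeeds.
    return authenticated, ran, (passed if authenticated else [])

# Constructed chains using hypothetical provider names.
SHORT_CIRCUIT = [Provider("SiteMinderAuthProvider", "SUFFICIENT", True),
                 Provider("WebLogicAuthProvider", "REQUIRED", True)]
BOTH_RUN = [Provider("SiteMinderAuthProvider", "OPTIONAL", True),
            Provider("WebLogicAuthProvider", "REQUIRED", True)]

if __name__ == "__main__":
    for label, chain in (("SUFFICIENT first", SHORT_CIRCUIT),
                         ("both run", BOTH_RUN)):
        ok, ran, signed = evaluate(chain)
        print(f"{label}: authenticated={ok} ran={ran} signed_by={signed}")
```

In the first chain the login succeeds but the second provider never runs, so the Subject carries no principal from it; in the second chain both providers sign the Subject.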