In this chapter, we will cover how to configure SOA Suite to use the following LDAP providers for authentication and authorization:
Oracle Platform Security Services (OPSS) provides a Java Enterprise Edition (Java EE) platform-independent identity service. The Oracle SOA Suite uses the identity services provided by OPSS for all its identity-related activities, for example when a user logs in to the BPM worklist application.
When the Oracle SOA Suite is deployed on WebLogic, OPSS (and therefore the Oracle SOA Suite) uses the authentication providers defined in WebLogic.
Oracle WebLogic includes an embedded LDAP server, which is the default identity provider for all security-related services, such as user authentication and authorization. By default, the embedded LDAP server stores all of this information, including users, groups, credential mappings, role mappings, and role mapping providers.
Most enterprises already have one or more identity stores that are typically based on LDAP or Active Directory. Rather than replicating the existing identity store in WebLogic, the best practice is to configure WebLogic to use the external identity store, such as Oracle Internet Directory, Microsoft Active Directory, or Sun iPlanet, along with the default authenticator.
This external store then becomes the authentication and identity provider for the SOA Suite (via the OPSS layer). In this chapter, we will examine recipes that allow us to configure WebLogic, and therefore the SOA Suite, to use an external identity store as an authentication provider.
The WebLogic Security Framework supports multiple authentication providers in a security realm in WebLogic. Where multiple authentication providers are defined, WebLogic will attempt to authenticate a user against each provider in turn, according to its control flag, which can be set to one of the following values:
Although you can configure multiple authentication providers for Oracle WebLogic, the Oracle Platform Security Services does not support multiple LDAP authentication providers. As a result, the provider you want to use for the Oracle SOA Suite must be the first one in the list of authentication providers.
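To make the control-flag and ordering rules concrete, here is an added Python model (not from this book and not WebLogic code) of how a chain of authentication providers is evaluated, following the JAAS semantics that WebLogic applies (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL). Provider names, user names and passwords are constructed; the two chains contrast the recommended layout (external LDAP first, both providers SUFFICIENT) with an out-of-the-box layout where the DefaultAuthenticator is still first and REQUIRED.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Provider:
    """Stand-in for one WebLogic authentication provider (constructed, not WebLogic code)."""
    name: str
    flag: str                                            # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    users: Dict[str, str] = field(default_factory=dict)  # constructed user -> password store

    def login(self, user: str, pw: str) -> bool:
        return self.users.get(user) == pw


def authenticate(chain: List[Provider], user: str, pw: str) -> Tuple[bool, List[str]]:
    """Walk the providers in order, applying JAAS control-flag rules. Returns (result, trace)."""
    trace: List[str] = []
    any_mandatory = mandatory_failed = any_optional_ok = False
    for p in chain:
        ok = p.login(user, pw)
        trace.append(f"{p.name}[{p.flag}]={'ok' if ok else 'fail'}")
        if p.flag in ("REQUIRED", "REQUISITE"):
            any_mandatory = True
            if not ok:
                mandatory_failed = True
                if p.flag == "REQUISITE":          # REQUISITE failure stops the chain at once
                    break
        elif p.flag == "SUFFICIENT":
            if ok and not mandatory_failed:        # success short-circuits the remaining providers
                return True, trace
        elif p.flag == "OPTIONAL":
            any_optional_ok = any_optional_ok or ok
        else:
            raise ValueError(f"unknown control flag {p.flag!r}")
    if any_mandatory:                              # every REQUIRED/REQUISITE provider must have passed
        return not mandatory_failed, trace
    return any_optional_ok, trace                  # otherwise one SUFFICIENT/OPTIONAL success is enough


# Constructed identity stores: corporate users live only in AD, the admin user only in the embedded LDAP.
AD = Provider("ADAuthenticator", "SUFFICIENT", {"alice": "constructed-pw-1"})
EMBEDDED = Provider("DefaultAuthenticator", "SUFFICIENT", {"weblogic": "constructed-pw-2"})


def recommended_chain() -> List[Provider]:
    """External LDAP first (OPSS uses the first LDAP provider); both SUFFICIENT so either store can satisfy a login."""
    return [AD, EMBEDDED]


def out_of_the_box_chain() -> List[Provider]:
    """DefaultAuthenticator still first and REQUIRED: every login must also exist in the embedded LDAP."""
    return [Provider(EMBEDDED.name, "REQUIRED", EMBEDDED.users), AD]


if __name__ == "__main__":
    for chain in (recommended_chain(), out_of_the_box_chain()):
        print(authenticate(chain, "alice", "constructed-pw-1"))
```

Running it shows that with the out-of-the-box chain the AD-only user alice is rejected even though AD accepted her, because the REQUIRED embedded provider failed first; the recommended chain accepts her without ever consulting the DefaultAuthenticator.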