Hello everybody,
Today I would like to discuss the authenticator provider for
IDM.
Basically, let's start by answering the main question: what is the difference between OIMSignatureAuthenticator and the regular OIM Authenticator? The difference is that OIMSignatureAuthenticator is used in situations where a digital signature can be inspected instead of a password, which is useful in some specific integrations, such as the Quartz Scheduler integration with OIM, OAM with OIM, or SiteMinder with OIM.
So it allows WebLogic Server and its providers to participate, for example, in an SSO solution for web service applications. It validates assertions by checking the signature and, if needed, validates the certificate for trust based on the data configured for a specific partner.
Trying to clarify a bit more with one simple example:
Use case:
All authentication, whether via browser (http/https) or non-http, such as Design Console login or the t3/t3s route, must be handled by SiteMinder SSO. Only signature authentication will be handled by Oracle Identity Manager.
This way only integration products are allowed to use a signature as part of the authentication process; all other logins are controlled by your SSO product, in my example SiteMinder.
So, in the WLS console (Home > Summary of Security Realms > myrealm > Providers) your authentication chain will look like this:
SiteminderIdentityAsserter
DefaultAuthenticator SUFFICIENT
OIMSignatureAuthenticator SUFFICIENT
SiteminderAuthenticationProvider SUFFICIENT
DefaultIdentityAsserter SUFFICIENT
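Because the chain above only works as intended when the order and the control flags stay exactly as listed, it is worth checking the domain's config.xml after every change. The script below is an added example and is not part of this post or of any Oracle product: it reads the realm's authentication providers from a constructed config.xml excerpt (the element names and the weblogic/security namespaces follow the shape WebLogic writes, but the realm content and the xsi:type values for the SiteMinder providers are placeholders), compares them with the documented chain, and then applies the standard JAAS control-flag rules that WebLogic follows to show what happens to a signature-only login when someone leaves DefaultAuthenticator at REQUIRED.

```python
"""Check a WebLogic realm's authentication chain against the documented one
and simulate the JAAS control-flag outcome for a signature-only login."""
import xml.etree.ElementTree as ET

# Constructed config.xml excerpt (not a real domain). The SiteMinder provider
# xsi:type values are placeholders; the chain matches the one in the post.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
        xmlns:sec="http://xmlns.oracle.com/weblogic/security"
        xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <security-configuration>
    <realm>
      <sec:authentication-provider xsi:type="wls:placeholder-identity-asserterType">
        <sec:name>SiteminderIdentityAsserter</sec:name>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <sec:name>DefaultAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:placeholder-oim-signature-authenticatorType">
        <sec:name>OIMSignatureAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:placeholder-siteminder-authenticatorType">
        <sec:name>SiteminderAuthenticationProvider</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
        <sec:name>DefaultIdentityAsserter</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:name>myrealm</sec:name>
    </realm>
  </security-configuration>
</domain>
"""

# Same realm, but DefaultAuthenticator left at its out-of-the-box REQUIRED flag.
DRIFTED_CONFIG = SAMPLE_CONFIG.replace(
    "<sec:name>DefaultAuthenticator</sec:name>\n        <sec:control-flag>SUFFICIENT",
    "<sec:name>DefaultAuthenticator</sec:name>\n        <sec:control-flag>REQUIRED", 1)

# The chain documented in the post; None = no flag given for that entry.
EXPECTED_CHAIN = [
    ("SiteminderIdentityAsserter", None),
    ("DefaultAuthenticator", "SUFFICIENT"),
    ("OIMSignatureAuthenticator", "SUFFICIENT"),
    ("SiteminderAuthenticationProvider", "SUFFICIENT"),
    ("DefaultIdentityAsserter", "SUFFICIENT"),
]


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def authentication_chain(config_xml):
    """Return [(provider_name, control_flag or None), ...] in config.xml order.
    Order matters: WebLogic consults providers in the order they are listed."""
    chain = []
    for el in ET.fromstring(config_xml).iter():
        if local(el.tag) != "authentication-provider":
            continue
        name = flag = None
        for child in el:
            if local(child.tag) == "name":
                name = (child.text or "").strip()
            elif local(child.tag) == "control-flag":
                flag = (child.text or "").strip().upper()
        chain.append((name, flag))
    return chain


def check_chain(actual, expected=EXPECTED_CHAIN):
    """List every deviation from the documented order and control flags."""
    problems = []
    if [n for n, _ in actual] != [n for n, _ in expected]:
        problems.append("provider order differs: %s" % [n for n, _ in actual])
    wanted = dict(expected)
    for name, flag in actual:
        if wanted.get(name) is not None and flag != wanted[name]:
            problems.append("%s has control flag %s, expected %s" % (name, flag, wanted[name]))
    return problems


def jaas_login(chain, outcome):
    """Apply the JAAS control-flag algorithm to an ordered chain.
    outcome maps provider name -> True if that provider authenticated the caller
    (missing = False). Returns (login_succeeded, providers_consulted)."""
    consulted, required_seen, required_failed, optional_ok = [], False, False, False
    for name, flag in chain:
        if flag is None:          # entries without a flag in the documented chain are skipped
            continue
        consulted.append(name)
        ok = outcome.get(name, False)
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break         # REQUISITE failure stops the chain immediately
        elif flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, consulted   # SUFFICIENT success ends the login at once
        elif flag == "OPTIONAL":
            optional_ok = optional_ok or ok
    if required_seen:
        return (not required_failed), consulted
    return optional_ok, consulted


if __name__ == "__main__":
    signature_only = {"OIMSignatureAuthenticator": True}   # integration product signing in
    for label, cfg in (("documented", SAMPLE_CONFIG), ("drifted", DRIFTED_CONFIG)):
        chain = authentication_chain(cfg)
        print(label, check_chain(chain) or "matches documented chain")
        print("  signature-only login:", jaas_login(chain, signature_only))
```

Run it against a real domain by replacing SAMPLE_CONFIG with the contents of `config/config.xml`; the drifted case shows why the flags matter: with DefaultAuthenticator at REQUIRED, the integration's signature login fails even though OIMSignatureAuthenticator accepted it, because a REQUIRED provider that cannot see a password has already failed.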
References:
1. Oracle® Fusion Middleware Administrator's Guide for Oracle Identity Manager, 11g Release 2 (11.1.2), doc E27149-04
Definitions from WLS Console:
OIMSignatureAuthenticator
Provider that performs signature based authentication thru
the Oracle Identity Manager relational database
OIM Authenticator or OIM Authenticator Provider
Provider that performs authentication thru the Oracle
Identity Manager relational database
I hope this helps,
Thiago Leoncio.