Hi, I have IIS authenticating the user using Kerberos. The app runs in wls10. In order for the users to access wls apps, do I need to create custom Authentication Providers to allow the Kerberos ticket to pass through? How can I get the user name from Kerberos? I've never done Kerberos before. How can I implement these custom Authentication Providers? Thanks!
WebLogic Server comes with an Identity Asserter called "Negotiate Identity Asserter" out of the box. Hence, you could have used it for authentication itself, as WLS uses it to parse the incoming Kerberos token and authenticates against the AD authentication provider for the user it got from that token.
You can refer to the link below about how Kerberos works in WebLogic Server :)
How To Configure Browser-based SSO with Kerberos/SPNEGO and Oracle WebLogic Server
However, in your case, the users are authenticated with Kerberos authentication at IIS rather than inside WebLogic, so you need to create a custom Identity Asserter rather than a custom Authentication Provider to parse the incoming "Proxy-Remote-User" HTTP header from the IIS side.
You can refer to the link below for more details on the same:
Thank you very much. The links are very helpful and your explanation cleared most of my doubts.
I used the example SimpleSampleIdentityAsserterProviderImpl and added it to my console. However, it's not invoked. I read more about it. I think I either need to add a loginmodule or create a custom authentication provider.
In the example, all 3 of these methods, getLoginModuleConfiguration(), getAssertionModuleConfiguration() and getPrincipalValidator(), just return null. Is that right?
Also, if I just pass the user name and put it in the subject, are there any changes needed in my web app for security? Do I have to create a group?