About Importing and Authenticating Users with Authentication Sources
Authentication sources enable you to import users, groups, and group memberships
that are already defined in your enterprise in existing user repositories,
such as Active Directory or LDAP servers. After users are imported,
you can authenticate them with the credentials from those user repositories.
Authentication Providers
An authentication provider is a piece of software that tells the portal how to use the
information in the external user repository. Oracle provides authentication
providers as part of the Oracle WebCenter Interaction Identity Services.
The Oracle WebCenter Interaction Identity Service - LDAP is used to
import and authenticate users and groups from LDAP servers. The Oracle
WebCenter Interaction Identity Service - Active Directory is used
to import and authenticate users and groups from Active Directory
servers. If your users and groups reside in a custom system, such
as a custom database, you can import and authenticate them by writing
your own authentication provider using the IDK.
Note:
- Your portal administrator must install the authentication provider
before you can create the associated authentication web service. For
information on obtaining authentication providers, refer to the Oracle
Support site at http://www.oracle.com/support/index.html. For information on installing authentication providers, refer to
the Installation Guide for Oracle WebCenter Interaction (available on the Oracle Technology Network at http://www.oracle.com/technology/documentation/bea.html) or the documentation that comes with your authentication provider,
or contact your portal administrator.
- To learn about developing your own authentication provider, refer to
the Oracle WebCenter Interaction Web Service Development Guide, which is located on the Oracle Technology Network at http://www.oracle.com/technology/documentation/bea.html.
Authentication Web Services
Authentication web services enable you to specify general settings for your external
user repository, leaving the more detailed settings (like domain specification)
to be set in the associated remote authentication sources. This allows
you to create different authentication sources to import each domain
without having to repeatedly specify all the settings.
Authentication Sources
Authentication sources can import users and/or groups, authenticate imported users, or both
import and authenticate. Your security needs determine how many authentication
sources to create and what functionality they need. You might be able
to create just one authentication source that imports and authenticates
all users and groups, but here are a couple of examples of when that
would not suffice:
- If you want to use single sign-on (SSO), create a synchronization-only
authentication source.
- If you want to distinguish users and groups from different
domains, create separate synchronization-only authentication sources
for each domain, and create an authentication-only authentication
source to authenticate users from all domains (assuming they are from
the same user repository). This enables you to store users and
groups imported from different domains in different portal folders
or to create separate users or groups with the same name but from
different domains.
If you are importing users and groups into the portal,
you run a job for the initial import and then continue to run the
job periodically to keep the users and groups in the portal synchronized
with those in the source user repository.
Note: When you run the job
to import users and groups, the portal also creates a group that includes
all users imported through the authentication source. This group is
named after the authentication source; for example, if your authentication
source is called mySource, the group would be called Everyone
in mySource.
How Authentication Works
When you use authentication
sources to authenticate portal users, the user credentials are left
in the external repository; they are not stored in the portal database.
When someone attempts to log in to your portal through an imported
user account, the portal confirms the password with the external repository.
This means that the user's portal password always matches the password
in the external repository. For example, if a user with a portal account
imported from Active Directory changes the Active Directory password,
the user can immediately log in to the portal with that password.
If the user is already logged in to the portal, the user must log
in again with the new password, because the portal will no longer
be able to recognize the old password.
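The following is an added illustration, not Oracle WebCenter Interaction or IDK code: a small model of the two behaviours described above, a synchronization-only source that imports users and groups (including the portal-created "Everyone in <source>" group) into a per-source folder, and an authentication-only check that confirms the password with the external repository instead of storing it in the portal. The ExternalRepo and Portal classes, and the directory contents, are constructed for the example.

```python
import hmac


class ExternalRepo:
    """Constructed stand-in for an LDAP or Active Directory server.
    Passwords live only here; the portal model below never copies them."""

    def __init__(self, users, groups):
        self.users = users      # user name -> password held by the directory
        self.groups = groups    # group name -> list of member user names

    def check_password(self, name, password):
        # Models a bind against the directory; a wrong or unknown name fails.
        stored = self.users.get(name)
        return stored is not None and hmac.compare_digest(stored, password)


class Portal:
    def __init__(self):
        self.folders = {}   # source name -> {"users": set, "groups": dict}
        self.bindings = {}  # source name -> ExternalRepo used to confirm passwords

    def sync(self, source, repo):
        """Synchronization-only job: import users and groups into the source's folder.
        Re-running the job replaces the folder, so users removed from the
        directory disappear from the portal on the next run."""
        users = set(repo.users)
        groups = {g: set(members) for g, members in repo.groups.items()}
        groups["Everyone in " + source] = set(users)  # group created by the portal
        self.folders[source] = {"users": users, "groups": groups}
        self.bindings[source] = repo

    def authenticate(self, source, name, password):
        """Authentication-only check: the portal holds no password, so the
        decision is delegated to the external repository every time."""
        folder = self.folders.get(source)
        if folder is None or name not in folder["users"]:
            return False  # only imported accounts can log in through this source
        return self.bindings[source].check_password(name, password)
```

Because the portal keys users by (source, name), two directories that each contain an "alice" stay distinct, and a password changed in the directory is honoured at the next login without re-running the sync job.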
WCI Authentication Source
The WCI
Authentication Source is automatically created upon installation.
It is the authentication source used for users stored in the portal
database (users created upon install, users created manually through
the portal, and self-registered users). This authentication source
cannot be modified or deleted.