OAM identity assertion: It validates already-authenticated (users with obSSOCookie) users & creates a WebLogic-authenticated session.
OAM authenticator: ?
1. Why do we need to verify an already authenticated users (users who has obSSOCookie)?
2. Does identity asserter actually creates WebLogic-authenticated session?
3. What's the use of OAM authenticator?
To get answers of above questions I decompiled oamAuthnProvider.jar. However the code is not very easy to understand. I understood it in bits & pieces but have following questions in code:
OAMIdentityAssertionProviderImpl is the class which gets invoked I suppose as it's mentioned in OAMIdentityAsserter.xml file. It has a method called initialize(), I don't get how this method is getting invoked but I am assuming that it's called. Here we get the OAM related configuration parameters (which we set in WebLogic console) & then have following piece of code:
In OAMUtil constructor we have following piece of code:
Is this the place where we create session for user?
Also in OAMAuthenticationProviderImpl (OAM authenticator) also we do the same thing (get configuration parameters, call OAMUtil), what's different?
Hope my all questions are clear. Please let me know if you want me to explain any question in more detail.
subject: few questions around OAM authentication providers