Identity Propagation for Web Service - 11g
- by Prakash Yamuna
I came across this post from Beimond on how to do identity propagation using OWSM.As I have mentioned in the past here, here and here - Beimond has a number of excellent posts on OWSM. However I found one part of his comment puzzling. I quote:
"OWSM allows you to pass on the identity of the authenticated user to
your OWSM protected web service ( thanks to OPSS ), this username can
then be used by your service. This will work on one or between different
WebLogic domains. Off course when you don't want to use OWSM you can
always use Oracle Access Manager OAM which can do the same." The sentence in red highlights the issue i find puzzling.
In fact I just discussed this particular topic recently here.
So let me try and clarify on a few points:
a) OAM is used for Web SSO.
b) OWSM is used for securing Web Services. You cannot do identity propagation using OAM for Web Services.
c) You use SAML to do identity propagation across Web Services. OAM also supports SAML - but that is the browser profile of SAML relevant in the context of Web SSO and is not related to the SAML Token Profile defined as part of the WS-Security spec.