SAML Assertion Producer APIs

I'm implementing SSO in my servlet, and have fonud some example code using the SAML framework. But I can't find the class files I need, as they are not part of the standard Java libraries, as far as I can tell.
What I need are the ones in com.sun.identity.saml; com.sun.identity.saml.SAMLClient, com.sun.identity.saml.common.SAMLException, com.sun.identity.saml.assertion.Assertion.
Does anybody know where I can download these ?
Thanks.

Hi,
Could you please send me the same code for SAML framework .
my mail id is [email protected]
Rgds,
Raj

Similar Messages

  • Saml assertion error

    Hi,
    My composite app will be invoked by x party from soapui. the input soap request has samlassertion contains
    <saml:Assertion .... Issuer="testone.com" ...xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ...>
    <saml:Conditions NotBefore="... NotOnOrAfter="...>
    <saml:AudienceRestrictionCondition>
    <saml:Audience>https://ws.test.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="...">
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="testdmn.com">testuser</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference wsu:Id="TestCert" wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
    <wsse:Reference URI="#....>
    </wsse:SecurityTokenReference>
    </KeyInfo>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </saml:AuthenticationStatement>
    <Signature ...
    I added saml service policy at soa suite composite, if saml authentication succeed then I will call some ecternal service from my bpel in composite.
    If I execute the app from soapui I am getting the following error:
    Found invalid name identifier in SAML assertion. Can not find the specified user in id store: testuser
    Since I want to do saml authentication by consuming the samlassertion is it enough to configure saml identity asserter only or do I also need saml credential mapper?
    Also where exactly I can specify the user, audience, NameQualifier, certificate info which I am getting from saml assertion?
    Please specify any extra configuration do I require to execute this.
    Please provide your inputs as it is urgent for me. Thanks in advance.

    Hi Mahesh,
    There is no scope request parameter needed. It is hard to know precisely what is the issue without the trace of your call, such as provided, for example, by Fiddler. For example, here is a call that I made showing traced through Fiddler showing how this flow works. My suspicion is that you may have a typo in the grant_type parameter, which should be urn:ietf:params:oauth:grant-type:saml2-bearer with the colons escaped as below.
    The HTTP request:
    POST https://jamN.sapjam.com/api/v1/auth/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Java/1.7.0_45
    Host: jamN.sapjam.com
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    Content-Length: 3202
    client_id=i7Gb...x8D3vZ4&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=PEFzc...W9uPg%3D%3D
    The HTTP response:
    HTTP/1.1 200 OK
    Date: Thu, 27 Nov 2014 22:13:44 GMT
    Server: Apache
    ETag: "f5caac8abf77eeb7cff782242d8d0f31"
    Cache-Control: max-age=0, private, must-revalidate
    X-Request-Id: 54ffb30f21bf2258e0f1607b5124da08
    X-Runtime: 0.247811
    X-Rack-Cache: invalidate, pass
    Status: 200 OK
    Vary: Accept-Encoding
    Connection: close
    Content-Type: application/json; charset=utf-8
    Content-Length: 59
    {"access_token":"As3Uv...hVMswcBV"}
    Thanks,
    Bo

  • Problem signing SAML assertion

    Folks,
    I’m having some issues trying to generate a proper signed SAML assertion using JDeveloper 10.1.3. I am securing a java proxy class using the wizard as described in http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html .
    On the OWSM side, I have a service that I am securing with SAML - Verify WSS 1.0 Token. If I set the "Allow signed assertions only" property to false I can complete the service call. However, when it is set to true I am receiving the following fault:
    javax.xml.rpc.soap.SOAPFaultException: SAML token verification failed.
    When I examine the message going to OWSM in a packet analyzer, it is missing the signature in the SAML assertion. The <saml:Assertion> tags looks like:
          <saml:Assertion MajorVersion="1" MinorVersion="1"
                          xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                          AssertionID="yM0oqZgF0N1a1td6yzKgOQ22"
                          IssueInstant="2007-01-23T17:15:27Z"
                          Issuer="HealthMarkets_s3">
            <saml:Conditions NotBefore="2007-01-23T17:15:27Z"
                             NotOnOrAfter="2007-01-24T17:15:27Z"/>
            <saml:AuthenticationStatement AuthenticationInstant="2007-01-23T17:15:27Z"
                                          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">client_s3</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
            </saml:AuthenticationStatement>
          </saml:Assertion>I have selected the Sign Outbound Messages in step 3 of the Secure Web Proxy Wizard. This step uses the DSA-SHA1 algorithm.
    Any help is greatly appreciated.
    Thanks in advance,
    Joseph

    I do believe that JDev will produce a deployment descriptor that contains the WS-Security policy information. Can you post this? It should look something like this:
    <oracle-webservice-clients>
    <webservice-client>
    <saml-token>
    <signature-methods>RSA-SHA1</signature-methods>
    </saml-token>
    </webservice-client>
    </oracle-webservice-clients>

  • Problem with Oracle Security Developer Tools creating signed SAML Assertion

    Hi,
    I'm trying to use OSDT to create a signed SAML assertion.
    Basically, what I've done is to use the ST_Test.java sample and the SignXMLEnveloped.java sample together.
    This is just a proof-of-concept, so what I did was use the code from ST_Test.java to create the unsigned assertion, take the byte array that results, and use it in a ByteArrayInputStream feeding into slightly modified SignXMLEnveloped.java code.
    I was actually able to created a signed assertion, but the signature on the signed assertion does not validate.
    I think that the reason it doesn't validate is because the original code in SignXMLEnveloped.java sets the URI in the reference to "", whereas the reference should be to something like "XXXXXX", which is the "AssertionID" attribute on the Assertion element.
    However, if I modify the SignedXMLEnveloped code to do a setUri to "#XXXXXX", I get the following error:
    Exception in thread "main" oracle.security.xmlsec.dsig.SigningException: Cannot find node with @Id="theassertion"
         at oracle.security.xmlsec.dsig.XSSignature.sign(Unknown Source)
         at SignXMLEnveloped.main(SignXMLEnveloped.java:116)
    Caused by: oracle.security.xmlsec.dsig.ReferenceException: Cannot find node with @Id="theassertion"
         at oracle.security.xmlsec.dsig.ObjectReference.dereference(Unknown Source)
         at oracle.security.xmlsec.dsig.XSReference.getTBDData(Unknown Source)
         at oracle.security.xmlsec.dsig.XSReference.computeDigest(Unknown Source)About to sign the Assertion...
         at oracle.security.xmlsec.dsig.XSReference.computeDigest(Unknown Source)
         at oracle.security.xmlsec.dsig.ReferenceList.computeRefDigests(Unknown Source)
         ... 2 more
    I think I know what the problem may be, but I'm not sure how to workaround it. I have written some apps to do digital signature verification before, and I know that there is a problem with SAML 1.1 called the "idness" problem, where the "AssertionID" attribute is not an "id" type attribute in the schema. I have a feeling that I'm running into the same problem here, with OSDT.
    Has anyone been successful at doing something like this with OSDT? If so, how?
    Thanks,
    Jim

    Hi,
    I was able to past my original problem, and can now sign the assertion which has the AssertionID attribute. I had to set the SAML version to 1.1 using initialize().
    Unfortunately, when I run the resulting signed assertion through a signature validation, it is failing to verify.
    I'm not sure why, but it is failing when it tries to verify the hash/digest on the reference.
    I am using a separate application that I wrote that uses Java6 and the security API that Java6 has, and with debugging enabled, I can see the dereferenced data that is being fed into the digester, and that looks correct, but the calculated digest doesn't match what my OSDT-based application generated.
    Anyone have any idea about what the problem might be?
    Thanks,
    Jim

  • Parse a SAML assertion

    I want to parse a SAML assertion from an Identity Provider and use some
    of the data for identity injection. Anyway, the java identity injection
    plug-in can not access the SAML assertion, it can only access the
    username and password using the ExternalDataFillerContext object.
    Is it possible to extend tha authentication class to parse the SAML
    assertion and write out the data to the customisation profile? Which
    method or property returns the SAML assertion?
    Thank you,
    Alessandro
    afolli
    afolli's Profile: http://forums.novell.com/member.php?userid=6964
    View this thread: http://forums.novell.com/showthread.php?t=398904

    Hi. Thanks for the answer.
    I have two federated domains. The user requests a resource on domainA
    and he's redirected to IdpA for authentication. The user authenticate on
    IdpB and returns back. At this point I need to extract some info from
    the SAML assertion returned by IdpB.
    Do you think it's possible?
    Thanks,
    Alessandro
    mumasankar;1926007 Wrote:
    > The assertions are not stored on the session. It is little confusing
    > when you say you want to parse a SAML assertion from authentication
    > class. Usually, after authentication is done (after authentication class
    > finished exectuing), the response will be generated by the IDP and
    > assertion cration is part of the response.
    >
    > Can you please give details of your use case ?
    >
    > Regards,
    > Uma.
    afolli
    afolli's Profile: http://forums.novell.com/member.php?userid=6964
    View this thread: http://forums.novell.com/showthread.php?t=398904

  • How to get SAMl assertion from SOAP Header and propagate user context to BW

    Hello to all,
    we implemented this scenario:
    3rdparty System to SAP PI 7.11 to SAP BW.
    sync. communication via SOAP Sender adapter and Receiver XI PROXY.
    We get a SAMl assertion in the SOAP Header from the 3rd-Party System.
    The SAP BW System could not read the Header information.
    How can we get the information of the SOAP Header in the PI System and send the usercontext via XI Proxy to the SAP BW system?
    Can we read the Header information in the SOAP adapter and mapping it to another field in the payload or Headerinformation which could read in the backend system in the proxy class?
    Thanks for your help and regards
    Martin

    Dear Fox,
    Thanks for your reply.
    Is it mandatory to have the Header elements and the message defined in the Mediator wsdl?
    At present I have not defined it in the WSDL.
    Thanks,
    Subin

  • SAML assertion.

    Hi Folks,
    I needed your expert advice here related to the OWSM error in the SOA log:
    Caused by: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Found invalid condition "not before" in SAML assertion. Current Time:Fri Feb 22 06:59:18 EST 2013, clockSkew:360000 milli seconds, NotBefore Time:Fri Feb 22 07:12:29 EST 2013
    My test SOA server on Windows based box is integrated correctly into the Oracle Fusion Apps. The tasks in my SOA server need to be seen on Oracle Fusion Apps Worklist, but due to clockSkew the above error is hit. Could you please advise a resolution? I tried Windows "net time" command to time sync my server time with that of the Fusion Apps server. But, that did not work as it was a Linux box.
    SOA log trace:
    [2013-02-22T06:55:19.363-05:00] [soa_server1] [ERROR] [OWS-04115] [oracle.webservices.service] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004p^wCfGg29xWGpIwP5if0006SK000H4B,1:23756:2:1] [APP: soa-infra] [URI: /homePage/faces/AtkHomePageWelcome] An error occurred for port: {http://xmlns.oracle.com/bpel/workflow/taskQueryService}TaskQueryServicePort: oracle.fabric.common.PolicyEnforcementException: InvalidSecurity : error in processing the WS-Security security header.
    [2013-02-22T06:59:18.613-05:00] [soa_server1] [ERROR] [WSM-07618] [oracle.wsm.resources.enforcement] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004p^wQwJi29xWGpIwP5if0006SK000GFk,1:23758:3:1] [WSM_POLICY_NAME: oracle/wss_saml_or_username_token_service_policy] [WEBSERVICE_PORT.name: TaskQueryServicePort] [APP: soa-infra] [J2EE_MODULE.name: integration/services/TaskQueryService] [WEBSERVICE.name: TaskQueryService] [J2EE_APP.name: soa-infra] [URI: /homePage/faces/AtkHomePageWelcome] Failed to execute the assertion "WSSecurity SAML Token" in the conditional policy. InvalidSecurityToken : The security token is not valid.[[
    oracle.wsm.common.sdk.WSMException: InvalidSecurityToken : The security token is not valid.
         at oracle.wsm.security.policy.scenario.executor.Wss10SamlTokenScenarioExecutor.receiveRequest(Wss10SamlTokenScenarioExecutor.java:156)
         at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:562)
         at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:669)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeXorAssertion(WSPolicyRuntimeExecutor.java:480)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:340)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:294)
         at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:102)
         at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1001)
         at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:470)
         at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
         at oracle.integration.platform.common.InterceptorChainImpl.processRequest(InterceptorChainImpl.java:128)
         at oracle.integration.platform.common.mgmt.InterceptorChainManager.processRequest(InterceptorChainManager.java:276)
         at oracle.j2ee.ws.server.mgmt.runtime.SuperServerInterceptorPipeline.handleRequest(SuperServerInterceptorPipeline.java:165)
         at oracle.j2ee.ws.server.provider.management.AbstractProviderInterceptorPipeline.executeRequestInterceptorChain(AbstractProviderInterceptorPipeline.java:576)
         at oracle.j2ee.ws.server.provider.ProviderProcessor.executeInterceptorRequestChain(ProviderProcessor.java:921)
         at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:231)
         at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:193)
         at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:485)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
         at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
         at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
         at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Caused by: oracle.wsm.security.SecurityException: WSM-00008 : Web service authentication failed.
         at oracle.wsm.security.jps.JpsManager.authenticate(JpsManager.java:240)
         at oracle.wsm.security.jps.JpsManager.samlAuthenticate(JpsManager.java:377)
         at oracle.wsm.security.policy.scenario.processor.WssSaml11TokenProcessor.authenticateSamlToken(WssSaml11TokenProcessor.java:313)
         at oracle.wsm.security.policy.scenario.processor.WssSaml11TokenProcessor.authenticate(WssSaml11TokenProcessor.java:221)
         at oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor.verify(WssSamlTokenProcessor.java:598)
         at oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor.verify(WssSamlTokenProcessor.java:572)
         at oracle.wsm.security.policy.scenario.executor.Wss10SamlTokenScenarioExecutor.receiveRequest(Wss10SamlTokenScenarioExecutor.java:137)
         ... 43 more
    Caused by: javax.security.auth.login.LoginException
         at oracle.security.jps.internal.jaas.module.saml.JpsAbstractSAMLLoginModule.login(JpsAbstractSAMLLoginModule.java:122)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
         at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
         at oracle.wsm.security.jps.JpsManager.authenticate(JpsManager.java:235)
         ... 49 more
    Caused by: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Found invalid condition "not before" in SAML assertion. Current Time:Fri Feb 22 06:59:18 EST 2013, clockSkew:360000 milli seconds, NotBefore Time:Fri Feb 22 07:12:29 EST 2013.
         at oracle.security.jps.internal.jaas.module.saml.SAMLUtils.verifyNotBefore(SAMLUtils.java:92)
         at oracle.security.jps.internal.jaas.module.saml.JpsSAMLVerifier.verifyConditions(JpsSAMLVerifier.java:223)
         at oracle.security.jps.internal.jaas.module.saml.JpsSAMLVerifier.verify(JpsSAMLVerifier.java:124)
         at oracle.security.jps.internal.jaas.module.saml.JpsSamlAssertor.verify(JpsSamlAssertor.java:90)
         at oracle.security.jps.internal.jaas.module.saml.JpsSamlAssertor.assertToken(JpsSamlAssertor.java:67)
         at oracle.security.jps.internal.jaas.module.saml.JpsAbstractSAMLLoginModule.login(JpsAbstractSAMLLoginModule.java:102)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$5.run(LoginContext.java:707)
         at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
         at oracle.wsm.security.jps.JpsManager.authenticate(JpsManager.java:235)
         at oracle.wsm.security.jps.JpsManager.samlAuthenticate(JpsManager.java:377)
         at oracle.wsm.security.policy.scenario.processor.WssSaml11TokenProcessor.authenticateSamlToken(WssSaml11TokenProcessor.java:313)
         at oracle.wsm.security.policy.scenario.processor.WssSaml11TokenProcessor.authenticate(WssSaml11TokenProcessor.java:224)
         at oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor.verify(WssSamlTokenProcessor.java:598)
         at oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor.verify(WssSamlTokenProcessor.java:574)
         at oracle.wsm.security.policy.scenario.executor.Wss10SamlTokenScenarioExecutor.receiveRequest(Wss10SamlTokenScenarioExecutor.java:141)
         at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:562)
         at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:669)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeXorAssertion(WSPolicyRuntimeExecutor.java:480)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:340)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:295)
         at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:102)
         at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1001)
         at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:470)
         at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
         at oracle.integration.platform.common.InterceptorChainImpl.processRequest(InterceptorChainImpl.java:128)
         at oracle.integration.platform.common.mgmt.InterceptorChainManager.processRequest(InterceptorChainManager.java:276)
         at oracle.j2ee.ws.server.mgmt.runtime.SuperServerInterceptorPipeline.handleRequest(SuperServerInterceptorPipeline.java:165)
         at oracle.j2ee.ws.server.provider.management.AbstractProviderInterceptorPipeline.executeRequestInterceptorChain(AbstractProviderInterceptorPipeline.java:576)
         at oracle.j2ee.ws.server.provider.ProviderProcessor.executeInterceptorRequestChain(ProviderProcessor.java:921)
         at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:232)
         at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:194)
         at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:485)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
         at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
         at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
         at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
         at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
         at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
         ... 9 more
    [2013-02-22T06:59:18.613-05:00] [soa_server1] [ERROR] [WSM-07618] [oracle.wsm.resources.enforcement] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004p^wQwJi29xWGpIwP5if0006SK000GFk,1:23758:3:1] [WSM_POLICY_NAME: oracle/wss_saml_or_username_token_service_policy] [WEBSERVICE_PORT.name: TaskQueryServicePort] [APP: soa-infra] [J2EE_MODULE.name: integration/services/TaskQueryService] [WEBSERVICE.name: TaskQueryService] [J2EE_APP.name: soa-infra] [URI: /homePage/faces/AtkHomePageWelcome] Failed to execute the assertion "WSSecurity UserName Token" in the conditional policy. InvalidSecurity : error in processing the WS-Security security header[[
    oracle.wsm.common.sdk.WSMException: InvalidSecurity : error in processing the WS-Security security header
         at oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.receiveRequest(WssUsernameTokenScenarioExecutor.java:197)
         at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:562)
         at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:669)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeXorAssertion(WSPolicyRuntimeExecutor.java:480)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:340)
         at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:294)
         at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:102)
         at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1001)
         at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:470)
         at oracle.fabric.common.BindingSecurityInterceptor.processRequest(BindingSecurityInterceptor.java:94)
         at oracle.integration.platform.common.InterceptorChainImpl.processRequest(InterceptorChainImpl.java:128)
         at oracle.integration.platform.common.mgmt.InterceptorChainManager.processRequest(InterceptorChainManager.java:276)
         at oracle.j2ee.ws.server.mgmt.runtime.SuperServerInterceptorPipeline.handleRequest(SuperServerInterceptorPipeline.java:165)
         at oracle.j2ee.ws.server.provider.management.AbstractProviderInterceptorPipeline.executeRequestInterceptorChain(AbstractProviderInterceptorPipeline.java:576)
         at oracle.j2ee.ws.server.provider.ProviderProcessor.executeInterceptorRequestChain(ProviderProcessor.java:921)
         at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:231)
         at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:193)
         at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:485)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
         at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
         at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
         at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Caused by: oracle.wsm.security.SecurityException: WSM-00265 : The Username token is missing in the security header. Ensure that there is a Username token policy attached on the client side. Tokens found in the security header are :- [(saml:Assertion), ].
         at oracle.wsm.security.policy.scenario.processor.UsernameTokenProcessor.verify(UsernameTokenProcessor.java:241)
         at oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.receiveRequest(WssUsernameTokenScenarioExecutor.java:129)
         ... 43 more
    [2013-02-22T06:59:18.613-05:00] [soa_server1] [ERROR] [WSM-07602] [oracle.wsm.resources.enforcement] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004p^wQwJi29xWGpIwP5if0006SK000GFk,1:23758:3:1] [WSM_POLICY_NAME: oracle/wss_saml_or_username_token_service_policy] [WEBSERVICE_PORT.name: TaskQueryServicePort] [APP: soa-infra] [J2EE_MODULE.name: integration/services/TaskQueryService] [WEBSERVICE.name: TaskQueryService] [J2EE_APP.name: soa-infra] [URI: /homePage/faces/AtkHomePageWelcome] Failure in WS-Policy Execution due to exception.
    [2013-02-22T06:59:18.613-05:00] [soa_server1] [ERROR] [WSM-07501] [oracle.wsm.resources.enforcement] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 004p^wQwJi29xWGpIwP5if0006SK000GFk,1:23758:3:1] [WSM_POLICY_NAME: oracle/wss_saml_or_username_token_service_policy] [WEBSERVICE_PORT.name: TaskQueryServicePort] [APP: soa-infra] [J2EE_MODULE.name: integration/services/TaskQueryService] [WEBSERVICE.name: TaskQueryService] [J2EE_APP.name: soa-infra] [URI: /homePage/faces/AtkHomePageWelcome] Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.service, application=soa-infra, composite=null, modelObj=TaskQueryService, policy=oracle/wss_saml_or_username_token_service_policy, policyVersion=null, assertionName={http://schemas.oracle.com/ws/2006/01/securitypolicy}wss-username-token.

    we got the update and this has been resolved as we have installed weblogic 10.

  • Problem with signed SAML assertion and Web Services Manager

    Folks,
    I’m having some issues trying to generate a proper signed SAML assertion using JDeveloper 10.1.3. I am securing a java proxy class using the wizard as described in http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html .
    On the OWSM side, I have a service that I am securing with SAML - Verify WSS 1.0 Token. If I set the "Allow signed assertions only" property to false I can complete the service call. However, when it is set to true I am receiving the following fault: javax.xml.rpc.soap.SOAPFaultException: SAML token verification failed.
    When I examine the message going to OWSM in a packet analyzer, it is missing the signature in the SAML assertion. The <saml:Assertion> tags looks like:
          <saml:Assertion MajorVersion="1" MinorVersion="1"
                          xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                          AssertionID="yM0oqZgF0N1a1td6yzKgOQ22"
                          IssueInstant="2007-01-23T17:15:27Z"
                          Issuer="HealthMarkets_s3">
            <saml:Conditions NotBefore="2007-01-23T17:15:27Z"
                             NotOnOrAfter="2007-01-24T17:15:27Z"/>
            <saml:AuthenticationStatement AuthenticationInstant="2007-01-23T17:15:27Z"
                                          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">client_s3</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
            </saml:AuthenticationStatement>
          </saml:AssertionI have selected the Sign Outbound Messages in step 3 of the Secure Web Proxy Wizard. This step uses the DSA-SHA1 algorithm.
    Any help is greatly appreciated.
    Thanks in advance,
    Joseph

    Thanks for the response. I am not using any pages for this application yet... just calling the web service from SOAP UI or any Web Service testing tool causes the problem.
    All that has to be done to replicate it is to build a simple EJB 3.0 JPA bean using the entities from tables wizard and then add named query as follows:
    @NamedQuery(name = "BomHeader.findByDesc", query = "select o from BomHeader o where o.bomDesc like :p_bomDesc")
    then build a session bean with the wizard that includes the JPA persistence unit and the entity and subsequently use the wizard to wrap the session bean in a web service.
    The whole replication process should take 5 minutes if you have some database tables to work with. It breaks when the web service is called.
    Thanks in advance

  • SAML Assertion ID already in cache -- returning SC_FORBIDDEN

    We are using WLS 10.3 and getting a SAML Assertion IDI already in cache -- returning SC_FORBIDDEN.
    Any clue as to how or why this would happen or resolution.
    Also we are in a Managed Server Cluster Environemnt.
    thanks
    ft

    Hi Hao,
    Regarding claims based issue, I suggest you refer to experts from the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy

  • SAML assertion was used to sign a message, the verification of signature us

    CR325776, CR301621, CR331147
    When SAML assertion was used to sign a message, the verification of signature used to fail with NullPointerException.
    This problem has been resolved.
    We have 9.2 MP2 as our ALDSP weblogic server. Is there any way to do a smart Update from MP2 to MP3?
    Can it be done behind the proxy, ie., download the patch and install ?
    Our Unix server is Solaris. Please let us know.
    Thanks.

    we got the update and this has been resolved as we have installed weblogic 10.

  • Invoke a Webservice that return a SAML assertion

    Dear Developers,
    how can i invoke a Synchronous Webservices(AuthenticateUserService) that reteurn an authentication assertion (SAML assertion) and then use this authentication assertion to invoke another service.
    the AuthenticateUserService has one web service method "login" with the following parameter: loginRequest (with the attributes user and pass which are necessary for logon)
    loginResponse (with the response attribute authentication assertion and response message
    authentication assertion will be use to invoke another WebService
    thanks in advance

    Sorry my entity is like this...
    @Entity
    @Table(name = "V_I_ORGANISATIONS")
    Class InternalOrganisationImpl implements InternalOrganisation{
        @Id
        @Column(name = "IO_ID")
        @ManyToOne(cascade=javax.persistence.CascadeType.ALL)
        private Long id;
        @OneToOne
        @JoinColumn(name = "IO_PARENT_ID")
        private InternalOrganisation parent;
        @OneToMany(mappedBy="parent", fetch=FetchType.LAZY)
        private List<InternalOrganisation> children;
        public List<InternalOrganisation> getChildrenOrganisation(Long id){
            return children;
    }This example is fo a hierarchical table/entity but for other case, the problem is tha same...
    No dao there in of course!
    When I do this i've an error "reference to an unknow entity ... *InternalOrganisation*" (problem is the getChildren method)
    Yes it's normal as InternalOrganisation is an interface.
    So it's not possible to cretae inteface for entities?
    But how to create a webservices that return entities as those entities contains jpa annotations?
    Edited by: paf.be on May 16, 2008 9:54 AM

  • Verify signature on SAML assertion

    I've already asked this question on StackOverflow (http://stackoverflow.com/questions/25394137/verify-signature-on-saml-assertion), but I'm hoping to get a better response here. I'm trying to validate some SAML that looks like this:
    <samlp2:Response Destination="http://www.testhabaGoba.com" ID="ResponseId_934151edfe060ceec3067670c2f0f1ea" IssueInstant="2013-09-24T14:33:29.507Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:Signature>
    <saml2:Assertion ID="SamlAssertion-05fd8af7f2c9972e69cdbca612d3f3b8" IssueInstant="2013-09-24T14:33:29.496Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:Signature>
    </saml2:Assertion>
    </samlp2:Response>
    The signature on the response always passes, but the signature on the assertion always fails. Even when I use a SAML that doesn't sign the response the assertion signature fails. Here's a condensed version of the code I'm using:
    foreach (XmlElement node in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
    {// Verify this Signature block
    SignedXml signedXml = new SignedXml(node.ParentNode as XmlElement);
    signedXml.LoadXml(node);
    KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();
    // Verify certificate
    X509Certificate2 cert = x509Data.Certificates[0] as X509Certificate2;
    log.Info(string.Format("Cert s/n: {0}", cert.SerialNumber));
    VerifyX509Chain(cert);// Custom method
    // Check for approval
    X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection collection = store.Certificates.Find(X509FindType.FindBySerialNumber, cert.SerialNumber, true);
    Debug.Assert(collection.Count == 1);// Standing in for brevity
    // Verify signature
    signedXml.CheckSignature(cert, true);
    Everything works except the CheckSignature method. It's the only thing that fails and it always fails the SAML assertion. What am I doing wrong?

    Hello Matthew T. Ricks,
    Personally after reading your post I don't think this issue is related to this forum "Discuss and ask questions about the C# programming language, IDE, libraries, samples, and tools."
    The problem is due to SAML assertion fail and I read something like this
    http://docs.oracle.com/cd/E21455_01/common/tutorials/authn_saml_xml_sig.html to konw what is SAML and how it works. I will recommend you consult SAML related forum to ask this question.
    Regards,
    Barry
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click
    HERE to participate the survey.

  • OSB: Change SAML Assertions

    Hi,
    I've been looking for the configuration that changes the default time to live of SAML headers generated in OSB.
    I found that to change SAML issuer name, it is done in the oracle/wss10_saml20_token_client_policy in Enterprise Manager by changing the following:
    Property set: standard-security-properties
    Name: saml.issuer.name
    Value: www.oracle.com (change this)
    I thought there would also be a property set that changes SAML TTL. Found this document but no mention on TTL configuration
    http://docs.oracle.com/cd/E28271_01/web.1111/b32511/assertion_schema.htm#CHDEBGGF
    Moving on, found that it could be configured in SAML Credential Mapping Provider. Ironically, I've checked the WLS console and there was no SAML Credential Mapping Provider created in the weblogic server as documented below.
    http://docs.oracle.com/cd/E12840_01/wls/docs103/secmanage/providers.html#SAML_cred
    I'm suspecting it is configured elsewhere, but I could not find it. Could anyone please shed some lights?
    Below is the sample SAML header I've generated. The part I would like to change is TTL portion (NotOnOrAfter). Currently defaulted to 5 mins.
    <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <saml:Assertion Version="2.0" ID="SAML-Kr4iE8Cl6zzQKsiEjF64Hg22" IssueInstant="2012-06-07T12:01:02Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>www.oracle.com</saml:Issuer>
    <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">abc</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-06-07T12:01:02Z" NotOnOrAfter="2012-06-07T12:06:02Z"/>
    <saml:AuthnStatement AuthnInstant="2012-06-07T12:01:02Z">
    <saml:AuthnContext>
    <saml:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    </saml:AuthnContextClassRef>
    </saml:AuthnContext>
    </saml:AuthnStatement>
    </saml:Assertion>
    </wsse:Security>
    </soapenv:Header>
    Thanks.

    I think this is parameter "agent.expire.time"
    look here:
    http://docs.oracle.com/cd/E14571_01/web.1111/b32511/managing.htm#BABHIFDD
    Edited by: AigarsP on Jun 8, 2012 2:01 AM

  • Problem with validating SAML assertion signature ("bad" certificate?)

    Hi,
    We've been developing and testing webservices and webservice clients under WebLogic for awhile. In our typical configuration, we have the SAML Credential mapper configured on the webservice client side, and the SAML Identity Asserter on the webservice side, and we are using "sender-vouches", whereby the SAML assertions are being signed by the SAML Credential mapper.
    Up through development, for the signing, we've been using certs issued by a test CA that we have, but now, we are moving to a pre-production environment, and we're required to use certs issued by a specific 3rd party CA. Since we've started using those new certs, we have been getting "token failed to validate" errors. We've been trying to diagnose this problem for awhile, and we're at the point that we believe that, for some reason, the certs that we got that were issued by the 3rd party CA are "bad".
    Specifically, those certs are SSL Server certs, with the following characteristics:
    Usages:
    Digital Signature
    Key Encipherment
    Key Agreement
    Netscape Type: SSL Server Authentication
    but, they also have two "extended usage extension" OIDs, both are "2.16.840.1.101.2.x.yy.zz".
    When we looked at the certs using various tools, e.g., "openssl x509...", etc., those extended usage extensions are being displayed as "unknown", which made us a littel suspicious about them, so I setup a simple test configuration with two WebLogic 10.0 MP1 instances.
    For testing, we first used a cert from the 3rd party CA, which gave us the "failed to validate token" errors.
    During this testing, we put a sniffer on the line, and captured the SOAP message with the signed SAML assertion, and we used a small Java app that I wrote awhile ago that will validate a digital signature. When we ran that Java app, the digital signature validated successfully (i.e., the digital signature was GOOD).
    This seems to imply that the "failed to validate token signature" errors are happening because of something other than the digital signature being incorrect.
    So, then, we created a certificate that matches the 3rd party CA certs almost exactly, except that we did not include the two extended usage extensions, and we configured the two WebLogic instances to use this new certificate.
    When we tested with the new certificate, we no longer got the errors.
    So, it appears that when the cert has those two enhanced usage extensions, WebLogic is either not willing to, or not able to, utilize the certs for validating digital signatures.
    Does anyone have any insight into this problem, or has anyone encountered a problem like this before?
    I also was wondering if there are any parameters for WebLogic that we might try to set that would tell WebLogic to perhaps ignore the certificate extensions and to just do the digital signature validation?
    Thanks,
    Jim

    Hi,
    FYI, we were able to resolve this problem today. It turned out to be that the certificate and key were not "matched".
    The way that we figured this out was to use openssl and the procedure here:
    http://kb.wisc.edu/middleware/page.php?id=4064
    which showed the mismatch.
    We've since generated a new cert request and got a new certificate, and it's working now.
    Jim

  • SAML Assertion URL

    Been working with a 3rd party IDP on establishing SSO for my on premise environment with SAML, I'm at the point now where they are needing to know what the ACS or SAML endpoint URL would be...this would actually process the SAML assertion they send back.
    Looking through documentation all i can see is that other 3rd party IDPs are only configuring the response to go back to the root site collection for the web application. Am i correct in my thought that if i provide them the URL of my root site collection
    say "https://example.company.com" that SharePoint will process the SAML assertion? Or is there some other URL i need to be passing that will handle the assertion?

    Hi Jacob,
    Thank you for your question.
    We are currently looking into this issue and will give you an update as soon as possible.
    Thank you for your understanding and support.
    Best Regards,
    Wendy
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Wendy Li
    TechNet Community Support

Maybe you are looking for

  • Search Help in ECC 5.0

    Hi great minds, I am working on a project in which the most of the programs are copied from another system (Version 46C) a new system (ECC 5.0). Here I have encountered a issue regarding search helps. In version 46C a Pooled table starting with M (fo

  • Migration from Oracle 9i database to 10g in ECC5

    Hi Experts, We are planning to move our production system which is currently running ECC5 on AIX OS and Oracle 9i database to AIX OS and Oracle 10g database. Some doubts regarding the above procedure: 1)Is there any possibility of SAP system migratio

  • How do I create a title for a document in Pages?

    How do I get a title to show for my documents?  When I click on the blank document, then type, it shows up on my document page as "Blank 2" or 3 or 4.... How do I give it a name?

  • No Access to Message Box

      Hello,   It seems their is something wrong with the access to the Message Box, I am unable to retrieve the messages. When trying to access the messages before  a voice would say to enter your pass word now their is nothing looks like it is on a TIL

  • Flexconnect AP Provisioning

    I have 3 AP's that I will be setting up in a remote office. Currently there is only one subnet in the office. This subnet can reach the controller via ping. Can I provision these at my local office in the current VLAN which I am using for the local A