Using SAML Token Profile 1.1 with WLS 10.3

Hi All,
I am a student from IITB. I am trying to use message-level authentication for web services using SAML Token Profile 1.1 on WebLogic 10.3. I have done the necessary configuration, but I am getting an error:
"Unable to add Security Token for Identity". I turned the SamlCredMapper debug flag on from the console and looked at the logs, and I saw that everything is going fine until at one place it
gives this error:
<Debug> <SecuritySAMLCredMap> ' <1245866312123> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: No partner ID or target resource>
I do not know how to fix this problem. Please tell me if anyone has any idea about it.
Thanks
Regards,
Sanyam
// The logs are as follows:
<Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): initiator = Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("ssouser")
>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): resource = (null)>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Found partner 'rp_00001'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310436> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Not found name mapper in the cache, try to create one>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310437> <BEA-000000> <SAMLNameMapperCache.getNameMapper: create SAMLNameMapperImpl name mapper>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310439> <BEA-000000> <SAMLNameMapperImpl: mapSubject: No valid WLSGroup pricipals found in Subject, continuing>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310439> <BEA-000000> <SAMLNameMapperImpl: mapSubject: Mapped subject: qualifier: null, name: ssouser, groups: []>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310440> <BEA-000000> <SAMLCreateAssertion: Mapped subject 'Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("ssouser")
' to: username='ssouser',qualifier='null',format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310442> <BEA-000000> <SAMLCreateAssertion: No context or subject attribute were mapped>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310442> <BEA-000000> <SAMLCreateAssertion: Groups attribute statement requested but name mapper returned no groups -- groups attribute statement will not be generated>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: Creating sender-vouches assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: Assertion IS signed>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: KeyInfo IS NOT supplied>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: AttrStmtInfo IS NOT supplied>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310460> <BEA-000000> <SAMLCreateAssertion: Created SAMLSubject for 'ssouser'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310460> <BEA-000000> <SAMLCreateAssertion: Created SAMLSubject>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310475> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Cloning SAMLSubject>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310476> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Created SAMLAuthenticationStatement>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310484> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Signing assertion, keyinfo is included>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310508> <BEA-000000> <SAMLSignedObject.sign(): algorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310509> <BEA-000000> <SAMLSignedObject.sign(): reference '#b21cfea8d3c90fee97a3100a59b0005e'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310509> <BEA-000000> <SAMLSignedObject.sign(): InclusiveNamespaces '#default saml samlp ds dsig code kind rw typens'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310542> <BEA-000000> <SAMLSignedObject.sign(): adding certificates>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310556> <BEA-000000> <SAMLSignedObject.sign(): signing object>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLSignedObject.sign(): completed>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Signed assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Created SAMLAssertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: Returning assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): Returning non-null credential>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311896> <BEA-000000> <SAMLIdentityAsserter: assertIdentity() called>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311897> <BEA-000000> <SAMLIdentityAsserter: SAMLIdentityAsserter: tokenType is 'SAML.Assertion.DOM'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311903> <BEA-000000> <SAMLAssertion: Assertion passed basic validity check>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311905> <BEA-000000> <SAMLAssertion: Target for assertion is: 'http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311905> <BEA-000000> <SAMLAssertion: Assertion issuer is: 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311906> <BEA-000000> <SAMLAssertion: Assertion subject confirmation method is: 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://usmumsanygoyal1:7001/&http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAPConfigManager.findPartnerInTargetMap():Found partner 'ap_00001'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAssertion: Found asserting party 'ap_00001'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAssertion: Assertion is signed>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311908> <BEA-000000> <SAMLTrustManager: Looking for certificate alias 'testalias'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311930> <BEA-000000> <SAMLTrustManager: Certificate was found>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311937> <BEA-000000> <SAMLSignedObject.verify(): key supplied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311963> <BEA-000000> <SAMLSignedObject.verify(): obtained signed info>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311963> <BEA-000000> <SAMLSignedObject.verify(): validating signature>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311970> <BEA-000000> <SAMLSignedObject.verify(): completed>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311970> <BEA-000000> <SAMLAssertion: Signature verified using trusted certificate>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <Got signing certificate for signed object: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <SAMLAssertion: Assertion subject confirmation method is: 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <SAMLAssertion: Verified subject confirmation method>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311978> <BEA-000000> <SAMLAssertion: Assertion issuer is 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311978> <BEA-000000> <SAMLAssertion: Assertion issuer verified>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: Assertion contains NotBefore condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: Assertion contains NotOnOrAfter condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: NotBefore condition satisfied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: NotOnOrAfter condition satisfied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion has AudienceRestrictionCondition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Found matching audience 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: AudienceRestriction condition satisfied (matching audience)>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion has DoNotCache condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion conditions verified>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311986> <BEA-000000> <SAMLAssertion: Found subject for name: 'ssouser'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Not found name mapper in the cache, try to create one>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLNameMapperCache.getNameMapper: create SAMLNameMapperImpl name mapper>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: Looking for AttributeName 'Groups'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: Looking for AttributeNamespace 'urn:bea:security:saml:groups'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: ProcessGroups is true but did not find expected groups attribute statement>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311988> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Found name mapper in the cache>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311988> <BEA-000000> <SAMLNameMapperImpl: mapNameInfo: returning name: ssouser>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311989> <BEA-000000> <SAMLNameMapperImpl: mapGroupInfo: returning groups: null>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311989> <BEA-000000> <SAMLIACallbackHandler: SAMLIACallbackHandler(true, ssouser, null)>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311996> <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(ssouser)>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866312002> <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(ssouser)>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312122> <BEA-000000> <SAMLCredentialMapperV2: getCredentials: Subject initiator>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312122> <BEA-000000> <SAMLCredentialMapperV2: getCredentials(Subject): getCredentialInternal() called>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312123> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: No partner ID or target resource>
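As an added triage aid (this script is not part of Sanyam's post, and it does not diagnose the cause of the error): a Python parser for WebLogic debug entries of the form pasted above that groups them per provider invocation, so the credential-mapper pass that threw the InvalidParameterException can be compared with the earlier pass that returned a credential. The entry regex, the pass-splitting heuristic and the Pass/field names are my own; the sample input is an excerpt of the log above with the emphasis markup removed.

```python
"""Triage helper for the WebLogic SecuritySAMLCredMap / SecuritySAMLAtn debug output
above (added example, not from the post): splits the entries into provider
invocations and records the resource, partner lookup, target and exception per pass."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: excerpt of the log in the post, emphasis markup removed.
LOG = """\
<Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): initiator = Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("ssouser")
>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): resource = (null)>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Found partner 'rp_00001'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): Returning non-null credential>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311896> <BEA-000000> <SAMLIdentityAsserter: assertIdentity() called>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311905> <BEA-000000> <SAMLAssertion: Target for assertion is: 'http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAPConfigManager.findPartnerInTargetMap():Found partner 'ap_00001'>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312122> <BEA-000000> <SAMLCredentialMapperV2: getCredentials(Subject): getCredentialInternal() called>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312123> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: No partner ID or target resource>
"""

# Optional '####<timestamp>' prefix, severity, subsystem, truncated thread field,
# epoch milliseconds, BEA message id, message text.
ENTRY_RE = re.compile(r"^(?:####<[^>]*> )?<[^>]+> <[^>]+> .*?<(?P<ms>\d{13})> "
                      r"<BEA-\d+> <(?P<msg>.*)$")
# Messages that open a credential-mapper or identity-asserter invocation.
START_MARKERS = (("credmap", "SAMLCredentialMapperV2: getCredentials"),
                 ("credmap", "SAMLCredentialMapperV2: getCredentialInternal(): initiator"),
                 ("idasserter", "SAMLIdentityAsserter: assertIdentity() called"))
FIELD_RES = {"resource": re.compile(r"getCredentialInternal\(\): resource = (.+)$"),
             "lookup_key": re.compile(r"findPartnerInTargetMap\(\):Searching with key '([^']*)'"),
             "partner": re.compile(r"findPartnerInTargetMap\(\):Found partner '([^']*)'"),
             "target": re.compile(r"Target for assertion is: '([^']*)'")}


@dataclass
class Pass:
    kind: str                       # "credmap" or "idasserter"
    start_ms: int
    resource: Optional[str] = None
    lookup_key: Optional[str] = None
    partner: Optional[str] = None
    target: Optional[str] = None
    error: Optional[str] = None
    returned_credential: bool = False

    def is_empty(self) -> bool:
        return not self.returned_credential and all(v is None for v in (
            self.resource, self.lookup_key, self.partner, self.target, self.error))


def parse_entries(text: str) -> List[Tuple[int, str]]:
    """Return (epoch_ms, message) pairs. Lines that do not match ENTRY_RE continue
    the previous message (WLS prints Subjects over several lines); '>' closes it."""
    entries: List[Tuple[int, str]] = []
    ms = 0
    parts: List[str] = []

    def flush() -> None:
        if parts:
            msg = "\n".join(parts).rstrip()
            entries.append((ms, msg[:-1].rstrip() if msg.endswith(">") else msg))

    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            flush()
            ms, parts = int(m.group("ms")), [m.group("msg")]
        elif parts:
            parts.append(line)
    flush()
    return entries


def build_passes(entries: List[Tuple[int, str]]) -> List[Pass]:
    passes: List[Pass] = []
    for epoch_ms, msg in entries:
        for kind, marker in START_MARKERS:
            if marker in msg:
                # several marker lines open one invocation; split only if the
                # current pass of the same kind already holds state
                if not passes or passes[-1].kind != kind or not passes[-1].is_empty():
                    passes.append(Pass(kind, epoch_ms))
                break
        if not passes:
            continue                # entries before the first invocation
        cur = passes[-1]
        for attr, rx in FIELD_RES.items():
            m = rx.search(msg)
            if m:
                setattr(cur, attr, m.group(1))
        if "Returning non-null credential" in msg:
            cur.returned_credential = True
        if "Exception" in msg:
            cur.error = msg
    return passes


def find_failures(passes: List[Pass]) -> List[Pass]:
    return [p for p in passes if p.error is not None]


if __name__ == "__main__":
    for i, p in enumerate(build_passes(parse_entries(LOG)), 1):
        print(f"#{i} {p.kind} @{p.start_ms} resource={p.resource} key={p.lookup_key} "
              f"partner={p.partner} target={p.target} error={p.error}")
```

Run it directly to get one line per pass. On this excerpt the first credential-mapper pass records resource = (null), a sender-vouches lookup key for the service URL that resolved to rp_00001, and a returned credential; the identity-asserter pass records the target and ap_00001; the second credential-mapper pass records no resource, no lookup key and no partner before the exception. That difference between the two credential-mapper passes is what the exception text itself points at.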
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                          

Client Side
<realm>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
  </sec:authentication-provider>
  <sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
  <sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
  <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
  <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
  <!-- SAML Credential Mapper V2: generates the SAML assertion for the outbound web service call -->
  <sec:credential-mapper xsi:type="wls:saml-credential-mapper-v2Type">
    <sec:name>SAMLCredentialMapper</sec:name>
    <wls:issuer-uri>www.bea.com/demoSAML</wls:issuer-uri>
    <wls:name-qualifier>bea.com</wls:name-qualifier>
    <wls:signing-key-alias>testalias</wls:signing-key-alias>
    <wls:default-time-to-live-delta>-30</wls:default-time-to-live-delta>
    <wls:signing-key-pass-phrase-encrypted>{3DES}dOC15C42IEzCnN/klGIdyQ==</wls:signing-key-pass-phrase-encrypted>
  </sec:credential-mapper>
  <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
  <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
  <sec:key-store xsi:type="wls:default-key-storeType">
    <sec:name>keystore</sec:name>
  </sec:key-store>
  <sec:name>myrealm</sec:name>
</realm>
Server Side
<realm>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
  </sec:authentication-provider>
  <!-- SAML Identity Asserter V2: consumes the inbound assertion and maps it to a local user -->
  <sec:authentication-provider xsi:type="wls:saml-identity-asserter-v2Type">
    <sec:name>SAMLIdentityAsserter</sec:name>
  </sec:authentication-provider>
  <sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
  <sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
  <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
  <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
  <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
  <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
  <sec:name>myrealm</sec:name>
</realm>
Sanyam

Similar Messages

  • SAML Token Profile Policies Issues

    Hi all
    I want to secure a web service using SAML Token Profile policies. I am using the Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml policy.
    I have configured a SAML 2.0 Identity Assertion Provider in my WebLogic Server and added an Identity Provider partner.
    I gave the Issuer as http://com.example.idp/AssertingParty
    Below is the SOAP request which I send to my web service.
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Header>
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
          <saml:Assertion
              xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
              ID="_15931837d93e95e7e7ffbaa038ad4942"
              IssueInstant="2013-04-26T15:20:24.021Z" Version="2.0">
            <saml:Issuer>http://com.example.idp/AssertingParty</saml:Issuer>
            <saml:Subject>
              <saml:NameID Format="NameID">weblogic_sp</saml:NameID>
              <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
            </saml:Subject>
            <saml:Conditions NotBefore="2013-04-26T15:24:14.021Z" NotOnOrAfter="2013-04-26T15:50:24.021Z"/>
            <saml:AuthnStatement>
              <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
              </saml:AuthnContext>
            </saml:AuthnStatement>
            <saml:AttributeStatement>
              <saml:Attribute Name="Roles">
                <saml:AttributeValue>Administrators</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
          </saml:Assertion>
        </wsse:Security>
      </env:Header>
      <env:Body/>
    </env:Envelope>
    I am getting the below error.
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Body>
        <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <faultcode>wsse:InvalidSecurityToken</faultcode>
          <faultstring>Invalid SAML token on CCS?Invalid SAML token when samlAsst= null</faultstring>
        </env:Fault>
      </env:Body>
    </env:Envelope>
    I turned on verbose logging in the WebLogic server and got the log below when I invoke the web service.
    <WSEE:24>Created<SoapMessageContext.<init>:48>
    <WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
    <WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
    <WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
    <WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
    <WSEE:24>tokenType: null, cred: [saml:Assertion: null], privkey: null<SAMLCredentialImpl.<init>:107>
    <WSEE:24>Class of cred is: class com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl<SAMLCredentialImpl.<init>:108>
    <WSEE:24>Instantiating SAMLAssertionInfoFactory<SAMLCredentialImpl.<init>:113>
    <WSEE:24>Getting SAMLAssertionInfo from DOM Element of CSS<SAMLCredentialImpl.<init>:141>
    <WSEE:24>Got erroron on SAMLAssertionInfo from DOM Element of CSS, msg =[Security:098517]Failed to get SAML assertion info: Unable to construct SAML 1.1/2.0 Schema object, can not perform validation.<SAMLCredentialImpl.<init>:152>
    Please let me know if I am doing anything wrong.
    Thanks
    Ranjith
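Added example, not from the post above and not WebLogic code: a stand-alone Python pre-flight that applies, to a SAML 2.0 assertion like the one posted, the checks a relying party runs before it trusts the token (issuer against the registered partner, NameID Format as a URI, confirmation method and whether an issuer signature is present for it, validity window with clock skew). The sample assertion is constructed and modelled on the posted one; the configured issuer, the 30-second skew and the arrival time are assumptions. It does neither schema validation nor signature verification, so the [Security:098517] schema failure in the log above is outside what it can explain.

```python
"""Relying-party pre-flight checks for a SAML 2.0 assertion carried in a WS-Security header.
Stand-alone illustration, not WebLogic code; it checks that a ds:Signature is present, not that it verifies."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # for untrusted input use defusedxml instead

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
CM_BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
KNOWN_METHODS = {CM_SENDER_VOUCHES, CM_HOLDER_OF_KEY, CM_BEARER}
EXPECTED_ISSUER = "http://com.example.idp/AssertingParty"  # assumed: the issuer registered for the partner


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC; fractional seconds are optional."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("not a UTC xs:dateTime: %r" % (value,))


def check_assertion(xml_text, expected_issuer, now, skew=timedelta(seconds=30)):
    """Return [(level, message), ...]; an empty list means the assertion passed every check."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Version") != "2.0":
        findings.append(("error", "Version is %r, expected 2.0" % root.get("Version")))

    # Only a registered partner's issuer is trusted; anything else is rejected outright.
    issuer = root.findtext("{%s}Issuer" % SAML2)
    if issuer != expected_issuer:
        findings.append(("error", "Issuer %r is not the configured partner %r" % (issuer, expected_issuer)))

    subject = root.find("{%s}Subject" % SAML2)
    name_id = subject.find("{%s}NameID" % SAML2) if subject is not None else None
    if name_id is None:
        findings.append(("error", "Subject/NameID missing"))
    elif name_id.get("Format") and not name_id.get("Format").startswith(("urn:", "http://", "https://")):
        # Format is a URI such as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, not a free label.
        findings.append(("error", "NameID Format %r is not a URI" % name_id.get("Format")))

    # The confirmation method decides what binds the assertion to the party presenting it.
    conf = subject.find("{%s}SubjectConfirmation" % SAML2) if subject is not None else None
    method = conf.get("Method") if conf is not None else None
    signed = root.find("{%s}Signature" % DSIG) is not None
    if method not in KNOWN_METHODS:
        findings.append(("error", "unknown or missing SubjectConfirmation Method %r" % (method,)))
    elif method == CM_HOLDER_OF_KEY:
        if conf.find("{%s}SubjectConfirmationData/{%s}KeyInfo" % (SAML2, DSIG)) is None:
            findings.append(("error", "holder-of-key without SubjectConfirmationData/KeyInfo"))
        if not signed:  # otherwise anyone could mint an assertion naming their own key
            findings.append(("error", "holder-of-key assertion is not signed by the issuer"))
    elif method == CM_BEARER and not signed:
        findings.append(("error", "bearer assertion is not signed: nothing ties it to the issuer"))
    elif method == CM_SENDER_VOUCHES and not signed:
        # Allowed, but the sender's signature over assertion and body then carries all the trust.
        findings.append(("warn", "unsigned sender-vouches assertion: trust rests on the sender's message signature"))

    cond = root.find("{%s}Conditions" % SAML2)
    if cond is None:
        findings.append(("warn", "no Conditions element: the assertion never expires"))
    else:
        nb = parse_saml_time(cond.get("NotBefore")) if cond.get("NotBefore") else None
        noa = parse_saml_time(cond.get("NotOnOrAfter")) if cond.get("NotOnOrAfter") else None
        if nb and now < nb - skew:
            findings.append(("error", "assertion not yet valid: NotBefore is %ds ahead of the receiver's clock"
                             % int((nb - now).total_seconds())))
        if noa and now >= noa + skew:
            findings.append(("error", "assertion expired at NotOnOrAfter %s" % cond.get("NotOnOrAfter")))
    return findings


# Constructed sample modelled on the assertion in the post above: NotBefore lies four minutes
# after IssueInstant and the NameID Format is a bare label rather than a URI.
POSTED_STYLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_15931837d93e95e7e7ffbaa038ad4942" IssueInstant="2013-04-26T15:20:24.021Z" Version="2.0">
  <saml:Issuer>http://com.example.idp/AssertingParty</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="NameID">weblogic_sp</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-04-26T15:24:14.021Z" NotOnOrAfter="2013-04-26T15:50:24.021Z"/>
</saml:Assertion>"""

# The same assertion with a URI NameID Format and NotBefore aligned to IssueInstant.
FIXED_ASSERTION = POSTED_STYLE_ASSERTION.replace(
    'Format="NameID"', 'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"').replace(
    'NotBefore="2013-04-26T15:24:14.021Z"', 'NotBefore="2013-04-26T15:20:24.021Z"')


def main():
    now = parse_saml_time("2013-04-26T15:20:26Z")  # assumed arrival time: two seconds after IssueInstant
    for label, xml in (("as posted", POSTED_STYLE_ASSERTION), ("corrected", FIXED_ASSERTION)):
        print(label)
        for level, msg in check_assertion(xml, EXPECTED_ISSUER, now) or [("ok", "no findings")]:
            print("  %-5s %s" % (level, msg))

if __name__ == "__main__":
    main()
```

Run against the posted-style sample it reports that Format="NameID" is not a URI and that the assertion is not yet valid when it arrives, because NotBefore is about four minutes after IssueInstant; a relying party evaluating it at receipt rejects it on that alone. The corrected copy passes with only the warning that an unsigned sender-vouches assertion depends entirely on the sender's signature over the message, which is exactly what the SenderVouches policy is there to enforce.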


  • Invalid security error when invoking secure webservice using SAML tokens

    I have deployed a JAX-WS web service using a stateless session bean to WebLogic 10.3.2 that uses a custom policy. The service deploys fine, but WebLogic returns an HTTP error 500 with a SOAP fault. The fault states wsse:InvalidSecurity. The web service security policy requires SAML holder-of-key assertions and attributes. I have tried everything from running WebLogic with Metro 1.5 to configuring SAML Identity Asserter Providers, etc., with no luck. I even tried using the built-in SAML 2.0 asymmetric holder-of-key policy. What am I doing wrong? The XML of interest is attached.
    Thanks;
    -Dave.
    *[Sample message from client]*
    <?xml version="1.0" encoding="UTF-8"?>
    <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
         <S:Header>
              <To xmlns="http://www.w3.org/2005/08/addressing">https://localhost:7002/NHINAdapterDocQuerySecured/AdapterDocQuerySecured</To>
              <Action xmlns="http://www.w3.org/2005/08/addressing">urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage</Action>
              <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
                   <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
              </ReplyTo>
              <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:fec656f8-a2be-4129-8412-34d9453e7cb2</MessageID>
              <wsse:Security S:mustUnderstand="1">
                   <wsu:Timestamp xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_1">
                        <wsu:Created>2010-02-24T21:38:56Z</wsu:Created>
                        <wsu:Expires>2010-02-24T21:43:56Z</wsu:Expires>
                   </wsu:Timestamp>
                   <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="96cdfb70-91a3-4baf-9da1-3ff07d249926" IssueInstant="2010-02-24T21:38:56.671Z" Version="2.0">
                        <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
                        <saml2:Subject>
                             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=kskagerb*DoD</saml2:NameID>
                             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                                  <saml2:SubjectConfirmationData>
                                       <ds:KeyInfo>
                                            <ds:KeyValue>
                                                 <ds:RSAKeyValue>
                                                      <ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZiqM1BAFp9F73hMHsNrc=</ds:Modulus>
                                                      <ds:Exponent>AQAB</ds:Exponent>
                                                 </ds:RSAKeyValue>
                                            </ds:KeyValue>
                                       </ds:KeyInfo>
                                  </saml2:SubjectConfirmationData>
                             </saml2:SubjectConfirmation>
                        </saml2:Subject>
                        <saml2:AuthnStatement AuthnInstant="2009-04-16T13:15:39.000Z" SessionIndex="987">
                             <saml2:SubjectLocality Address="158.147.185.168" DNSName="cs.myharris.net"/>
                             <saml2:AuthnContext>
                                  <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
                             </saml2:AuthnContext>
                        </saml2:AuthnStatement>
                        <saml2:AttributeStatement>
                             <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Karl S Skagerberg</saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">InternalTest2</saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
                                  <saml2:AttributeValue>
                                       <hl7:Role xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="307969004" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="Public Health" xsi:type="hl7:CE"/>
                                  </saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
                                  <saml2:AttributeValue>
                                       <hl7:PurposeForUse xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="TREATMENT" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Use or disclosure of Psychotherapy Notes" xsi:type="hl7:CE"/>
                                  </saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">500000000^^^&amp;1.1&amp;ISO</saml2:AttributeValue>
                             </saml2:Attribute>
                        </saml2:AttributeStatement>
                        <saml2:AuthzDecisionStatement Decision="Permit" Resource="https://158.147.185.168:8181/SamlReceiveService/SamlProcessWS">
                             <saml2:Action Namespace="urn:nhin:names:hl7:rbac:4.00:operation">EXECUTE</saml2:Action>
                             <saml2:Evidence>
                                  <saml2:Assertion ID="40df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0">
                                       <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>
                                       <saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z" NotOnOrAfter="2010-12-31T12:00:00.000Z"/>
                                       <saml2:AttributeStatement>
                                            <saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
                                                 <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Ref-1234</saml2:AttributeValue>
                                            </saml2:Attribute>
                                            <saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
                                                 <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Instance-1</saml2:AttributeValue>
                                            </saml2:Attribute>
                                       </saml2:AttributeStatement>
                                  </saml2:Assertion>
                             </saml2:Evidence>
                        </saml2:AuthzDecisionStatement>
                        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                             <ds:SignedInfo>
                                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                                  <ds:Reference URI="#96cdfb70-91a3-4baf-9da1-3ff07d249926">
                                       <ds:Transforms>
                                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                       </ds:Transforms>
                                       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                       <ds:DigestValue>VnukKqb4Bt1KWDKfy8SDfk1Hp2s=</ds:DigestValue>
                                  </ds:Reference>
                             </ds:SignedInfo>
                             <ds:SignatureValue>DUwjh/H3XSfUG250rTlLdihstDXY1+qkY9GaY81Iu7Ag4MgoGvGBrGjZOJ7YnssPdrqUGiURxf6k
    IBH7vaeXk24XvXP3F85WP9nBm+2M4BvGTplgOmAo0yuwze+90FvwILzFNmmX/tvy3QKTDHlh1rEx
    /Jqfm6q/56WW1suAbRY=</ds:SignatureValue>
                             <ds:KeyInfo>
                                  <ds:KeyValue>
                                       <ds:RSAKeyValue>
                                            <ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l
    0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZ
    iqM1BAFp9F73hMHsNrc=</ds:Modulus>
                                            <ds:Exponent>AQAB</ds:Exponent>
                                       </ds:RSAKeyValue>
                                  </ds:KeyValue>
                             </ds:KeyInfo>
                        </ds:Signature>
                   </saml2:Assertion>
                   <ds:Signature xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_2">
                        <ds:SignedInfo>
                             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                  <exc14n:InclusiveNamespaces PrefixList="wsse S"/>
                             </ds:CanonicalizationMethod>
                             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                             <ds:Reference URI="#_1">
                                  <ds:Transforms>
                                       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                            <exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
                                       </ds:Transform>
                                  </ds:Transforms>
                                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                  <ds:DigestValue>oo99UrPhAcwla4Qbkdd9jAPn0cE=</ds:DigestValue>
                             </ds:Reference>
                        </ds:SignedInfo>
                        <ds:SignatureValue>ds4vqts8uCdJcNGo0uTPzId5UBX+GVrdztQPv823c1Zy9ZZGSfQC/GsBPM/EMbFInDPFsyT4e1QYZMCzmqLYnifWHlDQJb7oMJBokafavAqZda1B55Zzh3TSm6BqKWtB/DX17d6rLx/HPiLNZ9qsBfuGn3aTlUCpNsYA8ObBtp8=</ds:SignatureValue>
                        <ds:KeyInfo>
                             <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
                                  <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">96cdfb70-91a3-4baf-9da1-3ff07d249926</wsse:KeyIdentifier>
                             </wsse:SecurityTokenReference>
                        </ds:KeyInfo>
                   </ds:Signature>
              </wsse:Security>
         </S:Header>
         <S:Body>
              <ns3:AdhocQueryRequest xmlns:ns2="urn:gov:hhs:fha:nhinc:gateway:samltokendata" xmlns:ns3="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0" xmlns:ns4="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0" xmlns:ns5="urn:oasis:names:tc:ebxml-regrep:xsd:rs:3.0" xmlns:ns6="urn:oasis:names:tc:ebxml-regrep:xsd:lcm:3.0" maxResults="-1" startIndex="0" federated="false">
                   <ns3:ResponseOption returnComposedObjects="true" returnType="LeafClass"/>
                   <ns4:AdhocQuery home="urn:oid:2.16.840.1.113883.4.349" id="urn:uuid:14d4debf-8f97-4251-9a74-a90016b0af0d">
                        <ns4:Slot name="$XDSDocumentEntryStatus">
                             <ns4:ValueList>
                                  <ns4:Value>('urn:oasis:names:tc:ebxml-regrep:StatusType:Approved')</ns4:Value>
                             </ns4:ValueList>
                        </ns4:Slot>
                        <ns4:Slot name="$XDSDocumentEntryPatientId">
                             <ns4:ValueList>
                                  <ns4:Value>'1012581676V377802^^^&amp;2.16.840.1.113883.4.349&amp;ISO'</ns4:Value>
                             </ns4:ValueList>
                        </ns4:Slot>
                   </ns4:AdhocQuery>
              </ns3:AdhocQueryRequest>
         </S:Body>
    </S:Envelope>
    *[Response from server:]*
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
         <env:Body>
              <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <faultcode>wsse:InvalidSecurity</faultcode>
                   <faultstring>weblogic.xml.crypto.api.MarshalException: weblogic.xml.dom.marshal.MarshalException: Failed to unmarshal {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference, no SecurityTokenReference factory found for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}KeyIdentifier ValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID</faultstring>
              </env:Fault>
         </env:Body>
    </env:Envelope>
    *[webservice WSDL]*
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
    Adapter Document Query WSDL
    -->
    <definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="urn:gov:hhs:fha:nhinc:adapterdocquerysecured"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:query="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
    xmlns:plnk="http://docs.oasis-open.org/wsbpel/2.0/plnktype"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:wsaws="http://www.w3.org/2005/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:vprop="http://docs.oasis-open.org/wsbpel/2.0/varprop"
    xmlns:sxnmp="http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/NMProperty"
    name="AdapterDocQuerySecured"
    targetNamespace="urn:gov:hhs:fha:nhinc:adapterdocquerysecured">
    <documentation>Adapter Document Query</documentation>
    <types>
    <xsd:schema>
    <xsd:import namespace="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
    schemaLocation="../schemas/ebRS/query.xsd"/>
    <xsd:import namespace="urn:gov:hhs:fha:nhinc:gateway:samltokendata"
    schemaLocation="../schemas/nhinc/gateway/SamlTokenData.xsd"/>
    </xsd:schema>
    </types>
    <message name="RespondingGateway_CrossGatewayQueryRequestMessage">
    <part name="body"
    element="query:AdhocQueryRequest"/>
    </message>
    <message name="RespondingGateway_CrossGatewayQueryResponseMessage">
    <part name="body"
    element="query:AdhocQueryResponse"/>
    </message>
    <portType name="AdapterDocQuerySecuredPortType">
    <operation name="RespondingGateway_CrossGatewayQuery">
    <input name="RespondingGateway_CrossGatewayQueryRequest"
    message="tns:RespondingGateway_CrossGatewayQueryRequestMessage"
    wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage"/>
    <output name="RespondingGateway_CrossGatewayQueryResponse"
    message="tns:RespondingGateway_CrossGatewayQueryResponseMessage"
    wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryResponseMessage"/>
    </operation>
    </portType>
    <binding name="AdapterDocQuerySecuredBindingSoap11" type="tns:AdapterDocQuerySecuredPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsp:PolicyReference URI="#RespondingGateway_Query_Binding_SoapPolicy"/>
    <operation name="RespondingGateway_CrossGatewayQuery">
    <soap:operation soapAction="urn:RespondingGateway_CrossGatewayQuery"/>
    <input name="RespondingGateway_CrossGatewayQueryRequest">
    <soap:body use="literal"/>
    <wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Input_Policy"/>
    </input>
    <output name="RespondingGateway_CrossGatewayQueryResponse">
    <soap:body use="literal"/>
    <wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Output_Policy"/>
    </output>
    </operation>
    </binding>
    <service name="AdapterDocQuerySecured">
    <port name="AdapterDocQuerySecuredPortSoap11"
    binding="tns:AdapterDocQuerySecuredBindingSoap11">
    <soap:address
    location="https://localhost:7002/NHINAdapterDocQuerySecured" />
    </port>
    </service>
    <!-- Define action property on each receiving message -->
    <vprop:property name="action" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:action"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>action</vprop:query>
    </vprop:propertyAlias>
    <!-- Define resource property on each receiving message -->
    <vprop:property name="resource" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:resource"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>resource</vprop:query>
    </vprop:propertyAlias>
    <!-- Define purposeForUseRoleCode property on each receiving message -->
    <vprop:property name="purposeForUseRoleCode" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:purposeForUseRoleCode"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>purposeForUseRoleCode</vprop:query>
    </vprop:propertyAlias>
    <!-- Define purposeForUseCodeSystem property on each receiving message -->
    <vprop:property name="purposeForUseCodeSystem" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:purposeForUseCodeSystem"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>purposeForUseCodeSystem</vprop:query>
    </vprop:propertyAlias>
    <!-- Define purposeForUseCodeSystemName property on each receiving message -->
    <vprop:property name="purposeForUseCodeSystemName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:purposeForUseCodeSystemName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>purposeForUseCodeSystemName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define purposeForUseDisplayName property on each receiving message -->
    <vprop:property name="purposeForUseDisplayName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:purposeForUseDisplayName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>purposeForUseDisplayName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userFirstName property on each receiving message -->
    <vprop:property name="userFirstName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userFirstName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userFirstName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userMiddleName property on each receiving message -->
    <vprop:property name="userMiddleName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userMiddleName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userMiddleName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userLastName property on each receiving message -->
    <vprop:property name="userLastName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userLastName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userLastName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userName property on each receiving message -->
    <vprop:property name="userName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userOrganization property on each receiving message -->
    <vprop:property name="userOrganization" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userOrganization"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userOrganization</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userRoleCode property on each receiving message -->
    <vprop:property name="userRoleCode" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userRoleCode"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userRoleCode</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userRoleCodeSystem property on each receiving message -->
    <vprop:property name="userRoleCodeSystem" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userRoleCodeSystem"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userRoleCodeSystem</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userRoleCodeSystemName property on each receiving message -->
    <vprop:property name="userRoleCodeSystemName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userRoleCodeSystemName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userRoleCodeSystemName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userRoleCodeDisplayName property on each receiving message -->
    <vprop:property name="userRoleCodeDisplayName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userRoleCodeDisplayName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userRoleCodeDisplayName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define expirationDate property on each receiving message -->
    <vprop:property name="expirationDate" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:expirationDate"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>expirationDate</vprop:query>
    </vprop:propertyAlias>
    <!-- Define signDate property on each receiving message -->
    <vprop:property name="signDate" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:signDate"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>signDate</vprop:query>
    </vprop:propertyAlias>
    <!-- Define contentReference property on each receiving message -->
    <vprop:property name="contentReference" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:contentReference"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>contentReference</vprop:query>
    </vprop:propertyAlias>
    <!-- Define content property on each receiving message -->
    <vprop:property name="content" type="xsd:base64Binary"/>
    <vprop:propertyAlias propertyName="tns:content"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>content</vprop:query>
    </vprop:propertyAlias>
    <wsp:Policy wsu:Id="RespondingGateway_Query_Binding_SoapPolicy">
    <wsp:ExactlyOne>
    <wsp:All>
    <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
    <sc:KeyStore wspp:visibility="private"
    aliasSelector="gov.hhs.fha.nhinc.callback.KeyStoreServerAliasSelector"
    callbackHandler="gov.hhs.fha.nhinc.callback.KeyStoreCallbackHandler"/>
    <sc:TrustStore wspp:visibility="private"
    callbackHandler="gov.hhs.fha.nhinc.callback.TrustStoreCallbackHandler"/>
    <sp:TransportBinding>
    <wsp:Policy>
    <sp:TransportToken>
    <wsp:Policy>
    <sp:HttpsToken>
    <wsp:Policy>
    <sp:RequireClientCertificate/>
    </wsp:Policy>
    </sp:HttpsToken>
    </wsp:Policy>
    </sp:TransportToken>
    <sp:Layout>
    <wsp:Policy>
    <sp:Strict/>
    </wsp:Policy>
    </sp:Layout>
    <sp:IncludeTimestamp/>
    <sp:AlgorithmSuite>
    <wsp:Policy>
    <sp:Basic128/>
    </wsp:Policy>
    </sp:AlgorithmSuite>
    </wsp:Policy>
    </sp:TransportBinding>
    <sp:EndorsingSupportingTokens>
    <wsp:Policy>
    <sp:SamlToken
    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <wsp:Policy>
    <sp:WssSamlV20Token11/>
    </wsp:Policy>
    </sp:SamlToken>
    </wsp:Policy>
    </sp:EndorsingSupportingTokens>
    <sp:Wss11>
    <wsp:Policy>
    <sp:MustSupportRefKeyIdentifier/>
    <sp:MustSupportRefIssuerSerial/>
    <sp:RequireSignatureConfirmation/>
    </wsp:Policy>
    </sp:Wss11>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Input_Policy">
    <wsp:ExactlyOne>
    <wsp:All>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Output_Policy">
    <wsp:ExactlyOne>
    <wsp:All>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    <plnk:partnerLinkType name="AdapterDocQuerySecured">
    <!-- A partner link type is automatically generated when a new port type is added.
    Partner link types are used by BPEL processes. In a BPEL process, a partner
    link represents the interaction between the BPEL process and a partner service.
    Each partner link is associated with a partner link type. A partner link type
    characterizes the conversational relationship between two services. The
    partner link type can have one or two roles.-->
    <plnk:role name="AdapterDocQuerySecuredPortTypeRole"
    portType="tns:AdapterDocQuerySecuredPortType"/>
    </plnk:partnerLinkType>
    </definitions>
    Edited by: dvazquez1027 on Feb 25, 2010 5:10 PM
    Edited by: dvazquez1027 on Feb 25, 2010 5:22 PM

    Hi
    yes, I had the same issue and I found a solution.
You need to request a patch for BUG 9212862 (already corrected in WLS 10.3.3) and do the following:
javax.xml.ws.BindingProvider provider = (javax.xml.ws.BindingProvider) port;
java.util.Map context = provider.getRequestContext();
// switch the WLS stub to its Microsoft-compatible policy behaviour for this port
context.put(weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_PREFERENCE, weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_MSFT);
This will cause the SecurityMessageArchitect class of WLS to not send the SecurityTokenReference in the SOAP security header.
Please note that this is evidently a non-conformity to the specs on Microsoft's part:
    Please give a look at
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf (8.3 Signing Tokens)
    and also at:
    http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
    (3.4 Identifying and Referencing Security Tokens)
    A SAML key identifier reference MUST be used for all (local and remote) references to SAML 1.1
    assertions. [...]
    All conformant implementations MUST be able to process SAML assertion references occurring in a
    <wsse:Security> header or in a header element other than a signature to acquire the corresponding
    assertion. A conformant implementation MUST be able to process any such reference independent of the
    confirmation method of the referenced assertion.
It follows that .NET 3.5 is a non-conformant implementation: I would gladly know what Microsoft's position on that is.
    ciao
    carlo

  • ACE 4710 using SAML Tokens

    reposted from another forum:
Am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenticating against Tivoli directory.
    The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and fails when comparing to the digest in the Xml Signature block.
    Is anybody else using SAML tokens?
    Has anyone else seen a similar problem?

    You are right we are using transport encryption (SSL) to protect the WSS Password.
    We then use LDAP to authenticate the username/password and create a SAML token using attributes from LDAP. The ACE Xml Gateway creates this SAML token, signs it and inserts into the SOAP header that is forwarded to our service.
    At our service we are trying to verify the signed SAML token. The error we are seeing is the Xml signature digest created by the ACE XML Gateway is wrong.
    With XML signature some Xml referenced by an ID is canonicalised, hashed (digest created) and then this digest is encrypted using the private key of some certificate.
    On receipt we repeat the process, canonicalise and hash the Xml referenced and compare our computed digest to the one created by the ACE device. This is where we get the error. We are using the standard canonicalisation and hashing algorithms (c14n and SHA1 respectively). Our code can successfully verify SAML tokens from other sources.

  • Validate SAML token with WSM

I've posted this thread in the [SOA Suite forum|http://forums.oracle.com/forums/thread.jspa?threadID=912083&tstart=0] in the first place, but maybe this forum is a better place for this question.
We're experiencing a lot of inconveniences using the "SAML - Verify WSS 1.0 Token" validation step in WSM. We've configured the SAML verifier to "allow signed assertions only" in order to achieve our security goals. Before a client is allowed access to a protected web service, the client must request an identity provider to get a signed saml assertion and attach this security token to the web service security header. In order to access the protected web services we'd like to use WSM to verify that the saml assertion:
    1. Is issued by a specific identity provider (no problem)
    2. That the conditions in the assertion is valid (no problem)
3. That the assertion is signed by a trusted certificate (problem)
    4. That the signature of the assertion is valid in proportion to the signed context of the assertion (problem)
The inconveniences start when we expect that the "SAML - Verify WSS 1.0 Token" validation step validates the signatures of the assertion, before using it. But it seems, that this isn't the purpose of the verifier. When the saml token verifier is configured with "allow signed assertions only", then the client receives a "SAML token verification failed". This seems reasonable, but if we just add an empty ds:Signature element inside the wsse:Security element, then the client is granted access:
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <ds:Signature Id="Signature-11551252" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="nakbhwl3Qz8mPC00cL1bUg22" Issuer="https://credentials.com/idp" IssueInstant="2009-06-09T11:05:40Z">
    </saml:Assertion>
    </wsse:Security>
I find this behavior very strange. Also, if I do some manual changes in the saml assertion issued and signed by the identity provider, this is allowed too, even though the signature is invalidated. Even if I remove the ds:Signature from the assertion, but keep the empty ds:Signature below the wsse:Security element, the client is granted access.
    In the documentation of the "SAML - Verify WSS 1.0 Token", i found this quotation:
    "Verifies the SAML token according to the Web Services Security SAML Token Profile 1.0 (WSS STP 1.0) standard."
But I don't find this statement true. Our assertions are issued with confirmation method "sender-vouches":
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
I interpret the spec as, a receiver MUST NOT accept assertions containing a "sender-vouches" confirmation method unless the assertions and soap message content being vouched for are protected by an attesting entity who is trusted by the receiver. This is absolutely not the case in our tests. The assertion isn't protected at all. The empty ds:Signature element in the wsse:Security element doesn't protect anything and even when we totally remove the ds:Signature tag in the assertion, we're granted access.
It seems like the purpose of the "SAML - Verify WSS 1.0 Token" step isn't to validate the confidentiality of the saml assertions and only grant access if the saml assertions are correct. It is possible to freely change the tokens and then be granted access. I think we need some more steps in WSM before the saml validation step, but I don't know which.
We'd like to know if anyone knows how to use this "SAML - Verify WSS 1.0 Token" step, to achieve a secure access to protected service. Do we need some pre/post step to achieve a satisfying level of security, do we need to make our own custom step or just use another security product?
Regards
Jacob
    Edited by: wmjaboj on 2009-06-10 01:42
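The four checks Jacob lists, and the digest step the ACE 4710 reply above describes, can be done on the receiving side without relying on the product's verifier. The following is an added example written for this thread (it is not code from WebLogic, OWSM, the ACE XML Gateway or any poster) that uses the JDK's javax.xml.crypto.dsig API to validate the enveloped signature on a SAML 1.1 assertion against a pinned partner key; the class name, the Outcome enum and the pinned-key assumption are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.List;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Hypothetical helper (not part of WebLogic, OWSM or the ACE XML Gateway): checks the
 * enveloped XML Signature on a SAML 1.1 assertion found in a wsse:Security header and
 * reports which stage failed, so a digest problem can be told apart from an untrusted key.
 */
public final class SamlAssertionSignatureCheck {

    private static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    public enum Outcome {
        VALID,                    // signed by the pinned key and the assertion is untouched
        NO_ENVELOPED_SIGNATURE,   // no ds:Signature directly inside saml:Assertion; an empty
                                  // ds:Signature elsewhere in wsse:Security does not count
        REFERENCE_NOT_ASSERTION,  // ds:Reference does not point at this assertion's AssertionID
        SIGNATURE_VALUE_INVALID,  // SignedInfo was not signed by the pinned key
        DIGEST_MISMATCH           // key is right, but the assertion differs from what was signed
    }

    private SamlAssertionSignatureCheck() {}

    /** Namespace-aware parse with DOCTYPEs refused, so a crafted header cannot expand entities. */
    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * @param doc           the SOAP envelope (or just the wsse:Security header) as parsed above
     * @param trustedSigner the partner's pinned public key; any KeyInfo in the message is ignored,
     *                      so an attacker cannot ship a certificate of their own choosing
     */
    public static Outcome check(Document doc, PublicKey trustedSigner) throws Exception {
        NodeList assertions = doc.getElementsByTagNameNS(SAML1_NS, "Assertion");
        if (assertions.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one saml:Assertion");
        }
        Element assertion = (Element) assertions.item(0);
        String assertionId = assertion.getAttribute("AssertionID");

        // The signature must be enveloped: a direct child of the assertion it protects.
        Element sigEl = null;
        NodeList sigs = assertion.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        for (int i = 0; i < sigs.getLength(); i++) {
            if (sigs.item(i).getParentNode() == assertion) {
                sigEl = (Element) sigs.item(i);
                break;
            }
        }
        if (sigEl == null || assertionId.isEmpty()) {
            return Outcome.NO_ENVELOPED_SIGNATURE;
        }

        DOMValidateContext ctx =
            new DOMValidateContext(KeySelector.singletonKeySelector(trustedSigner), sigEl);
        // A non-validating parser does not know AssertionID is an ID attribute; without this
        // the URI="#..." reference cannot be resolved and digest verification fails.
        ctx.setIdAttributeNS(assertion, null, "AssertionID");
        // JDK secure-validation mode: rejects XSLT/XPath transforms and similar risky constructs.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // Throws MarshalException for an empty or malformed ds:Signature element.
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);

        // The single Reference must cover this assertion, not some other element in the message.
        List<?> refs = signature.getSignedInfo().getReferences();
        if (refs.size() != 1 || !("#" + assertionId).equals(((Reference) refs.get(0)).getURI())) {
            return Outcome.REFERENCE_NOT_ASSERTION;
        }

        if (signature.validate(ctx)) {
            return Outcome.VALID;
        }
        // Core validation failed: distinguish a wrong key from modified content.
        // Valid SignatureValue plus failed Reference is the digest mismatch seen in the ACE case.
        if (!signature.getSignatureValue().validate(ctx)) {
            return Outcome.SIGNATURE_VALUE_INVALID;
        }
        return Outcome.DIGEST_MISMATCH;
    }
}
```

Only VALID should admit a sender-vouches assertion; conditions (NotBefore/NotOnOrAfter) and the issuer are still to be checked by the caller after this returns.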

    hi jacob
looks like you have successfully configured the client side; I am struggling in that itself. I am calling a secure web-service and I want to use saml token profile 1.1. I am using wls 10.3 and I am getting an error "Unable to add signature".
    Can you help me with the configuration at the client side ?
    Thanks
    Regards
    Sanyam

  • OWSM: Setting up SAML token verification with Novell Access manager

    Hello,
We are trying to set up communication between an OWSM gateway and a Novell Access Manager to do the following:
    All requests to our services should be secured using Web Services Security SAML Token Profile 1.0. OWSM will validate this token using the SAML – Verify WSS 1.0 Token step. The assertion will be issued by a Novell Access Manager. Are we right that OWSM needs to communicate with the Novell Access Manager for this? In that case Novell requires us to deliver metadata to establish a trust relation between the Identity Provider (Novell) and the Service Provider (OWSM). This metadata should look something like this:
    odysseus:/var/opt/novell/tomcat4/webapps/nidp # cat application.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE application PUBLIC '-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN' 'http://java.sun.com/j2ee/dtds/application_1_2.dtd'>
    <application>
    <display-name>NIDPJ2EEApp</display-name>
    <description>Novell Identity Provider</description>
    <module>
    <web>
    <web-uri>nidp.war</web-uri>
    <context-root>nidp</context-root>
    </web>
    </module>
    </application>
    However I cannot find anything on this in the OWSM documentation.

    To answer my own question. We found 4 application.xml files which seem to contain the metadata in the folders ccore, coreman, gateway and policymanager of $AS_HOME/owsm/config/.

  • HT204387 Does a classic bluetooth (v2.1) based accessory using Serial Port Profile (SPP) require MFi chip to communicate with iPhone or iPad ?

    Dear All
Can a classic bluetooth (v2.1) based accessory using Serial Port Profile (SPP) communicate with all iPhones or iPads?
Is an MFi chip required by a classic bluetooth (v2.1) accessory to communicate with an iPhone or iPad over Serial Port Profile?
    Thanks
    Manju

    Due to a copy/paste glitch, some necessary spaces have inadvertently been removed.  If I could fix this, I would.

  • SAML token not understood (weblogic 10.3)

    I'm trying to call my webservice with a SAML sender-vouches, and keep getting an error message. This used to work when running in Weblogic 9.2.3 (but we are in the process of upgrading to Weblogic 10.3).
    (This is running from alsb 2.6)
    My request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
     <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
     </soap:Header>
     <soapenv:Body>
          <saml:TestRequest xmlns:saml="http://saml.webservice.namespace.model">
               <saml:Call>string</saml:Call>
          </saml:TestRequest>
     </soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
     <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
          <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <saml:Assertion AssertionID="d08c0548d758b52dbebfdb327e60a201" IssueInstant="2009-11-24T15:16:20.192Z" Issuer="http://www.sparebank1.no" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
                    <saml:Conditions NotBefore="2009-11-24T15:16:10.192Z" NotOnOrAfter="2009-11-24T15:18:10.192Z">
                         <saml:DoNotCacheCondition/>
                    </saml:Conditions>
                    <saml:AuthenticationStatement AuthenticationInstant="2009-11-24T15:16:20.192Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
                         <saml:Subject>
                              <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="sparebank1.no">supermann</saml:NameIdentifier>
                              <saml:SubjectConfirmation>
                                   <saml:ConfirmationMethod>
                                   urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
                                   </saml:ConfirmationMethod>
                              </saml:SubjectConfirmation>
                         </saml:Subject>
                    </saml:AuthenticationStatement>
                    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                         <dsig:SignedInfo>
                              <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                              <dsig:Reference URI="#d08c0548d758b52dbebfdb327e60a201">
                                   <dsig:Transforms>
                                        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                             <exc14n:InclusiveNamespaces PrefixList="" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                        </dsig:Transform>
                                   </dsig:Transforms>
                                   <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                   <dsig:DigestValue>KWkdUKb1gfftG4XchDnrmZmKbEc=</dsig:DigestValue>
                              </dsig:Reference>
                         </dsig:SignedInfo>
                         <dsig:SignatureValue>
                         uRvZvXqmLlxj/wXSaG7zwLATsRCwPND++4zUHQZB2o6KPeDNR89f02t/CnLDsrbjGr9Y4JgXmGSkmMK+eP0JdY/q9CiOekhpJJ9RhZupE1ldoIPzLqc8nLUC3lHJUrKCchnuKmxg76V7I3TWFCvqYMz2pFiNdm6n8Fq2xgxtjRc=
                         </dsig:SignatureValue>
                    </dsig:Signature>
               </saml:Assertion>
          </wsse:Security>
     </soap:Header>
     <soapenv:Body>
          <saml:TestRequest xmlns:saml="http://saml.webservice.namespace.model">
               <saml:Call>string</saml:Call>
          </saml:TestRequest>
     </soapenv:Body>
</soapenv:Envelope>
    Response:
    The invocation resulted in an error: Internal Server Error.
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
     <S:Body>
          <SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
               <faultstring>
               MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood
               </faultstring>
               <faultcode>SOAP-ENV:MustUnderstand</faultcode>
          </SOAP-ENV:Fault>
     </S:Body>
</S:Envelope>
    My policy file:
    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    wsu:Id="amartaSaml">
    <wssp:Identity>
    <wssp:SupportedTokens>
    <wssp:SecurityToken
    TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
    <wssp:Claims>
    <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
    </wssp:Claims>
    </wssp:SecurityToken>
    </wssp:SupportedTokens>
    </wssp:Identity>
    </wsp:Policy>
    java file:
// WebLogic JWS annotations; TestRequest, TestResponse and SamlServiceImplPort are the types generated from saml.wsdl
import javax.jws.WebService;
import weblogic.jws.Policy;
import weblogic.jws.security.RolesAllowed;
import weblogic.jws.security.SecurityRole;

@WebService( serviceName="SamlService", portName="SamlPort", endpointInterface="namespace.webservice.saml.SamlServiceImplPort", targetNamespace="http://saml.webservice.namespace", wsdlLocation="/wsdl/saml.wsdl" )
public class SamlServiceImpl implements SamlServiceImplPort {

    @RolesAllowed( {
        @SecurityRole(role = "sb1.life.customer.employer"),
        @SecurityRole(role = "sb1.life.customer.individual"),
        @SecurityRole(role = "sb1.life.customer.authorizedparty"),
        @SecurityRole(role = "sb1.life.distributor.change"),
        @SecurityRole(role = "sb1.life.distributor.read"),
        @SecurityRole(role = "sb1.life.distributor.expert") })
    // inbound-only policy: the SAML token is required on requests, not attached to responses
    @Policy(uri = "policy:sb1life-ws-policy.xml", direction = Policy.Direction.inbound)
    public TestResponse getCall( TestRequest parameter ) {
        TestResponse response = new TestResponse();
        response.setResponse( "Hello " + parameter.getCall() );
        return response;
    }
}
    One thing that got changed was that in WLS 9.2.3 we deployed the services as EAR, while now we are just deploying them as WAR. Don't know if that makes a difference. Also, the domain template for creating the weblogic domain is different.
    I looked in Google, and there seems to be a "common" problem with SAML, but I couldn't find a Weblogic specific solution.
    Thank you,
    John

    This is not currently supported in 10.3 because JAX-WS only supports SAML2.0 on WLS 10.3 whilst OSB 10.3 can only generate SAML 1.1 tokens.
    from support :
    "JAX-WS as implemented in WLS 10.3 does not support deprecated SAML policy (but SAML 2.0).
    On the other hand OSB 10.3 is not supporting new SAML policy (you cannot import SAML 2.0 policy)."
    Two solutions/workarounds:
    1. Create a JAX-RPC WebService using the SAML-policy you have in place
    2. Use OSB on the response-domain, create a proxy with policy and wsdl...
    Adjust the endpoints in asserter and mapper

  • Oracle BPM and SAML Token

    Hi all,
    is there any way to use SAML token with OBPM?
    I need to invoke webservice from OSB and it needs authentication.
    So, i want to provide SAML Token to authenticate.
    I just want to know how to configure SAML token in OBPM. is it supported?
    With Regards,
    Wai Phyo
    Edited by: waiphyo on May 25, 2010 5:36 PM

    In the data control palette under the collection that represents the child you should see a node of operations - in there you should see next/previous - drag those onto the page to get the scrolling through the records going on.

  • Oracle Service Registry - UserName Token profile

    Hi,
    My web services use UserName Token profile for authentication. It also supports encryption. Is there a way to publish these information along with the wsdl?
    Steve

    Thank you for your helpful reply!
    Although the installation appears to fail, the db schema is actually created.
    Thus, when I run installation the next time, having selected an existing db schema, all appears to go well.
    NA
    http://nickaiva.blogspot.com
    Edited by: Nick Aiva on Dec 29, 2010 10:20 AM

  • SAML tokens in OSB

    Can I secure a "http" transport type and "Text" messaging proxy service using SAML tokens?
    I am reading SAML is applicable only for wsdl webservices. Is this true?
    Please guide me on using SAML for http/text proxy services if that is possible.
    Thanks.

    any help..

  • ACE 4710 SAML Tokens

    I am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenticating against Tivoli directory.
    The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and compares to the digest in the Xml Signature block.
    Is anybody else using SAML tokens?
    Has anyone else seen a similar problem?

    By adding SAML assertions to outgoing requests, the ACE XML Gateway can act as an asserting party for systems that rely on SAML credentials. The SAML assertions generated by the ACE XML Gateway can be in the form of a SAML 1.0, SAML 1.1, or SAML 2.0 credential.
    The following url may help you;
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_xml_gateway/v52/user/guide/axg_ug_backendauth.html#wp1049962
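    As an added example (not code from this thread or from the Cisco documentation linked above), the check the receiving web service performs on the SAML token: sign a constructed SAML 1.1 assertion with an enveloped XML Signature, verify it, then verify a copy whose subject was altered after signing, reporting whether the Reference digest or the SignatureValue is what failed. The assertion content, the Issuer value ace-gateway.example, the class name and the throwaway RSA key are assumptions made for the demo; only the JDK's javax.xml.crypto.dsig API is used.

```java
import java.io.*;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;

public class SamlAssertionDigestCheck {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    // Constructed minimal SAML 1.1 assertion; not one captured from ACE or WebLogic.
    static final String ASSERTION_XML =
        "<saml:Assertion xmlns:saml=\"" + SAML_NS + "\" AssertionID=\"_demo1\" MajorVersion=\"1\""
        + " MinorVersion=\"1\" Issuer=\"ace-gateway.example\">"
        + "<saml:AuthenticationStatement AuthenticationMethod=\"urn:oasis:names:tc:SAML:1.0:am:password\">"
        + "<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>"
        + "</saml:AuthenticationStatement></saml:Assertion>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        // AssertionID is not a schema-typed ID attribute, so register it for "#_demo1" lookups.
        doc.getDocumentElement().setIdAttribute("AssertionID", true);
        return doc;
    }

    static String serialize(Document doc) throws Exception {
        StringWriter w = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(w));
        return w.toString();
    }

    // Asserting party: enveloped signature whose single Reference digest covers the whole assertion.
    static String signAssertion(KeyPair kp) throws Exception {
        Document doc = parse(ASSERTION_XML);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#_demo1", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(kp.getPublic())));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        return serialize(doc);
    }

    // Relying party: recompute the Reference digest and check SignatureValue, reporting which step failed.
    static String verify(String xml, PublicKey pub) throws Exception {
        Document doc = parse(xml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return "invalid: expected exactly one Signature";
        DOMValidateContext ctx = new DOMValidateContext(pub, sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) return "valid";
        StringBuilder why = new StringBuilder("invalid:");
        if (!sig.getSignatureValue().validate(ctx)) why.append(" SignatureValue");
        for (Object r : sig.getSignedInfo().getReferences()) {
            Reference ref = (Reference) r;
            if (!ref.validate(ctx)) why.append(" digest(").append(ref.getURI()).append(")");
        }
        return why.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway demo key, not a gateway's signing key
        String signed = signAssertion(kp);
        System.out.println("untouched assertion: " + verify(signed, kp.getPublic()));
        // Anything that alters the token after signing changes the digest but not SignatureValue.
        String tampered = signed.replace(">alice<", ">bob<");
        System.out.println("modified assertion:  " + verify(tampered, kp.getPublic()));
    }
}
```

    A digest failure with a good SignatureValue, as the second run shows, means the assertion bytes the receiver canonicalises differ from what the signer canonicalised, which is what to look for when a gateway re-serialises or wraps the token after signing it.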

  • Problems with JAX-WS when using security (e.g. username token profile)

    Hello,
    I am deploying a web service on weblogic 11g (10.3.1) with this policy:
    @Policy(uri = "policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",attachToWsdl=true)
    I have another web application as client which is using a JAX-WS SOAP handler to communicate with web service
    and everything works fine when my client is deployed on tomcat 6 (JRE 6) (authentication goes through)
    The handleMessage() method of my handler is posted here :
     public boolean handleMessage(SOAPMessageContext context) {
          m_logger.debug("UserNameTokenHandler handleMessage() called");
          Boolean outboundProperty = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
          SOAPMessage message = context.getMessage();
          if (outboundProperty.booleanValue()) {
               m_logger.debug("\n (client protocol handler) Outbound message:");
               try {
                    SOAPEnvelope envelope = message.getSOAPPart().getEnvelope();
                    SOAPHeader header = envelope.getHeader();
                    if (header == null) {
                         header = envelope.addHeader();
                    }
                    // wsse:Security header carrying a plain-text UsernameToken
                    SOAPElement security = header.addChildElement("Security", "wsse", WSSE_NAMESPACE);
                    SOAPElement usernameToken = security.addChildElement("UsernameToken", "wsse");
                    usernameToken.addAttribute(new QName("xmlns:wsu"), WSU_NAMESPACE);
                    SOAPElement username = usernameToken.addChildElement("Username", "wsse");
                    username.addTextNode(user);
                    SOAPElement password = usernameToken.addChildElement("Password", "wsse");
                    password.addTextNode(pass);
               } catch (Exception e) {
                    m_logger.error("Failed to add username token profile security", e);
               }
          } else {
               m_logger.debug("\n (client protocol handler) Inbound message:");
          }
          return true;
     }
    but when I deploy the same client on weblogic server it fails to communicate with my web service with this error:
    javax.xml.ws.soap.SOAPFaultException: Unable to add security token for identity, token uri =http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
    I noticed Weblogic has some packages to handle security like:
    weblogic.wsee.security.unt.ClientUNTCredentialProvider
    weblogic.xml.crypto.wss.provider.CredentialProvider
    weblogic.xml.crypto.wss.WSSecurityContext
    So I added another mechanism using weblogic package to add username password to SOAP header
     Map<String, Object> request = ((BindingProvider) proxy).getRequestContext();
     if (connectInfo.get("username") != null && connectInfo.get("password") != null) {
          List<CredentialProvider> credProviders = new ArrayList<CredentialProvider>();
          // client side UsernameToken credential provider (WebLogic-specific API)
          CredentialProvider cp = new ClientUNTCredentialProvider((String) connectInfo.get("username"),
                    (String) connectInfo.get("password"));
          credProviders.add(cp);
          request.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
     }
    This seems to be ok but only for weblogic.
    I don't want to have one client for deploying on weblogic and another one for JAX-WS
    I suppose weblogic follows the standard and should support the original approach.
    Is this an incompatibility issue or am I missing something?

    In one of my WLP Pageflows, I invoke a SOA BPEL WebService that needs a Security Header like the one you have. I have my own Handler class and I call the private method below from handleMessage(...), and so far it is working fine; the Security Header is being added fine.
    One difference I can see between your method and mine is that when we create the SOAPElement for the "Security" tag, at creation time I also pass the third argument, the namespace. I remember vaguely that when I used code like yours, which first instantiates with only 2 args and then sets the namespace, it did not work. So I used the API that takes the namespace as the third argument.
    So try something like the below. This is a working code snippet deployed on WLP 10.3 (WLP is on top of WLS 10.3).
    Thanks
    Ravi Jegga
     private void setSOAPSecurityHeader(SOAPEnvelope soapEnvelope) throws Exception {
          try {
               //soapEnvelope.addNamespaceDeclaration("soap", "http://schemas.xmlsoap.org/soap/envelope/");
               soapEnvelope.addNamespaceDeclaration("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
               SOAPHeader header = soapEnvelope.addHeader();
               String namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
               // Security element is created with prefix AND namespace URI (the three-argument createName)
               SOAPElement securityElement = header.addHeaderElement(soapEnvelope.createName("Security", "wsse", namespace));
               securityElement.addNamespaceDeclaration("", namespace);
               //securityElement.addNamespaceDeclaration("env", "http://schemas.xmlsoap.org/soap/envelope/");
               SOAPElement usernameTokenElement = securityElement.addChildElement(soapEnvelope.createName("UsernameToken", "wsse", namespace));
               usernameTokenElement.addNamespaceDeclaration("", namespace);
               SOAPElement usernameElement = usernameTokenElement.addChildElement(soapEnvelope.createName("Username"));
               SOAPElement passwordElement = usernameTokenElement.addChildElement(soapEnvelope.createName("Password"));
               // For Testing Purposes only hardcoded this username and password values. Later on this may be set dynamically
               usernameElement.setValue("xxxxxxx");
               passwordElement.setValue("yyyyyyy");
               //SOAPBody soapBody = soapEnvelope.getBody();
               //SOAPHeader soapHeader = soapEnvelope.getHeader();
          } catch (Exception e) {
               // Handle this error in the main method that is calling this private method. So just rethrow the Exception as it is...
               throw e;
          }
     }
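    As an added example (not code from either post above), a standalone SAAJ program that builds the header Ravi's reply describes, creating every element and attribute with its namespace URI rather than a bare prefix, and then checks the result the way a receiver would: by looking up wsse:Security and wsse:UsernameToken by namespace, not by prefix. The class name, the constructed empty SOAP 1.1 message and the sample credentials are assumptions; the namespace URIs and the PasswordText type are the WS-Security 2004 / UsernameToken Profile 1.0 values quoted in the posts.

```java
import java.io.ByteArrayOutputStream;
import java.util.Iterator;
import javax.xml.namespace.QName;
import javax.xml.soap.*;

public class UsernameTokenHeaderExample {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Client side: add a plain-text UsernameToken, every node created with its namespace URI.
    static void addUsernameToken(SOAPMessage message, String user, String pass) throws SOAPException {
        SOAPEnvelope envelope = message.getSOAPPart().getEnvelope();
        SOAPHeader header = envelope.getHeader();
        if (header == null) {
            header = envelope.addHeader();
        }
        SOAPHeaderElement security =
            header.addHeaderElement(envelope.createName("Security", "wsse", WSSE_NS));
        security.addNamespaceDeclaration("wsu", WSU_NS);
        security.setMustUnderstand(true);
        SOAPElement token = security.addChildElement(envelope.createName("UsernameToken", "wsse", WSSE_NS));
        token.addAttribute(envelope.createName("Id", "wsu", WSU_NS), "UsernameToken-1");
        token.addChildElement(envelope.createName("Username", "wsse", WSSE_NS)).addTextNode(user);
        SOAPElement password = token.addChildElement(envelope.createName("Password", "wsse", WSSE_NS));
        // Type must say PasswordText to match a *-UsernameToken-Plain policy.
        password.addAttribute(envelope.createName("Type"), PASSWORD_TEXT);
        password.addTextNode(pass);
        message.saveChanges();
    }

    // Receiver side: is there a UsernameToken in the WSSE namespace under a wsse:Security header?
    static boolean hasNamespacedUsernameToken(SOAPMessage message) throws SOAPException {
        SOAPHeader header = message.getSOAPHeader();
        if (header == null) {
            return false;
        }
        Iterator<?> it = header.getChildElements(new QName(WSSE_NS, "Security"));
        while (it.hasNext()) {
            SOAPElement security = (SOAPElement) it.next();
            if (security.getChildElements(new QName(WSSE_NS, "UsernameToken")).hasNext()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed empty SOAP 1.1 message standing in for the outbound request.
        SOAPMessage msg = MessageFactory.newInstance().createMessage();
        msg.getSOAPBody().addBodyElement(new QName("urn:example", "sayHello", "ex"));
        addUsernameToken(msg, "alice", "demo-password");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        msg.writeTo(out);
        System.out.println(out.toString("UTF-8"));
        System.out.println("UsernameToken found in WSSE namespace: " + hasNamespacedUsernameToken(msg));
    }
}
```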

  • Using WSSEC User token with WLS 702

    Hi,
    I am trying to use the WSSEC user token auth with WLS 7.0.2. I am not sure if I understand this correctly or not but I think WSSEC is not supported in my version. If so, which version do I need to upgrade to?
    Also, as I understand it, there are three types of auth: Basic, Form and Client Cert. Which type(s) do I use to make sure my WSSEC user token is parsed correctly?
    I have my HTTP Auth working correctly with Basic Auth and I neither have a Cert nor am I using a form to send my username and password (they are sent encoded in the SOAP headers).
    Any help to get me moving would be greatly appreciated.
    Thanks,
    Sridhar.

    Jong,
    Thanks for your reply. I downloaded and installed WLS 813. I still am unable to do a WSSEC authentication. I think my problem is that I am more of a "do as you see" guy. So, if you have an example (with properly configured deployment descriptor files), it would help me better.
    I did look at your http://webservice.bea.com:7001/ scenarios. The only one which said anything about WSSEC was Scenario 3 and the invocation failed! So, I was unable to see the request to send over.
    Currently, I am using Vordel SOAPBox to generate the request (with WSSEC username token added in).
    All I want to do is authenticate my user based on my defined realm role using WSSEC username token and password (which happens to be the one which weblogic server starts with).
    Any help with this would be much appreciated.
    Thanks,
    Sridhar.

  • Failing to Validate SAML Token : while setting WSRP security using SAML

    Hi All,
    I am trying to configure SAML on a WLP 10.2 consumer domain along with a WLS 10.2 producer domain (extended domain to use as WSRP producer) on a single machine. I followed the steps as per the BEA edocs - http://edocs.bea.com/wlp/docs92/federation/Chap-Security-SAML.html , which talk about how easy it is to configure SAML with WSRP. But I am stuck at this point where the TransportException says the SAML token is not valid; stack trace below:
    Error invoking portlet "Cportlet"
    The source of this error is:
    com.bea.wsrp.faults.TransportException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@1e5d6b9[status: false][msg The SAML token is not valid.]
    Have tried a lot of different things but no luck proceeding further. Configured the whole producer domain as per the link mentioned above, reconfigured the consumer again. Also tested by creating a new keystore, but none of this helps me proceed further.
    Any help is greatly appreciated.
    Thanks in Advance.
    Maurya

    I am also facing the same kind of issue. see the error message below. Please help me to kill this error.
    com.bea.wsrp.faults.TransportException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@1423066[status: false][msg The SAML token is not valid.]
