AquaLogic Interaction support of SAML v2.0

Hi,
We are trying to perform perimeter SSO to the portal (AquaLogic Interaction) using SAML v2.0.
Does anyone know whether this is supported? Can this be done by running ALI on top of WLS 10.3?
Thanks in Advance.
Regards,
eRic

Hi Michael,
I followed same document....Installed webserver...downloaded AM WAR........Deployed WAR....Then accessed amserver..It took me to configurator.jsp...where it asks for params and also we have to provide path to write AMconfig.properties....I installed webserver in C:/....and then deployed WAR...and provided D:/ ....in configurator.jsp...to write AMConfig.properties...Now in AM_CONFIGURATIIN_DIR I am providing same path that I provided in configurator.jsp(D:/) ....and It is saying no AM found........Can you provide me link of SAML setup that you used....because in my saml2setup.bat..I can see that it is looking for registry entries and reading AM_ROOT from the registry, later on the java file reads the sam2silent file....I even tried to manipulate SAML2setup.bat and commented out registry checking and provided static value for AM_ROOT...In this case the installation moved forward..read the saml2silent file but showed me license page..but again got stuck while configuring it....
Thanks
Deepak

Similar Messages

  • Aqualogic Interaction support for Z/Os

    Hi,
    I am new to this portal community and I'm doing some research on Aqualogic Interaction. Can anyone tell me if it supports Z/Os? I could not find any information on this. It does run on WAS, which supports Z/Os, so can there be any integration? Any ideas or support is appreciated.
    Thanks in advance,
    Deepblues

    Hi,
    Normally listener version is same as DB, but that have several exceptions.
    Logon to DB server, with OS user who is owner of DB.
    I expect that all required environment variables are already set, execute below statement.
    lsnrctl status
    if this throws error
    lsnrctl status <listener_name>
    this will give you status of listener, on the first line of output of the command, you will get version of Listener.
    FYI...any DB can have listener with same or higher version than DB and you need to install full Oracle binary to get the listener of that version.
    Rahul

  • Aqualogic Interaction & IIS - FATAL: ResourceManager i18n Strings Load

    Hi, I'm having access issues in initial startup of AquaLogic Interaction on IIS. The error seems to indicate that the IIS user does not have access to the folder which contains the i18n resources. I've verified that this user does have this access and still get this error. Any ideas what else could be the problem? Thanks!
    Diagnostic system initialization OK.
    Portal Startup begins: 15 total tasks.
    Recommendations follow:
    ResourceManager i18n Strings Loading Error (.NET)
    RECOMMENDATION: This indicates an installation error, folder access
    rights issue, corrupt i18n XML files, or incorrect customer
    implementation of additional language support. Since this is
    .NET you should first check that the IIS anonymous user has full
    access to the i18n settings folder. To isolate other causes of
    this issue, try enabling debug mode in portalconfig.xml (set the
    DebuggingMode setting to 1) and restarting your portal. This
    enables the i18n diagnostic unit tests, which should then output
    more detailed errors to ptspy.
    More Detail:
    Problem loading resource file
    "C:\bea\alui\ptportal\6.5\i18n\\de\ptmsgs_portaladminmsgs.xml":
    Access to the path
    'C:\bea\alui\ptportal\6.5\i18n\de\ptmsgs_portaladminmsgs.xml'
    is denied.

    "I installed ALUI 6.5 .Net version. on Windows XP".
    Don't Think ALUI 6.5 is supported on XP. Try installing on a supported platform.
    http://edocs.bea.com/en/alui/ali/docs65/AquaLogicInteraction_win_InstallationGuide_6-5/ref_win_softwarerequirements.html
    Component :
    AquaLogic Interaction Host Machine
    Requirement :
    Microsoft Windows Server -2003 SP1 or R2, SP2, on x86 , 32–bit only.
    Cheers!!!

  • Basic Aqualogic Interaction SSO mechanism

    I have a basic question on how the Aqualogic Interaction SSO works. I see an Authentication Source SSO, but I don't understand which repository it connects to, or how it generates the Login Token. Can I use the features of the authentication service outside the portal by calling some API?

    JetTang,
    1. The administrator cannot access the process. It is strange, but the administrator cannot have access to your process project. you need to assign another user to access the project without admin right in the portal and in OBMP.
    2. try to restart your OBMP service and Identity services, and the engine.
    3. If you disable the sso, you can't just access workspace stand alone and see your process, it is not as simple to switch.
    What version of ALUI and OBMP are you using?
    -Lilach

  • Where i will find the documentation on aqualogic interaction

    Hi ,
    I have to install Aqualogic Interaction, Publish server, Collaboration server, Analytic server, Studio server, SQL server 2005 and Weblogic Application server. The portal will be accessed by 50000 users concurrently, so what should my system configuration be?
    So please tell me any documentation regarding on this.
    With Regards
    Siva

    When you download the install files from portal.plumtree.com they will include all of the documentation within the zip file.

  • Show button on file open if interactivity supported

    Is there any way to show a button upon file open if and only if the PDF reader opening the file supports interactivity? That is, there's no point showing the button if the end user can't do anything with it.
    It would be fine if the button showed if and only if the PDF reader opening the file is an Adobe product, but it's not a requirement.
    Steps:
    1. Open file
    Expected result: If interactivity is supported (or if the reader is an Adobe product, doesn't matter), show the button.
    The button is not part of a form, but rather is used to show and hide layers. It is okay if the expected result requires JavaScript, as if they have JavaScript disabled, they would get the same result as if they had no interactivity.

    You could define an invisible button and have JavaScript to make it visible on open. Not guaranteed (because who knows what all PDF viewers will do) but worth trying.

  • Oracle Weblogic 9.2.3 server support for SAML 1.1 'wildcard attributes'

    To support Web SSO using SAML on Oracle Weblogic 9.2.3 server - I need to parse SAML 1.1 'wildcard attributes' in the SAML 1.1 Asserter schema; https://www.oasis-open.org/committees/download.php/3408/oasis-sstc-saml-schema-assertion-1.1.xsd. The Oracle Weblogic 9.2.3 server provides an interface; weblogic.security.providers.saml.SAMLIdentityAssertionNameMapper - for parsing the information in the SAML token provided by an external partner, but this interface only deals with nameid and groups and not attributes in the AttributeStatement of the SAML token. In weblogic 10 a new interface; com.bea.security.saml2.providers.SAML2IdentityAsserterAttributeMapper - is provided, which solves this problem.
    My question is, how can I get access to the attributes in the AttributeStatement in the SAML 1.1 token on an Oracle Weblogic 9.2.3 server ?
    Or
    Is the weblogic.security.providers.saml.SAMLIdentityAssertionAttributeMapper available in weblogic 9.2.3 ?


  • Hyperion Interactive Support Required

    hi,
    my actual scenario is... In my cube am having four dimensions & one measure.
    1st dim having totally ten generations
    2nd dimension(having members present in dimension 1)i.e(duplicate members)
    four generations
    3rd dimension
    three "
    4th dimension
    three generations
    measure having two members.......
    i created above cube in Hyperion Essbase 9.3......
    when I try to view that cube in Interactive reporting I encountered an error: "Essbase error code 1060200". Can anybody help to resolve this problem.......... and just let me know how to view duplicate members in the report?

    11.1.2 is the latest.
    You may find the install docs at-
    http://download.oracle.com/docs/cd/E17236_01/epm.1112/epm_install_start_here.pdf
    http://download.oracle.com/docs/cd/E17236_01/epm.1112/epm_install.pdf
    http://download.oracle.com/docs/cd/E17236_01/epm.1112/epm_install_troubleshooting.pdf
    HTH-
    Jasmine.

  • BEA AquaLogic Interaction Collaboration Integration

    Hello,
    I'm trying to find a solution for integration of "BEA AquaLogic Interaction Collaboration" with "AquaLogic BPM Studio 5.7" without developing a custom JPD component.
    Basically I'd like to assign tasks on the community portal as part of the workflow.
    Can anyone recommend a product or document that would solve this problem?
    Thank you!

    ALUI does currently support Linux (both Red Hat & SuSE) with the 6.0 SP1 version. The latest version (i.e. 6.1) will support Linux when the first Service Pack for 6.1 is released - tentatively scheduled for the first half of next year. ALUI 6.1 currently supports Windows, Solaris & AIX.
    ALUI 6.1 is aligned with how BEA licenses other products where the product is essentially available to download and install for an evaluation period for free. Previous versions of ALUI (including 6.0 SP1) are only available for download for paying customers or partners. Correspondingly, only paying customers or partners can log into the ALUI support site.
    The UI Customization Installer for 6.1 (for Windows) is currently available for download and eval from http://commerce.bea.com/showproduct.jsp?family=ALI&major=6.1&minor=0
    john

  • PI 7.4 Single Stack support for Principle Propagation SAML

    Hi Folks,
    Que: Does the single stack now support Principle Propagation using SAML?
    The posts I have read so far conclude that SAML is only supported on the dual stack, not the single stack.
    SAP Help gives steps for dual stack: Configuring Principal Propagation (SAML) - SAP Help Portal
    This post from 2013 concludes no support for SAML in the single stack: PI 7.31 AEX - Principal Propagation
    My time would better spent looking for an alternative solution for Principal Propagation rather than chasing something which is not supported (SAML on single stack).
    Any help appreciated.
    Che

    Hi Che,
    Please have a look at below blog
    Principal Propagation using SAP Assertion Ticket CRM -> PO7.31 Single Stack
    regards,
    Harish

  • Installing Webcenter Interaction 10g in Solaris SPARC 32 ????

    Hi everyone:
    I'm trying to install Webcenter Interaction 10g on Solaris SPARC 32 bits, but looking for the installation package in OTN http://edelivery.oracle.com/EPD/Search/get_form?results=1 it seems it is not supported for this platform ... am I right??
    There is only a version for Aqualogic Interaction, but I think that will not work for my development.
    I tried to install a Linux version and everything seemed to go fine, but when I try to run the config manager the shell program detects the platform with the command uname -s, then the process "thinks" that it is on SunOS with 64 bits of course, and it can't go on.
    I appreciate any help from you.
    And lots of thanks in advance.
    Edited by: user11959610 on 19/02/2010 02:11 PM

    On Sun Sparc processor, WCI requires 64-bit OS (32-bit is not supported for Sparc):
    http://www.oracle.com/technology/products/webcenter/files/webcenter_interaction_10gr3_certification_matrix.xls

  • Oracle WebCenter Interaction 10.3.0 Installation and start up error

    Hi,
    I am trying to install the Java version of Oracle WCI 10.3.0 on Windows 7. I know Windows 7 is not officially supported. I was able to successfully install on Windows XP using the installation wizard.
    However, for Windows 7 - I can't use the installation wizard because the wizard does not ask me to choose between Java and .NET installations, and by default it selects .NET. So, I had to use silent installation and was able to successfully install.
    I am getting the below error (logs from portalserver.log) when I try to start the WebLogic server or run the portal diagnostic tool.
    'weblogic.kernel.Default (self-tuning)'     com.plumtree.uiinfrastructure.diagnostic.reporter.Reporter     FAILED TO INITIALIZE SYSTEM. YOU CANNOT PROGRESS BEYOND THIS POINT. <ptLogMsgEnd>
    9-25-2011     20:12:04.664     Error     UI_Infrastructure     portal.CNU008092S-W7.kota.s     [ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'     com.plumtree.uiinfrastructure.application.startup.CheckDevKit     Aqualogic Interaction's UI Infrastructure does NOT support this version: The detected Java JDK version is: 1.6.0_22 <ptLogMsgEnd>
    Has anyone seen this type of error and know how to resolve it?
    Thanks.

    I have been dealing with this for the past 2 weeks as well. It turns out that the diagnostics, and Weblogic (in my case) think that the portal is trying to run on an unsupported RedHat OS version. I was able to get around this by altering the following 2 files...
    I added the parameter: -Dos.name="windows 2003" This tells the OS check that it's running on Windows 2003. I found this little tip in the following link: http://www.function1.com/2009/12/running-wci-10gr3-on-windows-2008/ It talks about Windows 2008, but seems to work for Windows 7 as well.
    D:\oracle\Middleware\user_projects\domains\wc_domain\bin\startWebLogic.cmd
    if "%WLS_REDIRECT_LOG%"=="" (
         echo Starting WLS with line:
         echo %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %JAVA_OPTIONS% %PROXY_SETTINGS% %SERVER_CLASS%
         %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% -Dos.name="windows 2003" -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %JAVA_OPTIONS% %PROXY_SETTINGS% %SERVER_CLASS%
    ) else (
         echo Redirecting output from WLS window to %WLS_REDIRECT_LOG%
         %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% -Dos.name="windows 2003" -Dweblogic.Name=%SERVER_NAME% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %JAVA_OPTIONS% %PROXY_SETTINGS% %SERVER_CLASS% >"%WLS_REDIRECT_LOG%" 2>&1
    - And -
    D:\oracle\wci\ptportal\10.3.0\bin\diagnostic.bat
    rem Start the command-line version tool
    "%PT_HOME%\%JRE_PATH%\bin\java.exe" -Dos.name="windows 2003" -Xms16m -Xmx512m -cp "%LIB_DIR%\diagrun.jar" com.plumtree.diagtool.diagnostic_net %*
    goto end
    Also, note that you probably had to install the components in silent mode. This did not install all the services correctly. I was able to get around this by going back into the installation, and choosing the individual components to install. The link above also mentions the config manager, and how to get this working as well.
    Hope this helps!!

  • Issues to Configure SAML, I tried a lot but it's not working. Below given instruction how to configure SAML

    SAML Overview
    Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and
    authorization data between security domains, that is, between an identity provider (a producer of assertions)
    and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services
    Technical Committee.
    SAML is relevant to those customers who already have a SAML implementation in use with other systems in
    their organization. Therefore, it is recommended you engage your technology team that has a working 
    knowledge of SAML and provide this document to them for their review.
    Key Roles
    • Identity Provider (IDP): The system in authority that provides the user information
    • Service Provider (SP): The system that trusts the asserting party’s information, and uses the data to
    provide an application to the user.
    • Subject: The user and their identity that is involved in the transaction.
    Note! In our context, Learning Maestro is the SP, the IDP is customer-specific, and the Subject is the user
    who is logged in.
    Copyright © 2013 SumTotal Systems, LLC. All rights reserved. Duplication prohibited.
    Typical SAML Components
    Source: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
    Implementing SAML 2.0
    • SumTotal LMS supports only SAML 2.0 Standards.
    • We support only IDP-initiated SAML authentication.
    • The SAML Response should be signed and base64 Encoded.
    • UserName should be passed in NameID element under Assertion\Subject Keys.
    • We use the timestamp provided in IssueInstant attribute of SAML Assertion to find the valid period
    (+/- 5 min ) for the SAML Response.
    • Currently, we do not support signed or encrypted assertions.
    • Deep linked URLs can be passed through an additional URL parameter of “OriginalURL.”
    IDP Initiated Web SSO
    Source: http://www.ijcsi.org/papers/2-41-48.pdf
    When Learning Maestro is Accessed from a Portal
    1. The user logs into the customer portal.
    2. The user clicks on a link to the LMS from the customer’s portal.
    3. The link points to an IDP page.
    4. The IDP page posts an HTTP Request to Learning Maestro
    5. The request is an < ... > message.
    Typical Structure of a SAML Response
    • Below is the typical SAML Response received by LMS from IDP
    • Value of SAMLResponse parameter should be base64 Encoded.
    Please double-click to open the below XML file to view how the response looks after decoding:
    ExampleSuccessfulAssertion.xml
    Configuring SAML 2.0
    SumTotal Maestro supports SAML 2.0 for the “Identity Provider Initialized SSO” protocol.
    To configure your Maestro domain to accept SAML 2.0 Assertions, the following steps must be taken:
    1. Confirm that Usernames are in sync
    2. Provide an X.509 Certificate to SumTotal Systems (SHA1 Hashed)
    SumTotal Systems will configure your environment with the X.509 cert you provide.
    3. Point your call to the following URL:
    https://gm1.geolearning.com/geonext/<your_domain>/saml.geo
    After authenticating to your Identity Provider, the provider will pass a user into Maestro IF:
    • The user has a username matching an existing Maestro username
    • The x509 certificates match on both sides
    If authentication fails, the user will be presented with a failure page.
    Assertions
    An optional assertion is available to specify the URL a user will be sent if there is an authentication error.
    ErrorRedirectURL Assertion
    • If ‘ErrorRedirectURL’ is not specified and an authentication error or other security exception 
    occurs it will redirect the user to the default secerror.geo page as it does today
    • If a value (URL) is specified for ‘ErrorRedirectURL’ and there is an authentication error the user 
    will be redirected to the URL specified
    Sample
    Additional Information
    For additional information on SAML, please refer to the following sources:
    Wikipedia: Security Assertion Markup Language
    OASIS Executive Summary
    IJCSI Intermediate Concept
    OASIS Technical Overview
    FAQs
    Question: What .NET library are we using?
    Answer: SumTotal uses “Componentspace” net SAML 2.0 library
    Question: Can users still log in via the login page?
    Answer: Yes. The SAML target page is different than the login page.
    Question: Can we deep link into the LMS through the SAML 2.0 authentication workflow?
    Answer: Yes. “Deep Link Target” (target or original URL parameter) is accepted. If none is provided, then it will default to the default landing page as configured in Maestro.
    Question: Can I get rid of the Logout button?
    Answer: Yes, When using SAML, the logout button still exists intentionally in the navigation but can be disabled in the “configure Navigation” options.
    Question: What is the Session timeout setting?
    Answer: Session Hard Life and Idle Life settings can be configured in the security section of the administration interface of Maestro.
    Question: What is the unique ID for SAML?
    Answer: The “username” field.
    Question: What is the failure page if Authentication fails?
    Answer: If the authentication fails, by default an intentionally simple error is presented to the user stating “Authentication Failure”. For security purposes, no further information regarding the specifics of the failure are defined to the user. An optional ErrorRedirectURL assertion can be used.
    Question: What URL do we point to?
    Answer: https://gm1.geolearning.com/geonext/<your_domain>/saml.geo
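
The receiving-side checks the pasted document lists (base64-encoded SAMLResponse, a signed Response, user name in NameID under Assertion\Subject, IssueInstant within +/- 5 minutes) can be sketched as follows. This is an added example, not code from the original post or from SumTotal; the function names and the sample message are constructed for illustration. It only checks that a Signature element is present: cryptographic verification against the agreed X.509 certificate needs an XML-DSig library and must succeed before any field is trusted.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DSIG}
MAX_SKEW = timedelta(minutes=5)  # the +/- 5 min window from the document


class SamlRejected(Exception):
    """Raised for any response that must not start a session."""


def parse_instant(value):
    # xs:dateTime in UTC, e.g. 2013-06-01T12:00:00Z; fractional seconds optional
    if not value or not value.endswith("Z"):
        raise SamlRejected("IssueInstant missing or not UTC")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise SamlRejected("IssueInstant is not a valid timestamp") from exc


def check_response(saml_response_b64, now):
    """Return the NameID user name, or raise SamlRejected (hypothetical helper)."""
    try:
        text = base64.b64decode(saml_response_b64, validate=True).decode("utf-8")
    except ValueError as exc:
        raise SamlRejected("SAMLResponse is not base64-encoded UTF-8") from exc
    # Refuse DTDs outright so entity expansion never reaches the parser.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise SamlRejected("DTDs and entities are not accepted")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise SamlRejected("SAMLResponse is not well-formed XML") from exc
    if root.tag != "{%s}Response" % SAMLP:
        raise SamlRejected("root element is not samlp:Response")
    # Presence check only; signature verification itself is out of scope here.
    if root.find("ds:Signature", NS) is None:
        raise SamlRejected("Response carries no signature")
    # Extra defensive check (not from the document): exactly one Assertion in
    # the whole tree, and it is a direct child of Response.
    direct = root.findall("saml:Assertion", NS)
    if len(direct) != 1 or len(list(root.iter("{%s}Assertion" % SAML))) != 1:
        raise SamlRejected("expected exactly one Assertion")
    assertion = direct[0]
    issued = parse_instant(assertion.get("IssueInstant"))
    if abs(now - issued) > MAX_SKEW:
        raise SamlRejected("IssueInstant outside the +/- 5 minute window")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    username = (name_id.text or "").strip() if name_id is not None else ""
    if not username:
        raise SamlRejected("no NameID under Assertion/Subject")
    return username


def build_sample(issue_instant, name_id="jdoe", signed=True):
    # Constructed sample message; the Signature element is an empty stand-in.
    sig = '<ds:Signature xmlns:ds="%s"/>' % DSIG if signed else ""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s'
        '<saml:Assertion IssueInstant="%s"><saml:Subject>'
        "<saml:NameID>%s</saml:NameID></saml:Subject></saml:Assertion>"
        "</samlp:Response>" % (SAMLP, SAML, sig, issue_instant, name_id)
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    now = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)
    print(check_response(build_sample("2013-06-01T11:57:00Z"), now))
```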

    Hello,
    Thanks for posting your question here. However, this forum is used to discuss and ask questions about .NET Framework Base Classes (BCL) such as Collections, I/O, Registry, Globalization, Reflection. For issues regarding configuring SAML, this is beyond
    the scope of our support.
    Regards.

  • SAML Sender Vouches Assertion in ABAP only environment

    All – apologies for a lengthy post…
    subject: Standard logon - SAML Authentication (logon using SAML).
    We are testing if an external app – like Oracle (consumer), can render a web service via SAML assertion into an AS ABAP (provider) environment. Per OSS note 1254821, we have setup a trusted environment, and were able to successfully test a bapi function via Certificate Authentication (logon using a client certificate), one of the standard logons.
    This test validates that the SOAP message can be processed through SAP, from the secured transport layer to decrypting and processing the SOAP message.
    When we move to test the SAML assertion piece, we are not able to find the logon of “SAML Authentication” via the standard logon through trnx SICF.
    We nonetheless moved to test with all the available logon options without success:
    1     Fields Authentication
    2     SSO Authentication
    3     Basic Authentication
    4     SAP Authentication
    5     Certificate Authentication (we deactivated the USEREXTID’s DN user)
    6     Service Authentication
    While researching, we came across that there should be a “SAML Authentication” standard logon option, yet this is not available in our test system.
    Our system information is as follows:
    SAP ECC 6.0
    SAP_BASIS      700      SAPKB70017
    SAP_ABA         700      SAPKA70017
    We are testing in an ABAP stack environment.
    We have cross-referenced with note 1254821, and have satisfied all the requirements.
    We expect the standard logon to contain the “SAML Authentication” through SICF since we have configured the web service through SOAMANAGER using “SAML 1.1. Sender Vouches Assertion”.
    Question:
    Is “SAML Authentication” standard logon necessary to facilitate the SAML sender vouches solution (we have only AS ABAP)?
    If needed, what configuration, or support pack do we need to be on?
    Better yet, has anyone out there made it work? If so, please share.
    Thanks much,
    Alex

    Hi Jens,
    yes, it's  keystore view TicketKeystore. The idea is that a logon ticket trust suffices to get the SAML 1.1 Sender Vouches trust as well.
    The next thing you should take care of is to make sure that your SAP Portal system trusts the SAML issuer of your SAML assertion. This is to be configured in NetWeaver Administrator under Configuration Management > Security > Trusted Systems. There you add the issuer string of your SAML Assertion into the Trusted Partners section.
    Please follow paragraph "Configuring the Trusted Partners (Provider)" on this documentation link for details: http://help.sap.com/saphelp_nw73/helpdata/en/48/b264916b156ff4e10000000a42189b/frameset.htm
    Another thing. Please see that for SOAP Web Services SAP (both AS ABAP and AS Java) for Sender-Vouches only SAML 1.1 is supported. Holder-of-key SAML assertions are supported with SAML 1.1 and SAML 2.0.
    Regards,
    Mathias

  • How to develop a webservice with SAML on Weblogic 8.1

    I will develop some webservices on Weblogic 8.1. On the security part, we will
    use SAML. Is there somebody who can tell me how to do it? Do I need third party
    product? And where I can find samples?
    Thanks.
    Jian

    I will develop some webservices on Weblogic 8.1. On the security part,
    we will use SAML. Is there somebody who can tell me how to do it? Do I
    need third party product? And where I can find samples?
    Currently, we don't offer any support for SAML in WLS -- so you would
    have to use a third party product. Depending on how you want to use it,
    you may be able to use a third party product to create a handler for your
    service or client.
    However, if you want to use the handler in the server to set the subject
    for the invoke, the handler architecture will prevent you from doing
    this -- the API you use to set the user
    (weblogic.security.service.SecurityManager.runAs() -- see
    http://edocs.bea.com/wls/docs81/javadocs/weblogic/security/service/SecurityManager.html)
    cannot be successfully used in handler methods. If you wish to do this,
    I'm afraid the only way we have to support this is to use a servlet filter.
    -Pete
