Configure SAP ABAP as service provider using SAML holder-of-key

Hi
We are trying to configure "SAML Holder of key" between Microsoft (as
a service consumer) and SAP ABAP (as service provider).
The service provider/SAP ABAP is release 7.11 and we need to configure this component.
We have found SAP note 1254821 and are trying to follow the instructions for
the "SAML Holder of key" scenario.
However there is one step that we do not understand: step 5, "The private key to decrypt the
encrypted....at the provider system must be a WS Security Identity in transaction TRUST".
Can anyone elaborate on the meaning of this step and describe a procedure for what
exactly to do?
BR
Tom Bo

Hi,
a service provider needs to check two things when processing a message. The first is that the SAML assertion was issued by the STS; this is done by checking the signature of the SAML assertion, which is signed by the STS (step 4 in the OSS note). The second is to verify that the sender knows the key from the SubjectConfirmation element (that's why it is called holder-of-key). One way is to encrypt and sign the SOAP message using a symmetric key. There is also an option to use an asymmetric key. The key is encrypted by the STS using the public key of the service provider. Therefore the private key must be imported into the service provider system (step 5 from the OSS note). More info can be found here: http://help.sap.com/saphelp_nw73/helpdata/en/e5/9f9913fc9c418db98c8693b2bbdb7c/frameset.htm
Cheers
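The two checks described in the reply above, as an added example that is not part of the original thread and not SAP's or Microsoft's implementation. It models the protocol in Python with standard-library stand-ins, all of which are assumptions of the example: HMAC-SHA256 replaces the XML-DSig RSA signatures, a sorted JSON serialisation replaces exc-c14n canonicalisation, and a toy XOR key wrap replaces the xenc:EncryptedKey that the STS produces for the service provider's public key. The key bytes, the issuer URL, the subject name and the message body are constructed. What it shows is why step 5 of the note matters: without its private key the provider cannot recover the proof key, so it cannot verify that the sender holds it, and a captured assertion replayed by a party without the proof key is rejected even though the STS signature on the assertion is still valid.

```python
import hashlib
import hmac
import json
import secrets

HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed demo keys (assumption of this example). In the real deployment the STS
# signs the assertion with its private key and the SP verifies it against the STS
# certificate imported in STRUST (step 4); the proof key is wrapped for the SP's public
# key and unwrapped with the SP private key, the "WS Security" identity in STRUST (step 5).
STS_SIGNING_KEY = b"demo-sts-signing-key"
SP_PRIVATE_KEY = b"demo-sp-private-key"


def _canon(obj):
    """Deterministic serialisation; stands in for XML canonicalisation (exc-c14n)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, obj):
    """HMAC-SHA256 stands in for the XML-DSig RSA signature over the canonical form."""
    return hmac.new(key, _canon(obj), hashlib.sha256).hexdigest()


def wrap_key(proof_key, sp_key, nonce):
    """Toy key wrap (XOR with a SHA-256 keystream), its own inverse.
    Stands in for the EncryptedKey the STS creates for the SP's public key."""
    stream = hashlib.sha256(sp_key + nonce).digest()
    return bytes(a ^ b for a, b in zip(proof_key, stream))


def sts_issue(subject, proof_key):
    """STS side: bind a fresh symmetric proof key to the subject and sign the assertion."""
    nonce = secrets.token_bytes(16)
    assertion = {
        "id": "_" + secrets.token_hex(8),
        "issuer": "https://sts.example/",
        "subject": subject,
        "subject_confirmation": {
            "method": HOK,
            "encrypted_key": wrap_key(proof_key, SP_PRIVATE_KEY, nonce).hex(),
            "nonce": nonce.hex(),
        },
    }
    assertion["signature"] = _sign(STS_SIGNING_KEY, assertion)
    return assertion


def client_send(assertion, proof_key, body):
    """Client side: prove possession by signing the body with the proof key.
    The signature's key reference names the assertion by ID, like the WS-Security STR."""
    to_sign = {"body": body, "key_ref": assertion["id"]}
    return {"assertion": assertion, "body": body,
            "signature": {"key_ref": assertion["id"], "value": _sign(proof_key, to_sign)}}


def sp_verify(msg, sp_private_key=SP_PRIVATE_KEY):
    """Service-provider side: the two checks from the reply, returning (accepted, detail)."""
    a = msg["assertion"]
    # Check 1: the assertion really comes from the trusted STS (step 4).
    unsigned = {k: v for k, v in a.items() if k != "signature"}
    if not hmac.compare_digest(a["signature"], _sign(STS_SIGNING_KEY, unsigned)):
        return False, "assertion signature invalid"
    sc = a["subject_confirmation"]
    if sc["method"] != HOK:
        return False, "not a holder-of-key confirmation"
    # Check 2: the sender holds the key named in SubjectConfirmation (step 5).
    if msg["signature"]["key_ref"] != a["id"]:
        return False, "message signature does not reference the assertion"
    if sp_private_key is None:
        return False, "no SP private key: cannot decrypt the proof key"
    proof_key = wrap_key(bytes.fromhex(sc["encrypted_key"]), sp_private_key,
                         bytes.fromhex(sc["nonce"]))
    expected = _sign(proof_key, {"body": msg["body"], "key_ref": a["id"]})
    if not hmac.compare_digest(msg["signature"]["value"], expected):
        return False, "proof of possession failed"
    return True, a["subject"]


def demo():
    """SP verdicts for a genuine message and three failure cases (constructed input)."""
    proof_key = secrets.token_bytes(32)
    assertion = sts_issue("tom.bo", proof_key)
    body = {"op": "GetOrder", "id": 42}
    good = client_send(assertion, proof_key, body)
    # Attacker captured the assertion but not the proof key and signs with their own key.
    replay = client_send(assertion, secrets.token_bytes(32), body)
    # Attacker edits the subject inside the STS-signed assertion.
    forged = client_send(dict(assertion, subject="admin"), proof_key, body)
    return {
        "genuine": sp_verify(good),
        "replay_without_key": sp_verify(replay),
        "forged_subject": sp_verify(forged),
        "sp_without_private_key": sp_verify(good, sp_private_key=None),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The replay case is the difference between holder-of-key and a bearer assertion: the STS signature on the captured assertion still verifies, so a provider that performed only check 1 would accept it.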

Similar Messages

  • Setup SAML 2.0 Service Provider using WLST Offline

    Is this possible http://weblogic.sys-con.com/node/1455841 to do using WLST offline?

    I enabled "DebugSecurityAtn" as suggested - and "DebugHttpSessions" as well.
    Unfortunately, I'm still not sure what's happening though.
    Here are all my "Authentication Providers" in the order listed in the Console:
    - DefaultAuthenticator : Control Flags=SUFFICIENT
    - DefaultIdentityAsserter : No "Active Type"
    - saml2IA (SAML 2.0 Identity Assertion Provider)
    - samlauth (SAML Authentication Provider): SUFFICIENT
    This is an excerpt of the updated server log:
    <SecuritySAMLAtn> <SAMLIALoginModule: commit(): SAML IA LoginModule Group Added>
    <SecurityAtn> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myuser was not previously locked out>
    <SecurityAtn> <com.bea.common.security.internal.service.IdentityCacheServiceImpl.cachedIdentity(Subject: 3
    Principal = class weblogic.security.principal.WLSUserImpl("myuser")
    Principal = class weblogic.security.principal.WLSGroupImpl("grp_a")
    Principal = class weblogic.security.principal.WLSGroupImpl("grp_b")
    )>
    <HttpSessions> <[HTTP Session:100046]Creating new session with ID: nVm... for Web application: /saml2.>
    <SecuritySAML2Service> <Using redirect URL from request cache: 'https://localhost:1234/MyApp/secure/index.html'>
    <SecuritySAML2Service> <Redirecting to URL: https://localhost:1234/MyApp/secure/index.html>
    <HttpSessions> <[HTTP Session:100078]HTTPSession with id: "nVm..." is of size 84 bytes.>
    <SecuritySAML2Service> <SAML2Filter: Processing request on URI '/MyApp/secure/index.html;jsessionid=nVm...'>
    <SecuritySAML2Service> <getServiceTypeFromURI(): request URI is not a service URI>
    <SecuritySAML2Service> <getServiceTypeFromURI(): returning service type 'SPinitiator'>
    Thank you,
    Patrick

  • Integrating Oracle EBS with web services which use SAML authentication

    Hi,
    I have a requirement to invoke web service using PL/SQL from a Custom Form of EBS.
    The web Service is configured to use SAML as authentication mechanism.
    Coming to question!
    1) How do I make my EBS integrate with a SAML provider preferably (Oracle Identity Federation) ?
    2) How do i get the SAML token in my PL/SQL and pass it on to the web service?
    Regards
    Dharmvir

    user1983888 wrote:
    Hi ,
    We have Oracle EBS R12 (12.1.2) with Oracle Database 11gR2 (11.2.0.2) Database on Linux env.
    We want to implement Oracle Database Vault 11gR2. We are referring to Note: Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 11gR2 [ID 1091083.1].
    Do we need to install Oracle Database 11gR2 (s/w only) again on the Oracle Database Server or can we use the existing Oracle EBS Database 11gR2 Home which is already on 11.2?
    Regards,
    Thiru

    As mentioned in the doc "If your E-Business Suite R12 is already integrated with 11gR2 database, you just need to enable Database Vault 11gR2 & register it with the database as per Task 3", so no installation of ORACLE_HOME is required and you just need to "Register Oracle Database Vault".
    Thanks,
    Hussein

  • Configuring Access Manager as Service Provider

    Hi All,
    What documentation explains how to configure SSO with Access Manager 7 as Service Provider using redirect-artifact (or else) binding according to SAML v.2? I have SiteMinder 6.0 as IdP ready to go.
    Thanks

    Bernhard,
    We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not available in the PA agent properties but only in the Java SDK. Indeed we do not see such a key in the new Web PA AMAgent.properties.
    Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed through the load balancer? Below are the settings in our AMAgent and AMConfig properties files
    AMAgent.properties
    com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
    com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
    AMConfig.properties
    com.iplanet.am.server.protocol=https
    com.iplanet.am.server.host=am.mydomain.com
    com.iplanet.am.server.port=443
    com.iplanet.am.console.protocol=https
    com.iplanet.am.console.host=lb-mydomain.com
    com.iplanet.am.console.port=443
    com.iplanet.am.profile.host=lb-mydomain.com
    com.iplanet.am.profile.port=443
    com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
    com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notificationservice
    If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be part of our issue or not. Please comment.
    Thanks,
    Craig

  • SAML 2.0 - Double Authentication with AS ABAP as service provider

    Hi All -
    We are experiencing an issue which someone may have had.
    We are logging on to the AS ABAP system with SAML 2.0, and the nameID is the personnel number, which is in turn our user master ID.
    To be clear:
    User ID in SAP = PERNR
    Personnel Nr    = PERNR
    Infotype 0105/0001 = PERNR
    The Identity Provider system reaches out to Active Directory and gets the personnel number for the logged on user; this is in turn what is presented back to the SAP ECC System. As you can see we have our user IDs created the same as the PERNR, so the infotype 0105/0001 is also set up to be the PERNR.
    The problem we face is that sometimes the user's personnel number is incorrectly keyed into the Active Directory system. In this case the user is logged in to Self-Service with an incorrect user, and this is therefore a data breach. I would like to do some additional validation to address this issue.
    I have set break-points in most of the SAML classes, and tried a number of different options, but am running out of ideas. We have also thought about using the email address, but found that not all employees have an email, and so this option was not selected.
    Any input here will be appreciated.

    Ronald -- did you use the SSO product from SAP for this SAML solution? Wondering if this is available out of the box without the SSO license?

  • Client proxy consuming web service provider using logical port issue

    Hi All,
    I have a proxy client having a logical port (configured using NWDS) to consume a web service in the provider system.
    In the logical port, I have given the target address and the logical port name. While moving this client proxy from the NWDI dev track to Q and prod,
    how do I change this target address to point to Q and prod respectively? In other words, even though I am using Visual Admin to configure the destination URL for the logical port to point to Q and prod, it's still referring to the dev environment provider service after moving the proxy client to Q and prod. What is the suggested approach to take care of this issue?
    Thx
    mike

    Hi Michael,
    I can only help from that point of view that I believe this question belongs to the forum
    Service-Oriented Architecture (SOA) and SAP
    Please try to raise this question there.
    Thanks and Regards,
    Ervin

  • HTTPS communication for Adobe Offline form with SAP ABAP WAS

    Hi Experts,
    Can we use HTTPS communication method to call a SAP ABAP Web Service from an Adobe offline form?
    Example : I have a SUBMIT button in my Adobe offline form and when clicked, it populates a sales order number in the form.
    Here my SAP ABAP server from where it reads the info is using the HTTPS communication method. Now if I use the same service with HTTP it works fine, but if I switch the service to use HTTPS it shows me an error "Error attempting to read from file. <https://FQDN/<service name> .
    I am using a self-signed SSL server certificate from the SAP ABAP server. But here I also see a certificate error in my browser (IE 7.0) saying "Untrusted Certificate". Is this the reason for my above issue?
    I could not find any post in SDN giving me the answer.
    Regards,
    Hobin

    Hi,
    The certificates are already imported into the Trusted Certificates section. But the real issue is regarding the Adobe Offline forms. If I open the Adobe Offline forms in Adobe Reader 9.0 and the web service call is made based on https://, it says "Error attempting to read the file". The fully qualified domain name is also provided VA. I have tried to import the certificates into Adobe Reader's Trust Identities but still it is not working. If I switch the web service authentication method to http://, then it works. ADS is already configured with SSL. And the https:// based web service embedded in the Adobe Interactive Form is working if the form is online in the browser (integrated in the Web Dynpro ABAP UI element).
    Is there any other way to add SSL certificates to Adobe Reader, so that the https:// based web service will work if the form is opened in Adobe Reader 9.0?
    Regards,
    Hobs

  • Invalid security error when invoking secure webservice using SAML tokens

    I have deployed a JAX-WS web service using a stateless session bean to WebLogic 10.3.2 that uses a custom policy. The service deploys fine, but WebLogic returns an HTTP error 500 with a SOAP fault. The fault states wsse:InvalidSecurity. The web service security policy requires SAML holder-of-key assertions and attributes. I have tried everything from running WebLogic with Metro 1.5 to configuring SAML Identity Asserter Providers, etc. with no luck. I even tried using the built-in SAML 2.0 asymmetric holder-of-key policy. What am I doing wrong? The XML of interest is attached.
    Thanks;
    -Dave.
    [Sample message from client]
    <?xml version="1.0" encoding="UTF-8"?>
    <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
         <S:Header>
              <To xmlns="http://www.w3.org/2005/08/addressing">https://localhost:7002/NHINAdapterDocQuerySecured/AdapterDocQuerySecured</To>
              <Action xmlns="http://www.w3.org/2005/08/addressing">urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage</Action>
              <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
                   <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
              </ReplyTo>
              <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:fec656f8-a2be-4129-8412-34d9453e7cb2</MessageID>
              <wsse:Security S:mustUnderstand="1">
                   <wsu:Timestamp xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_1">
                        <wsu:Created>2010-02-24T21:38:56Z</wsu:Created>
                        <wsu:Expires>2010-02-24T21:43:56Z</wsu:Expires>
                   </wsu:Timestamp>
                   <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="96cdfb70-91a3-4baf-9da1-3ff07d249926" IssueInstant="2010-02-24T21:38:56.671Z" Version="2.0">
                        <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
                        <saml2:Subject>
                             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=kskagerb*DoD</saml2:NameID>
                             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                                  <saml2:SubjectConfirmationData>
                                       <ds:KeyInfo>
                                            <ds:KeyValue>
                                                 <ds:RSAKeyValue>
                                                      <ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZiqM1BAFp9F73hMHsNrc=</ds:Modulus>
                                                      <ds:Exponent>AQAB</ds:Exponent>
                                                 </ds:RSAKeyValue>
                                            </ds:KeyValue>
                                       </ds:KeyInfo>
                                  </saml2:SubjectConfirmationData>
                             </saml2:SubjectConfirmation>
                        </saml2:Subject>
                        <saml2:AuthnStatement AuthnInstant="2009-04-16T13:15:39.000Z" SessionIndex="987">
                             <saml2:SubjectLocality Address="158.147.185.168" DNSName="cs.myharris.net"/>
                             <saml2:AuthnContext>
                                  <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
                             </saml2:AuthnContext>
                        </saml2:AuthnStatement>
                        <saml2:AttributeStatement>
                             <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Karl S Skagerberg</saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">InternalTest2</saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
                                  <saml2:AttributeValue>
                                       <hl7:Role xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="307969004" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="Public Health" xsi:type="hl7:CE"/>
                                  </saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
                                  <saml2:AttributeValue>
                                       <hl7:PurposeForUse xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="TREATMENT" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Use or disclosure of Psychotherapy Notes" xsi:type="hl7:CE"/>
                                  </saml2:AttributeValue>
                             </saml2:Attribute>
                             <saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">
                                  <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">500000000^^^&amp;1.1&amp;ISO</saml2:AttributeValue>
                             </saml2:Attribute>
                        </saml2:AttributeStatement>
                        <saml2:AuthzDecisionStatement Decision="Permit" Resource="https://158.147.185.168:8181/SamlReceiveService/SamlProcessWS">
                             <saml2:Action Namespace="urn:nhin:names:hl7:rbac:4.00:operation">EXECUTE</saml2:Action>
                             <saml2:Evidence>
                                  <saml2:Assertion ID="40df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0">
                                       <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>
                                       <saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z" NotOnOrAfter="2010-12-31T12:00:00.000Z"/>
                                       <saml2:AttributeStatement>
                                            <saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
                                                 <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Ref-1234</saml2:AttributeValue>
                                            </saml2:Attribute>
                                            <saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
                                                 <saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Instance-1</saml2:AttributeValue>
                                            </saml2:Attribute>
                                       </saml2:AttributeStatement>
                                  </saml2:Assertion>
                             </saml2:Evidence>
                        </saml2:AuthzDecisionStatement>
                        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                             <ds:SignedInfo>
                                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                                  <ds:Reference URI="#96cdfb70-91a3-4baf-9da1-3ff07d249926">
                                       <ds:Transforms>
                                            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                       </ds:Transforms>
                                       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                       <ds:DigestValue>VnukKqb4Bt1KWDKfy8SDfk1Hp2s=</ds:DigestValue>
                                  </ds:Reference>
                             </ds:SignedInfo>
                             <ds:SignatureValue>DUwjh/H3XSfUG250rTlLdihstDXY1+qkY9GaY81Iu7Ag4MgoGvGBrGjZOJ7YnssPdrqUGiURxf6k
    IBH7vaeXk24XvXP3F85WP9nBm+2M4BvGTplgOmAo0yuwze+90FvwILzFNmmX/tvy3QKTDHlh1rEx
    /Jqfm6q/56WW1suAbRY=</ds:SignatureValue>
                             <ds:KeyInfo>
                                  <ds:KeyValue>
                                       <ds:RSAKeyValue>
                                            <ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l
    0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZ
    iqM1BAFp9F73hMHsNrc=</ds:Modulus>
                                            <ds:Exponent>AQAB</ds:Exponent>
                                       </ds:RSAKeyValue>
                                  </ds:KeyValue>
                             </ds:KeyInfo>
                        </ds:Signature>
                   </saml2:Assertion>
                   <ds:Signature xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_2">
                        <ds:SignedInfo>
                             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                  <exc14n:InclusiveNamespaces PrefixList="wsse S"/>
                             </ds:CanonicalizationMethod>
                             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                             <ds:Reference URI="#_1">
                                  <ds:Transforms>
                                       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                            <exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
                                       </ds:Transform>
                                  </ds:Transforms>
                                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                  <ds:DigestValue>oo99UrPhAcwla4Qbkdd9jAPn0cE=</ds:DigestValue>
                             </ds:Reference>
                        </ds:SignedInfo>
                        <ds:SignatureValue>ds4vqts8uCdJcNGo0uTPzId5UBX+GVrdztQPv823c1Zy9ZZGSfQC/GsBPM/EMbFInDPFsyT4e1QYZMCzmqLYnifWHlDQJb7oMJBokafavAqZda1B55Zzh3TSm6BqKWtB/DX17d6rLx/HPiLNZ9qsBfuGn3aTlUCpNsYA8ObBtp8=</ds:SignatureValue>
                        <ds:KeyInfo>
                             <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
                                  <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">96cdfb70-91a3-4baf-9da1-3ff07d249926</wsse:KeyIdentifier>
                             </wsse:SecurityTokenReference>
                        </ds:KeyInfo>
                   </ds:Signature>
              </wsse:Security>
         </S:Header>
         <S:Body>
              <ns3:AdhocQueryRequest xmlns:ns2="urn:gov:hhs:fha:nhinc:gateway:samltokendata" xmlns:ns3="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0" xmlns:ns4="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0" xmlns:ns5="urn:oasis:names:tc:ebxml-regrep:xsd:rs:3.0" xmlns:ns6="urn:oasis:names:tc:ebxml-regrep:xsd:lcm:3.0" maxResults="-1" startIndex="0" federated="false">
                   <ns3:ResponseOption returnComposedObjects="true" returnType="LeafClass"/>
                   <ns4:AdhocQuery home="urn:oid:2.16.840.1.113883.4.349" id="urn:uuid:14d4debf-8f97-4251-9a74-a90016b0af0d">
                        <ns4:Slot name="$XDSDocumentEntryStatus">
                             <ns4:ValueList>
                                  <ns4:Value>('urn:oasis:names:tc:ebxml-regrep:StatusType:Approved')</ns4:Value>
                             </ns4:ValueList>
                        </ns4:Slot>
                        <ns4:Slot name="$XDSDocumentEntryPatientId">
                             <ns4:ValueList>
                                  <ns4:Value>'1012581676V377802^^^&amp;2.16.840.1.113883.4.349&amp;ISO'</ns4:Value>
                             </ns4:ValueList>
                        </ns4:Slot>
                   </ns4:AdhocQuery>
              </ns3:AdhocQueryRequest>
         </S:Body>
    </S:Envelope>
    [Response from server:]
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
         <env:Body>
              <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <faultcode>wsse:InvalidSecurity</faultcode>
                   <faultstring>weblogic.xml.crypto.api.MarshalException: weblogic.xml.dom.marshal.MarshalException: Failed to unmarshal {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference, no SecurityTokenReference factory found for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}KeyIdentifier ValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID</faultstring>
              </env:Fault>
         </env:Body>
    </env:Envelope>
    [webservice WSDL]
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
    Adapter Document Query WSDL
    -->
    <definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="urn:gov:hhs:fha:nhinc:adapterdocquerysecured"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:query="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
    xmlns:plnk="http://docs.oasis-open.org/wsbpel/2.0/plnktype"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:wsaws="http://www.w3.org/2005/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:vprop="http://docs.oasis-open.org/wsbpel/2.0/varprop"
    xmlns:sxnmp="http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/NMProperty"
    name="AdapterDocQuerySecured"
    targetNamespace="urn:gov:hhs:fha:nhinc:adapterdocquerysecured">
    <documentation>Adapter Document Query</documentation>
    <types>
    <xsd:schema>
    <xsd:import namespace="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
    schemaLocation="../schemas/ebRS/query.xsd"/>
    <xsd:import namespace="urn:gov:hhs:fha:nhinc:gateway:samltokendata"
    schemaLocation="../schemas/nhinc/gateway/SamlTokenData.xsd"/>
    </xsd:schema>
    </types>
    <message name="RespondingGateway_CrossGatewayQueryRequestMessage">
    <part name="body"
    element="query:AdhocQueryRequest"/>
    </message>
    <message name="RespondingGateway_CrossGatewayQueryResponseMessage">
    <part name="body"
    element="query:AdhocQueryResponse"/>
    </message>
    <portType name="AdapterDocQuerySecuredPortType">
    <operation name="RespondingGateway_CrossGatewayQuery">
    <input name="RespondingGateway_CrossGatewayQueryRequest"
    message="tns:RespondingGateway_CrossGatewayQueryRequestMessage"
    wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage"/>
    <output name="RespondingGateway_CrossGatewayQueryResponse"
    message="tns:RespondingGateway_CrossGatewayQueryResponseMessage"
    wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryResponseMessage"/>
    </operation>
    </portType>
    <binding name="AdapterDocQuerySecuredBindingSoap11" type="tns:AdapterDocQuerySecuredPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsp:PolicyReference URI="#RespondingGateway_Query_Binding_SoapPolicy"/>
    <operation name="RespondingGateway_CrossGatewayQuery">
    <soap:operation soapAction="urn:RespondingGateway_CrossGatewayQuery"/>
    <input name="RespondingGateway_CrossGatewayQueryRequest">
    <soap:body use="literal"/>
    <wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Input_Policy"/>
    </input>
    <output name="RespondingGateway_CrossGatewayQueryResponse">
    <soap:body use="literal"/>
    <wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Output_Policy"/>
    </output>
    </operation>
    </binding>
    <service name="AdapterDocQuerySecured">
    <port name="AdapterDocQuerySecuredPortSoap11"
    binding="tns:AdapterDocQuerySecuredBindingSoap11">
    <soap:address
    location="https://localhost:7002/NHINAdapterDocQuerySecured" />
    </port>
    </service>
    <!-- Define action property on each receiving message -->
    <vprop:property name="action" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:action"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>action</vprop:query>
    </vprop:propertyAlias>
    <!-- Define resource property on each receiving message -->
    <vprop:property name="resource" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:resource"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>resource</vprop:query>
    </vprop:propertyAlias>
    <!-- Define purposeForUseRoleCode property on each receiving message -->
    <vprop:property name="purposeForUseRoleCode" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:purposeForUseRoleCode"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>purposeForUseRoleCode</vprop:query>
    </vprop:propertyAlias>
    <!-- Define purposeForUseCodeSystem property on each receiving message -->
    <vprop:property name="purposeForUseCodeSystem" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:purposeForUseCodeSystem"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>purposeForUseCodeSystem</vprop:query>
    </vprop:propertyAlias>
    <!-- Define purposeForUseCodeSystemName property on each receiving message -->
    <vprop:property name="purposeForUseCodeSystemName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:purposeForUseCodeSystemName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>purposeForUseCodeSystemName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define purposeForUseDisplayName property on each receiving message -->
    <vprop:property name="purposeForUseDisplayName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:purposeForUseDisplayName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>purposeForUseDisplayName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userFirstName property on each receiving message -->
    <vprop:property name="userFirstName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userFirstName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userFirstName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userMiddleName property on each receiving message -->
    <vprop:property name="userMiddleName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userMiddleName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userMiddleName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userLastName property on each receiving message -->
    <vprop:property name="userLastName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userLastName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userLastName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userName property on each receiving message -->
    <vprop:property name="userName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userOrganization property on each receiving message -->
    <vprop:property name="userOrganization" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userOrganization"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userOrganization</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userRoleCode property on each receiving message -->
    <vprop:property name="userRoleCode" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userRoleCode"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userRoleCode</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userRoleCodeSystem property on each receiving message -->
    <vprop:property name="userRoleCodeSystem" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userRoleCodeSystem"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userRoleCodeSystem</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userRoleCodeSystemName property on each receiving message -->
    <vprop:property name="userRoleCodeSystemName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userRoleCodeSystemName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userRoleCodeSystemName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define userRoleCodeDisplayName property on each receiving message -->
    <vprop:property name="userRoleCodeDisplayName" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:userRoleCodeDisplayName"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>userRoleCodeDisplayName</vprop:query>
    </vprop:propertyAlias>
    <!-- Define expirationDate property on each receiving message -->
    <vprop:property name="expirationDate" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:expirationDate"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>expirationDate</vprop:query>
    </vprop:propertyAlias>
    <!-- Define signDate property on each receiving message -->
    <vprop:property name="signDate" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:signDate"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>signDate</vprop:query>
    </vprop:propertyAlias>
    <!-- Define contentReference property on each receiving message -->
    <vprop:property name="contentReference" type="xsd:string"/>
    <vprop:propertyAlias propertyName="tns:contentReference"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>contentReference</vprop:query>
    </vprop:propertyAlias>
    <!-- Define content property on each receiving message -->
    <vprop:property name="content" type="xsd:base64Binary"/>
    <vprop:propertyAlias propertyName="tns:content"
    messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
    sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
    <vprop:query>content</vprop:query>
    </vprop:propertyAlias>
    <wsp:Policy wsu:Id="RespondingGateway_Query_Binding_SoapPolicy">
    <wsp:ExactlyOne>
    <wsp:All>
    <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
    <sc:KeyStore wspp:visibility="private"
    aliasSelector="gov.hhs.fha.nhinc.callback.KeyStoreServerAliasSelector"
    callbackHandler="gov.hhs.fha.nhinc.callback.KeyStoreCallbackHandler"/>
    <sc:TrustStore wspp:visibility="private"
    callbackHandler="gov.hhs.fha.nhinc.callback.TrustStoreCallbackHandler"/>
    <sp:TransportBinding>
    <wsp:Policy>
    <sp:TransportToken>
    <wsp:Policy>
    <sp:HttpsToken>
    <wsp:Policy>
    <sp:RequireClientCertificate/>
    </wsp:Policy>
    </sp:HttpsToken>
    </wsp:Policy>
    </sp:TransportToken>
    <sp:Layout>
    <wsp:Policy>
    <sp:Strict/>
    </wsp:Policy>
    </sp:Layout>
    <sp:IncludeTimestamp/>
    <sp:AlgorithmSuite>
    <wsp:Policy>
    <sp:Basic128/>
    </wsp:Policy>
    </sp:AlgorithmSuite>
    </wsp:Policy>
    </sp:TransportBinding>
    <sp:EndorsingSupportingTokens>
    <wsp:Policy>
    <sp:SamlToken
    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    <wsp:Policy>
    <sp:WssSamlV20Token11/>
    </wsp:Policy>
    </sp:SamlToken>
    </wsp:Policy>
    </sp:EndorsingSupportingTokens>
    <sp:Wss11>
    <wsp:Policy>
    <sp:MustSupportRefKeyIdentifier/>
    <sp:MustSupportRefIssuerSerial/>
    <sp:RequireSignatureConfirmation/>
    </wsp:Policy>
    </sp:Wss11>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Input_Policy">
    <wsp:ExactlyOne>
    <wsp:All>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Output_Policy">
    <wsp:ExactlyOne>
    <wsp:All>
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    <plnk:partnerLinkType name="AdapterDocQuerySecured">
    <!-- A partner link type is automatically generated when a new port type is added.
    Partner link types are used by BPEL processes. In a BPEL process, a partner
    link represents the interaction between the BPEL process and a partner service.
    Each partner link is associated with a partner link type. A partner link type
    characterizes the conversational relationship between two services. The
    partner link type can have one or two roles.-->
    <plnk:role name="AdapterDocQuerySecuredPortTypeRole"
    portType="tns:AdapterDocQuerySecuredPortType"/>
    </plnk:partnerLinkType>
    </definitions>
    Edited by: dvazquez1027 on Feb 25, 2010 5:10 PM
    Edited by: dvazquez1027 on Feb 25, 2010 5:22 PM

    Hi
    yes, I had the same issue and I found a solution.
    You need to request a patch for BUG 9212862 (already corrected in WLS 10.3.3) and do the following:
    // obtain the JAX-WS request context of the generated port proxy
    javax.xml.ws.BindingProvider provider = (javax.xml.ws.BindingProvider)port;
    java.util.Map context = provider.getRequestContext();
    // ask the WLS stub for Microsoft-compatible WS-SecurityPolicy handling
    context.put(weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_PREFERENCE, weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_MSFT);
    This will cause the SecurityMessageArchitect class of WLS to not send the SecurityTokenReference in the SOAP security header.
    Please note that this is evidently a non-conformity to the specs by Microsoft:
    Please give a look at
    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf (8.3 Signing Tokens)
    and also at:
    http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
    (3.4 Identifying and Referencing Security Tokens)
    A SAML key identifier reference MUST be used for all (local and remote) references to SAML 1.1
    assertions. [...]
    All conformant implementations MUST be able to process SAML assertion references occurring in a
    <wsse:Security> header or in a header element other than a signature to acquire the corresponding
    assertion. A conformant implementation MUST be able to process any such reference independent of the
    confirmation method of the referenced assertion.
    It follows that .NET 3.5 is a non-conformant implementation: I would gladly know what the position of Microsoft is on that.
    ciao
    carlo
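The reply above turns on how the signature in a wsse:Security header refers to the SAML assertion. As an added example (not code from the thread or from WebLogic), this Python check classifies a header against the SAML Token Profile 1.1 section 3.4 rule quoted above: a SecurityTokenReference with a SAML-typed KeyIdentifier is the conformant form, a direct wsse:Reference is not, and a KeyInfo without any SecurityTokenReference is the shape a header has once the STR is dropped. The three sample envelopes are constructed; their AssertionID and SignatureValue are placeholders.

```python
# Added example, not code from the thread: classify how the ds:Signature in a
# wsse:Security header refers to the SAML 1.1 assertion it endorses.
# WSS SAML Token Profile 1.1 section 3.4 requires a SecurityTokenReference
# carrying a wsse:KeyIdentifier for SAML assertions.
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# KeyIdentifier ValueType URIs defined by the SAML Token Profile 1.0 / 1.1
SAML_KEYID_TYPES = {
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID",
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
}


def classify_saml_reference(envelope_xml: str) -> str:
    """Describe how the signature's KeyInfo points at the SAML assertion.

    keyidentifier  STR with a SAML-typed wsse:KeyIdentifier that names an
                   assertion present in the header (profile-conformant)
    dangling       STR with a SAML-typed KeyIdentifier, but no such assertion
    direct         STR with wsse:Reference (the profile forbids this for SAML)
    no-str         KeyInfo present but carries no SecurityTokenReference
    no-keyinfo     the signature carries no KeyInfo at all
    """
    root = ET.fromstring(envelope_xml)
    sec = root.find(".//wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("no ds:Signature inside wsse:Security")
    key_info = sig.find("ds:KeyInfo", NS)
    if key_info is None:
        return "no-keyinfo"
    str_el = key_info.find("wsse:SecurityTokenReference", NS)
    if str_el is None:
        return "no-str"
    key_id = str_el.find("wsse:KeyIdentifier", NS)
    if key_id is not None and key_id.get("ValueType") in SAML_KEYID_TYPES:
        # the identifier must name an assertion actually carried in the header
        present = {a.get("AssertionID") for a in sec.findall("saml:Assertion", NS)}
        return "keyidentifier" if (key_id.text or "").strip() in present else "dangling"
    if str_el.find("wsse:Reference", NS) is not None:
        return "direct"
    return "other"


def _envelope(key_info_xml: str) -> str:
    # Constructed sample header; the AssertionID and signature value are
    # placeholders, not real cryptographic material.
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <saml:Assertion xmlns:saml="{NS['saml']}" AssertionID="_a1b2c3"
                      MajorVersion="1" MinorVersion="1"/>
      <ds:Signature xmlns:ds="{NS['ds']}">
        <ds:SignedInfo/>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
        {key_info_xml}
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


# Conformant: SecurityTokenReference with a SAML KeyIdentifier
CONFORMANT = _envelope(
    '<ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier '
    'ValueType="http://docs.oasis-open.org/wss/'
    'oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_a1b2c3'
    '</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>')
# Non-conformant for SAML: STR with a direct wsse:Reference
DIRECT_REF = _envelope(
    '<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#_a1b2c3"/>'
    '</wsse:SecurityTokenReference></ds:KeyInfo>')
# No SecurityTokenReference at all in KeyInfo
NO_STR = _envelope('<ds:KeyInfo><ds:KeyName>_a1b2c3</ds:KeyName></ds:KeyInfo>')

if __name__ == "__main__":
    for name, env in [("conformant", CONFORMANT), ("direct", DIRECT_REF), ("no-str", NO_STR)]:
        print(name, "->", classify_saml_reference(env))
```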

  • SAML2 Service Provider not writing artifact key to cache

    I have been following http://biemond.blogspot.com/2009/09/sso-with-weblogic-1031-and-saml2.html to attempt to get Single Sign On working.
    I created 2 new WebLogic 10.3.3 domains using an RDBMS Security Store (they are both pointing to the same RDBMS Security Store). I went through the guide, and after some time and troubleshooting was able to complete all the steps. I then created a very, very basic JSF2 application that basically has a secured blank page. I set up this URL in the Service Provider configuration so that when I attempt to browse to the URL http://localhost:7002/saml-test/ (7002 is the port I assigned the second server; it is not SSL) it does successfully attempt to redirect to the Identity Provider for authentication. However, when it redirects I get a 403 Forbidden Error.
    Based on the logs it appears that the Service Provider is writing the artifact key to "the cache" (logs aren't specific, but I'm assuming DemoIdentity.jks?). But when the Identity Provider attempts to retrieve the key from the cache it finds nothing and returns null, causing an exception. I also attempted to view the DemoIdentity.jks contents by using:
    keytool -list -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase
    And the key specified in the logs is not there. I also looked at all the data in the RDBMS database and could not find the key there. I'm assuming I am just missing some basic understanding of what is going on here, but I've been pulling my hair out with this thing for a week, and have had no luck figuring it out.
    Below are the logs: (Note: I removed some of the leading debug info like time and date to save space)
    Service Provider Logs:
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <SAML2Filter: Processing request on URI '/saml-test/index.xhtml'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <getServiceTypeFromURI(): request URI is '/saml-test/index.xhtml'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <getServiceTypeFromURI(): request URI is not a service URI>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <getServiceTypeFromURI(): returning service type 'SPinitiator'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667020> <BEA-000000> <SP initiating authn request: processing>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667036> <BEA-000000> <SP initiating authn request: partner id is null>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667036> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667036> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667036> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore Checking if the Keystore file was modified>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667052> <BEA-000000> <put: item with key _0x55e0aecb9df9ad1a2061c408ed8fb7a6 is saved in cache.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667052> <BEA-000000> <SP initiating authn request: use partner binding HTTP/Artifact>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <put: item with key AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI= is saved in cache.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <store saml object org.opensaml.saml2.core.impl.AuthnRequestImpl@1d0397d, BASE64 encoded artifact is AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI=>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <post artifact: false>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <local ARS binding location: http://localhost:7001/saml2/idp/sso/artifact>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <post form template url: null>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <URL encoded artifact: AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI%3D>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <URL encoded relay state: null>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667067> <BEA-000000> <artifact is sent in http url:http://localhost:7001/saml2/idp/sso/artifact?SAMLart=AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI%3D>
    Identity Provider Logs:
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <SAML2Servlet: Processing request on URI '/saml2/idp/sso/artifact'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <getServiceTypeFromURI(): request URI is '/saml2/idp/sso/artifact'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <getServiceTypeFromURI(): service URI is '/idp/sso/artifact'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <getServiceTypeFromURI(): returning service type 'SSO'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <Request URI: /saml2/idp/sso/artifact>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <Method: GET>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <Query string: SAMLart=AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI%3D>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Accept: */*>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Accept-Language: en-us>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 3.0.04506.648; MS-RTC LM 8; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Accept-Encoding: gzip, deflate>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Host: localhost:7001>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <     Connection: Keep-Alive>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyStore Checking if the Keystore file was modified>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <ssl client key:Sun RSA private CRT key, 512 bits [RSA key parameters omitted], ssl client cert chain:[Ljava.security.cert.Certificate;@17de8c5>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <get BASE64 encoded artifact from http request, value is:AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI=>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667083> <BEA-000000> <ArtifactResolver: sha-1 hash value of remote partner id is '0x0a6b8a4b62a8fc4312f59b578c8e615540467de7'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <ArtifactResolver: found remote partner 'WebSSO-SP-Partner-0' with entity ID 'saml2AP'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <ArtifactResolver: returning partner: [email protected]ba20>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <partner entityid issaml2AP, end point index is:0>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <find end point:[email protected]6886, binding location is:http://localhost:7001/saml2/sp/ars/soap>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <got samlp:ArtifactResolve signing key:Sun RSA private CRT key, 512 bits [RSA key parameters omitted]>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667099> <BEA-000000> <weblogic.security.service.internal.SAMLKeyServiceImpl.getKeyInfo>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0x419833daa9699be237eb505d62fe5ab2" IssueInstant="2012-09-17T13:47:47.099Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml2CMP</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#_0x419833daa9699be237eb505d62fe5ab2">
    <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp"/></ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>QBOav/grXIftH9szz7jigjkJSXe5oeTUe+mecOWQs44=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
    C9bKLG5yYjU0UvLj0nlN8KJJfRoQiGzse8ZeSVOR2nHicx3M3YQjGgzNJdDIiC69FoUitEOBNAHg
    oYfLcc/5Uw==
    </ds:SignatureValue>
    </ds:Signature><samlp:Artifact>AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI=</samlp:Artifact></samlp:ArtifactResolve>>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <open connection to send samlp:ArtifactResolve. partner id:saml2AP, endpoint url:http://localhost:7001/saml2/sp/ars/soap>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <isClientPasswordSet:false>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <connect to remote ARS.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: begin to send SAMLObject to server.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667114> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: sending completed, now waiting for server response.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <SAML2Servlet: Processing request on URI '/saml2/sp/ars/soap'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <getServiceTypeFromURI(): request URI is '/saml2/sp/ars/soap'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <getServiceTypeFromURI(): service URI is '/sp/ars/soap'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <getServiceTypeFromURI(): returning service type 'ARS'>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667317> <BEA-000000> <ArtifactResolutionService.process: get SoapHttpBindingReceiver as receiver and SoapHttpBindingSender as sender.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <remove: key AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI= does not exist in cache.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <retrieve: no message was found in cache with the messageHandle, return null.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <SoapHttpBindingSender.sendResponse: Set HTTP headers to prevent HTTP proxies cache SAML protocol messages.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <SoapHttpBindingSender.send: the SOAP envelope to be sent is :
    >
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667333> <BEA-000000> <<?xml version="1.0" encoding="UTF-8"?><soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Body><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xd927ce91bb367412a50520dc7695df1e" InResponseTo="_0x419833daa9699be237eb505d62fe5ab2" IssueInstant="2012-09-17T13:47:47.333Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml2CMP</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><samlp:StatusMessage>[Security:096502]There is no saml message in returned samlp:ArtifactResponse.</samlp:StatusMessage></samlp:Status></samlp:ArtifactResponse></soap11:Body></soap11:Envelope>>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: response code from server is: 200>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: get a HTTP_OK response, now receive a SOAP envelope message.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <SoapSynchronousBindingClient.sendAndReceive: found XMLObject in envelope, return it.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <http url connection disconnect.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <<?xml version="1.0" encoding="UTF-8"?><samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_0xd927ce91bb367412a50520dc7695df1e" InResponseTo="_0x419833daa9699be237eb505d62fe5ab2" IssueInstant="2012-09-17T13:47:47.333Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">saml2CMP</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/><samlp:StatusMessage>[Security:096502]There is no saml message in returned samlp:ArtifactResponse.</samlp:StatusMessage></samlp:Status></samlp:ArtifactResponse>>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <get samlp:ArtifactResponse and verify it.>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <saml version:2.0>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <inResponseTo:_0x419833daa9699be237eb505d62fe5ab2>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <status code: urn:oasis:names:tc:SAML:2.0:status:Success>
    #<SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889667349> <BEA-000000> <status message: [Security:096502]There is no saml message in returned samlp:ArtifactResponse.>
    ####<Sep 17, 2012 9:47:49 AM EDT> <Debug> <SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889669802> <BEA-000000> <[Security:096577]Failed to receive AuthnRequest document from the requester.>
    ####<Sep 17, 2012 9:47:49 AM EDT> <Debug> <SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889669802> <BEA-000000> <Caused by: [Security:096502]There is no saml message in returned samlp:ArtifactResponse.>
    ####<Sep 17, 2012 9:47:49 AM EDT> <Debug> <SecuritySAML2Service> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1347889669802> <BEA-000000> <exception info
    com.bea.security.saml2.service.SAML2Exception: [Security:096577]Failed to receive AuthnRequest document from the requester.
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.receive(SSOServiceProcessor.java:301)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.processAuthnRequest(SSOServiceProcessor.java:118)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.process(SSOServiceProcessor.java:100)
         at com.bea.security.saml2.service.sso.SingleSignOnServiceImpl.process(SingleSignOnServiceImpl.java:50)
         at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:27)
         at $Proxy26.process(Unknown Source)
         at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3686)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused By: com.bea.security.saml2.binding.BindingHandlerException: [Security:096502]There is no saml message in returned samlp:ArtifactResponse.
         at com.bea.security.saml2.artifact.impl.AbstractArtifactResolver.getSamlMsg(AbstractArtifactResolver.java:459)
         at com.bea.security.saml2.artifact.impl.AbstractArtifactResolver.resolve(AbstractArtifactResolver.java:304)
         at com.bea.security.saml2.binding.impl.ArtifactBindingReceiver.resolve(ArtifactBindingReceiver.java:77)
         at com.bea.security.saml2.binding.impl.ArtifactBindingReceiver.receiveRequest(ArtifactBindingReceiver.java:40)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.receive(SSOServiceProcessor.java:295)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.processAuthnRequest(SSOServiceProcessor.java:118)
         at com.bea.security.saml2.service.sso.SSOServiceProcessor.process(SSOServiceProcessor.java:100)
         at com.bea.security.saml2.service.sso.SingleSignOnServiceImpl.process(SingleSignOnServiceImpl.java:50)
         at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:27)
         at $Proxy26.process(Unknown Source)
         at com.bea.security.saml2.servlet.SAML2Servlet.service(SAML2Servlet.java:34)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3686)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >

    Hi user13435437,
    The key=AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI= is the SAMLArtifact id, it has nothing to do with any of the public/private keys of the managed servers.
    My scenario is a little bit different: Weblogic working as SP and ADFS2 as IdP. What I would recommend you is to use the HTTP-POST & HTTP-REDIRECT binding instead of the Artifact one.
    But if you want to remain with this binding maybe you should check the "Authentication Request Cache Timeout" attribute.
    Hope it helps,
    Luis
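    Luis's point that the value logged as "key=..." is the SAML artifact, not a key, is easy to confirm by splitting the artifact into its fields. The following is an added example (not code from the thread, from WebLogic or from ADFS) that parses a type 0x0004 SAML 2.0 artifact as laid out in the SAML 2.0 Bindings specification: 2-byte type code, 2-byte endpoint index, 20-byte SourceID (the SHA-1 of the issuer's entityID) and a 20-byte random message handle. It uses the artifact value quoted above; the partner entityID in the demo is a constructed placeholder, so the thread's artifact will not match it. The defender-side check it shows is that a service provider should only resolve artifacts whose SourceID maps to a partner it actually has metadata for.

```python
import base64
import hashlib
import os
from typing import Iterable, Optional

# Field layout of a type 0x0004 artifact (SAML 2.0 Bindings, section 3.6.4):
# TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20) = 44 bytes.
ARTIFACT_LEN = 44
TYPE_CODE_4 = 4

# The artifact value quoted in the thread above (taken from the page, not constructed).
THREAD_ARTIFACT = "AAQAAApriktiqPxDEvWbV4yOYVVARn3nNdPnLeD3F4z6gSCUJyQg8b2cZZI="


def parse_saml2_artifact(artifact_b64: str) -> dict:
    """Split a base64 type-4 SAML 2.0 artifact into its four fixed-width fields.

    Nothing in the artifact is secret: it is only a reference that the receiver
    hands back to the issuer's Artifact Resolution Service to fetch the real
    protocol message (the AuthnRequest or Response).
    """
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"expected {ARTIFACT_LEN} bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != TYPE_CODE_4:
        raise ValueError(f"unsupported artifact type code {type_code}")
    return {
        "type_code": type_code,
        "endpoint_index": int.from_bytes(raw[2:4], "big"),
        "source_id": raw[4:24],        # SHA-1 of the issuing party's entityID
        "message_handle": raw[24:44],  # random handle, meaningful only to the issuer
    }


def source_id_for_entity(entity_id: str) -> bytes:
    """SourceID is defined as the SHA-1 digest of the issuer's entityID string."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def identify_issuer(artifact_b64: str, known_entity_ids: Iterable[str]) -> Optional[str]:
    """Return the configured partner that issued the artifact, or None if unknown.

    An unknown SourceID means the artifact did not come from a partner this SP
    has metadata for, so there is no Artifact Resolution Service to call.
    """
    source_id = parse_saml2_artifact(artifact_b64)["source_id"]
    for entity_id in known_entity_ids:
        if source_id_for_entity(entity_id) == source_id:
            return entity_id
    return None


def build_artifact(entity_id: str, endpoint_index: int = 0,
                   message_handle: Optional[bytes] = None) -> str:
    """Assemble a type-4 artifact the way an issuer would (used for the demo below)."""
    handle = message_handle if message_handle is not None else os.urandom(20)
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = (TYPE_CODE_4.to_bytes(2, "big")
           + endpoint_index.to_bytes(2, "big")
           + source_id_for_entity(entity_id)
           + handle)
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    fields = parse_saml2_artifact(THREAD_ARTIFACT)
    print("type code:", fields["type_code"], "endpoint index:", fields["endpoint_index"])
    print("source id:", fields["source_id"].hex())
    # Constructed partner list (placeholder entityID); the thread's artifact will not match it.
    partners = ["https://idp.example.test/adfs/services/trust"]
    print("issuer of thread artifact:", identify_issuer(THREAD_ARTIFACT, partners))
    demo = build_artifact(partners[0], endpoint_index=2)
    print("constructed artifact resolves to:", identify_issuer(demo, partners))
```

    Running it shows the thread's artifact is a well-formed type 4 artifact with endpoint index 0; what the log then reports is that the issuer's resolution service returned a Success status with no embedded message, which is a problem on the resolving side (or a cache timeout, as Luis suggests), not a key or certificate problem.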

  • SAP Retail Store Services

    Hello,
    I want to configure SAP Retail Store Services in Portal (701) (ERP 6.0 EHP4).
    Business Component BP IS-R-SRS 1.40 is already installed.
    But I can't find documentation explaining the configuration in the Portal Environment.
    Can anybody guide me?
    Regards & Thanks,
    Steven

    Hi Steven,
    It looks like you need to use an iView to call the SRS.
    Documentation about the SRS: SAP notes 763210 and 918018.
    Maybe [this|http://help.sap.com/erp2005_ehp_04/helpdata/EN/25/f96c801c124fd1ae205d763585d427/frameset.htm] SAP Help page also can provide you with information.
    I hope this can be (at least) a kick-start.
    Best regards,
    Cristiano

  • Defaulting the Service Provider for the receipts pulled from credit card

    Hi,
    When the Associate goes on a business trip, some of the expenses are processed through the AMEX corporate credit card. Using a custom PRCC, these credit card transactions are uploaded into the system and are available as a buffer during trip creation. Associates create the trip using the ESS Portal. When the Associate selects the expense from the credit card buffer, we want the Service Provider to be defaulted to AX (AMEX). The service provider code for AMEX is configured as AX.
    In the following configuration (Travel Expenses -> Master Data -> Credit Card Clearing -> Define Assignment Table for Credit Card Clearing), we updated the Service Provider as AX for all the expense types related to AMEX.
    Now we notice that AX is not defaulted in the Service Provider when the Associate pulls the expense from the AMEX credit card buffer.
    Is there a way to default the service provider for all the expenses pulled from the credit card buffer?
    Thanks
    Sukumar

    Hi Nandagopal,
    You are right that the origin column has the Amex logo when selected from the Buffer. We are using the Service Provider in determining who the payment should go to. If the expense is from the credit card buffer, the payment should go to AMEX directly. If the expense is non-AMEX (i.e. manual entry and not from the buffer), then the payment will go to the employees themselves. Different wage types are determined based on the Service Provider for the same expense type. For example, for expense type ACAR (Rental), if the Service Provider is AX, then wage type, say, WJ67 is selected by the system. For expense type ACAR and no Service Provider, wage type WJ17 is derived. The accounting is determined based on the wage type.
    So the Service Provider is one of the key fields that determines the accounting. When the associate selects from the credit card buffer, the associate should also select the service provider as AX so that payment goes to AMEX. If the Associate forgets to select the service provider, then the payment goes to the Employee. Then the employee has to pay AMEX separately. In order to avoid this, we want to default the service provider as AX when the associate pulls from the credit card buffer.
    We maintained the default service provider as AX for AMEX credit card clearing in IMG node Travel Expenses -> Master Data -> Credit Card Clearing -> Define Assignment Table for Credit Card Clearing. In this node we link the credit card company transaction keys to the SAP expense type, and you have the option to select the Service Provider. But this default is not working in Portal.
    Please let me know if this default setting should work.
    Thanks
    Sukumar

  • Access Enterprise Search via ABAP Web Service

    Hello ES experts,
    I am looking for more information on how to access Enterprise Search via the ABAP web service QSDispatcher, using the processQuery operation. I created a client proxy and need information on the structure of the input and output parameters (query and query result).
    Thanks, Srdjan

    Hi Srdjan
    You can access the SAP ABAP system by configuring it in the NW ES admin console; any system with version > 4.6C can be integrated in the search engine.
    The UI for NW ES is a WebDynpro via Web Browser (in the future it will be integrated in Widgets and Portal, etc.), but I'm not sure if you want to use the WS to access the results of the ES search or if you want to integrate a WS from ABAP as part of the search area...
    Please clarify.
    Thanks,
    Best Regards,
    Luis

  • SSO and ABAP Web Services

    I am opening this thread on behalf of my colleague Bala regarding SSO and ABAP Web Services.
    We have gone through single sign on options and found several options are available within 5.0.
    We would like to know the options available for SAP ABAP web services access from a Non-SAP system with user authorization but without a Portal/ITS installation.
    Also I would like to avoid any hard coding of the user id in the Non-SAP system.
    Could you provide any information?
    Thanks,
    Bala

    We have gone through single sign on options and found several options are available within 5.0.
    Tell me what are the several options and what is your Non-SAP system?
    without Portal/ITS installation.
    ITS is now an integral part of the ECC 5.0 system. So you would not need a separate installation, unlike earlier versions.
    AB

  • What's the importance of "table-type" in SAP ABAP?

    Hi,
    I am Ahmed, an ABAP fresher.
    I want to know the use and importance of table types in SAP ABAP, which come under:
        Data Dictionary
            Data Types
                Data Element
                Structure
                Table Type
    I want to know about table types. Please give a brief idea.
    Bye.

    Hi,
    Transparent Tables
    A transparent table in the dictionary has a one-to-one relationship with a table in the database. Its structure in R/3 Data Dictionary corresponds to a single database table. For each transparent table definition in the dictionary, there is one associated table in the database. The database table has the same name, the same number of fields, and the fields have the same names as the R/3 table definition. When looking at the definition of an R/3 transparent table, it might seem like you are looking at the database table itself.
    Transparent tables are much more common than pooled or cluster tables. They are used to hold application data. Application data is the master data or transaction data used by an application. An example of master data is the table of vendors (called vendor master data), or the table of customers (called customer master data). An example of transaction data is the orders placed by the customers, or the orders sent to the vendors.
    Transparent tables are probably the only type of table you will ever create. Pooled and cluster tables are not usually used to hold application data but instead hold system data, such as system configuration information, or historical and statistical data.
    Both pooled and cluster tables have many-to-one relationships with database tables. Both can appear as many tables in R/3, but they are stored as a single table in the database. The database table has a different name, different number of fields, and different field names than the R/3 table. The difference between the two types lies in the characteristics of the data they hold, and will be explained in the following sections.
    Table Pools and Pooled Tables
    A pooled table in R/3 has a many-to-one relationship with a table in the database (see Figures 3.1 and 3.2). For one table in the database, there are many tables in the R/3 Data Dictionary. The table in the database has a different name than the tables in the DDIC, it has a different number of fields, and the fields have different names as well. Pooled tables are an SAP proprietary construct.
    When you look at a pooled table in R/3, you see a description of a table. However, in the database, it is stored along with other pooled tables in a single table called a table pool. A table pool is a database table with a special structure that enables the data of many R/3 tables to be stored within it. It can only hold pooled tables.
    R/3 uses table pools to hold a large number (tens to thousands) of very small tables (about 10 to 100 rows each). Table pools reduce the amount of database resources needed when many small tables have to be open at the same time. SAP uses them for system data. You might create a table pool if you need to create hundreds of small tables that each hold only a few rows of data. To implement these small tables as pooled tables, you first create the definition of a table pool in R/3 to hold them all. When activated, an associated single table (the table pool) will be created in the database. You can then define pooled tables within R/3 and assign them all to your table pool (see Figure 3.2).
    Pooled tables are primarily used by SAP to hold customizing data.
    When a corporation installs any large system, the system is usually customized in some way to meet the unique needs of the corporation. In R/3, such customization is done via customizing tables. Customizing tables contain codes, field validations, number ranges, and parameters that change the way the R/3 applications behave.
    Some examples of data contained in customizing tables are country codes, region (state or province) codes, reconciliation account numbers, exchange rates, depreciation methods, and pricing conditions. Even screen flows, field validations, and individual field attributes are sometimes table-driven via settings in customizing tables.
    During the initial implementation of the system the data in the customizing tables is set up by a functional analyst. He or she will usually have experience relating to the business area being implemented and extensive training in the configuration of an R/3 system.
    Table Clusters and Cluster Tables
    A cluster table is similar to a pooled table. It has a many-to-one relationship with a table in the database. Many cluster tables are stored in a single table in the database called a table cluster.
    A table cluster is similar to a table pool. It holds many tables within it. The tables it holds are all cluster tables.
    Like pooled tables, cluster tables are another proprietary SAP construct. They are used to hold data from a few (approximately 2 to 10) very large tables. They would be used when these tables have a part of their primary keys in common, and if the data in these tables are all accessed simultaneously. The data is stored logically as shown in Figure 3.3.
    Figure 3.3 : Table clusters store data from several tables based on the primary key fields that they have in common.
    Table clusters contain fewer tables than table pools and, unlike table pools, the primary key of each table within the table cluster begins with the same field or fields. Rows from the cluster tables are combined into a single row in the table cluster. The rows are combined based on the part of the primary key they have in common. Thus, when a row is read from any one of the tables in the cluster, all related rows in all cluster tables are also retrieved, but only a single I/O is needed.
    A cluster is advantageous in the case where data is accessed from multiple tables simultaneously and those tables have at least one of their primary key fields in common. Cluster tables reduce the number of database reads and thereby improve performance.
    For example, as shown in Figure 3.4, the first four primary key fields in cdhdr and cdpos are identical. They become the primary key for the table cluster with the addition of a standard system field pageno to ensure that each row is unique.
    Reward if helpful
    Jagadish

  • I am getting fearful about SAP (ABAP); how to improve my knowledge?

    pls help him

    Hi.
    It's damn simple to learn ABAP, no need to fear.
    Try SAMS ABAP in 21 Days to get a basic idea. It will be very helpful.
    Check the below link for it:
    http://venus.imp.mx/hilario/Libros/TeachYrslfAbap4/index.htm
    For more reference, check the below book:
    http://sap.mis.cmich.edu/sap-abap/index.htm
    Try using F1 help at each and every point in ABAP programming so that you can use the excellent library provided by SAP:
    http://help.sap.com/saphelp_erp2004/helpdata/EN/d1/8019f9454211d189710000e8322d00/frameset.htm
    Make good use of SDN for your doubts. It's wonderful.
    Regards
    Prasanth
