Generate current SAML Token with ADF

Hi all,
How can I generate the current SAML token for the authenticated user with ADF in an input form type hidden.
Thanks.

Hi Samy
Are you trying to propagate identity to an associated FA instance that belong to the same identity domain? If so, You dont need to configure anything. You can directly use the policy oracle/wss11_saml_token_with_message_protection_client_policy in your client. We have a sample in the SDK that showcases this.
Thanks
Vel

Similar Messages

ADFS Active Authentication SAML token with unicode values throwing error when post to _trust end point in SharePoint

Hi All,
I have a SP2013 environment which authenticate users using ADFS 2.0 via Windows AD. We have two separate clients, Portal and Mobile. Portal users Passive Federation where as Mobile client uses Active Authentication with usernamemixed endpoint in ADFS.
I have an AD property which stores Unicode characters. In Active Authentication via Mobile, for a user who has a Unicode value in the AD property, I can get the SAML token successfully from ADFS.
Ex : <saml:AttributeValue>español</saml:AttributeValue>
However, when I post this SAML token to SharePoint _trust endpoint, I'm getting an error "500 Internal Server error". However for the same user, if I change the AD property value from "español" to "English" then I can get the FedAuth
cookie successfully from the _trust endpoint.
Also, for the same user, If I logged in via Portal which uses Passive Federation, then it's working fine.
Really appreciate your thoughts on this.
Supun

Hi Supun,
As you mentioned, the issue only happens in Active authentication. Would you please let me know which mobile client your users are using for the Active authentication, is it a custom one? Please be noted if you use a mobile browser, the authentication will
also be Passive.
In Passive mode authentication, STS also uses POST to pass the security token to the relaying party. I'd like to know what kind of tool you are using to post a SAML token to SharePoint endpoint as impersonation of an Active authentication. Since the Active
authentication flow is quite complex, I also suggest you to check the event log in your ADFS server, and try to find more information about the issue.
Thanks,
Reken Liu
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected]

Validate SAML token with WSM

I'v posted this thread in the [SOA Suite forum|http://forums.oracle.com/forums/thread.jspa?threadID=912083&tstart=0] in the first place, but maybe this forum is a better places, for this question.
We're experiencing a lot of inconveniences using the "SAML - Verify WSS 1.0 Token" validation step in WSM. We've configured the SAML verifier to "allow signed assertions only" in order to achieve our security goals. Before a client is allowed access to a protected web service, the client must request an identity provider to get a signed saml assertion and attach this security token to the web service security header. In order to access the protected web services we'll like to use WSM to verify that the saml assertion:
1. Is issued by a specific identity provider (no problem)
2. That the conditions in the assertion is valid (no problem)
3. That the assertion i signed by a trusted certificate (problem)
4. That the signature of the assertion is valid in proportion to the signed context of the assertion (problem)
The inconveniences starts when we expect that the "SAML - Verify WSS 1.0 Token" validation step, validates the signatures of the assertion, before using it. But it seems, that this isn't the purpose of the verifier. When the saml token verifier is configured with "allow signed assertions only", then the client receives a "SAML token verification failed". This seems reasonably, but if we just add an empty ds:Signature element inside the wsse:Security element, then the client is granted access:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature Id="Signature-11551252" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="nakbhwl3Qz8mPC00cL1bUg22" Issuer="https://credentials.com/idp" IssueInstant="2009-06-09T11:05:40Z">
</saml:Assertion>
</wsse:Security>
I find this behavior very strange. Also, if i do some manual changes in the saml assertion issued and signed by the identity provider, this is allowed too, even though the signature is invalidated. Event if I remove the ds:Signature from the assertion, but keeps the empty ds:Signature below the wsse:Security element, the client is granted access.
In the documentation of the "SAML - Verify WSS 1.0 Token", i found this quotation:
"Verifies the SAML token according to the Web Services Security SAML Token Profile 1.0 (WSS STP 1.0) standard."
But I don't find this statement true. Our assertions is issued with confirmation method "sender-voches":
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
I interpret the spec as, a receiver MUST NOT accept assertions containing a "sender-vouches" confirmation method unless the assertions and soap message content being vouches for are protected by an attesting entity who is trusted by the receiver. This is absolute not the case in our tests. The assertion isn't protected at all. The empty ds:Signature element in the wsse:Security element doesn't protect any thing and even when we totally remove the ds:Signature tag in the assertion, we're granted access.
It seems like the purpose of the "SAML - Verify WSS 1.0 Token" step isn't to validate the confidentiality of the saml assertions and only grant access if the saml assertions is correct. It is possible to freely change the tokens and then be granted access. I think we need some more steps in WSM before the saml validation step, but I don't know which.
We'll like to know if any one knows how to use this "SAML - Verify WSS 1.0 Token" step, to achieve a secure access to protected service. Do we need some pre/post step to achieve a satisfying level of security, do we need to make our own custom step or just used another security product?
Regard
Jacob
Edited by: wmjaboj on 2009-06-10 01:42

hi jacob
looks like you have successfully configured the client side ; I am struggling in that itself. I am calling a secure web-service and I want to use saml token profile 1.1. I am using wls 10.3 and I am getting an error Unable to add signature .
Can you help me with the configuration at the client side ?
Thanks
Regards
Sanyam

Oracle BPM and SAML Token

Hi all,
is there any way to use SAML token with OBPM?
I need to invoke webservice from OSB and it needs authentication.
So, i want to provide SAML Token to authenticate.
I just want to know how to configure SAML token in OBPM. is it supported?
With Regards,
Wai Phyo
Edited by: waiphyo on May 25, 2010 5:36 PM

In the data control palette under the collection that represents the child you should see a node of operations - in there you should see next/previous - drag those onto the page to get the scrolling through the records going on.

Using Saml token profile 1.1 with WLS 10.3

Hi All
I am a Student from IITB. I am trying use message-level authentication for webservices using SAML Token Profile 1.1 on weblogic 10.3. I have done the necessary configuration but I am getting an error
"Unable to add Security Token for Identity ". I Started the SamlCredMapper Debug flag on from the console and saw the logs and I saw that everything is going fine untill at one place it
gives this error
<Debug> <SecuritySAMLCredMap> ' *<1245866312123> <BEA-000000> *<SAMLCredentialMapperV2: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: No partner ID or target resource>**
I do not know how to fix this problem. Please Tell me if anyone has any idea about it.
Thanks
regards,
Sanyam
//The Logs are as follows
<Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): initiator = Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("ssouser")
>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): resource = (null)>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Found partner 'rp_00001'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310436> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Not found name mapper in the cache, try to create one>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310437> <BEA-000000> <SAMLNameMapperCache.getNameMapper: create SAMLNameMapperImpl name mapper>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310439> <BEA-000000> <SAMLNameMapperImpl: mapSubject: No valid WLSGroup pricipals found in Subject, continuing>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310439> <BEA-000000> <SAMLNameMapperImpl: mapSubject: Mapped subject: qualifier: null, name: ssouser, groups: []>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310440> <BEA-000000> <SAMLCreateAssertion: Mapped subject 'Subject: 1
     Principal = class weblogic.security.principal.WLSUserImpl("ssouser")
' to: username='ssouser',qualifier='null',format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310442> <BEA-000000> <SAMLCreateAssertion: No context or subject attribute were mapped>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310442> <BEA-000000> <SAMLCreateAssertion: Groups attribute statement requested but name mapper returned no groups -- groups attribute statement will not be generated>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: Creating sender-vouches assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: Assertion IS signed>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: KeyInfo IS NOT supplied>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: AttrStmtInfo IS NOT supplied>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310460> <BEA-000000> <SAMLCreateAssertion: Created SAMLSubject for 'ssouser'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310460> <BEA-000000> <SAMLCreateAssertion: Created SAMLSubject>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310475> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Cloning SAMLSubject>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310476> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Created SAMLAuthenticationStatement>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310484> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Signing assertion, keyinfo is included>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310508> <BEA-000000> <SAMLSignedObject.sign(): algorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310509> <BEA-000000> <SAMLSignedObject.sign(): reference '#b21cfea8d3c90fee97a3100a59b0005e'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310509> <BEA-000000> <SAMLSignedObject.sign(): InclusiveNamespaces '#default saml samlp ds dsig code kind rw typens'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310542> <BEA-000000> <SAMLSignedObject.sign(): adding certificates>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310556> <BEA-000000> <SAMLSignedObject.sign(): signing object>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLSignedObject.sign(): completed>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Signed assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Created SAMLAssertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: Returning assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): Returning non-null credential>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311896> <BEA-000000> <SAMLIdentityAsserter: assertIdentity() called>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311897> <BEA-000000> <SAMLIdentityAsserter: SAMLIdentityAsserter: tokenType is 'SAML.Assertion.DOM'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311903> <BEA-000000> <SAMLAssertion: Assertion passed basic validity check>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311905> <BEA-000000> <SAMLAssertion: Target for assertion is: 'http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311905> <BEA-000000> <SAMLAssertion: Assertion issuer is: 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311906> <BEA-000000> <SAMLAssertion: Assertion subject confirmation method is: 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://usmumsanygoyal1:7001/&http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAPConfigManager.findPartnerInTargetMap():Found partner 'ap_00001'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAssertion: Found asserting party 'ap_00001'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAssertion: Assertion is signed>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311908> <BEA-000000> <SAMLTrustManager: Looking for certificate alias 'testalias'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311930> <BEA-000000> <SAMLTrustManager: Certificate was found>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311937> <BEA-000000> <SAMLSignedObject.verify(): key supplied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311963> <BEA-000000> <SAMLSignedObject.verify(): obtained signed info>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311963> <BEA-000000> <SAMLSignedObject.verify(): validating signature>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311970> <BEA-000000> <SAMLSignedObject.verify(): completed>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311970> <BEA-000000> <SAMLAssertion: Signature verified using trusted certificate>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <Got signing certificate for signed object: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <SAMLAssertion: Assertion subject confirmation method is: 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <SAMLAssertion: Verified subject confirmation method>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311978> <BEA-000000> <SAMLAssertion: Assertion issuer is 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311978> <BEA-000000> <SAMLAssertion: Assertion issuer verified>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: Assertion contains NotBefore condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: Assertion contains NotOnOrAfter condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: NotBefore condition satisfied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: NotOnOrAfter condition satisfied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion has AudienceRestrictionCondition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Found matching audience 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: AudienceRestriction condition satisfied (matching audience)>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion has DoNotCache condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion conditions verified>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311986> <BEA-000000> <SAMLAssertion: Found subject for name: 'ssouser'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Not found name mapper in the cache, try to create one>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLNameMapperCache.getNameMapper: create SAMLNameMapperImpl name mapper>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: Looking for AttributeName 'Groups'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: Looking for AttributeNamespace 'urn:bea:security:saml:groups'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: ProcessGroups is true but did not find expected groups attribute statement>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311988> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Found name mapper in the cache>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311988> <BEA-000000> <SAMLNameMapperImpl: mapNameInfo: returning name: ssouser>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311989> <BEA-000000> <SAMLNameMapperImpl: mapGroupInfo: returning groups: null>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311989> <BEA-000000> <SAMLIACallbackHandler: SAMLIACallbackHandler(true, ssouser, null)>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311996> <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(ssouser)>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866312002> <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(ssouser)>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312122> <BEA-000000> <SAMLCredentialMapperV2: getCredentials: Subject initiator>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312122> <BEA-000000> <SAMLCredentialMapperV2: getCredentials(Subject): getCredentialInternal() called>
_####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' *<1245866312123> <BEA-000000> **<SAMLCredentialMapperV2: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: No partner ID or target resource>**_*

Client Side
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:credential-mapper xsi:type="wls:saml-credential-mapper-v2Type">
<sec:name>SAMLCredentialMapper</sec:name>
<wls:issuer-uri>www.bea.com/demoSAML</wls:issuer-uri>
<wls:name-qualifier>bea.com</wls:name-qualifier>
<wls:signing-key-alias>testalias</wls:signing-key-alias>
<wls:default-time-to-live-delta>-30</wls:default-time-to-live-delta>
<wls:signing-key-pass-phrase-encrypted>{3DES}dOC15C42IEzCnN/klGIdyQ==</wls:signing-key-pass-phrase-encrypted>
</sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:key-store xsi:type="wls:default-key-storeType">
<sec:name>keystore</sec:name>
</sec:key-store>
<sec:name>myrealm</sec:name>
</realm>
Server side
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:saml-identity-asserter-v2Type">
<sec:name>SAMLIdentityAsserter</sec:name>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>
Sanyam

How to pass credentials/saml token access sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication

How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication
Identity provider here is Oracle identity provider
harika kakkireni

Hi,
The following materials for your reference:
Consuming List.asmx on a claims based sharepoint site
http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
Sharepoint Claims based authentication and Single Sign on
http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
Sharepoint Claim Based Authentication Web Service issuehttp://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
Best Regards
Dennis Guo
TechNet Community Support

Jsessionid - weblogic 10.3.5, saml 2.0 & adfs 2.0 with peopletools 8.5x

We have set up SAML 2.0 to enable sso into peoplesoft (idp is adfs 2.0).
On a simple sample web application SAML is working correctly.
However when we tried to enable this for one of our Peoplesoft systems we ran into the issue that after the final
redirect to the target access is denied.
Peoplesoft is using a non-standard cookie name:
from weblogic.xml
<session-param>
<param-name>CookieName</param-name>
<param-value>PSDev2-0-PORTAL-PSJSESSIONID</param-value>
</session-param>
According to http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/saml.html
\quote
Use of Non-default Cookie Name
When the Assertion Consumer Service logs in the Subject contained in an assertion, an HTTP servlet session is created using the default cookie name JSESSIONID. After successfully processing the assertion, the ACS redirects the user’s request to the target web application. If the target web application uses a cookie name other than JSESSIONID, the Subject’s identity is not propagated to the target web application. As a result, the servlet container treats the user as if unauthenticated, and consequently issues an authentication request.
To avoid this situation, do not change the default cookie name when deploying web applications in a domain that are intended to be accessed by SAML 2.0 based single sign-on.
\endquote
This is exactly the issue we encounter. SAML itself is working properly. However, on redirect to the target application access is denied.
Now, if we disable the non-default cookie name in the peoplesoft application we get the error message 'cookies must be enabled' when trying to access i.e. \signon.html.
What can we do to make SAML 2.0 work with Peoplesoft?
Is there a way to change the cookie name for SAML or share the SAML session with the peoplesoft application?
Any help in this matter is greatly appreciated.
Thank you
Karl Weber
Systems Analyst
NAIT - Department of Information Services

Hi Karl,
I have reproduced your issue in my environment:
<session-descriptor>
<cookie-name>HELLO_WORLD_SSO</cookie-name>
</session-descriptor>What I am seeing is that Weblogic is not able to fix the user session (JSESSIONID), so it sends again the authentication request. Actually, in my case, it performs 5-6 retries. If you take a look at THE ADFS2 log you will see an exception like this: "The same client browser has made 6 request in the last 4 seconds..." At the end the IdP sends you a SAMLResponse with the status urn:oasis:names:tc:SAML:2.0:status:Responder. Weblogic +"translates"+ that message in a *403 Forbidden Error*.
Maybe you could feed that cookie, PSDev2-0-PORTAL-PSJSESSIONID, by yourself, i.e. implementing a filter:
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
httpServletResponse.addCookie(new Cookie("PSDev2-0-PORTAL-PSJSESSIONID", yourValue));
.../...Hope it helps,
Luis

ADFS saml tokens and Weblogic

Hi, i have configured ADSF server (with Active Directry) and a Weblogic server configured to work with ADFS. Services on weblogic are protected with oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy policy.
Now i need to define a users, having rights to invoke services.
I create users and roles in Active Directory, And create the same users and roles in Weblogic console.
How to map users between ActiveDirectory and WebLogic? When Weblogic receive a token with user claims, how will it find if this users is allowed or not to proceed?

any help..

Generating input textfields on clicking image with adf

Is it possible to generate input text fields dynamically on clicking a image with adf??
The functionality to add and remove text field from UI with ADF??
Edited by: 897462 on Nov 16, 2011 12:16 AM

thanks for ur reply....my other question is
Is it possible to generate input text fields dynamically on clicking a image with adf??
The functionality to add and remove text field from UI with ADF??

OWSM: Setting up SAML token verification with Novell Access manager

Hello,
We are trying to set-up communication between an OWSM gateway and a Novell Accces Manager to do the following:
All requests to our services should be secured using Web Services Security SAML Token Profile 1.0. OWSM will validate this token using the SAML – Verify WSS 1.0 Token step. The assertion will be issued by a Novell Access Manager. Are we right that OWSM needs to communicate with the Novell Access Manager for this? In that case Novell requires us to deliver metadata to establish a trust relation between the Identity Provider (Novell) and the Service Provider (OWSM). This metadata should look something like this:
odysseus:/var/opt/novell/tomcat4/webapps/nidp # cat application.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application PUBLIC '-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN' 'http://java.sun.com/j2ee/dtds/application_1_2.dtd'>
<application>
<display-name>NIDPJ2EEApp</display-name>
<description>Novell Identity Provider</description>
<module>
<web>
<web-uri>nidp.war</web-uri>
<context-root>nidp</context-root>
</web>
</module>
</application>
However I cannot find anything on this in the OWSM documentation.

To answer my own question. We found 4 application.xml files which seem to contain the metadata in the folders ccore, coreman, gateway and policymanager of $AS_HOME/owsm/config/.

Step-by-step Configuration of weblogic 9 as SAML token generator

Hi all,
Is there a online help where i can find a step by step guide to configure weblogic 9 as SAML token Source site?
http://e-docs.bea.com/wls/docs91/secmanage/saml.html
and http://e-docs.bea.com/wls/docs91/secintro/concepts.html and http://e-docs.bea.com/wls/docs91/secintro/archtect.html didnt help me much. It didnt explain the meaning of all the input fields in the admin console which are needed to configure weblogic as saml token generator.
Peace

I'm having the same issues - have you figured this out or received assistance?

Generate input text fields dynamically on clicking a image with adf??

Is it possible to generate input text fields dynamically on clicking a image with adf??
The functionality to add and remove text field from UI with ADF??

Yes, you can dynamically add components to a page.
[url http://www.nearinfinity.com/blogs/michael_bevels/dynamic_forms_using_jsf.html]Here is an example - it demonstrates with ICE Faces components, but the concept is the same for any type of component, including ADF
John

SAML token not understood (weblogic 10.3)

I'm trying to call my webservice with a SAML sender-vouches, and keep getting an error message. This used to work when running in Weblogic 9.2.3 (but we are in the process of upgrading to Weblogic 10.3).
(This is running from alsb 2.6)
My request:
<soapenv:Envelope      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
     <soap:Header      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
     </soap:Header>
     <soapenv:Body>
     <saml:TestRequest      xmlns:saml="http://saml.webservice.namespace.model">
     <saml:Call>string</saml:Call>
     </saml:TestRequest>
     </soapenv:Body>
     </soapenv:Envelope>
     <soapenv:Envelope      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
     <soap:Header      xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
     <wsse:Security      soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <saml:Assertion      AssertionID="d08c0548d758b52dbebfdb327e60a201" IssueInstant="2009-11-24T15:16:20.192Z" Issuer="http://www.sparebank1.no" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
     <saml:Conditions      NotBefore="2009-11-24T15:16:10.192Z" NotOnOrAfter="2009-11-24T15:18:10.192Z">
     <saml:DoNotCacheCondition/>
     </saml:Conditions>
     <saml:AuthenticationStatement      AuthenticationInstant="2009-11-24T15:16:20.192Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
     <saml:Subject>
     <saml:NameIdentifier      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="sparebank1.no">supermann</saml:NameIdentifier>
     <saml:SubjectConfirmation>
     <saml:ConfirmationMethod>
     urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
     </saml:ConfirmationMethod>
     </saml:SubjectConfirmation>
     </saml:Subject>
     </saml:AuthenticationStatement>
     <dsig:Signature      xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
     <dsig:SignedInfo>
     <dsig:CanonicalizationMethod      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <dsig:SignatureMethod      Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <dsig:Reference      URI="#d08c0548d758b52dbebfdb327e60a201">
     <dsig:Transforms>
     <dsig:Transform      Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
     <dsig:Transform      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
     <exc14n:InclusiveNamespaces      PrefixList="" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     </dsig:Transform>
     </dsig:Transforms>
     <dsig:DigestMethod      Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
     <dsig:DigestValue>KWkdUKb1gfftG4XchDnrmZmKbEc=</dsig:DigestValue>
     </dsig:Reference>
     </dsig:SignedInfo>
     <dsig:SignatureValue>
     uRvZvXqmLlxj/wXSaG7zwLATsRCwPND++4zUHQZB2o6KPeDNR89f02t/CnLDsrbjGr9Y4JgXmGSkmMK+eP0JdY/q9CiOekhpJJ9RhZupE1ldoIPzLqc8nLUC3lHJUrKCchnuKmxg76V7I3TWFCvqYMz2pFiNdm6n8Fq2xgxtjRc=
     </dsig:SignatureValue>
     </dsig:Signature>
     </saml:Assertion>
     </wsse:Security>
     </soap:Header>
     <soapenv:Body>
     <saml:TestRequest      xmlns:saml="http://saml.webservice.namespace.model">
     <saml:Call>string</saml:Call>
     </saml:TestRequest>
     </soapenv:Body>
     </soapenv:Envelope>
Response:
The invocation resulted in an error: Internal Server Error.
     <S:Envelope      xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
     <S:Body>
     <SOAP-ENV:Fault      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
     <faultstring>
     MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood
     </faultstring>
     <faultcode>SOAP-ENV:MustUnderstand</faultcode>
     </SOAP-ENV:Fault>
     </S:Body>
     </S:Envelope>
My policy file:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
wsu:Id="amartaSaml">
<wssp:Identity>
<wssp:SupportedTokens>
<wssp:SecurityToken
TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
<wssp:Claims>
<wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
</wssp:Claims>
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Identity>
</wsp:Policy>
java file:
@WebService( serviceName="SamlService", portName="SamlPort", endpointInterface="namespace.webservice.saml.SamlServiceImplPort", targetNamespace="http://saml.webservice.namespace", wsdlLocation="/wsdl/saml.wsdl" )
public class SamlServiceImpl implements SamlServiceImplPort
@RolesAllowed( {
@SecurityRole(role = "sb1.life.customer.employer"),
@SecurityRole(role = "sb1.life.customer.individual"),
@SecurityRole(role = "sb1.life.customer.authorizedparty"),
@SecurityRole(role = "sb1.life.distributor.change"),
@SecurityRole(role = "sb1.life.distributor.read"),
@SecurityRole(role = "sb1.life.distributor.expert") })
@Policy(uri = "policy:sb1life-ws-policy.xml", direction = Policy.Direction.inbound)
public TestResponse getCall( TestRequest parameter )
TestResponse response = new TestResponse();
response.setResponse( "Hello " + parameter.getCall() );
return response;
One thing that got changed was that in WLS 9.2.3 we deployed the services as EAR, while now we are just deploying them as WAR. Don't know if that makes a difference. Also, the domain template for creating the weblogic domain is different.
I looked in Google, and there seems to be a "common" problem with SAML, but I couldn't find a Weblogic specific solution.
Thank you,
John

This is not currently supported in 10.3 because JAX-WS only supports SAML2.0 on WLS 10.3 whilst OSB 10.3 can only generate SAML 1.1 tokens.
from support :
"JAX-WS as implemented in WLS 10.3 does not support deprecated SAML policy (but SAML 2.0).
On the other hand OSB 10.3 is not supporting new SAML policy (you cannot import SAML 2.0 policy)."
Two solutions/workarounds:
1. Create a JAX-RPC WebService using the SAML-policy you have in place
2. Use OSB on the response-domain, create a proxy with policy and wsdl...
Adjust the endpoints in asserter and mapper

Exception: "Could not validate SAML Token"

We have an evaluation system setup that we are using to generate PDF from PS. We're connecting via the EJB client, and typically have had no problems. Until today. At some point today we began seeing exceptions being thrown on the client:
Caused by: com.adobe.idp.um.api.UMException | [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion has expired and hence not valid for user [administrator@DefaultDom]. Its valid till time [Tue Feb 04 10:58:45 MST 2014] was found to be before the current time [Tue Feb 04 16:04:41 MST 2014]
Simply bouncing the app server where the client code is running solved the problem, however we'd like to better understand what is going on and why. Nothing that I can find in the docs seems to indicate the cause/solution, and possible solutions have links that appear to no longer function: http://cookbooks.adobe.com/post_Renewing_the_context_to_handle_session_expiry-16410.html
Any suggestions and/or insight would be greatly appreciated. Thanks!

PROBLEM
Using the same instance of ServiceClientFactory to remotely invoke the services exposed by the LiveCycle container can lead to
exception related to assertion expiry
Solution
To handle the timeout use the ThrowHandler mechanism provided by the ServiceClientFactory framework
Detailed explanation
LiveCycle provides a client sdk for java based client to invoke its services remotely.
An invocation involves Creation of a ServiceClientFactory instance Setting the user credential in thefactory instance Pass that factory to a service client or use that to create InvocationRequest directly
Use the client to make the actual request.
For more details refer to Invoking
LiveCycle ES Using the Java API .
A ServiceClientFactory instance once created is valid for a ceratin
period of time which is by default 120 min. if the same instance is used to invoke beyond this period then it would lead to an exception stating that
the session has expired [com.adobe.idp.um.api.impl.AuthenticationManagerImpl]
errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML
Token --- Assertion has expired and hence not valid for user
[administrator@DefaultDom]. Its valid till time [Thu Oct 22
17:07:53 IST
2009] was found to be before the current time [Thu Oct
22 17:58:18 IST 2009]
This is not an issue if the ServiceClientFactory instance is used for short duration. However if you are going to perform a long
running task like converting large number of documents to pdf ,applying policies to them etc then it would be an issue.
Session Expiry
Before fxing the issue some info on what is session expiry.
When you use a ServiceClientFactory instance to invoke the service following fow happens
You set the credentials in the properties and invoke theservice
LiveCycle on server side validates the credentials and issues a Context. It is sort of a ticket which can be reused later instead of the actual credentials.
Upon receiving the response from the server the ServiceClientFactory instance deletes its own copy of credentials and instead stores the Context For later invocations this Context instance is passed instead of the user credentials
This whole fow is done to ensure that user's credentials are not sent for each remote call thus improving the security.
For more information on Context refer to
User Identity in LiveCycle .
Solution
To fx this issue you would have to re authenticate to LiveCycle and get the Context reissued. the best way to do that is to make use of the ThrowHandler provided by the ServiceClientFactory framework
STEP1 - Create a Throwhandler
* This ThrowHandler caches the user credentials and uses them
to refresh the Context in the
* ServiceClientFactory upon expiry.
private static class SimpleTimeoutThrowHandler implements
ThrowHandler {
private String username;
private String password;
public SimpleTimeoutThrowHandler(String username, String
password) {
this.username = username;
this.password = password;
public boolean handleThrowable(Throwable t, ServiceClient
sc,
ServiceClientFactory scf, MessageDispatcher md,
InvocationRequest ir, int numTries) throws
DSCException {
if(timeoutError(t)){
//The call to AuthenticationManager do not require
authentication so the default properties
//are suffcient
AuthenticationManager am =
new
AuthenticationManagerServiceClient(ServiceClientFactory.createInstance (getDefaultProperties()));
AuthResult ar = null;
try {
ar =
am.authenticate(username,password.getBytes());
} catch (UMException e) {
throw new IllegalStateException(e);
Context ctx = new Context();
ctx.initPrincipal(ar);
//Refresh the ServiceClientFactory instance with
the new context
scf.setContext(ctx);
logger.info("Refreshed the context associated with
ServiceCLientFactory");
//Now tell SCF to try the invocation again
return true;
//Check so that we do not wrap the exception again
if(t instanceof DSCException)
throw (DSCException)t;
if(t instanceof RuntimeException)
throw (RuntimeException)t;
// how is it possible to get this far?
throw new IllegalStateException(t);
private boolean timeoutError(Throwable t) {
if(!(t.getCause() instanceof UMException)){
return false;
UMException ue = (UMException) t.getCause();
//Check that UMException is due to the
assertion/context expiry
if(UMConstants.ErrorCodes.E_TOKEN_INVALID ==
ue.getErrCode()){
return true;
return false;
This ThrowHandler would be invoked by the ServiceClientFactory upon receiving any exception. The handler would then determine if its a timeout related exception and then would refresh the Context associated with the factory instance and tells it to retry the invocation.
STEP - 2 Register the handler
ServiceClientFactory.installThrowHandler(new
SimpleTimeoutThrowHandler(username, password));
Note: The handler should be registered only once in the application
STEP 3 - Perform your invocation
Following sample would try to apply policies on all the fles present in a directory
Properties p = getDefaultProperties();
p.setProperty(DSC_CREDENTIAL_USERNAME, username);
p.setProperty(DSC_CREDENTIAL_PASSWORD, password);
ServiceClientFactory scf =
ServiceClientFactory.createInstance(p);
//Now do some long running operation
String inputDirName ="path-to-input-dir";
String outDirName = "path-to-out-dir";
String policyName = "the-policy-name";
File inDir = new File(inputDirName);
File outDir = new File(outDirName);
RightsManagementClient rmClient = new
RightsManagementClient(scf);
DocumentManager docManager = rmClient.getDocumentManager();
//Iterate over all the pdf in the inDir and apply the
policies. If this takes a
for(File pdfFile : inDir.listFiles()){
Document inDoc = new Document(pdfFile, false);
Document securedDoc = docManager.applyPolicy(inDoc,
pdfFile.getName(), null, policyName, null, null);
securedDoc.copyToFile(new
File(outDir,pdfFile.getName()));
Now the invocation would complete even if it takes a long time. if any session expiry occurs then our ThrowHandler would take care of that.
here's a sample:
TimeOutSample.zip

Getting Invalid SAML token error while trying to access wls9.2 webservice

Hi,
I am using wss4j at the client side as SAML token issuer to add saml assertion to the soap envelop whose target is a webservice deployed in a aqua logic service bus 2.6. But at the server side i.e wls9.2, i am getting following exception
weblogic.xml.crypto.wss.SecurityTokenValidateResult@326f6a[status: false][msg The SAML token is not valid.]</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>
weblogic.xml.crypto.wss.WSSecurityException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@326f6a[status: false][msg The SAML token is not valid.]
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSecurityToken(SecurityImpl.java:476)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:392)
This error seems to be coming during unmarshalling of soap envelop which is run before request goes to SAML Identity Assertion provider V1. Certificates are properly configured at both client and server side so it seems that generated SAML assertion is not compliant with weblogic 9.2 unmarshalling process.
Has anyone got any solution for this problem. I am not exactly looking for full SSO configuration at the weblogic side so I have not set any credential mapper (which is also a saml issuer). Nor have i done any setting related with SSO on weblogic.
Any idea will really be helpful in this regard.
Thanks.

In what version of Oracle?
I see a couple of problems assuming you are working with a currently supported version:
1. Never grant CONNECT to anyone: Ever. Grant CREATE SESSION.
2. GRANT CREATE TABLE to AQ;
Go to Morgan's Library at www.psoug.org and look at AQ Demo 1. You should have no problem cutting and pasting your way to where you are trying to go.

Generate current SAML Token with ADF

Similar Messages

Maybe you are looking for