Help regarding SAML Assertion

Can anyone tell me what a SAML assertion is all about? I just want to try out sample steps pertaining to SAML assertions in my policy editor.
So can any one of you kindly tell me a simple use case that you have tried out with SAML assertions, in the sense of what steps are to be added in the request pipeline and what the configuration points are in each step?
I am stuck with this use case.
Can any of you OWSM gurus teach me this?
At the same time, can you suggest a sample document where I can get a use case pertaining to SAML assertions and WS-Security?

Thanks for your prompt reply Yogesh. I have created the keystore using the keytool utility (say keystore location=C:\helloworld.jks and keystorepassword=welcome1). This is the password that I created.
Firstly,
Creating the keystore: I used a command something like:
C:\>keytool -v -genkey -keyalg RSA -keysize 1024 -keystore owsm_client -storepass clientpass -alias client -keypass client
What is your first and last name?
[Unknown]: manoj
What is the name of your organizational unit?
[Unknown]: ebi
What is the name of your organization?
[Unknown]: wipro
What is the name of your City or Locality?
[Unknown]: bangalore
What is the name of your State or Province?
[Unknown]: karnataka
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN="manoj ", OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN correct?
[no]:
Is CN="manoj ", OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN correct?
[no]:
What is your first and last name?
[manoj ]: manoj
What is the name of your organizational unit?
[ebi]: ebi
What is the name of your organization?
[wipro]: wipro
What is the name of your City or Locality?
[bangalore]: bangalore
What is the name of your State or Province?
[karnataka]: karnataka
What is the two-letter country code for this unit?
[IN]: IN
Is CN=manoj, OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN correct?
[no]: yes
Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
for: CN=manoj, OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN
[Storing owsm_client]
C:\>keytool -keystore Helloworld.jks -genkey -keyalg RSA -alias Helloworld -dname "cn=IN, ou=ebi, o=wipro, L=bangalore, ST=karnataka"
Enter keystore password: welcome1
Enter key password for <Helloworld>
(RETURN if same as keystore password): welcome1
This is what I did, so I guess the creation part of the keystore is done.
Now I'll tell you the steps that I have used:
In my request pipeline (gateway):
1> extract credentials
2> file authenticate (against .htpasswd)
3> insert SAML token 1.0 vouches
(the keystore location is specified above, and the signature method was RSA-MD5)
After this I committed the policy and then tried to test my page.
The fault that it was throwing was: FAULT MESSAGE: Signing error: FAULT CODE: InvalidSecurity FAULT MESSAGE: Signature key not found
Can you please tell me why the signature key is not found despite creating a Java keystore? Is it possible that the signature key is not found because of that certificate?
Can you please tell me what kind of certificate I should take: a VeriSign SSL test certificate or anything else?
I hope you will revert to me as soon as possible, and could you kindly send me the link where I might get that test certificate?
I do have some doubts about the policy editor options:
What does that "assertion issuer" do?
What is that "subject format"? (I set it to unspecified. If so, how do I send that format?)
What does "User Attributes for attribute statements string[]" do?
What does "Corresponding namespace URIs for the user attributes string[]" do?
I am thinking of a scenario something like this.
In the test page I'll be sending the request.
The policy manager of the gateway intercepts it and does the following:
1) it'll extract credentials (based on standard username and token (WS-Basic))
2) it authenticates the user against a file (.htpasswd)
3) upon successful authentication, the next step would be the Insert SAML token 1.0 (sender vouches) step
This ends the gateway part.
The request is then passed to the web service, and the request is intercepted by the serveragent before being sent to the web service.
The serveragent does the following:
3) verifies the SAML token that was created by the gateway before, and upon successful verification it sends the request to the web service.
So I think (correct me if I am wrong) I need to make the policies in the request pipelines of the gateway and the serveragent. I don't want to lay any policy on the response message as of now.
Could you tell me if this scenario works fine with OWSM?
Could you tell me what that keystore is doing for me?
Hope you will do the needful and revert to me as soon as possible.
Thanks and regards
Mahes

Similar Messages

  • Need Help Regarding Saml 2.0 Federation

    Hi Guys,
    I am setting up SAML 2.0 Federation but facing some problems, since the document does not provide any clear idea of how to configure SAML 2.0. It basically mentions SAML 1.x.
    Does anyone have the Oracle SAML 2.0 Federation deployed on Identity Access Manager?
    Which document should I refer to for the above?
    Thanks in Advance

    Yes, and you can follow the steps described in the metalink note :
    Status Of 'Oracle Ultra Search' is 'No Script' After Upgrading to 10.2 Doc ID: Note:375620.1
    Nicolas.

  • ID4220 SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Please help!

    Hi Everyone,
    I really would appreciate some help or pointers on my situation. I have a SharePoint 2013 farm: 1 server is the DC and runs SQL, the other is the WFE server with SharePoint and ADFS. I've configured Active Directory Certification Services and followed an excellent ADCS blog here.
    I've gone ahead and configured ADFS and believe my certificates to be sound, as I have no warnings or anything for the Service Communication, Token Signing or Token Decrypting certificate. Below are my certs.
    I also configured the trusted relying party following numerous blogs (I did this a couple of times to make sure I didn't do anything wrong) but followed this blog.
    My ADFS RP looks like this:
    Upon configuring the relying trust for my SharePoint web application, I used a PowerShell script, added 3 claim mappings and specified the exported token signing certificate as the main certificate. Running Get-SPTrustedIdentityTokenIssuer I can confirm that I've added the Token Issuer, which I believe to be correct:
    ProviderUri                   : https://adfsportal.mvdb.com/adfs/ls/
    DefaultProviderRealm          : urn:sharepoint:adfs
    ProviderRealms                : {}
    ClaimTypes                    : {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn, 
                                    http://schemas.microsoft.com/ws/2008/06/identity/claims/role, 
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress}
    HasClaimTypeInformation       : True
    ClaimTypeInformation          : {Email Address, Account ID, Role}
    ClaimProviderName             : 
    UseWReplyParameter            : False
    UseWHomeRealmParameter        : False
    RegisteredIssuerName          : 
    IdentityClaimTypeInformation  : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
    Description                   : ADFS SAML Provider
    SigningCertificate            : [Subject]
                                      CN=tokensigning.adfs.mvdb.com
                                    [Issuer]
                                      CN=mvdb-MVDBPRIME-CA, DC=mvdb, DC=com
                                    [Serial Number]
                                      24000000036DEE002044F8EC45000000000003
                                    [Not Before]
                                      2014-03-24 10:35:17 AM
                                    [Not After]
                                      2016-03-23 10:35:17 AM
                                    [Thumbprint]
                                      ED85DB5F1FF564FD7F645E365EB52C2DB406B825
    AdditionalSigningCertificates : {}
    MetadataEndPoint              : 
    IsAutomaticallyUpdated        : False
    Name                          : SAML Provider
    TypeName                      : Microsoft.SharePoint.Administration.Claims.SPTrustedLoginProvider
    DisplayName                   : SAML Provider
    Id                            : 2f59bcca-6ee1-43ae-b9fa-f1b415cdd58b
    Status                        : Online
    Parent                        : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
    Version                       : 22046
    Properties                    : {}
    Farm                          : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties   : {}
    So then I went and extended my web application, added a host header (secured with a wildcard cert) and chose the trusted provider I've just added with the script. When logging on, sure enough, I get prompted with the login dropdown, but as soon as I choose the ADFS option I get:
    ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken
    So far I have not been able to get further than this. I've double checked that I have given permissions on the token signing cert's private keys (read permissions on the ADFS service account as well as Network Service).
    Please help!
    -Mike

    Hi,
    According to your post, my understanding is that you got the "ID4220 SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken" error.
    I recommend running the Get-SPTrustedIdentityTokenIssuer PowerShell command on the SharePoint server and looking at the Trusted Identity Token Issuer to see if the certificate associated with it is the correct version of the ADFS token signing certificate.
    If you exported the ADFS communication certificate for the ADFS login URL instead of the ADFS token signing certificate, please export the correct version of the ADFS token signing certificate and rerun the following command on the SharePoint servers using the SharePoint install account to associate the correct version of the ADFS signing certificate with the SharePoint TrustedIdentityTokenIssuer; it should resolve the issue.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Host\ADFS Signing.cer")
    $sts = Get-SPTrustedIdentityTokenIssuer
    $sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert
    More information:
    SharePoint and ADFS Configuration Error – ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken
    Thanks,
    Linda Li
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Linda Li
    TechNet Community Support

  • How to get SAMl assertion from SOAP Header and propagate user context to BW

    Hello to all,
    we implemented this scenario:
    3rd-party system to SAP PI 7.11 to SAP BW,
    synchronous communication via SOAP sender adapter and receiver XI proxy.
    We get a SAML assertion in the SOAP header from the 3rd-party system.
    The SAP BW system could not read the header information.
    How can we get the information of the SOAP header in the PI system and send the user context via XI proxy to the SAP BW system?
    Can we read the header information in the SOAP adapter and map it to another field in the payload or header information which could be read in the backend system in the proxy class?
    Thanks for your help and regards
    Martin

    Dear Fox,
    Thanks for your reply.
    Is it mandatory to have the Header elements and the message defined in the Mediator wsdl?
    At present I have not defined it in the WSDL.
    Thanks,
    Subin

  • Verify signature on SAML assertion

    I've already asked this question on StackOverflow (http://stackoverflow.com/questions/25394137/verify-signature-on-saml-assertion), but I'm hoping to get a better response here. I'm trying to validate some SAML that looks like this:
    <samlp2:Response Destination="http://www.testhabaGoba.com" ID="ResponseId_934151edfe060ceec3067670c2f0f1ea" IssueInstant="2013-09-24T14:33:29.507Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:Signature>
    <saml2:Assertion ID="SamlAssertion-05fd8af7f2c9972e69cdbca612d3f3b8" IssueInstant="2013-09-24T14:33:29.496Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    </ds:Signature>
    </saml2:Assertion>
    </samlp2:Response>
    The signature on the response always passes, but the signature on the assertion always fails. Even when I use SAML that doesn't sign the response, the assertion signature fails. Here's a condensed version of the code I'm using:
    using System.Diagnostics;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using System.Security.Cryptography.Xml;
    using System.Xml;

    // Walk every ds:Signature in the document (the Response signature and the Assertion signature)
    foreach (XmlElement node in xmlDoc.SelectNodes("//*[local-name()='Signature']"))
    {
        // Verify this Signature block against the element that encloses it
        SignedXml signedXml = new SignedXml(node.ParentNode as XmlElement);
        signedXml.LoadXml(node);
        KeyInfoX509Data x509Data = signedXml.Signature.KeyInfo.OfType<KeyInfoX509Data>().First();
        // Verify certificate
        X509Certificate2 cert = x509Data.Certificates[0] as X509Certificate2;
        log.Info(string.Format("Cert s/n: {0}", cert.SerialNumber));
        VerifyX509Chain(cert); // Custom method
        // Check for approval: the signing cert must be in the local TrustedPublisher store
        X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection collection = store.Certificates.Find(X509FindType.FindBySerialNumber, cert.SerialNumber, true);
        Debug.Assert(collection.Count == 1); // Standing in for brevity
        // Verify signature
        signedXml.CheckSignature(cert, true);
    }
    Everything works except the CheckSignature method. It's the only thing that fails and it always fails the SAML assertion. What am I doing wrong?

    Hello Matthew T. Ricks,
    Personally, after reading your post, I don't think this issue is related to this forum: "Discuss and ask questions about the C# programming language, IDE, libraries, samples, and tools."
    The problem is due to the SAML assertion failing, and I read something like this
    http://docs.oracle.com/cd/E21455_01/common/tutorials/authn_saml_xml_sig.html to know what SAML is and how it works. I would recommend you consult a SAML-related forum to ask this question.
    Regards,
    Barry

  • SAML Assertion URL

    I've been working with a 3rd-party IdP on establishing SSO for my on-premise environment with SAML. I'm at the point now where they need to know what the ACS or SAML endpoint URL would be; this would actually process the SAML assertion they send back.
    Looking through the documentation, all I can see is that other 3rd-party IdPs are only configuring the response to go back to the root site collection for the web application. Am I correct in my thought that if I provide them the URL of my root site collection, say "https://example.company.com", SharePoint will process the SAML assertion? Or is there some other URL I need to be passing that will handle the assertion?

    Hi Jacob,
    Thank you for your question.
    We are currently looking into this issue and will give you an update as soon as possible.
    Thank you for your understanding and support.
    Best Regards,
    Wendy
    Forum Support
    Wendy Li
    TechNet Community Support

  • Parse a SAML assertion

    I want to parse a SAML assertion from an Identity Provider and use some
    of the data for identity injection. Anyway, the java identity injection
    plug-in can not access the SAML assertion, it can only access the
    username and password using the ExternalDataFillerContext object.
    Is it possible to extend the authentication class to parse the SAML
    assertion and write out the data to the customisation profile? Which
    method or property returns the SAML assertion?
    Thank you,
    Alessandro
    afolli
    afolli's Profile: http://forums.novell.com/member.php?userid=6964
    View this thread: http://forums.novell.com/showthread.php?t=398904

    Hi. Thanks for the answer.
    I have two federated domains. The user requests a resource on domainA
    and is redirected to IdpA for authentication. The user authenticates on
    IdpB and returns back. At this point I need to extract some info from
    the SAML assertion returned by IdpB.
    Do you think it's possible?
    Thanks,
    Alessandro
    mumasankar;1926007 Wrote:
    > The assertions are not stored on the session. It is a little confusing
    > when you say you want to parse a SAML assertion from the authentication
    > class. Usually, after authentication is done (after the authentication class
    > finished executing), the response will be generated by the IDP and
    > assertion creation is part of the response.
    >
    > Can you please give details of your use case?
    >
    > Regards,
    > Uma.

  • Problem with signed SAML assertion and Web Services Manager

    Folks,
    I’m having some issues trying to generate a proper signed SAML assertion using JDeveloper 10.1.3. I am securing a java proxy class using the wizard as described in http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html .
    On the OWSM side, I have a service that I am securing with SAML - Verify WSS 1.0 Token. If I set the "Allow signed assertions only" property to false I can complete the service call. However, when it is set to true I am receiving the following fault: javax.xml.rpc.soap.SOAPFaultException: SAML token verification failed.
    When I examine the message going to OWSM in a packet analyzer, it is missing the signature in the SAML assertion. The <saml:Assertion> tag looks like:
          <saml:Assertion MajorVersion="1" MinorVersion="1"
                          xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                          AssertionID="yM0oqZgF0N1a1td6yzKgOQ22"
                          IssueInstant="2007-01-23T17:15:27Z"
                          Issuer="HealthMarkets_s3">
            <saml:Conditions NotBefore="2007-01-23T17:15:27Z"
                             NotOnOrAfter="2007-01-24T17:15:27Z"/>
            <saml:AuthenticationStatement AuthenticationInstant="2007-01-23T17:15:27Z"
                                          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">client_s3</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
            </saml:AuthenticationStatement>
          </saml:Assertion>
    I have selected the Sign Outbound Messages in step 3 of the Secure Web Proxy Wizard. This step uses the DSA-SHA1 algorithm.
    Any help is greatly appreciated.
    Thanks in advance,
    Joseph

    Thanks for the response. I am not using any pages for this application yet... just calling the web service from SOAP UI or any Web Service testing tool causes the problem.
    All that has to be done to replicate it is to build a simple EJB 3.0 JPA bean using the entities from tables wizard and then add named query as follows:
    @NamedQuery(name = "BomHeader.findByDesc", query = "select o from BomHeader o where o.bomDesc like :p_bomDesc")
    then build a session bean with the wizard that includes the JPA persistence unit and the entity and subsequently use the wizard to wrap the session bean in a web service.
    The whole replication process should take 5 minutes if you have some database tables to work with. It breaks when the web service is called.
    Thanks in advance

  • SAML Assertion ID already in cache -- returning SC_FORBIDDEN

    We are using WLS 10.3 and getting a "SAML Assertion ID already in cache -- returning SC_FORBIDDEN" error.
    Any clue as to how or why this would happen, or a resolution?
    Also, we are in a Managed Server Cluster environment.
    thanks
    ft

    Hi Hao,
    Regarding claims based issue, I suggest you refer to experts from the following forum to get professional support:
    Claims based access platform (CBA), code-named Geneva Forum
    http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Thank you for your understanding and support.
    Best Regards,
    Amy

  • Problem signing SAML assertion

    Folks,
    I’m having some issues trying to generate a proper signed SAML assertion using JDeveloper 10.1.3. I am securing a java proxy class using the wizard as described in http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html .
    On the OWSM side, I have a service that I am securing with SAML - Verify WSS 1.0 Token. If I set the "Allow signed assertions only" property to false I can complete the service call. However, when it is set to true I am receiving the following fault:
    javax.xml.rpc.soap.SOAPFaultException: SAML token verification failed.
    When I examine the message going to OWSM in a packet analyzer, it is missing the signature in the SAML assertion. The <saml:Assertion> tag looks like:
          <saml:Assertion MajorVersion="1" MinorVersion="1"
                          xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                          AssertionID="yM0oqZgF0N1a1td6yzKgOQ22"
                          IssueInstant="2007-01-23T17:15:27Z"
                          Issuer="HealthMarkets_s3">
            <saml:Conditions NotBefore="2007-01-23T17:15:27Z"
                             NotOnOrAfter="2007-01-24T17:15:27Z"/>
            <saml:AuthenticationStatement AuthenticationInstant="2007-01-23T17:15:27Z"
                                          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">client_s3</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
            </saml:AuthenticationStatement>
          </saml:Assertion>
    I have selected the Sign Outbound Messages in step 3 of the Secure Web Proxy Wizard. This step uses the DSA-SHA1 algorithm.
    Any help is greatly appreciated.
    Thanks in advance,
    Joseph

    I do believe that JDev will produce a deployment descriptor that contains the WS-Security policy information. Can you post this? It should look something like this:
    <oracle-webservice-clients>
    <webservice-client>
    <saml-token>
    <signature-methods>RSA-SHA1</signature-methods>
    </saml-token>
    </webservice-client>
    </oracle-webservice-clients>

  • Sample SAML assertion

    Hi Gurus,
    Can anybody send a sample SAML assertion which is accepted by SAP EP?
    I am particularly interested in the format in which it is generated.
    Warm Regards,
    Karan

    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906d9fc6-31b9-2910-1385-90edad7d7570

  • How to make OAM accept SAML Assertion?

    Hi folks,
    I need to make OAM accept SAML Assertion. We have a Layer7 appliance called SSG (Secure Span Gateway) which protects web resources and generates SAML assertion. I need to find out whether OAM can accept the SAML Assertion sent by SSG appliance to authenticate and authorize access.
    Any help is appreciated.
    Thank you, Roman

    Hi idmgod,
    Thanks for the post. Rather interesting! Correct me if I'm wrong here, but this is how this should work:
    1. The simpleSAMLphp (configured to support php w extensions, connect and authenticate/authorize against ldap server in my case, etc) sits in front of OAM, and accept the SAML Assertion
    2. It then creates an obSSOCookie (just like the WebGate does), and sends it to OAM
    3. OAM checks obSSOCookie and based on the cookie data (user DN, shared secret key, etc) allows access to a protected resource
    Does this sound right?
    Roman

  • Static values in SAML assertion

    In SAML 1.0, will it be possible to include static values in a SAML assertion?

    These are two different queries. The static list:
    select * from tab_1 where (col_1) in (1,2,3)
    means return all rows where COL_1 = 1 or COL_1 = 2 or COL_1 = 3. The syntax only allows one column as the argument in this sort of IN.
    The variable list:
    select * from tab_1 where (col_1,col_2) in (select col_1,col_2 from tab_2)
    means return all rows where TAB_1.COL_1 = TAB_2.COL_1 and TAB_1.COL_2 = TAB_2.COL_2. In this case the number of arguments on the left-hand side of the IN must match the number of arguments on the right-hand side.
    In other words, this is not valid syntax either:
    select * from tab_1 where (col_1,col_2) in (select col_1 from tab_2)
    If you want to test two columns against a static list you need separate clauses for each of them.
    You may find the documentation helpful.
    expression lists: http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96540/expressions14a.htm#1029285
    membership conditions: http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96540/conditions5a.htm#1013449
    Cheers, APC

  • Read Userid from SAML Assertion Ticket

    Hi,
    I have following queries:
    1)  I need to read the userid from a SAML assertion ticket. If so, please share the process/code.
    2)  Can I send authorization data as part of the SAML assertion ticket? If so, please share the process.
    Thanks,
    Mano.

    Hi Mano,
    I am not sure what you mean by User id as output. But I know you can configure an SAP server as a service provider which can initiate an authentication to an Identity provider.
    Here is the documentation. Hopefully this helps.
    Using SAML2.0 in SAP for ABAP #
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/46/631b92250b4fc1855686b4ce0f2f33/content.htm
    Using SAML2.0 in SAP for Java #
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm?frameset=/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm
    SAP As a Service provider for ABAP #
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/b6df333fec6d83e10000000a42189c/content.htm
    Including Legacy System in your SAML2.0 Landscape #
    http://help.sap.com/saphelp_nw70ehp2/helpdata/en/4a/b4f01285376d61e10000000a42189c/content.htm?frameset=/en/4a/b6df333fec6d83e10000000a42189c/frameset.htm
    Dhee

  • How to validate user.attributes in a SAML assertion?

    Hello!
    I'm using WebLogic Server 10.3.6.0 + Oracle Service Bus 11.1.1.6 + Oracle Enterprise Manager 11g.
    I deploy my web service on WebLogic Server and protect it with an OWSM SAML-based policy (now it is oracle/wss_saml_token_bearer_over_ssl_service_policy).
    It is working, but there are some things I don't understand.
    My main question: how can I configure validation of user attributes in the SAML assertion?
    For example, inbound requests have 3 attributes in the SAML assertion tag: role, email and dept.
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance">
    <soap:Header>
    <wsse:Security>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="Id-0000010a3c4ff12c-0000000000000002"
    IssueInstant="2006-03-27T15:26:12Z" Version="2.0">
    <saml:Issuer Format="urn:oasis ... WindowsDomainQualifiedName">
    TestCA
    </saml:Issuer>
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis ... WindowsDomainQualifiedName">
    TestUser
    </saml:NameIdentifier>
    </saml:Subject>
    <saml:Conditions NotBefore="2005-03-27T15:20:40Z"
    NotOnOrAfter="2028-03-27T17:20:40Z"/>
    <saml:AttributeStatement>
    <saml:Attribute Name="role" NameFormat="http://www.oracle.com">
    <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="http://www.oracle.com">
    <saml:AttributeValue>[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="dept" NameFormat="">
    <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>
    </wsse:Security>
    </soap:Header>
    <soap:Body>
    <product>
    <name>Enterprise Gateway</name>
    <company>Oracle</company>
    <description>Web Services Security</description>
    </product>
    </soap:Body>
    </soap:Envelope>
    But I want to permit only requests with 4 attributes (for example, role + email + dept + city) or something like that. How can I configure this in the OWSM policy settings or WebLogic settings?
    Thanks for any help.

    That would be the easiest route, but isn't it against the standards to use triggers on tables? I was thinking of doing the validation before the item is created on the page, by customizing the create item and update item pages.
    Did anyone work on PIM to do this sort of customization? The pages are all dynamic and pretty complex, and I am not able to figure out where to fit in my validation.
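The "How to validate user.attributes" post above asks how a service can insist on a given set of attributes in the assertion. As an added example (not code from that thread, OWSM or WebLogic), here is a small Python validator for the content checks that come after the security policy has verified the XML signature: trusted issuer, subject present, Conditions validity window, and a required attribute set, returning every failed check so a rejection is auditable. The sample envelope is constructed from the one in the post, with the wsse namespace declared (the post omits it), the elided NameID format replaced by the SAML 1.1 WindowsDomainQualifiedName URI and a placeholder e-mail; `validate_assertion` and `parse_xs_datetime` are names chosen here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the envelope from the forum post, with the wsse namespace declared
# and the elided name-identifier format filled in with the SAML 1.1 URI.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soap:Header>
    <wsse:Security>
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          ID="Id-0000010a3c4ff12c-0000000000000002"
          IssueInstant="2006-03-27T15:26:12Z" Version="2.0">
        <saml:Issuer>TestCA</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">TestUser</saml:NameID>
        </saml:Subject>
        <saml:Conditions NotBefore="2005-03-27T15:20:40Z" NotOnOrAfter="2028-03-27T17:20:40Z"/>
        <saml:AttributeStatement>
          <saml:Attribute Name="role" NameFormat="http://www.oracle.com">
            <saml:AttributeValue>admin</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="email" NameFormat="http://www.oracle.com">
            <saml:AttributeValue>[email protected]</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="dept" NameFormat="">
            <saml:AttributeValue>engineering</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body><product><name>Enterprise Gateway</name></product></soap:Body>
</soap:Envelope>
"""


def parse_xs_datetime(value):
    """Parse an xs:dateTime such as 2005-03-27T15:20:40Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def validate_assertion(envelope_xml, expected_issuer, required_attrs, now=None):
    """Content checks on the SAML 2.0 assertion carried in wsse:Security.

    Assumes the XML-DSig over the assertion has already been verified by the
    security policy; this function only decides whether the (authentic) content
    is acceptable. Returns (ok, reasons, attributes) where reasons lists every
    failed check and attributes maps each attribute Name to its non-empty values.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    root = ET.fromstring(envelope_xml)
    assertions = root.findall("soap:Header/wsse:Security/saml:Assertion", NS)
    if len(assertions) != 1:  # exactly one: do not let a second assertion ride along
        return False, [f"expected exactly one assertion, found {len(assertions)}"], {}
    a = assertions[0]
    if a.get("Version") != "2.0":
        reasons.append(f"unsupported Version {a.get('Version')!r}")
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        reasons.append(f"issuer {issuer!r} is not the trusted issuer {expected_issuer!r}")
    subject = a.find("saml:Subject/saml:NameID", NS)
    if subject is None:  # the post's sample uses the SAML 1.x element name
        subject = a.find("saml:Subject/saml:NameIdentifier", NS)
    if subject is None or not (subject.text or "").strip():
        reasons.append("subject has no name identifier")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element: validity window cannot be checked")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_xs_datetime(not_before):
            reasons.append(f"assertion not yet valid (NotBefore {not_before})")
        if not_on_or_after and now >= parse_xs_datetime(not_on_or_after):
            reasons.append(f"assertion expired (NotOnOrAfter {not_on_or_after})")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    for name in required_attrs:  # every required attribute must be present and non-empty
        if not attrs.get(name):
            reasons.append(f"required attribute {name!r} is missing or empty")
    return not reasons, reasons, attrs


if __name__ == "__main__":
    at = parse_xs_datetime("2006-03-27T15:26:12Z")  # the sample's IssueInstant
    print(validate_assertion(SAMPLE_ENVELOPE, "TestCA", ["role", "email", "dept"], now=at))
    print(validate_assertion(SAMPLE_ENVELOPE, "TestCA", ["role", "email", "dept", "city"], now=at))
```

The second call reproduces the post's wish: the same assertion is rejected once "city" is on the required list, with the reason recorded rather than a bare fault.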
