OIF SAML 2.0 issue
We are working with a partner on a SAML 2.0 setup and we are stuck with the following error. The partner is using Siteminder. We have uploaded the metadata file in our system, and when we test the connection an error occurs and this is showing up in the logs. Any ideas?
10/01/10 11:53:36: ERROR oracle.security.fed.controller.ApplicationController.processServletRequest() - oracle.security.fed.controller.web.action.RequestHandlerRuntimeException: Could not locate XML signature verification service. Invalid EventReponse: could not locate the verification key for: bms2inter; oracle.security.fed.security.exceptions.NoSuchServiceException: Invalid EventReponse: could not locate the verification key for: bms2inter
Any ideas on this? This is an urgent issue.
Similar Messages
-
OIF SAML 2.0 verification issue
We are working with a partner on a SAML 2.0 setup and we are stuck with the following error. The partner is using Siteminder. We have uploaded the metadata file in our system, and when we test the connection an error occurs and this is showing up in the logs. Any ideas?
10/01/04 15:04:07: ERROR oracle.security.fed.controller.ApplicationController.processServletRequest() - oracle.security.fed.controller.web.action.RequestHandlerRuntimeException: Could not locate XML signature verification service. Invalid EventReponse: could not locate the verification key for: xxxxxxxxx; oracle.security.fed.security.exceptions.NoSuchServiceException: Invalid EventReponse: could not locate the verification key for: xxxxxxxxx
Any ideas on this? This is an urgent issue.
-
OIF+OAM: install/config issues
This post is long. Hoping that at least one of the issues is seen by someone or someone has insights before we open SR(s) with Oracle.
We have a working OAM/OVD 11.1.1.5 installation (done according to the EDG at http://docs.oracle.com/cd/E21764_01/core.1111/e12035/toc.htm).
We started an evaluation of OIF and ran into some issues grouped under Install and Config categories.
h2. Install issues:
We installed it per chapter 16 of that EDG and all the steps went OK except step 16.7 (http://docs.oracle.com/cd/E21764_01/core.1111/e12035/oif.htm#BAJCJHBG). The config properties userldaphaenabled, fedldaphaenabled are getting set via WLST but don't appear to be persisted anywhere. On a restart they are false again. Are they supposed to be saved to config.xml of the IDMDomain? Can I try adding them manually like this as child elements under each of the wls_oif managed servers?
<datastore>
<userldaphaenabled>true</userldaphaenabled>
<fedldaphaenabled>true</fedldaphaenabled>
</datastore>
If those settings were properly set what is it supposed to do? I can see that config.xml, cots.xml files are stored as blobs in one of the OIF db tables. Will the above setting move them from DB to LDAP?
h2. Config/Runtime Issues:
We proceeded with configuration because the /sp/metadata and /idp/metadata test URLs are working fine via the VIP address. we used this manual to do the integration.
http://docs.oracle.com/cd/E21764_01/doc.1111/e15740/oif.htm#CACJDDGE. In section 4.3.1.6 (Configure Oracle Identity Federation in SP Mode) of this document it says to configure Oracle SSO. We only have OAM and not osso. We went ahead and configured the second tab (OAM) in the screen capture in that section as well (is there any documentation on how to configure that tab?)
In SP mode (section 4.3), testing of a resource protected with OIFScheme in OAM is not successful. It does not show any OIF login screen. Instead it takes the user through these URLs:
1. https://sso.company.com/test-app/
2. https://sso.company.com/fed/user/sposso
3. https://sso.company.com/fed/user/authnoam?refid=id-tB20kXzmHjpn6MUSdOr7qbmd2OU-
4. https://sso.company.com/fed/sp/art20?SAMLart=AAQAAbV1ElKBtte9uuhKoeo4h%2FMufCdY2wDlDIM2T9dL%2BvhsvtfUrwCuZg8%3D&RelayState=id-JPh8MY05pAZRckl4yOc2J4-80GI-
and then shows this error in the browser:
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
The following errors are seen in the WLS_OIF1 (we turned off WLS_OIF2 during this test) managed server logs:
<Mar 10, 2012 10:58:37 AM PST> <Error> <oracle.security.fed.eventhandler.authn.engines.oam.OAMAuthnEventHandler> <FED-18068> <Authentication failed: WebGate did not authenticate the user>
<Mar 10, 2012 10:58:37 AM PST> <Emergency> <oracle.security.fed.model.config.Configuration> <FED-10174> <Property was not found: httpheaderattrcollector.>
<Mar 10, 2012 10:59:27 AM PST> <Warning> <oracle.security.fed.http.handlers.authn.LoginRequestHandler> <FED-18051> <Authentication instant was not sent from the authentication engine.>
<Mar 10, 2012 10:59:37 AM PST> <Error> <oracle.security.fed.util.ssl.KeystoreUtil> <FED-18080> <Could not retrieve key from the key store. Please verify that the key password is equal to the key store
(this error is followed by the exception shown below)
<Mar 10, 2012 10:59:39 AM PST> <Error> <oracle.security.fed.eventhandler.authn.engines.osso.OssoFinishSPSSOEventHandler> <FED-15134> <The service providercould not map the identity provider response to a user>
FED-18080 exception:
java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at oracle.security.fed.util.ssl.KeystoreUtil.createKeyManagers(Unknown Source)
at oracle.security.fed.util.soap.OIFSSLProtocolSocketFactory.createSSLContext(Unknown Source)
at oracle.security.fed.util.soap.OIFSSLProtocolSocketFactory.getSSLContext(Unknown Source)
at oracle.security.fed.util.soap.OIFSSLProtocolSocketFactory.createSocket(Unknown Source)
at oracle.security.fed.util.soap.OIFSSLProtocolSocketFactory.createSocket(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
at oracle.security.fed.util.soap.SimpleSoapSender.sendMessage(Unknown Source)
at oracle.security.fed.http.flow.profiles.sp.SendSoapRequestSSOResponseHandler.perform(Unknown Source)
at oracle.security.fed.controller.ApplicationController.processServletRequest(Unknown Source)
at oracle.security.fed.controller.web.servlet.FederationServlet.doGet(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:821)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:57)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
A minor other problem seems to be with adrci:
Cause: DFW-40112: There was an error executing adrci commands; the following errors have been found "Cannot run program "/app/iam/middleware/wlserver_10.3/server/adr/adrci": java.io.IOException: error=12, Cannot allocate memory"
Action: Ensure that command line tool "adrci" can be executed from the command line.
We can run the adrci tool from the command line using the same LD_LIBRARY_PATH as used by the wls_oif1 server. Why is it trying to run it and failing, and what is it trying to do? Can we turn it off?
I reinstalled the suite. This time, during the Policy Manager install I left the "Root Directory for Policy Domains" (step/page 7-12) at the default, which was "/". The GUI now works correctly.
On the previous install I changed the path to /AccessManagerPolicy -- it wasn't clear to me what the installer meant by 'root directory'. I did try to get /AccessManagerPolicy to work by creating a directory under my web root to match, but I still had issues with the Policy Domain -- no policy domains would match. So, it looks like this parameter should never be changed in the installer.
Aaron. -
Looking for ideas:
Trading partner requires us to send 4 attributes in our SAML 2.0 assertion (staticID, firstName, lastName, EmployeeID). We will be providing the same value for staticID and EmployeeID.
When we configure Attribute Mappings within OIF, if we map the same LDAP attribute (employeenumber) for staticID and EmployeeID, only one of the attributes gets included in the SAML assertion. (3 attributes included in assertion rather than 4)
If I map staticID to employeenumber and EmployeeID to <some other attr> all 4 attributes are included in assertion.
Is there a way to make this happen? Does this violate a SAML standard?
I am surprised that it is working. According to the following note:
314948.1: How can I determine what SAML attribute fields are case sensitivity?
the LDAP attributes specified should be in lowercase to work. Did you try specifying both fields in lowercase (employeenumber)?
You should pose this question to Oracle.
-shetty2k -
OIF - SAML AttributeStatement not sending
I set the "attribute mappings and filters" with a single attribute: givenname but it does not send over an attributestatement tag in the SAML. I turned on the xmlmessage so I can view the SAML. However, everything is present but the attributestatement with the attributes. I even put in some bogus attribute values but the authentication process is successful with no errors. The last thing I tried was to set"Enable attributes in Single Sign-on" but it did not change anything.
Does anyone know how to send attributes in Oracle Identity Federation 11g?
Edited by: user4985735 on Oct 13, 2009 2:57 PM
I solved my own problem. The "Enable Attribute Query Responder" needed to be checked on the SAML 2.0 tab in the IDP. Ensure you export the metadata after making this change and load it in OIF. The other step was to set the "Enable attributes for single sign-on" check box and set an attribute for testing. I set an attribute name of "mail" with assertion name of "email" and checked "send Attribute with assertion". If you choose a bogus attribute the attributestatement will not show up, with no errors. If you are doing local testing by setting up IDP and SP on the same OIF instance, only set the SP "Enable attribute for single sign-on" (not IDP). Logic was telling me to set the IDP "enable attribute for single sign-on" but this was wrong. It should be set in the SP metadata. There really are not that many steps once you know how the attributes work, but if you try through trial-and-error, you can spend weeks before you get lucky with the right combination.
-
OBIEE 11g: SAML SSO performance issues
Hi All,
We have implemented IDP initiated SAML2-SSO with SQL Authenticator to get user/group information.
After implementing this we see following issues:
1. Login time takes around 1 minute. In nqserver.log file I can see following message:
[2014-12-22T12:55:09.000-05:00] [OracleBIServerComponent] [NOTIFICATION:1] [] [] [ecid: 0000Kdn8fzjFO99_ndL6iZ1Ka4_f0000FW,0:1:1:6] [tid: 1594] User 'BISystemUser(XXXX)' spent 28720.000000 milliseconds for http response when impersonateUserWithLanguageAndProperties
2. General navigation through application is also slow.
Can you please provide any pointers to fix these performance issues?
Thanks,
Mahipal
I am experiencing performance issues with view selector. It repeats the SQL for each view resulting in duplicate SQL to be run and thus resulting in poor performance of reports. Is this an expected behavior of view selector?
Thanks. -
Configure SAP ABAP as service provider using SAML holder-of-key
Hi
We are trying to configure "SAML Holder of key" between Microsoft (as
a service consumer) and SAP ABAP (as service provider).
The service provider/SAP ABAP is release 7.11 and we need to configure this component.
We have found SAP note 1254821 and are trying to follow the instructions for
the "SAML Holder of key" scenario:
However there is one step that we do not understand: step 5 "The private key to decrypt the
encrypted....at the provider system must be a WS Security Identity in transaction TRUST"
Anyone who can elaborate of the meaning of this step and describe a procedure for what
exactly to do?
BR
Tom Bo
Hi,
a service provider needs to check two things when processing a message. The first thing is that the SAML assertion was issued by the STS, by checking the signature of the SAML assertion. The SAML assertion is signed by the STS (step 4 in the OSS note). The second thing is to verify that the sender knows the key from the SubjectConfirmation element (that's why it is called holder of key). One way is to encrypt and sign the SOAP message using a symmetric key. There is also an option to use an asymmetric key. The key is encrypted by the STS using the public key of the service provider. Therefore the private key must be imported in the service provider system (step 5 from the OSS note). More info can be found [here|http://help.sap.com/saphelp_nw73/helpdata/en/e5/9f9913fc9c418db98c8693b2bbdb7c/frameset.htm].
Cheers -
Sharepoint 2013 and ADFS 3.0 Multi-Tenancy Problems
Hi
I am hoping someone might be able to help with my scenario.
Architectural Overview:
We have a 3-Tier Sharepoint 2013 deployed. In this infrastructure we have the following Servers (1x ADFS server, 1x TMG Proxy for External Access, 2x Web Front-End servers, 1x Application Server, 2x SQL Servers with P2P replication
On sharepoint we have a multi-tenant setup based on HSNC i.e. with AD integration on domain example.com. We also integrate with a 3rd Party myexample.com which we have ADFS connected to
site1.example.com
site2.exmaple.com
For both of the sites we have configured the required application and run as per requirements of ADFS 3.0.
ADFSserver -> server1.example.com
DefaultRealm -> urn:sharepoint:site
site1.example.com -> "https://site1.example.com/_trust/", urn:sharepoint:site1
with default login page specified /_trust/default.aspx
site2.example.com -> "https://site2.example.com/_trust/", urn:sharepoint:site2
with default login page specified /_trust/default.aspx
On ADFS 3.0 we have realm trusts corresponding to this i.e.
Trust 1:
identifier -> "https://site1.example.com/_trust/" , urn:sharepoint:site1
Endpoint -> "https://site1.example.com/_trust/Pages/Default.aspx
Trust 2:
identifier -> "https://site2.example.com/_trust/", urn:sharepoint:site2
Endpoint -> "https://site2.example.com/_trust/Pages/Default.aspx, urn:sharepoint:site2
The Problem:
When accessing the sites from the client browser to test (using Chrome Incognito mode so cookies terminates at close of browser session), I get weird stuff happening on ADFS and Sharepoint. I try site1.example.com and it fails stating that urn:sharepoint:site1
is not a recognised realm. When looking at the URL request sent to ADFS I can see irrespective of urn set on sharepoint to differentiate, it sends the default urn of urn:sharepoint:site which is not part of the Relay Party Trust in ADFS for site1 or site2.
This causes the SAML authentication to fail. When I add the default Realm to one of the Trusts then it works fine, but then it is not a true multi-tenant environment as requests for both sites get redirected to a single ADFS endpoint.
Did you set the ProviderRealms on the Trusted Identity Token Issuer?
http://sharepointobservations.wordpress.com/2013/08/13/adding-host-name-site-collections-to-existing-saml-claims-token-issuer/
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Oracle Identity Federation or Microsoft ADFS
Hi,
There are two companies A & B having an isolated infrastructure. Currently we have an architecture where Company A is providing OAM-IWA based SSO functionality for its own users and not for Company B users. If Company B also wants to avail the benefits of IWA/SSO for an application hosted in Company AS what should they do? Please advise-
1. Implement Microsoft ADFS? Company B may not like it because they think ADFS might expose confidential attributes to Company A?
2. Implement Oracle Identity Federation? How will that fit in if we have OAM in place? Can OAM authenticate half of the user base and OIF do the rest? Pls advise
3. Implement OVD? I am not sure if OVD can authenticate userbase against AD credentials?
Pls let me know.
Thanks,
Since company A and B have isolated infrastructures, I assume they are separate companies and on separate networks, with the internet as the network that will allow users from company B to access the application hosted by company A. And I assume the application is a web application.
First, IWA is a function of the IIS web server and supported browsers (IE and Firefox) and is independent of OAM or OIF. OAM 10g supports IWA when running a webgate on the IIS web server that is configured to accept IWA authentication. IWA will work on the Intranet, so employees of company A can use IWA to SSO to OAM in their environment. Likewise, if company B has their own deployment of OAM, they can use IWA to SSO their users to their instance of OAM.
If you deploy OAM 11g, there is no longer a dependency on IIS because OAM 11g support Windows Native Authentication. You can read OAM 11g documentation for details on WNA.
1) Regarding use of ADFS, I have no comment as I am not familiar with the details of ADFS.
2) Regarding using OIF, some questions and clarifications
- Does company B own a web SSO and/or federation product? Do they own OAM? Do they own OIF? If not, they'll need something that speaks SAML or another federation protocol supported by OIF.
- For company A, you can buy OIF and integrate with OAM, if necessary. Since company A is hosting the application that company B employees want to get to, they would most likely be configured as the service provider/relying party.
- For company B, you can buy OIF and integrate with OAM. And OAM can integrate with IWA. So a user could use IWA to seamlessly SSO to OAM and then follow a federation enabled link to company A's app and seamlessly SSO to that as well.
- There is some integration work to be done here. Specifically, company B needs to have a way to send its users over to company A so they can import them into company A's app. You need to exchange some metadata and agree on a unique identifier to identify the users. Or if the app works by having company B users access it as a generic user or something, you need to set something up for that (such as passing the generic userID in the SAML assertion).
- I would probably deploy the app such that there were two entry doors. One door would be for company A's employees and would be internally accessible only and protected by OAM. Then I would have an externally accessible door that relied on OIF SAML and was configured as a relying party for company B's employees.
3) regarding OVD, I don't see how that is going to help you since each company is on a separate isolated infrastructure. -
SAML / OIF integration does not work - Could not extract SAML2 message
Hi gurus,
We are trying to establish SSO between SAP Portal 7.3 and OIF 11.1.5 (Oracle Identity Federation). I configured SAP Portal as service provider and OIF is also configured. I changed the Login Module and added SAML on top of my default auth stack. When we try to do an end-to-end test it does not work and throws the following error:
Default SAML2 configuration is selected because login module option [provider] is not configured.
SAML2LoginModule is running in execution mode DEFAULT.
SAML2Principal not found in current client context.
Exiting method
Entering method
SAMLResponse: PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6
U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovL2ppZXB0ODIu
dWsuY2VudHJpY2FwbGMuY29tOjgxODIvc2FtbDIvc3AvYWNzIiBJRD0iaWQtVVRW...........................
Decoded SAMLResponse: <samlp:Response mlns:samlp="urn:oasis:names:tc: 4 пїЅГЈ"пїЅ пїЅ &пїЅFпїЅ6пїЅпїЅ" FW7FпїЅпїЅ.......................3E&saml2post=false
Could not extract SAML2 message from request.
[EXCEPTION]
java.lang.SecurityException: com.sap.security.saml2.lib.common.SAML2Exception: SAML parsing failed..................
No user name provided.
Entering method
Automatic IdP Selection mode configured for the Service Provider
POST parameters set as HTTP request attribute [sap.com/login_post_parameters] to be re-submitted during login: [SAMLResponse, SAMLart, RelayState]
Could not remove original application URL cookie because the provided name is invalid: <null>
Exiting method with true
LOGIN.FAILED
User: N/A
IP Address: 10.11.11.11
Authentication Stack: ticket
Login Module Flag Initialize Login Commit Abort Details
1. com.sap.security.saml2.sp.SAML2LoginModule REQUIRED ok exception true Service Provider could not extract SAML2 message from request.
#1 AcceptedAuthenticationMethods = *
#2 Mode = Standalone
2. com.sap.security.core.server.jaas.EvaluateTicketLoginModule SUFFICIENT ok false true
#1 trusteddn1 = CN=ERT,OU=I0020100174,O=SAP Web AS
#2 trustediss1 = CN=ERT,OU=I0020100174,O=SAP Web AS
#3 trustedsys1 = ERT,010
#4 ume.configuration.active = true
3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule REQUISITE ok false false
4. com.sap.security.core.server.jaas.CreateTicketLoginModule OPTIONAL ok false true
The decoded SAML response looks strange with all the non-readable characters and as a result there is no username passed to the portal, the SAML login fails and the portal offers a fall-back login with username/password.
Also, can you please comment the line from the help.sap.com (http://help.sap.com/saphelp_nw73/helpdata/en/bf/b0b879544740c8a3c8bdda87e50587/frameset.htm)
"Prerequisites for SAML: Your service provider must be able to reach the identity provider over HTTP or HTTPS."
We have our identity provider / service provider in two different segment of the network and there is no http/https connection between these segments as we assumed that all the communication is going through the browser and we would not need the port to be opened on the firewall. Is it something which is absolutely necessary? In our opinion it negates all the benefits of SAML
Help will be very much appreciated
Many thanks in advance,
Regards, Elena
Hi Elena,
The issue was discovered and fixed during the SAML Interoperability Tests early last year (2011). I'm not sure I will be able to find a dedicated note because the fix was not downported but just submitted in the latest SP in correction. If you need a justification then you can open a support ticket with SAP and this will be the official answer there. If you do so please do not forget to attach traces from the system - use the tool described in 1332726 with type "SAML 2.0 (Info)". If you send me the ticket number I can speed up the processing of the ticket.
Regards,
Dimitar -
SAML Overview
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and
authorization data between security domains, that is, between an identity provider (a producer of assertions)
and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services
Technical Committee.
SAML is relevant to those customers who already have a SAML implementation in use with other systems in
their organization. Therefore, it is recommended you engage your technology team that has a working
knowledge of SAML and provide this document to them for their review.
Key Roles
• Identity Provider (IDP): The system in authority that provides the user information
• Service Provider (SP): The system that trusts the asserting party’s information, and uses the data to
provide an application to the user.
• Subject: The user and their identity that is involved in the transaction.
Note! In our context, Learning Maestro is the SP, the IDP is customer-specific, and the Subject is the user
who is logged in.
Copyright © 2013 SumTotal Systems, LLC. All rights reserved. Duplication prohibited.
Typical SAML Components
Source: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
Implementing SAML 2.0
• SumTotal LMS supports only SAML 2.0 Standards.
• We support only IDP-initiated SAML authentication.
• The SAML Response should be signed and base64 Encoded.
• UserName should be passed in NameID element under Assertion\Subject Keys.
• We use the timestamp provided in IssueInstant attribute of SAML Assertion to find the valid period
(+/- 5 min ) for the SAML Response.
• Currently, we do not support signed or encrypted assertions.
• Deep linked URLs can be passed through an additional URL parameter of “OriginalURL.”
IDP Initiated Web SSO
Source: http://www.ijcsi.org/papers/2-41-48.pdf
When Learning Maestro is Accessed from a Portal
1. The user logs into the customer portal.
2. The user clicks on a link to the LMS from the customer’s portal.
3. The link points to an IDP page.
4. The IDP pages posts an HTTP Request to Learning Maestro
5. The request is an < ... > message.
Typical Structure of a SAML Response
• Below is the typical SAML Response received by LMS from IDP
• Value of SAMLResponse parameter should be base64 Encoded.
Please double-click to open the below XML file to view how the response looks after decoding:
ExampleSuccessfulAssertion.xml
Configuring SAML 2.0
SumTotal Maestro supports SAML 2.0 for the “Identity Provider Initialized SSO” protocol.
To configure your Maestro domain to accept SAML 2.0 Assertions, the following steps must be taken:
1. Confirm that Usernames are in sync
2. Provide an X.509 Certificate to SumTotal Systems (SHA1 Hashed)
SumTotal Systems will configure your environment with the X.509 cert you provide.
3. Point your call to the following URL:
https://gm1.geolearning.com/geonext/<your_domain>/saml.geo
After authenticating to your Identity Provider, the provider will pass a user into Maestro IF:
• The user has a username matching an existing Maestro username
• The x509 certificates match on both sides
If authentication fails, the user will be presented with a failure page.
Assertions
An optional assertion is available to specify the URL a user will be sent if there is an authentication error.
ErrorRedirectURL Assertion
• If ‘ErrorRedirectURL’ is not specified and an authentication error or other security exception
occurs it will redirect the user to the default secerror.geo page as it does today
• If a value (URL) is specified for ‘ErrorRedirectURL’ and there is an authentication error the user
will be redirected to the URL specified
Sample
Additional Information
For additional information on SAML, please refer to the following sources:
Wikipedia: Security Assertion Markup Language
OASIS Executive Summary
IJCSI Intermediate Concept
OASIS Technical Overview
FAQs
Question: What .NET library are we using?
Answer: SumTotal uses the "Componentspace" .NET SAML 2.0 library.
Question: Can users still log in via the login page?
Answer: Yes. The SAML target page is different than the login page.
Question: Can we deep link into the LMS through the SAML 2.0 authentication workflow?
Answer: Yes. "Deep Link Target" (target or original URL parameter) is accepted. If none is provided, then it will default to the default landing page as configured in Maestro.
Question: Can I get rid of the Logout button?
Answer: Yes. When using SAML, the logout button still exists intentionally in the navigation but can be disabled in the "configure Navigation" options.
Question: What is the Session timeout setting?
Answer: Session Hard Life and Idle Life settings can be configured in the security section of the administration interface of Maestro.
Question: What is the unique ID for SAML?
Answer: The "username" field.
Question: What is the failure page if Authentication fails?
Answer: If the authentication fails, by default an intentionally simple error is presented to the user stating "Authentication Failure". For security purposes, no further information regarding the specifics of the failure is given to the user. An optional ErrorRedirectURL assertion can be used.
Question: What URL do we point to?
Answer: https://gm1.geolearning.com/geonext/<your_domain>/saml.geo
Hello,
Thanks for posting your question to here. However, this forum is used to discuss and ask questions about .NET Framework Base Classes (BCL) such as Collections, I/O, Regigistry, Globalization, Reflection. For issues regarding configuring SAML, this is beyond
the scope of our support.
Regards.
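The service-provider checks the SAML overview above lists (base64-decoded SAMLResponse, Success status, NameID under Assertion/Subject, IssueInstant within +/- 5 minutes) together with the "assertion has expired or is not yet valid" outcome described in the OpenSAML post below, as an added Python example that is not SumTotal's or Oracle's code; the sample response, the issuer URL and the user name are constructed, and signature verification is left out because it needs the IdP certificate.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
MAX_SKEW = timedelta(minutes=5)  # the +/- 5 min IssueInstant window from the overview

# Constructed sample (hypothetical issuer and user, not captured from any real system).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_resp1" Version="2.0" IssueInstant="2011-04-05T13:33:06.484Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://idp.example.test/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2011-04-05T13:33:06.484Z">
    <saml:Issuer>http://idp.example.test/idp</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")


def parse_instant(value):
    """Parse an xsd:dateTime such as 2011-04-05T13:33:06.484Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_response(saml_response_b64, now, expected_issuer=None, known_users=None):
    """Apply the SP-side checks to a base64 SAMLResponse POST parameter.

    Returns (ok, reason, name_id). `now` is the SP clock as an aware datetime.
    Signature verification is deliberately left out: it needs the IdP's X.509
    certificate, which is exchanged out of band.
    """
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        # Same symptom as the SAP trace above: undecodable bytes, no message extracted.
        return False, "could not extract SAML2 message: %s" % exc, None
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root element is not samlp:Response", None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "StatusCode is not Success", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no plaintext Assertion (encrypted assertions are not supported)", None
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if expected_issuer is not None and issuer != expected_issuer:
        return False, "unexpected Issuer %r" % issuer, None
    instant_attr = assertion.get("IssueInstant")
    if not instant_attr:
        return False, "Assertion has no IssueInstant", None
    if abs(now - parse_instant(instant_attr)) > MAX_SKEW:
        # The outcome OIF reports as FED-18018: expired or not yet valid (often clock skew).
        return False, "IssueInstant outside the +/- 5 min window", None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "NameID missing under Assertion/Subject", None
    if known_users is not None and name_id not in known_users:
        return False, "no local account matches NameID %r" % name_id, None
    return True, "ok", name_id


if __name__ == "__main__":
    sp_clock = parse_instant("2011-04-05T13:35:00Z")
    print(validate_response(SAMPLE_B64, sp_clock, known_users={"jdoe"}))
    print(validate_response(SAMPLE_B64, parse_instant("2011-04-05T14:00:00Z")))
```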
-
I currently have a working Service Provider-IDP SAML solution working inside Enterprise Manager (both setup by an Oracle Engineer).
I'm trying to use my own IDP (created using OpenSAML - which does work successfully with other products) to interact in the same way. I've overcome a few issues (made difficult by the not very helpful error messages) but I'm now stuck on what appears to be incorrect assertion timings:
From the browser:
Federation SSO Operation Result
SSO Authentication Result: Authentication Failed
User Identifier:
Authentication Instant:
Session Expiration Instant:
Authentication Mechanism:
SSO Primary Status Code: RESPONDER
SSO Secondary Status Code:
SSO Status Message: The assertion could not be validated
IdP Provider ID: http://192.168.0.180:8080/SAMLOracle
Relay State:
From log messages:
FED-18018 Assertion has expired or is not yet valid: {0}
FED-18012 Assertion cannot be validated.
However, as previous error messages were misleading (some turned out to be omissions in the IdP metadata I provided), I'm doubtful it's that. I've also removed all timings except the mandatory authorisation and issue instants.
This is my assertion (which I automatically validate, so I know, as much as I can, that it is valid):
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response ID="gkpakaanklepldgdcbkldcjmdhjldodkemhollpj"
IssueInstant="2011-04-05T13:33:06.484Z" Version="2.0"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.0.180:8080/SAMLOracle</saml2:Issuer>
<saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</saml2p:Status>
<saml2:Assertion ID="lomhembcokbdhnnlhjkiejmchkmjgacbcbaalioe"
IssueInstant="2011-04-05T13:33:06.484Z" Version="2.0"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://192.168.0.180:8080/SAMLOracle</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:Reference URI="#lomhembcokbdhnnlhjkiejmchkmjgacbcbaalioe"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ec:InclusiveNamespaces PrefixList="ds saml2"
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">A6CyjTZQ6dcAG7LyhxewOLomLG8=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">sPbNCQ7QdosRpcOJgfeLw+llUoIOTt204/mvs0aRvKKr1E3+2XfABg==</ds:SignatureValue>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData
Recipient="http://fed.demo.oracle.com:7779/fed/sp/authnResponse20" />
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AudienceRestriction>
<saml2:Audience>http://fed.demo.oracle.com:7779/fed/sp</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2011-04-05T13:38:06.535Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
</saml2:Assertion>
</saml2p:Response>
Could anyone give me some pointers on what I'm missing please?
Thanks,
Andy
Thanks guys, I've already tried altering the server drift (and the Request Timeout for good measure) to the maximum values. I've also restarted the server in case the values weren't being used. I still get the same results.
This is why I think the error messages are incorrect. Is there any way of further refining the debugging so I can see the output of an assertion and see which of my values was incorrect and what it should be? Even knowing if it's not yet valid OR has expired would point me in the right direction. -
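As an added example (not code from the thread, from OIF or from OpenSAML), the Python below applies the validity-window and bearer-profile rules a SAML 2.0 SP enforces to a reduced copy of the Response posted above and names every attribute that fails, which is the detail FED-18018 hides. The `skew` and `max_age` values are assumptions standing in for OIF's server-drift setting; note that the posted assertion stamps AuthnInstant (13:38:06) five minutes after IssueInstant (13:33:06), and that its bearer SubjectConfirmationData has no NotOnOrAfter.

```python
"""Time-window and bearer-profile checks for a SAML 2.0 Response (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the posted Response with the signature removed and only
# the timing-relevant elements kept. The timestamps are the original ones.
SAMPLE_RESPONSE = """\
<saml2p:Response ID="gkpakaanklepldgdcbkldcjmdhjldodkemhollpj"
    IssueInstant="2011-04-05T13:33:06.484Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion ID="lomhembcokbdhnnlhjkiejmchkmjgacbcbaalioe"
      IssueInstant="2011-04-05T13:33:06.484Z" Version="2.0">
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData
            Recipient="http://fed.demo.oracle.com:7779/fed/sp/authnResponse20"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>http://fed.demo.oracle.com:7779/fed/sp</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2011-04-05T13:38:06.535Z"/>
  </saml2:Assertion>
</saml2p:Response>
"""


def parse_instant(value):
    """Parse a SAML xs:dateTime; the profile requires UTC with a 'Z' suffix."""
    if value is None or not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a 'Z' suffix: %r" % (value,))
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, skew=timedelta(minutes=2),
                    max_age=timedelta(minutes=10)):
    """Return a list of findings for the Assertion inside a Response.

    `skew` stands in for OIF's server-drift tolerance (assumed value) and
    `max_age` is an assumed freshness window for an assertion that carries no
    explicit Conditions timestamps. An empty list means every check passed.
    """
    findings = []
    assertion = ET.fromstring(xml_text).find("saml2:Assertion", NS)
    if assertion is None:
        return ["Response carries no saml2:Assertion"]

    issued = parse_instant(assertion.get("IssueInstant"))
    if issued > now + skew:
        findings.append("not yet valid: IssueInstant %s is in the future" % issued.isoformat())
    elif issued < now - max_age - skew:
        findings.append("expired: IssueInstant %s is older than %s" % (issued.isoformat(), max_age))

    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        findings.append("bearer assertion lacks a Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and parse_instant(not_before) > now + skew:
            findings.append("not yet valid: Conditions/NotBefore=%s" % not_before)
        if not_on_or_after and parse_instant(not_on_or_after) <= now - skew:
            findings.append("expired: Conditions/NotOnOrAfter=%s" % not_on_or_after)
        if cond.find("saml2:AudienceRestriction/saml2:Audience", NS) is None:
            findings.append("bearer assertion lacks an AudienceRestriction")

    # A user cannot have authenticated in the future: an AuthnInstant ahead of
    # the SP clock (beyond skew) is rejected as "not yet valid".
    for stmt in assertion.findall("saml2:AuthnStatement", NS):
        authn = parse_instant(stmt.get("AuthnInstant"))
        if authn > now + skew:
            findings.append("not yet valid: AuthnInstant %s is %s ahead of the SP clock"
                            % (authn.isoformat(), authn - now))

    # Web Browser SSO profile: bearer SubjectConfirmationData must carry both
    # Recipient and NotOnOrAfter, and the latter bounds delivery of the assertion.
    for conf in assertion.findall("saml2:Subject/saml2:SubjectConfirmation", NS):
        if conf.get("Method") != BEARER:
            continue
        data = conf.find("saml2:SubjectConfirmationData", NS)
        if data is None:
            findings.append("bearer SubjectConfirmation lacks SubjectConfirmationData")
            continue
        if not data.get("Recipient"):
            findings.append("bearer SubjectConfirmationData lacks Recipient")
        expiry = data.get("NotOnOrAfter")
        if not expiry:
            findings.append("bearer SubjectConfirmationData lacks NotOnOrAfter")
        elif parse_instant(expiry) <= now - skew:
            findings.append("expired: SubjectConfirmationData/NotOnOrAfter=%s" % expiry)
    return findings


if __name__ == "__main__":
    # Evaluate a few seconds after issuance, as the SP in the thread would.
    for finding in check_assertion(SAMPLE_RESPONSE, parse_instant("2011-04-05T13:33:10Z")):
        print("FAIL:", finding)
```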
OIF with external IdP (Shibboleth) - certificate issue
Hi,
We are in the process of setting up Oracle Identity Federation (as SP) with an external IdP (Shibboleth) for SSO.
We got the metadata from the IdP and set up the Identity Provider in OIF with the IdP metadata.
The IdP has a self-signed certificate.
When we try to test the connection, it redirects to the IdP but fails in the end with the bad certificate error below.
Can someone shed some light on this, as it is a road block for us? Is a self-signed certificate an issue? Please advise on any steps to be followed and how.
<Error> <oracle.security.fed.controller.library.api.FedEngineInstance> <FEDSTS-12079> <ResponseHandlerException: {0}
oracle.security.fed.controller.frontend.action.exceptions.ResponseHandlerException: oracle.security.fed.util.soap.SOAPException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
>
java.lang.reflect.InvocationTargetException
Caused by: java.lang.RuntimeException: oracle.security.fed.controller.frontend.action.exceptions.ResponseHandlerException: oracle.security.fed.util.soap.SOAPException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Caused by: oracle.security.fed.controller.frontend.action.exceptions.ResponseHandlerException: oracle.security.fed.util.soap.SOAPException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
<Mar 21, 2013 3:50:16 PM EST> <Error> <oracle.oam.binding> <OAM-00002> <Error occurred while handling the request.
java.lang.NullPointerException
Extract the certificate for your https site and add it to your trusted store.
If you are using the default trust, it should be located under WLSERV~1.3\server\lib\DemoTrust.jks.
You can either use keytool or a tool like portecle for the same. -
SAML Token Profile Policies Issues
Hi all
I want to secure a web service using SAML Token Profile Policies. I am using the Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml policy.
I have configured a SAML 2.0 Identity Assertion Provider in my WebLogic Server and added an Identity Provider partner.
I gave the Issuer as http://com.example.idp/AssertingParty
Below is the SOAP request which I send to my web service.
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_15931837d93e95e7e7ffbaa038ad4942"
IssueInstant="2013-04-26T15:20:24.021Z" Version="2.0">
<saml:Issuer>http://com.example.idp/AssertingParty</saml:Issuer>
<saml:Subject>
<saml:NameID Format="NameID">weblogic_sp</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
</saml:Subject>
<saml:Conditions NotBefore="2013-04-26T15:24:14.021Z" NotOnOrAfter="2013-04-26T15:50:24.021Z"/>
<saml:AuthnStatement>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Roles">
<saml:AttributeValue>Administrators</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wsse:Security>
</env:Header>
<env:Body/>
</env:Envelope>
I am getting the below error.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurityToken</faultcode>
<faultstring>Invalid SAML token on CCS?Invalid SAML token when samlAsst= null</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
I turned on verbose logging in the WebLogic server and got the below log when I invoke the web service.
<WSEE:24>Created<SoapMessageContext.<init>:48>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>tokenType: null, cred: [saml:Assertion: null], privkey: null<SAMLCredentialImpl.<init>:107>
<WSEE:24>Class of cred is: class com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl<SAMLCredentialImpl.<init>:108>
<WSEE:24>Instantiating SAMLAssertionInfoFactory<SAMLCredentialImpl.<init>:113>
<WSEE:24>Getting SAMLAssertionInfo from DOM Element of CSS<SAMLCredentialImpl.<init>:141>
<WSEE:24>Got erroron on SAMLAssertionInfo from DOM Element of CSS, msg =[Security:098517]Failed to get SAML assertion info: Unable to construct SAML 1.1/2.0 Schema object, can not perform validation.<SAMLCredentialImpl.<init>:152>
Please let me know if I am doing anything wrong.
Thanks
Ranjith -
OIF -- 500 Server Error when trying to import SAML 2.0 metadata
Hi,
We have set up OIF version 10.1.4.0.1 on a Windows 2003 server with integration to OAM running on the same machine. We need to configure this server as a SAML 2.0 IdP.
When we try to import SAML 2.0 SP metadata by navigating to Circle of Trust -> Add Trusted Provider, the browser shows a 500 Server error with the following URL -
http://fedserver208.orclidp.com:7777/fed/admin/servlet/loadmetadata
Can someone please point us to the location of log file(s) where we can check for errors? Thanks much for your response.
Vijay
Vinod,
Thanks for the follow-up on this thread. It turned out that the metadata from the SP wasn't conformant to the spec, so we had to hand-craft the metadata file to allow OIF to import it.
Vijay