OIF SAML Attribute Mappings

Looking for ideas:
Trading partner requires us to send 4 attributes in our SAML 2.0 assertion (staticID, firstName, lastName, EmployeeID). We will be providing the same value for staticID and EmployeeID.
When we configure Attribute Mappings within OIF, if we map the same LDAP attribute (employeenumber) for staticID and EmployeeID, only one of the attributes gets included in the SAML assertion. (3 attributes included in assertion rather than 4)
If I map staticID to employeenumber and EmployeeID to <some other attr> all 4 attributes are included in assertion.
Is there a way to make this happen? Does this violate a SAML standard?

I am surprised that it is working. According to the following note:
314948.1: How can I determine what SAML attribute fields are case sensitivity?
the LDAP attributes specified should be in lowercase to work. Did you try specifying both fields in lowercase (employeenumber)?
You should pose this question to Oracle.
-shetty2k

Similar Messages

  • OIF - SAML AttributeStatement not sending

    I set the "attribute mappings and filters" with a single attribute: givenname, but it does not send over an attributestatement tag in the SAML. I turned on the xmlmessage so I can view the SAML. However, everything is present but the attributestatement with the attributes. I even put in some bogus attribute values but the authentication process is successful with no errors. The last thing I tried was to set "Enable attributes in Single Sign-on" but it did not change anything.
    Does anyone know how to send attributes in Oracle Identity Federation 11g?
    Edited by: user4985735 on Oct 13, 2009 2:57 PM

    I solved my own problem. The "Enable Attribute Query Responder" needed to be checked on the SAML 2.0 tab in the IDP. Ensure you export the metadata after making this change and load it in OIF. The other step was to set the "Enable attributes for single sign-on" check box and set an attribute for testing. I set an attribute name of "mail" with assertion name of "email" and checked "Send Attribute with assertion". If you choose a bogus attribute the attributestatement will not show up, with no errors. If you are doing local testing by setting up IDP and SP on the same OIF instance, only set the SP "Enable attribute for single sign-on" (not IDP). Logic was telling me to set the IDP "enable attribute for single sign-on" but this was wrong. It should be set in the SP metadata. There really are not that many steps once you know how the attributes work, but if you try through trial-and-error, you can spend weeks before you get lucky with the right combination.

  • SAML attribute mapper

    Hi,
    I am having an issue developing an attribute mapper for my SAML 1.1 scenario using Sun Access Manager 7.1 patch 1 (war deployment installer) as the IDP. It is deployed on Sun Java System Web Server 7.0U1 (B06/12/2007 21:15) for Solaris 10 x86.
    My class looks something like this:
    package matt.saml.sample;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Set;
    import com.iplanet.sso.*;
    import com.sun.identity.saml.assertion.*;
    import com.sun.identity.saml.common.SAMLException;
    import com.sun.identity.saml.plugins.PartnerSiteAttributeMapper;
    import com.sun.identity.idm.AMIdentity;
    import com.sun.identity.idm.IdRepoException;
    import com.sun.identity.idm.IdUtils;
    import org.w3c.dom.Document;
    public class TestSiteAttributeMapper implements PartnerSiteAttributeMapper {
        public List getAttributes(SSOToken token, String targetURL) throws SAMLException {
            // list of Attribute objects to put in the assertion (the code that fills it is elided in the post)
            List list = new ArrayList();
            //...code
            return list;
        }
    }
    So, I put TestSiteAttributeMapper in the classpath and configured the Site Attribute Mapper. Now when I try SSO with SAML, attributes aren't passed through the assertion plus I get this in the amSAML debug log:
    SAML Service Manager: PartnerUrl List:siteattributemapper=matt.saml.sample.TestSiteAttributeMapper
    10/07/2008 12:14:41:518 PM EDT: Thread[service-j2ee-3,5,main]
    ERROR: SAMLServiceManager:Invalid site attribute mapper
    I tried compiling the class with the amserver/WEB-INF/lib/am_services.jar (the one AM is using) in the classpath.
    Also, I had to add amserver/WEB-INF/lib/am_services.jar(plus I added a couple other am_*.jar files) to the Web Server classpath, in the JVM settings to get rid of an error I was seeing in the web server logs:
    [05/Oct/2008:19:36:31] failure ( 3746): for host 192.168.200.1 trying to GET /amserver/SAMLPOSTProfileServlet, service-j2ee reports: StandardWrapperValve[SAMLPOSTProfileServlet]: PWC1406: Servlet.service() for servlet SAMLPOSTProfileServlet threw exception
    java.lang.NoClassDefFoundError: com/sun/identity/saml/plugins/PartnerSiteAttributeMapper
            at java.lang.ClassLoader.defineClass1(Native Method)
            at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
            at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
            at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
            at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
            at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
            at java.security.AccessController.doPrivileged(Native Method)
            at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
            at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
            at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1461)
            at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
            at java.lang.Class.forName0(Native Method)
            at java.lang.Class.forName(Class.java:164)
            at com.sun.identity.saml.common.SAMLServiceManager.setValues(SAMLServiceManager.java:788)
            at com.sun.identity.saml.common.SAMLServiceManager.init(SAMLServiceManager.java:266)
            at com.sun.identity.saml.common.SAMLServiceManager.getAttribute(SAMLServiceManager.java:1015)
            at com.sun.identity.saml.servlet.SAMLPOSTProfileServlet.getDestSite(SAMLPOSTProfileServlet.java:242)
            at com.sun.identity.saml.servlet.SAMLPOSTProfileServlet.doGet(SAMLPOSTProfileServlet.java:118)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:796)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:917)
            at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
            at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:86)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:217)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
            at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:255)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
            at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
            at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
            at com.sun.webserver.connector.nsapi.NSAPIProcessor.service(NSAPIProcessor.java:160)
    [05/Oct/2008:19:36:32] warning ( 3746): CORE3283: stderr: Exception in thread "Thread-29" java.lang.NullPointerException
    [05/Oct/2008:19:36:32] warning ( 3746): CORE3283: stderr:       at com.sun.identity.saml.common.SAMLServiceManager.getAttribute(SAMLServiceManager.java:1017)
    [05/Oct/2008:19:36:32] warning ( 3746): CORE3283: stderr:       at com.sun.identity.saml.servlet.POSTCleanUpThread.run(POSTCleanUpThread.java:101)
    I didn't really think that I should have had to add the jar to the classpath, considering it is in the WEB-INF/lib folder.
    In summary, my questions are:
    1. What am I doing wrong in implementing this attribute mapper that causes it to be invalid?
    2. Why did I have to add that jar to the classpath to remove that NoClassDefFoundError? Isn't it already in the classpath?
    Thanks in advance,
    Matt

    OK, I fixed my issue. Removing all additional jars from the classpath and putting my class under amserver/WEB-INF/classes got it working.
    I guess it's a classpath context issue.

  • Define a SAML Attribute whose value is not in any data store

    I am attempting to define a SAML Attribute in Sun OpenSSO Ent 8.x whose value is not in any data store. I need to assign static text. The SP requires a unique value for all assertions under the same company. This is their method to help ensure an employee and assertion are for the correct data. For example,
    <saml:Attribute Name="AccountID">
    <saml:AttributeValue>ref-193749900</saml:AttributeValue>
    </saml:Attribute>
    I have not found a way with the OpenSSO admin portal. Any assistance would be appreciated.
    Thanks.

    Any response to this? I have the same need.

  • Capturing SAML attribute in OSB proxy

    Hi,
    We have a requirement of extracting one of the SAML attributes sent to our proxy service and sending it to the business service as one of the SOAP body elements.
    I have done the following things:
    - Created the business service based on particular WSDL
    - Created the proxy service based on same WSDL and applied the policy oracle/wss10_saml_token_service_policy as per our requirements
    - In the Security tab of the proxy service, I have checked the option 'Process WS-Security Header' as I want to restrict the access to my proxy service based on the SAML subject that we receive
    Following is the SAML header that I am using to test the OSB proxy from SoapUI 2.0.2. I have to capture the saml:NameIdentifier from the below SAML assertion I receive. When I use the $header variable I am unable to get this. But when I uncheck 'Process WS-Security Header' I am able to get the value, but authentication is not working. So I think 'Process WS-Security Header' should always be checked.
    Please let me know ASAP how I can extract saml:NameIdentifier from the request received in the proxy service. Is there any way to intercept the request to the proxy, just like SOAP handlers?
    <saml:Assertion AssertionID="Id-00000127f49c1cf3-0000000000900e24-2" IssueInstant="2010-04-19T00:40:24Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <saml:Conditions NotBefore="2010-06-16T00:40:24Z" NotOnOrAfter="2010-06-21T00:40:24Z"/>
    <saml:AttributeStatement>
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </saml:AttributeStatement>
    </saml:Assertion>
    Thanks
    Siva

    Hi Siva,
    "We have a requirement of extracting one of the SAML attributes sent to our proxy service and send it to the business service as one of the SOAP body elements"
    I think your requirement is not to do the authentication, so why are you checking the option 'Process WS-Security Header'?
    If the 'Process WS-Security Header' check-box is selected then it will process and consume the security headers and enforce the message-level access control policies on the incoming message (this is called an Active Intermediary Proxy Service). If you don't select it, the proxy will be pass-through and OSB will not make any modification to the security headers, encrypted body parts, etc. (this is called a Pass-Through Proxy Service).
    I think in your case you require a pass-through proxy service.
    To know more about pass-through/active intermediary proxies and their configuration in OSB, please refer section "Configuring Proxy Service Message-Level Security" on below link -
    http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/message_level.html#wp1077884
    Regards,
    Anuj

  • SAML - User Principal mapped on a SAML attribute - How to do ???

    Dear security experts,
    I have configured on my weblogic platform a Sender vouches SAML profile.
    I am trying to map the UserPrincipal (the one I get from the webServiceContext in my web service) to a SAML attribute (different from the SAML subject).
    I have written a class that implements the interfaces SAMLIdentityAssertionNameMapper and SAMLIdentityAssertionAttributeMapper.
    Here is an overview of the simplified implementation:
    public String mapNameInfo(SAMLNameMapperInfo info, ContextHandler handler) {
        return "user2";
    }
    public void mapAttributeInfo(Collection<SAMLAttributeStatementInfo> attribStmts, ContextHandler contextHandler) {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(PrincipalFactory.getInstance().createWLSUser("user1"));
        ((SecurityTokenContextHandler) contextHandler).addContextElement(ContextElementDictionary.SAML_ATTRIBUTE_PRINCIPALS, principals);
    }
    After weblogic has loaded my SAML assertion, I can see in the log that my subject has two User Principals: user1, user2. When I call getUserPrincipal in my webservice, I always get "user1". I need to get "user2".
    Why does mapNameInfo() always have priority? Is it the right way to implement this mechanism?
    Thanks for your help.

    Gyan:
    How is that possible? If you import the VOImpl inside EOImpl, the import statement is ok. But how would you use that? There is no findViewObject method? The OADBTransaction class that I can use has only findObject method that one can use and I tried that but wasn't successful. Shouldn't you have to import OAApplicationModule and a host of other classes? Is that even possible?
    I thought about the entity expert approach but I don't have a need to execute any query. I just need to refer to the view attribute from within the EOImpl. That's what I am looking for. If there is a way to refer to a view attribute from within the EOImpl without having to populate that attribute in a session/transaction variable, that would be a better solution for me, because there may be more attributes that I need from different VOs later on, and every time I need some VO attribute I don't want to have to create and populate a session/transaction variable.
    Please let me know if it can be done. Can you please elaborate more on your proposal? I really appreciate your time and help. Thanks!
    - Muzammil

  • Read SAML attributes in Proxy service

    Hi,
    I need to read SAML attributes in a proxy service in OSB. But the SAML is not available.
    The client calls a service with an encrypted SAML in the header, but when I read the header in the proxy service, the SAML is no longer available.
    Client call with:
    Authorization: Basic [base64-encoded SAML 2.0 Response omitted]
    Is the security filtered?
    Thanks
    Yves

    Hi Sura,
    The thread-count configured in your proxy-scheme is the number of concurrent client requests that your proxy servers can handle. Ideally your (thread-count * proxy servers) = (clients * max requests). Also, you need to check that the byte/message backlog on the proxy servers is close to zero.
    Hope this helps!
    Cheers,
    NJ

  • Reading SAML attributes inside BPEL on weblogic 11g

    Hi,
    My customer wants to access SAML token attributes and the username inside a BPEL workflow on weblogic 11g.
    This workflow is exposed as a webservice and is protected by an attached policy.
    My question is whether it is possible to access SAML token attributes inside BPEL, and if yes, how to do it.
    Thanks
    Hubert

    Is this what you are looking for??
    http://lesterrebollos.blogspot.co.uk/2008/02/extracting-wsse-security-headers-from.html
    best regards Nicolas

  • Dynamically add/change SAML attributes

    Hi,
    Is it possible to dynamically add assertion attributes to SAML depending on the authentication method?
    From what I see in the LocalAuthenticationClass (NACM API), there is a method called:
    addPrincipalAttributes(java.lang.String strAttr, java.lang.String[] values)
    Sets attributes for a user that has been authenticated.
    Does it mean that these attributes will be added to the SAML when NAM responds to the AuthnRequest?
    If so, will they be automatically added to the e-Directory?
    Basically, my boss wants me to send, say, attributes 1,2,3 when a user authenticates with the username/password contract. However, when a user logs in with a digital certificate, then I need to send attributes 1,2,3,4,5. Can this be done?
    Thanks in advance,
    Annon
    anonaye2
    anonaye2's Profile: http://forums.novell.com/member.php?userid=60294
    View this thread: http://forums.novell.com/showthread.php?t=381618

    http://forums.novell.com/novell-deve...injection.html
    Although the post above does solve my problem, some tech. wiz. at work suggests that it will not work under concurrent conditions, when multiple users with the same ID log in at the same time with different authentication methods.
    Are there other solutions without modifying e-Directory?
    anonaye2

  • Custom SAML Attributes

    Does anyone have any pointers on how I can add some custom attributes to a SAML assertion using either SAML 1.1 or 2.0? This would be for web SSO, when the user logs in, I'd like to pass some more information along to the service provider, such as an account number.
    Thanks,
    ..Mel

    Hi, finally I got it (thank you Gautam!!!),
    public class CustomWlsPrincipal extends WLSAbstractPrincipal implements WLSUser {
        public CustomWlsPrincipal(String name) {
            super();
            // Feed the WLSAbstractPrincipal.name. Mandatory
            this.setName(name);
        }
    }
    So you need to invoke the parent class setName(String) method. If not, you will get a NullPointerException.
    Implementing the equals and hashCode is also convenient.
    Hope it helps,
    Luis

  • OIF SAML 2.0 verification issue

    We are working with a partner on a SAML 2.0 setup and we are stuck with the following error. The partner is using Siteminder. We have uploaded the metadata file in our system, and when we test the connection an error occurs and this is showing up in the logs. Any ideas?
    10/01/04 15:04:07: ERROR oracle.security.fed.controller.ApplicationController.processServletRequest() - oracle.security.fed.controller.web.action.RequestHandlerRuntimeException: Could not locate XML signature verification service. Invalid EventReponse: could not locate the verification key for: xxxxxxxxx; oracle.security.fed.security.exceptions.NoSuchServiceException: Invalid EventReponse: could not locate the verification key for: xxxxxxxxx

    Any ideas on this? This is an urgent issue.

  • OIF SAML 2.0 issue

    We are working with a partner on a SAML 2.0 setup and we are stuck with the following error. The partner is using Siteminder. We have uploaded the metadata file in our system, and when we test the connection an error occurs and this is showing up in the logs. Any ideas?
    10/01/10 11:53:36: ERROR oracle.security.fed.controller.ApplicationController.processServletRequest() - oracle.security.fed.controller.web.action.RequestHandlerRuntimeException: Could not locate XML signature verification service. Invalid EventReponse: could not locate the verification key for: bms2inter; oracle.security.fed.security.exceptions.NoSuchServiceException: Invalid EventReponse: could not locate the verification key for: bms2inter

    Any ideas on this? This is an urgent issue.

  • OIF 11g SSO assertion attributes

    I am using OIF 11g and acting as IDP. I am unable to send any attributes in the SAML assertion apart from the NameID. Has anyone faced this issue earlier?
    Regards,
    Vinod

    Hello Vinod
    Login to Enterprise Manager
    Federations > Trusted Provider
    Select SP Trusted Provider > Edit
    Under "Oracle Identity Federation Settings", Attribute Mappings and Filters, Click "Edit"
    Click Add
    Type an attribute (User Attribute Name) that you want to pass in the assertion
    Type a name (Assertion Attribute Name) that you want to pass the above value as (can be same as the User Attribute Name)
    Check "Send with SSO Assertion"
    Repeat this step for additional attributes
    Apply changes
    Hope this helps
    Shiva

  • SAML assertion attributes and Web Services

    Just want to clarify for myself something about SAML token within Web Services Security.
    As I understand it, SAML attribute assertions cannot be used within the Web Service business logic tier because all security header information is unavailable within the Web Service implementation context. And the only reason for a sender to submit attributes along with a SAML authentication assertion is to give SecurityEnvironmentHandler more information about the trusted identity. Is that right?


  • How to validate user attributes in a SAML assertion?

    Hello!
    I'm using WebLogic Server 10.3.6.0 + Oracle Service Bus 11.1.1.6 + Oracle Enterprise Manager 11g.
    I deploy my Web Service on Weblogic Server and protect this by OWSM SAML-based policy (now it is oracle/wss_saml_token_bearer_over_ssl_service_policy).
    It is working, but some things I don't understand.
    My main question: how can I configure validation of user attributes in the SAML assertion?
    For example, inbound requests have 3 attributes in the SAML assertion tag: role, email and dept.
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance">
    <soap:Header>
    <wsse:Security>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="Id-0000010a3c4ff12c-0000000000000002"
    IssueInstant="2006-03-27T15:26:12Z" Version="2.0">
    <saml:Issuer Format="urn:oasis ... WindowsDomainQualifiedName">
    TestCA
    </saml:Issuer>
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis ... WindowsDomainQualifiedName">
    TestUser
    </saml:NameIdentifier>
    </saml:Subject>
    <saml:Conditions NotBefore="2005-03-27T15:20:40Z"
    NotOnOrAfter="2028-03-27T17:20:40Z"/>
    <saml:AttributeStatement>
    <saml:Attribute Name="role" NameFormat="http://www.oracle.com">
    <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="http://www.oracle.com">
    <saml:AttributeValue>[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="dept" NameFormat="">
    <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>
    </wsse:Security>
    </soap:Header>
    <soap:Body>
    <product>
    <name>Enterprise Gateway</name>
    <company>Oracle</company>
    <description>Web Services Security</description>
    </product>
    </soap:Body>
    </soap:Envelope>
    But I want to permit only requests with 4 attributes (for example, role + email + dept + city) or something like that. How can I configure this in the OWSM policy settings or WebLogic settings?
    Thanks for any help.
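    The two checks asked for on this page, the OIF attribute-mapping question at the top (two assertion attributes fed from one LDAP attribute) and this OWSM question (reject a request whose assertion lacks a required attribute), as an added example; it is not code from any post here nor OIF's or OWSM's own logic. Nothing in SAML 2.0 stops two differently named attributes from carrying the same value: Attribute elements are keyed by Name, so a mapping keyed by assertion name emits all four. The mapping, the LDAP entry and the SOAP envelope are constructed.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML2)

# OIF-style mapping: assertion attribute name -> source LDAP attribute. Two
# assertion names may read the same LDAP attribute; SAML 2.0 identifies
# <saml:Attribute> elements by Name, so both must be emitted. (Constructed.)
MAPPING = {
    "staticID": "employeenumber",
    "firstName": "givenname",
    "lastName": "sn",
    "EmployeeID": "employeenumber",
}


def build_attribute_statement(mapping, user_entry):
    """IdP side: one <saml:Attribute> per assertion name in `mapping`.

    `user_entry` is the user's LDAP entry with lowercase keys (the support
    note quoted at the top of the page says the configured LDAP names must
    be lowercase); a mapping whose source attribute is absent from the entry
    is skipped rather than emitted empty.
    """
    stmt = ET.Element(f"{{{SAML2}}}AttributeStatement")
    for assertion_name, ldap_attr in mapping.items():
        value = user_entry.get(ldap_attr.lower())
        if value is None:
            continue
        attr = ET.SubElement(stmt, f"{{{SAML2}}}Attribute", Name=assertion_name)
        ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = value
    return stmt


def to_xml(element):
    """Serialise an Element to a unicode string (adds the xmlns declaration)."""
    return ET.tostring(element, encoding="unicode")


def extract_attributes(xml_text):
    """SP side: parse an assertion, or a whole SOAP envelope carrying one in
    wsse:Security, and return {Name: [values]} for every saml:Attribute.
    Handles SAML 2.0 (Name=) and SAML 1.x (AttributeName=) forms."""
    root = ET.fromstring(xml_text)
    found = {}
    for ns in (SAML2, SAML1):
        for attr in root.iter(f"{{{ns}}}Attribute"):
            name = attr.get("Name") or attr.get("AttributeName")
            values = [(v.text or "").strip()
                      for v in attr.iter(f"{{{ns}}}AttributeValue")]
            found.setdefault(name, []).extend(values)
    return found


def missing_required(attributes, required):
    """Names in `required` that are absent or carry only empty values.
    A non-empty result means the request should be rejected."""
    return sorted(n for n in required if not any(attributes.get(n, [])))


# Constructed inbound request, shaped like the one in the OWSM thread but with
# the wsse prefix declared so it parses.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header><wsse:Security xmlns:wsse="{WSSE}">
<saml:Assertion xmlns:saml="{SAML2}" ID="_constructed-1" Version="2.0"
    IssueInstant="2006-03-27T15:26:12Z">
<saml:Issuer>TestCA</saml:Issuer>
<saml:AttributeStatement>
<saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="dept"><saml:AttributeValue>engineering</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wsse:Security></soap:Header>
<soap:Body/>
</soap:Envelope>"""


def demo():
    # IdP: constructed LDAP entry; employeenumber feeds both staticID and EmployeeID.
    entry = {"employeenumber": "E12345", "givenname": "Ada", "sn": "Lovelace"}
    issued = extract_attributes(to_xml(build_attribute_statement(MAPPING, entry)))
    # SP: the OWSM thread's rule, require role + email + dept + city.
    inbound = extract_attributes(SAMPLE_ENVELOPE)
    return issued, missing_required(inbound, {"role", "email", "dept", "city"})


if __name__ == "__main__":
    issued, missing = demo()
    print("issued:", issued)            # four attributes, two sharing E12345
    print("reject, missing:", missing)  # ['city']
```

    The "reject" branch is what an OWSM policy or a handler in front of the service would have to do; the check here is the logic only, not a policy configuration.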

    That would be the easiest route, but isn't it against the standards to use triggers on tables? I was thinking of doing the validation before the item is created on the page, by customizing the create item and update item pages.
    Did anyone work on PIM to do this sort of customization, the pages are all dynamic and are pretty complex, I am not able to figure out where to fit in my validation.
