PB 12.5.2 and SAML

Hey Gang,
My company is implementing
SSO Authentication via Oracle's SAML offering; I don't have all of the details yet so I'm not even sure if I've phrased the following questions accurately:
Can a PowerBuilder application connect to/consume a SAML resource?
Is the Oracle SAML service accessible as a conventional web service?
Are there any tricks to authenticating a user of a PowerBuilder application via SAML?
At this point I don't know what I don't know, so any insight would be greatly appreciated.
Thanks,
Dale

Thank you, Bruce
Apparently, the sysadmin forgot to allow 32-bit apps to run on IIS.
The problem is now solved, thanks

Similar Messages

  • OWSM 11g : Authentication Providers for X.509 and SAML policies

    Hi All,
    I am currently trying to implement the X.509 and SAML policies. As per the documentation for these policies I need to configure an authentication provider (or Identity Assertion provider) that can handle perimeter authentication via the NameCallback. I had configured an authentication provider (default authentication provider) that handled the NameCallback and PasswordCallback. What I can't figure out is how these two authentication providers differ, and, in case one has to configure for the X.509 and SAML policies, how to do the same.
    Any pointers will be useful. Especially, from anyone who has worked and implemented the above policies.
    Thanks in advance.
    Edited by: Shomit Sahdev on 8 April 2010, 12:25 AM

    After research by Oracle Support it actually turns out that this problem was a combination of factors:
    1) some clients were effectively using an invalid certificate, so it is correct they got an error, and everything worked fine when they started using the right certificate
    2) it does, however, turn out that, in the case of an error the error handling has been obfuscated in WLS 10.3.6 as compared to WLS 10.3.4 which gives a more descriptive error stating the nature of the problem (missing certificate, invalid certificate, unknown user, ...). Apparently this was deemed a security issue and has thus been replaced by a generic "internal server error". It is however possible to re-activate this older behaviour using a couple of JAVA_OPTS that you pass during server startup:
    -Dweblogic.wsee.security.debug=true -Dweblogic.wsee.security.verbose=true
    The above reintroduced the behaviour we had in WLS 10.3.4 and thus solves our problem!

  • E-sourcing Single sign on and SAML 1.1

    Does anyone have experience of using SAML token 1.1 to authenticate external users in e-sourcing?
    We have an external IdP "Identity Provider" or "Source Site" in the SAML-based exchange.
    We have a Portal that plays the role of "Identity Asserter" or "Service Provider" or "Destination Site" in the SAML-based exchange; SAP e-sourcing would be the Assertion Consumer Service.

    Thanks. But it is based on two WEB applications deployed on two different weblogic domains. What I am looking for is one application which is launched using Java Web Start(JNLP) and other a web application. The Java Web Start application uses its proprietary authentication implementation and the web application used DefaultAuthenticator of weblogic. Hope this detail will help you to answer my question better. I should have given this information earlier.
    Thanks.
    Rama

  • SSO and SAML issue with Fiori

    Hi
    I have set up a Fiori system based on 7.4 and it is working fine.
    I attempted to use Single Sign using SAML based on ADFS as an identity provider which we are already using in our environment.
    I have followed this guide by Chris Wealy: Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet
    However, when I am trying to log in to the Fiori launchpad, I am redirected to the IdP site where I enter my credentials, and I am not able to log in. Checking the diagnostic tool I am getting the following error:
    SAML20 SP (client 410 ): Exception raised:
    SAML20 SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration
    SAML20     at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)
    SAML20     at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)
    SAML20     at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)
    SAML20     at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
    SAML20     at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
    SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
    SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 303)
    SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2491)
    However checking the possible solution to the above error I came across this
    Problem: You are performing SAML 2.0 authentication and you get the following error:
    CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1.
    Reason: SSL server certificate of identity provider is not imported in “SSL Client Standard” PSE.
    Solution: Import SSL server certificate of the identity provider in “SSL Client Standard” PSE.
    I have imported the SSL server certificate along with the root certificate of the Identity Provider, which is ADFS, and still I am getting the same error.
    The ICM trace is showing this
    Thr 140736331941632] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
    Thr 140736331941632]    session uses PSE file "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"
    Thr 140736331941632] No LastError / ErrorStack available!
    Thr 140736331941632]   SSL_get_state()==0x2120 "SSLv3 read server hello A"
    Thr 140736331941632]   SSL NI-hdl 193: local=10.2.32.85:52039  peer=10.2.32.43:443
    Thr 140736331941632] <<- ERROR: SapSSLSessionStart(sssl_hdl=7fff90003a60)==SSSLERR_SSL_CONNECT
    Thr 140736331941632] *** ERROR => SSL handshake with adfs.sbm.com.sa:443 failed: SSSLERR_SSL_CONNECT (-57)
    Thr 140736331941632] SAPCRYPTO:SSL_connect() failed
    Thr 140736331941632]
    Thr 140736331941632] SapSSLSessionStart()==SSSLERR_SSL_CONNECT
    Thr 140736331941632] SSL_connnect() failed  (0/0x00) Huh??
    Thr 140736331941632]   SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"
    Thr 140736331941632]   SSL NI-hdl 193: local=10.2.32.85:52039  peer=10.2.32.43:443
    Thr 140736331941632]   cli SSL session PSE "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"
    Thr 140736331941632]   Target Hostname="adfs.sbm.com.sa"
    Can anybody help out.
    Do you need any other logs or configurations to check?

    Hi Simon,
    Thanks for your response.
    I am able to access the NetWeaver Gateway Service URLs placed on the same DMZ using the reverse proxy from the internet.
    I have tried using the FQDN as well but no luck, do we need to do some configurations at the backend server in order to use Fiori Launchpad with reverse proxy?

  • WS adapter and SAML

    Hi All,
    Has anyone used the WS adapter in the following synchronous scenario, where the WS adapter was the Sender adapter:  non-SAP system -> PI 7.1 -> ECC 6.0.
    We are keen on using SAML to authenticate the non-SAP system to PI 7.1, but I am getting conflicting information in all the documents I have read. It seems, to date, the WS adapter only supports SAP to SAP communication. Can someone confirm or refute this for sure? If this is not the case, can it be used for synchronous scenarios?
    Thanks in advance.
    JM

    Hi,
    Thanks to everyone for their responses.  That has helped to clarify some things.  However, I need to confirm a couple more things before I mark this as answered.  In my synchronous scenario:
    non-SAP -> PI 7.1 -> SAP ECC
    I just want to confirm -
    1 - Can the non-SAP sender send through a SAML authentication token that the PI trusts and can perform authentication based on that? That is, PI is not the issuer of the SAML token for the sender. The link sent through by Gupta seems to say Yes, but I just want confirmation.
    2 - If that can be done, is PI only trusting one SAML certificate for the sender system and the userid within that certificate can change?  Or is PI trusting one SAML certificate for every user of the sender application?
    Sorry, I hope what I am trying to ask makes sense. 
    Regards,
    JM

  • Oracle BPM and SAML Token

    Hi all,
    is there any way to use SAML token with OBPM?
    I need to invoke webservice from OSB and it needs authentication.
    So, I want to provide a SAML Token to authenticate.
    I just want to know how to configure a SAML token in OBPM. Is it supported?
    With Regards,
    Wai Phyo
    Edited by: waiphyo on May 25, 2010 5:36 PM

    In the data control palette under the collection that represents the child you should see a node of operations - in there you should see next/previous - drag those onto the page to get the scrolling through the records going on.

  • New Segment of Access Manager-Federation Manager FAQ on Liberty and SAML

    Sun Developer Network just published a new segment of a Sun Java System Access Manager and Sun Java System Federation Manager FAQ on Liberty Alliance and Security Assertion Markup Language (SAML). See http://developers.sun.com/identity/overview/faq/libertysaml.jsp.
    The Q&As also shed light on those products' support for identity-based services in Access Manager, on the utilities for creating and maintaining federated connections, on the components in Federation Manager, and on other related topics.

    This may not be the same as the problem you are seeing, but I was recently struggling with debugging an SSL connection out of the amserver, and eventually noticed that the amserver uses its own protocol handler rather than the sun.net.www.protocol included in java 1.4 and above. My guess is that this is because the amserver is older than java 1.4 but I'm not sure, they may have some other reason for using their own implementation.
    If you look at the web server server.xml after the amserver install, you will see a line like:
    <JVMOPTIONS>-Djava.protocol.handler.pkgs=com.iplanet.services.comm</JVMOPTIONS>
    if you replace that with:
    <JVMOPTIONS>-Djava.protocol.handler.pkgs=sun.net.www.protocol</JVMOPTIONS>
    you might get the pre-amserver behaviour that you are after. Basically all of the httpsURLConnection things behave subtly differently otherwise, as when getting a HttpsURLConnection you are getting a com.iplanet.services.comm.https.HttpsURLConnection rather than a sun.net.www.protocol.https.HttpsURLConnection as you might be expecting.

  • STS and SAML 2 Security tokens

    For service based SSO, does IDM 7.2 issue WS-Security SAML2 assertion tokens? Specifically, I am looking for information on Holder-of-Key Subject confirmation method and related configuration on IDM.
    Thanks

    Hi Vinay,
    Sorry for the delayed answer. Although it might look strange but for the moment NW AS Java does not support SAML 2.0 HoK assertions. Only AS ABAP does support such tokens. Still you might be able to use X.509 client certificates issued by the STS for authentication to web services running on NW AS Java.
    Regards,
    Dimitar

  • SAML / OIF integration does not work - Could not extract SAML2 message

    Hi gurus,
    We are trying to establish SSO between SAP Portal 7.3 and OIF 11.1.5 (Oracle Identity Federation). I configured SAP Portal as service provider and OIF is also configured. I changed the Login Module and added SAML on top of my default auth stack. When we try to do an end-to-end test it does not work and throws the following error:
    Default SAML2 configuration is selected because login module option [provider] is not configured.
    SAML2LoginModule is running in execution mode DEFAULT.
    SAML2Principal not found in current client context.
    Exiting method
    Entering method
    SAMLResponse: PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovL2ppZXB0ODIudWsuY2VudHJpY2FwbGMuY29tOjgxODIvc2FtbDIvc3AvYWNzIiBJRD0iaWQtVVRW...
    Decoded SAMLResponse: <samlp:Response mlns:samlp="urn:oasis:names:tc:  4 пїЅГЈ"пїЅ пїЅ &пїЅFпїЅ6пїЅпїЅ" FW7FпїЅпїЅ.......................3E&saml2post=false
    Could not extract SAML2 message from request.
    [EXCEPTION]
    java.lang.SecurityException: com.sap.security.saml2.lib.common.SAML2Exception: SAML parsing failed..................
    No user name provided.
    Entering method
    Automatic IdP Selection mode configured for the Service Provider
    POST parameters set as HTTP request attribute [sap.com/login_post_parameters] to be re-submitted during login: [SAMLResponse, SAMLart, RelayState]
    Could not remove original application URL cookie because the provided name is invalid: <null>
    Exiting method with true
    LOGIN.FAILED
    User: N/A
    IP Address: 10.11.11.11
    Authentication Stack: ticket
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.saml2.sp.SAML2LoginModule                              REQUIRED    ok          exception             true       Service Provider could not extract SAML2 message from request.
            #1 AcceptedAuthenticationMethods = *
            #2 Mode = Standalone
    2. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
            #1 trusteddn1 = CN=ERT,OU=I0020100174,O=SAP Web AS
            #2 trustediss1 = CN=ERT,OU=I0020100174,O=SAP Web AS
            #3 trustedsys1 = ERT,010
            #4 ume.configuration.active = true
    3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     
    4. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          false                 true      
    The decoded SAML response looks strange with all the non-readable characters; as a result, there is no username passed to the portal, SAML login fails, and the portal offers a fall-back login with username/password.
    Also, can you please comment the line from the help.sap.com (http://help.sap.com/saphelp_nw73/helpdata/en/bf/b0b879544740c8a3c8bdda87e50587/frameset.htm)
    "Prerequisites for SAML
    Your service provider must be able to reach the identity provider over HTTP or HTTPS."
    We have our identity provider / service provider in two different segments of the network, and there is no HTTP/HTTPS connection between these segments, as we assumed that all the communication is going through the browser and we would not need the port to be opened on the firewall. Is it something which is absolutely necessary? In our opinion it negates all the benefits of SAML.
    Help will be very much appreciated
    Many thanks in advance,
    Regards, Elena

    Hi Elena,
    The issue was discovered and fixed during the SAML Interoperability Tests early last year (2011). I'm not sure I will be able to find a dedicated note because the fix was not downported but just submitted in the latest SP in correction. If you need a justification then you can open a support ticket with SAP and this will be the official answer there. If you do so, please do not forget to attach traces from the system: use the tool described in 1332726 with type "SAML 2.0 (Info)". If you send me the ticket number I can speed up the processing of the ticket.
    Regards,
    Dimitar

  • SAML Sender Vouches Assertion in ABAP only environment

    All – apologies for a lengthy post…
    subject: Standard logon - SAML Authentication (logon using SAML).
    We are testing if an external app – like Oracle (consumer) – can render a web service via SAML assertion into an AS ABAP (provider) environment. Per OSS note 1254821, we have set up a trusted environment, and were able to successfully test a BAPI function via Certificate Authentication (logon using a client certificate), one of the standard logons.
    This test validates that the SOAP message can be processed through SAP, from the secured transport layer to decrypting and processing the SOAP message.
    When we move to test the SAML assertion piece, we are not able to find the logon of "SAML Authentication" via the standard logon through transaction SICF.
    We nonetheless moved to test with all the available logon options without success:
    1     Fields Authentication
    2     SSO Authentication
    3     Basic Authentication
    4     SAP Authentication
    5     Certificate Authentication (we deactivated the USEREXTID's DN user)
    6     Service Authentication
    While researching, we came across that there should be a "SAML Authentication" standard logon option, yet this is not available in our test system.
    Our system information is as follows:
    SAP ECC 6.0
    SAP_BASIS      700      SAPKB70017    
    SAP_ABA         700      SAPKA70017    
    We are testing in an ABAP stack environment.
    We have cross-referenced with note 1254821, and have satisfied all the requirements.
    We expect the standard logon to contain "SAML Authentication" through SICF since we have configured the web service through SOAMANAGER using "SAML 1.1 Sender Vouches Assertion".
    Question:
    Is the "SAML Authentication" standard logon necessary to facilitate the SAML sender vouches solution (we have only AS ABAP)?
    If needed, what configuration, or support pack we need to be on.
    Better yet, has anyone out there made it work? If so, please share.
    Thanks much,
    Alex

  • Seeking recommendations for handling large binary documents with security(preferable) for inbound and outbound scenarios from OSB- SOA and SOA- OSB

    Hi,
    I am currently working on a project with the following requirements
    1. Client transfers binary document (between 1-20MB in size) from OSB proxy to SOA composite to Content Management system
    2. Client retrieves binary document (between 1-20MB in size) from Content Management system to SOA composite to OSB proxy
    In other words, an inbound and an outbound integration.
    What I have tried so far and my results:
    Scenario A
    1. Enabled MTOM on SOA composite by attaching wsmtom policy
    2. Created an OSB business service and consumed the SOA composite application
    3. Enabled MTOM on OSB proxy and business service and configured it to pass by reference
    Scenario B
    1. Enabled MTOM and security on SOA composite by attaching wsmtom policy and SAML policy
    2. Created an OSB business service and consumed the SOA composite application
    3. Enabled MTOM on OSB proxy and business service and configured it to pass by reference
    I have a demo integration setup that writes a binary document to a file using the above steps. My SOA composite has a file adapter that writes the binary data to an external file, and it is exposed as a web service with a simple WSDL definition that has an inline XSD schema with a single element of base64Binary type. I have added a mediator that maps this base64Binary element node to the file adapter's input node.
    Result for Scenario A with file size less than 1 MB:
    Flawless execution with sub-second response times
    Result for Scenario A with file size of 8MB
    First attempt: SOA composite faults with database transaction related error, solved by increasing JTA timeout
    Second attempt: Flawless execution, but the file transfer took over 100 seconds to complete. This is very poor performance and my suspicion is that this cannot be the expected behaviour, but I don't know the internal workings of the SOA composite and why it's taking this long.
    Result for Scenario B:
    The OSB business service does not accept/recognize the SAML policy in the WSDL and suggests configuring OWSM policies manually, but the OWSM policy in OSB does not have the wsmtom policy. Regardless of this, any permutation of MTOM + WSS security in this integration scenario either did not work outright or MTOM optimization was not happening, i.e. binary data was materializing in the message body.
    I have only about 3 weeks left to implement a viable solution, and the closest I've come to a solution is Scenario A, but that 100+ second response time for an 8MB file is really worrying.
    I would appreciate any level of guidance, recommendations or suggestions as to how I go about tackling this problem.
    Thanks
    regards,
    Johnny

    I think this is due to the underlying mechanism of weblogic classloading..
    You can contact oracle support @ https://support.oracle.com to report issues. Roughly this is the process .
    1- get the Oracle Customer Support Identifier (CSI) for the client you are working for.
    2- Create a user profile quoting the CSI. This will send an approval request to oracle support admins at your client.
    3- Get the oracle support admins at your client site to approve your request for support access.
    4-Once they approve , you can access the support site and raise service requests.

  • Ask the Experts: Single Sign-On with Cisco WebEx Meetings Server, Internet Reverse Proxy, and Enterprise License Manager Solutions

    With Arun Kumar
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
    SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
    IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
    Example question topics include:
    SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
    Basic configuration of IdPs
    Interaction between IdPs and Cisco WMS
    Difference between the cloud client implementation and Cisco WMS
    Meeting access behavior in a split-horizon network topology with SSO
    How to enable public access to Cisco WMS
    Cisco WMS ELM operations
    Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/interoperability between them
    Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
    Remember to use the rating system to let Arun know if you have received an adequate response.
    Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Mobile Service,
    CWMS and Jabber integrations:
    http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
    In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
    then move to section: Add Cisco WebEx Meetings Server to a Profile
    Once done, move to section: Specify Conferencing Credentials in the Client side. You will see the above server already listed there; just go ahead and enter your username and password (please make sure this user already exists on your CWMS) and accept any certificate(s) if presented. Jabber Integration is done and you can start testing the same.
    Attached CWMS - ADFS integration doc.
    Please let me know if any further question.
    Thanks, Arun

  • Which truststore for SAML Sender Vouches signatures in SOAP message

    Hi Experts,
    I try to consume a Web Service provided by SAP Portal 7.3 EHP 2, which is secured using SAML 2.0.
    My intention is to send SAML assertion using the Sender Vouches confirmation method and looking at the sample message from the Wiki and my message side-by-side, I am confident that the message should be understandable for SAP (having the correct signatures etc.)
    However, using the Security Troubleshooting Wizard, I collected some traces on the SAP Portal side and I can see that the certificate I use seems to be untrusted.
    The Exception thrown somewhere near the WSSAMLLoginModule is:
    Caused by: javax.security.auth.login.LoginException: com.sap.exception.io.SAPIOException: [com.sap.ASJ.wssec.020359] An exception was thrown during the verify of the SAMLTokenHandler: The certificate Subject DN: ....... is not in the list of trusted certificates.
    at com.sap.security.core.server.wssec.jaas.WSSAMLLoginModule.login(WSSAMLLoginModule.java:91)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
    ... 52 more
    I already imported the cert in almost all trust stores. Where do I specify the trusted certs?
    Thanks.
    Jens

    Hi Jens,
    yes, it's  keystore view TicketKeystore. The idea is that a logon ticket trust suffices to get the SAML 1.1 Sender Vouches trust as well.
    The next thing you should take care of is to make sure that your SAP Portal system trusts the SAML issuer of your SAML assertion. This is to be configured in NetWeaver Administrator under Configuration Management  Security >  Trusted Systems. There you add the issuer string of your SAML Assertion into the Trusted Partners section.
    Please follow paragraph "Configuring the Trusted Partners (Provider)" on this documentation link for details: http://help.sap.com/saphelp_nw73/helpdata/en/48/b264916b156ff4e10000000a42189b/frameset.htm
    Another thing. Please see that for SOAP Web Services SAP (both AS ABAP and AS Java) for Sender-Vouches only SAML 1.1 is supported. Holder-of-key SAML assertions are supported with SAML 1.1 and SAML 2.0.
    Regards,
    Mathias

  • SAP to consume third party webservice that requires saml authentication

    Hi All,
    I am able to invoke our third-party web service from soapUI, but it is a two-step procedure. This is how it works in soapUI:
    step 1) first send the predefined message below, embedded with username and password in the header:
    <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
         <SOAP:Header>
              <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <wsse:UsernameToken>
                        <wsse:Username>myusername</wsse:Username>
                        <wsse:Password>mypwd</wsse:Password>
                   </wsse:UsernameToken>
              </wsse:Security>
         </SOAP:Header>
         <SOAP:Body>
              <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
                   <samlp:AuthenticationQuery>
                        <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
                             <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myusername</saml:NameIdentifier>
                        </saml:Subject>
                   </samlp:AuthenticationQuery>
              </samlp:Request>
         </SOAP:Body>
    </SOAP:Envelope>
    after this, we got the response as:
    <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
         <SOAP:Header>
              <header xmlns="http://schemas.thirdparty.com/General/1.0/">
              </header>
         </SOAP:Header>
         <SOAP:Body>
              <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
                   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <SignedInfo>
                             <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                             <Reference URI="#A18A90576-64FD-71E0-A9BC-286444658733">
                                  <Transforms>
                                       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                  </Transforms>
                                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                  <DigestValue>LzlvRhszr3qlOTG7AZX8i+yKvRI=</DigestValue>
                             </Reference>
                        </SignedInfo>
                        <SignatureValue>qc1x+84wkkPrf76dHW2HJ...</SignatureValue>
                        <KeyInfo>
                             <X509Data>
                                  <X509Certificate>MIIB3I.....NBgkqhk</X509Certificate>
                             </X509Data>
                        </KeyInfo>
                   </Signature>
                   <samlp:Status>
                        <samlp:StatusCode Value="samlp:Success"/>
                   </samlp:Status>
                   <saml:Assertion AssertionID="A18A90576.." xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
                        <saml:Conditions NotBefore="2011-01-25T09:14:54.045Z" NotOnOrAfter="2011-01-25T17:19:54.045Z"/>
                        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
                             <saml:Subject>
                                  <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myusername</saml:NameIdentifier>
                             </saml:Subject>
                        </saml:AuthenticationStatement>
                   </saml:Assertion>
                   <samlp:AssertionArtifact>MDGH....RbY6qHUFcO</samlp:AssertionArtifact>
              </samlp:Response>
         </SOAP:Body>
    </SOAP:Envelope>
    step 2) from the above response body, use the Signature element and the saml:Assertion element as part of the header of the original request, so the actual request in soapUI has become:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:product="http://mytp/myfunctionality">
         <soapenv:Header>
              <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <Signature> ...</Signature>
                   <saml:Assertion>..</saml:Assertion>
              </wsse:Security>
         </soapenv:Header>
         <soapenv:Body>
              <product:isProductAvailable>
                   <product:ProductNAME>myproduct</product:ProductNAME>
                   <product:ProductYEAR>2010</product:ProductYEAR>
              </product:isProductAvailable>
         </soapenv:Body>
    </soapenv:Envelope>
    after sending this above request, we are getting the desired response:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:product="http://mytp/myfunctionality">
         <soapenv:Header>
         </soapenv:Header>
         <soapenv:Body>
              <isProductAvailableResponse xmlns="http://mytp/myfunctionality">
                   <isProductAvailable>true</isProductAvailable>
              </isProductAvailableResponse>
         </soapenv:Body>
    </soapenv:Envelope>
    If we want to implement the same functionality using an ABAP consumer proxy, do we need to invoke with two different requests?
    Is there any efficient way where we can specify the values of <wsse:Username> and <wsse:Password> and invoke with the original payload?
    Is there any config in SOAMANAGER to specify the SAML related settings for the consumer proxy?
    What could be the simplest way to consume this web service in SAP?
    thanks in advance, BJagdishwar.
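
    The two-step flow described in this post, as an added example in Python (not code from the original post, nor from SAP, soapUI or any WS-Security stack): parse a step-1 SAML 1.0 Response, check that the ds:Reference actually covers the AssertionID about to be consumed and that the Conditions window is valid, then re-parent the Signature and Assertion into the wsse:Security header for the step-2 call. The sample XML, the AssertionID and the digest/signature values are constructed placeholders; the cryptographic verification of the signature itself is assumed to be done by the WS-Security layer after these structural checks pass.

    ```python
    """Added example, not from the forum post: inspect a SAML 1.0 Response before
    trusting it, then build the wsse:Security header of step 2.  Standard library only."""
    from datetime import datetime, timezone
    import xml.etree.ElementTree as ET

    NS = {
        "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
        "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
        "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
        "ds": "http://www.w3.org/2000/09/xmldsig#",
        "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
        "product": "http://mytp/myfunctionality",
    }
    for _prefix, _uri in NS.items():
        ET.register_namespace(_prefix, _uri)

    # Constructed sample with the same shape as the thread's step-1 response;
    # the AssertionID, digest and signature values are placeholders.
    SAMPLE_RESPONSE = """<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"><SOAP:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#AID-CONSTRUCTED-1">
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
       <DigestValue>PLACEHOLDER=</DigestValue>
      </Reference></SignedInfo>
      <SignatureValue>PLACEHOLDER</SignatureValue>
     </Signature>
     <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
     <saml:Assertion AssertionID="AID-CONSTRUCTED-1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2011-01-25T09:14:54.045Z" NotOnOrAfter="2011-01-25T17:19:54.045Z"/>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
       <saml:Subject><saml:NameIdentifier>myusername</saml:NameIdentifier></saml:Subject>
      </saml:AuthenticationStatement>
     </saml:Assertion>
    </samlp:Response></SOAP:Body></SOAP:Envelope>"""

    # Constructed application payload, same shape as the thread's step-2 body.
    SAMPLE_BODY = ('<product:isProductAvailable xmlns:product="http://mytp/myfunctionality">'
                   '<product:ProductNAME>myproduct</product:ProductNAME>'
                   '<product:ProductYEAR>2010</product:ProductYEAR></product:isProductAvailable>')


    def _parse_time(value):
        """SAML timestamps are UTC with a trailing Z, with or without fractional seconds."""
        for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
            try:
                return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
        raise ValueError(f"unsupported SAML timestamp: {value}")


    def check_response(xml_text, now):
        """Return a list of findings; an empty list means the structural checks passed.
        `now` is an ISO/SAML timestamp string (e.g. "2011-01-25T12:00:00Z")."""
        now_dt = _parse_time(now)
        findings = []
        resp = ET.fromstring(xml_text).find(".//samlp:Response", NS)
        if resp is None:
            return ["no samlp:Response found"]
        status = resp.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != "samlp:Success":
            findings.append("status is not samlp:Success")
        assertions = resp.findall("saml:Assertion", NS)
        if len(assertions) != 1:
            return findings + [f"expected exactly one saml:Assertion, found {len(assertions)}"]
        assertion = assertions[0]
        aid = assertion.get("AssertionID")
        # The signed Reference must point at the very assertion we are about to trust:
        # an assertion whose ID no ds:Reference covers has not been signed by the issuer,
        # however valid the Signature element next to it may be.
        refs = resp.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
        if not any(r.get("URI") == f"#{aid}" for r in refs):
            findings.append(f"no ds:Reference covers AssertionID {aid}")
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            findings.append("assertion has no saml:Conditions")
        else:
            if now_dt < _parse_time(cond.get("NotBefore")):
                findings.append("assertion not yet valid")
            if now_dt >= _parse_time(cond.get("NotOnOrAfter")):
                findings.append("assertion expired")
        return findings


    def build_wsse_request(response_xml, body_xml):
        """Step 2 of the post: move ds:Signature and saml:Assertion from the step-1
        Response into a wsse:Security header wrapped around the application body."""
        resp = ET.fromstring(response_xml).find(".//samlp:Response", NS)
        env = ET.Element(f"{{{NS['soapenv']}}}Envelope")
        header = ET.SubElement(env, f"{{{NS['soapenv']}}}Header")
        security = ET.SubElement(header, f"{{{NS['wsse']}}}Security")
        security.append(resp.find("ds:Signature", NS))
        security.append(resp.find("saml:Assertion", NS))
        ET.SubElement(env, f"{{{NS['soapenv']}}}Body").append(ET.fromstring(body_xml))
        return ET.tostring(env, encoding="unicode")


    if __name__ == "__main__":
        print("findings:", check_response(SAMPLE_RESPONSE, "2011-01-25T12:00:00Z"))
        print(build_wsse_request(SAMPLE_RESPONSE, SAMPLE_BODY))
    ```

    Re-parenting the Assertion into a different envelope does not break its digest because the issuer chose exclusive canonicalization (xml-exc-c14n), which excludes inherited namespace context from what is hashed; that is exactly why the step-2 request in the post can reuse the Signature unchanged. The Reference/AssertionID check is the part a consuming service most often skips: the WS-Security stack verifies that the signature is valid over whatever the Reference points at, so the consumer must confirm that target is the assertion it is actually going to act on, and that there is only one.
    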

    Hi,
    Please create the logical port using the WSDL directly; it will apply the required settings in the LP. You can also ask for a client certificate which you can apply while calling 3rd party services. To me this seems like X509 client certificate authentication.
    You can also create the LP manually by giving SAP SAML authentication and saving. Next time when you edit the LP you will be able to see plenty of options to configure the required settings.
    Please note that not all security methods are supported by SAP.
    Regards,
    Gourav

  • SAML generation using weblogic

    Hi,
    I am using weblogic as an Identity Provider and Oracle Identity federation (OIF) as a service Provider. The federation will be IDP(weblogic) initiated.
    I have configured both sides, published and exchanged metadata.
    Is there any out of the box feature of weblogic by which we can use SAML after configuration only, or do we need to write separate java code in order to create a login page and use the entire configuration which I made in weblogic? (Will any application need to be deployed in weblogic?)
    What URL do I need to hit for SAML if there is an out of the box feature in weblogic for using SAML (after configuring everything in weblogic)?
    Thanks
    Piyush

    Maybe the example given here can help you out: http://biemond.blogspot.com/2009/05/sso-with-weblogic-103-and-saml.html and http://docs.oracle.com/cd/E21764_01/web.1111/e13707/saml.htm#i1112531
    and the whitepaper (tutorial) that is referenced in the latter: http://www.oracle.com/technetwork/articles/entarch/sso-with-saml-099684.html
