SAML implementation in OSB
Hi Guys,
I am trying to implement security (authentication) between OSB business service and the
SOA composite service. We need to implement SAML based authentication here.
Please guide me by providing some example/blog or some good document.
Thanks,
Yatan
You may refer to -
http://download.oracle.com/docs/cd/E17904_01/integration.1111/e10224/sca_policy.htm#CHDHAJIH
http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/saml.htm#i1062321
http://fusionsecurity.blogspot.com/2010/06/oracle-service-bus-soa-suite-human.html
Regards,
Anuj
Similar Messages
-
SAML Implementation for External third party portal
Hi Experts
I am trying to configure external third party portal to SAP Portal using SAML. Has anyone done that before?
I would appreciate it if someone can provide details of this kind of implementation, as the Identity Provider and destination are on their side and the external partner has a custom SAML implementation.
Thank you
JS
Hi
Has anyone configured Source Site and Responder Service on Portal J2EE?
I would like to know if any one has done this kind of implementation and can share some light on the same.
Thank you
Jinal Shah -
Propogating SAML tokens from OSB to BPEL and the reverse
Hi
Is there a way to propagate SAML tokens from OSB to BPEL and vice versa? There are lots of references on using OWSM policies. Can I achieve passing tokens and asserting without them?
Thanks
Suman
Starting from the 11gR1 (11.1.1.3) release, we have a new feature to start a transaction. An OSB proxy can be configured to start a transaction. Refer to message flow transactions: http://download.oracle.com/docs/cd/E14571_01/relnotes.1111/e10132/osb.htm#CJACHEHJ
So with this feature, all we need is to create a proxy, say HTTP, and enable this feature. OSB will start a transaction before your pipeline is invoked. Let me know if you need clarification.
Manoj
Edited by: Manoj Neelapu on Jun 22, 2010 8:39 AM -
WS reliable messaging implementation in OSB
Hi All,
I have to implement reliable messaging through an OSB service. I want to know
1. how reliable messaging can be implemented in OSB with proxy and business services, and how it can be tested?
2. The advantages of using WS transport to implement reliable messaging over JMS queues ?
3. How WS transport ensures guaranteed delivery?
please post your valuable ideas.
Thanks
Harini
WSRM is not fully supported in ALSB.
-
Capturing SAML attribute in OSB proxy
Hi,
We have a requirement of extracting one of the SAML attributes sent to our proxy service and send it to the business service as one of the SOAP body elements.
I have done the following things:
- Created the business service based on particular WSDL
- Created the proxy service based on same WSDL and applied the policy oracle/wss10_saml_token_service_policy as per our requirements
- In the Security tab of proxy service, i have checked the option 'Process WS-Security Header' as i want to restrict the access to my proxy service based on SAML subject that we recieve
Following is the SAML header that I am using to test the OSB proxy from SoapUI 2.0.2. I have to capture the saml:NameIdentifier from the SAML assertion below that I receive. When I use the $header variable I am unable to get this. But when I uncheck 'Process WS-Security Header' I am able to get the value, but authentication is not working. So I think 'Process WS-Security Header' should always be checked.
Please let me know ASAP how I can extract saml:NameIdentifier from the request received in the proxy service. Is there any way to intercept the request to the proxy, just like SOAP handlers?
<saml:Assertion AssertionID="Id-00000127f49c1cf3-0000000000900e24-2" IssueInstant="2010-04-19T00:40:24Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Conditions NotBefore="2010-06-16T00:40:24Z" NotOnOrAfter="2010-06-21T00:40:24Z"/>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AttributeStatement>
</saml:Assertion>
Thanks
Siva
Hi Siva,
> We have a requirement of extracting one of the SAML attributes sent to our proxy service and send it to the business service as one of the SOAP body elements
I think your requirement is not to do the authentication, so why are you checking the option 'Process WS-Security Header'?
If the 'Process WS-Security Header' check-box is selected, the proxy will process and consume the security headers and enforce the message-level access control policies on the incoming message (this is called an Active Intermediary Proxy Service). If you don't select it, the proxy will be pass-through and OSB will not make any modification to the security headers, encrypted body parts, etc. (this is called a Pass-Through Proxy Service).
I think in your case you require a pass-through proxy service.
To know more about pass-through/active intermediary proxies and their configuration in OSB, please refer to the section "Configuring Proxy Service Message-Level Security" at the link below -
http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/message_level.html#wp1077884
Regards,
Anuj -
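The exchange above comes down to where the assertion gets consumed. With 'Process WS-Security Header' checked (active intermediary) OSB authenticates the subject and consumes the wsse:Security header, which is why it is gone from $header; unchecked (pass-through) the header is forwarded untouched and is readable, but nothing has checked it. Anything that reads NameIdentifier out of a pass-through header is trusting a sender-vouches assertion that, as posted, carries no signature, so the checks OSB would have done have to be done by whoever reads it. The Python below is an added example, not code from this thread or from OSB: it wraps the posted SAML 1.1 assertion in a constructed wsse:Security header, pulls out the NameIdentifier, issuer, validity window and confirmation method, and copies the subject into the SOAP Body as a child element. The element name CallerId and the trusted-issuer set are assumptions for the example; signature verification is not attempted because the posted assertion has nothing to verify.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("saml", SAML1_NS)):
    ET.register_namespace(prefix, uri)

# Constructed request: the assertion from the post, placed in a wsse:Security header
# the way a pass-through proxy would forward it to the pipeline.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <saml:Assertion xmlns:saml="{SAML1_NS}" AssertionID="Id-00000127f49c1cf3-0000000000900e24-2"
          IssueInstant="2010-04-19T00:40:24Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1">
        <saml:Conditions NotBefore="2010-06-16T00:40:24Z" NotOnOrAfter="2010-06-21T00:40:24Z"/>
        <saml:AttributeStatement>
          <saml:Subject>
            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>{SENDER_VOUCHES}</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AttributeStatement>
      </saml:Assertion>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def _instant(value):
    """Parse the UTC timestamp form used in the posted assertion (no fractional seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_subject(envelope_xml, now, trusted_issuers):
    """Return the subject of the SAML 1.x assertion in wsse:Security, or raise ValueError.

    These are the checks an active-intermediary proxy performs before it consumes the
    header; a pass-through proxy forwards the header without doing any of them.
    """
    if isinstance(now, str):
        now = _instant(now)
    root = ET.fromstring(envelope_xml)
    assertion = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{SAML1_NS}}}Assertion")
    if assertion is None:
        raise ValueError("no SAML 1.x assertion in wsse:Security header")
    issuer = assertion.get("Issuer")
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted issuer {issuer!r}")
    conditions = assertion.find(f"{{{SAML1_NS}}}Conditions")
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _instant(not_before):
            raise ValueError("assertion not yet valid")
        if not_on_or_after and now >= _instant(not_on_or_after):
            raise ValueError("assertion expired")
    name_id = assertion.find(f".//{{{SAML1_NS}}}Subject/{{{SAML1_NS}}}NameIdentifier")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameIdentifier")
    method = assertion.findtext(
        f".//{{{SAML1_NS}}}SubjectConfirmation/{{{SAML1_NS}}}ConfirmationMethod", default="")
    return {
        "name_id": name_id.text.strip(),
        "format": name_id.get("Format"),
        "issuer": issuer,
        "confirmation": method.strip(),
        # sender-vouches means the *sender* vouches for the subject. With no signature on the
        # assertion (as in the post) only the authentication of the caller gives it any weight.
        "signed": assertion.find(f"{{{DSIG_NS}}}Signature") is not None,
    }


def copy_subject_into_body(envelope_xml, subject, element_name="CallerId"):
    """Add the subject's NameIdentifier to the SOAP Body as a child element.

    'CallerId' is a hypothetical element name for this example; use the element the
    business service WSDL actually defines.
    """
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    ET.SubElement(body, element_name).text = subject["name_id"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    subj = extract_subject(SAMPLE_REQUEST, "2010-06-18T00:00:00Z", {"www.oracle.com"})
    print(subj["name_id"], subj["confirmation"], subj["signed"])  # weblogic urn:...:sender-vouches False
    print(copy_subject_into_body(SAMPLE_REQUEST, subj))
```

Run against the posted assertion the subject is `weblogic`, the confirmation method is sender-vouches and `signed` is False; move the clock to the NotOnOrAfter instant and the same call raises. The Conditions window, issuer check and NameIdentifier presence are exactly what is lost when the proxy is switched to pass-through to make the header readable.
-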
Implementation of OSB service to Http GET XML payload
Hi,
I am new to OSB.I have a requirement where Ecommerce system will post a XML over HTTP.
Our OSB service has to receive that XML using Http GET and send it to a SOA composite as a SOAP.
My doubt are
1.can we implement the proxy service with service type any XML structure
2.Will Ecommerce provide any WSDL so that we can configure it in our proxy service.
Pls help.
thanks
Hi,
947423 wrote:
1. can we implement the proxy service with service type any XML structure
Yes, that should be alright...
2. Will Ecommerce provide any WSDL so that we can configure it in our proxy service.
Probably not; if they are just sending XML over HTTP that is probably not SOAP. If at least they can provide you an XSD that would be nice... Otherwise you may have to write one...
Cheers,
Vlad
-
Is SAML 2.0 supported in OSB 11g?
Thanks,
jay
Hello Jay,
OSB 11g supports SAML V1.1
http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15866/saml.htm#i1062321
Regards,
Anuj -
Did anyone implement SAML for siebel outbound web services?
Can they please share the high level process?
You may refer to -
http://download.oracle.com/docs/cd/E17904_01/integration.1111/e10224/sca_policy.htm#CHDHAJIH
http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/saml.htm#i1062321
http://fusionsecurity.blogspot.com/2010/06/oracle-service-bus-soa-suite-human.html
Regards,
Anuj -
Hi,
I am beginner in OSB . I am trying to create a sample application that uses JMS queue. I went through documentation on OSB and Weblogic, however couldn't create it.
Could you pls help in creating a sample application that uses JMS queue or point me to an URL where such sample is available?
Thanks,
Vijay
Yes, there are, but not as straightforward as using the JCA transport with the AQ adapter in OSB.
JMS-JMS integration: JMSQ OC4J--->Foreign JMS Q (Weblogic)---->JMS Transport inbound.
JMS-JMS integration: AQ JMS interface --->Foreign JMS Q (Weblogic)---->JMS Transport inbound.
BPEL-OSB integration: JMSQ OC4J--->BPEL--->Invoke OSB Proxy--->Your custom logic
JMS
Normally applications are designed the other way around: OSB interfaces with AQ and then routes to other processes/transports as required.
Endpoint A ---- OSB -------- Endpoint B. It makes more sense to use OSB for all endpoints (connectivity), where it adds maximum value in routing to various endpoints.
I'm sure you have a valid reason for deciding to use OSB like AQ-->OC4J JMS-->OSB rather than AQ-->OSB--->Endpoint. Based on your architecture there are other integration options like JMS Bridge etc.
Thanks
Manoj
Edited by: mneelapu on Dec 24, 2009 2:52 PM -
Can I secure a "http" transport type and "Text" messaging proxy service using SAML tokens?
I am reading SAML is applicable only for wsdl webservices.Is this true?
Please guide me on using SAML for http/text proxy services if that is possible.
Thanks.
Any help?
-
Hello All
I think I'm on a bit of a long shot with this one unfortunately, but I am trying to implement an OSB solution on a production HACMP cluster. The configuration would look as follows:
OSB Admin & Media Host : Windows 2003 x86 (Host: FPTXOSB01)
OSB Clients : Server 'pserver1' is node 1 in an HACMP cluster, public IP address 192.168.14.6
: Server 'pserver2' is node 2 in the same HACMP cluster, pubic IP address 192.168.14.10
: Server 'ptest1' is a stand alone AIX 5.2 host)
OSB Version : 10.2.0.2.0
I have implemented the solution on the stand alone host 'ptest1' without any problems, and performed a full database RMAN backup on this test server at the first time of asking. The problem I am running into is with adding the HACMP clients to the OSB admin domain.
HACMP is configured in such a way (rightly or wrongly I do not know as yet) with boot, public and cluster service addresses. Eg. Server 'pserver1' will return 'pserver1' if you enter the 'hostname' command at the AIX command prompt. Entering the 'uname -a' command also returns 'pserver1' as the machine host name. However, in the folder '/usr/local/oracle/backup/bin there is a link to a binary called 'hostinfo' and this is called by the installob routine during the installation phase. When I run this command manually, it returns the HACMP host boot address 'pserver1_boot'. The /etc/hosts file looks like this on one of the nodes:
# Internet Address Hostname # Comments
# 192.9.200.1 net0sample # ethernet name/address
# 128.100.0.1 token0sample # token ring name/address
# 10.2.0.2 x25sample # x.25 name/address
127.0.0.1 loopback localhost
10.10.10.86 pserver1_boot1 pserver1
10.10.10.87 pserver2_boot1 pserver2
10.11.10.86 pserver1_boot2
10.11.10.87 pserver2_boot2
10.12.10.86 pserver1_hb
10.12.10.87 pserver2_hb
192.168.14.5 pserver_svc
192.168.14.6 pserver1_pers
192.168.14.10 pserver2_pers
As you can see, the main host name is tagged on the same line as the boot1 IP addresses. Unfortunately, the 10.10.10.xx range is private and dedicated to the HACMP cluster configuration. So the situation is, all of the clients on the network access the cluster via the 'pserver_svc' virtual IP, which is fine. The Oracle databases listen on that VIP too, no problems. For telnet/SSH access to the host, we log on via the '?_pers' addresses (persistent addresses), no problem. However, two hosts themselves see their own respective hosts as the '?boot1' name. So, on 'pserver1' if I were to ping 'pserver1' it resolves to the 10.10.10.86 IP. All good, however the OSB admin server is going to come in on the 192.168.14 public network.
When adding the host using either the 'mkhost' command or the web tool, the host creation just sits there and eventually times out. If I change the '/etc/hosts' file such that 'pserver1' as an entry sits on a line on its own and configured with the correct persistent address of 192.168.14.6 and then try adding the host in OSB, the host adds okay. However, if I then try and ping the host using OSB, it returns the following:
ob> pingh pserver1
Error: can't connect to NDMP server on pserver1 (address 192.168.14.6) - timeout waiting for connection status message
pserver1 (address 192.168.14.6): Oracle Secure Backup services are available
Additionally, we have to switch the '/etc/hosts' configuration back because the HACMP cluster services expect that configuration and it will fail over if it performs a cluster host state check.
With this in mind, we've introduced cabling on to another unused NIC port on the two hosts, and put these NICs on the network on 192.168.13.110 and 111. I have retried adding the hosts with the machines actual host name, with the boot address (pserver1_boot1) and also with a new alias for the new NICs of 'pserver1_en1'. In most of these cases, adding the host actually comes back with a success status. However, the OSB ping consistently fails.
I believe that the mismatch in host names on each of the cluster hosts is causing the OSB trust relationships to break down as the certificates will be created with the non routable host/IP combination. The following is an extract of the 'observiced.log' from 'pserver2' following the host addition specifying the '192.168.13.xxx' network:
2009/01/07.14:33:53 listening for requests on --
2009/01/07.14:33:53 en0 (10.10.10.87) port 400
2009/01/07.14:33:53 en2 (10.11.10.87) port 400
2009/01/07.14:33:53 en1 (192.168.13.111) port 400
2009/01/07.14:34:01 listening for NDMP connections on --
2009/01/07.14:34:01 en0 (10.10.10.87) port 10000
2009/01/07.14:34:01 en2 (10.11.10.87) port 10000
2009/01/07.14:34:01 en1 (192.168.13.111) port 10000
2009/01/07.14:38:54 failure to negotiate SSL connection with component obtool on fd 6 - SSL fatal alert during negotation (FSP Oracle network security functions)
I am clearly looking for help from anyone else who has had the unfortunate experience of implementing OSB in an HACMP environment. Speaking to people who work with HACMP tell me that the configuration is perfectly normal. To me, its odd that machine called one thing should return another value when it looks up itself, one that isn't routable.
If anyone can suggest anything that might help, additional tracing, manually creating SSL certificates to work around the host name, disabling SSL, anything that might allow two way communications on ports 400 and 10000 using the OSB tools.
Any helps here would be much appreciated.
Regards
Simon
I already have.
Thanks, -
OSB (ALSB) to implement a Resequencer? (EIP Pattern)
Hello *,
has somebody ever tried to implement using OSB (BEA ALSB) the Resequencer EIP Pattern (Hohpe, Woolf)?
http://www.enterpriseintegrationpatterns.com/Resequencer.html
Generally I wonder how the OSB product concept maps to the EIP Patterns. Are there some guidelines for scenarios like Splitter/Aggregator , Enricher/Filter, etc.?
my customer wants to implement at least the Resequencer and Splitter. Any tips are very welcome here!!
grtx,
thomas
Hi Thomas,
Depending on your exact requirement for your Resequencer you may be able to use the underlying WebLogic JMS Unit of Order to get this. Read more here:
http://download-llnw.oracle.com/docs/cd/E11035_01/wls100/jms/uoo.html
With regards the other patterns, OSB supports all the ones you mention:
Splitter/Aggregator - use the split/join functionality described here:
http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/userguide/splitjoin.html
Enricher - this can be achieved in a number of ways depending on where you are getting your enrichment data from. Service callouts allow you to invoke a service from within the proxy message flow, Java callouts allows you to implement Java code, and there is an XQuery function to allow you to read content from a database (note in the next release of OSB we will have support for the Oracle database adapter and so will have richer functionality here)
Filter - again this depends on the exact requirement but there are a number of options here including routing tables, if/then capability, operational branching, etc.
Hope that is useful.
Chris -
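The Resequencer itself is small enough to show in full. The Python below is an added example, not code from this thread or from OSB/WebLogic: it buffers messages per ordering key (the equivalent of a JMS unit-of-order name), releases them only once the next expected sequence number has arrived, drops duplicates and late arrivals, and caps the out-of-order buffer so a single missing message cannot make it grow without bound. The cap and the sample arrival order are my own choices for the example.

```python
from collections import defaultdict


class Resequencer:
    """Buffer out-of-order messages per key and release them in sequence order.

    Sequence numbers start at first_seq and are expected to be contiguous. The buffer
    for one key is capped at max_pending so that a permanent gap (a lost message)
    cannot exhaust memory; that cap is a safeguard added here, not part of the
    pattern description.
    """

    def __init__(self, first_seq=1, max_pending=1000):
        self._max_pending = max_pending
        self._next = defaultdict(lambda: first_seq)   # next expected seq per key
        self._buffer = defaultdict(dict)              # key -> {seq: message}

    def accept(self, key, seq, message):
        """Offer one message; return the messages now releasable, in order."""
        expected = self._next[key]
        pending = self._buffer[key]
        if seq < expected or seq in pending:
            return []                                  # late arrival or duplicate: drop it
        if len(pending) >= self._max_pending and seq != expected:
            raise OverflowError(f"resequencer buffer for {key!r} is full, waiting for seq {expected}")
        pending[seq] = message
        released = []
        while expected in pending:                     # drain the contiguous run
            released.append(pending.pop(expected))
            expected += 1
        self._next[key] = expected
        return released

    def pending(self, key):
        """Sequence numbers buffered for this key that cannot be released yet."""
        return sorted(self._buffer[key])

    def next_expected(self, key):
        return self._next[key]


def replay(resequencer, key, arrivals):
    """Feed (seq, message) pairs in arrival order; return the order they were emitted in."""
    out = []
    for seq, message in arrivals:
        out.extend(resequencer.accept(key, seq, message))
    return out


# Constructed arrival order: 3 arrives first, 3 is then duplicated, and 4 never arrives.
SAMPLE_ARRIVALS = [(3, "c"), (1, "a"), (3, "c-dup"), (2, "b"), (5, "e")]

if __name__ == "__main__":
    rs = Resequencer()
    print(replay(rs, "order-42", SAMPLE_ARRIVALS))   # ['a', 'b', 'c']
    print(rs.pending("order-42"))                     # [5]
```

Message 5 stays buffered until 4 shows up; if it never does, the cap turns a silent memory leak into an explicit error that can be alerted on, which is the failure mode to plan for before putting a resequencer in front of a JMS queue.
-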
SAML Overview
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and
authorization data between security domains, that is, between an identity provider (a producer of assertions)
and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services
Technical Committee.
SAML is relevant to those customers who already have a SAML implementation in use with other systems in
their organization. Therefore, it is recommended you engage your technology team that has a working
knowledge of SAML and provide this document to them for their review.
Key Roles
• Identity Provider (IDP): The system in authority that provides the user information
• Service Provider (SP): The system that trusts the asserting party’s information, and uses the data to
provide an application to the user.
• Subject: The user and their identity that is involved in the transaction.
Note! In our context, Learning Maestro is the SP, the IDP is customer-specific, and the Subject is the user
who is logged in.
Copyright © 2013 SumTotal Systems, LLC. All rights reserved. Duplication prohibited.
Typical SAML Components
Source: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
Implementing SAML 2.0
• SumTotal LMS supports only SAML 2.0 Standards.
• We support only IDP-initiated SAML authentication.
• The SAML Response should be signed and base64 Encoded.
• UserName should be passed in the NameID element under Assertion/Subject.
• We use the timestamp provided in IssueInstant attribute of SAML Assertion to find the valid period
(+/- 5 min ) for the SAML Response.
• Currently, we do not support signed or encrypted assertions.
• Deep linked URLs can be passed through an additional URL parameter of “OriginalURL.”
IDP Initiated Web SSO
Source: http://www.ijcsi.org/papers/2-41-48.pdf
When Learning Maestro is Accessed from a Portal
1. The user logs into the customer portal.
2. The user clicks on a link to the LMS from the customer’s portal.
3. The link points to an IDP page.
4. The IDP page posts an HTTP Request to Learning Maestro.
5. The request is an < ... > message.
Typical Structure of a SAML Response
• Below is the typical SAML Response received by LMS from IDP
• Value of SAMLResponse parameter should be base64 Encoded.
Please double-click to open the below XML file to view how the response looks after decoding:
ExampleSuccessfulAssertion.xml
Configuring SAML 2.0
SumTotal Maestro supports SAML 2.0 for the “Identity Provider Initialized SSO” protocol.
To configure your Maestro domain to accept SAML 2.0 Assertions, the following steps must be taken:
1. Confirm that Usernames are in sync
2. Provide an X.509 Certificate to SumTotal Systems (SHA1 Hashed)
SumTotal Systems will configure your environment with the X.509 cert you provide.
3. Point your call to the following URL:
https://gm1.geolearning.com/geonext/<your_domain>/saml.geo
After authenticating to your Identity Provider, the provider will pass a user into Maestro IF:
• The user has a username matching an existing Maestro username
• The x509 certificates match on both sides
If authentication fails, the user will be presented with a failure page.
Assertions
An optional assertion is available to specify the URL a user will be sent to if there is an authentication error.
ErrorRedirectURL Assertion
• If ‘ErrorRedirectURL’ is not specified and an authentication error or other security exception
occurs it will redirect the user to the default secerror.geo page as it does today
• If a value (URL) is specified for ‘ErrorRedirectURL’ and there is an authentication error the user
will be redirected to the URL specified
Sample
Additional Information
For additional information on SAML, please refer to the following sources:
Wikipedia: Security Assertion Markup Language
OASIS Executive Summary
IJCSI Intermediate Concept
OASIS Technical Overview
FAQs
Question: What .NET library are we using?
Answer: SumTotal uses the "Componentspace" .NET SAML 2.0 library.
Question: Can users still log in via the login page?
Answer: Yes. The SAML target page is different than the login page.
Question: Can we deep link into the LMS through the SAML 2.0 authentication workflow?
Answer: Yes. "Deep Link Target" (target or original URL parameter) is accepted. If none is provided, then it will default to the default landing page as configured in Maestro.
Question: Can I get rid of the Logout button?
Answer: Yes. When using SAML, the logout button still exists intentionally in the navigation but can be disabled in the "configure Navigation" options.
Question: What is the Session timeout setting?
Answer: Session Hard Life and Idle Life settings can be configured in the security section of the administration interface of Maestro.
Question: What is the unique ID for SAML?
Answer: The "username" field.
Question: What is the failure page if Authentication fails?
Answer: If the authentication fails, by default an intentionally simple error is presented to the user stating "Authentication Failure". For security purposes, no further information regarding the specifics of the failure is given to the user. An optional ErrorRedirectURL assertion can be used.
Question: What URL do we point to?
Answer: https://gm1.geolearning.com/geonext/<your_domain>/saml.geo
Hello,
Thanks for posting your question here. However, this forum is used to discuss and ask questions about .NET Framework Base Classes (BCL) such as Collections, I/O, Registry, Globalization, Reflection. Issues regarding configuring SAML are beyond the scope of our support.
Regards.
-
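The SumTotal checklist above lists what the receiving side of the IDP-initiated flow has to do but shows none of it. The Python below is an added example, not SumTotal's code and not the ComponentSpace library named in the FAQ: it decodes the base64 SAMLResponse form parameter, requires a ds:Signature on the Response and a Success status, takes the username from Assertion/Subject/NameID and enforces the +/- 5 minute window on the assertion's IssueInstant. Two things go beyond the page and are assumptions: the Destination check against the saml.geo URL (with 'acme' standing in for <your_domain>, and an invented IdP entity ID), and an open-redirect guard for the OriginalURL/ErrorRedirectURL parameters that accepts only same-site relative paths. The signature check is presence only; cryptographic verification of the enveloped signature against the X.509 certificate handed to SumTotal needs an XML-DSig implementation and is not shown, and nothing below should be trusted until that has passed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=5)          # the +/- 5 min window from the checklist

# Assumed values: 'acme' stands in for <your_domain>; the IdP entity ID is invented.
SP_URL = "https://gm1.geolearning.com/geonext/acme/saml.geo"
IDP_ISSUER = "https://idp.acme.example/saml"

# Constructed IdP-initiated Response. The Signature element is a placeholder so the
# presence check passes; it is not a real XML-DSig signature.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_r1" Version="2.0" IssueInstant="2013-05-01T12:00:00Z" Destination="{SP_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <ds:Signature xmlns:ds="{DS_NS}"><ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# What the IdP would POST as the SAMLResponse parameter.
SAMPLE_SAMLRESPONSE_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _instant(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def username_from_response(saml_response_b64, now, sp_url=SP_URL, idp_issuer=IDP_ISSUER):
    """Decode the SAMLResponse form parameter and return the username, or raise ValueError."""
    if isinstance(now, str):
        now = _instant(now)
    try:
        xml = base64.b64decode(saml_response_b64, validate=True)
    except ValueError as exc:
        raise ValueError("SAMLResponse is not valid base64") from exc
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    # Presence only. Real verification must check the enveloped signature against the
    # customer's X.509 certificate with an XML-DSig library before anything below is trusted.
    if root.find(f"{{{DS_NS}}}Signature") is None:
        raise ValueError("Response is not signed")
    status = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if root.get("Destination") != sp_url:                 # assumption: reject replays to other SPs
        raise ValueError("Response was not addressed to this saml.geo endpoint")
    assertion = root.find(f"{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise ValueError("no plain saml:Assertion (encrypted assertions are not supported)")
    if assertion.findtext(f"{{{SAML_NS}}}Issuer", default="").strip() != idp_issuer:
        raise ValueError("assertion issuer is not the configured IdP")
    issued = _instant(assertion.get("IssueInstant", ""))
    if abs(now - issued) > CLOCK_SKEW:
        raise ValueError("assertion IssueInstant outside the +/- 5 minute window")
    username = assertion.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID", default="").strip()
    if not username:
        raise ValueError("assertion has no Subject/NameID")
    return username


def safe_relay_target(url, default_path="/"):
    """Open-redirect guard for OriginalURL / ErrorRedirectURL: allow same-site paths only."""
    if not url or url.startswith("//") or "\\" in url or any(c.isspace() for c in url):
        return default_path
    parts = urlsplit(url)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default_path
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    print(username_from_response(SAMPLE_SAMLRESPONSE_PARAM, "2013-05-01T12:04:00Z"))  # jdoe
    print(safe_relay_target("/courses/42?x=1"), safe_relay_target("//evil.example/x"))  # /courses/42?x=1 /
```

The order of the checks matters: signature first, then status, destination, issuer, time window, and only then the username, so that nothing is read from an assertion that has not earned trust. The redirect guard rejects absolute URLs, scheme-relative URLs (two or more leading slashes, which browsers treat as an authority), backslashes and whitespace, which are the usual ways a deep-link parameter becomes an open redirect.
-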
Read a file at a fixed time of day using PS in OSB
I have a proxy service which read a file, now I want to read that file at a fixed time in a day(suppose 12pm every day).
How do I make the JCA file/proxy configuration?
Pls suggest!
Re: How to implement in OSB: Scheduling, Timers and Custom properties
Regards,
Anuj -
Dynamic timeout for OSB proxy or business services
The scenario we got here is that we will have multiple synchronous webservices implemented as OSB proxy services. These proxies will then invoke a common "routing" proxy that will determine which other OSB proxy or business services (JMS Request/Response) to call and does the dynamic routing.
I understand that you can set a timeout at the business service level how long to wait for a response (at least when using the JMS transport). The problem is we got the requirement that the timeout value would be dependent on the role of the caller invoking the frontend webservice (this is done via some kind of lookup to determine the appropriate timeout setting for the invocation).
Is this possible? I can't seem to find anything exposed in the transport header that allows me to set a timeout value during runtime. This means that the frontend proxy will be waiting for a response depending on the business service timeout setting. Can we implement a timeout in this frontend proxy somehow?
Stumped right now over this. Thanks in advance for helping out.
> Are there other reasons why you say it's not the most ideal way of development?
Versioning binary files is always a pain. You can't compare them, you can't merge them ... Another point: if you put your jar archive with OSB artifacts under version control, you will most probably face issues related to end-of-line styles (mac, unix, windows).
However, the most important point is usability. I want to version .proxy and .biz services to see right in the IDE that I changed something and I should check that in for the others. I don't want to risk that I forget something. And I also want to see what other users committed, what sources they work on ... You lose all of that by versioning the jar file. I would never go this way.