SAML set up

Hi
I have a WLP 10.3.2 domain (WLS 10.3.2) and I'm trying to set up the WSRP feature between a WLP 10.3.2 (producer) domain and a WLP 10.3.2 (consumer) domain.
I'm following the setup from this doc: http://download.oracle.com/docs/cd/E15919_01/wlp.1032/e14235/chap_security_saml.htm
At section:
15.1.4 Configuring the Producer --> 11) In the Certificate File Name field, enter the path to the certificate file, as shown in Figure 15-20.
I'm getting this error:
####<May 19, 2011 12:55:27 PM EDT> <Error> <Console> <test.com> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <> <1305824127062> <BEA-240003> <Console encountered the following error weblogic.management.utils.InvalidParameterException: Certificate that is not yet valid is being registered: NotBefore: Thu May 19 13:34:21 EDT 2011
     at weblogic.security.providers.utils.CertRegLDAPDelegate.registerCertificateNoAudit(CertRegLDAPDelegate.java:789)
     at weblogic.security.providers.utils.CertRegLDAPDelegate.registerCertificate(CertRegLDAPDelegate.java:822)
     at weblogic.security.providers.utils.CertRegLDAPDelegate.registerCertificate(CertRegLDAPDelegate.java:2787)
     at weblogic.security.providers.saml.SAMLIdentityAsserterV2Impl.registerCertificate(SAMLIdentityAsserterV2Impl.java:195)
     at weblogic.security.providers.saml.SAMLIdentityAsserterV2MBeanImpl.registerCertificate(SAMLIdentityAsserterV2MBeanImpl.java:712)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437)
     at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
     at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
     at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
     at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
     at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:268)
     at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
     at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
     at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:443)
     at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:314)
     at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663)
     at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
     at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654)
     at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
     at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
     at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
Can you help me understand what is wrong here?
Thanks!

Resolved:
The key was generated on a machine whose timestamp differed from the timestamp on the machine I was setting it up on. The start and end times in the certificate need to be verified before you use the certificate.
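The resolution comes down to comparing the certificate's NotBefore/NotAfter with the clock of the host that registers it: in the error above, NotBefore (13:34:21 EDT) is about 39 minutes ahead of the console's own log timestamp (12:55:27 EDT), so the JDK rejects the certificate as not yet valid. The following is an added example, not code from the thread or from Oracle's documentation: a stand-alone Java program that performs that check with the JDK's standard X.509 parser. The five-minute skew tolerance is an assumed value chosen for this example, not a WebLogic setting.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;

public class CertValidityCheck {

    // Clock drift we are willing to treat as "just wait / sync NTP" rather than
    // "re-issue the certificate". Five minutes is an assumed value for this example.
    static final long SKEW_MILLIS = 5L * 60 * 1000;

    /** Loads one X.509 certificate (PEM or DER) with the JDK's standard factory. */
    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Returns 0 if usable at 'now', 1 if not yet valid, 2 if expired; prints the reasoning. */
    static int check(X509Certificate cert, Date now) {
        System.out.println("Subject:    " + cert.getSubjectX500Principal());
        System.out.println("Issuer:     " + cert.getIssuerX500Principal());
        System.out.println("NotBefore:  " + cert.getNotBefore());
        System.out.println("NotAfter:   " + cert.getNotAfter());
        System.out.println("Host clock: " + now);
        try {
            // Same check the server performs before registering the certificate.
            cert.checkValidity(now);
        } catch (CertificateNotYetValidException e) {
            long aheadMs = cert.getNotBefore().getTime() - now.getTime();
            String advice = aheadMs <= SKEW_MILLIS
                ? "within the assumed skew tolerance: sync the clocks (NTP) or wait for NotBefore"
                : "beyond the assumed skew tolerance: fix the clock on the host that generated the key and re-issue";
            System.out.println("NOT YET VALID: NotBefore is " + (aheadMs / 1000)
                + " s ahead of this host's clock (" + advice + ")");
            return 1;
        } catch (CertificateExpiredException e) {
            long agoMs = now.getTime() - cert.getNotAfter().getTime();
            System.out.println("EXPIRED: NotAfter passed " + (agoMs / 1000) + " s ago");
            return 2;
        }
        long remainingDays = (cert.getNotAfter().getTime() - now.getTime()) / (24L * 3600 * 1000);
        System.out.println("OK: valid on this host's clock, " + remainingDays + " day(s) remaining");
        return 0;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CertValidityCheck <certificate.pem|certificate.der>");
            System.exit(2);
        }
        System.exit(check(load(args[0]), new Date()));
    }
}
```

Run it on the producer's certificate from the consumer host (and vice versa) before registering it in the SAML Identity Asserter; the exit code makes it usable from a deployment script, and the printed NotBefore versus host clock shows immediately whether the two machines disagree about the time.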

Similar Messages

  • WSRP set up

    Hi
I'm trying to add a producer through the 10.3.2 WLP PAT console and when I search for the WSDL I get this error. I'm not sure what it means. I'm using the default SAML setup. Any idea what it is?
Both the producer and consumer are on WLP 10.3.2.
    Thanks!
    com.bea.wsrp.faults.OperationFailedException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@18547e0[status: false][msg The SAML token is not valid, it is rejected by CSS ]; nested exception is:
         com.bea.wsrp.faults.TransportException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@18547e0[status: false][msg The SAML token is not valid, it is rejected by CSS ]
         at com.bea.wsrp.proxy.ProxyBase.isOptionSupported(ProxyBase.java:1233)
         at com.bea.wsrp.proxy.ProxyBase.getPreferredVersion(ProxyBase.java:1096)
         at com.bea.wsrp.proxy.ProxyBase.getMaxNSforOperation(ProxyBase.java:1031)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.wsrp.proxy.ProxyBase.invoke(ProxyBase.java:446)
         at $Proxy147.getMaxNSforOperation(Unknown Source)
         at com.bea.wsrp.client.ProducerAgentImpl.getServiceDescription(ProducerAgentImpl.java:107)
         at com.bea.wsrp.client.ProducerAgentImpl.getServiceDescription(ProducerAgentImpl.java:80)
         at com.bea.wsrp.client.ProducerAgentImpl.getServiceDescription(ProducerAgentImpl.java:68)
         at com.bea.wsrp.consumer.management.ProducerManagerImpl.getProducerServiceDescription(ProducerManagerImpl.java:740)
         at com.bea.jsptools.portal.helpers.wsrp.ProducerRegistryControlImpl.getServiceDescription(ProducerRegistryControlImpl.java:206)
         at com.bea.jsptools.portal.helpers.wsrp.ProducerRegistryControlBean.getServiceDescription(ProducerRegistryControlBean.java:135)
         at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper.getProducerForWsdl(AddProducerHelper.java:758)
         at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper.access$100(AddProducerHelper.java:63)
         at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper$FindProducers.producerWsdl(AddProducerHelper.java:261)
         at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper$FindProducers.run(AddProducerHelper.java:241)
         at portalTools.definitions.portletProducers.wizard.AddProducerWizardController.runAction(AddProducerWizardController.java:628)
         at portalTools.definitions.portletProducers.wizard.AddProducerWizardController.doIfValid(AddProducerWizardController.java:604)
         at portalTools.definitions.portletProducers.wizard.AddProducerWizardController.selectProducerAction(AddProducerWizardController.java:185)
    Edited by: user10874417 on May 18, 2011 11:35 AM

    Thanks Kevin
    I have not set up any Custom SAML configuration. At present I'm using the default keystores (ootb)
I also found this information http://download.oracle.com/docs/cd/E15919_01/wlp.1032/e14247/relnotes.htm (see info below). Is this related to my issue?
    CR360040
    Administration Tools do not use wsrp-consumer-security-config.xml.
    If you created a wsrp-consumer-security-config.xml in a consumer's WEB-INF directory, Administration tools will not use it when adding or editing producers or when viewing or setting proxy portlet preferences. This may result in incorrectly sending SAML or the following exception:
    weblogic.xml.crypto.wss.WSSecurityException: Unable to add security token.
    Platform: All
    Workaround: Set up your producer to work with the consumer's default configuration.
I do see some differences, though I don't see the same exception... and from the link (http://download.oracle.com/docs/cd/E15919_01/wlp.1032/e14235/chap_security_saml.htm#i1006730) you pasted, you use wsrp-consumer-security-config.xml only when the producer and consumer are on 9.2 and 8.1.
Can you verify my understanding of this?
    Thanks for your attention on this!
    Edited by: user10874417 on May 18, 2011 2:56 PM

  • OEG11g -OAM11g Integration

    I followed the link http://www.oracle.com/technetwork/middleware/id-mgmt/documentation/oam11g-oeg-integration-guide-428888.pdf to integrate OAM 11g with OEG 11g.
    Access Server SDK Version: 10.1.4.0.1
OAM version: 11.1.1.5
    OEG: 11.1.1.5
    But I could not complete the integration. When I test the policy using Service Explorer, I always get Response[HTTP/1.1 500 ERROR].
    In the OEG logs i get the below error.
ERROR 25/Sep/2011:01:01:07.640 [01bc] The message [Id-0001316926867625-c1087d454e7eb5932f016c6c-1] logged Failure at 09.25.2011 01:01:07,640 with log description: Filter failed
ERROR 25/Sep/2011:01:01:07.640 [01bc] The message [Id-0001316926867625-c1087d454e7eb5932f016c6c-1] logged Failure at 09.25.2011 01:01:07,640 with log description: Filter failed
    ERROR 25/Sep/2011:01:01:07.640 [01bc] Filter that caused failure: ServiceHandler for 'addition_withsyncbpel_client_ep'
    ERROR 25/Sep/2011:01:01:07.640 [01bc] Policy '/soa-infra/services/default/Addition_Project/addition_withsyncbpel_client_ep' {
    ERROR 25/Sep/2011:01:01:07.640 [01bc] Filter 'Service Handler for 'addition_withsyncbpel_client_ep'' Status: FAILED
    ERROR 25/Sep/2011:01:01:07.640 [01bc] Filter '1. Request from Client' Status: FAILED
    ERROR 25/Sep/2011:01:01:07.640 [01bc] Filter 'Before Operation-specific Policy' Status: FAILED
    ERROR 25/Sep/2011:01:01:07.640 [01bc] Policy 'Request from Client: Before Operation Hooks' {
    ERROR 25/Sep/2011:01:01:07.640 [01bc] Filter 'Validate Client's WS-Security UsernameToken' Status: FAILED
    ERROR 25/Sep/2011:01:01:07.640 [01bc] }
    ERROR 25/Sep/2011:01:01:07.640 [01bc] }
    ERROR 25/Sep/2011:01:01:07.640 [01bc] Service Handler for 'addition_withsyncbpel_client_ep' filter failed
    ERROR 25/Sep/2011:01:02:33.890 [0b08] java exception:
    com.vordel.common.VordelException: Could not find the Soap Header block which should have WS block
    at com.vordel.common.util.VersionHandler.createWSBlockInfo(VersionHandler.java:232)
    at com.vordel.common.util.VersionHandler.getWSBlockInfo(VersionHandler.java:201)
    at com.vordel.common.util.VersionHandler.getWSBlockInfo(VersionHandler.java:179)
    at com.vordel.security.auth.WsAuthN.getWSUsernameTokenDetailsFromActor(WsAuthN.java:297)
    at com.vordel.security.auth.WsAuthN.authenticate(WsAuthN.java:62)
    at com.vordel.circuit.authn.WsUsernameTokenProcessor.invoke(WsUsernameTokenProcessor.java:78)
    at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162)
    at com.vordel.circuit.CircuitInvocation.runCircuit(CircuitInvocation.java:123)
    at com.vordel.circuit.CircuitDelegateProcessor.invoke(CircuitDelegateProcessor.java:44)
    at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162)
    at com.vordel.circuit.DelegatingProcessor.callCircuit(DelegatingProcessor.java:50)
    at com.vordel.circuit.DelegatingProcessor.callCircuit(DelegatingProcessor.java:42)
    at com.vordel.circuit.ws.OperationProcessor.invoke(OperationProcessor.java:125)
    at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162)
    at com.vordel.circuit.ws.WSProcessor.callChain(WSProcessor.java:281)
    at com.vordel.circuit.ws.WSProcessor.invoke(WSProcessor.java:251)
    at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162)
    at com.vordel.circuit.CircuitInvocation.runCircuit(CircuitInvocation.java:123)
    at com.vordel.circuit.CircuitInvocation.processMessage(CircuitInvocation.java:264)
    at com.vordel.circuit.SyntheticCircuitChainProcessor.invoke(SyntheticCircuitChainProcessor.java:27)
    at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:197)
    at com.vordel.dwe.http.WebServicePlugin.invokeDispose(WebServicePlugin.java:103)
    at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:121)
    ERROR 25/Sep/2011:01:02:33.890 [0b08] Failed to authenticate user [null]
    ERROR 25/Sep/2011:01:02:33.890 [0b08] java exception:
    com.vordel.circuit.authn.VordelAuthNException: No Username Security Token found in the WS block with actor: current actor
    at com.vordel.security.auth.WsAuthN.getWSUsernameTokenDetailsFromActor(WsAuthN.java:301)
    at com.vordel.security.auth.WsAuthN.authenticate(WsAuthN.java:62)
    at com.vordel.circuit.authn.WsUsernameTokenProcessor.invoke(WsUsernameTokenProcessor.java:78)
    at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162)
    at com.vordel.circuit.CircuitInvocation.runCircuit(CircuitInvocation.java:123)
    at com.vordel.circuit.CircuitDelegateProcessor.invoke(CircuitDelegateProcessor.java:44)
    at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162)
    at com.vordel.circuit.DelegatingProcessor.callCircuit(DelegatingProcessor.java:50)
    at com.vordel.circuit.DelegatingProcessor.callCircuit(DelegatingProcessor.java:42)
    at com.vordel.circuit.ws.OperationProcessor.invoke(OperationProcessor.java:125)
    at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162)
    at com.vordel.circuit.ws.WSProcessor.callChain(WSProcessor.java:281)
    at com.vordel.circuit.ws.WSProcessor.invoke(WSProcessor.java:251)
    at com.vordel.circuit.CircuitInvocation.invokeFilter(CircuitInvocation.java:162)
    at com.vordel.circuit.CircuitInvocation.runCircuit(CircuitInvocation.java:123)
at com.vordel.circuit.CircuitInvocation.processMessage(CircuitInvocation.java:264)
    at com.vordel.circuit.SyntheticCircuitChainProcessor.invoke(SyntheticCircuitChainProcessor.java:27)
    at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:197)
    at com.vordel.dwe.http.WebServicePlugin.invokeDispose(WebServicePlugin.java:103)
    at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:121)
ERROR 25/Sep/2011:01:02:33.890 [0b08] The message [Id-0001316926953890-1c7267a34e7eb5e9370b6c6c-1] logged Failure at 09.25.2011 01:02:33,890 with log description: Filter failed
    ERROR 25/Sep/2011:01:02:33.890 [0b08] The message [Id-0001316926953890-1c7267a34e7eb5e9370b6c6c-1] logged Failure at 09.25.2011 01:02:33,890 with log description: Filter failed
    ERROR 25/Sep/2011:01:02:33.906 [0b08] Filter that caused failure: ServiceHandler for 'addition_withsyncbpel_client_ep'
    ERROR 25/Sep/2011:01:02:33.906 [0b08] Policy '/soa-infra/services/default/Addition_Project/addition_withsyncbpel_client_ep' {
    ERROR 25/Sep/2011:01:02:33.906 [0b08] Filter 'Service Handler for 'addition_withsyncbpel_client_ep'' Status: FAILED
    ERROR 25/Sep/2011:01:02:33.906 [0b08] Filter '1. Request from Client' Status: FAILED
    ERROR 25/Sep/2011:01:02:33.906 [0b08] Filter 'Before Operation-specific Policy' Status: FAILED
    ERROR 25/Sep/2011:01:02:33.906 [0b08] Policy 'Request from Client: Before Operation Hooks' {
    ERROR 25/Sep/2011:01:02:33.906 [0b08] Filter 'Validate Client's WS-Security UsernameToken' Status: FAILED
    ERROR 25/Sep/2011:01:02:33.906 [0b08] }
    ERROR 25/Sep/2011:01:02:33.906 [0b08] }
    ERROR 25/Sep/2011:01:02:33.906 [0b08] Service Handler for 'addition_withsyncbpel_client_ep' filter failed
In OAM, I even changed the User Identity Store from Embedded LDAP to AD, but no luck.
Has anyone got this error?
    Appreciate your help.
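The two gateway exceptions in the log above say the same thing from two angles: "Could not find the Soap Header block which should have WS block" and then "No Username Security Token found in the WS block with actor: current actor". The 'Validate Client's WS-Security UsernameToken' filter looks for a wsse:Security header in the request and a UsernameToken inside it, and the request it received had neither. The following is an added example, not code from the thread, from OEG or from Oracle: a stand-alone Java program that runs that same structural check offline over a captured SOAP request, so a request can be inspected before it is sent through the gateway. The two envelopes are constructed samples; the SOAP 1.1 and WS-Security 1.0 namespace URIs are the standard ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class WsseHeaderCheck {
    static final String SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Constructed sample: a request carrying a wsse:Security header with a UsernameToken.
    static final String WITH_TOKEN = "<soap:Envelope xmlns:soap=\"" + SOAP11 + "\">"
        + "<soap:Header><wsse:Security xmlns:wsse=\"" + WSSE + "\">"
        + "<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>"
        + "</wsse:Security></soap:Header>"
        + "<soap:Body><add xmlns=\"urn:example\"><a>1</a><b>2</b></add></soap:Body></soap:Envelope>";

    // Constructed sample: the same call with no soap:Header at all, the shape the
    // gateway log above complains about.
    static final String WITHOUT_HEADER = "<soap:Envelope xmlns:soap=\"" + SOAP11 + "\">"
        + "<soap:Body><add xmlns=\"urn:example\"><a>1</a><b>2</b></add></soap:Body></soap:Envelope>";

    /** Returns a one-line diagnosis of what the UsernameToken filter would find. */
    static String diagnose(String envelopeXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DTDs and external entities: captured requests are untrusted input.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(envelopeXml.getBytes(StandardCharsets.UTF_8)));

        NodeList headers = doc.getDocumentElement().getElementsByTagNameNS(SOAP11, "Header");
        if (headers.getLength() == 0) {
            return "MISSING: no soap:Header block (gateway: 'Could not find the Soap Header block')";
        }
        Element header = (Element) headers.item(0);

        NodeList sec = header.getElementsByTagNameNS(WSSE, "Security");
        if (sec.getLength() == 0) {
            return "MISSING: soap:Header has no wsse:Security block";
        }
        Element security = (Element) sec.item(0);
        // SOAP 1.1 targets a header at an intermediary with soap:actor; empty means "current actor".
        String actor = security.getAttributeNS(SOAP11, "actor");
        if (actor.isEmpty()) actor = "current actor";

        NodeList tokens = security.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() == 0) {
            return "MISSING: wsse:Security (actor: " + actor + ") has no UsernameToken";
        }
        NodeList users = ((Element) tokens.item(0)).getElementsByTagNameNS(WSSE, "Username");
        String user = users.getLength() == 0 ? "(none)" : users.item(0).getTextContent();
        return "OK: UsernameToken present for user '" + user + "' (actor: " + actor + ")";
    }

    public static void main(String[] args) throws Exception {
        System.out.println(diagnose(WITH_TOKEN));
        System.out.println(diagnose(WITHOUT_HEADER));
    }
}
```

The check is deliberately namespace-aware: a header element named Security in the wrong namespace, or a UsernameToken placed outside wsse:Security, is reported as missing, which is also how the gateway treats it. The actor reported for the second sample never gets that far, because the envelope has no Header block at all, matching the first exception in the log.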

    Hi community,
I have a problem with the integration between Oracle Access Manager 11g and Oracle Identity Federation. I want to propagate the credentials from an application called WSebra to Oracle Access Manager with a SAML Assertion. I have tested the procedure from the Oracle integration guide "Integration Guide for Oracle Access Manager E15740-04" but it does not work.
I want to know if it is possible to propagate the credentials between an application that sends a SAML Assertion, like WSebra, and Oracle Access Manager 11G, and if it is possible, the procedure of integration. I don't use WebGate; I just need to propagate the credentials from WSebra to Access Manager. WSebra has an authentication mechanism with an LDAP system and does the work of authentication; Access Manager must create the session.
At this point, I create an identity provider and service provider with Oracle Single Sign-On as the integration manual describes, and I get the message:
    Resultado de Autenticación de SSO: Fallo de Autenticación
    Código de Estado Secundario de SSOUNKNOWN_PRINCIPAL
    And in the log i get the next message:
    Authentication instant was not sent from the authentication engine.
Please, I need help with this topic because we must integrate these products for a migration process: we want to migrate from SUN ACCESS MANAGER to Oracle Access Manager 11g. SUN ACCESS MANAGER has the SAML setting out of the box. Oracle Access Manager 11g doesn't have SAML, and RSA authentication is very bad, and we have many problems with these features.
    Thanks.

  • OIF11g-OAM11g integration - Auth mode?

I'm trying to get the OIF11g-OAM11g auth mode integration to work. I'm following the OIF integration mode doc and followed all the steps. I'm getting redirected to the OAM form login. Authentication goes through successfully, but I'm getting this error from OIF:
    <Mar 13, 2012 1:17:36 PM CDT> <Error> <oracle.security.fed.eventhandler.authn.engines.oam.OAMAuthnEventHandler> <FED-18068> <Authentication failed: WebGate did not authenticate the user>
    <Mar 13, 2012 1:17:36 PM CDT> <Warning> <oracle.security.fed.http.handlers.authn.LoginRequestHandler> <FED-18051> <Authentication instant was not sent from the authentication engine.>
    Installed OHS server (for Webgate 11g agent) on the same server hosting OIF (configured for both IdP and SP). I'm NOT using OSSO agent.
    The index.html of OHS server was modified and set to redirect the loopback testing URL of fed server as below. The reason I did this was to suppress the OIF login page and make OIF understand the OAM cookie.
    http://oifhost:7499/fed/idp/initiatesso?providerid=http://oifhost:7499/fed/sp&returnurl=http://anyresouce
Under Authentication Engine, made OAM the default authentication engine and added "OAM_REMOTE_USER" as the header attribute.
Created an OAM policy in OAM. The host identifier has both the OHS proxy and the OIF host URL.
Added "OAM_REMOTE_USER" as the header attribute under the authorization policy.
Has someone faced this issue before? I have seen many threads with the same issue but no solutions yet. Please help.

  • OWSM: Setting up SAML token verification with Novell Access manager

    Hello,
We are trying to set up communication between an OWSM gateway and a Novell Access Manager to do the following:
    All requests to our services should be secured using Web Services Security SAML Token Profile 1.0. OWSM will validate this token using the SAML – Verify WSS 1.0 Token step. The assertion will be issued by a Novell Access Manager. Are we right that OWSM needs to communicate with the Novell Access Manager for this? In that case Novell requires us to deliver metadata to establish a trust relation between the Identity Provider (Novell) and the Service Provider (OWSM). This metadata should look something like this:
    odysseus:/var/opt/novell/tomcat4/webapps/nidp # cat application.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE application PUBLIC '-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN' 'http://java.sun.com/j2ee/dtds/application_1_2.dtd'>
    <application>
    <display-name>NIDPJ2EEApp</display-name>
    <description>Novell Identity Provider</description>
    <module>
    <web>
    <web-uri>nidp.war</web-uri>
    <context-root>nidp</context-root>
    </web>
    </module>
    </application>
    However I cannot find anything on this in the OWSM documentation.

    To answer my own question. We found 4 application.xml files which seem to contain the metadata in the folders ccore, coreman, gateway and policymanager of $AS_HOME/owsm/config/.

  • Failing to Validate SAML Token : while setting WSRP security using SAML

    Hi All,
I am trying to configure SAML on a WLP 10.2 consumer domain along with a WLS 10.2 producer domain (extended domain to use as WSRP producer) on a single machine. I followed the steps as per the BEA edocs - http://edocs.bea.com/wlp/docs92/federation/Chap-Security-SAML.html , which talk about how easy it is to configure SAML with WSRP. But I am stuck at this point where the TransportException says the SAML token is not valid; stack trace below:
    Error invoking portlet "Cportlet"
    The source of this error is:
    com.bea.wsrp.faults.TransportException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@1e5d6b9[status: false][msg The SAML token is not valid.]
         at com.bea.wsrp.faults.FaultInstanceFactory.getException(FaultInstanceFactory.java:94)
         at com.bea.wsrp.proxy.ProxyBase.raiseFault(ProxyBase.java:768)
         at com.bea.wsrp.proxy.ProxyBase.invoke(ProxyBase.java:478)
         at $Proxy110.getMarkup(Unknown Source)
         at com.bea.wsrp.consumer.markup.GetMarkupService.invoke(GetMarkupService.java:44)
         at com.bea.wsrp.consumer.markup.GetMarkupService.invoke(GetMarkupService.java:27)
         at com.bea.wsrp.consumer.markup.AbstractMarkupService.invoke(AbstractMarkupService.java:85)
         at com.bea.wsrp.consumer.markup.AbstractMarkupService.invoke(AbstractMarkupService.java:68)
         at com.bea.wsrp.consumer.markup.AbstractMarkupService.invoke(AbstractMarkupService.java:61)
         at com.bea.wsrp.consumer.markup.MarkupServicesFacade.invoke(MarkupServicesFacade.java:44)
         at com.bea.wsrp.consumer.controls.ProxyPortletContent.invokeGetMarkup(ProxyPortletContent.java:664)
         at com.bea.wsrp.consumer.controls.ProxyPortletContent.beginRender(ProxyPortletContent.java:316)
         at com.bea.netuix.servlets.controls.application.laf.ContentControlRenderer.beginRender(ContentControlRenderer.java:48)
         at com.bea.netuix.nf.ControlLifecycle$7.visit(ControlLifecycle.java:481)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:518)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:220)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:352)
         at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:326)
         at com.bea.netuix.nf.UIControl.render(UIControl.java:582)
         at com.bea.netuix.servlets.controls.PresentationContext.render(PresentationContext.java:486)
         at com.bea.netuix.servlets.util.RenderToolkit.renderChild(RenderToolkit.java:146)
         at com.bea.netuix.servlets.jsp.taglib.skeleton.Child.doTag(Child.java:63)
         at jsp_servlet._framework._skeletons._bighorn.__flowlayout._jspService(__flowlayout.java:192)
         at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
         at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:528)
         at weblogic.servlet.internal.RequestDispatcherImpl.include(RequestDispatcherImpl.java:454)
         at com.bea.netuix.servlets.controls.application.laf.JspTools.renderJsp(JspTools.java:130)
         at com.bea.netuix.servlets.controls.application.laf.JspControlRenderer.beginRender(JspControlRenderer.java:72)
         at com.bea.netuix.servlets.controls.application.laf.PresentationControlRenderer.beginRender(PresentationControlRenderer.java:65)
         at com.bea.netuix.nf.ControlLifecycle$7.visit(ControlLifecycle.java:481)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:518)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529)
         at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:220)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
         at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208)
         at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162)
         at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388)
         at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258)
         at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:199)
         at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251)
         at com.bea.netuix.servlets.manager.PortalServlet.service(PortalServlet.java:686)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at com.bea.portal.tools.servlet.http.HttpContextFilter.doFilter(HttpContextFilter.java:60)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at com.bea.p13n.servlets.PortalServletFilter.doFilter(PortalServletFilter.java:336)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
Have tried a lot of different things but no luck proceeding further. Configured the producer domain as per the link mentioned above, reconfigured the consumer again. Also tested by creating a new keystore, but all this does not help me proceed further.
    Any help is greatly appreciated.
    Thanks in Advance.
    Maurya

I am also facing the same kind of issue. See the error message below. Please help me to kill this error.
    com.bea.wsrp.faults.TransportException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@1423066[status: false][msg The SAML token is not valid.]
         at com.bea.wsrp.proxy.ProxyBase.raiseFault(ProxyBase.java:578)
         at com.bea.wsrp.proxy.ProxyBase.invoke(ProxyBase.java:464)
         at $Proxy118.getServiceDescription(Unknown Source)
         at com.bea.wsrp.client.ProducerAgentImpl.getServiceDescription(ProducerAgentImpl.java:93)
         at com.bea.wsrp.client.ProducerAgentImpl.getServiceDescription(ProducerAgentImpl.java:55)
         at com.bea.jsptools.portal.helpers.wsrp.ProducerRegistryControlImpl.getServiceDescription(ProducerRegistryControlImpl.java:205)
         at com.bea.jsptools.portal.helpers.wsrp.ProducerRegistryControlBean.getServiceDescription(ProducerRegistryControlBean.java:133)
         at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper.getProducerForWsdl(AddProducerHelper.java:704)
         at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper.access$100(AddProducerHelper.java:61)
         at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper$FindProducers.producerWsdl(AddProducerHelper.java:249)
         at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper$FindProducers.run(AddProducerHelper.java:235)
         at portalTools.definitions.portletProducers.wizard.AddProducerWizardController.runAction(AddProducerWizardController.java:566)
         at portalTools.definitions.portletProducers.wizard.AddProducerWizardController.doIfValid(AddProducerWizardController.java:542)
         at portalTools.definitions.portletProducers.wizard.AddProducerWizardController.selectProducerAction(AddProducerWizardController.java:172)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:878)
         at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:808)
         at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:477)
         at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:305)
         at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:335)
         at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:51)
         at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:95)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2042)
         at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2114)
         at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:554)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:851)
         at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:630)
         at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:157)
         at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
         at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1169)
         at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:688)
         at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.processActionInternal(ScopedContentCommonSupport.java:144)
         at com.bea.portlet.adapter.scopedcontent.PageFlowStubImpl.processAction(PageFlowStubImpl.java:107)
         at com.bea.portlet.adapter.NetuiActionHandler.raiseScopedAction(NetuiActionHandler.java:99)
         at com.bea.netuix.servlets.controls.content.NetuiContent.raiseScopedAction(NetuiContent.java:180)
         at com.bea.netuix.servlets.controls.content.NetuiContent.raiseScopedAction(NetuiContent.java:168)
         at com.bea.netuix.servlets.controls.content.NetuiContent.handlePostbackData(NetuiContent.java:222)
         at com.bea.netuix.nf.ControlLifecycle$2.visit(ControlLifecycle.java:178)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:351)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
         at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:128)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:339)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:330)
         at com.bea.netuix.nf.Lifecycle.runInbound(Lifecycle.java:162)
         at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:137)
         at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:370)
         at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:229)
         at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:183)
         at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:221)
         at com.bea.netuix.servlets.manager.PortalServlet.service(PortalServlet.java:600)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:223)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at com.bea.jsptools.servlet.PagedResultServiceFilter.doFilter(PagedResultServiceFilter.java:82)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at com.bea.p13n.servlets.PortalServletFilter.doFilter(PortalServletFilter.java:251)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3243)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2003)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1909)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1359)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)

  • SSO and SAML issue with Fiori

    Hi
    I have set up a Fiori system based on 7.4 and it is working fine.
    I attempted to use Single Sign-On using SAML based on ADFS as an identity provider, which we are already using in our environment.
    I have followed this guide by Chris Wealy on Using SAML 2.0 Authentication to Access Fiori Apps from the Public Internet.
    However, when I am trying to log in to the Fiori launchpad, I am redirected to the IdP site where I enter my credentials, and I am not able to log in. Checking the diagnostic tool, I am getting the following error:
    SAML20 SP (client 410 ): Exception raised:
    SAML20 SAML20 CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Diagnosis System Response Status 401 was returned. Access denied. Procedure Contact the administrator of the entity, to which access was attempted. The logon data prevent communication. Use an HTTP destination and configure the logon data and the SSL client values as needed. Procedure for System Administration
    SAML20     at CL_SAML20_ABSTRACT_PROFILE->SOAP_SEND(Line 160)
    SAML20     at CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT(Line 61)
    SAML20     at CL_SAML20_ABSTRACT_MSG->PARSE_MESSAGE(Line 216)
    SAML20     at CL_SAML20_RESPONSE->CREATE_FROM_MSG(Line 46)
    SAML20     at CL_SAML20_ABSTRACT_PROFILE->CREATE_MSG_OBJECT(Line 46)
    SAML20     at CL_SAML20_SSO->VALIDATE_RESPONSE(Line 32)
    SAML20     at CL_HTTP_SAML20->PROCESS_LOGON(Line 303)
    SAML20     at CL_ICF_SAML_LOGIN->PROCESS_LOGON(Line 62)
    SAML20     at CL_HTTP_SERVER_NET->AUTHENTICATION(Line 2491)
    However checking the possible solution to the above error I came across this
    Problem: You are performing SAML 2.0 authentication and you get the following error:
    CX_SAML20_CORE: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1. Long text: Access by the SOAP request to COMMUNICATION_ERROR was denied with status 1.
    Reason: SSL server certificate of identity provider is not imported in “SSL Client Standard” PSE.
    Solution: Import SSL server certificate of the identity provider in “SSL Client Standard” PSE.
    I have imported the SSL server certificate along with the root certificate of the identity provider, which is ADFS, and I am still getting the same error.
    The ICM trace shows this:
    Thr 140736331941632] *** ERROR during SecuSSL_SessionStart() from SSL_connnect()==SSL_ERROR_CONNECTION_LOST
    Thr 140736331941632]    session uses PSE file "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"
    Thr 140736331941632] No LastError / ErrorStack available!
    Thr 140736331941632]   SSL_get_state()==0x2120 "SSLv3 read server hello A"
    Thr 140736331941632]   SSL NI-hdl 193: local=10.2.32.85:52039  peer=10.2.32.43:443
    Thr 140736331941632] <<- ERROR: SapSSLSessionStart(sssl_hdl=7fff90003a60)==SSSLERR_SSL_CONNECT
    Thr 140736331941632] *** ERROR => SSL handshake with adfs.sbm.com.sa:443 failed: SSSLERR_SSL_CONNECT (-57)
    Thr 140736331941632] SAPCRYPTO:SSL_connect() failed
    Thr 140736331941632]
    Thr 140736331941632] SapSSLSessionStart()==SSSLERR_SSL_CONNECT
    Thr 140736331941632] SSL_connnect() failed  (0/0x00) Huh??
    Thr 140736331941632]   SSL:SSL_get_state()==0x2120 "SSLv3 read server hello A"
    Thr 140736331941632]   SSL NI-hdl 193: local=10.2.32.85:52039  peer=10.2.32.43:443
    Thr 140736331941632]   cli SSL session PSE "/usr/sap/UI5/DVEBMGS00/sec/SAPSSLC.pse"
    Thr 140736331941632]   Target Hostname="adfs.sbm.com.sa"
    Can anybody help out.
    Do you need any other logs or configurations to check?

    Hi Simon,
    Thanks for your response.
    I am able to access the NetWeaver Gateway service URLs placed on the same DMZ using a reverse proxy from the internet.
    I have tried using the FQDN as well, but no luck. Do we need to do some configuration on the backend server in order to use the Fiori Launchpad with a reverse proxy?
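
    The frames in the trace above (CL_SAML20_ARTIFACT->RESOLVE_ARTIFACT calling SOAP_SEND) and the ICM SSL errors both belong to the artifact-resolution step of the SAML 2.0 HTTP-Artifact binding: the browser only carries a short artifact to the service provider, and the service provider then opens its own HTTPS connection to the identity provider to exchange it for the real Response. That is why a server certificate missing from the SP's client PSE, or an HTTP 401 from the IdP's resolution endpoint, breaks a login whose browser leg looks fine. The Python below is an added example that is not part of this thread and is not SAP or ADFS code. It runs both sides of that exchange in one process, with assumed entity IDs, message IDs and an in-memory artifact store, and shows the checks a service provider should make before trusting the result (the artifact's SourceID names a configured IdP, the InResponseTo matches our own request) and the IdP's one-time-use rule for artifacts.

```python
"""SAML 2.0 HTTP-Artifact binding: the SP-to-IdP back-channel exchange.

Added example; not code from the thread above, SAP NetWeaver or ADFS.
Both sides run offline: the IdP issues a type-0x0004 artifact and parks
the real Response under its handle; the SP checks the artifact, sends
ArtifactResolve over SOAP, and extracts the Response from ArtifactResponse.
Entity IDs, message IDs and the in-memory store are assumptions.
"""
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
IDP_ENTITY_ID = "https://adfs.example.test/adfs/services/trust"  # assumed
SP_ENTITY_ID = "https://fiori.example.test/saml2/sp"  # assumed
SOAP_OPEN = '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
SOAP_CLOSE = "</soap:Body></soap:Envelope>"


def issue_artifact(idp_entity_id: str, endpoint_index: int = 0):
    """IdP side. Type 0x0004 artifact layout (SAML 2.0 Bindings, 3.6.4):
    TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20).
    SourceID is SHA-1 of the issuer's entity ID; the handle is random."""
    source_id = hashlib.sha1(idp_entity_id.encode()).digest()
    handle = os.urandom(20)
    raw = b"\x00\x04" + endpoint_index.to_bytes(2, "big") + source_id + handle
    return base64.b64encode(raw).decode(), handle


def parse_artifact(artifact: str) -> dict:
    """SP side. Reject malformed artifacts before spending a back-channel call."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a SAML 2.0 type-0x0004 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "handle": raw[24:44]}


def build_artifact_resolve(artifact: str, request_id: str, issuer: str) -> bytes:
    """SP side. This envelope goes over a direct SP->IdP HTTPS connection,
    so the SP's client trust store (the SSL-client PSE in SAP terms) must
    hold the IdP's TLS server chain; the browser is not involved."""
    return (SOAP_OPEN +
            f'<samlp:ArtifactResolve xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="2011-01-01T00:00:00Z">'
            f"<saml:Issuer>{issuer}</saml:Issuer><samlp:Artifact>{artifact}</samlp:Artifact>"
            "</samlp:ArtifactResolve>" + SOAP_CLOSE).encode()


def idp_resolve(soap_request: bytes, store: dict) -> bytes:
    """IdP side. Hand the parked Response out once, then forget the handle,
    so a replayed artifact resolves to a Requester error and no Response."""
    resolve = ET.fromstring(soap_request).find("soap:Body/samlp:ArtifactResolve", NS)
    handle = parse_artifact(resolve.findtext("samlp:Artifact", namespaces=NS))["handle"]
    payload = store.pop(handle, "")
    status = "Success" if payload else "Requester"
    return (SOAP_OPEN +
            f'<samlp:ArtifactResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_ar1" Version="2.0" IssueInstant="2011-01-01T00:00:01Z" InResponseTo="{resolve.get("ID")}">'
            f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
            f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:{status}"/></samlp:Status>'
            f"{payload}</samlp:ArtifactResponse>" + SOAP_CLOSE).encode()


def sp_extract_response(soap_response: bytes, expected_request_id: str) -> dict:
    """SP side. Bind the answer to our own request before trusting its content."""
    ar = ET.fromstring(soap_response).find("soap:Body/samlp:ArtifactResponse", NS)
    if ar.get("InResponseTo") != expected_request_id:
        raise ValueError("ArtifactResponse does not answer our ArtifactResolve")
    code = ar.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    response = ar.find("samlp:Response", NS)
    return {"status": code.rsplit(":", 1)[1],
            "response_id": None if response is None else response.get("ID")}


def run_exchange() -> dict:
    """Drive one successful resolution and one replay attempt."""
    artifact, handle = issue_artifact(IDP_ENTITY_ID)
    store = {handle: ('<samlp:Response ID="_resp42" Version="2.0" IssueInstant="2011-01-01T00:00:00Z">'
                      f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status>"
                      '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
                      "</samlp:Status></samlp:Response>")}
    parsed = parse_artifact(artifact)  # the browser delivered this as ?SAMLart=...
    if parsed["source_id"] != hashlib.sha1(IDP_ENTITY_ID.encode()).digest():
        raise ValueError("artifact SourceID does not name a configured IdP")
    first = sp_extract_response(idp_resolve(build_artifact_resolve(artifact, "_req1", SP_ENTITY_ID), store), "_req1")
    replay = sp_extract_response(idp_resolve(build_artifact_resolve(artifact, "_req2", SP_ENTITY_ID), store), "_req2")
    return {"first": first, "replay": replay, "endpoint_index": parsed["endpoint_index"]}


if __name__ == "__main__":
    print(run_exchange())
```

    In a real deployment the ArtifactResolve is also signed or sent over mutually authenticated TLS so the IdP knows which SP is asking; what the example keeps is the part that fails in this thread, a separate server-to-server HTTPS call that has its own trust store and its own authentication, independent of the browser session.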

  • Jsessionid - weblogic 10.3.5, saml 2.0 & adfs 2.0 with peopletools 8.5x

    We have set up SAML 2.0 to enable SSO into PeopleSoft (the IdP is ADFS 2.0).
    On a simple sample web application SAML is working correctly.
    However, when we tried to enable this for one of our PeopleSoft systems we ran into the issue that after the final redirect to the target, access is denied.
    PeopleSoft is using a non-standard cookie name, from weblogic.xml:
    <session-param>
    <param-name>CookieName</param-name>
    <param-value>PSDev2-0-PORTAL-PSJSESSIONID</param-value>
    </session-param>
    According to http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/saml.html
    \quote
    Use of Non-default Cookie Name
    When the Assertion Consumer Service logs in the Subject contained in an assertion, an HTTP servlet session is created using the default cookie name JSESSIONID. After successfully processing the assertion, the ACS redirects the user’s request to the target web application. If the target web application uses a cookie name other than JSESSIONID, the Subject’s identity is not propagated to the target web application. As a result, the servlet container treats the user as if unauthenticated, and consequently issues an authentication request.
    To avoid this situation, do not change the default cookie name when deploying web applications in a domain that are intended to be accessed by SAML 2.0 based single sign-on.
    \endquote
    This is exactly the issue we encounter. SAML itself is working properly. However, on redirect to the target application access is denied.
    Now, if we disable the non-default cookie name in the PeopleSoft application, we get the error message 'cookies must be enabled' when trying to access i.e. \signon.html.
    What can we do to make SAML 2.0 work with Peoplesoft?
    Is there a way to change the cookie name for SAML or share the SAML session with the peoplesoft application?
    Any help in this matter is greatly appreciated.
    Thank you
    Karl Weber
    Systems Analyst
    NAIT - Department of Information Services

    Hi Karl,
    I have reproduced your issue in my environment:
    <session-descriptor>
         <cookie-name>HELLO_WORLD_SSO</cookie-name>
    </session-descriptor>
    What I am seeing is that WebLogic is not able to fix the user session (JSESSIONID), so it sends the authentication request again. Actually, in my case, it performs 5-6 retries. If you take a look at the ADFS2 log you will see an exception like this: "The same client browser has made 6 request in the last 4 seconds..." At the end the IdP sends you a SAMLResponse with the status urn:oasis:names:tc:SAML:2.0:status:Responder. WebLogic "translates" that message into a 403 Forbidden error.
    Maybe you could feed that cookie, PSDev2-0-PORTAL-PSJSESSIONID, by yourself, i.e. implementing a filter:
    HttpServletResponse httpServletResponse = (HttpServletResponse) response;
    httpServletResponse.addCookie(new Cookie("PSDev2-0-PORTAL-PSJSESSIONID", yourValue));
    .../...
    Hope it helps,
    Luis

  • Issues to configure SAML, I tried a lot but it's not working. Below are the given instructions on how to configure SAML

    SAML Overview
    Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services Technical Committee.
    SAML is relevant to those customers who already have a SAML implementation in use with other systems in their organization. Therefore, it is recommended you engage your technology team that has a working knowledge of SAML and provide this document to them for their review.
    Key Roles
    • Identity Provider (IDP): The system in authority that provides the user information
    • Service Provider (SP): The system that trusts the asserting party’s information, and uses the data to provide an application to the user.
    • Subject: The user and their identity that is involved in the transaction.
    Note! In our context, Learning Maestro is the SP, the IDP is customer-specific, and the Subject is the user who is logged in.
    Copyright © 2013 SumTotal Systems, LLC. All rights reserved. Duplication prohibited.
    Typical SAML Components
    Source: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
    Implementing SAML 2.0
    • SumTotal LMS supports only SAML 2.0 Standards.
    • We support only IDP-initiated SAML authentication.
    • The SAML Response should be signed and base64 Encoded.
    • UserName should be passed in NameID element under Assertion\Subject Keys.
    • We use the timestamp provided in the IssueInstant attribute of the SAML Assertion to find the valid period (+/- 5 min) for the SAML Response.
    • Currently, we do not support signed or encrypted assertions.
    • Deep linked URLs can be passed through an additional URL parameter of “OriginalURL.”
    IDP Initiated Web SSO
    Source: http://www.ijcsi.org/papers/2-41-48.pdf
    When Learning Maestro is Accessed from a Portal
    1. The user logs into the customer portal.
    2. The user clicks on a link to the LMS from the customer’s portal.
    3. The link points to an IDP page.
    4. The IDP page posts an HTTP Request to Learning Maestro.
    5. The request is an < ... > message.
    Typical Structure of a SAML Response
    • Below is the typical SAML Response received by LMS from IDP
    • Value of SAMLResponse parameter should be base64 Encoded.
    Please double-click to open the below XML file to view how the response looks after decoding:
    ExampleSuccessfulAssertion.xml
    Configuring SAML 2.0
    SumTotal Maestro supports SAML 2.0 for the “Identity Provider Initialized SSO” protocol.
    To configure your Maestro domain to accept SAML 2.0 Assertions, the following steps must be taken:
    1. Confirm that Usernames are in sync
    2. Provide an X.509 Certificate to SumTotal Systems (SHA1 Hashed)
    SumTotal Systems will configure your environment with the X.509 cert you provide.
    3. Point your call to the following URL:
    https://gm1.geolearning.com/geonext/<your_domain>/saml.geo
    After authenticating to your Identity Provider, the provider will pass a user into Maestro IF:
    • The user has a username matching an existing Maestro username
    • The x509 certificates match on both sides
    If authentication fails, the user will be presented with a failure page.
    Assertions
    An optional assertion is available to specify the URL a user will be sent if there is an authentication error.
    ErrorRedirectURL Assertion
    • If ‘ErrorRedirectURL’ is not specified and an authentication error or other security exception occurs, it will redirect the user to the default secerror.geo page as it does today
    • If a value (URL) is specified for ‘ErrorRedirectURL’ and there is an authentication error, the user will be redirected to the URL specified
    Sample
    Additional Information
    For additional information on SAML, please refer to the following sources:
    Wikipedia: Security Assertion Markup Language
    OASIS Executive Summary
    IJCSI Intermediate Concept
    OASIS Technical Overview
    FAQs
    Question: What .NET library are we using?
    Answer: SumTotal uses the “Componentspace” .NET SAML 2.0 library.
    Question: Can users still log in via the login page?
    Answer: Yes. The SAML target page is different than the login page.
    Question: Can we deep link into the LMS through the SAML 2.0 authentication workflow?
    Answer: Yes. “Deep Link Target” (target or original URL parameter) is accepted. If none is provided, then it will default to the default landing page as configured in Maestro.
    Question: Can I get rid of the Logout button?
    Answer: Yes. When using SAML, the logout button still exists intentionally in the navigation but can be disabled in the “configure Navigation” options.
    Question: What is the Session timeout setting?
    Answer: Session Hard Life and Idle Life settings can be configured in the security section of the administration interface of Maestro.
    Question: What is the unique ID for SAML?
    Answer: The “username” field.
    Question: What is the failure page if authentication fails?
    Answer: If the authentication fails, by default an intentionally simple error is presented to the user stating “Authentication Failure”. For security purposes, no further information regarding the specifics of the failure are defined to the user. An optional ErrorRedirectURL assertion can be used.
    Question: What URL do we point to?
    Answer: https://gm1.geolearning.com/geonext/<your_domain>/saml.geo
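
    As an added example, not SumTotal's code, the following Python applies the rules the document above lists for an IdP-initiated Response (base64-encoded SAMLResponse, signed Response, username in Assertion/Subject/NameID, IssueInstant within +/-5 minutes) and handles the optional ErrorRedirectURL. Assumptions: the redirect URL is carried as a saml:Attribute named ErrorRedirectURL, the allow-list of hosts the SP may redirect to, the default error page path, and the sample Response, which is constructed. The signature check only confirms that a ds:Signature element is present; verifying the XML-DSig against the exchanged X.509 certificate requires an XML-Security library and is outside this snippet.

```python
"""Service-provider checks for an IdP-initiated SAML 2.0 Response.

Added example, not SumTotal's code. It applies the rules listed in the
document above: base64-encoded SAMLResponse, signed Response, username in
Assertion/Subject/NameID, IssueInstant within +/-5 minutes, and an optional
ErrorRedirectURL. Assumptions: ErrorRedirectURL travels as a saml:Attribute,
the redirect allow-list and default error page, and the constructed sample
Response. The signature check is presence-only; verifying the XML-DSig
needs an XML-Security library.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLOCK_SKEW = timedelta(minutes=5)
DEFAULT_ERROR_PAGE = "secerror.geo"               # page named in the document; path assumed
ALLOWED_REDIRECT_HOSTS = {"portal.example.test"}  # assumed customer allow-list


def parse_instant(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime; fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def error_redirect(assertion) -> str:
    """An IdP-supplied redirect target is an open-redirect vector unless the
    host is on an allow-list; fall back to the default page otherwise."""
    url = assertion.findtext(
        "saml:AttributeStatement/saml:Attribute[@Name='ErrorRedirectURL']/saml:AttributeValue",
        namespaces=NS)
    if url and (urlsplit(url).hostname or "") in ALLOWED_REDIRECT_HOSTS:
        return url
    return DEFAULT_ERROR_PAGE


def validate_response(saml_response_b64: str, now_iso: str) -> dict:
    """Decode and check one SAMLResponse value; now_iso is the SP clock."""
    now = parse_instant(now_iso)
    # ElementTree is fine for the constructed sample; parse untrusted XML with
    # defusedxml to block entity-expansion attacks.
    root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    problems, username, issued, redirect = [], None, None, DEFAULT_ERROR_PAGE
    if root.tag != f"{{{NS['samlp']}}}Response":
        problems.append("not a samlp:Response")
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not supported)")
    else:
        username = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if not username:
            problems.append("NameID missing")
        issued = parse_instant(assertion.get("IssueInstant"))
        if abs(now - issued) > CLOCK_SKEW:
            problems.append("IssueInstant outside the +/-5 minute window")
        redirect = error_redirect(assertion)
    return {"ok": not problems, "username": username, "issue_instant": issued,
            "error_redirect": redirect, "problems": problems}


def sample_response(issue_instant: str, signed: bool = True, error_url: str = "") -> str:
    """Constructed SAMLResponse parameter value: base64 of a minimal Response."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           "<ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVz</ds:SignatureValue></ds:Signature>") if signed else ""
    attr = ('<saml:AttributeStatement><saml:Attribute Name="ErrorRedirectURL">'
            f"<saml:AttributeValue>{error_url}</saml:AttributeValue></saml:Attribute>"
            "</saml:AttributeStatement>") if error_url else ""
    xml_text = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                f'ID="_r1" Version="2.0" IssueInstant="{issue_instant}">'
                f"<saml:Issuer>https://idp.example.test</saml:Issuer>{sig}"
                '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
                f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issue_instant}">'
                "<saml:Issuer>https://idp.example.test</saml:Issuer>"
                "<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>"
                f"{attr}</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml_text.encode()).decode()


if __name__ == "__main__":
    print(validate_response(sample_response("2013-06-01T12:02:30Z"), "2013-06-01T12:00:00Z"))
    print(validate_response(sample_response("2013-06-01T11:50:00Z", signed=False), "2013-06-01T12:00:00Z"))
```

    The allow-list is the part worth copying: a redirect target taken straight from an assertion is an open redirect if the SP follows it unchecked, since the IdP, or anyone who can get a Response accepted, chooses the destination.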

    Hello,
    Thanks for posting your question here. However, this forum is used to discuss and ask questions about .NET Framework Base Classes (BCL) such as Collections, I/O, Registry, Globalization, Reflection. Issues regarding configuring SAML are beyond the scope of our support.
    Regards.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place. Click HERE to participate in the survey.

  • Using SAML policy while invoking a web service

    I have to invoke a web service which is secured using the policy wss10_saml_token_client_policy.
    In order to achieve this I have created a stub using JAX-WS, and while invoking the web service I pass the policy as a SecurityPolicyFeature. Code snippet given below:
    SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] { new SecurityPolicyFeature(
                        getValueFromPropertyFile("oracle/wss10_saml_token_client_policy"))};
    SomeStub stub = (UserManagementPortTypev1_0) SomeService.getPort("...", "....", securityFeatures);
    Once deployed in WebLogic, when I invoke the service, the SOAP request formed is correct. It creates for me the SOAP header with the correct security nodes. The header formed is like below:
    <S:Header>
    <work:WorkContext xmlns:work="http://oracle.com/weblogic/soap/workarea/">...</work:WorkContext>
    <wsse:Security S:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <saml:Assertion AssertionID="SAML-L0r20MS5CV0y7B6zHnGX5w22" IssueInstant="2011-05-10T05:03:49Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2011-05-10T05:03:49Z" NotOnOrAfter="2011-05-10T05:08:49Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2011-05-10T05:03:49Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">anonymous</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </saml:AuthenticationStatement>
    </saml:Assertion>
    </wsse:Security>
    </S:Header>
    The NameIdentifier node is supposed to be populated with the logged-in user ID, which will be picked up from the JAAS principal.
    Now I am invoking the service hosted in WebLogic from outside using the JSON protocol; I do not have a portal ready to invoke the service.
    My question is, is there any way in which I can replicate/simulate the JAAS principal such that the NameIdentifier is populated even when invoked from outside? This is a requirement from a testing perspective.

    Hi,
    Thanks, it is working now.
    BTW, can you give me some URLs with info on this kind of setting which I need to do for other kinds of integrations on the J2EE platform? Sorry if I am asking too much, as I am a starter in this technology.

  • Help needed in implementing Cisco Unity SSO using SAML

    Hello,
    I am aware that Cisco Unity 8.x  has a SSO checklist that requires:
    - Cisco Unity
    - MS AD on Win2003/8
    - Open AM
    - Apache Tomcat 7.0
    We already have a single sign-on solution at our organization that uses the Novell Access Manager (NAM). Would we be able to do a federated solution between another SSO product and the OpenAM on the Cisco Unity product? In this architecture all we will do is set up OpenAM as a Service Provider (SP) fronting the Cisco Unity apps and then do the SAML 2.0 protocol with an Identity Provider (IdP), which would be the NAM.
    The idea is that we have a single Identity Provider (IdP). I have a difficult time understanding why setting up SSO for the Cisco Unity app requires installing a full OpenAM SSO suite. I imagine most companies have SSO solutions that have been implemented using products such as Oracle AM, Tivoli etc., and all they would need to do is federate with the Cisco app, instead of setting up a parallel SSO suite.
    Thanks in advance!

    Instead of registering the plug-in, can you try placing it in the plugins folder under the Oracle_IDM1/server folder?
    At times a restart is required, especially when the server is running in production mode.
    Regards
    user12841694

  • SAML / OIF integration does not work - Could not extract SAML2 message

    Hi gurus,
    We are trying to establish SSO between SAP Portal 7.3 and OIF 11.1.5 (Oracle Identity Federation). I configured SAP Portal as the service provider, and OIF is also configured. I changed the login module and added SAML on top of my default auth stack. When we try to do an end-to-end test it does not work and throws the following error:
    Default SAML2 configuration is selected because login module option [provider] is not configured.
    SAML2LoginModule is running in execution mode DEFAULT.
    SAML2Principal not found in current client context.
    Exiting method
    Entering method
    SAMLResponse: PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6
    U0FNTDoyLjA6cHJvdG9jb2wiIERlc3RpbmF0aW9uPSJodHRwczovL2ppZXB0ODIu
    dWsuY2VudHJpY2FwbGMuY29tOjgxODIvc2FtbDIvc3AvYWNzIiBJRD0iaWQtVVRW...........................
    Decoded SAMLResponse: <samlp:Response mlns:samlp="urn:oasis:names:tc:  4 пїЅГЈ"пїЅ пїЅ &пїЅFпїЅ6пїЅпїЅ" FW7FпїЅпїЅ.......................3E&saml2post=false
    Could not extract SAML2 message from request.
    [EXCEPTION]
    java.lang.SecurityException: com.sap.security.saml2.lib.common.SAML2Exception: SAML parsing failed..................
    No user name provided.
    Entering method
    Automatic IdP Selection mode configured for the Service Provider
    POST parameters set as HTTP request attribute [sap.com/login_post_parameters] to be re-submitted during login: [SAMLResponse, SAMLart, RelayState]
    Could not remove original application URL cookie because the provided name is invalid: <null>
    Exiting method with true
    LOGIN.FAILED
    User: N/A
    IP Address: 10.11.11.11
    Authentication Stack: ticket
    Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
    1. com.sap.security.saml2.sp.SAML2LoginModule                              REQUIRED    ok          exception             true       Service Provider could not extract SAML2 message from request.
            #1 AcceptedAuthenticationMethods = *
            #2 Mode = Standalone
    2. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
            #1 trusteddn1 = CN=ERT,OU=I0020100174,O=SAP Web AS
            #2 trustediss1 = CN=ERT,OU=I0020100174,O=SAP Web AS
            #3 trustedsys1 = ERT,010
            #4 ume.configuration.active = true
    3. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     
    4. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok          false                 true      
    The decoded SAML response looks strange, with all non-readable characters, and as a result there is no username passed to the portal, the SAML login fails and the portal offers a fall-back login with username/password.
    Also, can you please comment on the line from help.sap.com (http://help.sap.com/saphelp_nw73/helpdata/en/bf/b0b879544740c8a3c8bdda87e50587/frameset.htm):
    "Prerequisites for SAML: Your service provider must be able to reach the identity provider over HTTP or HTTPS."
    We have our identity provider / service provider in two different segments of the network and there is no HTTP/HTTPS connection between these segments, as we assumed that all the communication is going through the browser and we would not need the port to be opened on the firewall. Is it something which is absolutely necessary? In our opinion it negates all the benefits of SAML.
    Help will be very much appreciated
    Many thanks in advance,
    Regards, Elena

    Hi Elena,
    The issue was discovered and fixed during the SAML Interoperability Tests early last year (2011). I'm not sure I will be able to find a dedicated note, because the fix was not downported but just submitted as a correction in the latest SP. If you need a justification then you can open a support ticket with SAP and this will be the official answer there. If you do so, please do not forget to attach traces from the system; use the tool described in 1332726 with type "SAML 2.0 (Info)". If you send me the ticket number I can speed up the processing of the ticket.
    Regards,
    Dimitar
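
    The decoded SAMLResponse in the trace above turns unreadable after the first few bytes; the reply attributes that to a product defect, and this page says nothing more about the cause. Independently of that, the first thing to establish when a decoded message looks like this is which binding encoding the parameter uses: the HTTP-POST binding carries base64(XML) in a form field, while the HTTP-Redirect binding carries a URL-encoded base64 of a raw DEFLATE stream in the query string, and a message read with the wrong assumption, or corrupted on the way, never parses. On the firewall question raised in the post, the HTTP-POST binding itself needs no SP-to-IdP connection because the browser carries every message; a direct connection is needed only when the artifact binding is used (the SAMLart parameter, which the SP resolves over SOAP) or when the SP fetches IdP metadata over the network. The Python below is an added example, not SAP or Oracle code; its sample Response and its garbage input are constructed, and instead of printing binary noise it reports which encoding yields well-formed XML, with a size cap on inflated output.

```python
"""Identify the binding encoding of a SAMLResponse parameter.

Added example; not SAP's or Oracle's code. HTTP-POST binding carries
base64(XML); HTTP-Redirect binding carries URL-encoded base64(DEFLATE(XML)).
The decoder tries the POST form first, then the Redirect form, and reports
which produced well-formed XML. The sample message and the garbage input
are constructed.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 1 << 20  # refuse inflated output above 1 MiB (decompression-bomb guard)

SAMPLE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" '
              'Version="2.0" IssueInstant="2012-03-01T10:00:00Z" '
              'Destination="https://sp.example.test/saml2/sp/acs"><samlp:Status>'
              '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
              "</samlp:Status></samlp:Response>")
# Constructed: base64 of bytes that are neither XML nor a valid DEFLATE stream.
GARBAGE_PARAM = base64.b64encode(b"\xff\xff\xffnot-saml").decode()


def encode_post(xml_text: str) -> str:
    """HTTP-POST binding: base64 of the XML, sent in a form field."""
    return base64.b64encode(xml_text.encode()).decode()


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encoded."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(xml_text.encode()) + c.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")


def _inflate(raw: bytes) -> bytes:
    """Raw-DEFLATE inflate with an output cap; reject streams that want more."""
    d = zlib.decompressobj(-15)
    out = d.decompress(raw, MAX_XML_BYTES)
    if d.unconsumed_tail:
        raise ValueError("inflated message exceeds MAX_XML_BYTES")
    return out


def _well_formed(data: bytes):
    # Parse untrusted XML with defusedxml in production; ElementTree is used
    # here only because the inputs are constructed.
    try:
        return ET.fromstring(data)
    except ET.ParseError:
        return None


def decode_saml_parameter(value: str) -> dict:
    """Return the binding that yields well-formed XML, the XML, and a preview
    of the raw bytes so a bad decode is visible instead of a stack trace."""
    text = urllib.parse.unquote(value) if "%" in value else value
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return {"binding": None, "xml": None, "preview": text[:40]}
    root = _well_formed(raw)
    if root is not None:
        return {"binding": "HTTP-POST", "xml": raw.decode("utf-8", "replace"), "root": root.tag}
    try:
        inflated = _inflate(raw)
    except (zlib.error, ValueError):
        inflated = b""
    root = _well_formed(inflated) if inflated else None
    if root is not None:
        return {"binding": "HTTP-Redirect", "xml": inflated.decode("utf-8", "replace"), "root": root.tag}
    return {"binding": None, "xml": None, "preview": raw[:40]}


if __name__ == "__main__":
    for name, param in (("post", encode_post(SAMPLE_XML)),
                        ("redirect", encode_redirect(SAMPLE_XML)),
                        ("garbage", GARBAGE_PARAM)):
        result = decode_saml_parameter(param)
        print(name, result["binding"], result.get("root") or result.get("preview"))
```

    When a trace shows partially readable XML, run the raw parameter value through decode_saml_parameter before reading anything into the bytes: a None binding with a sensible preview means the value itself was damaged before it reached the SP, while a None binding with a readable XML prefix in the preview points at the parameter having been cut or re-encoded in transit.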

  • How to develop a webservice with SAML on Weblogic 8.1

    I will develop some webservices on Weblogic 8.1. On the security part, we will
    use SAML. Is there somebody who can tell me how to do it? Do I need third party
    product? And where I can find samples?
    Thanks.
    Jian

    I will develop some webservices on Weblogic 8.1. On the security part,
    we will use SAML. Is there somebody who can tell me how to do it? Do I
    need third party product? And where I can find samples?
    Currently, we don't offer any support for SAML in WLS -- so you would
    have to use a third party product. Depending on how you want to use it,
    you may be able to use a third party product to create a handler for your
    service or client.
    However, if you want to use the handler in the server to set the subject
    for the invoke, the handler architecture will prevent you from doing
    this -- the API you use to set the user
    (weblogic.security.service.SecurityManager.runAs() -- see
    http://edocs.bea.com/wls/docs81/javadocs/weblogic/security/service/SecurityManager.html)
    cannot be successfully used in handler methods. If you wish to do this,
    I'm afraid the only way we have to support this is to use a servlet filter.
    -Pete

  • Null Pointer Exception while configuring SAML Credential Mapper

    Hi,
    I am trying to set up my customised SAML code for WLS 10.3. To test it, I have created a standalone suite with 2 applications, one as a source where the authentication will be through a simple username and password, and the second as the destination where the identity assertion will take place based on the token generated in the first app.
    So to achieve this, I am using a default SAMLCredentialMapperV2 for credential mapping at the source site. But while configuring it, the management tab of the credential mapper shows a null pointer exception.
    Can anyone point out what's wrong or if I am missing anything?
    Steps to create:-
    1. Create a security realm
    2. Go to security realm -> Provider -> Credential Mapping tab.
    3. Create a credential mapper of type SAMLCredentialMapperV2 and with specifications as mentioned in http://www.oracle.com/technetwork/articles/entarch/sso-with-saml3-086457.html
    4. Click on the newly created mapper and go to the management tab. It throws a null pointer exception which is visible on the screen.
    Log Entries are as follows:-
    <Error> <Console> <BEA-240003> <Console encountered the following error java.lang.NullPointerException
         at com.bea.common.security.saml.registry.SAMLPartnerRegistry.<init>(SAMLPartnerRegistry.java:153)
         at com.bea.common.security.saml.registry.SAMLRelyingPartyRegistry.<init>(SAMLRelyingPartyRegistry.java:26)
         at weblogic.security.providers.saml.SAMLCredentialMapperV2Impl.init(SAMLCredentialMapperV2Impl.java:65)
         at weblogic.security.providers.saml.SAMLCredentialMapperV2Impl.listRelyingParties(SAMLCredentialMapperV2Impl.java:81)
         at weblogic.security.providers.saml.SAMLCredentialMapperV2MBeanImpl.listRelyingParties(SAMLCredentialMapperV2MBeanImpl.java:206)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437)
         at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
         at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
         at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
         at java.security.AccessController.doPrivileged(Native Method)
         at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
         at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:268)
         at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
         at java.security.AccessController.doPrivileged(Native Method)
         at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
         at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:444)
         at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:323)
         at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663)
         at java.security.AccessController.doPrivileged(Native Method)
         at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654)
         at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
         at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
         at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
         at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
         at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source)
         at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
         at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222)
         at javax.management.remote.rmi.RMIConnectionImpl_1033_WLStub.invoke(Unknown Source)
         at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993)
         at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544)
         at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380)
         at $Proxy144.listRelyingParties(Unknown Source)
         at com.bea.console.actions.security.providers.SAMLCredentialMapperV2ManagementPartnersTableAction.getSAMLCredentialMapperV2Partners(SAMLCredentialMapperV2ManagementPartnersTableAction.java:60)
         at com.bea.console.actions.security.providers.SAMLCredentialMapperV2ManagementPartnersTableAction.getCollection(SAMLCredentialMapperV2ManagementPartnersTableAction.java:42)
         at com.bea.console.actions.security.ManagementBaseTableAction.execute(ManagementBaseTableAction.java:82)
         at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
         at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
         at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:261)
         at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
         at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
         at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
         at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
         at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:256)
         at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
         at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:133)
         at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199)
         at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:686)
         at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:266)
         at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:107)
         at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292)
         at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
         at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395)
         at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
         at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208)
         at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162)
         at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388)
         at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258)
         at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:211)
         at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:196)
         at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:47)
         at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

    I've got the same issue too.
    My setup has one domain acting as both Source and Destination.
    Every 10 seconds I'm seeing 4 of these log entries, and CPU consumption is consistently at 100%.
    ####<2-Jun-2009 11:00:27 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954827839> <BEA-000000> <SAMLCredentialMapperV2: getCredentials: Subject initiator>
    ####<2-Jun-2009 11:00:27 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954827839> <BEA-000000> <SAMLCredentialMapperV2: getCredentials(Subject): getCredentialInternal() called>
    ####<2-Jun-2009 11:00:27 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954827839> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): SAML Credential Mapper does not support credential type: weblogic.UserPassword, returns null>
    Does anyone know what's happening? One of my security providers is Active Directory, and thus no password is returned. Could that be the root cause of the problem?
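    The symptom above (the same SecuritySAMLCredMap debug entries repeating every few seconds alongside 100% CPU) is easiest to confirm from the log itself rather than by watching the console. The following is an added example, not code from the thread or from WebLogic: it splits the `####<...> <...>` WebLogic log line format into its fields (handling the nested `<<WLS Kernel>>` user field), then counts how many "does not support credential type" entries fall into each 10-second window so a hot loop stands out. The first three sample lines are the ones quoted in the post; the remaining lines are constructed repeats with later timestamps.

```python
"""Rate-check WebLogic SAMLCredentialMapperV2 debug entries (added example)."""
from collections import Counter

# First three entries are quoted from the post above; the rest are constructed
# to stand in for the repeats the poster describes (same message, later times).
SAMPLE_LOG = """\
####<2-Jun-2009 11:00:27 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954827839> <BEA-000000> <SAMLCredentialMapperV2: getCredentials: Subject initiator>
####<2-Jun-2009 11:00:27 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954827839> <BEA-000000> <SAMLCredentialMapperV2: getCredentials(Subject): getCredentialInternal() called>
####<2-Jun-2009 11:00:27 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954827839> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): SAML Credential Mapper does not support credential type: weblogic.UserPassword, returns null>
####<2-Jun-2009 11:00:28 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954828200> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): SAML Credential Mapper does not support credential type: weblogic.UserPassword, returns null>
####<2-Jun-2009 11:00:28 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954828900> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): SAML Credential Mapper does not support credential type: weblogic.UserPassword, returns null>
####<2-Jun-2009 11:00:29 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954829600> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): SAML Credential Mapper does not support credential type: weblogic.UserPassword, returns null>
####<2-Jun-2009 11:00:37 o'clock AM EDT> <Debug> <SecuritySAMLCredMap> <MYHOST> <AdminServer> <[ACTIVE] ExecuteThread: '18' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1243954837900> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): SAML Credential Mapper does not support credential type: weblogic.UserPassword, returns null>
"""

# Substring of the mapper's "returns null" message that marks the symptom.
UNSUPPORTED = "does not support credential type"


def split_wls_fields(line):
    """Split a '####<a> <b> ...' line into its angle-bracketed fields.

    Tracks nesting depth so a field such as '<<WLS Kernel>>' is returned
    whole as '<WLS Kernel>' instead of being cut at the inner '>'.
    """
    if not line.startswith("####"):
        return []
    fields, buf, depth = [], [], 0
    for ch in line[4:]:
        if ch == "<":
            if depth > 0:
                buf.append(ch)
            depth += 1
        elif ch == ">":
            depth -= 1
            if depth == 0:
                fields.append("".join(buf))
                buf = []
            else:
                buf.append(ch)
        elif depth > 0:
            buf.append(ch)
    return fields


def parse_entry(line):
    """Return the fields a rate check needs, or None for non-entry lines."""
    f = split_wls_fields(line)
    if len(f) < 12:
        return None
    return {
        "ts_ms": int(f[9]),        # epoch milliseconds, the 10th field
        "severity": f[1],
        "subsystem": f[2],
        "thread": f[5],
        "msgid": f[10],
        "message": f[11],
    }


def unsupported_counts(log_text, window_ms=10_000):
    """Map each time window (ts_ms // window_ms) to the number of
    SecuritySAMLCredMap 'unsupported credential type' entries in it."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e["subsystem"] == "SecuritySAMLCredMap" and UNSUPPORTED in e["message"]:
            counts[e["ts_ms"] // window_ms] += 1
    return dict(counts)


def busy_windows(log_text, window_ms=10_000, threshold=4):
    """Windows in which the mapper returned null at least `threshold` times;
    the poster's 4-per-10-seconds rate is the default threshold."""
    return sorted(w for w, n in unsupported_counts(log_text, window_ms).items() if n >= threshold)


if __name__ == "__main__":
    for window, n in sorted(unsupported_counts(SAMPLE_LOG).items()):
        print(f"window {window}: {n} unsupported-credential entries")
    print("busy windows:", busy_windows(SAMPLE_LOG))
```

    Feed it a real server log (`python rate_check.py < AdminServer.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and a sustained run of busy windows on a single thread points at a caller that keeps retrying the mapper for a credential type it will never return, which matches the 100% CPU the poster reports.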

  • SAML in webservice to BPM scenario

    Hello,
    I have read the "How to configure SAML..." document, but I am not sure if it works in my scenario.
    We have a "SOAP(XML) to BPM to IDOC" scenario
    and there is a request to secure the "SOAP to BPM" part with SAML.
    The scenario works asynchronously, so the SOAP(XML) is sent to the BPM.
    In the BPM there are several actions, messages are sent, and an IDOC is then sent to the R/3 system.
    So in our case the WS provider is the BPM or the PI itself.
    Do I just have to change from the SOAP Sender adapter to the WS Sender adapter?
    Or does the BPM also have to provide some SAML functionality or something like this?
    Who has implemented a scenario like this using SAML security?
    best regards
    Werner Magerl

    Werner,
    "So in our case the WS provider is the BPM or the PI itself."
    BPM has nothing to do with it. All the configuration for SAML is done at the server level.
    "Do I just have to change from the SOAP Sender adapter to the WS Sender adapter? Or does the BPM also have to provide some SAML functionality or something like this?"
    Use the WS Sender adapter. No setting in BPM is required. Any security / certificate related setting is done at the server level. Worth reading:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b04408cc-f10e-2c10-b5b7-af11026b2393?quicklink=index&overridelayout=true
    Regards,
    Neetesh
