SAML settings

Dear all,
I set up WebLogic to use SAML authentication in my app and it works fine. After that I was notified that additional attributes needed to be retrieved. So, to extract additional attributes received in the SAML Assertion, a custom attribute mapper needs to be implemented in the Identity Asserter configuration. I did that by setting provider-specific information (through my mapper class) for this SAML 2.0 Identity Assertion provider. This works OK locally, but when I apply this change on my app server in the preproduction environment I get:
An error occurred during activation of changes, please see the log for details.
[Management:141191]The prepare phase of the configuration update failed with an exception:
SAMLBeanUpdateListener SAML2IdentityAsserter: prepareUpdate() failed with exception: [Security:096628]The value configured for NameMapper attribute: com.pp.sp.util.MYSAMLAttributeMapper is not valid.
I was looking for information on how to fix this but I could not find anything. The weird thing here is that SAML is working in both my local environment and the preproduction environment; when I tried to set the provider-specific settings locally it works, but in the preproduction environment it does not. The only difference I found is: my local environment is running under Windows and the preproduction environment is running under SUSE Linux.
Any ideas?
Thanks in advance,
Luis.

What User ID / PWD combination are you trying? The default is ADMIN, admin.

Similar Messages

  • Disable Cookies in HTTP Destination

    Hi,
    Is there a possibility to disable cookies for the visual admin? Because we want to disable this for the HTTP destination service in the visual admin.
    br
    Steven

    Hi,
    that is a strange error message.
    I don't know how SiteMinder works but I guess you are using SiteMinder as the SAML identity provider and configured the SAML Login Module in SAP to achieve SSO, correct?
    For this purpose you need to define an HTTP Destination which is then used as the SAML Receiver.
    What I do not get is the Cookie Problem.
    I don't know exactly how your process flow is but it should be something like
    - Your client authenticates to your identity provider (let's say SiteMinder)
    - Any time later you try to access any resource that is configured to support SAML using SAML Assertions (e.g. SAP J2EE)
    - Your identity provider will generate a SAML Artifact and redirect you to the destination application (in your case some J2EE application on SAP that is configured to validate your SAML Artifact using the SAML Login Module)
    => This initial client request to your identity provider can contain cookies and you cannot avoid this since they are carried and sent by the client (browser) => I hope this does not cause any problems because it really shouldn't
    Nevertheless:
    Your client request containing the SAML Artifact (something like http://<j2eehost>:<j2eeport>/YourApp?TARGET=<YourApp>&SAMLArt=<Artifact created by IDP>)
    reaches the engine:
    Now the engine creates an HTTP POST request to your IDP that contains the SAML Assertion Request. This Assertion Request also contains the Artifact and it does not contain any cookies!!! Your IDP now validates the request and sends a SAML Assertion Response to your engine. The SAML Login Module extracts the user from the response (this one is carried in the NameIdentifier of the SOAP message) and authenticates the user if it exists on the J2EE Engine.
    You finally receive the response of your Destination Application.
    I don't really understand the cookie issue:
    Maybe it really helps if you allow unsecure connections for SAML in SAP J2EE  (You can enable this under Visual Admin > Configuration Adapter > saml > Settings > AllowUnsecureConnections > true)
    so you can use http instead of https. Now use Wireshark or tcpdump or something similar to create a dump of your traffic and analyze it to check where the problem is or maybe send it to me so I can have a look at it.
    Hope this helps
    Let me know if you need further assistance on this (reward points for helpful answers are always appreciated)
    Cheers

  • Issues configuring SAML: I tried a lot but it's not working. Below are the given instructions on how to configure SAML

    SAML Overview
    Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and
    authorization data between security domains, that is, between an identity provider (a producer of assertions)
    and a service provider (a consumer of assertions). SAML is a product of the OASIS Security Services
    Technical Committee.
    SAML is relevant to those customers who already have a SAML implementation in use with other systems in
    their organization. Therefore, it is recommended you engage your technology team that has a working 
    knowledge of SAML and provide this document to them for their review.
    Key Roles
    • Identity Provider (IDP): The system in authority that provides the user information
    • Service Provider (SP): The system that trusts the asserting party’s information, and uses the data to
    provide an application to the user.
    • Subject: The user and their identity that is involved in the transaction.
    Note! In our context, Learning Maestro is the SP, the IDP is customer-specific, and the Subject is the user
    who is logged in.
    Copyright © 2013 SumTotal Systems, LLC. All rights reserved. Duplication prohibited.
    Typical SAML Components
    Source: http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
    Implementing SAML 2.0
    • SumTotal LMS supports only SAML 2.0 Standards.
    • We support only IDP-initiated SAML authentication.
    • The SAML Response should be signed and base64 Encoded.
    • UserName should be passed in NameID element under Assertion\Subject Keys.
    • We use the timestamp provided in the IssueInstant attribute of the SAML Assertion to find the valid period (+/- 5 min) for the SAML Response.
    • Currently, we do not support signed or encrypted assertions.
    • Deep linked URLs can be passed through an additional URL parameter of “OriginalURL.”
    IDP Initiated Web SSO
    Source: http://www.ijcsi.org/papers/2-41-48.pdf
    When Learning Maestro is Accessed from a Portal
    1. The user logs into the customer portal.
    2. The user clicks on a link to the LMS from the customer’s portal.
    3. The link points to an IDP page.
    4. The IDP page posts an HTTP Request to Learning Maestro
    5. The request is an < ... > message.
    Typical Structure of a SAML Response
    • Below is the typical SAML Response received by LMS from IDP
    • Value of SAMLResponse parameter should be base64 Encoded.
    Please double-click to open the below XML file to view how the response looks after decoding:
    ExampleSuccessfulAssertion.xml
    Configuring SAML 2.0
    SumTotal Maestro supports SAML 2.0 for the “Identity Provider Initialized SSO” protocol.
    To configure your Maestro domain to accept SAML 2.0 Assertions, the following steps must be taken:
    1. Confirm that Usernames are in sync
    2. Provide an X.509 Certificate to SumTotal Systems (SHA1 Hashed)
    SumTotal Systems will configure your environment with the X.509 cert you provide.
    3. Point your call to the following URL:
    https://gm1.geolearning.com/geonext/<your_domain>/saml.geo
    After authenticating to your Identity Provider, the provider will pass a user into Maestro IF:
    • The user has a username matching an existing Maestro username
    • The x509 certificates match on both sides
    If authentication fails, the user will be presented with a failure page.
    Assertions
    An optional assertion is available to specify the URL a user will be sent if there is an authentication error.
    ErrorRedirectURL Assertion
    • If ‘ErrorRedirectURL’ is not specified and an authentication error or other security exception occurs, it will redirect the user to the default secerror.geo page as it does today
    • If a value (URL) is specified for ‘ErrorRedirectURL’ and there is an authentication error, the user will be redirected to the URL specified
    Sample
    Additional Information
    For additional information on SAML, please refer to the following sources:
    Wikipedia: Security Assertion Markup Language
    OASIS Executive Summary
    IJCSI Intermediate Concept
    OASIS Technical Overview
    FAQs
    Question: What .NET library are we using?
    Answer: SumTotal uses the “Componentspace” .NET SAML 2.0 library.
    Question: Can users still log in via the login page?
    Answer: Yes. The SAML target page is different than the login page.
    Question: Can we deep link into the LMS through the SAML 2.0 authentication workflow?
    Answer: Yes. “Deep Link Target” (target or original URL parameter) is accepted. If none is provided, then it will default to the default landing page as configured in Maestro.
    Question: Can I get rid of the Logout button?
    Answer: Yes. When using SAML, the logout button still exists intentionally in the navigation but can be disabled in the “configure Navigation” options.
    Question: What is the Session timeout setting?
    Answer: Session Hard Life and Idle Life settings can be configured in the security section of the administration interface of Maestro.
    Question: What is the unique ID for SAML?
    Answer: The “username” field.
    Question: What is the failure page if authentication fails?
    Answer: If the authentication fails, by default an intentionally simple error is presented to the user stating “Authentication Failure”. For security purposes, no further information regarding the specifics of the failure is given to the user. An optional ErrorRedirectURL assertion can be used.
    Question: What URL do we point to?
    Answer: https://gm1.geolearning.com/geonext/<your_domain>/saml.geo

    Hello,
    Thanks for posting your question here. However, this forum is used to discuss and ask questions about .NET Framework Base Classes (BCL) such as Collections, I/O, Registry, Globalization, Reflection. Issues regarding configuring SAML are beyond the scope of our support.
    Regards.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate in the survey.

  • Error while testing SAML service in PI7.1

    Hello all,
    I am creating a SAML secured service in PI 7.1
    I have used the WS adapter in the sender communication channel and the receiver is an RFC adapter to extract data from the system.
    I have done the necessary config in the sender and receiver agreement and created the WSDL manually.
    Now to test that service I have created another component as the client.
    The sender is the SOAP channel and in the receiver, the WS adapter is used.
    With these basic configurations, I have created another WSDL file which invokes my previous service.
    When I tested the new WSDL I get an error.
    <SAP:Code area="INTERNAL">WS_LOGICAL_PORT</SAP:Code>
      <SAP:P1 />
      <SAP:P2 />
      <SAP:P3 />
      <SAP:P4 />
      <SAP:AdditionalText />
      <SAP:Stack>Error while determining logical port Cannot find logical port for agreement 34CBAC01EBEC3F15813332AC002BD3CF and interface http://atl.tarpon.com/SAPGetAddressSAML_C.MI_Inbound_SAPGetAddSAML_C</SAP:Stack>
    Kindly guide me as to what is to be done for creation of a logical port in NWA, as this tool is available for PI 7.1 for me.
    Regards,
    Kevin

    Hi Kevin,
    What I meant to say is that there are multiple levels of settings required to enable SAML based communication. I wanted to ask you if you have already done those configurations.
    See the image given at following URL.
    http://help.sap.com/saphelp_nwpi71/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm
    As you can see there are multiple parties involved in the overall SAML authentication process.
    Maybe the following blog will be helpful.
    SAML Made Simple!
    Regards,
    Vandana.

  • SAML authentication Secure store service target ID Project server integration with excel service

    I installed and configured SharePoint 2013 and Project Server 2013, and created a web application with a Trusted Identity Provider (SAML 2.0). It is working as we expected, meaning
    ..end users are able to access the application (user login through email and alias (account NAME)).
    My problem here: CA is working with NTLM authentication, the web application is working with SAML.
    While creating service applications (like SSSA, Excel, Performance ... it automatically takes NTLM) I created a target ID in the Secure Store Service application, I chose "GROUPS" under SSSA, and
    we added members (group to account and email id).
    I configured the Excel service application and the SSSA target ID in this Excel service application, and also added a trusted location for the PWA site.
    While opening an Excel sheet under Project Server: (An error occurred while accessing application id ProjectServerApplication from Secure
    Store Service. The following connections failed to refresh)
    I tried the target ID option "Group Ticket".
    Is CA required for SAML authentication? .. (extend web application
    How will a service application like SSSA work for SAML authentication?

    Hi SridharMandipudi, 
    As far as I know, usually when the error appears, you need to check the members.
    The domain group that was specified for the Secure Store Service ID ProjectServerApplication did not have any members in the group.
    Please also have a try in a testing Secure Store Service application:
    Created a new Secure Store Service application with a new target application ID, and added this ID in the Excel service application -----global settings----Application ID.
    Went to Central Admin---manage web application---selected web application---click on Service Connection---associated the newly created Secure Store Service application.
    Edited the data connection string of the Excel file.
    Went to the site and tried to refresh that Excel file and was able to refresh the file.
    Regards,
    Aries
    Microsoft Online Community Support

  • SAML attribute mapper

    Hi,
    I am having an issue developing an attribute mapper for my SAML 1.1 scenario using Sun Access Manager 7.1 patch 1 (war deployment installer) as the IDP. It is deployed on Sun Java System Web Server 7.0U1 (B06/12/2007 21:15) for Solaris 10 x86.
    My class looks something like this:
    package matt.saml.sample;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Set;
    import com.iplanet.sso.*;
    import com.sun.identity.saml.assertion.*;
    import com.sun.identity.saml.common.SAMLException;
    import com.sun.identity.saml.plugins.PartnerSiteAttributeMapper;
    import com.sun.identity.idm.AMIdentity;
    import com.sun.identity.idm.IdRepoException;
    import com.sun.identity.idm.IdUtils;
    import org.w3c.dom.Document;
    public class TestSiteAttributeMapper implements PartnerSiteAttributeMapper {
        // Called by the SAML service for a partner site; returns the attributes to put in the assertion.
        public List getAttributes(SSOToken token, String targetURL) throws SAMLException {
            List list = new ArrayList();
            //...code
            return list;
        }
    }
    So, I put TestSiteAttributeMapper in the classpath and configured the Site Attribute Mapper. Now when I try SSO with SAML, attributes aren't passed through the assertion, plus I get this in the amSAML debug log:
    SAML Service Manager: PartnerUrl List:siteattributemapper=matt.saml.sample.TestSiteAttributeMapper
    10/07/2008 12:14:41:518 PM EDT: Thread[service-j2ee-3,5,main]
    ERROR: SAMLServiceManager:Invalid site attribute mapper
    I tried compiling the class with the amserver/WEB-INF/lib/am_services.jar (the one AM is using) in the classpath.
    Also, I had to add amserver/WEB-INF/lib/am_services.jar(plus I added a couple other am_*.jar files) to the Web Server classpath, in the JVM settings to get rid of an error I was seeing in the web server logs:
    [05/Oct/2008:19:36:31] failure ( 3746): for host 192.168.200.1 trying to GET /amserver/SAMLPOSTProfileServlet, service-j2ee reports: StandardWrapperValve[SAMLPOSTProfileServlet]: PWC1406: Servlet.service() for servlet SAMLPOSTProfileServlet threw exception
    java.lang.NoClassDefFoundError: com/sun/identity/saml/plugins/PartnerSiteAttributeMapper
            at java.lang.ClassLoader.defineClass1(Native Method)
            at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
            at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
            at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
            at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
            at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
            at java.security.AccessController.doPrivileged(Native Method)
            at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
            at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
            at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1461)
            at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
            at java.lang.Class.forName0(Native Method)
            at java.lang.Class.forName(Class.java:164)
            at com.sun.identity.saml.common.SAMLServiceManager.setValues(SAMLServiceManager.java:788)
            at com.sun.identity.saml.common.SAMLServiceManager.init(SAMLServiceManager.java:266)
            at com.sun.identity.saml.common.SAMLServiceManager.getAttribute(SAMLServiceManager.java:1015)
            at com.sun.identity.saml.servlet.SAMLPOSTProfileServlet.getDestSite(SAMLPOSTProfileServlet.java:242)
            at com.sun.identity.saml.servlet.SAMLPOSTProfileServlet.doGet(SAMLPOSTProfileServlet.java:118)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:796)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:917)
            at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:398)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
            at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:86)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:217)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
            at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:255)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
            at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
            at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:586)
            at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:556)
            at com.sun.webserver.connector.nsapi.NSAPIProcessor.service(NSAPIProcessor.java:160)
    [05/Oct/2008:19:36:32] warning ( 3746): CORE3283: stderr: Exception in thread "Thread-29" java.lang.NullPointerException
    [05/Oct/2008:19:36:32] warning ( 3746): CORE3283: stderr:       at com.sun.identity.saml.common.SAMLServiceManager.getAttribute(SAMLServiceManager.java:1017)
    [05/Oct/2008:19:36:32] warning ( 3746): CORE3283: stderr:       at com.sun.identity.saml.servlet.POSTCleanUpThread.run(POSTCleanUpThread.java:101)
    I didn't really think that I should have had to add the jar to the classpath, considering it is in the WEB-INF/lib folder.
    In summary, my questions are:
    1. What am I doing wrong in implementing this attribute mapper that causes it to be invalid?
    2. Why did I have to add that jar to the classpath to remove that NoClassDefFoundError? Isn't it already in the classpath?
    Thanks in advance,
    Matt

    OK, I fixed my issue. Removing all additional jars from the classpath and putting my class under amserver/WEB-INF/classes got it working.
    I guess it's a classpath context issue.

  • SAP to consume third party webservice that requires saml authentication

    Hi All,
    I am able to invoke our third-party web service from soapUI, but it is a two-step procedure. This is how it works in soapUI:
    step 1) first send the below predefined message, embedded with username and pwd in the header:
    <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
         <SOAP:Header>
              <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <wsse:UsernameToken>
                        <wsse:Username>myusername</wsse:Username>
                        <wsse:Password>mypwd</wsse:Password>
                   </wsse:UsernameToken>
              </wsse:Security>
         </SOAP:Header>
         <SOAP:Body>
              <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
                   <samlp:AuthenticationQuery>
                        <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
                             <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myusername</saml:NameIdentifier>
                        </saml:Subject>
                   </samlp:AuthenticationQuery>
              </samlp:Request>
         </SOAP:Body>
    </SOAP:Envelope>
    after this, we got the response as:
    <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
         <SOAP:Header>
              <header xmlns="http://schemas.thirdparty.com/General/1.0/">
              </header>
         </SOAP:Header>
         <SOAP:Body>
              <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
                   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <SignedInfo>
                             <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                             <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                             <Reference URI="#A18A90576-64FD-71E0-A9BC-286444658733">
                                  <Transforms>
                                       <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                  </Transforms>
                                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                  <DigestValue>LzlvRhszr3qlOTG7AZX8i+yKvRI=</DigestValue>
                             </Reference>
                        </SignedInfo>
                        <SignatureValue>qc1x+84wkkPrf76dHW2HJ...</SignatureValue>
                        <KeyInfo>
                             <X509Data>
                                  <X509Certificate>MIIB3I.....NBgkqhk</X509Certificate>
                             </X509Data>
                        </KeyInfo>
                   </Signature>
                   <samlp:Status>
                        <samlp:StatusCode Value="samlp:Success"/>
                   </samlp:Status>
                   <saml:Assertion AssertionID="A18A90576.." xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
                        <saml:Conditions NotBefore="2011-01-25T09:14:54.045Z" NotOnOrAfter="2011-01-25T17:19:54.045Z"/>
                        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
                             <saml:Subject>
                                  <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myusername</saml:NameIdentifier>
                             </saml:Subject>
                        </saml:AuthenticationStatement>
                   </saml:Assertion>
                   <samlp:AssertionArtifact>MDGH....RbY6qHUFcO</samlp:AssertionArtifact>
              </samlp:Response>
         </SOAP:Body>
    </SOAP:Envelope>
    step 2) from the above response body, use the Signature element and the saml:Assertion element as part of the header of the original request, so the actual request in soapUI has become:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:product="http://mytp/myfunctionality">
         <soapenv:Header>
              <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <Signature> ...</Signature>
                   <saml:Assertion>..</saml:Assertion>
              </wsse:Security>
         </soapenv:Header>
         <soapenv:Body>
              <product:isProductAvailable>
                   <product:ProductNAME>myproduct</product:ProductNAME>
                   <product:ProductYEAR>2010</product:ProductYEAR>
              </product:isProductAvailable>
         </soapenv:Body>
    </soapenv:Envelope>
    after sending this above request, we are getting the desired response:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:product="http://mytp/myfunctionality">
         <soapenv:Header>
         </soapenv:Header>
         <soapenv:Body>
              <isProductAvailableResponse xmlns="http://mytp/myfunctionality">
                   <isProductAvailable>true</isProductAvailable>
              </isProductAvailableResponse>
         </soapenv:Body>
    </soapenv:Envelope>
    If we want to implement the same functionality using an ABAP consumer proxy, do we need to invoke it with two different requests?
    Is there any efficient way where we can specify the values of <wsse:Username> and <wsse:Password> and invoke with the original payload?
    Is there any config in SOAMANAGER to specify the SAML-related settings for the consumer proxy?
    What could be the simplest way to consume this web service in SAP?
    Thanks in advance, BJagdishwar.
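The two-step exchange above, as an added example that is not part of the original post or of any SAP or third-party code: it builds the step-1 AuthenticationQuery envelope, extracts the ds:Signature and saml:Assertion from a constructed step-1 response (shaped like the one shown, with dummy digest and signature values), checks that the signature Reference actually covers the assertion and that the status is Success, and places both elements into the wsse:Security header of the step-2 business call. The product namespace http://mytp/myfunctionality and the element names are taken from the post; the response sample is constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "product": "http://mytp/myfunctionality",  # service namespace as shown in the post
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep readable prefixes on serialisation


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_auth_query(username, password):
    """Step 1: SOAP envelope with a UsernameToken and a SAML 1.0 AuthenticationQuery."""
    env = ET.Element(q("soapenv", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("soapenv", "Header")), q("wsse", "Security"))
    tok = ET.SubElement(sec, q("wsse", "UsernameToken"))
    ET.SubElement(tok, q("wsse", "Username")).text = username
    ET.SubElement(tok, q("wsse", "Password")).text = password
    req = ET.SubElement(ET.SubElement(env, q("soapenv", "Body")), q("samlp", "Request"))
    subj = ET.SubElement(ET.SubElement(req, q("samlp", "AuthenticationQuery")), q("saml", "Subject"))
    nid = ET.SubElement(subj, q("saml", "NameIdentifier"),
                        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    nid.text = username
    return ET.tostring(env, encoding="unicode")


def extract_security_tokens(response_xml):
    """Pull ds:Signature and saml:Assertion out of the samlp:Response, rejecting anything odd."""
    root = ET.fromstring(response_xml)
    resp = root.find("soapenv:Body/samlp:Response", NS)
    if resp is None:
        raise ValueError("no samlp:Response in SOAP body")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "samlp:Success":
        raise ValueError("authentication query did not succeed")
    sig = resp.find("ds:Signature", NS)
    assertion = resp.find("saml:Assertion", NS)
    if sig is None or assertion is None:
        raise ValueError("response lacks Signature or Assertion")
    # The signed Reference must point at this assertion, or the signature covers something else.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("AssertionID", ""):
        raise ValueError("signature Reference does not cover the assertion")
    return sig, assertion


def build_business_request(sig, assertion, product_name, product_year):
    """Step 2: the real call, carrying the Signature and Assertion in wsse:Security."""
    env = ET.Element(q("soapenv", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("soapenv", "Header")), q("wsse", "Security"))
    sec.append(sig)
    sec.append(assertion)
    call = ET.SubElement(ET.SubElement(env, q("soapenv", "Body")), q("product", "isProductAvailable"))
    ET.SubElement(call, q("product", "ProductNAME")).text = product_name
    ET.SubElement(call, q("product", "ProductYEAR")).text = str(product_year)
    return ET.tostring(env, encoding="unicode")


# Constructed step-1 response modelled on the post; digest, signature and ID values are dummies.
SAMPLE_RESPONSE = """<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Header/>
  <SOAP:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#A-CONSTRUCTED-ID">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>AAAA</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>BBBB</SignatureValue>
      </Signature>
      <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
      <saml:Assertion AssertionID="A-CONSTRUCTED-ID" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
        <saml:Conditions NotBefore="2011-01-25T09:14:54Z" NotOnOrAfter="2011-01-25T17:19:54Z"/>
        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
          <saml:Subject>
            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myusername</saml:NameIdentifier>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </samlp:Response>
  </SOAP:Body>
</SOAP:Envelope>"""


def round_trip(product_name="myproduct", product_year=2010):
    """Run both steps against the constructed response and return the step-2 envelope."""
    sig, assertion = extract_security_tokens(SAMPLE_RESPONSE)
    return build_business_request(sig, assertion, product_name, product_year)


if __name__ == "__main__":
    print(build_auth_query("myusername", "mypwd"))
    print(round_trip())
```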

    Hi,
    Please create the logical port using the WSDL directly; it will apply the required settings in the LP. You can also ask for a client certificate which you can apply while calling 3rd party services. To me this seems like X509 client certificate authentication.
    You can also create the LP manually by choosing SAP SAML authentication and saving. Next time when you edit the LP you will be able to see plenty of options to configure the required settings.
    Please note that not all security methods are supported by SAP.
    Regards,
    Gourav

  • Owsm saml policies

    Hello,
    In the Oracle documentation, the following is said about some saml policies:
    oracle/wss10_saml_token_service_policy
    oracle/wss10_saml_token_client_policy
    This policy is not secure and is provided for demonstration purposes only. Although the SAML issuer name is present, the SAML token is not endorsed. Therefore, it is possible to spoof the message.
    I really have no idea what is meant by this. Can anyone explain?
    Thanks and regards, Jeroen

    Hi, I am using WebLogic Oracle 12c as a standalone server, no clusters. I have a web service configured which is working from WebLogic, using DemoTrust.jks. I just downloaded SOAP-UI and am having issues with this: I set up the Auth tab to use Global HTTP Settings for the authorization type and added a keystore which is pointing to the DemoTrust.jks.
    When I run a test, I receive this error
    Tue Jul 31 09:40:38 PDT 2012:DEBUG:<< "<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:InvalidSecurity</faultcode><faultstring>Error on verifying message against security policy Error code:1000</faultstring></env:Fault></env:Body></env:Envelope>"
    You wouldn't know what this is about, from what I am reading it seems I need to pass a policy to the server from the client but unsure what to configure.
    If you have any insight I would appreciate it.

  • Saml.audience.uri property

    Hi!
    I'm beginning to work with Oracle Fusion Middleware. I'm using Oracle WebLogic Server + Oracle Service Bus + Oracle Web Service Manager. I have a test web service with saml_token_service_policy.
    I'm trying to call the test service from the Oracle Service Bus Test Console, but I have a problem.
    When I override the "csf-key" and/or "saml.issuer.name" properties, all is OK.
    I have request:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SAML-PgSlISxQrN9kOBHeYdZpDg22" IssueInstant="2011-11-14T10:38:01Z" Issuer="www.oracle.com" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2011-11-14T10:38:01Z" NotOnOrAfter="2011-11-14T10:43:01Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2011-11-14T10:38:01Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">f768dd90-a3c2-405f-bce4-4772df1500dd</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>
    urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
    </saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </saml:AuthenticationStatement>
    </saml:Assertion>
    </wsse:Security>
    </soap:Header>
    But! When I override the "saml.audience.uri" property, I get the error "Audience URI for SAML assertion is invalid".
    Request with SAML Audience:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SAML-PgSlISxQrN9kOBHeYdZpDg22" IssueInstant="2011-11-14T10:38:01Z" Issuer="www.oracle.com" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2011-11-14T10:38:01Z" NotOnOrAfter="2011-11-14T10:43:01Z">
    <saml:AudienceRestrictionCondition>
    <saml:Audience>
    https://localhost:7002/Test/TestService
    </saml:Audience>
    </saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationInstant="2011-11-14T10:38:01Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">f768dd90-a3c2-405f-bce4-4772df1500dd</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>
    urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
    </saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </saml:AuthenticationStatement>
    </saml:Assertion>
    </wsse:Security>
    </soap:Header>
    I tried:
    1) Adding the "saml.audience.uri" property with my value under OWSM->Web services->Policies->saml_token_service_policy->Configuration, but it had no effect.
    2) Going to WebLogic Administration Console->Security realms->myrealm->Providers->Authentication and creating a SAML Identity Asserter with an Asserting Party.
    That had no effect either.
    Can you help me? Where must I write the "grants" for my "saml:Audience" value?
    Thanks!

    This is relevant again. How can I add a permitted "audience uri" value in the OWSM settings?
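As an added illustration (not code from this thread, from OWSM or from WebLogic), this is what the audience and validity-window check on a SAML 1.1 assertion amounts to, run over a constructed copy of the assertion quoted above. The allowed-audience set, the 60 s clock skew and the decision to reject an assertion that names no audience at all are this example's assumptions; OWSM's policy is configured rather than coded, so the point is only what the configured value has to satisfy:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample modelled on the assertion quoted in the question. It carries
# no signature: a real relying party verifies the signature and the Issuer first.
SAMPLE_ASSERTION = """\
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SAML-example-1"
    IssueInstant="2011-11-14T10:38:01Z" Issuer="www.oracle.com"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2011-11-14T10:38:01Z" NotOnOrAfter="2011-11-14T10:43:01Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>
        https://localhost:7002/Test/TestService
      </saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_instant(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, allowed_audiences, now, skew=timedelta(seconds=60)):
    """Evaluate <saml:Conditions> as a relying party must. Returns (ok, reason).

    allowed_audiences: the audience URIs this service accepts. The comparison is an
    exact string match on the trimmed text node, never a prefix or host match.
    skew: tolerated clock difference between issuer and verifier (example value).
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML1)
    if conditions is None:
        return False, "no Conditions element"

    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired"

    # SAML 1.1 rule: every AudienceRestrictionCondition must hold, and one holds
    # when at least one of its Audience values is accepted. Rejecting an assertion
    # that names no audience at all is this example's policy.
    restrictions = conditions.findall("saml:AudienceRestrictionCondition", SAML1)
    if not restrictions:
        return False, "no AudienceRestrictionCondition"
    for restriction in restrictions:
        audiences = {(a.text or "").strip()
                     for a in restriction.findall("saml:Audience", SAML1)}
        if not audiences & set(allowed_audiences):
            return False, "Audience URI for SAML assertion is invalid: %s" % sorted(audiences)
    return True, "ok"
```

Two things worth checking against the real policy follow from this: the configured value must be byte-for-byte the URI in the assertion (scheme, host, port, path, trailing slash), and the verifier may or may not trim the line breaks that the quoted request puts around the URI; moving the URI onto the same line as the Audience tags is a cheap way to rule that out. None of it matters before the signature and issuer have been verified.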

  • Where is SAML Relying Party configuration stored?

    We are successfully configuring SSO using SAML 1.1 using either the console or WLST scripts. We have 3 different Relying Parties and everything works great. However, after restarts, our Relying Parties are gone! I assume that both WLST and the console are updating the MBean behind the scenes, but where does the SAML Relying Party configuration get persisted, since we are not using the RDBMS store? Internal LDAP? An XML file? I can't find it documented anywhere.

    The StationGlobals.ini file is in your TestStand Config directory, which is found at <TestStand Application Data>\Cfg.
    On Windows 7, this is C:\ProgramData\National Instruments\TestStand 4.2\Cfg. I don't remember off-hand what the exact path is on versions of Windows earlier than Vista... Somewhere under C:\Documents and Settings\<Username>\. You can just search for StationGlobals.ini if you need to.

  • OBIEE & SAML

    We have a fresh installed OBIEE 11.1.1.6. In our 10g environment, we had a custom application for our authentication. I would like to integrate the authentication directly in OBI 11g.
    In the company, there is an authentication app that uses SAML to provide authentication.
    My question is:
    - how ready is weblogic to use SAML? Do I need both an asserter and authenticator? Is it possible that SAML also returns the groups/roles for the users? Can WebLogic use these roles?
    - do I need to create all users and roles also in weblogic, so that the users from SAML can be mapped to those?
    I found some documentation on SAML and SAML integration, but most of that is unclear to me... I hope to learn a little bit more about the use of SAML so that I can find out if I can use the SAML solution for our OBI authentication & authorization.

    Hi sunshiva,
    that blog is indeed the article I read over and over to try and figure out which parts I am missing. I'm afraid I can't use the same setup, because of the specific, custom authentication app that is being used here. This means that you can't set up an integration between SAML and OBI, apparently.
    SAML is being used to communicate with (and in) the authentication app, but it is not used anymore once you are back in WebLogic.
    I found the following settings for watching which HTTP header and cookie information is being sent to OBI PS:
    <FilterRecord writerClassGroup="File" disableCentralControl="true" path="saw.httpserver.request" information="16" warning="32" error="32" trace="32" incident_error="32"/>
    <FilterRecord writerClassGroup="File" disableCentralControl="true" path="saw.httpserver.response" information="16" warning="32" error="32" trace="32" incident_error="32"/>
    I can see that REMOTE_USER is filled in with the information that is returned by the authentication app. That is a good sign in my opinion. I enabled SSO in WebLogic EM and I hoped that the passed-through REMOTE_USER would be picked up and used, but no luck so far.
    What is the best way to debug my current situation?

  • WebLogic SAML 1.1 & Apache as proxy & SSL between browser and Apache

    Hi,
    I'm trying to configure SAML 1.1 to work with WebLogic Server 10.3.
    Here is a short description of the configuration
    - Browser connects to Apache front end with ssl https://myserver:444/...
    - Apache proxies requests to WebLogic Server instances in http. In the following example one of the WLS instances is listening on the port 555 on myserver.
    During the SAML 1.1 requests the following url appears:
         https://myserver:444/mysamlits?RPID=rp_00001&TARGET=http://myserver:555/myapp
    Here http://myserver:555/myapp is the backend server listening address. It should instead be the frontend server address:
         https://myserver:444/mysamlits?RPID=rp_00001&TARGET=https://myserver:444/myapp
    Problem:
    Despite all my efforts, WLS picks up the backend protocol and port and puts them in the TARGET. I can't find how to set up WebLogic Server to supply the frontend address as TARGET, so I'm asking for help here.
    Details:
    I try to describe the setup in more detail below.
    I have NOT installed mod_wl in Apache because my intention is to employ Apache to simulate a hardware load balancer (HLB).
    I have appended the following lines to Apache httpd.conf:
    # Added so that we can set the "WL-Proxy-SSL: true"
    # HTTP header which tells a back-end WebLogic Server
    # that requests are being proxied through a front-end
    # SSL load-balancer or proxy server.
    <IfModule headers_module>
    RequestHeader set WL-Proxy-SSL true
    </IfModule>
    I have also verified that the header WL-Proxy-SSL is present in requests arriving at the backend WebLogic Server.
    On the WebLogic Server side I have
    - Frontend Host: myserver
    - Frontend HTTP Port:0
    - Frontend HTTPS Port:444
    I have also tried setting WebLogic Plugin Enabled:true.
    Regards,
    Kari
    Edited by: 858107 on May 11, 2011 10:00 PM: Removed a duplicated subject line.

    I was mistaken. TARGET can very well be the backend address. The actual problem was that the browser was getting redirected to the backend address.
    That was fixed by resetting the frontend settings:
    Frontend Host: <empty>
    Frontend HTTP Port:0
    Frontend HTTPS Port:0
    Kari
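Added illustration, not WebLogic's code: why the backend ended up with http://myserver:555 in TARGET, and the check that belongs next to any "WL-Proxy-SSL" style header. A backend can only rebuild the browser-facing URL from what the proxy forwards (the Host header plus a proxy-SSL header), and it must believe that header only when the TCP peer is the proxy; otherwise anyone who can reach port 555 directly can claim that a plain-HTTP request arrived over TLS. The trusted address range and the reconstruction rules are this example's assumptions; WebLogic's actual handling of WL-Proxy-SSL and of the front-end host settings is not reproduced here:

```python
from ipaddress import ip_address, ip_network

# Assumption for this example: the Apache front end is the only host in this range.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def external_url(headers, remote_addr, path, backend_port, trusted_proxies=TRUSTED_PROXIES):
    """Rebuild the URL the browser used, as seen from a backend behind an SSL-terminating proxy.

    headers      : request headers as received by the backend (any letter case)
    remote_addr  : IP of the TCP peer, i.e. the proxy when the request was proxied
    backend_port : the port this backend listens on (555 in the thread above)

    'WL-Proxy-SSL: true' is honoured only when the peer is a trusted proxy. Otherwise a
    client that reaches the backend directly could send the header itself and make the
    backend emit https:// URLs or treat its plain-HTTP request as if it were SSL.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "")
    peer_is_proxy = any(ip_address(remote_addr) in net for net in trusted_proxies)
    if peer_is_proxy and h.get("wl-proxy-ssl", "").strip().lower() == "true":
        # Host must carry the front-end host:port here. With Apache as a reverse proxy
        # that requires ProxyPreserveHost On; otherwise Host holds the backend address.
        return "https://%s%s" % (host, path)
    # Not proxied (or header not trusted): the only honest answer is our own address.
    return "http://%s:%d%s" % (host.split(":")[0], backend_port, path)
```

With the httpd.conf fragment above, the Host header the backend sees is the backend's own address unless ProxyPreserveHost On is set, which is the first thing to check when a front-end URL comes out wrong. Restricting who can reach port 555 at the network level is the real control; the address check in the code is the software form of it, and the setting that makes WebLogic honour proxy headers ("WebLogic Plugin Enabled" in the thread) should be on only when the server really is behind such a proxy, since it widens what a request header is allowed to assert.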

  • How validate user.attributes in SAML assertation?

    Hello!
    I'm using WebLogic Server 10.3.6.0 + Oracle Service Bus 11.1.1.6 + Oracle Enterprise Manager 11g.
    I deployed my Web Service on WebLogic Server and protected it with an OWSM SAML-based policy (currently oracle/wss_saml_token_bearer_over_ssl_service_policy).
    It is working, but there are some things I don't understand.
    My main question: how can I configure validation of user.attributes in the SAML assertion?
    For example, inbound requests have 3 attributes in the SAML assertion: role, email and dept.
    <?xml version="1.0" encoding="utf-8"?>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance">
    <soap:Header>
    <wsse:Security>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="Id-0000010a3c4ff12c-0000000000000002"
    IssueInstant="2006-03-27T15:26:12Z" Version="2.0">
    <saml:Issuer Format="urn:oasis ... WindowsDomainQualifiedName">
    TestCA
    </saml:Issuer>
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis ... WindowsDomainQualifiedName">
    TestUser
    </saml:NameIdentifier>
    </saml:Subject>
    <saml:Conditions NotBefore="2005-03-27T15:20:40Z"
    NotOnOrAfter="2028-03-27T17:20:40Z"/>
    <saml:AttributeStatement>
    <saml:Attribute Name="role" NameFormat="http://www.oracle.com">
    <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="http://www.oracle.com">
    <saml:AttributeValue>[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="dept" NameFormat="">
    <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>
    </saml:Assertion>
    </wsse:Security>
    </soap:Header>
    <soap:Body>
    <product>
    <name>Enterprise Gateway</name>
    <company>Oracle</company>
    <description>Web Services Security</description>
    </product>
    </soap:Body>
    </soap:Envelope>
    But I want to permit only requests with 4 attributes (for example, role + email + dept + city), or something like that. How can I configure this in the OWSM policy settings or the WebLogic settings?
    Thanks for any help.

    That would be the easiest route, but isn't it against the standards to use triggers on tables? I was thinking of doing the validation before the item is created on the page, by customizing the create item and update item pages.
    Did anyone work on PIM to do this sort of customization, the pages are all dynamic and are pretty complex, I am not able to figure out where to fit in my validation.
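An added example, not from this thread and not OWSM's or WebLogic's code, of the check the attributes question asks for: pull the AttributeStatement out of a SAML 2.0 assertion and reject the request unless every required attribute (role, email, dept and city in the question) is present with a non-empty value, optionally restricted to a known set of values. The sample assertion is a cut-down copy of the one in the question; the namespace handling and the policy decisions are this example's:

```python
import xml.etree.ElementTree as ET

SAML2 = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, cut down from the assertion in the question; the attribute
# names and values are the ones shown there.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="Id-0000010a3c4ff12c-0000000000000002" IssueInstant="2006-03-27T15:26:12Z" Version="2.0">
  <saml:Issuer>TestCA</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="role" NameFormat="http://www.oracle.com">
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="http://www.oracle.com">
      <saml:AttributeValue>[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="dept" NameFormat="">
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Return {name: [values]} from every AttributeStatement in the assertion.

    Multi-valued attributes (several AttributeValue children, or the same Name
    repeated) are collected into one list rather than silently overwritten.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML2):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML2)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_required_attributes(assertion_xml, required, allowed_values=None):
    """Accept only if every name in `required` is present with a non-empty value.

    allowed_values optionally maps a name to the set of values it may take, so a
    role outside the known list is rejected as well. Returns (ok, problems).
    """
    attrs = extract_attributes(assertion_xml)
    problems = []
    for name in required:
        values = [v for v in attrs.get(name, []) if v]
        if not values:
            problems.append("missing:" + name)
        elif allowed_values and name in allowed_values \
                and not set(values) <= set(allowed_values[name]):
            problems.append("disallowed:" + name)
    return not problems, problems
```

This only means something after the policy has verified the signature and the Issuer, and only for attributes inside the signed part of the assertion; attribute values in an unsigned or partially signed assertion are untrusted input. Where the check runs (a custom assertion, a servlet filter in front of the service, or the service itself) is a deployment choice; the logic is the same.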

  • SAML 2.0 Identity Provider Weblogic

    Morning, I have set up my WebLogic server to run with only the admin server. I am following the links to run an instance of an identity provider http://docs.oracle.com/cd/E14571_01/web.1111/e13707/saml.htm#i1107127 but I am unable to connect to the site published. Any ideas? When my service provider sends a request to the HTTP POST or HTTP Redirect link I get a failure message like the following:
    Error 400--Bad Request
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.1 400 Bad Request
    The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.
    I cannot see anything in the logs to indicate that my identity provider is up and running and do not see any output when attempting to hit the url http://read-auto-01-rv:7001/saml2/idp/sso/post any ideas?
    My issue is that I cannot use the identity provider, I've setup the credential mappings, enabled the identity provider and setup a service provider partner, I'm double checking my metadata but believe the issue is on the configuration end in weblogic.
    Edited by: Philip O on 10-Jan-2013 01:17

    found the answer: SAML2 -> Local Provider -> Service Provider Settings -> Selection Mode -> Automatic
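An added debugging aid, not from this thread and not WebLogic's code: the SAML 2.0 HTTP-Redirect binding carries the AuthnRequest as raw DEFLATE, then base64, then URL-encoding in the query string, while the HTTP-POST binding carries base64 of the XML alone in a form field. A request encoded for one binding and delivered to the other endpoint is malformed from the receiver's point of view, which is one cheap thing to rule out on a 400 before touching the IdP configuration (the poster's actual fix was the Selection Mode setting, not the encoding). The functions round-trip a constructed AuthnRequest and tell the two encodings apart; the sample request and the sp.example URLs are this example's:

```python
import base64
import urllib.parse
import zlib

# Constructed minimal AuthnRequest; not the poster's SP metadata or endpoints.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2013-01-10T01:17:00Z" '
    'AssertionConsumerServiceURL="https://sp.example/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header or trailer), then base64.

    Returns the query parameters; URL-encoding is done by query_string().
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw deflate
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return params


def encode_post(xml_text):
    """HTTP-POST binding: base64 of the XML only, no DEFLATE."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def query_string(params):
    """URL-encode the parameters (base64 '+' and '=' must be escaped)."""
    return urllib.parse.urlencode(params)


def decode_redirect(qs):
    """Inverse of encode_redirect + query_string. Raises on malformed input,
    which is the situation a bare '400 Bad Request' hides."""
    params = urllib.parse.parse_qs(qs, strict_parsing=True)
    deflated = base64.b64decode(params["SAMLRequest"][0], validate=True)
    xml_text = zlib.decompress(deflated, -15).decode("utf-8")
    return xml_text, params.get("RelayState", [None])[0]


def detect_binding(saml_request_value):
    """Classify a (URL-decoded) SAMLRequest value as 'redirect', 'post' or 'unknown'."""
    try:
        raw = base64.b64decode(saml_request_value, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "unknown"
    try:
        if zlib.decompress(raw, -15).lstrip().startswith(b"<"):
            return "redirect"
    except zlib.error:
        pass
    if raw.lstrip().startswith(b"<"):
        return "post"
    return "unknown"
```

Signed redirect requests additionally carry SigAlg and Signature computed over the raw query string; that is not shown. The endpoint path in the question ends in /post, so it expects the POST encoding; a Redirect-encoded request belongs on the matching redirect endpoint, and the SP's metadata decides which one it uses.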

  • 12c: Signature digest verification failure with SAML msg protection policy

    Hi,
    I am using the policy wss10_saml_token_with_message_protection_service_policy for a Service Bus 12c proxy service and getting an error while verifying the signature digest. I am doing the testing using SoapUI.
    I understand that it's an issue in verifying the signature digest, but I am unable to debug and conclude the cause of this issue, as I did the necessary setup and am using the appropriate keys for encryption and signing. I also tried overriding the policy configuration at policy level and at the Service Bus endpoint level.
    Policy Settings are:
    - Time Stamp included, Signing entire request body, no signing for SAML token and X 509 token.
    - No signature encryption checked and kept default values for all other attributes.
    Configured only Message Security section in WSM Domain Configuration and used JKS as the key store. Used the trusted certificate entry of client as signing alias and own public key as enc alias.
    Following is the error stack trace I am seeing. Please let me know if there is anything missing or any other insights into this issue. The logs generated by setting xml.debug.verify also did not help much. I am thinking the issue may be something to do with canonicalization of the XML.
    Caused by: com.bea.wli.sb.security.wss.WssHandlerException: General web service security error
    at com.bea.wli.sb.security.wss.WssHandlerImpl.generateInboundRequestBLE(WssHandlerImpl.java:1499)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.handleInboundRequestException(WssHandlerImpl.java:1457)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.handleInboundRequestException(WssHandlerImpl.java:1444)
    at com.bea.wli.sb.service.disi.handlerchain.handlers.InboundWssPhase1DISIHandler.dispatch(InboundWssPhase1DISIHandler.java:107)
    ... 43 more
    Caused by: com.bea.wli.sb.security.wss.WssException: oracle.wsm.security.SecurityException: WSM-00061 : Signature digest verification failure. The system property xml.debug.verify should be enabled for the details about the digest calculations during verification phase (note xml.debug.verify slows down the signature verification for very large messages).
    Caused by:-
    at com.bea.wli.sb.security.wss.wsm.WsmInboundHandler.handleRequestException(WsmInboundHandler.java:350)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.handleInboundRequestException(WssHandlerImpl.java:1442)
    ... 44 more
    Caused by: oracle.wsm.security.SecurityException: WSM-00061 : Signature digest verification failure. The system property xml.debug.verify should be enabled for the details about the digest calculations during verification phase (note xml.debug.verify slows down the signature verification for very large messages).
    Caused by:-
    at oracle.wsm.security.policy.scenario.processor.Wss10MessageSecurityProcessor.verify(Wss10MessageSecurityProcessor.java:482)
    at oracle.wsm.security.policy.scenario.processor.Wss10X509TokenProcessor.verify(Wss10X509TokenProcessor.java:301)
    at oracle.wsm.security.policy.scenario.executor.Wss10SamlWithCertsScenarioExecutor.receiveRequest(Wss10SamlWithCertsScenarioExecutor.java:184)
    at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:642)
    at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:44)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:515)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:427)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:374)
    at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:103)
    at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1270)
    at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:563)
    at oracle.j2ee.ws.common.wsm.SecurityAgentTube.processRequest(SecurityAgentTube.java:201)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
    at com.sun.xml.ws.api.pipe.Fiber.access$100(Fiber.java:127)

    Please do let me know if anybody has insights into this issue. I am testing it from SoapUI and I am completely stuck and can't proceed further. We did face a similar issue in 11g which went away after upgrading to later OSB releases.
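An added example, not OSB's or OWSM's code, of what WSM-00061 means mechanically: each ds:Reference in a WS-Security signature carries a digest over the canonical form of the signed element, and the verifier recomputes that digest from the bytes it received. Canonicalisation absorbs attribute order, namespace-declaration order, quote style and <x/> versus <x></x>, but it does not absorb added whitespace, so a message that is pretty-printed, re-indented or otherwise re-serialised between signing and sending (a test tool reformatting the request body, an intermediary rewriting it) fails exactly this way even though the keys are right. The three serialisations are constructed. The standard-library canonicalize() implements C14N 2.0, whereas WS-Security signatures normally use Exclusive C14N 1.0, so this shows the effect rather than being a drop-in verifier:

```python
import hashlib
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Three constructed serialisations of one signed Body. A and B are the same infoset
# written differently (attribute and namespace order, quote style, <flags/> versus
# <flags></flags>); PRETTY is B after pretty-printing, which inserts text nodes.
FORM_A = ('<soap:Body xmlns:soap="%s" xmlns:wsu="%s" wsu:Id="Body-1">'
          '<product><name>Enterprise Gateway</name><flags/></product></soap:Body>') % (SOAP, WSU)
FORM_B = ("<soap:Body wsu:Id='Body-1' xmlns:wsu='%s' xmlns:soap='%s'>"
          '<product><name>Enterprise Gateway</name><flags></flags></product></soap:Body>') % (WSU, SOAP)
FORM_PRETTY = ("<soap:Body wsu:Id='Body-1' xmlns:wsu='%s' xmlns:soap='%s'>\n"
               "  <product>\n    <name>Enterprise Gateway</name>\n    <flags></flags>\n"
               "  </product>\n</soap:Body>") % (WSU, SOAP)


def raw_digest(xml_text):
    """SHA-256 over the bytes as transmitted: any re-serialisation changes it."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text):
    """SHA-256 over the canonical form, which is what a ds:Reference digest covers."""
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_reference(xml_text, expected_digest_hex):
    """Per signed Reference the verifier recomputes the digest and compares it;
    a mismatch is reported before any key or certificate is consulted."""
    return c14n_digest(xml_text) == expected_digest_hex
```

With xml.debug.verify enabled, compare the digest-calculation details OWSM logs with the bytes the client actually signed; a difference in whitespace or in namespace declarations points at re-serialisation on the sending side rather than at the keystore.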
