SAML1.1 Assertion (Sender Vouches) policy

Hi,
I am trying to write a SAML1.1 Assertion (Sender Vouches) policy that will not be used over HTTPS and will not use message signing and encryption (I do not want to use the standard policies Wssp1.2-2007-Saml1.1-SenderVouches-Https.xml and Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.0.xml for these reasons). Functionally this policy should be like:
<?xml version="1.0"?>
<wsp:Policy ........................>
<wssp:Identity>
<wssp:SupportedTokens>
<wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
<wssp:Claims>
<wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
</wssp:Claims>
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Identity>
</wsp:Policy>
But the above policy can be used with JAX-RPC only (I plan to use the new policy in JAX-WS web services).
Could someone help me with this task?
Any help will be appreciated.
Regards,
Alex

Hi,
Thanks for the reply. Were you talking about creating a service request (SR) with Oracle support? Maybe I do not understand something, but this is not a WebLogic problem. I am just trying to create a custom SAML policy. Or maybe you meant that WebLogic (or the OASIS WSS1.0 SAML10 schema) does not normally support a SAML assertion without encryption (transport or message)?
Regards,
Alex

Similar Messages

  • Jax-ws ws client with saml 1.1 sender vouches policy

    Hi,
    In WLS 10.3 I defined a SAML source site; now I want to use the sender vouches policy on a web service. So far so good.
    Now I want to generate a JAX-WS proxy client, but there is no sample of how to use this policy in Java, only some WLST examples.
    Is there any more information on how to do this?
    thanks Edwin

    hi
    This is not an answer to your question but a question since you have created a SAML Source Site in wls 10.3.
    Have you been able to use SAML Authentication from a WebLogic client to a web service on a different domain?
    I am not able to get this to work.
    I have done the following:
    SAML relying party on SAML Credential Mapper on domain1
    with
    target url = endpoint of webservice at domain2
    and asserting Party on SAML Identity Asserter
    with target url = relative url of the web service.
    At the Source Site, I saw that WLS is not attaching any security information in the SOAP header.
    Can someone Help me with Configuration .
    The end goal is to access a secure web-service
    Thanks
    Sanyam

  • SAML Sender Vouches Assertion in ABAP only environment

    All – apologies for a lengthy post…
    subject: Standard logon - SAML Authentication (logon using SAML).
    We are testing if an external app – like Oracle (consumer), can render a web service via SAML assertion into an AS ABAP (provider) environment. Per OSS note 1254821, we have set up a trusted environment, and were able to successfully test a BAPI function via Certificate Authentication (logon using a client certificate), one of the standard logons.
    This test validates that the SOAP message can be processed through SAP, from the secured transport layer to decrypting and processing the SOAP message.
    When we move to test the SAML assertion piece, we are not able to find the logon of “SAML Authentication” via the standard logon through trnx SICF.
    We nonetheless moved to test with all the available logon options without success:
    1     Fields Authentication
    2     SSO Authentication
    3     Basic Authentication
    4     SAP Authentication
    5     Certificate Authentication (we deactivated the USEREXTID’s DN user)
    6     Service Authentication
    While researching, we came across that there should be a “SAML Authentication” standard logon option, yet this is not available in our test system.
    Our system information is as follows:
    SAP ECC 6.0
    SAP_BASIS      700      SAPKB70017
    SAP_ABA         700      SAPKA70017
    We are testing in an ABAP stack environment.
    We have cross-referenced with note 1254821, and have satisfied all the requirements.
    We expect the standard logon to contain the “SAML Authentication” through SICF since we have configured the web service through SOAMANAGER using “SAML 1.1 Sender Vouches Assertion”.
    Question:
    Is the “SAML Authentication” standard logon necessary to facilitate the SAML sender vouches solution (we have only AS ABAP)?
    If needed, what configuration or support pack do we need to be on?
    Better yet, has anyone out there made it work? If so, please share.
    Thanks much,
    Alex

  • SAML2.0 for web services - sender-vouches scenario

    We would like to configure this scenario using SAML2.0 assertion tickets. We are on ECC 6 EhP6.
    Configuration in SAML2 has been completed - no WS security policy has been configured in order to support the sender-vouches scenario.
    WSS_SETUP has run to use SAML.
    When configuring the web services we are using HTTPS for transport and SAML for authentication; the WSDL generated in this case references SAML1.1 and as a result we get the error "Wrong token type received. Endpoint expects SAML 1.1 token."
    The question is: can SAML2.0 be used for sender-vouches scenarios or not?
    Any input or help would be greatly appreciated.
    Thank you,
    Miklos

    Hi Miklos,
    Yes, you can use SAML2.0 for Sender-vouches scenarios.
    Please see the below link for configuration process:
    http://help.sap.com/saphelp_nw73/helpdata/en/b5/014086933d4576bba1b4c7e9533f4b/content.htm
    I hope it will be helpful for you.
    Regards,
    Gourav
    Message was edited by: Gourav Kumar Jena

  • Trying SAML sender-vouches, standalone Java client call to service bus.

    I've built a standalone Java client using Jax-ws. It produces a wsse header containing both a SAMLAttribute and an optional SAMLAuthentication statement.
    I've tried to configure a proxy service on the servicebus (10gR3) using ws-policy (weblogic version, not ws-1.2), configured a SAMLIdentityAsserter (v2), an identity provider partner and a SAMLIdentityNameMapper.
    I get the message weblogic.xml.crypto.wss.SecurityTokenValidateResult@ca32f2[status: false][msg The SAML token is not valid.]
    when sending SAML assertions which look valid to me.
    If you see something missing or invalid in the SAML, something missing in the configuration or something else, I would be really glad.
    All examples are using a SAMLCredentialmapper, but I'm building a standalone client, so a weblogic SAMLCredentialMapper is out of the question (?).
    request header:
    <S:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:xs="http://www.w3.org/2001/XMLSchema" AssertionID="1246342701761" IssueInstant="2009-06-30T06:18:21.683Z" Issuer="http://openuri.org/service/customer/contact/contactInformationService" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2009-06-30T06:17:21.683Z" NotOnOrAfter="2009-06-30T07:18:21.683Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2009-06-30T06:18:21.683Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="sb1sk">uid=vsb,ou=smn</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </saml:AuthenticationStatement>
    </saml:Assertion>
    </wsse:Security>
    response:
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Header/>
    <env:Body>
    <env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <faultcode>wsse:InvalidSecurityToken</faultcode>
    <faultstring>Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@1061c5e[status: false][msg The SAML token is not valid.]</faultstring>
    </env:Fault>
    </env:Body>
    </env:Envelope>
    If the client leaves out the wsse:security element in the header, the service complains
    <faultstring>No Security header in message but required by policy.</faultstring>
    The SAMLIdentity name mapper is never loaded at all (checked by logging at class loading)
    The configuration in the Identity provider partner:
    audience uri: target:*:/
    issuer uri: /service/customer/contact/contactInformationService (also tried with a unique string equal to what the client sends)
    virtual user: enabled
    confirmation method: sender-vouches
    I am not using any certificates (tried both with and without).
    Policy in use for the proxy service:
    <?xml version="1.0"?>
    <wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wssp="http://www.bea.com/wls90/security/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
    wsu:Id="samlSV"
    >
    <wssp:Identity>
    <wssp:SupportedTokens>
    <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
    <wssp:Claims>
    <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
    </wssp:Claims>
    </wssp:SecurityToken>
    </wssp:SupportedTokens>
    </wssp:Identity>
    </wsp:Policy>
    Stacktrace:
    weblogic.xml.crypto.wss.WSSecurityException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@a4fc20[status: false][msg The SAML token is not valid.]
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSecurityToken(SecurityImpl.java:630)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalChildren(SecurityImpl.java:556)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalInternal(SecurityImpl.java:448)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:416)
    at weblogic.xml.crypto.wss.api.WSSecurityFactory.unmarshalAndProcessSecurity(WSSecurityFactory.java:66)
    at weblogic.wsee.security.WssServerHandler.processRequest(WssServerHandler.java:35)
    at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:74)
    at com.bea.wli.sb.security.wss.WssInboundHandler.processRequest(WssInboundHandler.java:116)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:201)
    at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:257)
    at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:66)
    at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:508)
    at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:506)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    Edited by: user6080617 on Jun 29, 2009 11:39 PM

    Thank you for the tip. I've tried it; the result is below. I suspect something is missing in my configuration, but I do not know what.
    <WSEE:17>Class of cred is: class weblogic.xml.saaj.SOAPElementImpl<SAMLCredentialImpl.<init>:85>
    <WSEE:17>Instantiating SAMLAssertionInfoFactory<SAMLCredentialImpl.<init>:87>
    <WSEE:17>Getting SAMLAssertionInfo from DOM Element<SAMLCredentialImpl.<init>:97>
    <WSEE:17>Got SAMLAssertionInfo<SAMLCredentialImpl.<init>:117>
    <WSEE:17>Assertion ID: 1246358297862<SAMLCredentialImpl.verbose:69>
    <WSEE:17>Assertion CM: urn:oasis:names:tc:SAML:1.0:cm:sender-vouches<SAMLCredentialImpl.verbose:70>
    <WSEE:17>Assertion Subject: uid=vsb,ou=smn<SAMLCredentialImpl.verbose:71>
    <WSEE:17>Assertion Version: 1.1<SAMLCredentialImpl.verbose:72>
    <WSEE:17>Attempting assertIdentity<CSSUtils.assertIdentity:310>
    <WSEE:17>SAML_TARGET_RESOURCE is: /service/customer/contact/contactInformationService<CSSUtils.assertIdentity:312>
    <WSEE:17>Got Principal Authenticator<CSSUtils.assertIdentity:314>
    <WSEE:17>Cred type is: SAML.Assertion.DOM, Node: [saml:Assertion: null]<CSSUtils.assertIdentity:320>
    <WSEE:17>Exception while asserting identity: javax.security.auth.login.LoginException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090380]Identity Assertion Failed, Unsupported Token Type: SAML.Assertion.DOM<CSSUtils.assertIdentity:325>
    <WSEE:17>javax.security.auth.login.LoginException: [Security:090377]Identity Assertion Failed, weblogic.security.spi.IdentityAssertionException: [Security:090380]Identity Assertion Failed, Unsupported Token Type: SAML.Assertion.DOM<CSSUtils.assertIdentity:326>

  • SAML Sender-Vouches errors when using with OWSM

    Hi,
    We have configured OWSM Policy 'SAML - Verify WSS 1.0 Token' with Allow signed assertions only. We have created jks Trust store location and configured policy to refer to the file with appropriate password.
    We have configured the proxy security to Sender-Vouches signed and to sign the outbound message.
    We are getting following error when we try to run the proxy.
    javax.xml.rpc.soap.SOAPFaultException: SAML token verification failed
    at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:555)
    at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:396)
    at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
    at vigni4.oracle.srtutorial.datamodel.proxy.runtime.TimeServiceSoap_Stub.getTime(TimeServiceSoap_Stub.java:79)
    at vigni4.oracle.srtutorial.datamodel.proxy.TimeServiceSoapClient.getTime(TimeServiceSoapClient.java:41)
    at vigni4.oracle.srtutorial.datamodel.proxy.TimeServiceSoapClient.main(TimeServiceSoapClient.java:29)
    Process exited with exit code 0.
    and Error in gateway.log is
    2007-09-01 18:58:56,561 WARNING [RMICallHandler-58] saml.VerifySAMLStep - SAML Token verification failed:
    Can anyone provide information on how to resolve the issue?

    We have also noticed that the correct message is reaching OWSM.
    Attaching the same.
    <?xml version="1.0" encoding="UTF-8" ?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="urn:Test:GetTime">
    <env:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" wsu:Id="_FNfXFOVi1OcPKSyRUAHDyw22" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">...</wsse:BinarySecurityToken>
    <dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <dsig:Reference URI="#mvDwzM5hZWAdG6n5tKLufA22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <dsig:DigestValue>zBFquf+Y0ngNapyK4Xq0Jws1FPM=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#nwWnNm69TPcdyp0yT8fa7g22">
    <dsig:Transforms>
    <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
    <wsse:TransformationParameters xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </wsse:TransformationParameters>
    </dsig:Transform>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <dsig:DigestValue>rgHU/BWcaOiwuP/Q72oybFcEQO8=</dsig:DigestValue>
    </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>R+RGFjzRYpGVPGINbzsFbXSQ7Slc04/mzQ+BX57oD7NhMKxCcO1C9cV2cJzWAeN5WuDlfsh3RZR/5sTsyEi3yO69ECcLUNDlbjey57GBr5W9PRRIWPs2fZVk2EH4+KOnXVghcAsrXPgm1Ai9UZQUXh0aPiOkQMDplnnhENTkKUo=</dsig:SignatureValue>
    <dsig:KeyInfo>
    <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:Reference URI="#_FNfXFOVi1OcPKSyRUAHDyw22" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
    </wsse:SecurityTokenReference>
    </dsig:KeyInfo>
    </dsig:Signature>
    <wsse:SecurityTokenReference wsu:Id="nwWnNm69TPcdyp0yT8fa7g22" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">YFfqXnq2xlt426HB9uDInw22</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="YFfqXnq2xlt426HB9uDInw22" IssueInstant="2007-09-01T13:40:06Z" Issuer="https://phaos.com/idp" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:Conditions NotBefore="2007-09-01T13:40:06Z" NotOnOrAfter="2007-09-02T13:40:06Z" />
    <saml:AuthenticationStatement AuthenticationInstant="2007-09-01T13:40:06Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">oc4jadmin</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </saml:AuthenticationStatement>
    </saml:Assertion>
    </wsse:Security>
    </env:Header>
    <env:Body wsu:Id="mvDwzM5hZWAdG6n5tKLufA22" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <ns0:getTime env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <format xsi:type="xsd:string" />
    </ns0:getTime>
    </env:Body>
    </env:Envelope>

  • SAML sender-vouches using SSL

    Hi,
    I have a WLS 9.2 sending a SOAP message with SAML:
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="0">
    <Assertion AssertionID="cb5d35763849418c060580753c16b334" IssueInstant="2008-12-03T09:27:59.121Z" Issuer="ISSUER_URL" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
    <AuthenticationStatement AuthenticationInstant="2008-12-03T09:27:59.121Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
    <Subject>
    <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="notRelevant">USER_NAME</NameIdentifier>
    <SubjectConfirmation>
    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
    </SubjectConfirmation>
    </Subject>
    </AuthenticationStatement>
    <AttributeStatement>
    <Subject>
    <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="notRelevant">USER_NAME</NameIdentifier>
    <SubjectConfirmation>
    <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
    </SubjectConfirmation>
    </Subject>
    <Attribute AttributeName="Groups" AttributeNamespace="urn:bea:security:saml:groups" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <AttributeValue>XX_ATN_X509_HTTPS</AttributeValue>
    <AttributeValue>XX_SERVER</AttributeValue>
    <AttributeValue>XX_GROUP</AttributeValue>
    </Attribute>
    </AttributeStatement>
    </Assertion>
    </wsse:Security>
    I have configured a standard WLS 9.2 as destination. It looks like it understands the SAML token. But I get this SOAP response:
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header/>
    <soapenv:Body>
    <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <faultcode>wsse:InvalidSecurityToken</faultcode>
    <faultstring>Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@1a2f279[status: false][msg The SAML token is not valid.]</faultstring>
    </soapenv:Fault>
    </soapenv:Body>
    </soapenv:Envelope>
    On the console I see this exception:
    java version "1.5.0_10"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_10-b03)
    Java HotSpot(TM) Client VM (build 1.5.0_10-b03, mixed mode)
    weblogic.xml.crypto.wss.WSSecurityException: Security token failed to validate.
    weblogic.xml.crypto.wss.SecurityTokenValidateResult@1be496b[status: false][msg The SAML token is not valid.]
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSecurityToken(SecurityImpl.java:476)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:392)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:338)
    at weblogic.xml.crypto.wss.api.WSSecurityFactory.unmarshalAndProcessSecurity(WSSecurityFactory.java:65)
    at weblogic.wsee.security.WssServerHandler.processRequest(WssServerHandler.java:35)
    at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:72)
    at weblogic.wsee.handler.HandlerIterator.handleRequest(HandlerIterator.java:127)
    at weblogic.wsee.ws.dispatch.server.ServerDispatcher.dispatch(ServerDispatcher.java:85)
    at weblogic.wsee.ws.WsSkel.invoke(WsSkel.java:80)
    at weblogic.wsee.server.servlet.SoapProcessor.handlePost(SoapProcessor.java:66)
    at weblogic.wsee.server.servlet.SoapProcessor.process(SoapProcessor.java:44)
    at weblogic.wsee.server.servlet.BaseWSServlet$AuthorizedInvoke.run(BaseWSServlet.java:173)
    at weblogic.wsee.server.servlet.BaseWSServlet.service(BaseWSServlet.java:92)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3231)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2002)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1908)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1362)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
    weblogic.xml.crypto.wss.WSSecurityException: Security token failed to validate.
    weblogic.xml.crypto.wss.SecurityTokenValidateResult@1a2f279[status: false][msg The SAML token is not valid.]
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSecurityToken(SecurityImpl.java:476)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:392)
    at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:338)
    at weblogic.xml.crypto.wss.api.WSSecurityFactory.unmarshalAndProcessSecurity(WSSecurityFactory.java:65)
    at weblogic.wsee.security.WssServerHandler.processRequest(WssServerHandler.java:35)
    at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:72)
    at weblogic.wsee.handler.HandlerIterator.handleRequest(HandlerIterator.java:127)
    at weblogic.wsee.ws.dispatch.server.ServerDispatcher.dispatch(ServerDispatcher.java:85)
    at weblogic.wsee.ws.WsSkel.invoke(WsSkel.java:80)
    at weblogic.wsee.server.servlet.SoapProcessor.handlePost(SoapProcessor.java:66)
    at weblogic.wsee.server.servlet.SoapProcessor.process(SoapProcessor.java:44)
    at weblogic.wsee.server.servlet.BaseWSServlet$AuthorizedInvoke.run(BaseWSServlet.java:173)
    at weblogic.wsee.server.servlet.BaseWSServlet.service(BaseWSServlet.java:92)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3231)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2002)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1908)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1362)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
    What do I need to configure on the destination server so that this SAML token is correctly validated?
    My understanding is that when I use a SAML token with sender-vouches, the trust is based on the SSL connection. Is my understanding correct?
    I have configured 2way-SSL and this works fine between the two machines. Do I need additional certificates on the destination side?
    Thanks
    Jochen
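    Jochen's question above (what the destination has to check, and that with sender-vouches the trust rests on the authenticated sender, not on the token) and Miklos's "Wrong token type received. Endpoint expects SAML 1.1 token." error earlier in this list come down to the same relying-party checks. The Python below is an added example, not WebLogic, SAP or any poster's code: the header is a constructed sample modelled on Jochen's (ISSUER_URL and USER_NAME are his placeholders), and `validate_sender_vouches` with its `sender_authenticated` flag is a hypothetical name for the gate a WS-Security handler applies after it has verified the signature or the mutual-TLS session.

```python
"""Relying-party checks for a SAML 1.1 sender-vouches token in a wsse:Security header."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample modelled on the header in the post above. ISSUER_URL and
# USER_NAME are the poster's placeholders; the AssertionID and times are made up.
SAMPLE_SECURITY = """<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" soapenv:mustUnderstand="1">
<Assertion AssertionID="constructed-0001" IssueInstant="2008-12-03T09:27:59.121Z" Issuer="ISSUER_URL" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
<Conditions NotBefore="2008-12-03T09:26:59.121Z" NotOnOrAfter="2008-12-03T10:27:59.121Z"/>
<AuthenticationStatement AuthenticationInstant="2008-12-03T09:27:59.121Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<Subject>
<NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameIdentifier>
<SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod></SubjectConfirmation>
</Subject>
</AuthenticationStatement>
<AttributeStatement>
<Subject>
<NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER_NAME</NameIdentifier>
<SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod></SubjectConfirmation>
</Subject>
<Attribute AttributeName="Groups" AttributeNamespace="urn:bea:security:saml:groups">
<AttributeValue>XX_GROUP</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</wsse:Security>"""


def _q(ns, tag):
    """Clark-notation name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def parse_saml_time(value):
    """SAML 1.1 timestamps are xsd:dateTime in UTC ("Z"), optionally with fractions."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def validate_sender_vouches(security_xml, trusted_issuers, sender_authenticated,
                            now_utc, skew_seconds=60):
    """Return (accepted, reason, subject_name) for one wsse:Security header.

    sender_authenticated may only be True when the *sender* was authenticated out
    of band (a verified signature by a trusted attesting party over assertion and
    body, or a mutually authenticated TLS session); the token alone proves nothing.
    """
    root = ET.fromstring(security_xml)
    if root.tag != _q(WSSE_NS, "Security"):
        return (False, "not a wsse:Security header", None)
    assertion = root.find(_q(SAML1_NS, "Assertion"))
    if assertion is None or (assertion.get("MajorVersion"),
                             assertion.get("MinorVersion")) != ("1", "1"):
        return (False, "wrong token type: endpoint expects a SAML 1.1 token", None)

    issuer = assertion.get("Issuer")
    if issuer not in trusted_issuers:
        return (False, "issuer %r is not a configured trusted partner" % issuer, None)

    # Policy choice: require a bounded validity window and allow a small clock skew.
    conditions = assertion.find(_q(SAML1_NS, "Conditions"))
    if conditions is None:
        return (False, "assertion carries no Conditions", None)
    now = parse_saml_time(now_utc)
    skew = timedelta(seconds=skew_seconds)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return (False, "assertion not yet valid", None)
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return (False, "assertion expired", None)

    # Every statement must name the same subject and confirm it with
    # sender-vouches; any other method belongs to a different profile.
    names = set()
    for subject in assertion.iter(_q(SAML1_NS, "Subject")):
        methods = [cm.text for cm in subject.iter(_q(SAML1_NS, "ConfirmationMethod"))]
        if methods != [SENDER_VOUCHES]:
            return (False, "confirmation method is not sender-vouches", None)
        name = subject.find(_q(SAML1_NS, "NameIdentifier"))
        if name is None or not name.text:
            return (False, "subject has no NameIdentifier", None)
        names.add(name.text)
    if len(names) != 1:
        return (False, "expected one asserted subject, found %d" % len(names), None)

    # Last gate: the token is well formed and comes from a trusted issuer, but
    # only an authenticated sender may vouch for the subject it names.
    if not sender_authenticated:
        return (False, "sender not authenticated: sender-vouches needs a trusted "
                       "signature or mutual TLS", None)
    return (True, "ok", names.pop())
```

    With the constructed header the call accepts USER_NAME only when the issuer is configured and the sender flag is set; flipping the version attributes reproduces the "expects a SAML 1.1 token" rejection Miklos saw.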

    Hi Bethune,
    you replied to a request that I posted in December 2008.
    Hopefully you are still in this business ... :)
    I need to consume a SAML 1.1 Sender-Vouches assertion on WLS 10.3 now.
    The 2way-SSL is established fine and I am able to send the SOAP request with the SAML 1.1.
    On the sending server I see that 2way SSL is fully established and the SOAP is sent to the destination.
    I get this response:
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Header/>
    <env:Body>
    <env:Fault xmlns:fault="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <faultcode>fault:MustUnderstand</faultcode>
    <faultstring>MustUnderstand header not processed '{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security'</faultstring>
    </env:Fault>
    </env:Body>
    </env:Envelope>
    The above means nothing is configured to process the SAML 1.1 Assertion.
    But I did the following:
    Security Realm > myrealm > Providers
    I have added: SAMLIdentityAsserterV2
    SAMLIdentityAsserter > Management > Asserting Party
    I have added an Asserting Party
    - WSS/Sender-Vouches
    - Enabled
    - Issuer URI: "the one used in the SAML assertion"
    - Target URL: https://localhost:7002/webservice/WebServiceOpteration (URL used to call the webservice)
    I am not quite sure if the Target URL is correct. What is the format here?
    For me it looks pretty much complete but still I get this mustUnderstand issue.
    Looks like my config is ignored. What might I have missed?
    I have enabled debug for saml and saml2 but I do not see any SAML related entries in the output on the console.
    Do you have any ideas? It was working on WLS 9.2 but now I am stuck on WLS 10.3.
    Thanks for your support
    Jochen

  • Which truststore for SAML Sender Vouches signatures in SOAP message

    Hi Experts,
    I try to consume a Web Service provided by SAP Portal 7.3 EHP 2, which is secured using SAML 2.0.
    My intention is to send SAML assertion using the Sender Vouches confirmation method and looking at the sample message from the Wiki and my message side-by-side, I am confident that the message should be understandable for SAP (having the correct signatures etc.)
    However, using the Security Troubleshooting Wizard, I collected some traces on the SAP Portal side and I can see that the certificate I use seems to be untrusted.
    The Exception thrown somewhere near the WSSAMLLoginModule is:
    Caused by: javax.security.auth.login.LoginException: com.sap.exception.io.SAPIOException: [com.sap.ASJ.wssec.020359] An exception was thrown during the verify of the SAMLTokenHandler: The certificate Subject DN: ....... is not in the list of trusted certificates.
    at com.sap.security.core.server.wssec.jaas.WSSAMLLoginModule.login(WSSAMLLoginModule.java:91)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
    ... 52 more
    I already imported the cert in almost all trust stores. Where do I specify the trusted certs?
    Thanks.
    Jens

    Hi Jens,
    Yes, it's keystore view TicketKeystore. The idea is that a logon ticket trust suffices to get the SAML 1.1 Sender Vouches trust as well.
    The next thing you should take care of is to make sure that your SAP Portal system trusts the SAML issuer of your SAML assertion. This is to be configured in NetWeaver Administrator under Configuration Management > Security > Trusted Systems. There you add the issuer string of your SAML Assertion into the Trusted Partners section.
    Please follow the paragraph "Configuring the Trusted Partners (Provider)" on this documentation link for details: http://help.sap.com/saphelp_nw73/helpdata/en/48/b264916b156ff4e10000000a42189b/frameset.htm
    Another thing: please note that for SOAP Web Services, SAP (both AS ABAP and AS Java) supports only SAML 1.1 for Sender-Vouches. Holder-of-key SAML assertions are supported with SAML 1.1 and SAML 2.0.
    Regards,
    Mathias

  • Can't get sender-vouches SAML SSO (webservice) to work

    Hi,
    I have a small test configuration, with a webservice and a webservice client developed using Workshop. This is on WebLogic 9.2.
    I am trying to get the sender-vouches SAML SSO profile to work between my webservice client and the webservice, but I keep getting an "Unable to add identity to token" error.
    I enabled debugging, and it looks like the problem is that the webservice client side is trying to check to see if the relying party is in the "relying party mapping", but not finding a match, even though I do have the RP URL correctly in the SAML Credential Mapper->Management->Relying Parties configuration.
    I have been trying all kinds of variations, changing the URL, etc., but to no avail.
    Has anyone been able to get this profile working between webservice client and webservice, and if so, any ideas what might be the problem?
    Thanks,
    Jim

    P.S. Here's the log output:
    ####<Jun 17, 2007 3:25:32 PM EDT> <Debug> <SecuritySAMLCredMap> <WD5WLS92A> <AdminServer> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1182108332447> <000000> <SAMLCredentialMapperV2: getCredentials: Subject initiator>
    ####<Jun 17, 2007 3:25:32 PM EDT> <Debug> <SecuritySAMLCredMap> <WD5WLS92A> <AdminServer> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1182108332447> <000000> <SAMLCredentialMapperV2: getCredentials(Subject): getCredentialInternal() called>
    ####<Jun 17, 2007 3:25:32 PM EDT> <Debug> <SecuritySAMLCredMap> <WD5WLS92A> <AdminServer> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1182108332447> <000000> <SAMLCredentialMapperV2: getCredentialInternal(): requestor = Subject: 1
         Principal = class weblogic.security.principal.WLSKernelIdentity("<WLS Kernel>")
    >
    ####<Jun 17, 2007 3:25:32 PM EDT> <Debug> <SecuritySAMLCredMap> <WD5WLS92A> <AdminServer> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1182108332517> <000000> <SAMLCredentialMapperV2: getCredentialInternal(): initiator = Subject: 2
         Principal = class weblogic.security.principal.WLSUserImpl("samltest1")
         Principal = class weblogic.security.principal.WLSGroupImpl("TestGroup")
    >
    ####<Jun 17, 2007 3:25:32 PM EDT> <Debug> <SecuritySAMLCredMap> <WD5WLS92A> <AdminServer> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1182108332517> <000000> <SAMLCredentialMapperV2: getCredentialInternal(): resource = (null)>
    ####<Jun 17, 2007 3:25:32 PM EDT> <Debug> <SecuritySAMLCredMap> <WD5WLS92A> <AdminServer> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1182108332517> <000000> <SAMLRPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://localhost:7001/ServicesWeb/MailingListService'>
    ####<Jun 17, 2007 3:25:32 PM EDT> <Debug> <SecuritySAMLCredMap> <WD5WLS92A> <AdminServer> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1182108332517> <000000> <SAMLRPConfigManager.findPartnerInTargetMap():No partner found>
    ####<Jun 17, 2007 3:25:32 PM EDT> <Debug> <SecuritySAMLCredMap> <WD5WLS92A> <AdminServer> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1182108332517> <000000> <SAMLCredentialMapperV2: getCredentialInternal(): No matching relying party found>
    Note the "No partner found" msg...
    Jim

  • SAML Validation Error  - Proxy Service - Process WS-Security Header

    I am testing a Proxy Service that inspects the WS-Security Header which contains a WS-Policy for a SAML Assertion sender-vouches. The SAML Assertion that is produced is valid according to the OASIS schema, but ALSB 2.6 returns a SOAP Fault that the SAML Assertion is not valid. Are there any next steps I should take to diagnose the problem? Also, are there any good tools available for validating a SAML Assertion?
    Here is the response of the ALSB 2.6 running on WebLogic 9.2. It is a simple proxy service we use to test whether SAML is working correctly or not. The client correctly sends the sender-vouches with the username/password/certificate alias and so forth.
    <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
      <soapenv:Body>
        <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <axis2ns1:Code xmlns:axis2ns1="http://www.w3.org/2003/05/soap-envelope">
            <axis2ns1:Value>soapenv:Sender</axis2ns1:Value>
            <axis2ns1:Subcode>
              <axis2ns1:Value>wsse:InvalidSecurityToken</axis2ns1:Value>
            </axis2ns1:Subcode>
          </axis2ns1:Code>
          <axis2ns2:Reason xmlns:axis2ns2="http://www.w3.org/2003/05/soap-envelope">
            <axis2ns2:Text xml:lang="en-US">Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@563c52a[status: false][msg The SAML token is not valid.]</axis2ns2:Text>
          </axis2ns2:Reason>
        </soapenv:Fault>
      </soapenv:Body>
    </soapenv:Envelope>
    Thanks,
    Jay Blanton

    Hi, Pls send your client code to my mail [email protected]

  • WLS10.3 and wssp1.1 policies support

    Hi,
    I try to use SAML policies in OSB 10.3 (ALSB). But the OSB only supports the wssp1.1 policies, and the web services I try to call in the OSB are deployed on a wls 10.3 server which supports the wssp1.2 policies.
    Can I use the wssp1.1 policies on a wls 10.3 server?
    I want to use the wssp1.1 saml1.1 sender vouches policy.
    thanks Edwin

    Try this policy:
    <?xml version="1.0"?>
    <wsp:Policy
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:ProtectTokens/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:SamlToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssSamlV11Token10/>
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
    </wsp:Policy>

  • Using SAML policy while invoking a web service

    I have to invoke a webservice which is secured using the policy wss10_saml_token_client_policy.
    In order to achieve the above I have created a stub using JAX-WS, and while invoking the web service I pass the policy as a SecurityPolicyFeature. Code snippet given below:
    SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] {
        new SecurityPolicyFeature(getValueFromPropertyFile("oracle/wss10_saml_token_client_policy")) };
    SomeStub stub = (UserManagementPortTypev1_0) SomeService.getPort("...", "....", securityFeatures);
    Once deployed in WebLogic, when I invoke the service the SOAP request formed is correct. It creates for me the SOAP header with the correct security nodes. The header formed is like below:
    <S:Header>
      <work:WorkContext xmlns:work="http://oracle.com/weblogic/soap/workarea/"></work:WorkContext>
      <wsse:Security S:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <saml:Assertion AssertionID="SAML-L0r20MS5CV0y7B6zHnGX5w22" IssueInstant="2011-05-10T05:03:49Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
          <saml:Conditions NotBefore="2011-05-10T05:03:49Z" NotOnOrAfter="2011-05-10T05:08:49Z"/>
          <saml:AuthenticationStatement AuthenticationInstant="2011-05-10T05:03:49Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
            <saml:Subject>
              <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">anonymous</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
          </saml:AuthenticationStatement>
        </saml:Assertion>
      </wsse:Security>
    </S:Header>
    The node NameIdentifier is supposed to be populated with the logged-in user id, which will be picked up from the JAAS principal.
    Now I am invoking the service hosted in WebLogic from outside using the JSON protocol; I do not have a portal ready to invoke the service.
    My question is, is there any way in which I can replicate/simulate the JAAS principal such that the NameIdentifier is populated even when invoked from outside? This is a requirement from a testing perspective.

    Hi,
    Thanks, it is working now.
    BTW, can you give me some URLs with info on this kind of setting which I need to do for other kinds of integrations on the J2EE platform? Sorry if I am asking too much, as I am a starter in this technology.

  • Problem signing SAML assertion

    Folks,
    I’m having some issues trying to generate a properly signed SAML assertion using JDeveloper 10.1.3. I am securing a java proxy class using the wizard as described in http://www.oracle.com/technology/products/jdev/howtos/1013/wssecure/10gwssecurity_howto.html .
    On the OWSM side, I have a service that I am securing with SAML - Verify WSS 1.0 Token. If I set the "Allow signed assertions only" property to false I can complete the service call. However, when it is set to true I am receiving the following fault:
    javax.xml.rpc.soap.SOAPFaultException: SAML token verification failed.
    When I examine the message going to OWSM in a packet analyzer, it is missing the signature in the SAML assertion. The <saml:Assertion> tag looks like:
          <saml:Assertion MajorVersion="1" MinorVersion="1"
                          xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                          AssertionID="yM0oqZgF0N1a1td6yzKgOQ22"
                          IssueInstant="2007-01-23T17:15:27Z"
                          Issuer="HealthMarkets_s3">
            <saml:Conditions NotBefore="2007-01-23T17:15:27Z"
                             NotOnOrAfter="2007-01-24T17:15:27Z"/>
            <saml:AuthenticationStatement AuthenticationInstant="2007-01-23T17:15:27Z"
                                          AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">client_s3</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
            </saml:AuthenticationStatement>
          </saml:Assertion>
    I have selected the Sign Outbound Messages in step 3 of the Secure Web Proxy Wizard. This step uses the DSA-SHA1 algorithm.
    Any help is greatly appreciated.
    Thanks in advance,
    Joseph

    I do believe that JDev will produce a deployment descriptor that contains the WS-Security policy information. Can you post this? It should look something like this:
    <oracle-webservice-clients>
      <webservice-client>
        <saml-token>
          <signature-methods>RSA-SHA1</signature-methods>
        </saml-token>
      </webservice-client>
    </oracle-webservice-clients>

  • OWSM POlicy -11g

    Hi All,
    We are working on attaching OWSM policies of SOA suite 11g to secure the composites.
    Attached 'oracle/wss10_saml_token_service_policy' to the composite, keeping configurations as default in the SAML login module.
    When we are trying to test this composite with the below payload
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="Id-00000127b711fabc-0000000001bda657-2" IssueInstant="2010-04-01T01:52:41Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1">
            <saml:Conditions NotBefore="2010-04-01T01:52:41Z" NotOnOrAfter="2010-04-06T01:52:41Z"/>
            <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2010-04-01T01:52:41Z">
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">orcladmin</saml:NameIdentifier>
                <saml:SubjectConfirmation>
                  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
                </saml:SubjectConfirmation>
              </saml:Subject>
            </saml:AuthenticationStatement>
            <saml:AttributeStatement>
              <saml:Attribute Name="username" NameFormat="www.oracle.com">
                <saml:AttributeValue>weblogic</saml:AttributeValue>
              </saml:Attribute>
              <saml:Attribute Name="password" NameFormat="www.oracle.com">
                <saml:AttributeValue>Password1</saml:AttributeValue>
              </saml:Attribute>
            </saml:AttributeStatement>
          </saml:Assertion>
        </wsse:Security>
      </soap:Header>
      <soap:Body>
        <cli:process xmlns:cli="http://xmlns.oracle.com/UserProvisioning_jws/Project1/BPELProcess1">
          <!--Element must appear exactly once -->
          <cli:input>abc</cli:input>
        </cli:process>
      </soap:Body>
    </soap:Envelope>
    it is throwing an error
    OWSM Policy Fault : FailedAuthentication : The security token cannot be authenticated.
    Do we need to make any changes in the input payload or configuration files?
    Any pointers on the same will be most helpful.
    Thanks,
    Sowmya
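    The payload above, and the unsigned assertion in the JDeveloper thread further up, are rejected by the relying party. As an added example (not OWSM or WebLogic code), the following Python runs the checks a relying party applies to a SAML 1.1 sender-vouches assertion in a wsse:Security header: SAML version, trusted issuer, Conditions validity window, confirmation method, non-anonymous subject, and presence of a ds:Signature. The sample SOAP message, the trusted-issuer set and the evaluation times are constructed.

```python
"""Relying-party checks for a SAML 1.1 sender-vouches assertion in a WS-Security
header. Added example, not OWSM/WebLogic code; the sample message is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample: SAML 1.1, sender-vouches, no ds:Signature on the assertion.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
     AssertionID="Id-constructed-1" IssueInstant="2010-04-01T01:52:41Z"
     Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1">
    <saml:Conditions NotBefore="2010-04-01T01:52:41Z" NotOnOrAfter="2010-04-06T01:52:41Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2010-04-01T01:52:41Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
     <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">orcladmin</saml:NameIdentifier>
      <saml:SubjectConfirmation>
       <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
     </saml:Subject>
    </saml:AuthenticationStatement>
   </saml:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""


def parse_utc(ts):
    """SAML 1.1 timestamps are UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(envelope_xml, trusted_issuers, now, require_signature=True):
    """Return the reasons a relying party would reject the assertion; empty = all checks passed."""
    problems = []
    root = ET.fromstring(envelope_xml)
    a = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if a is None:
        return ["no saml:Assertion in the wsse:Security header"]
    # The WSS SAML token profile 1.0 sender-vouches flow is defined for SAML 1.1 only
    if (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        problems.append("assertion is not SAML 1.1")
    # The issuer must be a configured trusted partner (the SAP and WLS threads above)
    if a.get("Issuer") not in trusted_issuers:
        problems.append("issuer %r is not a trusted partner" % a.get("Issuer"))
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no saml:Conditions element")
    else:
        if now < parse_utc(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= parse_utc(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    subj = a.find("saml:AuthenticationStatement/saml:Subject", NS)
    method = subj.findtext("saml:SubjectConfirmation/saml:ConfirmationMethod", None, NS) if subj is not None else None
    if method != SENDER_VOUCHES:
        problems.append("confirmation method is not sender-vouches")
    name = (subj.findtext("saml:NameIdentifier", "", NS) if subj is not None else "").strip()
    if not name or name == "anonymous":
        problems.append("subject NameIdentifier is empty or anonymous")
    # Sender-vouches relies on the attesting party's signature; an unsigned assertion
    # is what the "Allow signed assertions only" setting rejects
    if require_signature and a.find("ds:Signature", NS) is None:
        problems.append("assertion carries no ds:Signature")
    return problems
```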

    Ok, got it! Just followed the Oracle documentation and copied it to the path below, and Jdev 11.1.1.4 picked it up!
    C:\Users\Amit\AppData\Roaming\JDeveloper\system11.1.1.4.37.59.23\DefaultDomain\oracle\store\gmds\owsm\policies (not copying it within the oracle folder within policies, as it's a custom policy)
    Strange, I have Jdev 11.1.1.3 in the office and it doesn't pick up the policy, but Jdev 11.1.1.4 (at home) picks it up without a problem.
    Is this a bug in Jdev 11.1.1.3, or is my Jdev in the office corrupt?

  • Help regarding SAML Assertion

    Can anyone tell me what SAML assertion is all about? I just want to try out sample steps pertaining to SAML assertion in my policy editor.
    So can any one of you kindly tell me a simple use case that you have tried out with SAML assertion? In the sense, what steps are to be added in the request pipeline, and what are the configuration points in each step?
    I am stuck with this use case.
    Can any one of you OWSM gurus teach me this?
    And at the same time, can you guys suggest to me a sample document where I can get a use case pertaining to SAML Assertion and WS-Security?

    Thanks for your prompt reply Yogesh. I have created the keystore using the keytool utility (say keystore location=C:\helloworld.jks and keystorepassword=welcome1). This is the password that I created.
    Firstly,
    Creating keystore: I have used a command something like:
    C:\>keytool -v -genkey -keyalg RSA -keysize 1024 -keystore owsm_client -storepass clientpass -alias client -keypass client
    What is your first and last name?
    [Unknown]: manoj
    What is the name of your organizational unit?
    [Unknown]: ebi
    What is the name of your organization?
    [Unknown]: wipro
    What is the name of your City or Locality?
    [Unknown]: bangalore
    What is the name of your State or Province?
    [Unknown]: karnataka
    What is the two-letter country code for this unit?
    [Unknown]: IN
    Is CN="manoj ", OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN correct?
    [no]:
    Is CN="manoj ", OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN correct?
    [no]:
    What is your first and last name?
    [manoj ]: manoj
    What is the name of your organizational unit?
    [ebi]: ebi
    What is the name of your organization?
    [wipro]: wipro
    What is the name of your City or Locality?
    [bangalore]: bangalore
    What is the name of your State or Province?
    [karnataka]: karnataka
    What is the two-letter country code for this unit?
    [IN]: IN
    Is CN=manoj, OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN correct?
    [no]: yes
    Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
    for: CN=manoj, OU=ebi, O=wipro, L=bangalore, ST=karnataka, C=IN
    [Storing owsm_client]
    C:\>keytool -keystore Helloworld.jks -genkey -keyalg RSA -alias Helloworld -dname "cn=IN, ou=ebi, o=wipro, L=bangalore, ST=karnataka"
    Enter keystore password: welcome1
    Enter key password for <Helloworld>
    (RETURN if same as keystore password): welcome1
    This is what I did. So I guess the creation part of the keystore is done.
    Now I'll tell you the steps that I have used:
    In my request pipeline (gateway):
    1> extract credentials
    2> file authenticate (against .htpasswd)
    3> insert saml token 1.0 vouches
    (keystore location is specified above, and the signature method was RSA-MD5)
    After this I committed the policy and then tried to test my page.
    The fault that it was throwing was: FAULT MESSAGE: Signing error:FAULT CODE: InvalidSecurity FAULT MESSAGE: Signature key not found
    Can you please tell me why the signature key is not found despite my creating a Java keystore? Is it possible that the signature key is not found because of that certificate?
    Can you please tell me what kind of certificate I should take: a VeriSign SSL test certificate or anything else?
    I hope you will revert to me as soon as possible, and could you kindly send me the link where I might get that test certificate.
    I do have some doubts about the policy editor options:
    What does that "assertion issuer" do?
    What is that "subject format"? (I made it unspecified. If so, how do I send that format?)
    What does "User Attributes for attribute statements string[]" do?
    What does "Corresponding namespace URIs for the user attributes string[]" do?
    -----------------------------------------------------------------------------------------------------------------------
    I am thinking of a scenario something like this.
    In the test page I'll be sending the request.
    The policy manager of the gateway intercepts and does the following:
    1) It will extract credentials (based on standard username and token (WS-Basic))
    2) It authenticates the user against a file (.htpasswd)
    3) Upon successful authentication, the next step would be the Insert SAML token 1.0 sender-vouches step
    This ends the gateway part.
    The request is then passed to the webservice, and the request is intercepted by the server agent before sending the request to the webservice.
    The server agent does the following:
    3) Verifies the SAML token that was created by the gateway before, and upon successful verification it sends the request to the webservice.
    So I think (correct me if I am wrong) I need to make the policies in the request pipelines of the gateway and the server agent. I don't want to lay any policy on the response message as of now.
    Could you tell me if this scenario works fine with OWSM?
    Could you tell me what that keystore is doing for me?
    Hope you will do the needful and revert to me as soon as possible.
    Thanks and regards
    Mahes
