To integrate ATG with SAML 2.0

Hi,
I need to integrate ATG with SAML 2.0 where our ATG site will be the service provider (SP) and the third party application (e.g. Gigya) will be the Identity Provider (IdP).
I googled SAML 2.0 integration but couldn't understand it thoroughly, as there are some missing links like how to send username/passwords to the IdP for validation and what needs to be sent along, the need for configuring proxy URL and error URLs, metadata URL, etc.
Also, I want to understand if there is any Java version compatibility (and for that matter the ATG version too, if at all it is important) that needs to be kept in mind if we want to do SSO with SAML 2.0.
Any documentation or explanation of how SAML 2.0 can be integrated will be highly appreciated, as this is something that doesn't look like a highly common integration.
Regards,
Girish

Hi All,
We configured SAML2.0 according to the steps provided in the below url.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/006381ca-cda8-2f10-a2b1-cd351eb04dad?overridelayout=true
We created a URL iView and passed URL as "http://hostname/saml2/idp/sso", but on previewing the iview we are getting an error that URL cannot be found.
On running HTTPWatch, we got the error for the above mentioned url: ERROR_INTERNET_CANNOT_CONNECT
Can anybody help on this?
Thanks in advance!

Similar Messages

  • Web Service Security with SAML - Invalid XML signature

    Hello together,
    we want to build a scenario where we want to use Web Service Security  with SAML.
    The scenario will be
    WS Client (Java Application) -> WS Adapter -> Integration Engine ->  WS Adapter-> CRM (Web AS ABAP 7.01 SP 3)
    SAP PI release is 7.11 (SP Level 4)
    We want to use the SAML authentication from WS Client to PI and from PI to Web AS ABAP.
    The SAML authentication between the WS Client and PI works when there is no SAML auth between PI and CRM.
    But we get following error at calling the CRM system when we want to communicate with SAML:
      <E_TEXT>CX_WS_SECURITY_FAULT:Invalid XML signature</E_TEXT>
    Has somebody an idea of the possible reason for the error?
    Thanks in advance
    Stefan

    Error Messages in the Trace/Log Viewer:
    CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48
    A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48  with internal error id 1001  and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1  ).
    Invalid XML signature

  • Steps to integrate ATG with siebel.

    What are Steps to integrate ATG with siebel?

    Refer to this thread on the same topic
    ATG Siebel Integration

  • Best practice for integrating oracle atg with external web service

    Hi All
    What is the best practice for integrating oracle atg with external web service? Is it using integration repository or calling the web service directly from the java class using a WS client?
    With Thanks & Regards
    Abhishek

    Using Integration Repository might cause performance overhead based on the operation you are doing, I have never used Integration Repository for 3rd Party integration therefore I am not able to make any comment on this.
    Calling directly as a Java Client is an easy approach and you can use ATG component framework to support that by making the endpoint, security credentials etc as configurable properties.
    Cheers
    R
    Edited by: Rajeev_R on Apr 29, 2013 3:49 AM

  • OSB calling BPM with SAML

    Hi all
    I have a composite service in my PBM server which has security WS-Policy forcing a SAML token to be passed together with the request (oracle/wss10_saml_token_with_message_protection_service_policy - method should be sender-vouches).
    In OSB, when I try to create my business service pointing to the WSDL with SAML, I receive this error (environment is 11g):
    *[OSB Kernel:398133]WSSP 1.2 policy assertions (Web Services Security Policy 1.2) are not allowed on this service*
    So what is the right way to make an OSB call to a BPEL/BPM SAML-protected service? Do i need to install OWSM on the same server as OSB and use the same policies?
    When I tested OSB proxy service calling a another OSB PS protected with SAML, I was able to add to the SAML WSDL this policy and it worked fine.
    <wsp:Policy
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wssp="http://www.bea.com/wls90/security/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
        wsu:Id="SAMLSenderVouches">
      <wssp:Identity>
        <wssp:SupportedTokens>
          <wssp:SecurityToken
              TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
            <wssp:Claims>
              <wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:SupportedTokens>
      </wssp:Identity>
    </wsp:Policy>
    But on BPEL/BPM side, I have only a pre-defined set of policies and no matter what I chose I can't create my Business service based on that.
    Please, need some advice here.
    Regards
    Giovani

  • Call a Webservice with SAML securty in PI 7.0

    Hi experts,
    I need to call a Webservice with SAML security from PI 7.0, Is It possible? or only It is possible with PI 7.1?
    Thanks in advance,
    Jose Manuel

    Hi Jose,
    Let me answer your question first:
    No, using PI 7.0 I don't think it's possible.
    Below is a brief overview on SAML.
    SAML: It stands for Security Assertion Markup Language, it is an XML standard which is used to exchange security information between a service provider and an identity provider.
    Why we need it ???
    We have a concept called Principal Propagation in PI 7.1, Principal Propagation allows to securely pass the identity of a user from a sender application to a receiver application. There are various adapters and protocols which support the Principal Propagation and one protocol amongst them is the Webservice Reliable Messaging Protocol or WS-RM. Principal Propagation solution for WS-RM protocol is based on SAML and uses the SAML assertions.
    There are some video recordings available for configuration and you can view the same as below,
    Configure a Trust Relationship between Sender and Integration Server: Exchange sender's digital certificate between sender and Integration Server.
    Configure Trusted Issuer: Map user in the Integration Server, and specify issuer. Default issuer is the sender's system ID, default attester is the sender's certificate.
    Configure Sender Agreement and Sender Communication Channel: In Integration Directory, select SAML Sender Vouches Assertion as authentication method.
    Regards,
    Divya

  • Integration of Oracle ATG with external web service

    Hi All
    I am new to Oracle ATG 10.1 and am trying to integrate ATG with an external web service. I checked the documentation library and checked ATGWSFrameGuide but it only helped theoretically. Can anybody share any resource / docs to explain how to integrate ATG with web services?
    With Thanks & Regards
    Abhishek

    There is no rocket science involved here. Just create a component whose properties file can contain the required properties like the wsdl path,etc. Create the stub classes out of the wsdl, jar it and place it in your classpath. Populating the request data into stub and invoking an operation will be similar to the one that we use in normal java while working with web services

  • Securing webservices with SAML

    Hi everybody,
    I'm trying to protect web services with SAML assertions using AM 7.1. I've already tried to deploy some tutorials and samples provided by NetBeans 6.0, AM 7.1 and Java EE SDK, but I'm facing a lot of problems. I also found many contradictions between the tutorials and official Sun documentation, and at this point I'm very confused.
    Is it really possible to implement web services security with SAML using AM 7/7.1 + AppServer 8.1/8.2 in the way the Securing Identity Web Services tutorial/lab (http://www.javapassion.com/handsonlabs/IdentityWebServices/) does it???
    In many tutorials and official Sun documents I found the library amWebServicesProvider.jar, which is supposed to be the Sun Java Access Manager Policy Agent 2.2. This library is supposed to implement JSR 196 (Java Authentication Service Provider Interface for Containers); using this library implies modifications to the server.policy and domain.xml files in order to add support for SOAP and HttpServlet message security providers.
    I've tried to modify the server.policy in AppServer 8.1/8.2, but I found it's only possible to add support for SOAP message security providers; trying to add HttpServlet message security providers makes AppServer crash at init. How can I add support for the HttpServlet message security provider???
    The library amWebServicesProvider.jar is supposed to be the Policy Agent 2.2 and is currently bundled with Java EE SDK, but the current release of the Policy Agent 2.2 for SJAS 8.1/8.2 does not include this library. Does someone know where to download this release of Policy Agent and also at least an installation guide???
    On the AM side, I'm referring to the AM (shall I say "THE HALF AM"?) bundled with Java EE SDK. I found that many agents are created at installation time; these agents, in combination with the library amWebServicesProvider.jar, supposedly protect the web services. These agents are not common agents, by which I mean the agents we usually create following the Policy Agent installation guide, where we only put agent name, password, a description (optional) and the checkbox Device Status set to true. The agents created in "THE HALF AM" are created with a lot of additional properties, despite the fact that the Sun Java System Access Manager 7.1 Administration Guide (http://docs.sun.com/app/docs/doc/819-4670/gavwo?a=view) says that only one property (agentRootURL) is valid and all other properties will be ignored.
    My real question is:
    Is it really possible to implement web services security with SAML using AM 7/7.1 + AppServer 8.1/8.2, I mean, using REAL TECHNOLOGIES, in the way the Securing Identity Web Services tutorial/lab (http://www.javapassion.com/handsonlabs/IdentityWebServices/) does it???
    Any help is appreciated
    regards

    Hi,
    I have installed GlassFish 9.1 and NetBeans 6.0 separately on Windows XP, and want to configure the Access Manager 7.1 and Policy Agent 2.2 to run the Blue Prints for Secured WebServices.
    If I install the Access Manager from the jdk15 version of AccessManager7_1RTM from the Sun site, AM gets installed properly, but the StockQuoteService blueprint is not deployed properly (it throws exceptions even after configuring the amWebServicesProvider.jar and amclientsdk.jar manually). But the AM documentation refers to the installation for Solaris, not for the Windows platform. I am not sure whether my configuration of amWebServicesProvider.jar is valid or not.
    I ran the blueprint StockQuoteService and StockQuoteClient successfully with all the variations of WSSecurities when I installed using the "java-tools-bundle-update3-beta-windows.exe" application, which installs all of GlassFish, NetBeans, AM, OpenESB, Portal etc. and configures them automatically after installation and start of the GlassFish server.
    I have even tried to install the AM and configure it from the "access_manager-7_1-p1-ea-b5" download installer, but it throws a "ClassNotFoundException: com.sun.identity.setup.AMSetupFilter" exception when I deployed the amserver.war file.
    My requirement is to run the AccessManager and have secured WebServices working properly when GlassFish, AccessManager etc. are installed individually.
    Can anyone point me to where I can get the AccessManager 7.1 for Windows XP, integrate it with GlassFish 9.1, and be able to run the blueprints StockQuoteService and StockQuoteClient with SAML and LibertyBeareToken security profiles?
    Thanks in advance for the help,
    krishna

  • Hyperion Version 11.1.1.3 Compatibility with SAML

    Hi All ,
    Can anyone let me know whether version 11.1.1.3 is compatible with SAML, and how to go about a single sign-on implementation?

    Support Matrix > Supported Platforms Matrices - Oracle Enterprise Performance Management System
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Integration of ATG with Flex

    Hi
    I'm new to ATG but have experience with Adobe Flex. I'm thinking about a website with Flex as UI and ATG as the back end. Please suggest the various methods to integrate ATG with Adobe Flex.
    Suggestions at the earliest will be really helpful.
    Thanx
    Bala

    same thread:
    ATG and SAP integration

  • Need help on SAP SSO with SAML & SSO2

    Dear expert,
    We met an SSO issue on launchpad.
    Here is our scenario and SSO structure. We use fiori launchpad to display all SAP apps.
    1. When a user visits the launchpad URL, the URL will redirect the user to the identity provider (IDP) for SAML authentication.
    2. Then IDP authenticate with SAML2.0 token back to gateway.
    3. Gateway accept the SAML2.0 token and issue SSO2 logon ticket.
    4. Use logon ticket to backend ABAP ERP system for transaction apps.
    5. Use logon ticket to HANA system for factsheet.
    Now the first step above is OK, as the SAML token can be authenticated back to the gateway. But after that, the basic form authentication pops up for user credentials on both the backend system and HANA, which it should not. We found out that the launchpad was stuck with the error message "/sap/es/ina/GetServerInfo HTTP/1.1 401 Unauthorized" at the ERP backend service "GetServerInfo". By checking the cookies, we found out that after the SAML token was accepted by the gateway, the gateway did not issue any MYSAPSSO2 ticket.
    However, when we disabled SAML and use form authentication for launchpad, SSO2 logon ticket works perfectly among GW, ERP and HANA.  So, there should be no issue configuration regarding SSO2 logon ticket in SAP GUI.
    here is the system information:
    GW: NW740 SP5
    ERP: ECC6 on NW740 SP5
    HANA: v70
    Please kindly help us out on this issue. Please ask if other information is needed. thanks.
    Best regards,
    Xian' an

    This discussion thread belongs to the SAP Gateway space. For generic SSO related queries where portal is not involved the correct space is SAP NetWeaver Application Server. This space is for NetWeaver Single Sign-On (NWSSO, the separately purchasable product) topics only.

  • How to integrate ATG with CRM (customer relationship management) VTIGER

    Hi,
    We are trying to integrate vtiger crm 5.4.0 with ATG platform. Is it possible to integrate with ATG ?
    ATG using oracle database,platform java.
    VTIGER using mysql database,platform php.
    Can anyone help me out?
    Thanks in advance,

    Hi,
    Try these links below
    http://www.sap-img.com/ab038.htm
    http://abapcode.blogspot.com/2007/06/program-to-get-user-exit-for-any.html
    Regards,
    Tush

  • Jax-ws ws client with saml 1.1 sender vouches policy

    Hi,
    In wls 10.3 I defined a SAML source site , now I want to use the sender voucher policy on a webservice. So far so good.
    Now I want to generate a jax-ws proxy client, but there are no sample how to use this policy in java, only some wlst examples.
    Is there some more information how to do this.
    thanks Edwin

    hi
    This is not an answer to your question but a question since you have created a SAML Source Site in wls 10.3.
    Have you been able to use SAML Authentication from a WebLogic client to a web service on a different domain?
    I am not able to get this to work.
    I have done the following
    SAML relying party on SAML Credential Mapper on domain1
    with
    target url =endpoint of webservice at domain2
    and asserting Party on SAML Identity Asserter
    with target url= relative url of the web service.
    At Source Site , I saw that wls is not attaching any security information in the SOAP header .
    Can someone Help me with Configuration .
    The end goal is to access a secure web-service
    Thanks
    Sanyam

  • Please guide on how to integrate ATG with RTD (Real-Time Decisions).

    Please post the steps on integration of RTD with ATG.

    Got the steps from RTD documentation. I just consumed one of the WSDL files provided with the installation.
    set all the request parameters and got the response.

  • 12c: Signature digest verification failure with SAML msg protection policy

    Hi,
    I am using the policy wss10_saml_token_with_message_protection_service_policy for Service Bus 12c proxy service and getting the error while verifying the signature digest. I am doing the testing using SOAP Ui.
    I am able to understand it's an issue in verifying the signature digest but unable to debug and conclude the cause of this issue as i did the necessary setup. And using the appropriate keys for encryption and signing. Also tried overriding the policy configuration at policy level and Service bus end point level too.
    Policy Settings are:
    - Time Stamp included, Signing entire request body, no signing for SAML token and X 509 token.
    - No signature encryption checked and kept default values for all other attributes.
    Configured only Message Security section in WSM Domain Configuration and used JKS as the key store. Used the trusted certificate entry of client as signing alias and own public key as enc alias.
    Following is the error stack trace i am seeing. Please let me know if there is any thing missing or any other insights into this issue. The logs generated by setting xml.debug.verify also did not help much. I am thinking the issue may be something to do with Canonicalization of XML.
    Caused by: com.bea.wli.sb.security.wss.WssHandlerException: General web service security error
    at com.bea.wli.sb.security.wss.WssHandlerImpl.generateInboundRequestBLE(WssHandlerImpl.java:1499)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.handleInboundRequestException(WssHandlerImpl.java:1457)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.handleInboundRequestException(WssHandlerImpl.java:1444)
    at com.bea.wli.sb.service.disi.handlerchain.handlers.InboundWssPhase1DISIHandler.dispatch(InboundWssPhase1DISIHandler.java:107)
    ... 43 more
    Caused by: com.bea.wli.sb.security.wss.WssException: oracle.wsm.security.SecurityException: WSM-00061 : Signature digest verification failure. The system property xml.debug.verify should be enabled for the details about the digest calculations during verification phase (note xml.debug.verify slows down the signature verification for very large messages).
    Caused by:-
    at com.bea.wli.sb.security.wss.wsm.WsmInboundHandler.handleRequestException(WsmInboundHandler.java:350)
    at com.bea.wli.sb.security.wss.WssHandlerImpl.handleInboundRequestException(WssHandlerImpl.java:1442)
    ... 44 more
    Caused by: oracle.wsm.security.SecurityException: WSM-00061 : Signature digest verification failure. The system property xml.debug.verify should be enabled for the details about the digest calculations during verification phase (note xml.debug.verify slows down the signature verification for very large messages).
    Caused by:-
    at oracle.wsm.security.policy.scenario.processor.Wss10MessageSecurityProcessor.verify(Wss10MessageSecurityProcessor.java:482)
    at oracle.wsm.security.policy.scenario.processor.Wss10X509TokenProcessor.verify(Wss10X509TokenProcessor.java:301)
    at oracle.wsm.security.policy.scenario.executor.Wss10SamlWithCertsScenarioExecutor.receiveRequest(Wss10SamlWithCertsScenarioExecutor.java:184)
    at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:642)
    at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:44)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:515)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:427)
    at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:374)
    at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:103)
    at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1270)
    at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:563)
    at oracle.j2ee.ws.common.wsm.SecurityAgentTube.processRequest(SecurityAgentTube.java:201)
    at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
    at com.sun.xml.ws.api.pipe.Fiber.access$100(Fiber.java:127)

    Please do let me know if anybody has insights into this issue. I am testing it from SOAP UI and i am completely stuck and can't proceed further.. We did face similar issue in 11g which was gone after upgrading to later OSB releases.
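
An added example, not code from the thread or from Oracle: a stand-alone check using only the JDK's `javax.xml.crypto.dsig` API that tells a Reference digest mismatch (the condition WSM-00061 reports) apart from a SignatureValue failure caused by the wrong key. The envelope, the `body-1` Id, the class name and the generated key pairs are constructed for illustration; the last case shows that re-indenting a signed body after signing changes its exclusive-C14N digest.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class DigestVsSignatureCheck {
    // Constructed sample message; element names and the Id value are illustrative.
    static final String SAMPLE = "<Envelope><Body Id=\"body-1\"><getQuote>"
            + "<symbol>ORCL</symbol></getQuote></Body></Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Register Id as an ID-typed attribute so URI="#body-1" can be dereferenced.
    static Element body(Document doc) {
        Element b = (Element) doc.getElementsByTagName("Body").item(0);
        b.setIdAttribute("Id", true);
        return b;
    }

    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        Reference ref = f.newReference("#body-1", f.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(f.newTransform(CanonicalizationMethod.EXCLUSIVE,
                (TransformParameterSpec) null)), null, null);
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
                (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        body(doc);
        f.newXMLSignature(si, null)
         .sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    // Reports which half of XML-DSig validation failed: Reference digest or SignatureValue.
    static String diagnose(Document doc, PublicKey key) throws Exception {
        body(doc);
        DOMValidateContext ctx = new DOMValidateContext(key,
            doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (sig.validate(ctx)) return "valid";
        StringBuilder out = new StringBuilder("SignatureValue ok=")
            .append(sig.getSignatureValue().validate(ctx));
        for (Object o : sig.getSignedInfo().getReferences()) {
            Reference r = (Reference) o;
            out.append(", digest of ").append(r.getURI()).append(" ok=").append(r.validate(ctx));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signer = gen.generateKeyPair(), other = gen.generateKeyPair();
        Document doc = parse(SAMPLE);
        sign(doc, signer);
        System.out.println("untouched:      " + diagnose(doc, signer.getPublic()));
        System.out.println("wrong key:      " + diagnose(doc, other.getPublic()));
        Element b = body(doc); // simulate re-indenting the body after it was signed
        b.insertBefore(doc.createTextNode("\n  "), b.getFirstChild());
        System.out.println("pretty-printed: " + diagnose(doc, signer.getPublic()));
    }
}
```

A digest failure with an intact SignatureValue points at the signed content having changed between signing and verification rather than at the keystore aliases.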
