Webservice security through SAML

I am in need of securing an ejb webservice by using SAML Tokens.I am using weblogic 10.3
I was looking at your company’s website for the same.
It will be an immense help if you can please publish some straight forward stepts for the same.

Similar Messages

Disable Webservices access through web

Hi All,
In OFMW and AIA 11g ps3, how can we disable webservices access through web i.e. restrict webservice call from outside
world using OWSM security policies?
We dont want to use username based authentication or any other policies that is based on authentication and authorization.
Please let me know how can we achieve this?
Thanks in advance.

Hi,
I think the best way would be to block the access to services at firewall so that these services have restricted access within the network. This can be achieved only if none of the services need to be exposed over to the internet.
Regards,
Neeraj Sehgal

Web Service Security with SAML - Invalid XML signature

Hello together,
we want to build a scenario where we want to use Web Service Security with SAML.
The scenario will be
WS Client (Java Application) -> WS Adapter -> Integration Engine -> WS Adapter-> CRM (Web AS ABAP 7.01 SP 3)
SAP PI release is 7.11 (SP Level 4)
We want to use the SAML Authentification from WS Client to PI and from PI to Web AS ABAP.
The SAML authentifications between the WS Client and PI works when there is no SAML auth between PI and CRM.
But we get following error at calling the CRM system when we want to communicate with SAML:
<E_TEXT>CX_WS_SECURITY_FAULT:Invalid XML signature</E_TEXT>
Has somebody an idea of the possible reason for the error.
Thanks in advance
Stefan

Error Messages in the Trace/Log Viewer:
CX_WS_SECURITY_FAULT : Invalid XML signature | program: CL_ST_CRYPTO==================CP include: CL_ST_CRYPTO==================CM00G line: 48
A SOAP Runtime Core Exception occurred in method CL_ST_CRYPTO==================CM00G of class CL_ST_CRYPTO==================CP at position id 48 with internal error id 1001 and error text CX_WS_SECURITY_FAULT:Invalid XML signature (fault location is 1 ).
Invalid XML signature

Exception while accessing web service secure through web services Manager

Hi All,
I deployed sime Hello World web service on JWSDP1.6 and secure it through web service manager(gateway) using Certificate based security.But when I try to access this web service using JWSDP client,I got the following Error while monitoring the soap messages through TCP-Monitor:
/////////////////////////////////Request///////////////////////////////////////////////////////////////
POST /gateway/services/SID0003009 HTTP/1.1
Content-Type: text/xml; charset=utf-8
Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 5631
SOAPAction: ""
User-Agent: Java/1.5.0_05
Host: ivy.cs.ucl.ac.uk:8082
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://hello.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">eN9famBBWzHNUIwWRhMPktcM+VQ=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>MHjtgA4wOtvI1B+SuRVEmD07yE+jl6axd4XbJ0nvQ3EzSuVVoST9vHzURh+B47yj41187s8T+yjt
Bmpk9OB278Jghonkacv6r+q+LVlxRrQDudNGir7plzFeM6bUadMxf+FLgn5O0a44vU/tvy6V9+zi
yqFdhTvS21No/aW62No=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#XWSSGID-1155126003241-1198323932"/></xenc:ReferenceList></xenc:EncryptedKey><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-11551260018331598979688">MIIC3TCCAkagAwIBAgIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzEMMAoGA1UECBMD
U0NBMQwwCgYDVQQKEwNTVU4xHjAcBgNVBAMTFWNlcnRpZmljYXRlLWF1dGhvcml0eTAeFw0wNjAz
MTkxMzQ5MDJaFw0xNjAzMTYxMzQ5MDJaMEcxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAK
BgNVBAoTA1NVTjEcMBoGA1UEAxMTeHdzLXNlY3VyaXR5LWNsaWVudDCBnzANBgkqhkiG9w0BAQEF
AAOBjQAwgYkCgYEAzNDPKUz1MhUH1LsrLqXKxciOKSWeTrdoe/SVwe/4uy5eobAWSsSTposaOYFy
uxf3cGCCIs7u0jMAXLQ9jzobDbt9XQ4tXPoBzKKzS+yU6hDk2TcOCkioeT9A9db5LF8yevhwXKB4
AJ1Eh//Dp/djoonXCCxsxupQZp3ueRJrR98CAwEAAaOB1jCB0zAJBgNVHRMEAjAAMCwGCWCGSAGG
+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUECH05VC3/WGW
H4AGD6tnH0h+kFUweQYDVR0jBHIwcIAUdry1wGRZ2fyJSKisVSxpMEmIiaahTaRLMEkxCzAJBgNV
BAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAKBgNVBAoTA1NVTjEeMBwGA1UEAxMVY2VydGlmaWNhdGUt
YXV0aG9yaXR5ggkA4HaEvd6hq8YwDQYJKoZIhvcNAQEEBQADgYEA0RhOk67pCrO6MgZZGqrmAMW6
76fZowBxTKlFq88nrf8v1MUxV8H9wgbTDrwR0HtxY3TGpDFw2tNAww2pyDX/pQ2Wt46ichluGxjf
aEV53loKTOM7syAmlicWqViGzBfgzriIl918TzFaX9BD/Y55bKZQk057maBCSkUuFfF453s=</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse enc env ns0 xsd xsi"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#XWSSGID-1155126002593447652186"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>UJ1kuwI+WuF/RkrQpZrj1GvraLI=</ds:DigestValue></ds:Reference><ds:Reference URI="#XWSSGID-1155126002602761294100"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>sKG/z5OIGgqJ2nw7JtpXyJzr8pY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SBc65VTG1xpEkRUTz70H0fVGIgoBJ0QnNad0k07RMSfw4vG1WHJdt19R05pO2AvU5aoYuBSaguJe
ZGEjmWzw8mnSWKBi+zeDMeJiwgqwW6HHHX9P7JDslxuTIqoJIVUbSjUTSVz6ww8siIK65quXdkMT
ZzLfp7Cd0gBuA3EEZpg=</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11551260025411896275738">
<wsse:Reference URI="#XWSSGID-11551260018331598979688" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002602761294100"><wsu:Created>2006-08-09T12:20:02Z</wsu:Created><wsu:Expires>2006-08-09T12:20:07Z</wsu:Expires></wsu:Timestamp></wsse:Security></env:Header><env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002593447652186"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="XWSSGID-1155126003241-1198323932" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><xenc:CipherData><xenc:CipherValue>XNqEzHNp47ILtOagAUNCXYkxOCWv4CjHqmZ7j6VKN/NO96ce4BsNSL6lKzqa9dPxHB1sTVGZQ8KA
COQ6DGwyWCP8ip+CU2hor3uUAml7nzHTx1LUw3Db+0p31VAT3EqKJA3aFy38GQrBTr9ojMOUA6tm
Cj71yucN3UCKRUl3RpE8qU68y7AwNxPsyAZeSa2AVm2cmWvSDZlxgMsx+JCEZaf3+D0o1zMp0Fxb
MSISPt/JrEolt1H5UM1AoFGU4QkckWrQNLPyEF9oxEgZ8oCE5U8v/YJwZIAHFrx67XfaLwQLjzXw
VPigsH9gLkfbP2BU8Vp31GsPwBZtUeNz9S35+CZPD7EiqoAB1QuAxZkJV7n00VChYH+scT64tNja
c81bcD8tf4sAr7toCMNDAU6+74+Qy0EyPqgwLtotDxErn4kF8e72cONMMQBQ91tQs+iI+D6C1I6+
f9UiSfgtm/MTuKQK1CRqarEtI9N6lpqVH8k7ulUwH/jFstihxmhMJ3aZY+qQgSwSs3pwSSim+e18
eR7dOEq4vG8ivKuGvTDO4sSV2RP/nL/3eXr0y7eM0kMFKwTUA4JqL4Y/l8Bo/rie/ZXkkbF6hwEu
dX1QmB0gf5k=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body></env:Envelope>
////////////////////////////////Response///////////////////////////////////////////////////////////////
HTTP/1.1 100 Continue
Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
Date: Wed, 09 Aug 2006 12:28:47 GMT
HTTP/1.1 500 Internal Server Error
Date: Wed, 09 Aug 2006 12:28:47 GMT
Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
Connection: Keep-Alive
Keep-Alive: timeout=15, max=100
Content-Type: text/xml
Transfer-Encoding: chunked
157
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
0
So basically, what I am doing here as follows:
HelloClient(using JWSPD1.6)->gateway(web service manager for securing the web service using message level security through certificate )->helloservice(deployed using JWSDP1.6)
I would appreciate if someone could tell me the cause of this errror.Thanks.
Kashif

time to look into the gateway logs as stated by the fault ..
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
looks like the cipher step might have failed

Java web services through SAML

I have a clint application lets take swing. i need to access a web service through SAML single sign on. for that i will use another server as a mediator which will authenticate the web service.
please respon with example.
thanks in advance.

The link: Developer Survey
on that page, doesn't work. :)
-G

BPEL to invoke a webservice secured by BASIC auth

Hi
I have been trying to write a simple BPEL process to invoke a remote webservice secured by basic authentication. I was able to build the BPEL process and then the composite application that I deployed successfully to glassfish, all within NetBeans IDE. As per the wiki notes: http://wiki.open-esb.java.net/Wiki.jsp?page=HTTPBasicAuthentication, I also added the Policy element to the wsdl for the service that I am trying to invoke as follows:
<wsdl:service name="PMSDatabase">
        <wsdl:port name="PMSDatabaseSOAP11port_http" binding="ns2:PMSDatabaseSOAP11Binding">
            <soap:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
        </wsdl:port>
        <wsdl:port name="PMSDatabaseSOAP12port_http" binding="ns2:PMSDatabaseSOAP12Binding">
            <soap12:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
        </wsdl:port>
        <wsdl:port name="PMSDatabaseHttpport" binding="ns2:PMSDatabaseHttpBinding">
            <http:address location="http://namadgi:9999/MessageCentre/services/PMSDatabase"/>
            <wsp:PolicyReference URI="#HttpBasicAuthBindingBindingPolicy"/>
        </wsdl:port>
    </wsdl:service>
    <wsp:Policy wsu:Id="HttpBasicAuthBindingBindingRealmPolicy">
        <mysp:MustSupportBasicAuthentication on="true">
            <mysp:BasicAuthenticationDetail>
               <mysp:WssTokenCompare/>
            </mysp:BasicAuthenticationDetail>
        </mysp:MustSupportBasicAuthentication>
        <mysp:UsernameToken mysp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
           <wsp:Policy>
                <sp:WssUsernameToken10>mcs_user</sp:WssUsernameToken10>
                <sp:WssPassword>${pass_token}</sp:WssPassword>
           </wsp:Policy>
      </mysp:UsernameToken>
    </wsp:Policy>When i try to run a testcase, the BPEL process fails during the invoke activity and I get the following error in the output:
<detailText>BPCOR-6135:A fault was not handled in the process scope; Fault Name is {http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling}systemFault; Fault Data is <?xml version="1.0" encoding="UTF-8"?><jbi:message xmlns:sxeh="http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/ErrorHandling" type="sxeh:faultMessage" version="1.0" xmlns:jbi="http://java.sun.com/xml/ns/jbi/wsdl-11-wrapper"><jbi:part>HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
    URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
    QUERY:
    PATH_INFO:
    Exception detail: request requires HTTP authentication: User mcs_user not found in directory.</jbi:part></jbi:message>. Sending errors for the pending requests in the process scope before terminating the process instance
   Caused by: BPCOR-6131:An Error status was received while doing an invoke (partnerLink=PartnerLink1, portType={http://service.messagecentre.dha.gov.au}PMSDatabasePortType, operation=deletePMSVoidPeriod)
BPCOR-6129:Line Number is 48
BPCOR-6130:Activity Name is Invoke1
   Caused by: HTTPBC-E00753: HTTP POST request failed, portType {http://service.messagecentre.dha.gov.au}PMSDatabaseHttpport
    URL: http://namadgi:9999/MessageCentre/services/PMSDatabase/deletePMSVoidPeriod
    QUERY:
    PATH_INFO:
    Exception detail: request requires HTTP authentication: User mcs_user not found in directory.
   Caused by: request requires HTTP authentication: User mcs_user not found in directory.</detailText>Where else do i need to configure the BASIC auth details to get this to work?

Please post your request to [email protected] for quick response.
Error states "mcs_user" is invalid user. Please make sure that the user is valid.

SAP to consume third party webservice that requires saml authentication

Hi All,
I am able to invoke our thirdparty webservice from soapUI, but it is a two step procedure, This is how it works in SoapUI:
step 1) first send below predefined message, embeded with username and pwd in the header:
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
     <SOAP:Header>
          <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <wsse:UsernameToken>
                    <wsse:Username>myusername</wsse:Username>
                    <wsse:Password>mypwd</wsse:Password>
               </wsse:UsernameToken>
          </wsse:Security>
     </SOAP:Header>
     <SOAP:Body>
          <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
               <samlp:AuthenticationQuery>
                    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
                         <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myusername</saml:NameIdentifier>
                    </saml:Subject>
               </samlp:AuthenticationQuery>
          </samlp:Request>
     </SOAP:Body>
</SOAP:Envelope>
after this, we are got the response as:
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
     <SOAP:Header>
          <header xmlns="http://schemas.thirdparty.com/General/1.0/">
          </header>
     </SOAP:Header>
     <SOAP:Body>
          <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
               <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                         <Reference URI="#A18A90576-64FD-71E0-A9BC-286444658733">
                              <Transforms>
                                   <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              </Transforms>
                              <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                              <DigestValue>LzlvRhszr3qlOTG7AZX8i+yKvRI=</DigestValue>
                         </Reference>
                    </SignedInfo>
                    <SignatureValue>qc1x+84wkkPrf76dHW2HJ...</SignatureValue>
                    <KeyInfo>
                         <X509Data>
                              <X509Certificate>MIIB3I.....NBgkqhk</X509Certificate>
                         </X509Data>
                    </KeyInfo>
               </Signature>
               <samlp:Status>
                    <samlp:StatusCode Value="samlp:Success"/>
               </samlp:Status>
               <saml:Assertion AssertionID="A18A90576.." xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
                    <saml:Conditions NotBefore="2011-01-25T09:14:54.045Z" NotOnOrAfter="2011-01-25T17:19:54.045Z"/>
                    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
                         <saml:Subject>
                              <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">myusername</saml:NameIdentifier>
                         </saml:Subject>
                    </saml:AuthenticationStatement>
               </saml:Assertion>
               <samlp:AssertionArtifact>MDGH....RbY6qHUFcO</samlp:AssertionArtifact>
          </samlp:Response>
     </SOAP:Body>
</SOAP:Envelope>
step 2) from the above response body, use the Signature elemenent, and saml:Assertion element as part of header of the original request, so the actual request in soapUI has become:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:product="http://mytp/myfunctionality">
     <soapenv:Header>
          <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
               <Signature> ...</Signature>
               <saml:Assertion>..</saml:Assertion>
          </wsse:Security>
     </soapenv:Header>
     <soapenv:Body>
          <product:isProductAvailable>
               <product:ProductNAME>myproduct</product:ProductNAME>
               <product:ProductYEAR>2010</product:ProductYEAR>
          </product:isProductAvailable>
     </soapenv:Body>
</soapenv:Envelope>
after sending this above request, we are getting the desired response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:product="http://mytp/myfunctionality">
     <soapenv:Header>
     </soapenv:Header>
     <soapenv:Body>
          <isProductAvailableResponse xmlns="http://mytp/myfunctionality">
               <isProductAvailable>true</isProductAvailable>
          </isProductAvailableResponse>
     </soapenv:Body>
</soapenv:Envelope>
If we want to implement the same functionality using abap consumer proxy, do we need to invoke with two different requests,
is there any efficient way, where we can specify the values of <wsse:Username> and <wsse:Password>, and invoke with original payload.
is there any config in SOAMANAGER, to specify the saml releated settings, for the consumer proxy.
what could be the simplest way to consume this webservice in sap.
thanks in advance, BJagdishwar.

Hi,
Please create logical port using wsdl directly it will apply required settings in LP. You can also ask for client certificate which you can apply while calling 3rd party services. To me this seems X509 client certificate authentication.
You can also create LP manually by giving SAP SAML authentication and save. Next time when you edit LP you will be able to see plenty of option to configure required settings.
Please note that not all security methods are supported by SAP.
Regards,
Gourav

InfoPath unable to call OOTB webservices in a SAML claims web application

We have InfoPath Path forms with Nintex workflows that we are planning to move to SharePoint 2013. The SharePoint 2013 web app is using SAML claims , ping federate is the identity provider.
We are unable to make a call from InfoPath to the OOTB webservices. We tried using the Secure store and UDCX file but that also does not seem to work with SAML based claims. Has anyone come across this scenario who can suggest an alternate solution?

Hi Supriya,
From the link below, InfoPath forms service does not work with SAML authentication.
Features that do not work with forms-based authentication or SAML security tokens:
http://technet.microsoft.com/en-us/library/hh706161(v=office.14).aspx
There is no dedicated clarify for SharePoint 2013. However, I found some threads that also reports that InfoPath form won't work with claim-based except NTLM claim, such as:
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/707b0a7b-8a2c-4b5c-b7f3-a3ba928a8d07/do-infopath-soap-calls-work-in-a-saml-environment?forum=sharepointdevelopmentlegacy
Regards,
Rebecca Tu
TechNet Community Support

Webservice - security error

Hi All,
We are receiving the security error provided below while invokingthe LegalReportingUnitService -http://Host:Port/finLeLegalEntitiesModel/LegalReportingUnitService?WSDL using HTTP Analyzer (Jdeveloper) or SOAP UI.
Also we find that the web service is having OWSM Policies - Directly Attached Policy - oracle/wss11_saml_or_username_token_with_message_protection_service_policy
Please let us know what information has to be provided apart from username/password credentials to this webservice.
a. Error message while invoking the web service using ext port & SSL url :
https://xxxx-fin-ext.example.com:xxxxx/finLeLegalEntitiesModel/LegalReportingUnitService?WSDL
Error Message: 401 Unauthorized.
Log details:
Response Header-----------------=_Part_9_498083750.1342417354448
Content-Type: application/xop+xml;charset=UTF-8;type="text/xml"
Content-Transfer-Encoding: 8bit
Content-ID: <a1759cc915eb4db6ab48a1b97d3f1386>
<?xml version="1.0" encoding="UTF-8" ?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns2="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/types/" xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/"><env:Header><ns1:Security><ns1:UsernameToken><ns1:Username>Fusion</ns1:Username><ns1:Password>welcome</ns1:Password></ns1:UsernameToken></ns1:Security></env:Header><env:Body><ns2:createLegalReportingUnit><ns2:legalReportingUnit xmlns:ns2="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/types/"><ns3:PartyId xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">300000002842377</ns3:PartyId><ns3:LegalEntityId xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">300000002842369</ns3:LegalEntityId><ns3:GeographyId xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">300000000225396</ns3:GeographyId><ns3:Name xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">Test123</ns3:Name><ns3:MainEstablishmentFlag xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">Y</ns3:MainEstablishmentFlag><ns3:MainEffectiveFrom xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">2011-07-03+05:30</ns3:MainEffectiveFrom><ns3:MainEffectiveTo xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">2012-07-16+05:30</ns3:MainEffectiveTo><ns3:EffectiveFrom xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">2012-07-16+05:30</ns3:EffectiveFrom><ns3:EffectiveTo xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">2012-07-16+05:30</ns3:EffectiveTo><ns3:ObjectVersionNumber xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/">1</ns3:ObjectVersionNumber><ns3:ActivityCode xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/"/><ns3:SubActivityCode xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/"/><ns3:TypeOfCompany xmlns:ns3="http://xmlns.oracle.com/apps/financials/legalEntity/legalEntities/legalReportingUnitService/"/></ns2:legalReportingUnit></ns2:createLegalReportingUnit></env:Body></env:Envelope>
------=_Part_9_498083750.1342417354448—
b. Error message while invoking this web service using int port –
http://xxx-fin-int.example.com:xxxx/finLeLegalEntitiesModel/LegalReportingUnitService?WSDL
Error Message: 500 Internal Server error.
Log details:
Response Header: ------=_Part_8_481967515.1342415673437
Content-Type: application/xop+xml;charset=UTF-8;type="text/xml"
Content-Transfer-Encoding: 8bit
Content-ID: <f4ef59739fc64cacb9829403d3a171d5>
<?xml version="1.0" encoding="UTF-8" ?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:ns0="http://schemas.oracle.com/owsm/policy-enforcement-2007-06"><faultcode>ns0:GenericFault</faultcode><faultstring>GenericFault : generic error</faultstring><faultactor></faultactor></env:Fault></env:Body></env:Envelope>
------=_Part_8_481967515.1342415673437—
Regards,
Ramesh

Hi, I am using Weblogic Oracle 12c and standalone server no clusters. I have a webservice configured which is working from the Weblogic, using DemoTrust.jks I just downloaded the SOAP-UI and having issues with this, I set up the aut Tab to use Global HTTP Settings for the authorization type and added a keystore which is pointing to the DemoTrust.jks.
When I run a test, I receive this error
Tue Jul 31 09:40:38 PDT 2012:DEBUG:<< "<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:InvalidSecurity</faultcode><faultstring>Error on verifying message against security policy Error code:1000</faultstring></env:Fault></env:Body></env:Envelope>"
You wouldn't know what this is about, from what I am reading it seems I need to pass a policy to the server from the client but unsure what to configure.
If you have any insight I would appreciate it.

Webservices Security in SOAP Receiver Adapter

Hi All,
I am configuring web services security settings in my File To Webservice scenario.
The scneario is:
File -
asynch--XISynch-Webservice(X.509)
The webservice is using X.509 certificates for security.
I have configured SOAP receiver channel with webservices secuirty settings and same with Receiver agreement.
But when I run this scenario in the SOAP Receiver channel monitoring I get below error.
Message processing failed. Cause: com.sap.aii.af.ra.ms.api.RecoverableException: java.security.PrivilegedActionException: com.sap.aii.af.security.impl.exception.MessageSecurityException: MessageSecurityException in Method: ApplyMessageLevelSecurity.run(). AccessControlException. Please check that your Code has the XiSecurityRuntimePermission.Context: com.sap.aii.af.security.impl.exception.MessageSecurityException: Exception in Method: apply( Message, CPALookupObject ). General exception, no further informations. Message: MessageSecurityContext in Method: apply( Message, CPALookupObject ). ApplyThread-Exception Message: ProcessException in Method: run(). Key: 0700; To-String: com.sap.aii.af.security.impl.exception.MessageSecurityException: ProcessException in Method: run(). Key: 0700. To-String: com.sap.aii.af.security.impl.exception.MessageSecurityException: MessageSecurityContext in Method: apply( Message, CPALookupObject ). ApplyThread-Exception Message: ProcessException in Method: run(). Key: 0700; To-String: com.sap.aii.af.security.impl.exception.MessageSecurityException: ProcessException in Method: run(). Key: 0700.
Does anybody have idea about this error?
Please help me to resolve this.
Thanks,
Shweta.

Hi,
I am doubtful if after add ing all the security realted settings you could be able to test it via RWB monitoring.
Its better to test this kind of scenario with either real time application where all security certificates and settings will on right place.
Thanks
Swarup

BPEL to invoke Webservice secured with HTTP Basic authentication

Hi All,
Iam trying to call a Synchronous BPEL porcess from BPEL by passing HTTP basic authentication.I have done below steps to achieve this.
1) Created Target Synchronous process ex : B
2) Created Source Syncronous Process ex : A
Iam trying to call B(Target) from A(source).
3) Open Composite.xml of A(Source)
4) Right Click on External Refernce B(Target) parter link and click Configure WS policies
5) Under Security tab attach oracle/wss_username_token_client_policy
6) Login to em/console
7) Right click on A(Source) Composite and click Service/Refence Properties>>B(Target)
8) Enter username and password under HTTP Basic Authentication.
9)Test from em.console(when we are testing under security tab I have checked None radio button)
So this is the Error message which is throwing.
==================================
The selected operation process could not be invoked.
An exception occured while invoking the webservice operation. Please see logs for more details.
oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security.
java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security. at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:570) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:381) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:298) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at com.sun.el.parser.AstValue.invoke(AstValue.java:157) at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:283) at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53) at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1245) at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:87) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:298) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:91) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:87) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:87) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:298) at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:91) at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:81) at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:475) at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:756) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._invokeApplication(LifecycleImpl.java:673) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:273) at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:165) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:85) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:420) at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:54) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:420) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:247) at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:157) at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emSDK.license.LicenseFilter.doFilter(LicenseFilter.java:101) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:191) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.emas.fwk.MASConnectionFilter.doFilter(MASConnectionFilter.java:41) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:159) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.AuditServletFilter.doFilter(AuditServletFilter.java:179) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.EMRepLoginFilter.doFilter(EMRepLoginFilter.java:203) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.core.app.perf.PerfFilter.doFilter(PerfFilter.java:141) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.sysman.eml.app.ContextInitFilter.doFilter(ContextInitFilter.java:527) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:202) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3588) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2200) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2106) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1428) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201) at weblogic.work.ExecuteThread.run(ExecuteThread.java:173) Caused by: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security. at oracle.sysman.emas.model.wsmgt.PortName.invokeOperation(PortName.java:712) at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:564) ... 68 more Caused by: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security. at oracle.sysman.emSDK.webservices.wsdlapi.dispatch.DispatchUtil.invoke(DispatchUtil.java:260) at oracle.sysman.emSDK.webservices.wsdlparser.OperationInfoImpl.invokeWithDispatch(OperationInfoImpl.java:843) at oracle.sysman.emas.model.wsmgt.PortName.invokeOperation(PortName.java:664) ... 69 more Caused by: javax.xml.ws.soap.SOAPFaultException: SOAP must understand error:{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security, {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security. at oracle.j2ee.ws.client.jaxws.DispatchImpl.throwJAXWSSoapFaultException(DispatchImpl.java:874) at oracle.j2ee.ws.client.jaxws.DispatchImpl.invoke(DispatchImpl.java:707) at oracle.j2ee.ws.client.jaxws.OracleDispatchImpl.synchronousInvocationWithRetry(OracleDispatchImpl.java:226) at oracle.j2ee.ws.client.jaxws.OracleDispatchImpl.invoke(OracleDispatchImpl.java:97) at oracle.sysman.emSDK.webservices.wsdlapi.dispatch.DispatchUtil.invoke(DispatchUtil.java:256) ... 71 more
=======================================
Please let me know if Iam missing any steps.
Thanks
SSV

Followed this post.......
This is avery good question
in 11g i have taken out the steps from my document which i created for one our customer
go to composite
Right click on the external reference service and select “Configure WS policies” :done
Under the security tab, click add button and select “oracle/ wss_username_token_client_policy :done
6. Now Open the property Inspector window and click the add button under “Binding properties” tab. :done
7. Include the “oracle.webservices.auth.username--> :done
value-->password :done
8. Include the “oracle.webservices.auth.password”-->name :done
value-->password :done
Thanks
SSV

SAP PI calling the webservice generated through BRF+

Hi All,
The scenario is
SAP ECC(IDoc) --> PI --> SAP MII
. The data coming from ECC in the IDoc will be in a third party format, but we want MII to receive data in SAP format.
For this we have decided to use BRF. I want to know that how can I use the webservice which we generate from BRF in SAP PI. Which adapter supports calling of webservice or if there is any other section of SAP PI where this transformation can be done using BRF+ webservice? Please help
Thanks,
NehaSingh

Hi,
The message coming from ECC has values in ISO format and MII needs values in SAP format. For this conversion to happen I need to use the BRF+ and when I raised the same request on "Business Rule Management/BRF+" forum. I got the following reply.
ht[Re: Calling web service generated through BRF+ in SAP PI|Re: Calling web service generated through BRF+ in SAP PI]
Now, Can anyone please help me with answers to following question:
Since my Source Message is an IDoc, I cannot directly use the RFC that will call the Function Module that I require for format conversion,
Can I use RFC Lookup to satisfy the requirement. If yes how to go about it. Actually I am using RFC LookUp for the first time, so the basic steps that we need to follow for RFC Lookup are needed. I went through some Blogs but did not understand how it will be applicable in my case. Please Help
Thanks and Regards,
NehaSingh

Essbase filter assignment while importing the security through LCM

Hi Experts,
My source server is Essbase standalone 11.1.2.1 and my destination is Essbase 11.1.2.4, obviously shared services security.
I just created some test users/ groups/ filters in 11.1.2.4 and did export through LCM and got the actual format of users/ groups/ roles CSV files. Then I just did edit all these CSV files with my source 11.1.2.1 users/ groups details with the respective roles and tried importing it in the same 11.1.2.4 server.
I was successfully able to create all the users groups and its roles assignment. But I got stuck up with the filter assignment for the groups... I mean my groups are assigned with the role 'Filter' at the 11.1.2.4 environment but I dont know how to get the actual filter assigned to these groups.
I know in Applications group we can assign filters manually using Assign access control but how to do it with the LCM import itself? is there any options/ tricks available or do we need to do it only by manually?
Thanks,
Siva

Not tried the maxl create group but it is deprecated in 11.1.2.4
Anyway there is nothing wrong with groups in EAS 11.1.2.4
Cheers
John

Transportation of security through header from proxy to business service

Hi,
I have an application in which i have implemented web security at proxy service level. I couldnt transport that to business service.
I have embedded USERNAME and PASSWORD in the header of the proxy service. This authentication should pass through to the business service, which in turn calls the SOA composite. How can i transport my credentials from proxy to business service.
Thanks
Karthick

Solved

Transport Authentication (webservice security)

HI,
I want to provide security for my webservices.so
I have choosed Transport Authentication. and i succeded but even i set the usename and passwords in the visualadministrator>webservicesecurityservice>select webservice clientproxy-->Transportsecurity and set the authentication to Basic and enter the user name and password.
my webservice is valid only for username:admin and password:admin.(i have entered different username and pwd at above step)
even i set the username and password in visualstudio i cannot use that username and password while running the webservice, whenever i give the username:admin and password:admin it is valid .
how to set the new username and password.can anybody help me about this transport authentication
Thanks and Regards
Srinivas

HI,
I want to provide security for my webservices.so
I have choosed Transport Authentication. and i succeded but even i set the usename and passwords in the visualadministrator>webservicesecurityservice>select webservice clientproxy-->Transportsecurity and set the authentication to Basic and enter the user name and password.
my webservice is valid only for username:admin and password:admin.(i have entered different username and pwd at above step)
even i set the username and password in visualstudio i cannot use that username and password while running the webservice, whenever i give the username:admin and password:admin it is valid .
how to set the new username and password.can anybody help me about this transport authentication
Thanks and Regards
Srinivas

Webservice security through SAML

Similar Messages

Maybe you are looking for