Monday, August 22, 2011

Do SAML with OWSM

In this blog post I will explain the different SAML options and the advanced configurations you can apply when you use the SAML client and server policies of Oracle Web Services Manager (OWSM) in FMW 11gR1.
The following will be explained and configured in this blog post:
  • A basic SAML authentication with 2 OWSM Servers.
  • Change the default SAML issuer name.
  • Allow only trusted SAML clients.
  • SAML Identity switching.
  • Virtual Users with User roles.
Creating a working SAML setup. 
For this we need two WebLogic domains, each with at least the Enterprise Manager web application and the OWSM option enabled. For this demo I have one domain with SOA Suite and one with only a WebLogic AdminServer, on which we deploy a JAX-WS web service that has an OWSM server policy. You can replace SOA Suite with an OSB server (it works the same way). For OWSM, every domain needs its own MDS repository to store the OWSM policies, and for SOA Suite you also need a soa-infra database repository.

This will be our setup.
  • A client (soapUI or a WS client proxy) calls an exposed web service of a SOA Suite composite; the client needs to provide a username token.
  • The exposed service has oracle/wss_username_token_service_policy as OWSM server policy. The username token is validated by WebLogic, and the username is passed on in a SAML token signed with the signing certificate of the SOA Suite OWSM. The exposed service has a wire to a Mediator with a simple routing rule.
  • The Mediator has a wire to the reference web service. This reference WS binding has oracle/wss11_saml_token_with_message_protection_client_policy as OWSM client policy.
  • The reference WS binding calls a JAX-WS web service deployed on the other WebLogic domain; this web service has oracle/wss11_saml_token_with_message_protection_service_policy as OWSM server policy. OWSM validates the SAML issuer and checks whether it knows the username (the password does not matter, because the signed token is trusted).
The SOA Composite I used.

The JAX-WS service
Before we can test this SAML service, we need to generate some keystores, configure OWSM and add some users to WebLogic.
Execute the following commands to generate self-signed key pairs and exchange the public certificates (so that each server trusts the other's certificate).

Go to the bin folder of your JDK.
cd c:\oracle\jrockit-jdk1.6.0_26-R28\bin

Generate a certificate for SOA (server.jks) and one for the JAX-WS server (saml.jks)
keytool -genkey -alias serverKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=server, C=US" -keypass welcome -keystore c:\temp\server.jks -storepass welcome -validity 3650
keytool -genkey -alias samlKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=saml, C=US" -keypass welcome -keystore c:\temp\saml.jks -storepass welcome  -validity 3650

Export the public certificates
keytool -exportcert -alias serverKey -storepass welcome -keystore c:\temp\server.jks -file c:\temp\server.cer
keytool -exportcert -alias samlKey -storepass welcome -keystore c:\temp\saml.jks -file c:\temp\saml.cer

Import each certificate into the other keystore (this establishes the trust)
keytool -import -alias serverKey -file c:\temp\server.cer -storepass welcome -keystore c:\temp\saml.jks
keytool -import -alias samlKey -file c:\temp\saml.cer -storepass welcome -keystore c:\temp\server.jks

Show the certificates in each keystore.
keytool -list -storepass welcome -keystore c:\temp\server.jks
keytool -list -storepass welcome -keystore c:\temp\saml.jks

Copy server.jks to the config\fmwconfig folder of your SOA Suite domain. Do the same for the saml.jks keystore, but to the fmwconfig folder of the JAX-WS server domain.

Go to the Enterprise Manager (EM) application of the SOA Suite. Open the WebLogic Domain tree node and select your SOA domain. In the WebLogic Domain menu (right pane) go to Security -> Security Provider Configuration. Click the Configure button in the Keystore section.

Use ./server.jks in the Keystore Path field and serverKey in the Key and Crypt Alias fields. Use welcome for all the password fields.

We need to do the same on the JAX-WS server, but with the following values:
Use ./saml.jks in the Keystore Path field and samlKey in the Key and Crypt Alias fields. Use welcome for all the password fields.

Add a user named client with weblogic1 as password in the myrealm security realm of the SOA Suite server. Do the same on the JAX-WS server, but with welcome1 as password (the passwords differ on purpose: the JAX-WS side trusts the signed SAML token and never checks the password).

Restart all the servers.

We can test the SAML setup by generating a web service client proxy in JDeveloper. Here is an example of how I add the client credentials.

That is all for the basic SAML test.

How to change the SAML issuer name.
The default SAML issuer name is www.oracle.com. We can change this on the JAX-WS server. For this we need to go to the EM application of the JAX-WS server. Open the WebLogic Domain tree node and select your JAX-WS domain. In the WebLogic Domain menu (right pane) go to Security -> Security Provider Configuration. Click the Configure button in the Advanced section.

Here we can change the name attribute of the saml.trusted.issuers.1 property to www.amis.nl and click OK. This changes the default trusted issuer for all the SAML login modules; if you only want to change it for SAML 1.1 and not for SAML 2, open the saml.loginmodule instead (located under Security Provider Configuration) and change it there. That adds an extra trusted-issuer property next to the one for www.oracle.com.
You will need to restart the WebLogic server.

We also need to change an attribute on the reference web service binding of the SOA composite. Select the reference binding and right-click it to open the Configure WS Policies menu.

Click the pencil to override saml.issuer.name and use www.amis.nl.

Deploy the composite and re-test it with the JDeveloper WS proxy client.

Allow only trusted SAML clients
In the current setup every certificate in the saml.jks keystore can sign a SAML token. In this part we restrict this to "CN=server, C=US" only, which is the DN of the signing certificate on the SOA Suite server.

Go to the Enterprise Manager (EM) application of the JAX-WS server. Open the WebLogic Domain tree node and select your JAX-WS domain. In the WebLogic Domain menu (right pane) go to Web Services -> Platform Policy Configuration.

Go to the Trusted SAML clients tab and add a new Trusted Issuer called www.amis.nl.
Select the just created Trusted Issuer, add a Trusted SAML Client and use CN=server, C=US as value.

Restart the JAX-WS server; from now on only CN=server, C=US can sign the SAML token.

SAML Identity switching
In this part of the blog post we change the identity in the SAML token. In the previous examples we used client as username and this was passed on to the JAX-WS server. We will override this on the SOA Suite server: in our test client we now use weblogic as username and switch it to client in the SOA composite.
Open the Mediator of the SOA composite, where we add an Assign to the request part of the routing rule.

Here we need to add the javax.xml.ws.security.auth.username property with client as value.

We also need to change the OWSM client policy on the reference web service binding to oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy.

Deploy your composite.

Too bad, this is not enough: we also need to give the SOA composite the permission to do identity switching. Go to the Enterprise Manager (EM) application of the SOA Suite. Open the WebLogic Domain tree node and select your SOA domain. In the WebLogic Domain menu (right pane) go to Security -> System Policies.

Select Codebase as Type and search. Select a Codebase policy and click Create Like.

Use file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar as value in the Codebase field and click on Edit.

Enter oracle.wsm.security.WSIdentityPermission in the Permission Class field. The action is always assert. The Resource Name is the name of the composite that does the identity switching; keep it specific to that composite, because the grant allows the named composite to assert any username in the outgoing SAML token.


Virtual Users with User roles
The last part is virtual users. In this section we add some roles and change some attributes on the client user of the SOA Suite. Change the policy on the composite reference back to oracle/wss11_saml_token_with_message_protection_client_policy and use client as username in the web service proxy client again.

First change some client user attributes. We can do this in the security realm of the SOA Suite WebLogic Domain.


Normally the SAML subject is only mapped onto the user located on the JAX-WS server. To make virtual users work we need to add a property to the saml.loginmodule on the JAX-WS server. For this we need to go to the EM application of the JAX-WS server. Open the WebLogic Domain tree node and select your JAX-WS domain. In the WebLogic Domain menu (right pane) go to Security -> Security Provider Configuration.

Click on Edit and add a custom property oracle.security.jps.assert.saml.identity with value true.


Restart the JAX-WS WebLogic server.

We also need to do something in the SOA composite.
Override the following properties (in the same way as saml.issuer.name above):

user.attributes with value displayname,employeenumber (use a comma to separate the LDAP attributes you want to pass on)
user.roles.include with value true
subject.precedence with value true

Deploy the composite and run your test client. You will see the following output on the JAX-WS server.


virtual found
saml issuer: www.amis.nl

SAML attribute: employeenumber
value: 100

SAML attribute: Roles
value: Operators
value: AdminChannelUsers
value: IntegrationOperators
value: IntegrationMonitors
value: Monitors

SAML attribute: displayname
value: SAML client
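The checks from the "change the SAML issuer name" and "Allow only trusted SAML clients" sections, and the virtual-user behaviour behind the output above, modelled in Python as an added example. This is not code from the post or from Oracle: it parses a constructed SAML 1.1 assertion with the standard library and applies the policy logic (issuer must be trusted, the signing certificate's DN must be a trusted SAML client of that issuer, and the subject is either mapped onto a local user or asserted as a virtual user carrying the token's roles and attributes). The XML signature check and the extraction of the signer's certificate DN are assumed to have been done by the message-protection layer, so the DN is passed in as a parameter; the function names, the urn:constructed:attrs attribute namespace and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Trusted issuers and, per issuer, the certificate subject DNs allowed to sign
# for it: the EM "Trusted SAML clients" tab from the post, as a dict.
TRUSTED_CLIENTS = {"www.amis.nl": {"CN=server, C=US"}}

# Users known in the receiving (JAX-WS) domain. No password is kept: a trusted
# assertion is accepted on the strength of its signature, never on a password.
LOCAL_USERS = {"client"}

# Constructed sample assertion (Signature element omitted), shaped like a token
# sent with user.attributes=displayname,employeenumber and
# user.roles.include=true; the AttributeNamespace value is an assumption.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="constructed-1"
  Issuer="www.amis.nl" IssueInstant="2011-08-22T10:00:00Z">
 <saml:AttributeStatement>
  <saml:Subject>
   <saml:NameIdentifier>client</saml:NameIdentifier>
   <saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Attribute AttributeName="employeenumber" AttributeNamespace="urn:constructed:attrs">
   <saml:AttributeValue>100</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="Roles" AttributeNamespace="urn:constructed:attrs">
   <saml:AttributeValue>Operators</saml:AttributeValue>
   <saml:AttributeValue>AdminChannelUsers</saml:AttributeValue>
   <saml:AttributeValue>IntegrationOperators</saml:AttributeValue>
   <saml:AttributeValue>IntegrationMonitors</saml:AttributeValue>
   <saml:AttributeValue>Monitors</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="displayname" AttributeNamespace="urn:constructed:attrs">
   <saml:AttributeValue>SAML client</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


class SamlRejected(Exception):
    """The assertion failed one of the policy checks."""


def parse_assertion(xml_text):
    """Return (issuer, name identifier, {attribute: [values]}) of a SAML 1.1 assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1:
        raise SamlRejected("not a SAML 1.1 assertion")
    issuer = root.get("Issuer")
    name_id = root.find(".//{%s}NameIdentifier" % SAML1)
    if not issuer or name_id is None or not (name_id.text or "").strip():
        raise SamlRejected("assertion lacks Issuer or NameIdentifier")
    attributes = {}
    for attr in root.iter("{%s}Attribute" % SAML1):
        values = [v.text for v in attr.findall("{%s}AttributeValue" % SAML1)]
        attributes[attr.get("AttributeName")] = values
    return issuer, name_id.text.strip(), attributes


def validate(xml_text, signer_dn, assert_saml_identity=False):
    """Apply the service-side checks and return the resulting identity.

    signer_dn: subject DN of the certificate that signed the message (assumed to
    come from the message-protection layer after a successful signature check).
    assert_saml_identity models oracle.security.jps.assert.saml.identity=true.
    """
    issuer, username, attributes = parse_assertion(xml_text)
    trusted_dns = TRUSTED_CLIENTS.get(issuer)
    if trusted_dns is None:
        raise SamlRejected("untrusted SAML issuer: " + issuer)
    if signer_dn not in trusted_dns:
        raise SamlRejected("%s is not a trusted SAML client of %s" % (signer_dn, issuer))
    if assert_saml_identity:
        # Virtual user: the subject is built from the token, so the roles and
        # attributes the client policy added become visible to the service.
        attrs = dict(attributes)
        return {"user": username, "issuer": issuer, "virtual": True,
                "roles": attrs.pop("Roles", []), "attributes": attrs}
    if username not in LOCAL_USERS:
        raise SamlRejected("unknown user: " + username)
    # Default: the name is mapped onto the local user; token attributes are dropped.
    return {"user": username, "issuer": issuer, "virtual": False,
            "roles": [], "attributes": {}}


def describe(identity):
    """Render an identity as lines like the ones the post's JAX-WS service printed."""
    lines = ["virtual found" if identity["virtual"] else "local user found",
             "saml issuer: " + identity["issuer"]]
    items = list(identity["attributes"].items())
    if identity["roles"]:
        items.append(("Roles", identity["roles"]))
    for name, values in items:
        lines.append("SAML attribute: " + name)
        lines.extend("value: " + v for v in values)
    return lines


if __name__ == "__main__":
    print("\n".join(describe(validate(SAMPLE_ASSERTION, "CN=server, C=US", True))))
    try:  # a token signed with the JAX-WS server's own key is not a trusted client
        validate(SAMPLE_ASSERTION, "CN=saml, C=US", True)
    except SamlRejected as err:
        print("rejected:", err)
```

Run it to see the attribute lines for the trusted case followed by the rejection of a token signed by the wrong certificate; the same rejection path fires for an unknown issuer, and, without the assert.saml.identity property, for a subject that does not exist in the receiving domain.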





53 comments:

  1. Thank you for an article!
    I have a question about similar situation: an ADFS+AD server and WebLogic with bpel needed to be protected with adfs SAML tokens.
    A question i have: how Weblogic maps his own users-groups (created in wl /console) with ActiveDirectory users-groups? Where to configure this mapping?

  2. Hi,

    Did you read this http://biemond.blogspot.com/2011/10/using-fmw-identitystore-for-your-user.html

    is your AD authenticator the first authenticator in the weblogic console.

    thanks

  3. It looks similar.
    I have been thinking its can be done inside wl/console.
    Thank you!

  4. Great article.

    I have a question. Where you have HelloService, I have Sharepoint web service. Which needs Kerberos authentication.

    How can I provide the credentials for Kerberos authentication for the Sharepoint web service in External References?

    Do you have any example for that like this one?

    Thanks

    Rakesh

  5. Hi,

    For sharepoint I think you need to enable saml on that server or use OWSM this support kerberos.

    like I did in this blog http://biemond.blogspot.com/2011/09/using-owsm-kerberos-policies.html

    thanks

  6. Edwin,
    thanks for contributing openly with your examples and advise.

    After setting up the "basic SAML test" according to your prescribed scenario and with your code we have run into a message on one of the servers looking for 'orakey' in one of the requests made by components involved.

    Would you know if there is any extra configuration needed? Oracle documentation mentions this key/alias as WebCenter required. Would it have gotten overwritten with the keystore setup according to the prescribed above steps?


    Thanks

    Replies
    1. Hi,

      It is a OWSM setting and orakey is the default value , this key is in the OWSM credential store . When you configure the key for signing and encryption then these values are added.

      Good luck

  7. Hi Edwin, thanks for your examples, have been very useful for me.
    Excuse my bad writing of English. I have a question:

    I have an scenario with 2 Weblogic Domains, the first have a Oracle Portal and the second is a SOA Domain.

    Between the 2 domains there is a configuration of SSO using SAML, from the portal is invoked an ADF Application deployed in the SOA Domain, this app no longer requires the credentials because of the SSO configuration.

    In the OSB of the SOA Domain there is a Proxy Service with the OWSM Policy "oracle/wss11_saml_token_with_message_protection_service_policy" attached; I want to consume this service from the ADF App or from a BPM Process propagating the same credentials of the user authenticated in the ADF Application.

    Is this possible Edwin?, I have tried with a Web Service Data Control in the ADF App and configuring the Web Service Security with the policy required and overriding the property csf-key and it works. But I require to consume the service with the credentials of the user authenticated and not with the key "csf-key" configured.

    I hope I have explained the problem correctly.

    Thank you!!

    Replies
    1. Hi,

      When you are authenticated in the adf Application, then, the user subject is automatically provided to the ws. When you an OWSM policy with a user name token it should work. You got everything on one domain so why don't you use username token instead of saml , the username of the saml sso will be used. Of course the user also need to exist on the SOA domain. So between portal and adf you use saml sso and on the OSB use username token policies.
      Don't know why you need to override Csf key , what username do you get on the OSB service. Saml is good for making a trust between 2 domain . Within one domain you can use username token policies and maybe with message protection ,for this you need to configure OWSM keystores.

      Thanks

    2. Thanks Edwin,

      I did a test. I attached a policy without message protection, the "oracle/wss_username_token_service_policy" OWSM Policy to my proxy Service. In the ADF Application this WS is invoked from a backing bean, using the code generated by a Web Service Proxy, the code is like:

      SecurityPoliciesFeature securityFeatures = new SecurityPoliciesFeature(new String[] { "oracle/wss_username_token_client_policy" });

      RequisitosService requisitosService = requisitosService_Service.getRequisitosServicePort(securityFeatures);

      requisitosService.getRequisitosProductos.doOperation();


      I'm authenticated in the ADF Application, but the credentials are not provided to the WS. In the log appears the next message "oracle.wsm.common.sdk.WSMException: WSM-00015 : The user name is missing"

      If I aggregate the credentials in the code of the backing bean:

      reqContext.put(BindingProvider.USERNAME_PROPERTY, "weblogic");
      reqContext.put(BindingProvider.PASSWORD_PROPERTY, "welcome1");

      It works; but what I need is the credentials to propagate automatically and not programmatically.

      It is possible?

      Thanks in advance...

    3. Hi,

      the trick is when you use OPSS then it should work with ADF security and OWSM see http://docs.oracle.com/cd/E21764_01/core.1111/e10043/underjps.htm#BABBFFDC

      What do you use as authentication provider, do you use the internal wls ldap one ( this is the OPSS one ) and is the adf app deployed to the soa suite server or at least the same domain. else you need to enable cross domain security and use the same domain password )

      Can you test this.

      You can add your own ldap server as authentication provider and enable ovd. this should also work.
      http://biemond.blogspot.com/2011/10/using-fmw-identitystore-for-your-user.html

      hope this helps. I will also make a testcase.

    4. Hi,

      it looks we need to use a SAML OWSM policy, this allows us identity propagation between ADF and OWSM. I will try to make a testcase where ADF and SOA are on the same domain.

    5. Ok,

      i got it working on the same domain or on 2 domains

      first deploy your jax-ws service or soa suite service with the following policy
      oracle/wss11_saml_token_with_message_protection_service_policy

      then deploy this to the soa server or the saml server.

      Go to the ADF app which has ADF Security
      create a adf ws datacontrol and provide the ws url. ( or ws proxy client )
      select the datacontrol.dcx file and change the security settings in the structure window. click on the ws and use right click -> define ws security

      select the right owsm client policy -> wss11_saml_token_with_message_protection_client_policy

      and override properties
      saml.issuer.name = www.oracle.com (default ) or your own
      ikeystore.recipient.alias = samlkey when you use above example or serverkey when you use it on 1 domain.

      deploy it on the soa suite domain and log in , start it up and invoke service client

      then you see the username is passed on ( protected ) .

      I will make a blog about it.

      thanks Edwin.

    6. Thank you very much Edwin.

      I was doing the same thing, and now it works!, I invoke the Proxy Service in 2 ways:

      1. Using the code generated by a Web Service Proxy in a backing bean in the ADF App.

      2. Using a WS Data Control like you explain me.

      Thanks Edwin, i hope we keep in touch!!!

  8. Hello!
    I use WebLogic Sever as service provider and OWSM saml-based security policies. I want tags (from inbound request) involve in validation process. How can I validate values by means of OWSM saml_service_policy (or saml_bearer_over_ssl_policy is better)?
    I find "user.attributes" property in policy setting's, but don't sure that is enough. Also I read You and several other blog's and find something about overriding "Default Name Mapper Class" in identity asserter settings. What way I must look? Must I write something like CustomIdentityAssertionAttributeMapperImpl for AttributeStatement validation? Or enough only configure OWSM settings and policy parameters?

    Thanks for any help.
    Hal

    Replies
    1. Hi,

      user.attributes , roles only passes on these values , you need to make your own validator.
      Sorry I don't have experience on creating your weblogic validator.

      thanks

  9. Hi,

    I've created a WebService for an ADF application (using JDeveloper 11.1.1.4.0) by exposing in the Service Interface of an Application Module some few methods.
    The requirements of my task are: the WebService has to be deployed in a WebLogic server, to be protected by SSO (using OSSO) and to use it from another ADF application (that is also protected by SSO).
    I am new in WebServices and in SSO configurations, so please let me know if you can help me with the following questions:
    1. There are any special configurations or methods to protect a WebService with OSSO? I managed to protect the WebService by adding a rule for protecting his URL (like any other web application), this is enough?
    2. The ideal case for me would be to login in the ADF application, by using the SSO credentials, and when the action that calls the WebService method is performed, then no other credentials to be asked from the user. This is possible? Do I need to use a security policy for this, if yes, then what security policy?

    At the beginning of this task I thought that is enough just to protect the URL of the WebService, but is clearly that I was wrong because when I call the Web Service from the consuming application (using a WebService Data Control) I have the following error:
    oracle.j2ee.ws.saaj.ContentTypeException: Not a valid SOAP Content-Type: text/html; charset=iso-8859-1
    Not a valid SOAP Content-Type: text/html; charset=iso-8859-1

    Thank you and best regards,
    Alex

    Replies
    1. Hi,

      Just protect your web service with a saml OWSM policy and implement adf security in your web application.
      Like described in my blog about identity propagation with OWSM.

      Saml is the only way for identity propagation..

      Good luck

    2. Hi Edwin,

      Thank you for your feedback! The problem is that my consuming application has it's own authentication and authorization mechanism (using a filter).
      Therefore implementing the adf security ( running the "Configure ADF Security..." wizard from JDeveloper) is not a solution for me.

      Instead using Web Services, is possible to achieve this by creating an EJB Session Bean on my application module?

      Best regards,
      Alex

    3. hi,
      you must use the container security else it is hopeless to pass on subject, principal. what do you mean with filter.

  10. We are getting the following when we followed the same approach
    WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject.
    I am not sure why request is going with anonymous user. This error we are getting client side.
    Can you please let us know how we can attach user name?

    Replies
    1. Hi,

      Do you authenticate on the client side , provide an username , password and then this username will be used.

      thanks

  11. Hi,

    Please let me know your comments on my requirement specified below.

    1. Domain1 (with em and owsm enabled)
    2. Domain2 (contains SoaSuite11.1.1.5).
    3. Domain1 has my custom web application which has worklist client code (soap client contains
    wss11_saml_token_with_message_protection_client_policy)
    4. It calls humantask application (wss11_saml_token_with_message_protection_service_policy)
    deployed in Domain2.
    5. jks files are copied in to both domains config folders, updated keystore info in both
    domains using em as you specified.

    So in order to work this setup, Do we need to have users information (ex: user jstein should be available in Domain1 and Domain2 'users and groups' section) in both domains?

    Because currently I have list of users in database which my custom web app uses in Domain1 and
    I have duplicated the same db users in Domain2 myrealm which human task application uses.

    Please provide your valuable inputs.

    Thanks in advance.

    Replies
    1. Hi,

      yes you can use the same users on domain 1 or 2 , the password does not matter. Or you can enable virtual users. I made a blogpost about this, don't know if this works in OWSM.
      By the way for FMW when you use your own authenticator then it should be a ldap one and use the virtualize parameter, or create the users in the weblogic ldap or use Oracle virtual directory then you can the sql authenticator again.

      thanks

  12. Hi,

    After doing the above specified setup (the previous query), I am getting following exception at client side domain. The same I asked in otn https://forums.oracle.com/forums/thread.jspa?threadID=2414330&tstart=15 but no help :(
    Please let me know where I am doing wrong

    Thanks,
    Cdhar


    ...initialising the Task Query Service
    Got wfSvcClient oracle.bpel.services.workflow.client.SOAPWorkflowServiceClient@15a0cbc
    Got taskQuerySvc oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient@fa1dcc
    createContext oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient@fa1dcc jstein

    <Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.client, application=MyWebApp, composite=null, modelObj=TaskQueryService, policy=oracle/wss11_saml_token_with_message_protection_client_policy, policyVersion=null, assertionName={http://schemas.oracle.com/ws/2006/01/securitypolicy}wss11-saml-with-certificates.
    oracle.wsm.common.sdk.WSMException: WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject.
    at oracle.wsm.security.policy.scenario.executor.Wss11SamlWithCertsScenarioExecutor.sendRequest(Wss11SamlWithCertsScenarioExecutor.java:170)

    Replies
    1. Hi,

      Did you authenticate with a username , password then this username will be passed on in the saml token.

      thanks

  13. Hi,

    Thanks for your reply. I am passing the username and pwd using worklist authenticate method which was authenticated against db by my web app initially. Please find clear information specified below.

    1. User1 log in to my web app which has been authenticated against oracle db (the same web app works in different app server environments weblogic, websphere so there is no app server dependency for authentication)
    2. one of the functionality of the web app is to show human tasks, so the worklist client code developed as separate project and added in web-inf/lib as jar
    3. After User1 log in to the web app I am passing the same to human task app using worklist api (the same user available in both domain realms). Please find my sample code as below.

    wfsc = WorkflowServiceClientFactory.getWorkflowServiceClient(WorkflowServiceClientFactory.SOAP_CLIENT, getProperties(), null);
    taskQuerySvc= wfsc.getTaskQueryService();
    wfCtx = taskQuerySvc.authenticate(user, USER_PASSWORD.toCharArray(), "myrealm");// This line throwing the specified error


    getProperties() method code:
    propertiesMap.put(IWorkflowServiceClientConstants.CONNECTION_PROPERTY.SOAP_END_POINT_ROOT,
    "http://localhost:7001");
    propertiesMap.put(CONNECTION_PROPERTY.SOAP_IDENTITY_PROPAGATION,"saml");
    propertiesMap.put(CONNECTION_PROPERTY.SOAP_IDENTITY_PROPAGATION_MODE,"dynamic");
    propertiesMap.put(CONNECTION_PROPERTY.SECURITY_POLICY_URI,"oracle/wss11_saml_token_with_message_protection_client_policy");
    propertiesMap.put(CONNECTION_PROPERTY.MANAGEMENT_POLICY_URI,"oracle/log_policy");
    return propertiesMap;


    Please let me know how to resolve this.

    Thanks,
    cdhar

    Replies
    1. Hi,

      is the username know on the soa suite server , is it the first authenticator or did you enable the virtualize parameter , is it a ldap and does it work in the bpm worklist app.

      thanks

  14. Hi Edwin,

    Thanks for your response.
    Yes the username is known to soa suite server as it is available in server realm.
    Yes It is first authenticator against weblogic ldap. I did not enable virtual parameter.
    The worklist application works fine if SOAP_IDENTITY_PROPAGATION is non-saml.

    So I think I have to authenticate the username against weblogic ldap before calling worklist authenticate method in saml mode.
    Since the previous approach is giving error Now I was trying 2 different approaches.

    Approach 1:

    1. Get the httpRequest of my webapp in side my worklist client class
    ExternalContext extcontext = FacesContext.getCurrentInstance().getExternalContext();
    HttpServletRequest httpRequest = ( HttpServletRequest )extcontext.getRequest();
    2. Authenticate against ldap using weblogic security api to populate REMOTE-USER in httpRequest
    ServletAuthentication sAuth = new ServletAuthentication(null,null);
    int i = sAuth.assertIdentity(httpRequest, httpResponse, "myrealm");
    3. Create worklist workflow context using createContext (I believe this looks for REMOTE USER value in httpRequest and return the workflow context) instead of authenticate method
    ctx = taskQuerySvc.createContext(httpRequest);
    // ctx = taskQuerySvc.authenticate(user, USER_PASSWORD.toCharArray(), REALM_NAME);

    Approach2:

    1. Does the following code supported by worklist api
    prop.put(CONNECTION_PROPERTY.SECURITY_POLICY_URI,"oracle/wss_username_token_client_policy");
    prop.put(CONNECTION_PROPERTY.SECURITY_POLICY_URI,"oracle/wss11_saml_token_with_message_protection_client_policy");

    Since I want to do username authentication first and then execute saml stuff, Is it possible to execute both policies at once?

    Your example specified here is working fine since it is doing username authentication (username policy) and then doing saml (saml policy) one after another. In my case both username and saml should execute at first 'exposed service' of my composite application or user should be authenticated before reaching the 'exposed service'.

    Please provide your inputs as this is bit urgent.

    Thanks,
    Cdhar

    Replies
    1. Hi,

      Can you do adf security first on the adf application and then call the saml policy , that should work. like in this blog
      http://biemond.blogspot.nl/2012/02/identity-propagation-with-owsm.html

      thanks

  15. Hi Edwin,
    I have a Proxy Service based on WSDL. The client call the WS with a SAML encoded in Base Auth (not in SOAP-header). The SAML contains attribute like roles, name, ... and I need to know these informations in my WS.
    How can I read these Informations in my WS ? How to configure the Server ? With OWSM ?

    thanks
    Yves

    Replies
    1. Hi,

      you can't do this , maybe you can read some soap or http header properties in BPEL. like I describe here
      http://biemond.blogspot.nl/2012/04/retrieve-or-set-http-header-from-oracle.html

      thanks

  16. Hi Edwin,

    I have the following scenario: ESB -> BPEL1 -> BPEL2 -> BPEL3
    In ESB composite.xml, ESB endpoint is secured with "oracle/wss_username_token_service_policy". I call the ESB with WSS Username Token and password.
    BPEL1 reference WS is secured with "oracle/wss11_saml_token_with_message_protection_client_policy".

    In BPEL1 composite.xml, BPEL1 endpoint is secured with "oracle/wss11_saml_token_with_message_protection_service_policy".

    And so on, until BPEL3.
    They are all in different composites.

    I create my own self signed certificate issued by "myIssuer". I import the root CA and the self signed certificate in the keystore. This is located in DOMAIN_HOME/config/fmwconfig.

    For all reference WS, I add:
    myIssuer

    Also, for all service endpoints I add:


    So it's setup exactly like you suggested.
    However, when I test it, I get the same error as the guys above:
    oracle.wsm.security.SecurityException: WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject

    I do authenticate at ESB endpoint with wss username/password. Username is "weblogic". It seems SAML sends the username token correctly ESB -> BPEL1 -> BPEL2 but here it fails with WSM-00263 and I'm unable to connect to BPEL3 endpoint.

    Any idea how to debug this?
    Can I check if javax.xml.ws.security.auth.username is "weblogic" during the entire flow?

    Thank you,
    Catalin

    Replies
    1. Hi,

      indeed this is correct , username + password on the ESB service are validated, and the username is passed on in the saml token for BPEL1. Don't know if identity propagation with saml works. I think you need to set the username, password again on the BPEL 1 reference service

      but when you are inside the soa server (everything after BPEL1) you can switch to a normal saml policy or use another secure policy which is based on the private and public key.

      thanks

  17. I am trying use your sample as the basis for connecting from BPEL to Oracle EBS Integrated SOA Gateway service.
    Instead of using a JAX-WS as a end point, I am using EBS SOA Gateway. I have tested the EBS webservice from a SOAP UI using SAML encryption.
    I am trying to do the same from BPEL. Do you have any specific process for that. If not at least can you please explain the part talks about "Security -> System Policies for the SOA Domain". What codebase do I need to use?

    Replies
    1. Hi,

      you need to use the right SAML OWSM client policy on the reference adapter and configure the EM with your certificates, like you did in SoapUI.
      Maybe you need to change the OWSM client policy so it matches the server policy.

      thanks

  18. Hi, Edwin:

    on February 15, 2012 9:54 PM, you mentioned that you will create a blog on the identity propagation from ADF security to OWSM (see the text I copied below). Do you have the link to this blog post?

    I have an additional question on how the identity can be propagated from WebCenter to OWSM.

    Thanks
    Ken


    =================
    Ok,

    i got it working on the same domain or on 2 domains

    first deploy your jax-ws service or soa suite service with the following policy
    oracle/wss11_saml_token_with_message_protection_service_policy

    then deploy this to the soa server or the saml server.

    Go to the ADF app which has ADF Security
    create an ADF WS datacontrol and provide the WS URL (or WS proxy client)
    select the datacontrol.dcx file and change the security settings in the structure window. Click on the WS and use right click -> define WS security

    select the right OWSM client policy -> wss11_saml_token_with_message_protection_client_policy

    and override properties
    saml.issuer.name = www.oracle.com (default) or your own
    keystore.recipient.alias = samlkey when you use the above example or serverkey when you use it on 1 domain.

    deploy it on the SOA Suite domain and log in, start it up and invoke the service client

    then you see the username is passed on (protected).

    I will make a blog about it.

    thanks Edwin.

    Replies
    1. Hi,

      indeed you mean like this http://biemond.blogspot.nl/2012/02/identity-propagation-with-owsm.html

      For webcenter , you need to be authenticated and call a SAML protected OWSM service.

      thanks

  19. Hi Edwin,

    I have an XML gateway which does the LDAP authentication and sends a signed SAML assertion (not encrypted, only signed) to an Oracle SOA 11g Server. Also I get the public key in the input request itself. I need to use an OWSM policy to do SAML assertion on the Oracle SOA 11g. Can I use the OWSM policy "SAML token with message protection"? I don't have the sender's public certificate (x509) in the keystore but instead I get it in the input request itself. Could you please help me on how to handle this.

    Replies
    1. Hi,

      I think you need to build your own OWSM policy; in this everything is possible. The current OWSM policies need all the keys inside a keystore.

      Thanks

  20. Hi Edwin,

    It is a really great post with a clear explanation.
    I was trying to implement a prototype with a similar requirement:
    I have implemented one SCA service in place of JAX-WS, else everything is the same.

    But I am getting following error :

    oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: Client received SOAP Fault from server : Unable to invoke endpoint URI "http://172.17.30.192:8001/soa-infra/services/default/SAMLSCAApplication!1.0*soa_a95b5561-3c2e-4339-a301-ec79172914ad/bpelprocess1_client_ep" successfully due to: oracle.fabric.common.PolicyEnforcementException: WSM-00276 : Validation failed for the identity published in the WSDL endpoint "http://172.17.30.192:8001/soa-infra/services/default/SAMLSCAApplication!1.0*soa_a95b5561-3c2e-4339-a301-ec79172914ad/bpelprocess1_client_ep". Caused By: oracle.wsm.security.SecurityException: WSM-00138 : The path to the certificate is invalid. Validation failed for the certificate "Subject DN:- CN=saml, C=US, Serial Number:- 1373350479, Issuer DN:- CN=saml, C=US" Certificates in cert path used for validation are:- "Subject DN:- CN=saml, C=US, Issuer DN:- CN=saml, C=US" at


    I tried my best but could not figure out what I am missing here to make it work. It will be great help if you can assist me to resolve my problem.


    Thanks,
    Nitil

    Replies
    1. Hi,

      looks like you need to import this cert also in the truststore, and is the SCA service running on a different domain?

      Thanks

  21. Hi Edwin,

    Many thanks for your great post with a clear explanation.
    I was trying to develop a proof of concept for a client:
    I have implemented one BPEL service in place of JAX-WS, rest everything the same.

    But I am getting following error :
    Unable to invoke endpoint URI "http://172.17.30.192:8001/soa-infra/services/default/SAMLSCAApplication!1.0*soa_a95b5561-3c2e-4339-a301-ec79172914ad/bpelprocess1_client_ep" successfully due to: oracle.fabric.common.PolicyEnforcementException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read)

    I tried my best but could not figure out what I am missing here to make it work. It will be great help if you can assist me to resolve my problem.

    Regards,
    Bharat

    Replies
    1. Hi,

      can you check in the EM if you have this key, and are you doing identity switching like this:
      right permissions to do identity switching. Go to the Enterprise Manager (EM) application of the SOA Suite. Open the WebLogic Domain treenode and select your SOA domain. In the Domain menu (right window) go to Security -> System Policies.

      Thanks

  22. Thanks Edwin !

    I am using WebLogic 12c and SAML20. Done SAML20 using your earlier article. Two applications in source and destination domains work well.

    - Now I want to add "Oracle Web Service" with OWSM SAML20 policy to the destination (SP) domain.
    - I can't use any service bus (is it possible without ESB)?

    I guess I just need to add "New WebService Identity Provider Partner" in destination domain, any more hints please ?

    I am getting
    weblogic "No Handler" for OWSM Security Policy found exception

    only if I use class annotation:
    @SecurityPolicy(uri = "oracle/http_saml20_token_bearer_service_policy")

    What's wrong? Missing some jar? Or Oracle ESB?

    Very big *please* to help... no resources on web for this exception.

    Replies
    1. Hi,

      Did you install EM on your WebLogic domain together with an MDS repository, or use WebLogic 11g with OSB and the OWSM add-on?

      Application SAML SSO is not the same as WS SAML 2; you need to have a SAML OWSM WS client to call this protected service

      Thanks

  23. Hi Edwin,

    First of all thanks for the article and overall nice posts.

    I'm trying to perform dynamic identity switching on OSB Business Services.
    Apparently there is no way to set the javax.xml.ws.security.auth.username property, and the policy always falls back to the CSF.

    Are you aware of any way to achieve this?

    The use case is that sometimes the identity is to be propagated, others to use a service account which resides on CSF, but some others the value needs to be extracted from payload, and on the receiving end there is an OSB or SOA WS protected OWSM + SAML.

    Thanks

    Replies
    1. Hi,

      I don't think a policy is that flexible.

      Thanks Edwin

  24. Hi Biemond

    This is a wonderful post. I'm absolutely new to security, and this explained it very clearly.
    I have a scenario where my OSB service is a pure passthrough. I have oracle/wss10_saml_token_service_policy at the Proxy and oracle/wss10_saml_token_client_policy at the BusinessService (with a credential key) side.
    It's working without establishing trust (importing keystore/certificate). Is it that for simple policies, trust is not required?
    I've explained it clearly in the Oracle forum https://community.oracle.com/thread/3520733

    Would you please check it?

    Regards
    Ravi

  25. Hi Biemond,

    I am testing signed SAML from SoapUI to be verified on OSB (11.1.1.6) with OWSM wss_saml20_token_over_ssl_service_policy. Signed SAML fails on OSB.
    I see
    Caused By: java.lang.NullPointerException
    at oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor.verifyAssertionIssuerCert(WssSamlTokenProcessor.java:8299

    Any pointers to resolve this

    Thanks
    SG

  26. Hi Edwin,

    I have a similar problem to Jose.

    In my case, I have a tasklist adf application that invokes an OSB service via a managed bean.

    The OSB service is secured with oracle/wss10_saml20_token_client_policy and this is something I cannot change because it is an established service.

    I followed your example above to generate web service proxy code and proceeded to set the username and password with the requestContext.

    My code works fine when I run it in Jdeveloper but when I deploy it to the SOA suite server and it is executed from the managed bean, it always throws the following exception

    WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject

    I don't understand why the username and password I have set do not seem to be enforced somehow.

    Is there a trick to get this working from an ADF application? I am not interested in propagating the ADF user credentials. Is there a way to do this?

    Your help is very much appreciated.

    Thanks

    Johnny

    Replies
    1. Actually my problem is different to Jose. When I invoke the SAML secured web service from my ADF application, it is ignoring the username and password setting in my code and using the ADF login instead. How can I stop this from happening?

      Thanks

      Johnny

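The identity question that runs through comments 16, 18 and 26 (which user ends up in the SAML assertion when the OWSM client policy is used from inside an already authenticated server thread, and why the username property seems to be ignored there) as an added example; this is not code from the post or from Oracle, and it is written from the editor's side of the thread. It uses a JAX-WS Dispatch client with the OWSM client policy attached in code through weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature (the same policy the post puts on the reference binding), so no @SecurityPolicy annotation or JDeveloper proxy is needed. The WSDL URL, namespace and port names are placeholders, and passing the OWSM override properties (saml.issuer.name, keystore.recipient.alias, subject.precedence) as plain string keys in the request context is an assumption of this example.

```java
import java.io.StringReader;
import java.net.URL;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Dispatch;
import javax.xml.ws.Service;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

/**
 * Added example (not from the post): a JAX-WS Dispatch client that attaches the
 * OWSM SAML client policy in code and makes explicit which identity OWSM will
 * put into the SAML assertion.
 */
public class SamlDispatchClient {

    // Placeholder WSDL and port names; take the real values from the target WSDL.
    private static final String WSDL_URL =
        "http://soa-host:8001/soa-infra/services/default/MyComposite/bpelprocess1_client_ep?WSDL";
    private static final String NS = "http://xmlns.example.com/MyComposite/BPELProcess1";
    private static final QName SERVICE_NAME = new QName(NS, "bpelprocess1_client_ep");
    private static final QName PORT_NAME = new QName(NS, "BPELProcess1_pt");

    // Same OWSM client policy the post uses on the reference WS binding.
    private static final String SAML_CLIENT_POLICY =
        "oracle/wss11_saml_token_with_message_protection_client_policy";

    // OWSM override property names as they appear in the post and in EM;
    // passing them as plain string keys in the request context is an assumption here.
    private static final String SAML_ISSUER_NAME = "saml.issuer.name";
    private static final String RECIPIENT_ALIAS = "keystore.recipient.alias";
    private static final String SUBJECT_PRECEDENCE = "subject.precedence";

    /** Create the dispatch with the policy attached as a WebServiceFeature. */
    public static Dispatch<Source> createDispatch() throws Exception {
        Service service = Service.create(new URL(WSDL_URL), SERVICE_NAME);
        SecurityPolicyFeature feature = new SecurityPolicyFeature(SAML_CLIENT_POLICY);
        return service.createDispatch(PORT_NAME, Source.class, Service.Mode.PAYLOAD, feature);
    }

    /**
     * Decide which identity goes into the SAML assertion.
     *
     * Inside a container thread that already carries an authenticated Subject (an ADF
     * managed bean, a BPEL or OSB reference), OWSM asserts that Subject's principal and
     * ignores javax.xml.ws.security.auth.username. With no authenticated Subject at all
     * the policy reports WSM-00263 (anonymous principal). subject.precedence=false tells
     * OWSM to use the username property instead; that switch is only honoured when the
     * client codebase holds oracle.wsm.security.WSIdentityPermission, granted in
     * EM -> WebLogic Domain -> Security -> System Policies.
     */
    public static void configure(BindingProvider bp, String userToAssert,
                                 String issuer, String recipientAlias,
                                 boolean switchIdentity) {
        Map<String, Object> ctx = bp.getRequestContext();
        // No password is set: the SAML service side trusts the signed assertion, not a password.
        ctx.put(BindingProvider.USERNAME_PROPERTY, userToAssert);   // javax.xml.ws.security.auth.username
        ctx.put(SAML_ISSUER_NAME, issuer);                            // must be a trusted issuer on the service side
        ctx.put(RECIPIENT_ALIAS, recipientAlias);                     // service certificate alias used for message protection
        if (switchIdentity) {
            ctx.put(SUBJECT_PRECEDENCE, "false");                     // prefer the username property over the current Subject
        }
    }

    /** The username currently in the request context, the check asked about in comment 16. */
    public static String assertedUser(BindingProvider bp) {
        Object user = bp.getRequestContext().get(BindingProvider.USERNAME_PROPERTY);
        return user == null ? null : user.toString();
    }

    public static void main(String[] args) throws Exception {
        Dispatch<Source> dispatch = createDispatch();
        configure(dispatch, "weblogic", "www.oracle.com", "samlkey", true);
        System.out.println("SAML subject will be: " + assertedUser(dispatch));

        // Constructed payload; the real element comes from the composite's WSDL/XSD.
        String payload = "<ns:process xmlns:ns=\"" + NS + "\"><ns:input>hello</ns:input></ns:process>";
        Source response = dispatch.invoke(new StreamSource(new StringReader(payload)));
        System.out.println("response received: " + (response != null));
    }
}
```

When this runs from JDeveloper there is no container Subject, so the username property is used directly and the call works; deployed into a managed bean or a BPEL reference the authenticated Subject wins unless subject.precedence is false, and without the WSIdentityPermission grant the switch itself is refused. Comparing assertedUser() on the client with the subject logged by the service side is the quickest way to see where in an ESB -> BPEL chain the propagated identity changes.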