The following will be explained and configured in this blogpost.
- A basic SAML authentication with 2 OWSM Servers.
- Change the default SAML issuer name.
- Allow only trusted SAML clients.
- SAML Identity switching.
- Virtual Users with User roles.
Creating a working SAML setup.
For this we need two WebLogic domains, each with at least the Enterprise Manager web application deployed and the OWSM option enabled. For this demo I will use one domain with SOA Suite and one with only a WebLogic AdminServer, on which we will deploy a JAX-WS web service protected by an OWSM server policy. You can replace the SOA Suite domain with an OSB server (it works the same way). Every OWSM-enabled domain needs its own MDS repository to store the OWSM policies, and for SOA Suite you also need the soa-infra database repository.
This will be our setup.
- A client (soapUI or a WS client proxy) calls an exposed web service of a SOA Suite composite; the client has to provide a username token.
- The exposed service has oracle/wss_username_token_service_policy as OWSM server policy. The username token is validated by WebLogic, and the authenticated username is then carried in a SAML token signed with the signing certificate of the SOA Suite OWSM. The exposed service is wired to a Mediator with a simple routing rule.
- The Mediator is wired to the reference web service. This reference WS binding has oracle/wss11_saml_token_with_message_protection_client_policy as OWSM client policy.
- The reference WS binding calls a JAX-WS web service deployed on the other WebLogic domain; this web service has oracle/wss11_saml_token_with_message_protection_service_policy as OWSM server policy. OWSM validates the SAML issuer and signature and checks that the username exists in its realm (the password is irrelevant: the identity is trusted because the assertion is signed by a trusted key).
The SOA Composite I used.
The JAX-WS service
Before we can test this SAML service, we need to generate some keystores, configure OWSM and add some users to WebLogic.
Execute the following commands to generate two self-signed key pairs and exchange their certificates (so that each server trusts the other's signing certificate).
Go to the bin folder of your JDK.
cd c:\oracle\jrockit-jdk1.6.0_26-R28\bin
Generate a key pair and self-signed certificate for SOA (server.jks) and one for the JAX-WS server (saml.jks). The defaults used here (SHA1withRSA, the 1024-bit RSA key this JDK 6 keytool generates, the password welcome) are fine for a demo; for anything that stays running, add -keysize 2048, use -sigalg SHA256withRSA and choose real passwords.
keytool -genkey -alias serverKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=server, C=US" -keypass welcome -keystore c:\temp\server.jks -storepass welcome -validity 3650
keytool -genkey -alias samlKey -keyalg "RSA" -sigalg "SHA1withRSA" -dname "CN=saml, C=US" -keypass welcome -keystore c:\temp\saml.jks -storepass welcome -validity 3650
Export the certificates (the public keys).
keytool -exportcert -alias serverKey -storepass welcome -keystore c:\temp\server.jks -file c:\temp\server.cer
keytool -exportcert -alias samlKey -storepass welcome -keystore c:\temp\saml.jks -file c:\temp\saml.cer
Import each certificate into the other keystore (this establishes the trust).
keytool -import -alias serverKey -file c:\temp\server.cer -storepass welcome -keystore c:\temp\saml.jks
keytool -import -alias samlKey -file c:\temp\saml.cer -storepass welcome -keystore c:\temp\server.jks
Show the certificates in each keystore.
keytool -list -storepass welcome -keystore c:\temp\server.jks
keytool -list -storepass welcome -keystore c:\temp\saml.jks
Copy the server.jks to the config\fmwconfig folder of your SOA Suite domain. Do the same for the saml.jks keystore but then to fmwconfig of the JAX-WS server domain.
Go the Enterprise Manager (EM) application of the SOA Suite. Open the WebLogic Domain treenode and select your SOA domain. In the Domain menu (right window) go to Security -> Security Provider Configuration. Click on the Configure button in the keystore section.
Use ./server.jks in the Keystore Path field and serverKey for both the Key Alias and the Crypt Alias. Use welcome for all the password fields.
We need to do the same on the JAX-WS server, but with the following values.
Use ./saml.jks in the Keystore Path field and samlKey for both the Key Alias and the Crypt Alias. Use welcome for all the password fields.
Add a user with client as name and with weblogic1 as password in the myrealm security realm of the SOA Suite server. Do the same at the JAX-WS server but now use welcome1 as password.
Restart all the servers.
We can test the SAML setup by generating a web service client proxy in JDeveloper. Here is an example of how I add the client credentials.
That is all for the basic SAML test.
How to change the SAML issuer name.
The default SAML issuer name is www.oracle.com. We can change this on the JAX-WS server. Go to the EM application of the JAX-WS server, open the WebLogic Domain tree node and select your JAX-WS domain. In the Domain menu (right window) go to Security -> Security Provider Configuration and click the Configure button in the Advanced section.
Here we can change the name attribute of the saml.trusted.issuers.1 property to www.amis.nl and click OK. This changes the default trusted issuer for all SAML login modules; if you only want to change it for SAML 1.1 and not for SAML 2, open the saml.loginmodule instead (also under Security Provider Configuration) and change it there. This adds an extra trusted-issuer name next to www.oracle.com.
You will need to restart the WebLogic server.
We also need to override an attribute on the reference web service binding of the SOA composite. Right-click the reference binding and open the Configure WS Policies menu.
Click the pencil to override saml.issuer.name and use www.amis.nl.
Deploy the composite and re-test it with the jdeveloper ws proxy client.
Allow only trusted SAML clients
In the current setup any certificate in the saml.jks keystore can sign a SAML token. In this part we restrict this to "CN=server, C=US", the DN of the signing certificate of the SOA Suite server.
Go to the Enterprise Manager (EM) application of the JAX-WS server. Open the WebLogic Domain tree node and select your JAX-WS domain. In the Domain menu (right window) go to Web Services -> Platform Policy Configuration.
Go to the Trusted SAML clients tab and add a new Trusted Issuer called www.amis.nl.
Select the just created Trusted Issuer and add a Trusted SAML Client with CN=server, C=US as value.
Restart the JAX-WS server; now only a SAML token signed by CN=server, C=US is accepted for this issuer.
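To make the effect of the trusted-issuer and trusted-client settings concrete, here is an added example (my own Python, not code from this post and not OWSM's implementation) that models the two checks the JAX-WS side applies to an incoming SAML token: the Issuer must be a trusted issuer (the saml.trusted.issuers value from the previous section) and the DN of the signing certificate must be listed as a Trusted SAML client for that issuer. The trust table, the DN set in saml.jks and the function names are assumptions built from the values in this post; the real check is made on the token's XML signature, which this model leaves out.

```python
import re

# Trusted issuers as configured in the post: saml.trusted.issuers.1 changed
# from www.oracle.com to www.amis.nl on the JAX-WS domain (assumption: only
# that one issuer is trusted).
TRUSTED_ISSUERS = {"www.amis.nl"}

# Trusted SAML clients tab: issuer -> DNs of certificates allowed to sign
# tokens for that issuer. Only the SOA Suite signing certificate is listed.
TRUSTED_SAML_CLIENTS = {"www.amis.nl": {"CN=server, C=US"}}

# DNs present in saml.jks after the keytool import steps above. Note that the
# JAX-WS server's own certificate (samlKey) is in its truststore as well.
SAML_JKS_DNS = {"CN=saml, C=US", "CN=server, C=US"}


def normalize_dn(dn):
    """Canonical form for comparing RFC 4514 DNs: split on unescaped commas,
    strip whitespace around each RDN, upper-case attribute types and
    lower-case values, so 'cn=Server , c=us' equals 'CN=server, C=US'."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append(f"{attr.strip().upper()}={value.strip().lower()}")
    return ",".join(out)


def evaluate_token(issuer, signer_dn, restrict_clients,
                   truststore_dns=SAML_JKS_DNS,
                   trusted_issuers=TRUSTED_ISSUERS,
                   trusted_clients=TRUSTED_SAML_CLIENTS):
    """Decide whether a SAML token with the given Issuer, signed by the
    certificate with DN signer_dn, is accepted. Returns (accepted, reason).

    restrict_clients=False models the state before the Trusted SAML clients
    tab is filled in: any certificate in the truststore may sign.
    restrict_clients=True models the state after it: the signer DN must be
    listed for that issuer."""
    signer = normalize_dn(signer_dn)
    known = {normalize_dn(d) for d in truststore_dns}
    if signer not in known:
        return False, "signing certificate is not in the truststore"
    if issuer not in trusted_issuers:
        return False, f"issuer {issuer!r} is not a trusted SAML issuer"
    if not restrict_clients:
        return True, "accepted: any truststore certificate may sign"
    allowed = {normalize_dn(d) for d in trusted_clients.get(issuer, ())}
    if signer not in allowed:
        return False, f"{signer_dn!r} is not a trusted SAML client for {issuer!r}"
    return True, "accepted: issuer and signing DN are both trusted"


if __name__ == "__main__":
    cases = [
        ("www.amis.nl", "CN=server, C=US", False),
        ("www.amis.nl", "CN=saml, C=US", False),   # JAX-WS server's own key: accepted
        ("www.amis.nl", "CN=saml, C=US", True),    # rejected once clients are restricted
        ("www.oracle.com", "CN=server, C=US", True),
        ("www.amis.nl", "CN=evil, C=US", False),
    ]
    for issuer, dn, restrict in cases:
        mode = "restricted" if restrict else "open"
        print(f"{issuer:15} {dn:18} {mode:10} -> {evaluate_token(issuer, dn, restrict)}")
```

Note the second case: after the import steps the JAX-WS server's own certificate (CN=saml, C=US) sits in saml.jks too, so without the Trusted SAML client entry a token signed with that key, or with any other certificate later imported into the truststore, is accepted. DN comparison is normalized because attribute types in an RFC 4514 DN are case-insensitive and whitespace around RDNs is not significant, so the entry matches however EM or the certificate spells it.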
SAML Identity switching
In this part we change the identity carried in the SAML token. In the previous examples we used client as username and this was passed on to the JAX-WS server. Now we override it on the SOA Suite server: the test client authenticates as weblogic, and the SOA composite switches the identity to client before calling the JAX-WS service.
Open the Mediator of the SOA Composite where we will add an Assign to the request part of the Routing Rule.
Here we need to add the javax.xml.ws.security.auth.username property with client as value.
We also need to change the OWSM client policy to oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy on the reference web service binding.
Deploy your composite.
Too bad, this is not enough: we also need to grant the SOA composite permission to do identity switching. Go to the Enterprise Manager (EM) application of the SOA Suite. Open the WebLogic Domain tree node and select your SOA domain. In the Domain menu (right window) go to Security -> System Policies.
Select Codebase as Type and search. Select a Codebase policy and do Create Like.
Use file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar as value in the Codebase field and click on Edit.
Enter oracle.wsm.security.WSIdentityPermission in the Permission Class field. The action is always assert. The Resource Name is the name of the composite that does the identity switching.
Virtual Users with User roles
The last part is virtual users. In this section we add some roles and change some attributes of the client user on the SOA Suite side. Change the policy on the composite reference back to oracle/wss11_saml_token_with_message_protection_client_policy and use client as username in the web service proxy client again.
First change some client user attributes. We can do this in the security realm of the SOA Suite WebLogic Domain.
Normally the incoming username is only mapped to a user that exists on the JAX-WS server. To make virtual users work we need to add a property to the saml.loginmodule on the JAX-WS server. Go to the EM application of the JAX-WS server, open the WebLogic Domain tree node and select your JAX-WS domain. In the Domain menu (right window) go to Security -> Security Provider Configuration.
Click on Edit and add a custom property oracle.security.jps.assert.saml.identity with value true.
Restart the JAX-WS WebLogic server.
We also need to do something in the SOA Composite.
Override the following properties
user.attributes with value displayname,employeenumber (use a comma to separate the LDAP attributes you want to pass on)
user.roles.include with value true
subject.precedence with value true
Deploy the composite and run your test client. You will see the following output on the JAX-WS server.
virtual found
saml issuer: www.amis.nl
SAML attribute: employeenumber
value: 100
SAML attribute: Roles
value: Operators
value: AdminChannelUsers
value: IntegrationOperators
value: IntegrationMonitors
value: Monitors
SAML attribute: displayname
value: SAML client
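The output above is what the JAX-WS side sees once the login module asserts the identity from the token. As an added example (my own Python, not code from this post and not OWSM's implementation), here is a minimal parser for a SAML 1.1 assertion of that shape together with a model of the two login-module modes described above: the default, where the NameIdentifier must exist in the local realm and roles come from that realm, and the virtual-user mode enabled by oracle.security.jps.assert.saml.identity=true, where the subject and its roles are built from the token alone. The assertion is constructed by hand to carry the attributes from the post (employeenumber, displayname, Roles); the helper and parameter names are my own. The real token also carries a signature and Conditions, which are checked before any of this and are left out here.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed sample assertion, not one captured from OWSM. It carries the
# attributes from the post: employeenumber and displayname (user.attributes)
# and Roles (user.roles.include). Signature and Conditions are omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="www.amis.nl" IssueInstant="2012-01-01T00:00:00Z">
  <saml:AuthenticationStatement AuthenticationInstant="2012-01-01T00:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier>client</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>client</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="employeenumber" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>100</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Roles" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>Operators</saml:AttributeValue>
      <saml:AttributeValue>AdminChannelUsers</saml:AttributeValue>
      <saml:AttributeValue>IntegrationOperators</saml:AttributeValue>
      <saml:AttributeValue>IntegrationMonitors</saml:AttributeValue>
      <saml:AttributeValue>Monitors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="displayname" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>SAML client</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return issuer, subject name and attributes of a SAML 1.x assertion as
    a dict. Raises ValueError for anything that is not an assertion with an
    Issuer and a named subject."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion":
        raise ValueError("root element is not a SAML 1.x Assertion")
    issuer = root.get("Issuer")
    if not issuer:
        raise ValueError("assertion carries no Issuer attribute")
    name_id = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no subject NameIdentifier")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    return {"issuer": issuer, "subject": name_id.text.strip(), "attributes": attributes}


def build_subject(assertion, trusted_issuers, local_users, assert_saml_identity):
    """Model of the two login-module modes from the post.

    assert_saml_identity=False (default): the NameIdentifier must be a user
    in the local realm (local_users maps name -> roles), roles come from
    there and token attributes are ignored.
    assert_saml_identity=True (oracle.security.jps.assert.saml.identity=true):
    a virtual user is built from the token alone; its roles are the Roles
    attribute and the remaining attributes travel with it.
    """
    if assertion["issuer"] not in trusted_issuers:
        raise PermissionError(f"untrusted SAML issuer {assertion['issuer']!r}")
    name = assertion["subject"]
    if not assert_saml_identity:
        if name not in local_users:
            raise PermissionError(f"user {name!r} not found in the local realm")
        return {"name": name, "virtual": False,
                "roles": sorted(local_users[name]), "attributes": {}}
    attrs = dict(assertion["attributes"])
    roles = attrs.pop("Roles", [])
    return {"name": name, "virtual": True, "roles": roles, "attributes": attrs}


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    user = build_subject(parsed, {"www.amis.nl"}, {}, assert_saml_identity=True)
    print("virtual found" if user["virtual"] else "local user found")
    print("saml issuer:", parsed["issuer"])
    for attr, values in parsed["attributes"].items():
        print("SAML attribute:", attr)
        for value in values:
            print("  value:", value)
```

With assert_saml_identity=False the same token is rejected when client is not in the local realm, which is the behaviour the post calls "normally the user is only mapped to the user located at the JAX-WS server"; with it set to true the subject is accepted on the strength of the trusted issuer alone, so the trusted-issuer and trusted-client configuration from the earlier sections is the only thing standing between a virtual user and the service.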
Thank you for the article!
I have a question about a similar situation: an ADFS+AD server and WebLogic with BPEL that needs to be protected with ADFS SAML tokens.
A question I have: how does WebLogic map its own users/groups (created in the WL console) to Active Directory users/groups? Where do I configure this mapping?
Hi,
Did you read this http://biemond.blogspot.com/2011/10/using-fmw-identitystore-for-your-user.html
Is your AD authenticator the first authenticator in the WebLogic console?
thanks
It looks similar.
I have been thinking it can be done inside the WL console.
Thank you!
Great article.
I have a question. Where you have HelloService, I have a SharePoint web service, which needs Kerberos authentication.
How can I provide the credentials for Kerberos authentication for the SharePoint web service in External References?
Do you have any example for that like this one?
Thanks
Rakesh
Hi,
For SharePoint I think you need to enable SAML on that server or use OWSM, which supports Kerberos,
like I did in this blog http://biemond.blogspot.com/2011/09/using-owsm-kerberos-policies.html
thanks
Edwin,
thanks for contributing openly with your examples and advice.
After setting up the "basic SAML test" according to your prescribed scenario and with your code, we have run into a message on one of the servers looking for 'orakey' in one of the requests made by the components involved.
Would you know if there is any extra configuration needed? Oracle documentation mentions this key/alias as required by WebCenter. Would it have been overwritten by the keystore setup according to the steps prescribed above?
Thanks
Hi,
It is an OWSM setting and orakey is the default value; this key is in the OWSM credential store. When you configure the key for signing and encryption, these values are added.
Good luck
Hi Edwin, thanks for your examples, have been very useful for me.
Excuse my bad English. I have a question:
I have a scenario with 2 WebLogic domains: the first has an Oracle Portal and the second is a SOA domain.
Between the 2 domains there is an SSO configuration using SAML; from the portal an ADF application deployed in the SOA domain is invoked, and this app no longer requires credentials because of the SSO configuration.
In the OSB of the SOA domain there is a Proxy Service with the OWSM policy "oracle/wss11_saml_token_with_message_protection_service_policy" attached; I want to consume this service from the ADF app or from a BPM process, propagating the same credentials of the user authenticated in the ADF application.
Is this possible, Edwin? I have tried with a Web Service Data Control in the ADF app, configuring the web service security with the required policy and overriding the csf-key property, and it works. But I need to consume the service with the credentials of the authenticated user and not with the configured "csf-key".
I hope I have explained the problem correctly.
Thank you!!
Hi,
When you are authenticated in the ADF application, the user subject is automatically provided to the WS. When you use an OWSM policy with a username token it should work. You have everything on one domain, so why don't you use a username token instead of SAML? The username from the SAML SSO will be used. Of course the user also needs to exist on the SOA domain. So between Portal and ADF you use SAML SSO, and on the OSB you use username token policies.
I don't know why you need to override the CSF key; what username do you get on the OSB service? SAML is good for making a trust between 2 domains. Within one domain you can use username token policies, maybe with message protection; for this you need to configure the OWSM keystores.
Thanks
Thanks Edwin,
I did a test. I attached a policy without message protection, the "oracle/wss_username_token_service_policy" OWSM policy, to my Proxy Service. In the ADF application this WS is invoked from a backing bean, using the code generated by a Web Service Proxy; the code is like:
SecurityPoliciesFeature securityFeatures = new SecurityPoliciesFeature(new String[] { "oracle/wss_username_token_client_policy" });
RequisitosService requisitosService = requisitosService_Service.getRequisitosServicePort(securityFeatures);
requisitosService.getRequisitosProductos.doOperation();
I'm authenticated in the ADF application, but the credentials are not provided to the WS. In the log the following message appears: "oracle.wsm.common.sdk.WSMException: WSM-00015 : The user name is missing"
If I add the credentials in the code of the backing bean:
reqContext.put(BindingProvider.USERNAME_PROPERTY, "weblogic");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "welcome1");
It works; but what I need is for the credentials to propagate automatically and not programmatically.
Is it possible?
Thanks in advance...
Hi,
the trick is that when you use OPSS it should work with ADF security and OWSM, see http://docs.oracle.com/cd/E21764_01/core.1111/e10043/underjps.htm#BABBFFDC
What do you use as authentication provider? Do you use the internal WLS LDAP one (this is the OPSS one), and is the ADF app deployed to the SOA Suite server or at least the same domain? Else you need to enable cross-domain security and use the same domain password.
Can you test this?
You can add your own LDAP server as authentication provider and enable OVD; this should also work.
http://biemond.blogspot.com/2011/10/using-fmw-identitystore-for-your-user.html
hope this helps. I will also make a testcase.
Hi,
it looks like we need to use a SAML OWSM policy; this allows identity propagation between ADF and OWSM. I will try to make a test case where ADF and SOA are on the same domain.
Ok,
I got it working on the same domain or on 2 domains.
First deploy your JAX-WS service or SOA Suite service with the following policy
oracle/wss11_saml_token_with_message_protection_service_policy
then deploy this to the SOA server or the SAML server.
Go to the ADF app which has ADF Security.
Create an ADF WS data control and provide the WS URL (or a WS proxy client).
Select the datacontrol.dcx file and change the security settings in the structure window: click on the WS and use right-click -> Define WS Security.
Select the right OWSM client policy -> wss11_saml_token_with_message_protection_client_policy
and override properties
saml.issuer.name = www.oracle.com (default) or your own
keystore.recipient.alias = samlkey when you use the above example, or serverkey when you use it on 1 domain.
Deploy it on the SOA Suite domain, log in, start it up and invoke the service client;
then you see the username is passed on (protected).
I will make a blog about it.
thanks Edwin.
Thank you very much Edwin.
I was doing the same thing, and now it works! I invoke the Proxy Service in 2 ways:
1. Using the code generated by a Web Service Proxy in a backing bean in the ADF app.
2. Using a WS Data Control like you explained to me.
Thanks Edwin, i hope we keep in touch!!!
Hello!
I use WebLogic Server as service provider and OWSM SAML-based security policies. I want tags (from the inbound request) involved in the validation process. How can I validate values by means of OWSM saml_service_policy (or is saml_bearer_over_ssl_policy better)?
I found the "user.attributes" property in the policy settings, but I'm not sure that is enough. Also I read your and several other blogs and found something about overriding the "Default Name Mapper Class" in the identity asserter settings. Which way should I look? Must I write something like CustomIdentityAssertionAttributeMapperImpl for AttributeStatement validation? Or is it enough to only configure OWSM settings and policy parameters?
Thanks for any help.
Hal
Hi,
user.attributes and roles only pass on these values; you need to make your own validator.
Sorry, I don't have experience with creating your own WebLogic validator.
thanks
Hi,
I've created a web service for an ADF application (using JDeveloper 11.1.1.4.0) by exposing a few methods in the Service Interface of an Application Module.
The requirements of my task are: the web service has to be deployed on a WebLogic server, be protected by SSO (using OSSO) and be used from another ADF application (which is also protected by SSO).
I am new to web services and SSO configurations, so please let me know if you can help me with the following questions:
1. Are there any special configurations or methods to protect a web service with OSSO? I managed to protect the web service by adding a rule protecting its URL (like any other web application); is this enough?
2. The ideal case for me would be to log in to the ADF application using the SSO credentials, and when the action that calls the web service method is performed, no other credentials are asked from the user. Is this possible? Do I need to use a security policy for this, and if yes, which security policy?
At the beginning of this task I thought it was enough just to protect the URL of the web service, but clearly I was wrong, because when I call the web service from the consuming application (using a Web Service Data Control) I get the following error:
oracle.j2ee.ws.saaj.ContentTypeException: Not a valid SOAP Content-Type: text/html; charset=iso-8859-1
Not a valid SOAP Content-Type: text/html; charset=iso-8859-1
Thank you and best regards,
Alex
Hi,
Just protect your web service with a SAML OWSM policy and implement ADF security in your web application,
as described in my blog about identity propagation with OWSM.
SAML is the only way for identity propagation.
Good luck
Hi Edwin,
Thank you for your feedback! The problem is that my consuming application has its own authentication and authorization mechanism (using a filter).
Therefore implementing ADF security (running the "Configure ADF Security..." wizard from JDeveloper) is not a solution for me.
Instead of using web services, is it possible to achieve this by creating an EJB Session Bean on my application module?
Best regards,
Alex
hi,
you must use the container security, else it is hopeless to pass on the subject/principal. What do you mean with filter?
We are getting the following when we followed the same approach:
WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject.
I am not sure why the request is going with an anonymous user. We are getting this error on the client side.
Can you please let us know how we can attach a user name?
Hi,
Do you authenticate on the client side? Provide a username and password, and then this username will be used.
thanks
Hi,
Please let me know your comments on my requirement specified below.
1. Domain1 (with EM and OWSM enabled)
2. Domain2 (contains SOA Suite 11.1.1.5).
3. Domain1 has my custom web application which has worklist client code (the SOAP client contains wss11_saml_token_with_message_protection_client_policy)
4. It calls the human task application (wss11_saml_token_with_message_protection_service_policy) deployed in Domain2.
5. jks files are copied into both domains' config folders, and the keystore info is updated in both domains using EM as you specified.
So in order for this setup to work, do we need to have the user information (e.g. user jstein should be available in the Domain1 and Domain2 'Users and Groups' section) in both domains?
Because currently I have a list of users in a database which my custom web app uses in Domain1, and I have duplicated the same DB users in the Domain2 myrealm which the human task application uses.
Please provide your valuable inputs.
Thanks in advance.
Hi,
yes, you can use the same users on domain 1 and 2; the password does not matter. Or you can enable virtual users. I made a blogpost about this; I don't know if this works in OWSM.
By the way, for FMW when you use your own authenticator it should be an LDAP one and use the virtualize parameter, or create the users in the WebLogic LDAP or use Oracle Virtual Directory; then you can use the SQL authenticator again.
thanks
Hi,
After doing the above specified setup (the previous query), I am getting the following exception on the client-side domain. I asked the same on OTN https://forums.oracle.com/forums/thread.jspa?threadID=2414330&tstart=15 but no help :(
Please let me know where I am going wrong.
Thanks,
Cdhar
...initialising the Task Query Service
Got wfSvcClient oracle.bpel.services.workflow.client.SOAPWorkflowServiceClient@15a0cbc
Got taskQuerySvc oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient@fa1dcc
createContext oracle.bpel.services.workflow.query.client.TaskQueryServiceSOAPClient@fa1dcc jstein
<Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.client, application=MyWebApp, composite=null, modelObj=TaskQueryService, policy=oracle/wss11_saml_token_with_message_protection_client_policy, policyVersion=null, assertionName={http://schemas.oracle.com/ws/2006/01/securitypolicy}wss11-saml-with-certificates.
oracle.wsm.common.sdk.WSMException: WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject.
at oracle.wsm.security.policy.scenario.executor.Wss11SamlWithCertsScenarioExecutor.sendRequest(Wss11SamlWithCertsScenarioExecutor.java:170)
Hi,
Did you authenticate with a username and password? Then this username will be passed on in the SAML token.
thanks
Hi,
Thanks for your reply. I am passing the username and password using the worklist authenticate method, which was authenticated against the DB by my web app initially. Please find clearer information below.
1. User1 logs in to my web app, which has been authenticated against an Oracle DB (the same web app works in different app server environments, WebLogic and WebSphere, so there is no app server dependency for authentication).
2. One of the functionalities of the web app is to show human tasks, so the worklist client code was developed as a separate project and added in WEB-INF/lib as a jar.
3. After User1 logs in to the web app I am passing the same to the human task app using the worklist API (the same user is available in both domain realms). Please find my sample code below.
wfsc = WorkflowServiceClientFactory.getWorkflowServiceClient(WorkflowServiceClientFactory.SOAP_CLIENT, getProperties(), null);
taskQuerySvc= wfsc.getTaskQueryService();
wfCtx = taskQuerySvc.authenticate(user, USER_PASSWORD.toCharArray(), "myrealm"); // This line throws the specified error
getProperties() method code:
propertiesMap.put(IWorkflowServiceClientConstants.CONNECTION_PROPERTY.SOAP_END_POINT_ROOT, "http://localhost:7001");
propertiesMap.put(CONNECTION_PROPERTY.SOAP_IDENTITY_PROPAGATION,"saml");
propertiesMap.put(CONNECTION_PROPERTY.SOAP_IDENTITY_PROPAGATION_MODE,"dynamic");
propertiesMap.put(CONNECTION_PROPERTY.SECURITY_POLICY_URI,"oracle/wss11_saml_token_with_message_protection_client_policy");
propertiesMap.put(CONNECTION_PROPERTY.MANAGEMENT_POLICY_URI,"oracle/log_policy");
return propertiesMap;
Please let me know how to resolve this.
Thanks,
cdhar
Hi,
is the username known on the SOA Suite server? Is it the first authenticator, or did you enable the virtualize parameter? Is it an LDAP one, and does it work in the BPM worklist app?
thanks
Hi Edwin,
Thanks for your response.
Yes, the username is known to the SOA Suite server, as it is available in the server realm.
Yes, it is the first authenticator, against WebLogic LDAP. I did not enable the virtualize parameter.
The worklist application works fine if SOAP_IDENTITY_PROPAGATION is non-saml.
So I think I have to authenticate the username against WebLogic LDAP before calling the worklist authenticate method in SAML mode.
Since the previous approach is giving an error, I am now trying 2 different approaches.
Approach 1:
1. Get the httpRequest of my web app inside my worklist client class
ExternalContext extcontext = FacesContext.getCurrentInstance().getExternalContext();
HttpServletRequest httpRequest = ( HttpServletRequest )extcontext.getRequest();
2. Authenticate against LDAP using the WebLogic security API to populate REMOTE_USER in httpRequest
ServletAuthentication sAuth = new ServletAuthentication(null,null);
int i = sAuth.assertIdentity(httpRequest, httpResponse, "myrealm");
3. Create the worklist workflow context using createContext (I believe this looks for the REMOTE_USER value in httpRequest and returns the workflow context) instead of the authenticate method
ctx = taskQuerySvc.createContext(httpRequest);
// ctx = taskQuerySvc.authenticate(user, USER_PASSWORD.toCharArray(), REALM_NAME);
Approach2:
1. Is the following code supported by the worklist API?
prop.put(CONNECTION_PROPERTY.SECURITY_POLICY_URI,"oracle/wss_username_token_client_policy");
prop.put(CONNECTION_PROPERTY.SECURITY_POLICY_URI,"oracle/wss11_saml_token_with_message_protection_client_policy");
Since I want to do username authentication first and then execute the SAML stuff, is it possible to execute both policies at once?
Your example specified here is working fine since it does username authentication (username policy) and then SAML (SAML policy) one after another. In my case both username and SAML should execute at the first 'exposed service' of my composite application, or the user should be authenticated before reaching the 'exposed service'.
Please provide your inputs, as this is a bit urgent.
Thanks,
Cdhar
Hi,
Can you do ADF security first on the ADF application and then call the SAML policy? That should work, like in this blog
http://biemond.blogspot.nl/2012/02/identity-propagation-with-owsm.html
thanks
Hi Edwin,
I have a Proxy Service based on a WSDL. The client calls the WS with a SAML token encoded in Basic Auth (not in the SOAP header). The SAML contains attributes like roles, name, ... and I need to know this information in my WS.
How can I read this information in my WS? How do I configure the server? With OWSM?
thanks
Yves
Hi,
you can't do this; maybe you can read some SOAP or HTTP header properties in BPEL, like I describe here
http://biemond.blogspot.nl/2012/04/retrieve-or-set-http-header-from-oracle.html
thanks
Excellent post!
Hi Edwin,
I have the following scenario: ESB -> BPEL1 -> BPEL2 -> BPEL3
In the ESB composite.xml, the ESB endpoint is secured with "oracle/wss_username_token_service_policy". I call the ESB with a WSS Username Token and password.
The BPEL1 reference WS is secured with "oracle/wss11_saml_token_with_message_protection_client_policy".
In the BPEL1 composite.xml, the BPEL1 endpoint is secured with "oracle/wss11_saml_token_with_message_protection_service_policy".
And so on, until BPEL3.
They are all in different composites.
I created my own self-signed certificate issued by "myIssuer". I imported the root CA and the self-signed certificate into the keystore. This is located in DOMAIN_HOME/config/fmwconfig.
For all reference WS, I add:
myIssuer
Also, for all service endpoints I add:
So it's set up exactly like you suggested.
However, when I test it, I get the same error as the guys above:
oracle.wsm.security.SecurityException: WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject
I do authenticate at the ESB endpoint with WSS username/password. The username is "weblogic". It seems SAML sends the username token correctly ESB -> BPEL1 -> BPEL2, but there it fails with WSM-00263 and I'm unable to connect to the BPEL3 endpoint.
Any idea how to debug this?
Can I check whether javax.xml.ws.security.auth.username is "weblogic" during the entire flow?
Thank you,
Catalin
Hi,
indeed, this is correct: username + password on the ESB service are validated, and the username is passed on in the SAML token for BPEL1. I don't know if identity propagation with SAML works. I think you need to set the username and password again on the BPEL1 reference service,
but when you are inside the SOA server (everything after BPEL1) you can switch to a normal SAML policy or use another secure policy which is based on the private and public key.
thanks
I am trying to use your sample as the basis for connecting from BPEL to the Oracle EBS Integrated SOA Gateway service.
Instead of using a JAX-WS end point, I am using the EBS SOA Gateway. I have tested the EBS web service from SoapUI using SAML encryption.
I am trying to do the same from BPEL. Do you have any specific process for that? If not, can you at least please explain the part that talks about "Security -> System Policies for the SOA Domain"? What codebase do I need to use?
Hi,
you need to use the right SAML OWSM client policy on the reference adapter and configure EM with your certificates, like you did in SoapUI.
Maybe you need to change the OWSM client policy so it matches the server policy.
thanks
Hi, Edwin:
on February 15, 2012 9:54 PM you mentioned that you would create a blog on identity propagation from ADF security to OWSM (see the text I copied below). Do you have the link to this blog post?
I have an additional question on how the identity can be propagated from WebCenter to OWSM.
Thanks
Ken
=================
Ok,
I got it working on the same domain or on 2 domains.
First deploy your JAX-WS service or SOA Suite service with the following policy:
oracle/wss11_saml_token_with_message_protection_service_policy
then deploy this to the SOA server or the SAML server.
Go to the ADF app which has ADF Security.
Create an ADF WS data control and provide the WS URL (or WS proxy client).
Select the datacontrol.dcx file and change the security settings in the structure window. Click on the WS and use right click -> Define WS Security.
Select the right OWSM client policy -> wss11_saml_token_with_message_protection_client_policy
and override the properties:
saml.issuer.name = www.oracle.com (default) or your own
keystore.recipient.alias = samlkey when you use the above example, or serverkey when you use it on 1 domain.
Deploy it on the SOA Suite domain and log in, start it up and invoke the service client;
then you see the username is passed on (protected).
I will make a blog about it.
thanks Edwin.
Hi,
Indeed, you mean like this: http://biemond.blogspot.nl/2012/02/identity-propagation-with-owsm.html
For WebCenter, you need to be authenticated and call a SAML protected OWSM service.
thanks
Hi Edwin,
I have an XML gateway which does the LDAP authentication and sends a signed SAML assertion (not encrypted, only signed) to an Oracle SOA 11g server. Also I get the public key in the input request itself. I need to use an OWSM policy to do SAML assertion on the Oracle SOA 11g. Can I use the OWSM policy "SAML token with message protection"? I don't have the sender's public certificate (X.509) in the keystore but instead I get it in the input request itself. Could you please help me on how to handle this.
Hi,
I think you need to build your own OWSM policy; in this everything is possible. The current OWSM policies need all the keys inside a keystore.
Thanks
Hi Edwin,
It is a really great post with a clear explanation.
I was trying to implement a prototype with a similar requirement:
I have implemented one SCA service in place of JAX-WS, else everything is the same.
But I am getting the following error:
oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: Client received SOAP Fault from server : Unable to invoke endpoint URI "http://172.17.30.192:8001/soa-infra/services/default/SAMLSCAApplication!1.0*soa_a95b5561-3c2e-4339-a301-ec79172914ad/bpelprocess1_client_ep" successfully due to: oracle.fabric.common.PolicyEnforcementException: WSM-00276 : Validation failed for the identity published in the WSDL endpoint "http://172.17.30.192:8001/soa-infra/services/default/SAMLSCAApplication!1.0*soa_a95b5561-3c2e-4339-a301-ec79172914ad/bpelprocess1_client_ep". Caused By: oracle.wsm.security.SecurityException: WSM-00138 : The path to the certificate is invalid. Validation failed for the certificate "Subject DN:- CN=saml, C=US, Serial Number:- 1373350479, Issuer DN:- CN=saml, C=US" Certificates in cert path used for validation are:- "Subject DN:- CN=saml, C=US, Issuer DN:- CN=saml, C=US" at
I tried my best but could not figure out what I am missing here to make it work. It will be great help if you can assist me to resolve my problem.
Thanks,
Nitil
Hi,
Looks like you need to import this cert also in the truststore. And is the SCA service running on a different domain?
Thanks
Hi Edwin,
Many thanks for your great post with a clear explanation.
I was trying to develop a proof of concept for a client:
I have implemented one BPEL service in place of JAX-WS, rest everything the same.
But I am getting the following error:
Unable to invoke endpoint URI "http://172.17.30.192:8001/soa-infra/services/default/SAMLSCAApplication!1.0*soa_a95b5561-3c2e-4339-a301-ec79172914ad/bpelprocess1_client_ep" successfully due to: oracle.fabric.common.PolicyEnforcementException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oracle.wsm.security,keyName=keystore-csf-key read)
I tried my best but could not figure out what I am missing here to make it work. It will be great help if you can assist me to resolve my problem.
Regards,
Bharat
Hi,
Can you check in the EM if you have this key, and are you doing identity switching like this:
"right permissions to do identity switching. Go to the Enterprise Manager (EM) application of the SOA Suite. Open the WebLogic Domain treenode and select your SOA domain. In the Domain menu (right window) go to Security -> System Policies."
Thanks
Hi Edwin,
First of all thanks for the article and overall nice posts.
I'm trying to perform dynamic identity switching on OSB Business Services.
Apparently there is no way to set the javax.xml.ws.security.auth.username property, and the policy always falls back to the CSF.
Are you aware of any way to achieve this?
The use case is that sometimes the identity is to be propagated, other times a service account which resides in the CSF is used, but at other times the value needs to be extracted from the payload, and on the receiving end there is an OSB or SOA WS protected by OWSM + SAML.
Thanks
Hi,
I don't think a policy is that flexible.
Thanks Edwin
Hi,
Did you install EM on your WebLogic domain together with an MDS repository, or use WebLogic 11g with OSB and the OWSM add-on?
Application SAML SSO is not the same as WS SAML 2; you need to have a SAML OWSM WS client to call this protected service.
Thanks
Hi Biemond
This is a wonderful post. I'm absolutely new to security, and this explained it very clearly.
I have a scenario where my OSB service is a pure passthrough. I have oracle/wss10_saml_token_service_policy at the Proxy and oracle/wss10_saml_token_client_policy at the BusinessService (with a credential key) side.
It's working without establishing trust (importing keystore/certificate). Is it that for simple policies, trust is not required?
I've explained it clearly in the Oracle forum: https://community.oracle.com/thread/3520733
Would you please check it?
Regards
Ravi
Hi Biemond,
I am testing signed SAML from SoapUI to be verified on OSB (11.1.1.6) with the OWSM wss_saml20_token_over_ssl_service_policy. Signed SAML fails on OSB.
I see
Caused By: java.lang.NullPointerException
at oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor.verifyAssertionIssuerCert(WssSamlTokenProcessor.java:8299
Any pointers to resolve this?
Thanks
SG
Hi Edwin,
I have a similar problem to Jose's.
In my case, I have a tasklist ADF application that invokes an OSB service via a managed bean.
The OSB service is secured with oracle/wss10_saml20_token_client_policy and this is something I cannot change because it is an established service.
I followed your example above to generate the web service proxy code and proceeded to set the username and password with the requestContext.
My code works fine when I run it in JDeveloper, but when I deploy it to the SOA Suite server and it is executed from the managed bean, it always throws the following exception:
WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject
I don't understand why the username and password I have set do not seem to be enforced somehow.
Is there a trick to get this working from an ADF application? I am not interested in propagating the ADF user credentials. Is there a way to do this?
Your help is very much appreciated.
Thanks
Johnny
Actually my problem is different from Jose's. When I invoke the SAML secured web service from my ADF application, it is ignoring the username and password setting in my code and using the ADF login instead. How can I stop this from happening?
Thanks
Johnny
Hi Edwin,
Does virtual user work for JAX-WS in OWSM 12c with roles? I enabled "Allow Virtual Users" in WSM Domain Configuration, authentication. I set propagate.identity.context and user.role.include to true in the configuration properties page for the policy. But it seems that roles don't work. Any idea or anything that I can check?
Thanks in advance.
javier
Hi,
I am getting "Error occurred while sending SOAP Request to Server":
javax.xml.ws.WebServiceException: No Handler for OWSM Security Policy found.
at weblogic.wsee.jaxws.owsm.TubelineDeploymentListener.loadHandler(TubelineDeploymentListener.java:135)
at weblogic.wsee.jaxws.owsm.ClientTubelineDeploymentListener.getHandler(ClientTubelineDeploymentListener.java:139)
at weblogic.wsee.jaxws.owsm.ClientTubelineDeploymentListener.createClient(ClientTubelineDeploymentListener.java:62)
at weblogic.wsee.jaxws.WLSTubelineAssemblerFactory$TubelineAssemblerImpl.createClient(WLSTubelineAssemblerFactory.java:100)
Do we require EM on the web service client side also to attach a security policy file to the web service?
I am new to this implementation so I need some help regarding calling a web service implementing cert based authentication.
So far I have imported the certs in the keystore and configured the same in WebLogic.
I have written code to create a securityFeature and pass it to the getPort constructor.
It is during the getPort method that I am getting the error mentioned above, that no OWSM policy handler exists.
Regards,
Yogesh
hello Edwin ,
Nice blog!! I was able to achieve it partially. Did my best to summarize my use case. Could you please help below.
I am working on SOA Suite 12c.
I am trying to call an OSB 12c service from SOA 12c. I have configured the
SOA Composite
---------------
1) Attached custom service policy customWSAuthservicepolicy like (oracle/wss_username_token_service_policy) at service level (SOA composite exposed as web service)
2) Attached custom client policy customSAMLAuthpolicy like (oracle/wss11_saml_token_with_message_protection_client_policy) to the reference calling the OSB 12c service
3) Attached custom service policy WS_SAMLAuthpolicy like (oracle/wss11_saml_token_with_message_protection_service_policy) in the OSB service
The user passed is "Test1". This user is configured in LDAP and is created in both the domains.
I am able to do successful authentication and was able to get the response as well from the OSB.
Now I want to change the SAML issuer name from "www.oracle.com" to "www.testissuer.com". I have followed the steps guided by you but still it's failing with "www.testissuer.com", while it's still working with the
default issuer name "www.oracle.com".
There are some differences in what I have done.
1) There is an additional csf-key in the SOA client policy; I hope that should not matter because the authenticated user at service level is propagated back to OSB.
2) The "user.roles.include" is false. Does it make any difference?
3) You have mentioned "keystore.recipient.alias" as "orakey". What is this key? Is this the target domain's keystore key? In my case is it the OSB domain or the caller SOA domain? Is this key required?
SOA Suite
Reference to OSB
customSAMLAuthpolicy like (oracle/wss11_saml_token_with_message_protection_client_policy). Below are the contents of the client policy:
www.testissuer.com
false
osb.credentials
true
OSB domain
------------
/Domain_OSBDomain/OSBDomain > Security Provider Configuration > Advanced Properties
Property Sets - > name -- > www.testissuer.com
Hi Edwin,
I am calling a secured web service (SAML security) and am able to get the response with a stand-alone Java program. Now I have to deploy the same code in WebLogic server as part of a web application.
So, what are the configurations to be done in WebLogic and the necessary changes in the below mentioned code?
Below is the policy used for calling the webservice.
import java.util.Map;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceFeature;
import weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;

// OWSM client policy attached to the proxy; pass 'features' to the generated Service's getPort(...)
SecurityPoliciesFeature securityFeatures = new SecurityPoliciesFeature(new String[] { "oracle/wss10_saml_token_with_message_integrity_client_policy" });
WebServiceFeature[] features = new WebServiceFeature[] {securityFeatures};
// 'wsrequest' is the port obtained from getPort(..., features); the OWSM keystore settings go into its request context
Map<String, Object> reqContext = ((BindingProvider)wsrequest).getRequestContext();
reqContext.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, "src\\com\\client.jks");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, " ");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_ALIAS, " ");
reqContext.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
reqContext.put(ClientConstants.WSSEC_SIG_KEY_PASSWORD, " ");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_ALIAS, " ");
reqContext.put(ClientConstants.WSSEC_ENC_KEY_PASSWORD, " ");
reqContext.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, " ");
Thank you,
Tiru.
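Since several questions in this thread (Catalin's and Johnny's WSM-00263, Tiru's client code) come down to which user the OWSM client policy ends up asserting in the SAML token, here is an added Java helper that is not code from the blog or from Oracle. It attaches the SAML client policy from the post, sets the keystore properties the way Tiru's snippet does, and resolves the asserted user before the call so that an anonymous caller fails fast instead of with WSM-00263 at invoke time; SamlClientHelper and its method names are hypothetical, and it assumes the WebLogic weblogic.security.Security/SubjectUtils classes and the OWSM ClientConstants are on the classpath.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceFeature;
import weblogic.security.Security;
import weblogic.security.SubjectUtils;
import weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature;
import oracle.wsm.security.util.SecurityConstants.ClientConstants;

// Hypothetical helper around a generated JAX-WS proxy (not the blog's code).
public class SamlClientHelper {
    // OWSM client policy used in the post for the JAX-WS reference.
    static final String SAML_CLIENT_POLICY =
        "oracle/wss11_saml_token_with_message_protection_client_policy";

    // Pass the result to the generated Service's getPort(...) call.
    public static WebServiceFeature[] samlFeatures() {
        return new WebServiceFeature[] {
            new SecurityPoliciesFeature(new String[] { SAML_CLIENT_POLICY }) };
    }

    // User that OWSM will assert in the SAML token: the explicit override
    // (identity switching, needs the WSIdentityPermission grant from the post),
    // otherwise the authenticated caller of the current thread (propagation).
    // No override and an anonymous caller is exactly the WSM-00263 situation.
    public static String resolveAssertedUser(Map<String, Object> ctx) {
        Object override = ctx.get(BindingProvider.USERNAME_PROPERTY);
        if (override != null && !override.toString().isEmpty()) {
            return override.toString();
        }
        Subject caller = Security.getCurrentSubject();
        if (caller == null || SubjectUtils.isUserAnonymous(caller)) {
            throw new IllegalStateException("anonymous caller and no "
                + BindingProvider.USERNAME_PROPERTY + " set: OWSM would raise WSM-00263");
        }
        return SubjectUtils.getUsername(caller);
    }

    // Keystore settings as in Tiru's snippet; switchToUser == null means
    // "propagate the logged-in user" instead of switching identity.
    public static String configure(Object port, String switchToUser,
                                   String keystorePath, String keystorePass) {
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(ClientConstants.WSSEC_KEYSTORE_LOCATION, keystorePath);
        ctx.put(ClientConstants.WSSEC_KEYSTORE_TYPE, "JKS");
        ctx.put(ClientConstants.WSSEC_KEYSTORE_PASSWORD, keystorePass);
        ctx.put(ClientConstants.WSSEC_RECIPIENT_KEY_ALIAS, "samlkey"); // alias from the post
        if (switchToUser != null) ctx.put(BindingProvider.USERNAME_PROPERTY, switchToUser);
        return resolveAssertedUser(ctx); // fail fast instead of at invoke time
    }
}
```

BindingProvider.USERNAME_PROPERTY is the standard JAX-WS constant for the javax.xml.ws.security.auth.username key mentioned earlier in the thread; when it is set, the user it names is only asserted if the calling application has the identity switching permission described in the post.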