Skip Headers
Oracle® Fusion Middleware Developer's Guide for Oracle Service Bus
11g Release 1 (11.1.1.7)

Part Number E15866-09
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

53 Using SAML with Oracle Service Bus

This chapter describes how to use Security Assertion Markup Language (SAML) policies for exchanging authentication and authorization information between clients and services in Oracle Service Bus.

You can use SAML with either the WLS 9 policy framework or with Oracle Web Services Manager. Oracle recommends that you use Oracle Web Services Manager for service security, as described in Chapter 50, "Securing Oracle Service Bus with Oracle Web Services Manager."

For detailed instructions on setting up your environment to use SAML, see "Configuring SAML" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services and the SAML configuration topics in Oracle Fusion Middleware Securing Oracle WebLogic Server. The SAML configuration steps in those guides are a prerequisite to using SAML in Oracle Service Bus.

This chapter includes the following topics:

53.1 Mapping Identity to a SAML Token

If your clients do not provide SAML tokens but your business services require them, you can configure a proxy service to map the client's identity to a SAML token.

This technique requires the business service to be a Web service with WS-Policy statements that require authentication using SAML tokens.

To configure SAML credential mapping:

  1. Configure a proxy service to authenticate clients using any of the following techniques:

    • HTTP or HTTPS BASIC (client provides user name and password in the request)

    • HTTPS Client certificate

    • Message-level authentication (using any of the supported token profiles)

      If a client request includes a WS-Security security header, you must configure the proxy service to process this header on the proxy service side of the message. In Oracle Service Bus, you cannot add a SAML header (or any other WS-Security header) to a SOAP envelope that already contains a WS-Security header, neither can you add SAML (or other) security tokens to an existing security header.

    • Third-party authentication

    When the proxy service authenticates the user, the proxy automatically generates a Subject before forwarding the message to a business service.

  2. Configure the business service to include a SAML client policy. The policy generates a SAML token for the authenticated user in the Subject.

For a list of Oracle Web Services Manager SAML policies supported with Oracle Service Bus, see Section 50.2.8, "Supported Seed Policies and Unsupported Assertions."

Note:

The procedure in this section assumes a proxy-to-business service invocation. When your use case involves proxy-to-proxy invocations prior to the business service invocation, it is helpful to understand how Oracle Service Bus handles security headers. For that information, see Section 31.5, "Using Oracle WSM Security with Local Proxies."

53.2 Configuring SAML Pass-Through Identity Propagation

If your clients provide SAML tokens to a pass-through proxy service, you can propagate the client's SAML token to the business service.

This technique requires the business service to be a Web service with policy statements that require authentication using SAML tokens.

To configure SAML pass-through identity propagation:

53.3 Authenticating SAML Tokens in Proxy Service Requests

If your clients provide SAML tokens to an active intermediary proxy service, you can configure the proxy service to assert the client's identity.

To configure a proxy service to use SAML tokens to authenticate clients:

  1. When configuring the identity assertion provider, note the following requirements:

    • The confirmation method from the policy must match the SAML profile in the SAML asserting party.

    • Specify the asserting party target URL to be the relative URL of the proxy service (omitting the protocol and host information).

    • For signed assertions, add the certificate to the Identity Asserter registry.

  2. Create an active intermediary proxy service that communicates over the HTTP, HTTPS, or JMS protocol. The proxy service must be a Web service with a policy statement that requires authentication and accepts SAML tokens.

    A proxy service that communicates over the "local" transport type cannot use a SAML token profile to authenticate.

53.4 Configuring SAML Authentication with Service Bus (SB) Transport

If you are using SAML-based authentication with the SB transport, follow these configuration requirements:

53.5 Using SAML Identity Switching

Oracle Web Services Manager provides a wss11_saml_token_identity_switch_with_message_protection_client_policy that lets you perform identity switching. The policy, which you attach to a business service, propagates a different identity than the one based on the authenticated Subject from the proxy service. For more information about the policy, see "Configuring SAML Web Service Clients for Identity Switching" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

If you set the policy property subject.precedence = false and provide a credential store format (CSF) key for the identity you want to switch to, the business service ignores the current subject and creates a SAML token with the credentials in the csf-key.

If you set subject.precedence = true, the current subject is used to create the SAML token. However, if the subject is anonymous, Oracle Web Services Manager attempts to use the csf-key to perform the identity switching.

For information on working with CSF, see "Overview of Application Development with CSF" in Oracle Fusion Middleware Application Security Guide.

53.5.1 Protecting the Identity-Switching Resource

To prevent malicious access to the identity-switching functionality, you must grant special permissions to the resources that perform identity switching. For example, in Oracle Service Bus, you give permissions to the project containing the identity-switching business service.

Use the Oracle Enterprise Manager Fusion Middleware Control to give the Oracle Service Bus project the proper permissions, as described in "Set the WSIdentityPermission Permission" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services. Using that topic for guidance, enter the following information in the permissions fields:

  • Permission Class – oracle.wsm.security.WSIdentityPermission

  • Resource Name – Name (not the path) of the Oracle Service Bus project containing the business service

  • Permission Actions – assert

53.6 Troubleshooting SAML with Oracle Service Bus

Question: I am trying to propagate my proxy service transport identity to a destination business service and keep receiving error, Unable to add security token for identity. What does this mean?

Answer: There are various causes for this error. Generally this means one of the following problems:

Question: I am trying to propagate my proxy service transport identity to a destination business service using SAML holder-of-key and keep receiving error, Failure to add signature. What does this mean?

Answer: There are various causes for this error, but most likely is that the credentials are not configured for the business service's service key provider. When Oracle Service Bus generates an outbound holder-of-key assertion, it also generates a digital signature over the message contents, so that the recipient can verify not only that a message is received from a particular user but that the message has not been tampered with. To generate the signature, the business service must have a service key provider with a digital signature credential associated with it.

Question: I am trying to configure an active intermediary proxy service that receives SAML identity tokens and keep receiving errors that look like: The SAML token is not valid. How do I fix this?

Answer: This is generally caused by a missing SAML Identity Asserter or SAML Identity Asserter asserting party configuration for the proxy service. For a proxy service to receive SAML assertions in active intermediary mode, it must have a SAML Identity Asserter configured. For more details, see "Configuring a SAML Identity Assertion Provider" in Oracle Fusion Middleware Securing Oracle WebLogic Server.