53 Using SAML for Authentication

Security Assertion Markup Language (SAML) defines a framework for exchanging authentication and authorization information between online business partners. Oracle Service Bus supports the techniques for using SAML that are described in this chapter.

For an overview of SAML, see the OASIS technical overview at the following URL:

http://www.oasis-open.org/committees/download.php/6837/sstc-saml-tech-overview-1.1-cd.pdf

The complete set of SAML specification documents is available at the following URL:

http://www.oasis-open.org/committees/download.php/3400/oasis-sstc-saml-1.1-pdf-xsd.zip

53.1 Configuring SAML Credential Mapping: Main Steps

If your clients do not provide SAML tokens but your business services require them, you can configure a proxy service to map the client's identity to a SAML token.

This technique requires the business service to be a Web service with WS-Policy statements that require authentication using SAML tokens.

To configure SAML credential mapping:

  1. Configure a trust relationship between Oracle Service Bus and the system (message consumer) that the business service represents.

    The message consumer acts as a relying party and must have a trust relationship with Oracle Service Bus.

    See "Important Information Regarding Cross-Domain Security Support" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

  2. Configure the SAML providers:

    For Oracle Web Services Manager policies: See "Configuring SAML" (WSSEC2376) in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

    For WLS 9.2 policies: Configure the WebLogic SAML Identity Assertion Provider V2 and the WebLogic SAML Credential Mapping Provider V2 in your security domain. See "Configuring a SAML Identity Assertion Provider" and "Configuring a SAML Credential Mapping Provider" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

  3. Configure a proxy service to authenticate clients using any of the following techniques:

    • HTTP or HTTPS BASIC (client provides user name and password in the request)

    • HTTPS Client certificate

    • Message-level authentication (using any of the supported token profiles)

      If a client request includes a WS-Security security header, you must configure the proxy service to process this header on the proxy service side of the message. In Oracle Service Bus, you cannot add a SAML header (or any other WS-Security header) to a SOAP envelope that already contains a WS-Security header, nor can you add SAML (or other) security tokens to an existing security header.

    • Third-party authentication

  4. Configure the proxy service to include a SAML token in the WS-Security header of its outbound request.

    Note:

    If you configured the proxy service for dynamic routing, the message context determines the target URL for the request. If the assertion is signed, you must configure the certificate.

When the proxy service sends its outbound request, it generates a SAML assertion on behalf of the client. When the business service processes the WS-Security header, it validates the SAML assertion, creates a security context for the identity in the SAML assertion, and invokes the Web service with this security context.
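As an added illustration (not Oracle's code) of what steps 3 and 4 require of a credential-mapping proxy, the following Python models the outbound header construction: it refuses an envelope that already carries a wsse:Security header, refuses to map when no authenticated subject is available (the "Unable to add security token for identity" case from Section 53.5), and otherwise inserts a minimal unsigned SAML 1.1 sender-vouches assertion. The envelope is constructed sample input; real assertions also carry AssertionID, IssueInstant, Conditions and, for signed profiles, an XML signature.

```python
from typing import Optional
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
for _prefix, _uri in (("soapenv", SOAP), ("wsse", WSSE), ("saml", SAML)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample request from a client that sends no WS-Security header.
SAMPLE_ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header/>'
    '<soapenv:Body><getOrder id="42"/></soapenv:Body></soapenv:Envelope>' % SOAP
)


def add_saml_token(envelope_xml: str, subject: Optional[str], issuer: str) -> str:
    """Return the envelope with a wsse:Security header carrying an unsigned
    SAML 1.1 sender-vouches assertion for `subject`, or raise ValueError in
    the two cases where the proxy service cannot perform the mapping."""
    if not subject:
        # Section 53.5: nothing to map without a transport- or message-level subject.
        raise ValueError("Unable to add security token for identity")
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    if header.find(f"{{{WSSE}}}Security") is not None:
        # Section 53.1 step 3: an existing WS-Security header must be processed
        # by the proxy; a second header or an extra token is never added.
        raise ValueError("envelope already carries a WS-Security header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    assertion = ET.SubElement(security, f"{{{SAML}}}Assertion",
                              {"MajorVersion": "1", "MinorVersion": "1", "Issuer": issuer})
    statement = ET.SubElement(assertion, f"{{{SAML}}}AuthenticationStatement")
    subj = ET.SubElement(statement, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    confirmation = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(confirmation, f"{{{SAML}}}ConfirmationMethod").text = SENDER_VOUCHES
    return ET.tostring(root, encoding="unicode")


def asserted_subject(envelope_xml: str) -> Optional[str]:
    """What the relying party reads back: the NameIdentifier inside the
    wsse:Security header, or None when the envelope carries no assertion."""
    root = ET.fromstring(envelope_xml)
    node = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{SAML}}}Assertion"
                     f"/{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject"
                     f"/{{{SAML}}}NameIdentifier")
    return None if node is None else node.text
```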

53.2 Configuring SAML Pass-Through Identity Propagation

If your clients provide SAML tokens to a pass-through proxy service, you can propagate the client's SAML token to the business service.

This technique requires the business service to be a Web service with WS-Policy statements that require authentication using SAML tokens.

To configure SAML pass-through identity propagation:

  1. Configure a trust relationship between Oracle Service Bus and the back-end service.

    See "Important Information Regarding Cross-Domain Security Support" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

  2. Configure the back-end service to act as a SAML relying party.

    For Oracle Web Services Manager policies: See "How to Configure Oracle Platform Security Services (OPSS) for SAML Policies" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

    For WLS 9.2 policies: See "Create a SAML Relying Party" in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.

  3. Configure a pass-through proxy service.

    See Section 52.3.2, "Creating a Pass-Through Proxy Service: Main Steps."

  4. Configure a SOAP-HTTP or SOAP-JMS business service with WS-Policy statements that require authentication using SAML tokens.

    See Section 52.4, "Configuring Business Service Message-Level Security: Main Steps."

53.3 Authenticating SAML Tokens in Proxy Service Requests

If your clients provide SAML tokens to an active intermediary proxy service, you can configure the proxy service to assert the client's identity.

To configure a proxy service to use SAML tokens to authenticate clients:

  1. Configure a trust relationship between the client software and Oracle Service Bus.

    Oracle Service Bus relies on SAML assertions issued by the client, or on behalf of the client.

    See "Important Information Regarding Cross-Domain Security Support" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

  2. Configure SAML.

    For Oracle Web Services Manager policies: See "Configuring SAML" (WSSEC2376) in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

    For WLS 9.2 policies: Configure the WebLogic SAML Identity Assertion Provider V2 to validate tokens issued by the client's SAML authority. See "Configuring a SAML Identity Assertion Provider" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

    When configuring the identity assertion provider, note the following requirements:

    • The confirmation method from the policy must match the SAML profile in the SAML asserting party.

    • Specify the asserting party target URL to be the relative URL of the proxy (not including the protocol and host information).

    • For signed assertions, add the certificate to the Identity Asserter registry.

  3. Configure the SAML credential mapping provider.

    For Oracle Web Services Manager policies: See "Configuring SAML" (WSSEC2376) in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

    For WLS 9.2 policies: Configure the WebLogic SAML Credential Mapping Provider V2 in your security domain. See "Configuring a SAML Credential Mapping Provider" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

  4. Create an active intermediary proxy service that communicates over the HTTP, HTTPS, or JMS protocol. The proxy service must be a Web service with a WS-Policy statement that requires authentication and accepts SAML tokens.

    A proxy service that communicates over the "local" transport type cannot use a SAML token profile to authenticate.

53.4 Configuring SAML Authentication with Service Bus (SB) Transport

If you are using SAML-based authentication with the SB transport, be sure to follow these configuration requirements:

  • On the asserting party, configure the SAML Credential Mapper with the URI http://openuri.org/<OSBProxyServiceURI>, where <OSBProxyServiceURI> is the SB transport service URI.

  • When configuring the Identity Assertion provider on the Oracle Service Bus side (the relying party), set the asserting party target URL to the proxy endpoint URI without the protocol and host information. For example, /<OSBProxyServiceURL>.
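The identity-asserter requirements in Section 53.3 and the SB transport URI rules above are easy to get subtly wrong, so here is an added Python checker (not Oracle's code; the asserting-party field names and the certificate registry shape are assumptions) that reduces a proxy endpoint to its relative URL, derives the two SB transport URIs, and reports which requirements a given asserting-party configuration violates.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
PROFILE_METHODS = {"sender-vouches": SENDER_VOUCHES, "holder-of-key": HOLDER_OF_KEY}


def relative_target(url: str) -> str:
    """Reduce a proxy endpoint URL to the form the asserting-party target URL
    must take: the path only, without protocol or host (Sections 53.3 and 53.4)."""
    path = urlsplit(url).path or "/"
    return path if path.startswith("/") else "/" + path


def sb_transport_uris(sb_service_uri: str) -> Tuple[str, str]:
    """Section 53.4: credential-mapper URI on the asserting party and target
    URL on the Oracle Service Bus side, derived from the SB transport service URI."""
    uri = sb_service_uri.lstrip("/")
    return "http://openuri.org/" + uri, "/" + uri


def check_asserting_party(policy_profile: str, asserting_party: Dict[str, str],
                          proxy_url: str, signed: bool,
                          cert_registry: Dict[str, str]) -> List[str]:
    """Return the configuration problems a relying-party identity asserter
    would trip over; an empty list means the three requirements are met."""
    problems = []
    expected = PROFILE_METHODS.get(policy_profile)
    if expected is None:
        problems.append(f"unknown SAML profile in policy: {policy_profile}")
    elif asserting_party["confirmation_method"] != expected:
        problems.append("confirmation method does not match the policy's SAML profile")
    if asserting_party["target_url"] != relative_target(proxy_url):
        problems.append("target URL must be the proxy's relative URL "
                        f"{relative_target(proxy_url)!r}, got {asserting_party['target_url']!r}")
    if signed and asserting_party["issuer"] not in cert_registry:
        problems.append("signed assertions need the issuer certificate in the Identity Asserter registry")
    return problems


# Constructed sample configuration; the certificate value is a placeholder.
SAMPLE_ASSERTING_PARTY = {"confirmation_method": SENDER_VOUCHES,
                          "target_url": "/saml/orders",
                          "issuer": "client-saml-authority"}
SAMPLE_REGISTRY = {"client-saml-authority": "<PLACEHOLDER CERTIFICATE>"}
```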

53.5 Troubleshooting SAML Web Services Security

Question: I am trying to propagate my proxy service transport identity to a destination business service and keep receiving the error "Unable to add security token for identity". What does this mean?

Answer: There are various causes for this error. Generally this means one of the following problems:

  • The SAML Credential Mapper is not configured correctly. Double check that the configuration is in accordance with the following instructions:

    For Oracle Web Services Manager policies: "Configuring SAML" (WSSEC2376) in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.

    For WLS 9.2 policies: "Configuring a SAML Credential Mapping Provider" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

  • Another common source of this error is that there is no subject information to propagate. To generate a SAML token, you must have a transport-level or message-level subject. Make sure that the client has a subject; you can check this by inspecting the $security message context variable.

Question: I am trying to propagate my proxy service transport identity to a destination business service using SAML holder-of-key and keep receiving the error "Failure to add signature". What does this mean?

Answer: There are various causes for this error, but the most likely one is that the credentials are not configured for the business service's service key provider. When Oracle Service Bus generates an outbound holder-of-key assertion, it generally also generates a digital signature over the message contents, so that the recipient can verify not only that the message was received from a particular user, but also that the message has not been tampered with. To generate the signature, the business service must have a service key provider with a digital signature credential associated with it.

Question: I am trying to configure an active intermediary proxy service that receives SAML identity tokens and keep receiving errors such as "The SAML token is not valid". How do I fix this?

Answer: This is generally caused by a lack of a SAML Identity Asserter or SAML Identity Asserter asserting party configuration for the proxy. For a proxy service to receive SAML assertions in active intermediary mode, it must have a SAML Identity Asserter configured. For more details, see "Configuring a SAML Identity Assertion Provider" in Oracle Fusion Middleware Securing Oracle WebLogic Server.