47.3 Mapping Operation Issues

Problem: Failure to map the AppliesTo element to a Relying Party Partner

When Security Token Service processes a WS-Trust request with an AppliesTo element referencing the Web Service Provider, the server attempts to map the location contained in the AppliesTo element to a Security Token Service Relying Party Partner using the Resource URL defined in the Partner entry. If the mapping fails, the server logs an Info message indicating that the operation failed and showing the AppliesTo address that was used.

Error Message

The following is a sample of an error message:

[2011-04-22T15:08:12.632-07:00] [oam_server1] [NOTIFICATION] [STS-15542] 
[oracle.security.fed.eventhandler.sts.creation.v13.CreateV13TokenEventHandler] [tid: [ACTIVE].ExecuteThread: '0' for 
queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 
f00aacae2d3f3ded:125005ed:12f7f412274:-8000-0000000000000016,0] [WEBSERVICE_PORT.name: wssuser-port] [APP: 
oam_server] [J2EE_MODULE.name: sts] [WEBSERVICE.name: wssuser-serviceSoap12] [J2EE_APP.name: oam_server] The mapping 
of the AppliesTo element from the WS-Trust Request to a Relying Party Partner failed: could not map 
http://relying.party.test.com/testing/service

Solution

If the AppliesTo location should have been mapped to a Relying Party Partner, verify in the Partner settings that the Resource URLs are correctly defined to either:

  • be the exact match of the AppliesTo address

  • be a parent of the AppliesTo address.

    For example, if the AppliesTo address is http://relying.party.test.com/testing/service, a parent could be http://relying.party.test.com/testing/ or http://relying.party.test.com/. In both cases, the AppliesTo location would be mapped to a Relying Party Partner with any of those Resource URLs defined.

    Note:

    This message is recorded at Notification level. For Security Token Service to record it, the appropriate logging level must be set to include the Notification:1 level.
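The following Python check is an added example, not part of the product or its documentation: it extracts the unmapped AppliesTo address from an STS-15542 entry and reports which configured Resource URLs are an exact match or a parent of it. The partner names and URLs in PARTNERS are constructed, and the comparison rules (same scheme, host and port; whole path segments; trailing slash ignored) are an assumption about what "parent" means, not the server's documented algorithm.

```python
import re
from urllib.parse import urlsplit

# Tail of the STS-15542 sample message shown above (bracketed header fields trimmed).
SAMPLE_LOG = (
    "[2011-04-22T15:08:12.632-07:00] [oam_server1] [NOTIFICATION] [STS-15542] "
    "The mapping of the AppliesTo element from the WS-Trust Request to a "
    "Relying Party Partner failed: could not map "
    "http://relying.party.test.com/testing/service"
)

# Constructed partner entries for illustration: partner name -> Resource URLs.
PARTNERS = {
    "rp-exact": ["http://relying.party.test.com/testing/service"],
    "rp-parent": ["http://relying.party.test.com/testing/"],
    "rp-typo": ["http://relying.party.test.com/test"],
    "rp-https": ["https://relying.party.test.com/"],
}

def unmapped_addresses(log_text):
    """Return AppliesTo addresses reported in STS-15542 mapping failures."""
    return re.findall(r"\[STS-15542\].*?could not map\s+(\S+)", log_text, re.S)

def _parts(url):
    # Compare parsed components, not raw strings (assumed rule, see lead-in).
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    segments = [s for s in u.path.split("/") if s]
    return (u.scheme.lower(), (u.hostname or "").lower(), port), segments

def relation(resource_url, applies_to):
    """Return 'exact', 'parent' or None for a Resource URL vs. an AppliesTo address."""
    r_origin, r_seg = _parts(resource_url)
    a_origin, a_seg = _parts(applies_to)
    if r_origin != a_origin or a_seg[:len(r_seg)] != r_seg:
        return None
    return "exact" if len(r_seg) == len(a_seg) else "parent"

def candidates(partners, applies_to):
    """List (partner, resource_url, relation) entries that cover applies_to."""
    return [(name, url, rel) for name, urls in partners.items()
            for url in urls if (rel := relation(url, applies_to))]

if __name__ == "__main__":
    for addr in unmapped_addresses(SAMPLE_LOG):
        print(addr, "->", candidates(PARTNERS, addr) or "no Resource URL covers it")
```

An empty candidate list for an address that should belong to a partner points to a Resource URL that differs in scheme, host, port or path segment, as the constructed rp-typo and rp-https entries do.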

In certain cases, failure to correctly map the AppliesTo address to a Relying Party Partner will result in errors due to:

  • Authorization evaluation failures

  • Security Token Service not being able to retrieve the certificate belonging to the Relying Party Partner.