Write for OTN
Earn money and promote your technical skills by writing a technical article for Oracle Technology Network.
Learn more
Stay Connected
OTN Architect Community
OTN ArchBeat Blog Facebook Twitter YouTube Podcast Icon

Working with Oracle Security Token Service in an Architecture Involving Oracle WebLogic and Oracle Service Bus

by Ronaldo Fernandes

Using Oracle Security Token Service to generate Security Assertion Markup Language (SAML) tokens.

January 2014

Downloads
download-icon13-1Oracle Security Token Service
download-icon13-1Oracle WebLogic Server
download-icon13-1Oracle Service Bus

Recently, I've worked on a proof of concept for the use of Oracle Security Token Service (OSTS) in an architecture involving Oracle Fusion Middleware, focused on Oracle WebLogic Server (WLS), Oracle Web Service Manager (OWSM) and Oracle Service Bus (OSB). There are many security scenarios in which OSTS can be used, but the initial objective was to provide single sign-on between WLS and OSB using OSTS to generate Security Assertion Markup Language (SAML) tokens. This article describes the steps to implement this solution.

Scenario

The solution was applied on OWSM with OSB 11g (11.1.1.6), Oracle Access Manager (OAM) 11gR2 (11.1.2) and WLS 11g (10.3.6). A Security Token Service (STS) creates and validates security tokens, using protocols such as WS-Trust, acting as a centralizer point in security infrastructure architecture and simplifying identity propagation between heterogeneous environments.

OSTS is an Oracle Identity Management access management solution. For more information on OSTS, consult the following articles by Oracle Fusion Middleware A-Team solution architect Andre Correa:

The proof of concept required a client on WLS accessing a service provided by OSB using SAML. The SAML Assertion should be generated from OSTS.

WLS can use WS-Trust policies and communicate with OSTS, but OSB 11g still doesn't support WS-Trust policies. To work around this issue, configure OSB to trust messages signed by an OSTS certificate. Here is the complete scenario:

fernandes-osts-weblogic-osb-fig01
Figure 1: OSTS Scenario
  1. User invokes a web service on WLS with BASIC Authentication
  2. WLS authenticates the user and invokes OSTS with a Request Security Token (RST)
  3. OSTS validates RST
  4. OSTS returns a Request Security Token Response (RSTR) with SAML token
  5. WLS acquires SAML Assertion from RSTR and invokes a web service on OSB
  6. OSB validates SAML Assertion against OSTS certificate
  7. OSB returns the response to WLS
  8. WLS returns the response to OSB

Configuration

Oracle Security Token Service

Access the OAM console (e.g., http://<host>:<port>/oamconsole>) and be sure STS is enabled:

fernandes-osts-weblogic-osb-fig02
Figure 2: OSTS Enabled

Requester

The requester represents the client that needs to invoke a service. It's possible to configure "sign and encrypt" for the request, but in this scenario it isn't necessary.

In the Security Token Service section, access Partners > Requesters and create a requester with these configurations:

  • Partner Name: Test Client
  • Partner Profile: request-profiler
fernandes-osts-weblogic-osb-fig03
Figure 3: Create Requester

Relying Party

The relying party represents the resource to be accessed. In this scenario, it represents the service endpoint provided by OSB.

Create a relying party with these configurations:

  • Partner Name: OSB_Test
  • Partner Profile: Relying Party
  • Resource Pattern: https://osb.oracleads.com:8012/Testsec/Proxy_Service/Test
  • Description: OSB Test Service
fernandes-osts-weblogic-osb-fig04
Figure 4: Create Relying Party

Issuing Authority

The issuing authority is the entity responsible for issuing the required tokens.

Create an issuing authority with these configurations:

  • Partner Name: Test Issue Authority
  • Issuer ID: TestIssuerID
  • Partner Profile: issuingauthority-profile
fernandes-osts-weblogic-osb-fig05
Figure 5: Create Issuing Authority

The partner profile (issuingauthority-profile) issues SAML tokens.

Token Issuance Template

The token issuance template defines how a token is constructed. In our example, we are using the template saml20-issuance-template.

The template defines the assertion issuer. This value will be used later in OSB proxy service security. This template also informs how the on-behalf user will be validated. Because this user will be checked against the WebLogic realm, for this example change the Name Identifier Format value to Unspecified and Name Identifier User Attribute value to givenname.

fernandes-osts-weblogic-osb-fig06
Figure 6: SAML 2.0 Issuance Template

Application Domain

An application domain defines the access rules to resources.

Create an application domain with the name Services:

fernandes-osts-weblogic-osb-fig07
Figure 7: Create Application Domain

It's necessary to access the application domain Services, and to map the resource to be accessed (OSB Web Service) and the access rules.

Resource

Access the Services application domain. In the Resources tab, create a resource referencing the resource created previously:

  • Type: TokenServiceRP
  • Resource URL: OSB_Test
  • Operations: All, ISSUE
fernandes-osts-weblogic-osb-fig08
Figure 8: Create Resource

Token Issuance Policy

In the Token Issuance Policies tab, create a policy with no authorization restrictions:

  • Name (Figure 9): Test Token Issuance Policy
  • Resources (Figure 10): OSB_Test
  • Conditions (Figure 11):
    • Name: TRUE
    • Type: true
  • Allow Rule (Figure 12): TRUE (True)
fernandes-osts-weblogic-osb-fig09
Figure 9: Create Token Issuance Policy
fernandes-osts-weblogic-osb-fig10
Figure 10: Create Token Issuance Policy Resources
fernandes-osts-weblogic-osb-fig11
Figure 11: Create Token Issuance Policy Conditions
fernandes-osts-weblogic-osb-fig12
Figure 12: Create Token Issuance Policy Rules

WebLogic Console

Access the OSTS WebLogic console and create a user called pocsamlclient.

As defined earlier, OSTS will validate the username against the attribute givenname. So change the value of this attribute to pocsamlclient:

fernandes-osts-weblogic-osb-fig13
Figure 13: Create User

Oracle Service Bus

Create a proxy service named Test, with the path Testsec/Proxy_Service:

Testsec/Proxy_Service/Test

The proxy service receives and returns a simple text:

<xsd:schema targetNamespace="http://www.example.org/Test/">

      <xsd:element name="hello">
       
        <xsd:complexType>
          
          <xsd:sequence>
            
            <xsd:element name="in" type="xsd:string"/>
               
          </xsd:sequence>
            
        </xsd:complexType>
          
      </xsd:element>
       
      <xsd:element name="helloResponse">
       
        <xsd:complexType>
          
          <xsd:sequence>
            
            <xsd:element name="out" type="xsd:string"/>
               
          </xsd:sequence>
            
        </xsd:complexType>
          
      </xsd:element>
       
    </xsd:schema>

The proxy will receive a message with security headers. Remove these headers before you send the answer back to the client with a replace node:

  • XPath: .
  • In Variable: header
  • Expression: <soap-env:Header/>

Replace the response with a message containing the username concatenated with the original text.

Example:

<soap-env:Body>
<ns0:helloResponse>
          <out>{ concat('username = ', $inbound/ctx:security/ctx:messageLevelClient,
           ', text = ', $hello1/in) }</out>
</ns0:helloResponse>
</soap-env:Body>

Associate this policy with the proxy service:

oracle/wss-saml20_token_bearer_over_ssl_service_policy

fernandes-osts-weblogic-osb-fig14
Figure 14: OSB Proxy Service Policy

This policy requires SAML 2.0 bearer and SSL usage.

In the Security tab, override the saml.trusted.issuers property with the OSTS issuer:

fernandes-osts-weblogic-osb-fig15
Figure 15: OSB proxy Service Security

The assertion received by OSB is signed with an OSTS certificate. You must get this certificate from the URL bellow and import it in the Oracle Web Services Manager (OWSM) keystore:

http://<osts_host>:<osts_port>/sts/servlet/samlcert?id=osts_encryption&encoding=der

WebLogic Console

Access the OSB WebLogic console and create a user called pocsamlclient.

WebLogic Server

In our example, the client will request a token from OSTS using the policy wss11user, which requires authentication by username and is password encrypted with an OSTS certificate:

<?xml version="1.0"?>

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="wss11_username_token_with_message_protection_service_policy">
  <sp:SymmetricBinding
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <sp:ProtectionToken>
    <wsp:Policy>
      <sp:X509Token
    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
        <wsp:Policy>
          <sp:RequireThumbprintReference />
          <sp:WssX509V3Token11 />
        </wsp:Policy>
      </sp:X509Token>
    </wsp:Policy>
    </sp:ProtectionToken>
     <sp:AlgorithmSuite>
          <wsp:Policy>
               <sp:Basic128 />
          </wsp:Policy>
     </sp:AlgorithmSuite>
     <sp:Layout>
          <wsp:Policy>
               <sp:Lax />
          </wsp:Policy>
     </sp:Layout>
     <sp:IncludeTimestamp />
     <sp:OnlySignEntireHeadersAndBody />
  </wsp:Policy>
  </sp:SymmetricBinding>
    <sp:SignedSupportingTokens
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <sp:UsernameToken
      sp:IncludeToken=
     "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10 />
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
    </sp:SignedSupportingTokens>
     <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
               <sp:RequireSignatureConfirmation />
               <sp:MustSupportRefEncryptedKey />
          </wsp:Policy>
     </sp:Wss11>
     <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
          <sp:Header Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
          <sp:Header Name=
          "fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
     </sp:SignedParts>
     <sp:EncryptedParts
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
          <sp:Header Name=
          "fmw-context" Namespace="http://xmlns.oracle.com/fmw/context/1.0" />
     </sp:EncryptedParts>
</wsp:Policy>

</pre>
</div>

With stub classes generated from the OSB proxy service WSDL file and OSTS information, we can create the web service client:

package test;

import java.io.File;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPConstants;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceContext;

import org.example.test.Test;
import org.example.test.Test_Service;

import weblogic.jws.WLHttpTransport;
import weblogic.wsee.jaxrpc.WLStub;
import weblogic.wsee.message.WlMessageContext;
import weblogic.wsee.security.WSEESecurityConstants;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.wsee.security.util.CertUtils;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

@WebService
@WLHttpTransport(contextPath="TrustOSTSTest", 
                serviceUri="TrustOSTSTestService",
                portName="TrustOSTSTestServicePort")
public class TrustOSTSTest {

 private static final String TRUST_VERSION = 
 "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
 private static final String STS_URL = 
 "https://idm.oracleads.com:14101/sts/wss11user";
 private static final String STS_POLICY = 
 "StsWss11Unt_OSTS_Policy.xml";

     @Resource
     private WebServiceContext context;

     @WebMethod
     public String hello(String text) throws Exception {
      System.setProperty("javax.net.ssl.trustStore",
      "/opt/oracle/workspace/wls/11g/domains/testsec/config/fmwconfig/soa-keystore.jks");
      System.setProperty("javax.net.ssl.trustStorePassword", "weblogic");
      
      File wsdlPath = new File("/opt/oracle/workspace/wls/projects/saml/
       SamlClient/src/test/Test.wsdl");
      URL wsdlURL = new URL("file:" + wsdlPath.getCanonicalPath());
      QName serviceQName = new QName("http://www.example.org/Test/", 
       "Test");
      Test_Service service = new Test_Service(wsdlURL, serviceQName);

      Test test = service.getTestSOAP();

          // Add the credential providers to the request context  
          Map<String, Object> requestContext = 
               ((BindingProvider)test).getRequestContext();
     
          // Oracle STS endpoint URL
          requestContext.put(WLStub.WST_STS_ENDPOINT_ON_SAML, STS_URL);

          // Oracle STS encrypt cert
          requestContext.put(WLStub.STS_ENCRYPT_CERT, getServerCert());

          // WS-Policy to talk to Oracle STS
          requestContext.put(WlMessageContext.WST_BOOT_STRAP_POLICY, 
          this.getClass().getResourceAsStream(STS_POLICY));

          // WS-Trust version
          requestContext.put(WSEESecurityConstants.TRUST_VERSION, TRUST_VERSION);

          // SOAP version
          requestContext.put(WSEESecurityConstants.TRUST_SOAP_VERSION, 
          SOAPConstants.URI_NS_SOAP_1_2_ENVELOPE);

          // username for whom a token will be requested
          requestContext.put(WSEESecurityConstants.ON_BEHALF_OF_USER, 
          context.getUserPrincipal().getName());

          List credProviders = buildCredentialProviderList();
          requestContext.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);

          return ("response: " + test.hello(text));
     }

     private static List buildCredentialProviderList() throws Exception  {
      List credProviders = new ArrayList();
      credProviders.add(getClientUNTCredentialProvider());
      return credProviders;
     }

     private static CredentialProvider getClientUNTCredentialProvider() throws Exception {
      String username = System.getProperty("target.username", "weblogic");
      String password = System.getProperty("target.password", "welcome1");
      return new ClientUNTCredentialProvider(username.getBytes(), password.getBytes());
     }

     private static X509Certificate getServerCert() throws Exception {
      String defaultServerCert = "/opt/oracle/workspace/wls/11g/domains/
      testsec/osts_idm.der";
      final X509Certificate cert =  
          (X509Certificate)CertUtils.getCertificate(defaultServerCert);  
      cert.checkValidity(); 
      return cert;
     }

}

In the code, the following lines define the access to OSTS through WS-Trust:

requestContext.put(WLStub.WST_STS_ENDPOINT_ON_SAML, STS_URL);
requestContext.put(WLStub.STS_ENCRYPT_CERT, getServerCert());
requestContext.put(WlMessageContext.WST_BOOT_STRAP_POLICY, this.getClass()
.getResourceAsStream(STS_POLICY));
requestContext.put(WSEESecurityConstants.TRUST_VERSION, TRUST_VERSION);
requestContext.put(WSEESecurityConstants.TRUST_SOAP_VERSION, 
SOAPConstants.URI_NS_SOAP_1_2_ENVELOPE);

This operation tells RST the username authenticated in WLS, so OSTS can create the SAML Assertion from it:

requestContext.put(WSEESecurityConstants.ON_BEHALF_OF_USER, 
context.getUserPrincipal().getName());

The certificate osts_idm.der is used to encrypt usernametoken when building the RST to OSTS.

The code uses the soa-keystore.jks as a trusted keystore. You must import SSL certificates from OSTS and OSB in this keystore.

The web service client must require authentication, which we can accomplish, for example, by requiring BASIC Authentication with minor changes in web descriptor files. For example:

web.xml

<security-constraint>
     <display-name>SecurityConstraint</display-name>
     <web-resource-collection>
          <web-resource-name>TrustOSTSTestService</web-resource-name>
          <url-pattern>/TrustOSTSTestService</url-pattern>
     </web-resource-collection>
     <auth-constraint>
          <role-name>everyone</role-name>
     </auth-constraint>
     <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
</security-constraint>
<security-role>
     <role-name>everyone</role-name>
</security-role>  
<login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>default</realm-name>
</login-config>

weblogic.xml

<wls:security-role-assignment>
<wls:role-name>everyone</wls:role-name>
     <wls:principal-name>everyone</wls:principal-name>
</wls:security-role-assignment> 

WebLogic Console

Access the WebLogic console and create a user called pocsamlclient.

Testing

After deploying the web service to the WebLogic instance, you can test it using the pocsamlclient user.

When testing, WebLogic calls OSTS and, after a successful answer, calls OSB:

return ("response: " + test.hello(text));

WebLogic sends an RST to OSTS similar to this (WLS will encrypt it before sending to OSTS):

<env:Body xmlns:env="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   wsu:Id="Body_y3YwSoICSy12S1vl">
    <wst:RequestSecurityToken
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <wst:TokenType>
      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
    </wst:TokenType>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>
            https://osb.oracleads.com:8012/Testsec/Proxy_Service/Test
        </wsa:Address>
     </wsa:EndpointReference>
    </wsp:AppliesTo>
    http://<osts_host>:<osts_port>/sts/servlet/samlcert?id=osts_encryption&encoding=der
    <wst:Lifetime>
      <wsu:Created>2013-11-21T13:33:45.243Z</wsu:Created>
      <wsu:Expires>2013-11-21T13:34:45.243Z</wsu:Expires>
    </wst:Lifetime>
    <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
    <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    <wst:OnBehalfOf>
      <wsse:UsernameToken
      xmlns:wsse=
       "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        wsu:Id="unt_38uGcc6Uow5fCMIk">
        <wsse:Username>pocsamlclient</wsse:Username>
      </wsse:UsernameToken>
    </wst:OnBehalfOf>
  </wst:RequestSecurityToken>
</env:Body>

If OSTS successfully validates the RST, it sends an RSTR with SAML Assertion. For example:

<env:Body xmlns:env="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="Body-27ud8azsQTUkMSMvp3x8TQ22">
    <wst:RequestSecurityTokenResponseCollection
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestSecurityTokenResponse>
        <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
          </wst:TokenType>
          <wst:RequestedSecurityToken>
            <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
              ID="id-1-HL01wfKQhzlwD-z-9IfJTO8d0-" IssueInstant="2013-11-21T13:33:45Z"
              Version="2.0">
              <saml:Issuer>oel01n01</saml:Issuer>
                <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                  <dsig:SignedInfo>
                    <dsig:CanonicalizationMethod
                           Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                         </dsig:CanonicalizationMethod>
                      <dsig:SignatureMethod
                        Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
                           </dsig:SignatureMethod>
                        <dsig:Reference URI="#id-1-HL01wfKQhzlwD-z-9IfJTO8d0-">
                          <dsig:Transforms>
                            <dsig:Transform
                              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature">
                            </dsig:Transform>
                            <dsig:Transform 
                              Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            </dsig:Transform>
                          </dsig:Transforms>
                            <dsig:DigestMethod 
                              Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
                            </dsig:DigestMethod>
                              <dsig:DigestValue>Bp00jLYXrUXzx6FAB6Jq6fq2+7Q=</dsig:DigestValue>
                            </dsig:Reference>
                  </dsig:SignedInfo>
                    <dsig:SignatureValue>glMt ... nI8M=</dsig:SignatureValue>
                      <dsig:KeyInfo>
                        <dsig:X509Data>
                          <dsig:X509Certificate>MIIB ... Z48V</dsig:X509Certificate>
                        </dsig:X509Data>
                      </dsig:KeyInfo>
                    </dsig:Signature>
                    <saml:Subject>
                      <saml:NameID
                        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                          pocsamlclient
                      </saml:NameID>
                        <saml:SubjectConfirmation Method=
                                "urn:oasis:names:tc:SAML:2.0:cm:bearer">
                        </saml:SubjectConfirmation>
                      </saml:Subject>
                    <saml:Conditions NotBefore="2013-11-21T13:33:45Z"
                      NotOnOrAfter="2013-11-21T14:33:45Z"></saml:Conditions>
                    <saml:AttributeStatement>
                      <saml:Attribute Name="sn"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                        <saml:AttributeValue xmlns:xsi=
                                "http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">pocsamlclient
                        </saml:AttributeValue>
                      </saml:Attribute>
                    </saml:AttributeStatement>
                  </saml:Assertion>
          </wst:RequestedSecurityToken>
          <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <ns2:EndpointReference 
              xmlns:ns2="http://www.w3.org/2005/08/addressing">
              <ns2:Address>
                   https://osb.oracleads.com:8012/Testsec/Proxy_Service/Test
              </ns2:Address>
            </ns2:EndpointReference>
          </wsp:AppliesTo>
          <wst:RequestedAttachedReference>
            <wsse:SecurityTokenReference
              xmlns:wsse=
                "http://docs.oasis-open.org/wss/2004/01/
                    oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <wsse:KeyIdentifier 
                 ValueType="http://docs.oasis-open.org/wss/
                    oasis-wss-saml-token-profile-1.1#SAMLID">
                  id-1-HL01wfKQhzlwD-z-9IfJTO8d0-
              </wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
          </wst:RequestedAttachedReference>
          <wst:RequestedUnattachedReference>
            <wsse:SecurityTokenReference
              xmlns:wsse=
              "http://docs.oasis-open.org/wss/2004/01/
                  oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <wsse:KeyIdentifier
                ValueType="http://docs.oasis-open.org/wss/
                    oasis-wss-saml-token-profile-1.1#SAMLID">
                  id-1-HL01wfKQhzlwD-z-9IfJTO8d0-
              </wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
          </wst:RequestedUnattachedReference>
            <wst:Lifetime>
              <wsu:Created>2013-11-21T13:33:45Z</wsu:Created>
              <wsu:Expires>2013-11-21T14:33:45Z</wsu:Expires>
            </wst:Lifetime>
            <wst:KeyType>
                 http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
            </wst:KeyType>
      </wst:RequestSecurityTokenResponse>
     </wst:RequestSecurityTokenResponseCollection>
</env:Body>

WebLogic retires SAML Assertion from RSTR and creates a message with it to call OSB:

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
 <S:Header>
  <work:WorkContext xmlns:work="http://oracle.com/weblogic/soap/workarea/">rO0A ... AAAA==
  </work:WorkContext>
  <wsse:Security
   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
   S:mustUnderstand="1">
   <saml:Assertion xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
      xmlns:enc="http://www.w3.org/2001/04/xmlenc#" 
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        ID="id-1-HL01wfKQhzlwD-z-9IfJTO8d0-"
      IssueInstant="2013-11-21T13:33:45Z" Version="2.0">
      <saml:Issuer>oel01n01</saml:Issuer>
      <dsig:Signature>
        <dsig:SignedInfo>
        <dsig:CanonicalizationMethod
          Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <dsig:Reference URI="#id-1-HL01wfKQhzlwD-z-9IfJTO8d0-">
          <dsig:Transforms>
            <dsig:Transform
              Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>Bp00jLYXrUXzx6FAB6Jq6fq2+7Q=</dsig:DigestValue>
        </dsig:Reference>
        </dsig:SignedInfo>
          <dsig:SignatureValue>glMt ... nI8M=</dsig:SignatureValue>
          <dsig:KeyInfo>
            <dsig:X509Data>  
              <dsig:X509Certificate>MIIB ... Z48V</dsig:X509Certificate>
            </dsig:X509Data>
          </dsig:KeyInfo>
          </dsig:Signature>
          <saml:Subject>
            <saml:NameID
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
                pocsamlclient
            </saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
          </saml:Subject>
          <saml:Conditions NotBefore="2013-11-21T13:33:45Z"
            NotOnOrAfter="2013-11-21T14:33:45Z" />
          <saml:AttributeStatement>
            <saml:Attribute Name="sn"
              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
              xsi:type="xs:string">pocsamlclient</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
    </saml:Assertion>
    <wsu:Timestamp
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       <wsu:Created>2013-11-21T13:33:44Z</wsu:Created>
       <wsu:Expires>2013-11-21T13:34:44Z</wsu:Expires>
    </wsu:Timestamp>
   </wsse:Security>
  </S:Header>
 <S:Body>
  <ns2:hello xmlns:ns2="http://www.example.org/Test/">
    <in>abc</in>
  </ns2:hello>
 </S:Body>
</S:Envelope>

OSB verifies the signature against the OSTS certificate and, if the signature is valid, executes a proxy service and returns the response to the client:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/
      oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="Timestamp-Si0WdPuI4WlUbTbwbHAuhQ22"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/
          oasis-200401-wss-wssecurity-utility-1.0.xsd">
     <wsu:Created>2013-11-21T13:33:47Z</wsu:Created>
        <wsu:Expires>2013-11-21T13:38:47Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <test:helloResponse xmlns:test="http://www.example.org/Test/">
     <out>username = pocsamlclient, text = abc</out>
    </test:helloResponse>
  </soapenv:Body>
</soapenv:Envelope>

Note: Although OSB cannot yet use WS-Trust policies, there is no need for the client (WebLogic) to know any OSB-specific certificate, except for SSL communication. To encrypt the request, the client needs only to know the OSTS certificate. Thus, OSTS is still a central point of token management.

Conclusion

This article describes a procedure for configuring and using OSTS as a token generator for identity propagation between a client in WLS and a service provided by OSB and OWSM.

About the Author

Ronaldo Fernandes is a principal consultant for Oracle Consulting in Brazil. He specializes in Oracle Fusion Middleware, SOA, and security, and has worked with Java technologies since 1996. He has more than 15 years of experience in defining architectures, problem solving, technical leadership and software development. LinkedIn