Single Sign-On with Security Assertion Markup Language between Oracle and SAP

by Ronaldo Fernandes

Implementing Security Assertion Markup Language (SAML) to provide identity propagation from Oracle Web Service Manager (OWSM) in Oracle Service Bus (OSB) to SAP Enterprise Central Component (ECC)

July 2013


Tracking user activities is important when you're using an Enterprise Resource Planning (ERP) app to access and update data and processes. Because critical data (such as finance and sales figures) may be exposed through web services, you need to provide a secure environment capable of propagating the identity of users between different systems.

This article shows you how to implement Security Assertion Markup Language (SAML) to provide identity propagation from Oracle Web Service Manager (OWSM) in Oracle Service Bus (OSB) to SAP Enterprise Central Component (ECC) through web services, describes the necessary configuration, and provides an example on an Oracle Environment.

Scenario

The solution was applied for a customer in an environment running Oracle Web Service Manager with Oracle Service Bus 11g (11.1.1.6) and SAP ECC 6.06 SP2. Each platform authenticates users against its own user store. (SAP ECC was previously known as R/3.)

In this scenario, Oracle Service Bus (acting as Identity Provider) accesses a web service published on SAP ECC (acting as Service Provider) using SAML 1.1 sender-vouches. SAML 1.1 was used rather than SAML 2.0 because the customer is planning changes to the architecture.

Figure 1: Oracle Service Bus / ECC environment

The user accesses the proxy service with his credentials; Oracle Service Bus authenticates him, executes the flow, and calls the Business Service.

An Oracle Web Services Manager policy applied to the Business Service requires the generation of a SAML Assertion. Oracle Web Services Manager generates a message whose security header includes the assertion, signs the body, and calls ECC.

ECC validates the security information, including the SAML Assertion, and verifies that the user exists in its user store. If the message is valid, ECC returns the response to Oracle Service Bus.

The service published on ECC receives only one text parameter; it returns this same parameter concatenated with the user name (authenticated using SAML). It's a simple test, but enough to verify the identity propagation between the platforms.

Configuration


WebLogic Server

Create a user in Oracle WebLogic (Example: testsamlclient).

In our test, this user will authenticate the client in the proxy service. This same user or an equivalent one has to exist in ECC.

Oracle Web Services Manager


Configure the keystore used by Oracle Web Services Manager and import the certificates used in the communication: Oracle Web Services Manager private key, ECC public key, and CAs. This scenario uses certificates generated by the customer, so the issuer is the company CA.

Access the Enterprise Manager console:

http://<host>:<port>/em


Enter the keystore configuration screen to set keystore and certificates values. In our test, the Signature Key signs the SAML Assertion and body of the SOAP requests.

Click <FARM>/Weblogic Domain/<domain_name>, access the menu WebLogic Domain > Security > Security Provider Configuration, and select Configure Keystore:

Figure 2: Oracle Web Services Manager Keystore Configuration

Restart the server.

Access EM console again and configure a new security policy.

Click <FARM>/Weblogic Domain/<domain_name>, access the menu WebLogic Domain > Web Services > Policies.

On the Web Service Policies screen, search for policies that apply to Service Clients.

Select oracle/wss10_saml_token_with_message_integrity_client_policy

Click Create Like:

Figure 3: Creating a web service policy

Rename the policy. (Example: oracle/wss10_saml_token_with_message_integrity_client_policy_sap)

Figure 4: Rename the policy

Because ECC SAML Web Service requires a message with a signed timestamp, check the option Include Timestamp in the Settings Tab:

Figure 5: Include timestamp

Oracle Web Services Manager thereby adds a signed timestamp to the request and expects a signed timestamp in the response. However, ECC returns an unsigned timestamp in the response, which causes the following error in Oracle Service Bus:

oracle.wsm.security.policy.scenario.policycompliance.PolicyComplianceException: WSM-00036 : 
The signed message elements or parts do not comply with the policy. The following 
headers/elements (<name space: local name>) or attachments (<attachment ID: 
attachment type>) must be signed:-
< http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd: Timestamp >


To solve this issue, go to the Configurations tab, add a property called ignore.timestamp.in.response, and set its value to true. With this setting, Oracle Web Services Manager no longer validates the timestamp in the response; the request still carries its signed timestamp, so only the response-side check is relaxed:

Figure 6: Add a property

The field saml.issuer.name defines the issuer of the SAML Assertion — by default, www.oracle.com. You can change this value, but the issuer has to be configured in SAP ECC to accept the SAML Assertion coming from Oracle Service Bus.

The property csf-key uses basic.credentials by default. Click <FARM>/Weblogic Domain/<domain_name>, and access the menu WebLogic Domain > Security > Credentials. Create a new key under oracle.wsm.security named basic.credentials that holds the credentials of the testsamlclient user:

Figure 7: Create Key

Optionally, you can define a new credential key and change the value in the property csf-key.

Implementation

Open Oracle Enterprise Pack for Eclipse (OEPE) and create a business service from the ECC WSDL; name it, for example, TestSamlClient.

Here is an example of the ECC WSDL:

<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions targetNamespace="urn:sap-com:document:sap:soap:functions:mc-style"
     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"	 
	 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
	 xmlns:wsoap12="http://schemas.xmlsoap.org/wsdl/soap12/"
	 xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
     xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
     xmlns:tns="urn:sap-com:document:sap:soap:functions:mc-style"
     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
     xmlns:n1="urn:sap-com:document:sap:rfc:functions">
     <wsdl:documentation>
     <sidl:sidl xmlns:sidl="http://www.sap.com/2007/03/sidl" />
     </wsdl:documentation>
     <wsp:UsingPolicy wsdl:required="true" />
     <wsp:Policy wsu:Id="BN_BN_YS_SAMLTEST">
          <saptrnbnd:OptimizedXMLTransfer 
uri="http://xml.sap.com/2006/11/esi/esp/binxml"
xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/"
wsp:Optional="true" />
          <saptrnbnd:OptimizedMimeSerialization
xmlns:saptrnbnd="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization"
               wsp:Optional="true" />
          <wsp:ExactlyOne xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
               <wsp:All>
                    <sp:AsymmetricBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
               <wsp:Policy>
                 <sp:InitiatorSignatureToken>
               <wsp:Policy>
                 <sp:X509Token
                   sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
               <wsp:Policy>
                 <sp:WssX509V3Token10 />
               </wsp:Policy>
                 </sp:X509Token>
               </wsp:Policy>
                </sp:InitiatorSignatureToken>
                <sp:AlgorithmSuite>
               <wsp:Policy>
                <sp:Basic128Rsa15 />
               </wsp:Policy>
                </sp:AlgorithmSuite>
                <sp:Layout>
               <wsp:Policy>
                <sp:Strict />
               </wsp:Policy>
                </sp:Layout>
                 <sp:IncludeTimestamp />
                 <sp:OnlySignEntireHeadersAndBody />
               </wsp:Policy>
                 </sp:AsymmetricBinding>
                 <sp:Wss10
                  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                  xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
		  xmlns:wsa="http://www.w3.org/2005/08/addressing"
		  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                  xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                  xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
                <wsp:Policy>
                  <sp:MustSupportRefKeyIdentifier />
                  <sp:MustSupportRefIssuerSerial />
                </wsp:Policy>
                   </sp:Wss10>
                   <sp:SignedParts
                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                    xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
                    xmlns:wsa="http://www.w3.org/2005/08/addressing"
		    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                    xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
                   <sp:Body />
                   <sp:Header Name="Trace"
                    Namespace="http://www.sap.com/webas/630/soap/features/runtime/tracing/" />
                   <sp:Header Name="messageId"
                    Namespace="http://www.sap.com/webas/640/soap/features/messageId/" />
                   <sp:Header Name="CallerInformation"
                    Namespace="http://www.sap.com/webas/712/soap/features/runtime/metering/" />
                   <sp:Header Name="Session"
                    Namespace="http://www.sap.com/webas/630/soap/features/session/" />
                   <sp:Header Name="To"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="From"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="FaultTo"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="ReplyTo"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="MessageID"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="RelatesTo"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="Action"
                    Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
                   <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="ReferenceParameters" 
                    Namespace="http://www.w3.org/2005/08/addressing" />
                   <sp:Header Name="Sequence"
                    Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
                   <sp:Header Name="SequenceAcknowledgement"
                    Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
                   <sp:Header Name="AckRequested"
                    Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
                   <sp:Header Name="SequenceFault"
                    Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
                   <sp:Header Name="Sequence"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="AckRequested"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="SequenceAcknowledgement"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="SequenceFault"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="UsesSequenceSTR"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   <sp:Header Name="UsesSequenceSSL"
                    Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
                   </sp:SignedParts>
                   <sp:SignedSupportingTokens
                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                    xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
                    xmlns:wsa="http://www.w3.org/2005/08/addressing" 
                    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                    xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
                    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
                  <wsp:Policy>
                   <sp:SamlToken
                    sp:IncludeToken=
 "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                   <sp:WssSamlV11Token10 />
                  </wsp:Policy>
                  </sp:SamlToken>
                  </wsp:Policy>
                  </sp:SignedSupportingTokens>
               </wsp:All>
          </wsp:ExactlyOne>
          <wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
               wsp:Optional="true" />
     </wsp:Policy>
     <wsp:Policy wsu:Id="BN_BN_YS_SAMLTEST_SOAP12">
          <saptrnbnd:OptimizedXMLTransfer
            uri="http://xml.sap.com/2006/11/esi/esp/binxml"
xmlns:saptrnbnd="http://www.sap.com/webas/710/soap/features/transportbinding/"
               wsp:Optional="true" />
          <saptrnbnd:OptimizedMimeSerialization
xmlns:saptrnbnd="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization"
               wsp:Optional="true" />
          <wsp:ExactlyOne xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
               <wsp:All>
                 <sp:AsymmetricBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
xmlns:wsa="http://www.w3.org/2005/08/addressing" 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
        <wsp:Policy>
         <sp:InitiatorSignatureToken>
        <wsp:Policy>
         <sp:X509Token
          sp:IncludeToken=
 "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
         <sp:WssX509V3Token10 />
        </wsp:Policy>
        </sp:X509Token>
        </wsp:Policy>
        </sp:InitiatorSignatureToken>
        <sp:AlgorithmSuite>
        <wsp:Policy>
        <sp:Basic128Rsa15 />
        </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
        <wsp:Policy>
         <sp:Strict />
        </wsp:Policy>
         </sp:Layout>
         <sp:IncludeTimestamp />
         <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
         </sp:AsymmetricBinding>
          <sp:Wss10
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
        <wsp:Policy>
         <sp:MustSupportRefKeyIdentifier />
         <sp:MustSupportRefIssuerSerial />
       </wsp:Policy>
       </sp:Wss10>
      <sp:SignedParts
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
 xmlns:wsa="http://www.w3.org/2005/08/addressing" 
 xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
 xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
 xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
      <sp:Body />
      <sp:Header Name="Trace"
        Namespace="http://www.sap.com/webas/630/soap/features/runtime/tracing/" />
      <sp:Header Name="messageId"
        Namespace="http://www.sap.com/webas/640/soap/features/messageId/" />
      <sp:Header Name="CallerInformation"
        Namespace="http://www.sap.com/webas/712/soap/features/runtime/metering/" />
      <sp:Header Name="Session"
        Namespace="http://www.sap.com/webas/630/soap/features/session/" />
      <sp:Header Name="To"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="From"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="FaultTo"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="ReplyTo"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="MessageID"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="RelatesTo"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="Action"
        Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
      <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="ReferenceParameters" 
        Namespace="http://www.w3.org/2005/08/addressing" />
      <sp:Header Name="Sequence"
        Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
      <sp:Header Name="SequenceAcknowledgement"
        Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
      <sp:Header Name="AckRequested"
        Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
      <sp:Header Name="SequenceFault"
        Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" />
      <sp:Header Name="Sequence"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="AckRequested"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="SequenceAcknowledgement"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="SequenceFault"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="UsesSequenceSTR"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      <sp:Header Name="UsesSequenceSSL"
        Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
      </sp:SignedParts>
      <sp:SignedSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sapsp="http://www.sap.com/webas/630/soap/features/security/policy"
xmlns:wsa="http://www.w3.org/2005/08/addressing" 
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
     <wsp:Policy>
      <sp:SamlToken
       sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
     <wsp:Policy>
       <sp:WssSamlV11Token10 />
     </wsp:Policy>
       </sp:SamlToken>
     </wsp:Policy>
     </sp:SignedSupportingTokens>
     </wsp:All>
     </wsp:ExactlyOne>
     <wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
       wsp:Optional="true" />
     </wsp:Policy>
     <wsp:Policy wsu:Id="IF_IF_YS_SAMLTEST">
     <sapsession:Session
xmlns:sapsession="http://www.sap.com/webas/630/soap/features/session/">
       <sapsession:enableSession>false</sapsession:enableSession>
     </sapsession:Session>
       <sapcentraladmin:CentralAdministration
xmlns:sapcentraladmin="http://www.sap.com/webas/700/soap/features/CentralAdministration/"
        wsp:Optional="true">
       <sapcentraladmin:BusinessApplicationID>4FF6C4A0570F00E9E10000000A1D140F
       </sapcentraladmin:BusinessApplicationID>
       </sapcentraladmin:CentralAdministration>
     </wsp:Policy>
     <wsp:Policy wsu:Id="OP_IF_OP_YsSamltest">
       <sapcomhnd:enableCommit
xmlns:sapcomhnd="http://www.sap.com/NW05/soap/features/commit/">false</sapcomhnd:enableCommit>
       <sapblock:enableBlocking
xmlns:sapblock="http://www.sap.com/NW05/soap/features/blocking/">true</sapblock:enableBlocking>
       <saptrhnw05:required
xmlns:saptrhnw05="http://www.sap.com/NW05/soap/features/transaction/">no</saptrhnw05:required>
       <saprmnw05:enableWSRM xmlns:saprmnw05="http://www.sap.com/NW05/soap/features/wsrm/">false
     </saprmnw05:enableWSRM>
     </wsp:Policy>
     <wsdl:types>
   <xsd:schema attributeFormDefault="qualified"
      targetNamespace="urn:sap-com:document:sap:rfc:functions">
   <xsd:simpleType name="char10">
   <xsd:restriction base="xsd:string">
   <xsd:maxLength value="10" />
   </xsd:restriction>
   </xsd:simpleType>
   <xsd:simpleType name="char40">
   <xsd:restriction base="xsd:string">
     <xsd:maxLength value="40" />
   </xsd:restriction>
   </xsd:simpleType>
   </xsd:schema>
   <xsd:schema attributeFormDefault="qualified"
     targetNamespace="urn:sap-com:document:sap:soap:functions:mc-style"
xmlns:n0="urn:sap-com:document:sap:rfc:functions">
   <xsd:import namespace="urn:sap-com:document:sap:rfc:functions" />
   <xsd:element name="YsSamltest">
   <xsd:complexType>
   <xsd:sequence>
     <xsd:element name="Text" type="n0:char10" minOccurs="0" />
   </xsd:sequence>
   </xsd:complexType>
     </xsd:element>
      <xsd:element name="YsSamltestResponse">
      <xsd:complexType>
    <xsd:sequence>
    <xsd:element name="Result" type="n0:char40" />
   </xsd:sequence>
   </xsd:complexType>
   </xsd:element>
   </xsd:schema>
   </wsdl:types>
   <wsdl:message name="YsSamltest">
   <wsdl:part name="parameters" element="tns:YsSamltest" />
   </wsdl:message>
   <wsdl:message name="YsSamltestResponse">
   <wsdl:part name="parameter" element="tns:YsSamltestResponse" />
   </wsdl:message>
   <wsdl:portType name="YS_SAMLTEST">
   <wsp:Policy>
    <wsp:PolicyReference URI="#IF_IF_YS_SAMLTEST" />
   </wsp:Policy>
   <wsdl:operation name="YsSamltest">
    <wsp:Policy>
    <wsp:PolicyReference URI="#OP_IF_OP_YsSamltest" />
   </wsp:Policy>
   <wsdl:input message="tns:YsSamltest" />
   <wsdl:output message="tns:YsSamltestResponse" />
   </wsdl:operation>
   </wsdl:portType>
   <wsdl:binding name="YS_SAMLTEST" type="tns:YS_SAMLTEST">
         <wsp:Policy>
           <wsp:PolicyReference URI="#BN_BN_YS_SAMLTEST" />
          </wsp:Policy>
          <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
               style="document" />
          <wsdl:operation name="YsSamltest">
               <soap:operation style="document" />
               <wsdl:input>
                    <soap:body use="literal" />
               </wsdl:input>
               <wsdl:output>
                    <soap:body use="literal" />
               </wsdl:output>
          </wsdl:operation>
     </wsdl:binding>
     <wsdl:binding name="YS_SAMLTEST_SOAP12" type="tns:YS_SAMLTEST">
          <wsp:Policy>
               <wsp:PolicyReference URI="#BN_BN_YS_SAMLTEST_SOAP12" />
          </wsp:Policy>
          <wsoap12:binding transport="http://schemas.xmlsoap.org/soap/http"
               style="document" />
          <wsdl:operation name="YsSamltest">
               <wsoap12:operation style="document" />
               <wsdl:input>
                    <wsoap12:body use="literal" />
               </wsdl:input>
               <wsdl:output>
                    <wsoap12:body use="literal" />
               </wsdl:output>
          </wsdl:operation>
     </wsdl:binding>
     <wsdl:service name="YS_SAMLTEST">
          <wsdl:port name="YS_SAMLTEST" binding="tns:YS_SAMLTEST">
            <soap:address
 location="http://poc-sap:8021/sap/bc/srt/rfc/sap/ys_samltest/200/ys_samltest/ys_samltest" />
          </wsdl:port>
          <wsdl:port name="YS_SAMLTEST_SOAP12" binding="tns:YS_SAMLTEST_SOAP12">
             <wsoap12:address
 location="http://poc-sap:8021/sap/bc/srt/rfc/sap/ys_samltest/200/ys_samltest/ys_samltest" />
          </wsdl:port>
     </wsdl:service>
</wsdl:definitions>


After creating the business service, you will see this error:

"[OSB Kernel:398133]The service is based on WSDL with Web Services Security Policies that are not natively supported by Oracle Service Bus. Please select OWSM Policies - From OWSM Policy Store option and attach equivalent OWSM security policy." (See Figure 8)

Figure 8: Policy Error

This error happens because Oracle WebLogic, unlike Oracle Web Services Manager, doesn't support the policies inside the ECC WSDL. For now, to avoid this error, change the service policy configuration to From OWSM Policy Store. We'll attach the policy later through the Oracle Service Bus Console. Optionally, you can attach the Oracle Web Services Manager policy through OEPE if the Oracle Service Bus server is running.

Create a proxy service from the business service. You will see the same policy error. In the Policy tab, change the Service Policy Configuration to From Pre-defined Policy or WS-Policy Resource. As Figure 9 shows, the proxy service itself doesn't need any policy.

Figure 9: Create proxy service

In the HTTP Transport tab, change the Authentication to Basic. This is necessary because, in the Business Service, Oracle Web Services Manager uses the name of the authenticated user to generate the SAML assertion.

Export the Oracle Service Bus configuration JAR.

Oracle Service Bus Configuration


Access the Oracle Service Bus console and import the OSB configuration JAR to the server.

Configure the business service, adding the custom policy created in Oracle Web Services Manager:

Figure 10: Service Policy Configuration

After applying the policy, you can change the value of any property in the Security tab:

Figure 11: Policy Overrides

Note: You can change any property of the policy if you want a different behavior from the business service (e.g., a different signature certificate).

Before Testing


There are some points to verify before testing.

Verify that the Oracle and SAP machines have their clocks synchronized, and configure an appropriate clock skew in ECC. ECC refuses calls if Oracle Service Bus sends a request whose timestamp is in the future or differs from ECC's clock by more than the configured skew.

The user included in the SAML Assertion has to be mapped in ECC to an existing user in its user store. User names are case-sensitive in ECC.

Verify that ECC is configured to accept the SAML Issuer used by Oracle Web Services Manager.

Verify that all required certificates have been imported into the Oracle Web Services Manager keystore and the ECC environment.
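The following Python script is an added example, not part of the original article and not OWSM or ECC code: it applies the checks listed above (clock skew, trusted issuer, case-sensitive user mapping) together with the signed-parts check behind the WSM-00036 error from the Oracle Web Services Manager section to a constructed message cut down from the secured request shown under Testing. It inspects only which parts the dsig:Signature references and the timestamp and assertion conditions; the digests and RSA signature value are not verified, and the 5-minute clock skew and the sets of trusted issuers and known users are assumptions.

```python
"""Structural policy checks for the WS-Security / SAML 1.1 sender-vouches message OWSM sends
to ECC (constructed example; digests and the RSA SignatureValue are NOT verified here)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample, cut down from the secured request in the Testing section (same ids).
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
 xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1">
<wsse:SecurityTokenReference wsu:Id="STR-SAML-bCgQ6C7G7d3xvJEZ0Ap9Ag22"><wsse:KeyIdentifier
 ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
 >SAML-l0sKvVtSFWBxVSfO8DOYOQ22</wsse:KeyIdentifier></wsse:SecurityTokenReference>
<wsu:Timestamp wsu:Id="Timestamp-B8oMUcneIEM0FBP1WSzqiw22"><wsu:Created>2013-04-15T20:04:41Z</wsu:Created>
 <wsu:Expires>2013-04-15T20:09:41Z</wsu:Expires></wsu:Timestamp>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SAML-l0sKvVtSFWBxVSfO8DOYOQ22"
 IssueInstant="2013-04-15T20:04:41Z" Issuer="www.oracle.com">
 <saml:Conditions NotBefore="2013-04-15T20:04:41Z" NotOnOrAfter="2013-04-15T20:09:41Z"/>
 <saml:AuthenticationStatement AuthenticationInstant="2013-04-15T20:04:41Z"
  AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject>
  <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
   >testsamlclient</saml:NameIdentifier>
  <saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
   </saml:ConfirmationMethod></saml:SubjectConfirmation>
 </saml:Subject></saml:AuthenticationStatement></saml:Assertion>
<dsig:Signature><dsig:SignedInfo>
 <dsig:Reference URI="#Timestamp-B8oMUcneIEM0FBP1WSzqiw22"/>
 <dsig:Reference URI="#STR-SAML-bCgQ6C7G7d3xvJEZ0Ap9Ag22"/>
 <dsig:Reference URI="#Body-qp7LuhCcRiNgYpIFe3OIyA22"/>
</dsig:SignedInfo></dsig:Signature>
</wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="Body-qp7LuhCcRiNgYpIFe3OIyA22"><urn:YsSamltest><Text>test</Text></urn:YsSamltest></soapenv:Body></soapenv:Envelope>"""

def _utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def signed_ids(security):
    """wsu:Ids referenced from dsig:SignedInfo (URI="#id"): the parts the signature covers."""
    refs = security.iterfind("dsig:Signature/dsig:SignedInfo/dsig:Reference", NS)
    return {r.get("URI", "").lstrip("#") for r in refs}

def check_message(xml_text, now, trusted_issuers, user_store,
                  clock_skew=timedelta(minutes=5), require_signed_timestamp=True):
    """Return the list of findings; an empty list means the message passes.
    require_signed_timestamp=False mirrors OWSM's ignore.timestamp.in.response."""
    now = _utc(now) if isinstance(now, str) else now
    root = ET.fromstring(xml_text)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return ["missing wsse:Security header"]
    signed, findings = signed_ids(sec), []
    body = root.find("soapenv:Body", NS)               # sp:SignedParts/sp:Body in the ECC policy
    if body is None or body.get(WSU_ID) not in signed:
        findings.append("Body must be signed")
    ts = sec.find("wsu:Timestamp", NS)                 # sp:IncludeTimestamp
    if ts is None:
        findings.append("missing wsu:Timestamp")
    else:
        if require_signed_timestamp and ts.get(WSU_ID) not in signed:
            findings.append("Timestamp must be signed")   # the WSM-00036 condition
        if _utc(ts.findtext("wsu:Created", namespaces=NS)) > now + clock_skew:
            findings.append("Timestamp Created is in the future beyond the clock skew")
        if _utc(ts.findtext("wsu:Expires", namespaces=NS)) <= now - clock_skew:
            findings.append("Timestamp has expired")
    a = sec.find("saml:Assertion", NS)                 # sp:SamlToken / sp:WssSamlV11Token10
    if a is None:
        return findings + ["missing saml:Assertion"]
    if a.get("Issuer") not in trusted_issuers:         # saml.issuer.name must be known to ECC
        findings.append("untrusted SAML issuer %r" % a.get("Issuer"))
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if _utc(cond.get("NotBefore")) > now + clock_skew:
            findings.append("assertion not yet valid (NotBefore)")
        if _utc(cond.get("NotOnOrAfter")) <= now - clock_skew:
            findings.append("assertion expired (NotOnOrAfter)")
    method = a.findtext(".//saml:ConfirmationMethod", default="", namespaces=NS).strip()
    if method != SENDER_VOUCHES:
        findings.append("confirmation method is not sender-vouches")
    # Sender-vouches only holds if the signer vouched for the assertion: the STR whose
    # KeyIdentifier names this AssertionID must itself be covered by the signature.
    bound = {s.get(WSU_ID) for s in sec.iterfind("wsse:SecurityTokenReference", NS)
             if s.findtext("wsse:KeyIdentifier", default="", namespaces=NS).strip() == a.get("AssertionID")}
    if not bound & signed:
        findings.append("assertion is not bound to the signature (STR not signed)")
    user = a.findtext(".//saml:NameIdentifier", default="", namespaces=NS).strip()
    if user not in user_store:                         # exact, case-sensitive match, as in ECC
        findings.append("subject %r not found in the user store" % user)
    return findings
```

Running the same check with require_signed_timestamp=False accepts a message whose timestamp is present but unsigned, which is the response-side behaviour the ignore.timestamp.in.response property selects in OWSM.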

Testing


Get the proxy service WSDL URL and test the service. For example:

http://<host>:<port>/TestSecSap/ProxyServices/TestSamlClient?WSDL


You can test the service using any web service client tool (such as SoapUI).

Remember to set the credentials of the user created in WebLogic.

Here is the request example:

<soapenv:Envelope
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style">    
  <soapenv:Header/>
   <soapenv:Body>
      <urn:YsSamltest>
         <Text>test</Text>
      </urn:YsSamltest>
   </soapenv:Body>
</soapenv:Envelope>


After Oracle Web Services Manager applies the policy, the request sent to ECC is changed:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style">
<soapenv:Header>
 <wsse:Security soapenv:mustUnderstand="1"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
 <wsse:SecurityTokenReference wsu:Id="STR-SAML-bCgQ6C7G7d3xvJEZ0Ap9Ag22"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <wsse:KeyIdentifier
  ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
  SAML-l0sKvVtSFWBxVSfO8DOYOQ22</wsse:KeyIdentifier>
 </wsse:SecurityTokenReference>
 <wsu:Timestamp wsu:Id="Timestamp-B8oMUcneIEM0FBP1WSzqiw22"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsu:Created>2013-04-15T20:04:41Z</wsu:Created>
  <wsu:Expires>2013-04-15T20:09:41Z</wsu:Expires>
 </wsu:Timestamp>
  <wsse:BinarySecurityToken
   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
   wsu:Id="BST-umEAXBVw2Neuu90Yk43M6A22"
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   MIIG1jCCBb6gAwI...CreDzVTHZz/xXtD2Vl8JsTN/QaKkZ1n88=</wsse:BinarySecurityToken>
  <saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="SAML-l0sKvVtSFWBxVSfO8DOYOQ22" IssueInstant="2013-04-15T20:04:41Z"
    Issuer="www.oracle.com" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Conditions NotBefore="2013-04-15T20:04:41Z"
    NotOnOrAfter="2013-04-15T20:09:41Z" />
  <saml:AuthenticationStatement
    AuthenticationInstant="2013-04-15T20:04:41Z" 
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
  <saml:Subject>
  <saml:NameIdentifier
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    testsamlclient</saml:NameIdentifier>
  <saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
  </saml:ConfirmationMethod>
  </saml:SubjectConfirmation>
  </saml:Subject>
  </saml:AuthenticationStatement>
  </saml:Assertion>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
    <dsig:CanonicalizationMethod
      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <dsig:Reference URI="#BST-umEAXBVw2Neuu90Yk43M6A22">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <dsig:DigestValue>buSz7W4V5OQ4FTBZKf8YBIpBC1Y=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#Timestamp-B8oMUcneIEM0FBP1WSzqiw22">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <dsig:DigestValue>psj9Sjk+bPTxUbqu1h8xUahVkrA=</dsig:DigestValue>
    </dsig:Reference>
    <dsig:Reference URI="#STR-SAML-bCgQ6C7G7d3xvJEZ0Ap9Ag22">
      <dsig:Transforms>
        <dsig:Transform
          Algorithm=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
	   <wsse:TransformationParameters>
	   <dsig:CanonicalizationMethod
	   Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
	   </wsse:TransformationParameters>
        </dsig:Transform>
       </dsig:Transforms>
       <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
       <dsig:DigestValue>gMV488pINPLCAhWMzF6YGmBXySc=</dsig:DigestValue>
      </dsig:Reference>
      <dsig:Reference URI="#Body-qp7LuhCcRiNgYpIFe3OIyA22">
        <dsig:Transforms>
	 <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
	</dsig:Transforms>
	<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
	<dsig:DigestValue>n6fRqeZ5AOg7GUSST0Y23bIftSg=</dsig:DigestValue>
      </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>
f6TPUUzWLbpPCnpbBBNeIhmy8vp+03V7YWLxCPcSbbPeN1AcUBijFPsH35V90IBmhgbPX366S9Ouu52lYiKNTgWn8UPIEVe
KHYKp742dHBSlqyxxVagJ7ddHjHgNbNn5QFuu/re6gcDAOVYwcGRDwpNPg+RnywQKkOfpgxtSdkLWz5ok7TjQcfApnur5gC
QvmRsBJwuQcaI3WTuFfWLg5gCj+yazOgUkwb+l7Vbssl8LdTQ1WiQdBKmoAbWci2GL+VFfkaq0dGcYd2/oJLJtrehPiTW6GY
/o7TmWY9L8cJOCJo86YPbKjfjn8WHuANe/AQRMAMkKnymUd424xS+C8g==
      </dsig:SignatureValue>
      <dsig:KeyInfo Id="KeyInfo-KYpO2OdhC7Q6fmBL1fonww22">
        <wsse:SecurityTokenReference>
	<wsse:Reference URI="#BST-umEAXBVw2Neuu90Yk43M6A22"
	  ValueType=
       "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
	</wsse:SecurityTokenReference>
       </dsig:KeyInfo>
      </dsig:Signature>
     </wsse:Security>
    </soapenv:Header>
    <soapenv:Body wsu:Id="Body-qp7LuhCcRiNgYpIFe3OIyA22"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <urn:YsSamltest>
        <!--Optional: -->
        <Text>test</Text>
      </urn:YsSamltest>
    </soapenv:Body>
</soapenv:Envelope>
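
What the receiving side has to establish about a request like the one above before it may act as the asserted user is worth spelling out. The signature covers four things: the sender's X.509 token, the timestamp, the Body, and (through the STR-Transform reference) the SAML assertion itself; with sender-vouches there is no issuer signature on the assertion, so the sender's signature is the only thing binding "testsamlclient" to this message. The following Python 3 script (standard library only) is an added example written for this article; it is not SAP's or Oracle's validation code and not part of the original page. It resolves each signed Reference to the element it covers, insists that Body, Timestamp and Assertion are all covered, checks the issuer, confirmation method and both validity windows, and reports the SHA-1 algorithms as a warning. The embedded message is a constructed copy of the request's layout with shortened Ids, placeholder digests and signature, and a wsse:SecurityTokenReference for the STR reference (that element is not in the excerpt above); the function names and the trusted-issuer list are assumptions. Recomputing the digests and verifying the RSA signature requires exclusive C14N and the sender's certificate and is deliberately left out; this is the structural gate that runs before that step.

```python
"""Checks a service provider should run on a WS-Security request carrying a SAML 1.1
sender-vouches assertion before trusting the asserted user: is everything that matters
under the sender's signature, are the assertion and timestamp still valid, which
algorithms are used. Digest/signature bytes are not recomputed here (see lead-in)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
# The captured request uses SHA-1 throughout; flag it, SHA-1 signatures are deprecated.
WEAK_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed sample mirroring the request's layout: shortened Ids, placeholder digests
# and signature, plus the SecurityTokenReference that the STR reference points at.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<soapenv:Header><wsse:Security>
 <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2013-04-15T20:04:41Z</wsu:Created>
  <wsu:Expires>2013-04-15T20:09:41Z</wsu:Expires></wsu:Timestamp>
 <wsse:BinarySecurityToken wsu:Id="BST-1">MIIG...</wsse:BinarySecurityToken>
 <wsse:SecurityTokenReference wsu:Id="STR-SAML-1"><wsse:KeyIdentifier
  ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SAML-1</wsse:KeyIdentifier>
 </wsse:SecurityTokenReference>
 <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SAML-1"
  IssueInstant="2013-04-15T20:04:41Z" Issuer="www.oracle.com">
  <saml:Conditions NotBefore="2013-04-15T20:04:41Z" NotOnOrAfter="2013-04-15T20:09:41Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2013-04-15T20:04:41Z"
   AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject>
   <saml:NameIdentifier>testsamlclient</saml:NameIdentifier><saml:SubjectConfirmation>
   <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
  </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#BST-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  <ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  <ds:Reference URI="#STR-SAML-1"><ds:Transforms><ds:Transform
   Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"/>
   </ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
  <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
</wsse:Security></soapenv:Header>
<soapenv:Body wsu:Id="Body-1"><YsSamltest><Text>test</Text></YsSamltest></soapenv:Body>
</soapenv:Envelope>"""


def _ts(text):
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_request(xml_text, now, trusted_issuers=("www.oracle.com",)):
    """Return (subject, errors, warnings); use the subject only when errors is empty."""
    now = _ts(now) if isinstance(now, str) else now
    root = ET.fromstring(xml_text)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    errors, covered = [], set()
    # 1. Resolve each signed Reference. A Reference with STR-Transform covers the token the
    #    SecurityTokenReference points at (the SAML assertion), not the STR element itself.
    for ref in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        target = by_id.get(ref.get("URI", "").lstrip("#"))
        if target is not None and ref.find(
                "ds:Transforms/ds:Transform[@Algorithm='%s']" % STR_TRANSFORM, NS) is not None:
            kid = target.find("wsse:KeyIdentifier", NS)
            target = None if kid is None else root.find(
                ".//saml:Assertion[@AssertionID='%s']" % kid.text.strip(), NS)
        if target is None:
            errors.append("dangling signature reference %s" % ref.get("URI"))
        else:
            covered.add(target.tag)
    for name, tag in (("Body", "{%s}Body" % NS["soapenv"]), ("Timestamp", "{%s}Timestamp" % NS["wsu"]),
                      ("Assertion", "{%s}Assertion" % NS["saml"])):
        if tag not in covered:
            errors.append("%s is not covered by the signature" % name)
    # 2. Sender-vouches: only the signer vouches for the assertion, so the issuer must be
    #    trusted and the confirmation method must be the one the policy expects.
    assertion = sec.find("saml:Assertion", NS)
    if assertion is None:
        return None, errors + ["no SAML assertion in the Security header"], []
    if assertion.get("Issuer") not in trusted_issuers:
        errors.append("untrusted issuer %s" % assertion.get("Issuer"))
    method = assertion.find(".//saml:SubjectConfirmation/saml:ConfirmationMethod", NS)
    if method is None or method.text.strip() != SENDER_VOUCHES:
        errors.append("confirmation method is not sender-vouches")
    # 3. Validity windows of the assertion and of the WS-Security timestamp (replay limit).
    cond = assertion.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        errors.append("assertion outside NotBefore/NotOnOrAfter")
    ts = sec.find("wsu:Timestamp", NS)
    if not _ts(ts.find("wsu:Created", NS).text) <= now < _ts(ts.find("wsu:Expires", NS).text):
        errors.append("timestamp expired or not yet valid")
    weak = sorted({el.get("Algorithm") for el in sec.iter() if el.get("Algorithm") in WEAK_ALGS})
    subject = assertion.find(".//saml:NameIdentifier", NS).text.strip()
    return subject, errors, ["weak algorithm %s" % a for a in weak]


if __name__ == "__main__":
    print(check_request(SAMPLE, "2013-04-15T20:05:00Z"))
```

Run against the sample at a time inside both windows the script returns the subject with no errors and two warnings (rsa-sha1 and sha1). Re-pointing the Body reference at an Id that does not exist, or presenting the message after 20:09:41Z, turns into errors, which is exactly the behaviour a service provider needs so that an attacker cannot swap the Body or replay the assertion under the vouched-for user name.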


ECC verifies the signature and the SAML assertion, executes the function module for the asserted user (testsamlclient) and sends the response back to Oracle Service Bus. The response header carries only a timestamp; ECC does not sign it:

<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Header
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Security
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsu:Timestamp wsu:Id="ts-516B5F24AE9D1010E10080000A1D123D">
        <wsu:Created>2013-04-15T20:04:41Z</wsu:Created>
        <wsu:Expires>2013-04-15T20:06:11Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap-env:Header>
  <soap-env:Body>
    <n0:YsSamltestResponse
      xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
      <Result>Hello testsamlclient - PARAM: test</Result>
    </n0:YsSamltestResponse>
  </soap-env:Body>
</soap-env:Envelope>


Oracle Service Bus removes the WS-Security header and sends the response to the client:

<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">
  <soap-env:Header
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
  <soap-env:Body>
    <n0:YsSamltestResponse
      xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
      <Result>Hello testsamlclient - PARAM: test</Result>
    </n0:YsSamltestResponse>
  </soap-env:Body>
</soap-env:Envelope>


Conclusion


Identity propagation is essential in secure integrations, but how to apply technologies like SAML to it is not always clear. I hope this article will help others with similar scenarios.


About the Author

Ronaldo Fernandes is a principal consultant for Oracle Consulting in Brazil. He specializes in Oracle Fusion Middleware, SOA, and security, and has worked with Java technologies since 1996. He has more than 15 years of experience in defining architectures, problem solving, technical leadership and software development.