6 Replies Latest reply on Jan 28, 2013 11:49 AM by AigarsP

    Capturing SAML attribute in OSB proxy


      We have a requirement of extracting one of the SAML attributes sent to our proxy service and send it to the business service as one of the SOAP body elements.

      I have done the following things:
      - Created the business service based on particular WSDL
      - Created the proxy service based on same WSDL and applied the policy oracle/wss10_saml_token_service_policy as per our requirements
      - In the Security tab of proxy service, i have checked the option 'Process WS-Security Header' as i want to restrict the access to my proxy service based on SAML subject that we recieve

      Following is the SAML header that i am using to test the OSB proxy from Soapui 2.0.2. I have to capture the saml:NameIdentifier from the below SAML assertion i receive. When i use $header variable i am unable to get this. But when i uncheck 'Process WS-Security Header' i am able to get the value but authentication is not working. So i think 'Process WS-Security Header' should always be checked.

      Please let me know asap on how can i extract saml:NameIdentifier from the request received in proxy service. Is there anyway to intercept the request to proxy just like SOAP handlers?

      <saml:Assertion AssertionID="Id-00000127f49c1cf3-0000000000900e24-2" IssueInstant="2010-04-19T00:40:24Z" Issuer="www.oracle.com" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <saml:Conditions NotBefore="2010-06-16T00:40:24Z" NotOnOrAfter="2010-06-21T00:40:24Z"/>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">weblogic</saml:NameIdentifier>

        • 1. Re: Capturing SAML attribute in OSB proxy
          Anuj Dwivedi--Oracle
          Hi Siva,
          We have a requirement of extracting one of the SAML attributes sent to our proxy service and send it to the business service as one of the SOAP body elements
          I think your requirement is not to do the authentication then why are you checking the option 'Process WS-Security Header'?

          If 'Process WS-Security Header' check-box is selected then it will process and consume the security headers and enforces the message level access control policies on the incoming message (This is called an Active Intermediary Proxy Service). if you don't select it the proxy will be pass-through and OSB will not make any modification to the security headers, encrypted body parts, etc (this is called a Pass-Through Proxy Service)

          I think in your case you require a pass-through proxy service.

          To know more about pass-through/active intermediary proxies and their configuration in OSB, please refer section "Configuring Proxy Service Message-Level Security" on below link -

          http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/message_level.html#wp1077884 ()

          • 2. Re: Capturing SAML attribute in OSB proxy
            Did you check $inbound ? For WS-Security Username token the authenticated user appears within $inbound ..Not sure about SAML.

            There could be some use cases where we need to do some processing within the message flow based on the security headers.( Eg . apply transformation based on WS-Security authenticated user). But if you make the proxy active intermediary by checking the Process WS-Security checkbox, OSB seems to delete the headers and you get a blank soap:header.

            Edited by: atheek1 on Jun 19, 2010 4:44 AM
            • 3. Re: Capturing SAML attribute in OSB proxy
              sorry for bringin up old thread, but I have now same problem.

              We configured proxy service authentication using SAML policy. Now we need to pass some SAML header values to business service, however, whole wsse:Security header is empty.

              $inbound does not contain anything useful.

              So, is there any solution to make OSB keep header ?
              • 4. Re: Capturing SAML attribute in OSB proxy
                Hi I can add on we have the same problem so if you got some kind of solution I am very interested.
                • 5. Re: Capturing SAML attribute in OSB proxy
                  I have the similar requirement. I need to pass in the header attributes to call the external services. Can anyone got around this problem? Thanks
                  • 6. Re: Capturing SAML attribute in OSB proxy
                    I can say that I made workaround by implementing custom OWSM policy and in the end Security element remains in proxy service.