3 Replies Latest reply on Feb 28, 2014 8:22 AM by Abhijit Mitra

    SAML Authentication happening without trust




      How are you doing!

      This question is more related to SAML implementation in OSB/SOA.


      Here is my scenario


I have a Service Provider which is a simple HelloWorld Service. I've attached oracle/wss10_saml_token_service_policy to it. This is in SAMLServiceDomain.

      I have another domain SAMLClientDomain, in another machine in which I've created an OSB Service that just calls the Service in Domain 1.

      I've applied oracle/wss10_saml_token_service_policy to the Proxy Service and oracle/wss10_saml_token_client_policy to the Business Service. I've created a csf-key(Credential key) which I've used while applying the policy to the Business Service.


      When I invoked the Service through Proxy, supplying the csf-key, from OSB Console, it's invoking the actual service, and I got the response.

But I was not expecting this. I haven't established any trust between the two machines yet, but still it's working! How?


      My Understanding on how SAML works is like this.


The first application, to which credentials are provided, validates them against its identity store (in this case SAMLClientDomain) and generates an assertion in which the subject is stored. This is then sent to the service provider, here SAMLServiceDomain. SAMLServiceDomain validates the SAML token by first checking whether the party that sent the token is in its trust store (this is achieved by importing the client certificate into its keystore). Once the client is identified as a trusted party, the subject from the SAML assertion is taken, checked against its identity store to see whether that user exists, and only then is the service actually provided.


In this case, I haven't imported the certificate of the client into the server, so no trust is established. Then how come it's working?

      Is my understanding wrong?


This blog (SAML with OWSM in OSB | Atheek's Blog) says to establish trust using keystore/certificates.

Does this apply only when message encryption occurs, and in a pure pass-through, or with simple policies like oracle/wss10_saml_token_service_policy, is trust not required?


I'm absolutely new to Security, would you please provide me your wisdom on this?
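The validation order the question describes (trust store first, then identity store), as an added Python example that is not from this thread or from OWSM. It models the trust check as membership of the signing certificate's fingerprint in a trust store and shows why an unsigned token passes when no trust is required (`require_trust=False`) but is rejected when it is; the certificate bytes, domain names and users are constructed placeholders, and the XML-DSig math itself is assumed to be done by the WS-Security stack.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def cert_fingerprint(b64_cert):
    # SHA-256 over the certificate bytes, the value a keystore import would record.
    return hashlib.sha256(base64.b64decode(b64_cert)).hexdigest()

def validate_assertion(xml_text, trusted_fingerprints, identity_store, now, require_trust=True):
    """Return (accepted, reason), checking in the order the post describes: trust, then subject.
    Only trust-store membership of the signing certificate is checked here; verifying the XML-DSig
    value over the canonicalised assertion is left to the WS-Security stack (assumption)."""
    root = ET.fromstring(xml_text)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if require_trust:  # False models a sender-vouches policy that imposes no trust requirement
        if cert is None or not cert.text:
            return False, "unsigned assertion: sender cannot be trusted"
        if cert_fingerprint(cert.text.strip()) not in trusted_fingerprints:
            return False, "signer certificate not in trust store"
    cond = root.find("saml:Conditions", NS)
    if cond is not None:  # reject replayed or not-yet-valid assertions
        not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
        not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
        if not (not_before <= now < not_after):
            return False, "assertion outside its validity window"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if subject not in identity_store:  # the subject must exist in the service domain's own store
        return False, f"subject {subject!r} not in identity store"
    return True, subject

# Constructed sample data; the "certificate" is placeholder bytes, not a real DER certificate.
CLIENT_CERT_B64 = base64.b64encode(b"constructed-client-certificate-bytes").decode()
TRUST_STORE = {cert_fingerprint(CLIENT_CERT_B64)}  # state after importing the client cert
IDENTITY_STORE = {"weblogic", "ravikiran"}
NOW = datetime(2014, 2, 28, 8, 0, tzinfo=timezone.utc)

def make_assertion(subject, signed):
    # Builds a constructed SAML 2.0 assertion, with or without a signature block.
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
           f"{CLIENT_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>") if signed else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Issuer>SAMLClientDomain</saml:Issuer>{sig}'
            f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
            '<saml:Conditions NotBefore="2014-02-28T07:55:00Z" NotOnOrAfter="2014-02-28T08:05:00Z"/>'
            "</saml:Assertion>")
```

With `require_trust=False`, `validate_assertion(make_assertion("weblogic", False), TRUST_STORE, IDENTITY_STORE, NOW, require_trust=False)` is accepted purely because the subject exists, which is the behaviour the question observes; with the default, the same unsigned token is refused.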




        • 1. Re: SAML Authentication happening without trust
          Abhijit Mitra



Your understanding is correct. If my understanding is correct, you are using the Proxy test console to test the service.

If that is the case, then you are invoking a service within the domain from the domain itself, which means the trust is already built; hence it is not throwing an error.

          If you invoke the service from a different server then you need to build the trust.




          • 2. Re: SAML Authentication happening without trust

            Hi Abhijit


            Thanks for the reply.



Here, the Service Provider is in a completely different domain from mine.



I've tried various scenarios:

            1. Tried from OSB Console of my Domain

            2. Tried from SOAP UI from my machine

3. Tried from SOAP UI from a completely different machine from the SP and IdP


Every time, the call is happening successfully without trust.

Is it that oracle/wss10_saml_token_service_policy (& the client policy) does not require trust because it is basic? I don't think so.

            And what exactly is the difference between a client and a server side policy?


Since it is a simple pass-through, can I use client policies at both the Proxy and the Business Service in my OSB project?




            • 3. Re: SAML Authentication happening without trust
              Abhijit Mitra

              Hi RaviKiran


As per my understanding, you have to build trust when you are dealing with certificates (e.g. you are encrypting the message, signing the message, or using SSL), but if you are passing a normal user id then I don't think you have to build trust before invoking the service.


You cannot use the same policy in both the proxy and the business service. The client policy and the service policy are different. When you are using a service policy you have to understand the SOAP header and process it. When you are using a client policy you are embedding the security details in the SOAP header as it goes out of your binding layer. So I don't think they are the same, even though you are using a normal pass-through.