1 Reply Latest reply: Jul 17, 2013 12:51 AM by User504015-OC

    Weblogic SAML 1.1 w/artifact assertion lookup problem

    973129
      Hello,

      I am trying to set up a test environment for SSO with two domains on a server running WebLogic 10.2. I was able to successfully use a login on a sample servlet on the SAML Source domain and connect with a link to a servlet on the SAML Destination domain. This was using SAML 1.1 with a Browser/POST relying party, as this was the sample provided with two domains in the Oracle documentation, using a dummy appA and appB. (I don't have the link handy to the sample instructions, but it worked well.)

      However, my goal was to test the SAML 1.1 Browser/Artifact scenario. So I used the same security realms and set up a new AP for the Destination domain and a new RP for the Source domain (keep in mind these are both running on the same machine). I used the same SSL info and keystores/truststores/aliases (actually they are all using the same self-signed certs with alias "localhost"). It fails with a 403 error on the destination app. I can see the artifact generated in the string:

      https://localhost:7012/samlacs/acs?APID=ap_00002&SAMLart=AAH9R8ftHOp8ZwdBGik0ijXWFCYQZuUL%2FwTHd8JU%2Fo3aOkNGzkqbtuBm&TARGET=http://localhost:7010/appB/admin/services.jsp

      But there is an error in the assertion lookup (or just before it, in the artifact dereferencing):
      (The artifacts do not match the log because I ran it again.)
      (Source domain):

      Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: lookupStoredAssertions: fetching assertion for artifact 'AAH9R8ftHOp8ZwdBGik0ijXWFCYQZoF3demE97Ls8pVqYxvva+3Mka/9'>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: verifyDestinationSite: auth failure for partner 'rp_00002', client cert required but not provided>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: lookupStoredASsertions: auth failure: missing/invalid credentials for partner 'rp_00002'>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLSourceSite: dispatchAssertionRequest: destination site auth failure, returning FORBIDDEN>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <HttpRequest@20065100 - /samlars/ars: Writing headers for HttpRequest@20065100 - /samlars/ars>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySSL> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 160>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <Response committed. request: 'HttpRequest@20065100 - /samlars/ars' response: weblogic.servlet.internal.ServletResponseImpl@ea013e[
      HTTP/1.1 403 Forbidden
      Date: : Wed, 07 Nov 2012 23:04:59 GMT
      Content-Length: : 1216
      Content-Type: : text/html; charset=UTF-8
      X-Powered-By: Servlet/2.5 JSP/2.1
      ]>


      (Destination domain):

      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLDestinationSiteHelper: Exception while sending/receiving request/response: org.opensaml.SAMLException: SAMLSOAPBinding.send(): Error response from server: '403 Forbidden'>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySAMLService> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <SAMLDestinationSiteHelper: Unable to dereference artifact -- returning SC_FORBIDDEN>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <HttpRequest@6557952 - /samlacs/acs: Writing headers for HttpRequest@6557952 - /samlacs/acs>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <HttpRequest@6557952 - /samlacs/acs: Wrote cookie: JSESSIONID=bkLSQhphfgFQGRnZNprd2kHJ71GGyPjsF91TMsn4pKkTMgLxcxVr!-98623638; path=/; HttpOnly>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <SecuritySSL> <7PSS2Q1> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1352329499359> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 250>
      ####<Nov 7, 2012 5:04:59 PM CST> <Debug> <Http> <blah> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1352329499359> <BEA-000000> <Response committed. request: 'HttpRequest@6557952 - /samlacs/acs' response: weblogic.servlet.internal.ServletResponseImpl@2c3cd3[
      HTTP/1.1 403 Forbidden
      Date: : Wed, 07 Nov 2012 23:04:58 GMT
      Content-Length: : 1216
      Content-Type: : text/html
      Set-Cookie: JSESSIONID=bkLSQhphfgFQGRnZNprd2kHJ71GGyPjsF91TMsn4pKkTMgLxcxVr!-98623638; path=/; HttpOnly
      X-Powered-By: Servlet/2.5 JSP/2.1
      ]>

      I can't see anywhere else to attach this missing client-cert in the relying party or assertion party. Does anyone know what may be the issue?
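As an added example (not code from the poster, Oracle or WebLogic), the following script works through the evidence in the post the way a practitioner would: it decodes the two artifacts from the post into their SAML 1.1 type 0x0001 layout (2-byte TypeCode, 20-byte SourceID, 20-byte AssertionHandle, as defined in the SAML 1.1 Bindings spec) to confirm both belong to the same source site, and it correlates the message parts of the posted source-site and destination-site debug lines into one finding. The regular expressions assume only the message wording visible in these lines; the log excerpts are trimmed copies of the posted lines with hosts and timestamps dropped.

```python
"""Decode SAML 1.1 artifacts and triage the WebLogic SAML debug lines from
this thread. Added example for the thread; not WebLogic or Oracle code."""
import base64
import re
from urllib.parse import unquote

# SAML 1.1 artifact type 0x0001 layout (SAML 1.1 Bindings, Browser/Artifact profile):
#   2-byte TypeCode || 20-byte SourceID || 20-byte AssertionHandle  = 42 bytes
ARTIFACT_TYPE_1 = 1
ARTIFACT_LEN = 42


def decode_artifact(artifact):
    """Return (type_code, source_id, assertion_handle) for a type-1 artifact.

    Accepts the raw base64 form seen in the logs or the URL-encoded form from
    the ACS query string. unquote() only decodes %xx, so a literal '+' in the
    base64 alphabet survives (unquote_plus would turn it into a space).
    """
    raw = base64.b64decode(unquote(artifact), validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("expected %d bytes, got %d" % (ARTIFACT_LEN, len(raw)))
    type_code = int.from_bytes(raw[:2], "big")
    if type_code != ARTIFACT_TYPE_1:
        raise ValueError("unsupported artifact type 0x%04x" % type_code)
    return type_code, raw[2:22], raw[22:42]


def same_source(artifact_a, artifact_b):
    """True when both artifacts carry the same 20-byte SourceID."""
    return decode_artifact(artifact_a)[1] == decode_artifact(artifact_b)[1]


# Message parts of the debug lines posted in the thread (constructed excerpt:
# hosts, thread names and timestamps dropped, wording unchanged).
SOURCE_LOG = [
    "<SAMLSourceSite: lookupStoredAssertions: fetching assertion for artifact "
    "'AAH9R8ftHOp8ZwdBGik0ijXWFCYQZoF3demE97Ls8pVqYxvva+3Mka/9'>",
    "<SAMLSourceSite: verifyDestinationSite: auth failure for partner 'rp_00002', "
    "client cert required but not provided>",
    "<SAMLSourceSite: lookupStoredASsertions: auth failure: missing/invalid "
    "credentials for partner 'rp_00002'>",
    "<SAMLSourceSite: dispatchAssertionRequest: destination site auth failure, "
    "returning FORBIDDEN>",
]
DEST_LOG = [
    "<SAMLDestinationSiteHelper: Exception while sending/receiving request/response: "
    "org.opensaml.SAMLException: SAMLSOAPBinding.send(): Error response from server: "
    "'403 Forbidden'>",
    "<SAMLDestinationSiteHelper: Unable to dereference artifact -- returning SC_FORBIDDEN>",
]

# Patterns are assumptions derived only from the wording of the lines above.
ARTIFACT_RE = re.compile(r"fetching assertion for artifact '([^']+)'")
AUTH_FAIL_RE = re.compile(r"auth failure for partner '([^']+)', ([^>]+)>")
ARS_STATUS_RE = re.compile(r"Error response from server: '(\d{3})")


def triage(source_lines, dest_lines):
    """Correlate source-site (ARS) and destination-site (ACS) lines into one finding."""
    finding = {"artifact": None, "partner": None, "reason": None,
               "ars_status": None, "dest_dereference_failed": False}
    for line in source_lines:
        m = ARTIFACT_RE.search(line)
        if m:
            finding["artifact"] = m.group(1)
        m = AUTH_FAIL_RE.search(line)
        if m:
            finding["partner"], finding["reason"] = m.group(1), m.group(2).strip()
    for line in dest_lines:
        m = ARS_STATUS_RE.search(line)
        if m:
            finding["ars_status"] = int(m.group(1))
        if "Unable to dereference artifact" in line:
            finding["dest_dereference_failed"] = True
    if finding["reason"] and "client cert" in finding["reason"]:
        finding["verdict"] = (
            "source-site ARS rejected the artifact-resolution request: partner %s is "
            "configured to require a client certificate and none was presented; the ARS "
            "returned %s, so the destination could not dereference the artifact and its "
            "ACS in turn answered 403" % (finding["partner"], finding["ars_status"]))
    else:
        finding["verdict"] = "no client-certificate failure found on the source site"
    return finding


if __name__ == "__main__":
    url_artifact = "AAH9R8ftHOp8ZwdBGik0ijXWFCYQZuUL%2FwTHd8JU%2Fo3aOkNGzkqbtuBm"
    log_artifact = "AAH9R8ftHOp8ZwdBGik0ijXWFCYQZoF3demE97Ls8pVqYxvva+3Mka/9"
    tc, sid, handle = decode_artifact(url_artifact)
    print("type 0x%04x  sourceID %s  handle %s" % (tc, sid.hex(), handle.hex()))
    print("same source site:", same_source(url_artifact, log_artifact))
    print(triage(SOURCE_LOG, DEST_LOG)["verdict"])
```

Decoding shows both artifacts are type 0x0001 with an identical SourceID and different assertion handles, which is what two successful artifact issuances from one source site look like; the failure is therefore not in the artifact itself but in the back-channel SOAP call to the source site's ARS, where the partner entry for rp_00002 requires a client certificate that the destination's resolver never presents.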