SAML Authentication happening without trust

RaviKiranSavirigana, Feb 24 2014 — edited Feb 28 2014

Hi

How are you doing!

This question is more related to SAML implementation in OSB/SOA.

Here is my scenario:

I have a Service Provider which is a simple HelloWorld Service. I've attached oracle/wss10_saml_token_service_policy to it. This is in SAMLServiceDomain.

I have another domain, SAMLClientDomain, on another machine, in which I've created an OSB Service that just calls the Service in Domain 1.

I've applied oracle/wss10_saml_token_service_policy to the Proxy Service and oracle/wss10_saml_token_client_policy to the Business Service. I've created a csf-key (Credential key) which I've used while applying the policy to the Business Service.

When I invoked the Service through the Proxy, supplying the csf-key, from the OSB Console, it invoked the actual service, and I got the response.

But I was not expecting this. I haven't established any trust between the two machines yet, but it's still working! How?

My understanding of how SAML works is like this.

The first application, to which credentials are provided, validates against its identity store, in this case SAMLClientDomain, and generates an assertion in which the subject is stored. Now this is sent to the service provider - here SAMLServiceDomain. Now, SAMLServiceDomain validates the SAML token by first checking if the party that sent the token is in its trust store (this is achieved by importing the client certificate to its keystore). Once the client is identified as a trusted party, the subject from the SAML assertion is taken, checked to see if that user exists in its identity store, and then the service is actually provided.

In this case, I haven't imported the certificate of the client in the server, so no trust is established. Then how come it's working?

Is my understanding wrong?

This blog (SAML with OWSM in OSB | Atheek's Blog) says to establish trust using keystore/certificates.

Does this apply only when message encryption occurs, and in pure pass-through, or with simple policies like oracle/wss10_saml_token_service_policy, is trust not required?

I'm absolutely new to Security, would you please provide me your wisdom on this?

Regards

RaviKiran
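
Added example, not part of the original post and not Oracle's code: a sketch of the receiver-side checks the post describes (trusted issuer, then subject lookup), showing that they only mean something when the token or message carries a signature to verify against the trust store. It assumes a SAML 1.1 token inside a WS-Security header; the issuer name, user name and the `triage` function are hypothetical.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

def triage(security_xml, trusted_issuers, known_users):
    """Structural pre-checks on a wsse:Security header holding a SAML 1.1 token.

    Returns (decision, reasons). Only signature *presence* is checked here; a real
    receiver must still verify it against a certificate in its trust store.
    """
    header = ET.fromstring(security_xml)
    assertion = header.find("saml:Assertion", NS)
    if assertion is None:
        return "reject", ["no SAML assertion"]
    issuer = assertion.get("Issuer")
    subject = assertion.findtext(".//saml:NameIdentifier", namespaces=NS)
    method = assertion.findtext(".//saml:ConfirmationMethod", namespaces=NS)
    reasons = []
    # Without a signature, Issuer and NameIdentifier are just text the sender typed.
    if header.find(".//ds:Signature", NS) is None:
        reasons.append("unsigned")
    if issuer not in trusted_issuers:
        reasons.append("untrusted issuer")
    if subject not in known_users:
        reasons.append("unknown subject")
    if method != SENDER_VOUCHES:
        reasons.append("unexpected confirmation method")
    return ("reject" if reasons else "verify-signature"), reasons

# Constructed sample header (hypothetical issuer and user names).
TEMPLATE = """<wsse:Security xmlns:wsse="{wsse}" xmlns:saml="{saml}" xmlns:ds="{ds}">
  <saml:Assertion Issuer="client-domain-issuer" MajorVersion="1" MinorVersion="1">
    <saml:AuthenticationStatement><saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{cm}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion>{sig}
</wsse:Security>"""
UNSIGNED = TEMPLATE.format(cm=SENDER_VOUCHES, sig="", **NS)
SIGNED = TEMPLATE.format(cm=SENDER_VOUCHES, sig="<ds:Signature/>", **NS)

if __name__ == "__main__":
    for name, doc in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(name, triage(doc, {"client-domain-issuer"}, {"alice"}))
```

The `SIGNED` sample carries only an empty placeholder `ds:Signature`, so the "verify-signature" decision marks where cryptographic verification against the imported certificate would take place.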

Comments

Please provide the following information so we can help:

What version of SQL Developer are you using?

What are the results of opening the properties for the connection and doing a test?

Does the navigation tree open correctly?

Are you having trouble with all of your Oracle connections?

When running those queries are they using the same connection as the export?

Provide the details of the NPE when using the Export Wizard.

Exactly what steps are you taking to do the export? (eg, from the Navigator/tools...)

Are there any other errors in the SQL Developer log?

Joyce Scapicchio

SQL Developer Team

Locked on Mar 28 2014
Added on Feb 24 2014