Archive for the ‘Identity Manager’ Category

All Demo POC Videos

I’ve uploaded demo videos to the channel above. Feel free to take a look and leave feedback or a like.

Oracle STS – OnBehalfOf SAML Token Validation

Following my previous blog post, there have been requests for how to validate a SAML token issued by Oracle STS.

Here is the format of the SOAP request that should be sent to Oracle STS to validate the token:

<soap:Envelope xmlns:soap="" xmlns:trus="">
<wsse:Security soap:mustUnderstand="true" xmlns:wsse="">
<wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="">
<wsse:Password Type="">Welcome1</wsse:Password>
<wst:RequestSecurityToken Context="Id-0001313145021190-00000000008d4682-1" xmlns:wst="" xmlns:wsse="">
<wsse:KeyIdentifier ValueType="">id-McjucPrvkxXpY6m3w-8iFtvmEYQ-</wsse:KeyIdentifier>

The SecurityTokenReference comes from the SAML token the STS issued; its KeyIdentifier is what you pass in the validation request, as in the SOAP request above.

The STS returns a response like this:



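As an added example (not code from the original post), here is a small Python helper that performs the exchange described above: it pulls the SecurityTokenReference/KeyIdentifier out of an issued-token response and builds the WS-Trust Validate request that carries it, alongside the UsernameToken the post shows. The namespace URIs, the Validate request type, the sample response and the placeholder credentials are assumptions, since the post's XML does not show them; Oracle STS may expect a slightly different element layout.

```python
"""Build the WS-Trust Validate call for a SAML token issued by an STS.

Added example, not code from the original post. It assumes SOAP 1.1, WS-Trust 1.3
and WS-Security 1.0 namespaces and the WS-Trust 1.3 Validate request type; the
post's XML does not show these. The issued-token response and credentials used
below are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

VALIDATE_REQUEST_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate"
SAML2_KEYID_VALUETYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

# Constructed sample of what the STS returns with the issued assertion: the
# RequestedAttachedReference carries the SecurityTokenReference we need later.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="{wst}" xmlns:wsse="{wsse}" xmlns:saml2="{saml2}">
  <wst:RequestedSecurityToken>
    <saml2:Assertion ID="id-CONSTRUCTED-0001" Version="2.0"/>
  </wst:RequestedSecurityToken>
  <wst:RequestedAttachedReference>
    <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier ValueType="{vt}">id-CONSTRUCTED-0001</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </wst:RequestedAttachedReference>
</wst:RequestSecurityTokenResponse>""".format(wst=NS["wst"], wsse=NS["wsse"], saml2=NS["saml2"],
                                               vt=SAML2_KEYID_VALUETYPE)


def extract_key_identifier(rstr_xml):
    """Return (ValueType, key id) from the RequestedAttachedReference of an RSTR."""
    root = ET.fromstring(rstr_xml)
    kid = root.find("wst:RequestedAttachedReference/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if kid is None or not (kid.text or "").strip():
        raise ValueError("response carries no SecurityTokenReference/KeyIdentifier")
    return kid.get("ValueType", ""), kid.text.strip()


def build_validate_request(username, password, value_type, key_id, context):
    """Build the SOAP envelope asking the STS to validate the referenced token."""
    def q(prefix, local):
        return "{%s}%s" % (NS[prefix], local)

    env = ET.Element(q("soap", "Envelope"))
    header = ET.SubElement(env, q("soap", "Header"))
    sec = ET.SubElement(header, q("wsse", "Security"), {q("soap", "mustUnderstand"): "true"})
    unt = ET.SubElement(sec, q("wsse", "UsernameToken"), {q("wsu", "Id"): "UsernameToken-1"})
    ET.SubElement(unt, q("wsse", "Username")).text = username
    ET.SubElement(unt, q("wsse", "Password"), {"Type": PASSWORD_TEXT}).text = password
    body = ET.SubElement(env, q("soap", "Body"))
    rst = ET.SubElement(body, q("wst", "RequestSecurityToken"), {"Context": context})
    ET.SubElement(rst, q("wst", "RequestType")).text = VALIDATE_REQUEST_TYPE
    target = ET.SubElement(rst, q("wst", "ValidateTarget"))
    ref = ET.SubElement(target, q("wsse", "SecurityTokenReference"))
    ET.SubElement(ref, q("wsse", "KeyIdentifier"), {"ValueType": value_type}).text = key_id
    return ET.tostring(env, encoding="unicode")


def validate_request_for(rstr_xml, username, password, context="Id-CONSTRUCTED-1"):
    """Chain both steps: reference from the issue response, then the Validate request."""
    value_type, key_id = extract_key_identifier(rstr_xml)
    return build_validate_request(username, password, value_type, key_id, context)


def describe_request(request_xml):
    """Read back the parts of a Validate request that matter for checking it."""
    root = ET.fromstring(request_xml)
    rst = root.find("soap:Body/wst:RequestSecurityToken", NS)
    kid = rst.find("wst:ValidateTarget/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    return {
        "request_type": rst.findtext("wst:RequestType", namespaces=NS),
        "key_id": None if kid is None else kid.text,
        "username": root.findtext("soap:Header/wsse:Security/wsse:UsernameToken/wsse:Username",
                                  namespaces=NS),
    }


if __name__ == "__main__":
    print(validate_request_for(SAMPLE_RSTR, "stsuser", "CONSTRUCTED-PASSWORD"))
```

Note that the request carries a plaintext UsernameToken exactly as the post's request does; in the post it travels to the STS over the domain's SSL port, which is what keeps that password off the wire in clear.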
Hope this helps.

SAML2.0 Weblogic Sender-Vouches Configuration & POC

June 4, 2016 8 comments

This blog post highlights the SAML2.0 configuration for web services in WebLogic. It gives a step-by-step guide to configuring the WebLogic domains, with a sample test client for the web service. We will look at the SAML2.0 Sender-Vouches web service configuration.

What is Sender Vouches?

Sender-Vouches – The asserting party (different from the subject) vouches for the verification of the subject. The receiver must have a trust relationship with the asserting party.

Sender Vouches
1. Rather than authenticating with the STS directly, the client authenticates with an intermediary service.
2. The intermediary obtains the security token from the STS.
3. It then signs the request and sends it to the RP.
4. The RP trusts both the intermediary and the STS, so it validates both of them.

Here are the steps:

  • Configure the STS (a WebLogic domain; the certificate used is wssipsts)
  • Configure a WebLogic domain for the WebLogic web service with the SAML2.0 Sender-Vouches policy – Bob is used for this
  • Create a stand-alone client that retrieves a token from the STS and sends a request to the web service with the SAML1.1 token retrieved from the STS – Alice is used for this

Configure STS:

  1. Create a WebLogic domain (I am using WebLogic 10.3.5)
  2. We need to configure SSL for this domain
  3. While creating the domain, configure WebLogic to use port 6001 for non-SSL and 6002 for SSL. Let the domain name be STSDomain.
  4. Now go to http://localhost:6001/console
  5. Go to STSDomain –> Environment –> Admin Server –> Keystores
    • Select Custom Identity and Custom Trust
    • Custom Identity Keystore: F:\Oracle\Middleware\user_projects\domains\STSDomain\certs\oasis.jks
    • Type: JKS
    • password: password
    • Custom Trust Keystore: F:\Oracle\Middleware\user_projects\domains\STSDomain\certs\cacerts
    • Type: JKS
    • password: changeit
    • Save and restart server if it asks to do so
  6. Go to STSDomain –> Environment –> Admin Server –> SSL
    • Private Key Alias: WssIPSTS
    • Private Key passphrase: password
    • Save and restart if asked to do so
  7. Now build the web service and deploy it in the domain. After successful deployment, check whether you can open the WSDL URL.
  8. STSDomain –> Security Realms –> myrealm
  9. We only need to configure a ‘Credential Mapper’ here. A Credential Mapper is responsible for issuing SAML tokens, whereas an Identity Asserter is responsible for validating them. So we configure a Credential Mapper on the STS and an Identity Asserter on the web service.
  10. Go to Providers –> Credential Mapping
  11. Add PKI Credential Mapper
    • In Provider Specific tab, Keystore Provider: SUN
    • Keystore Type: JKS
    • Keystore file name: F:\Oracle\Middleware\user_projects\domains\STSDomain\certs\oasis.jks
    • Keystore pass phrase: password
    • The ‘Use resource hierarchy’ and ‘Initiator group names’ check boxes should be selected.
    • Click on save and restart if asked to do so
  12. Add SAML2CredentialMapper
    • In Configuration –> Provider specific tab, Issuer URI:
    • Name Qualifier:
    • Default time to live: 120
    • offset: 0
    • Webservice Assertion Signing key alias: WssIPSTS
    • Key pass phrase: password
    • Select check box ‘Generate Attributes’
    • Save and go to Management tab in the same section
    • New–>New Webservice Service Provider Partner
    • Add sender vouches relying party: Sendervouches:/echoservicesaml2/EchoServiceSAML2
    • Make sure to select ‘Enabled’ check box
    • Give description
    • Audience URIs:  target:*:http://HYD-69ZRV01-L:7001/echoservicesaml2
    • Generate Attributes checkbox to be selected
    • Select confirmation methods as ‘Sender-Vouches’
    • Save and restart the server if asked to do so
  13. That’s all the configuration from STS side.

Configure Weblogic Webservice:

  1. Create a weblogic domain here ‘am using weblogic 10.3.5
  2. We do not need to configure SSL for this domain
  3. While creating domain configure weblogic to use 7001 port and no SSL port required. Let the domain name be ‘WebserviceDomain’
  4. Login to weblogic console.
  5. WebserviceDomain–>servers–>Adminserver–>keystore
    • Custom Identity and Custom Trust store
    • Custom Identity Keystore: F:\Oracle\Middleware\user_projects\domains\WebserviceDomain\certs\oasis.jks
    • Key type: JKS
    • password: password
    • Trust Keystore: F:\Oracle\Middleware\user_projects\domains\WebserviceDomain\certs\cacerts
    • Type: JKS
    • password: changeit
    • Save and restart the server if asked to do so.
    • SSL
    • Private key alias: Bob
    • password: password
    • Save
  6. Build and deploy the WebLogic web service. The scripts and the web service code are given below.
  7. Go to security realm–>myrealm–>Providers–>Authentication
    • Add SAMLAuthenticator
    • Set its Control Flag to ‘SUFFICIENT’
    • Set the Control Flag of the Default Authenticator to ‘SUFFICIENT’ as well
    • (optional step) In the Default Authenticator’s ‘Provider Specific’ tab, enable password digest, set the minimum password length to 1 and save.
    • (optional step) In Default Identity Asserter –> Common, choose the Active Types ‘wsse:passworddigest’ and ‘x.509’, move them to the right and click Save.
    • (optional step) In Default Identity Asserter –> Provider Specific, set Default Username to @, Mapper attribute type to ‘CN’, select ‘use default user name mapper’ and click Save. Restart if asked to do so.
  8. Go to security realm –> myrealm –> Providers –> Authentication
    • Add SAML2IdentityAsserterV
    • Go to Management –> New –> New Webservice Identity Provider Partner
    • Name: Sendervouches:/echoservicesaml2/EchoServiceSAML2
    • Select Enabled
    • Audience URIs: target:*:/echoservicesaml2
    • Issuer URI:
    • Virtual User selected
    • Confirmation Method: Sender-Vouches
    • Process Attributes selected
    • Save and restart if asked to do so.
  9. That’s all the configuration on the web service side.

Client Testing:

  1. Open a command prompt window
  2. Run setWLSEnv.cmd from that command window to set the paths
  3. Run ant runsaml2
  4. That’s all for now…

package com.saml.example;

import javax.jws.WebMethod;
import javax.jws.WebService;
import weblogic.jws.Policy;
import weblogic.wsee.security.saml.SAMLTrustTokenProvider;
import weblogic.wsee.security.wst.framework.TrustTokenProviderRegistry;

@WebService
public class StsUnt {
    static {
        init();
    }

    @WebMethod
    public String dummyMethod(String s) {
        return s;
    }

    // Register one SAML trust-token provider for every token-type URI this STS issues
    static void init() {
        TrustTokenProviderRegistry reg = TrustTokenProviderRegistry.getInstance();
        SAMLTrustTokenProvider provider = new MySAMLTrustTokenProvider();
        reg.registerProvider("", provider);
        reg.registerProvider("", provider);
        reg.registerProvider("", provider);
        reg.registerProvider("", provider);
        reg.registerProvider("", provider);
    }

    static class MySAMLTrustTokenProvider extends SAMLTrustTokenProvider {
    }
}

build.xml for

<?xml version="1.0"?>
<project name="SenderVouches11" default="all" basedir=".">
    <property name="root.dir" value="${basedir}" />
    <taskdef name="jwsc" classname="" />
    <taskdef name="clientgen" classname="" />
    <taskdef name="wldeploy" classname="" />
    <taskdef name="wsdlc" classname="" />
    <property file="${basedir}/properties.txt" />
    <property name="source.dir" value="${basedir}" />
    <property name="output.dir" value="${basedir}/build" />
    <path id="class.path">
        <pathelement path="${java.class.path}" />
    </path>
    <target name="all" depends="clean,jwsc,deploy" />
    <target name="build" depends="clean,jwsc" />
    <target name="clean">
        <delete dir="${output.dir}" />
    </target>
    <target name="jwsc">
        <antcall target="jwsc-sts" />
    </target>
    <target name="jwsc-sts">
        <jwsc srcdir="${source.dir}" destdir="${output.dir}" debug="on" classpath="${class.path}">
            <module contextpath="standalonests" name="standalonests" explode="true">
                <jws file="" type="JAXWS">
                    <WLHttpTransport serviceUri="SamlSTS" />
                </jws>
            </module>
        </jwsc>
    </target>
    <target name="deploy">
        <antcall target="deploy-sts" />
    </target>
    <target name="deploy-sts">
        <wldeploy action="deploy" source="${output.dir}/standalonests" user="${sts-wls-username}" password="${sts-wls-passwd}" verbose="false" adminurl="t3://${sts-wls-server}" debug="false" targets="${sts-wls-target}" />
    </target>
    <target name="undeploy">
        <property name="wls-admin-server" value="${wls-server}" />
        <wldeploy action="undeploy" name="standalonests" user="${sts-wls-username}" password="${sts-wls-passwd}" verbose="false" adminurl="t3://${sts-wls-server}" debug="false" targets="${sts-wls-target}" />
    </target>
    <property name="extra-server-verbose" value="
      -Dweblogic.log.StdoutSeverity=Debug" />
</project>

properties.txt for

# common properties

package com.saml.example;

import javax.jws.WebService;
import weblogic.jws.Policies;
import weblogic.jws.Policy;

// Sender-Vouches over an asymmetric binding, with the body signed and encrypted
@WebService
@Policies({
    @Policy(uri = "policy:Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1-Asymmetric.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
    @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml")
})
public class EchoServiceSAML2 {
    public String echo(String hello) {
        System.out.println("Inside EchoServiceSAML2!!!");
        return hello;
    }
}

build.xml for webservice

<?xml version="1.0"?>
<project name="SenderVouches11" default="all" basedir=".">
    <property name="root.dir" value="${basedir}" />
    <taskdef name="jwsc" classname="" />
    <taskdef name="clientgen" classname="" />
    <taskdef name="wldeploy" classname="" />
    <taskdef name="wsdlc" classname="" />
    <property file="${basedir}/properties.txt" />
    <property name="source.dir" value="${basedir}" />
    <property name="output.dir" value="${basedir}/build" />
    <property name="clientclasses.dir" value="${basedir}/build/client" />
    <property name="clientclassessaml2.dir" value="${basedir}/build/clientsaml2" />
    <path id="class.path">
        <pathelement path="${java.class.path}" />
        <pathelement path="${basedir}/build/client" />
        <pathelement path="${basedir}/build/clientsaml2" />
    </path>
    <target name="all" depends="clean,jwsc,deploy,client" />
    <target name="build" depends="clean,jwsc,client" />
    <target name="clean">
        <delete dir="${output.dir}" />
    </target>
    <target name="jwsc">
        <antcall target="jwsc-ws" />
    </target>
    <target name="jwsc-ws">
        <jwsc srcdir="${source.dir}" destdir="${output.dir}" debug="on" classpath="${class.path}">
            <module contextpath="echoservice" name="echoservice" explode="true">
                <jws file="" type="JAXWS">
                    <WLHttpTransport serviceUri="EchoService" />
                </jws>
            </module>
        </jwsc>
        <jwsc srcdir="${source.dir}" destdir="${output.dir}" debug="on" classpath="${class.path}">
            <module contextpath="echoservicesaml2" name="echoservicesaml2" explode="true">
                <jws file="" type="JAXWS">
                    <WLHttpTransport serviceUri="EchoServiceSAML2" />
                </jws>
            </module>
        </jwsc>
    </target>
    <target name="clientgen">
        <mkdir dir="${clientclasses.dir}" />
        <clientgen destdir="${clientclasses.dir}" wsdl="${basedir}/EchoService.wsdl" type="JAXWS" packageName="com.saml.example" />
        <clientgen destdir="${clientclassessaml2.dir}" wsdl="${basedir}/EchoServiceSAML2.wsdl" type="JAXWS" packageName="com.saml.example" />
    </target>
    <target name="client">
        <mkdir dir="${clientclasses.dir}" />
        <copy todir="${clientclasses.dir}" overwrite="true">
            <fileset dir="${certs.dir}" includes="*" />
        </copy>
        <antcall target="clientgen" />
        <javac debug="true" srcdir="${source.dir}" destdir="${clientclasses.dir}">
            <classpath refid="class.path" />
            <include name="" />
        </javac>
        <javac debug="true" srcdir="${source.dir}" destdir="${clientclassessaml2.dir}">
            <classpath refid="class.path" />
            <include name="" />
        </javac>
    </target>
    <target name="deploy">
        <antcall target="deploy-ws" />
    </target>
    <target name="deploy-ws">
        <wldeploy action="deploy" source="${output.dir}/echoservice" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
        <wldeploy action="deploy" source="${output.dir}/echoservicesaml2" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
    </target>
    <target name="undeploy">
        <property name="wls-admin-server" value="${wls-server}" />
        <wldeploy action="undeploy" name="echoservice" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
        <wldeploy action="undeploy" name="echoservicesaml2" user="${wls-username}" password="${wls-passwd}" verbose="false" adminurl="t3://${wls-server}" debug="false" targets="${wls-target}" />
    </target>
    <target name="run">
        <java classname="com.saml.example.client.EchoServicePortClient" fork="true">
            <classpath refid="class.path" />
            <jvmarg line="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8453
              -Dweblogic.wsee.verbose=*,!weblogic.wsee.connection.soap.SoapConnectionMessage" />
        </java>
    </target>
    <target name="runsaml2">
        <java classname="com.saml.example.client.EchoServiceSAML2PortClient" fork="true">
            <classpath refid="class.path" />
            <jvmarg line="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8453
              -Dweblogic.wsee.verbose=*,!weblogic.wsee.connection.soap.SoapConnectionMessage" />
        </java>
    </target>
    <property name="extra-server-verbose" value="
      -Dweblogic.log.StdoutSeverity=Debug" />
</project>

properties.txt for webservice

certs.dir=${root.dir}/../certs/
config.dir=${root.dir}/../config/
build.dir=${root.dir}/../build

package com.saml.example.client;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;

import com.saml.example.*;
import weblogic.security.SSL.TrustManager;
import weblogic.wsee.jaxrpc.WLStub;
import weblogic.wsee.message.WlMessageContext;
import weblogic.wsee.security.bst.ClientBSTCredentialProvider;
import weblogic.wsee.security.saml.SAML2CredentialProvider;
import weblogic.wsee.security.saml.SAMLAttributeData;
import weblogic.wsee.security.saml.SAMLAttributeDataImpl;
import weblogic.wsee.security.saml.SAMLAttributeStatementData;
import weblogic.wsee.security.saml.SAMLAttributeStatementDataImpl;
import weblogic.wsee.security.saml.SAMLTrustCredentialProvider;
import weblogic.wsee.security.unt.ClientUNTCredentialProvider;
import weblogic.xml.crypto.wss.WSSecurityContext;
import weblogic.xml.crypto.wss.provider.CredentialProvider;

public class EchoServiceSAML2PortClient {
    private static EchoServiceSAML2Service echoServiceService;

    // Bootstrap policy for the STS call: HTTPS transport plus a UsernameToken
    private static String stsUntPolicy = "<?xml version=\"1.0\"?>\n"
            + "<wsp:Policy\n"
            + "  xmlns:wsp=\"\"\n"
            + "  xmlns:sp=\"\"\n"
            + "  >\n"
            + "  <sp:TransportBinding>\n"
            + "    <wsp:Policy>\n"
            + "      <sp:TransportToken>\n"
            + "        <wsp:Policy>\n"
            + "          <sp:HttpsToken/>\n"
            + "        </wsp:Policy>\n"
            + "      </sp:TransportToken>\n"
            + "      <sp:AlgorithmSuite>\n"
            + "        <wsp:Policy>\n"
            + "          <sp:Basic256/>\n"
            + "        </wsp:Policy>\n"
            + "      </sp:AlgorithmSuite>\n"
            + "      <sp:Layout>\n"
            + "        <wsp:Policy>\n"
            + "          <sp:Lax/>\n"
            + "        </wsp:Policy>\n"
            + "      </sp:Layout>\n"
            + "      <sp:IncludeTimestamp/>\n"
            + "    </wsp:Policy>\n"
            + "  </sp:TransportBinding>\n"
            + "  <sp:SupportingTokens>\n"
            + "    <wsp:Policy>\n"
            + "      <sp:UsernameToken\n"
            + "        sp:IncludeToken=\"\">\n"
            + "        <wsp:Policy>\n"
            + "          <sp:WssUsernameToken10/>\n"
            + "        </wsp:Policy>\n"
            + "      </sp:UsernameToken>\n"
            + "    </wsp:Policy>\n"
            + "  </sp:SupportingTokens>\n"
            + "</wsp:Policy>";

    public static void main(String[] args) {
        try {
            String wsURL = "http://HYD-69ZRV01-L:7001/echoservicesaml2/EchoServiceSAML2?WSDL";
            echoServiceService = new EchoServiceSAML2Service(new URL(wsURL),
                    new QName("", "EchoServiceSAML2Service"));
            EchoServiceSAML2 echoService = echoServiceService.getEchoServiceSAML2Port();
            Map<String, Object> requestContext = ((BindingProvider) echoService).getRequestContext();
            List<CredentialProvider> credList = new ArrayList<CredentialProvider>();

            // Policy the client uses when it contacts the STS for the token
            InputStream policy = new ByteArrayInputStream(stsUntPolicy.getBytes());
            requestContext.put(WlMessageContext.WST_BOOT_STRAP_POLICY, policy);
            String stsURL = "https://HYD-69ZRV01-L:6002/standalonests/SamlSTS";

            // Callback for the STS server certificate presented over SSL
            requestContext.put(WSSecurityContext.TRUST_MANAGER, new TrustManager() {
                public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                    // need to validate if the server cert can be trusted
                    return true;
                }
            });
            requestContext.put(WLStub.SAML_ATTRIBUTE_ONLY, "False");

            // Add the necessary credential providers to the list
            credList.add(new SAMLTrustCredentialProvider());
            credList.add(new MySAMLCredentialProvider1());
            String username = "Alice";
            String password = "Interop1";
            credList.add(new ClientUNTCredentialProvider(username.getBytes(), password.getBytes()));

            // ClientBSTCredentialProvider: Alice's certificate and key, Bob's certificate
            String defaultClientcert = "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Alice.cer";
            String clientcert = System.getProperty("target.clientcert", defaultClientcert);
            String defaultClientkey = "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Alice.prv";
            String clientkey = System.getProperty("target.clientkey", defaultClientkey);
            String defaultServerCert = "F:/Oracle/Middleware/user_projects/domains/WebserviceDomain/certs/Bob.cer";
            String serverCert = System.getProperty("target.serverCert", defaultServerCert);
            credList.add(new ClientBSTCredentialProvider(clientcert, clientkey, serverCert));
            requestContext.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credList);

            // Add your code to call the desired methods.
            System.out.println(echoService.echo("Hello SAML2"));
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    /**
     * This credential provider is for SAML 2.0 Sender-Vouches
     */
    private static class MySAMLCredentialProvider1 extends SAML2CredentialProvider {
        public SAMLAttributeStatementData getSAMLAttributeData(Subject subject) {
            System.out.println(" Providing SAML Attributes from MySAMLCredentialProvider1 for Subject =" + subject);
            // There are four types of attributes in this test
            SAMLAttributeStatementData attributes = new SAMLAttributeStatementDataImpl();
            String xmlns = "";
            // 1. The attribute without value
            SAMLAttributeData attribute1 = new SAMLAttributeDataImpl();
            // Friendly name is optional. It is set in this example.
            attribute1.setAttributeFriendlyName("Type 1 - No Value");
            // 2. Static attribute that has static value
            SAMLAttributeData attribute2 = new SAMLAttributeDataImpl();
            attribute2.setAttributeFriendlyName("Type 2 - Static Attribute");
            // 3. Subject dependent attributes
            SAMLAttributeData attribute3 = new SAMLAttributeDataImpl();
            attribute3.setAttributeFriendlyName("Type 3 - Subject Dependent Attribute");
            if (hasUser("Alice", subject)) {
                attribute3.addAttributeValue("Alice A");
            } else if (hasUser("Bob", subject)) {
                attribute3.addAttributeValue("Bob B");
            } else {
                attribute3.addAttributeValue("Hacker X");
            }
            // 4. Multiple value attributes
            SAMLAttributeData attribute4 = new SAMLAttributeDataImpl();
            attribute4.setAttributeFriendlyName("Type 4 - Multi-Value Attribute");
            if (hasUser("Alice", subject)) {
                attribute4.addAttributeValue("Team Lead");
            } else if (hasUser("Bob", subject)) {
                attribute4.addAttributeValue("System Admin");
            } else {
                attribute4.addAttributeValue("member of unknown");
            }
            return attributes;
        }

        private static boolean hasUser(String user, Subject subject) {
            if (null == user || null == subject) {
                return false;
            }
            Set<Principal> principals = subject.getPrincipals();
            if (null == principals || principals.isEmpty()) {
                return false;
            }
            // WebLogic's WLSPrincipal types are java.security.Principal as well, so one loop covers both
            for (Principal p : principals) {
                if (user.equals(p.getName())) {
                    return true;
                }
            }
            return false;
        }
    }
}

Java Sample Client – Oracle Access Manager API – OAMAuthnCookie Validator

June 4, 2016 3 comments

Here is a sample Java client that validates an OAMAuthnCookie token. It performs two steps:

  1. Checks whether the passed-in OAMAuthnCookie token is valid and not expired
  2. Retrieves the username for the given OAMAuthnCookie token

The OAMAuthnCookie can be found among the browser’s cookies. In the Java client below, put the value of OAMAuthnCookie into the sessionToken variable inside getUserNameFromToken().


package com.oam.test;

import java.util.Hashtable;

import oracle.security.am.asdk.AccessClient;
import oracle.security.am.asdk.AccessException;
import oracle.security.am.asdk.AuthenticationScheme;
import oracle.security.am.asdk.ResourceRequest;
import oracle.security.am.asdk.UserSession;

/**
 * This class is a sample to extract OAM Session cookie for authenticated user
 * and to extract userid for given OAM Session token
 * @author Karun
 */
public class OAMSessionCookieValidate {
    public static final String ms_resource = "//<STS IP>:7777/atest/index.jsp";

    public static final String ms_protocol = "http";
    public static final String ms_method = "GET";
    public static final String ms_login = "weblogic";
    public static final String ms_passwd = "<password>";
    public static final String m_configLocation = "D:\\Installables\\ofm_oam_sdk_generic_11.";

    public static void main(String args[]) {
        AccessClient ac = null;
        try {
            System.out.println("Entered Try..");
            // createDefaultInstance(configLocation, AccessClient.CompatibilityMode) also exists
            // for choosing 10g/11g agent compatibility; the single-argument form is used here.
            ac = AccessClient.createDefaultInstance(m_configLocation);
            System.out.println("Created Default Instance.." + ac);
            ResourceRequest rrq = new ResourceRequest(ms_protocol, ms_resource, ms_method);
            System.out.println("Created Resource Request object.." + rrq);
            String sessionToken = null;
            if (rrq.isProtected()) {
                System.out.println("Resource is protected.");
                AuthenticationScheme authnScheme = new AuthenticationScheme(rrq);
                System.out.println("Authentication Scheme is basic: " + authnScheme.isBasic());
                if (authnScheme.isBasic()) {
                    System.out.println("Basic Authentication Scheme.");
                    Hashtable<String, String> creds = new Hashtable<String, String>();
                    creds.put("userid", ms_login);
                    creds.put("password", ms_passwd);
                    UserSession session = new UserSession(rrq, creds);
                    if (session.getStatus() == UserSession.LOGGEDIN) {
                        if (session.isAuthorized(rrq)) {
                            System.out.println("User is logged in and authorized for the "
                                    + "request at level " + session.getLevel());
                            System.out.println("User Identity:" + session.getUserIdentity());
                            System.out.println("Status: " + session.getStatus());
                            System.out.println("Start time:" + session.getStartTime());
                            sessionToken = session.getSessionToken();
                            System.out.println("Session Token:" + sessionToken);
                            System.out.println("Last Usetime:" + session.getLastUseTime());

                            String userName = getUserNameFromToken(sessionToken);
                            System.out.println("Username*****=" + userName);
                        } else {
                            System.out.println("User is logged in but NOT authorized");
                        }
                        // user can be logged out by calling logoff method on the
                        // session object
                    } else {
                        System.out.println("User is NOT logged in");
                    }
                } else {
                    System.out.println("non-Basic Authentication Scheme.");
                }
            } else {
                System.out.println("Resource is NOT protected.");
            }
        } catch (AccessException ae) {
            System.out.println("Access Exception: " + ae.getCause());
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (ac != null) {
                ac.shutdown();
            }
        }
    }

    public static String getUserNameFromToken(String sessionToken)
            throws AccessException {
        String userName = null;
        // Paste the browser's OAMAuthnCookie value here; it overrides the token passed in
        sessionToken = "rHt95P4PrMP2k%2FG%2BxydisWbDdtbjKoIjHgL7sRVtIwDy6DBbP7WSzyrHxQs%2FIYfNe7QTXw%2Fruw6873smWJppdy8ooAAIqcJLj7BocSlV%2FUBdXVUhJWaySY%2BOrbRMaolMpe6lzwtOcsvSpxZ6fMdH976JYlsYJapNr%2FgC7HvONAUJD%2BwPwryFXrQ6%2F0zqrxsPGGztiPy%2BbC9N%2BwcDbPmZUzcfQksmF6%2BPRvZ4Gbi%2FDUKuxz8kBPYIOphaLIZ2BkWTo6kXwOuXMDP4mwF25%2FCHECk03uNZVOTYza%2BBOmzl52JykyABehI0M1xvLjutJ0NBm0Oz9fUZzKGByb31kNYMD2ltQfjKS271HBh37NlLa%2FQ42oTRDtg2HZQUgeyruRmpdSSDlLzq2NPEDB8oHbxADBKLOzrRWkdDEGv63TVb2LLS5LyCGUwRiPqbPHFz1hWoGNS34uoW1Lh1rglWEcLH%2F7Pc9HSCNDI2D9IGw57vKopbw2FIPl64wbOt8TY06uYz";
        // Constructing the session from the token fails with AccessException if it is invalid or expired
        UserSession session = new UserSession(sessionToken);
        userName = session.getUserIdentity();
        if (userName != null) {
            // The identity is a DN such as uid=...,cn=users,...; pull out the uid value
            int start = userName.indexOf("uid=");
            if (start >= 0) {
                start += 4;
                int end = userName.indexOf(',', start);
                userName = (end < 0) ? userName.substring(start) : userName.substring(start, end);
            }
        }
        return userName;
    }
}

SAML2 Assertion is not yet valid (NotBefore condition)

June 4, 2016 1 comment

My current setup:

Oracle STS is running on Machine 1 and Oracle Weblogic Web service is running on Machine 2

I wrote a client to obtain a SAML2 token from the STS on Machine 1 and use that token to call the SAML2 web service on WebLogic running on Machine 2. My client constantly kept throwing the following error:

<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <found idp partner with targetResource: /echoservicesaml2/EchoServiceSAML2>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion signature>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: The assertion is signed.>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: End verify assertion signature>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion attributes>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: End verify assertion attributes>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion issuer>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: End verify assertion issuer>
<16 Jun, 2014 5:48:56 PM IST> <Debug> <SecuritySAML2Atn> <BEA-000000> <SAML2Assert: Start verify assertion conditions>
<WSEE:12>Exception while asserting identity: [Security:090377]Identity Assertion Failed, [Security:090377]Identity Assertion Failed, [Security:096537]Assertion is not yet valid (NotBefore condition).<CSSUtils.assertIdentity:429>

Root Cause:
Oracle STS returned the token correctly, but the request failed on the WebLogic server.

After some struggle we figured out that Machine 2’s clock was 2 minutes behind Machine 1’s. Once we synced the clocks of Machine 1 and Machine 2, things worked smoothly thereafter.
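The following is an added example (not code from this post or from WebLogic) that puts the relying-party checks into working code: it applies the partner settings configured on the SAML2IdentityAsserter in the Sender-Vouches post above (Issuer URI, Audience URI, Confirmation Method: Sender-Vouches) and then the time conditions, and reproduces the failure described here by evaluating NotBefore against a clock that runs 2 minutes behind the STS. The issuer, audience and timestamps are constructed placeholders, signature verification is left out, and the clock_skew parameter is this example's own knob, not a WebLogic setting.

```python
"""Relying-party checks on a sender-vouches SAML 2.0 assertion.

Added example, not code from the post or from WebLogic. Issuer, audience and
timestamps are constructed; signature verification (which the post's log shows
happening first) is out of scope here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed partner settings, standing in for the console values in the post
TRUSTED_ISSUER = "urn:example:sts"
EXPECTED_AUDIENCE = "http://rp.example/echoservicesaml2"


def make_assertion(issuer, audience, not_before, not_on_or_after, method=SENDER_VOUCHES):
    """Constructed, unsigned sample assertion (the STS signs it in the real exchange)."""
    return (
        f'<saml2:Assertion xmlns:saml2="{SAML2}" ID="id-CONSTRUCTED-1" Version="2.0" '
        f'IssueInstant="{not_before.strftime(TIME_FMT)}">'
        f'<saml2:Issuer>{issuer}</saml2:Issuer>'
        '<saml2:Subject><saml2:NameID>Alice</saml2:NameID>'
        f'<saml2:SubjectConfirmation Method="{method}"/></saml2:Subject>'
        f'<saml2:Conditions NotBefore="{not_before.strftime(TIME_FMT)}" '
        f'NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}">'
        f'<saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience>'
        '</saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion>'
    )


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def check_assertion(xml, trusted_issuer, expected_audience, now, clock_skew=timedelta(0)):
    """Return (accepted, reason); order follows the post's log: issuer, then conditions."""
    assertion = ET.fromstring(xml)
    issuer = (assertion.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != trusted_issuer:
        return False, f"issuer {issuer!r} is not a configured partner"
    confirmation = assertion.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != SENDER_VOUCHES:
        return False, "confirmation method is not sender-vouches"
    conditions = assertion.find("saml2:Conditions", NS)
    if conditions is None:
        return False, "assertion carries no Conditions"
    audiences = [a.text.strip() for a in
                 conditions.findall("saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if expected_audience not in audiences:
        return False, "audience does not match the configured Audience URI"
    # Both time checks are made against the relying party's own clock
    not_before = conditions.get("NotBefore")
    if not_before and now + clock_skew < _parse_time(not_before):
        return False, "Assertion is not yet valid (NotBefore condition)"
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now - clock_skew >= _parse_time(not_on_or_after):
        return False, "assertion has expired (NotOnOrAfter condition)"
    return True, "ok"


def demo():
    """Reproduce the failure: the web service host's clock is 2 minutes behind the STS."""
    sts_issue_time = datetime(2014, 6, 16, 12, 18, 56, tzinfo=timezone.utc)  # constructed
    # TTL 120 s with offset 0, as the STS credential mapper is configured in the post
    assertion = make_assertion(TRUSTED_ISSUER, EXPECTED_AUDIENCE,
                               sts_issue_time, sts_issue_time + timedelta(seconds=120))
    rp_clock_behind = sts_issue_time - timedelta(minutes=2)
    rp_clock_synced = sts_issue_time + timedelta(seconds=5)
    bearer = make_assertion(TRUSTED_ISSUER, EXPECTED_AUDIENCE, sts_issue_time,
                            sts_issue_time + timedelta(seconds=120),
                            method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    return {
        "clock_behind": check_assertion(assertion, TRUSTED_ISSUER, EXPECTED_AUDIENCE, rp_clock_behind),
        "clock_synced": check_assertion(assertion, TRUSTED_ISSUER, EXPECTED_AUDIENCE, rp_clock_synced),
        # tolerating skew also widens the window in which a replayed assertion is accepted
        "skew_tolerated": check_assertion(assertion, TRUSTED_ISSUER, EXPECTED_AUDIENCE,
                                          rp_clock_behind, clock_skew=timedelta(minutes=3)),
        "wrong_audience": check_assertion(assertion, TRUSTED_ISSUER, "http://other.example/",
                                          rp_clock_synced),
        "wrong_issuer": check_assertion(assertion, "urn:example:rogue", EXPECTED_AUDIENCE,
                                        rp_clock_synced),
        "bearer_not_sender_vouches": check_assertion(bearer, TRUSTED_ISSUER, EXPECTED_AUDIENCE,
                                                     rp_clock_synced),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With a 120-second token lifetime, a 2-minute clock offset leaves no window at all in which the assertion is valid on the receiving host, which is why syncing the clocks (NTP on both machines) is the fix rather than lengthening the TTL or tolerating skew, both of which widen the replay window.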

Hope this tip helps some one there.

Configuration settings are unavailable because /Farm_IDMDomain/asinst_1/oid2 is down


If you see the error below in the Enterprise Manager console, the following steps may solve the issue.

Information: Configuration settings are unavailable because /Farm_<domain>/<asinst>/oid1 is down.


  • Restart with opmnctl stopall and opmnctl startall
  • Restart the WebLogic admin server
  • Start the WebLogic managed server wls_ods1
  • Start the WebLogic managed server wls_oif1
  • opmnctl stopproc ias-component=EMAGENT
  • opmnctl startproc ias-component=EMAGENT
  • Now try the /em console again; this time you should see the details

Oracle Internet Directory (OID) Synchronization with Active Directory for Enterprise User Security – Part 1

This blog post outlines the step-by-step configuration to be made on the Active Directory (AD) side and on Oracle Internet Directory (OID) for synchronizing identities from Active Directory to OID. I have intentionally split the configuration across multiple blog posts.

Following are the salient features of this integration:

  • Synchronization is one-way, from Active Directory to OID, i.e. changes made in OID are not reflected in Active Directory
  • Creation of a new user in Active Directory is reflected in OID
  • For the synchronization to start, the administrator has to trigger a change-password request for all users of interest

High-Level Configurations to be made on Active Directory:

  • Install the Oracle Password Filter, which comes with the Oracle Identity Management 11gR2 patch.
  • If the AD machine is 64-bit, go to Utils –> adpwdfilter –> 64 bit –> setup.exe
  • If the AD machine is 32-bit, go to Utils –> adpwdfilter –> setup.exe
  • Create an SSL connection between OID and AD, with OID as server and AD as client. Add OID’s certificate to AD’s trust store

High-Level Configuration to be made on OID:

  • Configure a new OID instance (don’t disturb the default OID instance that runs on 3060)
  • Configure SSL Authentication Server Mode:2 for the newly created OID instance
  • Configure synchronization profile using Oracle Directory Integration Platform
  • Test the synchronization profile to see that uid and userpassword attributes are replicated at OID

High-Level design diagram for Active Directory – Oracle Internet Directory one-way synchronization:

Next blog post is about how to configure new OID Instance

Oracle Internet Directory (OID) Synchronization with Active Directory for Enterprise User Security – Part 5

1 Configuring Oracle Directory Integration Platform

1.1 SSL Server Authentication Configuration (Mode 2) Steps

  • In Enterprise Manager go to oid1 –> Create wallet and go to selfsigned. Export the trust store certificate and save it on your filesystem.
  • Check whether the OID connection over SSL is working by issuing the command below
  • Cmd>ldapbind -h  -p 3133 -D cn=orcladmin -w **** -U 2 -W file:E:/app/asinst_1/OID/admin/selfsigned -P ""
  • The result of the above command should be “bind successful”
  • Go to EM, “Identity and Access” –> dip –> Administration –> Server Properties
  • You will see the OID connect SSL mode “SSL_ENCRYPT (MODE 1)”. This needs to be changed to 2
  • To change it to option 2, use the command below
  • Cmd> manageDIPServerConfig set -attribute sslmode -h -p -D weblogic -value 2
  • The above command asks for a password; provide the weblogic password.
  • You should see the result “The attribute sslmode is successfully changed to 2”
  • Cmd>manageDIPServerConfig.bat set -attribute oidhostport -h <server> -p 7005 -D weblogic -value <servername>:3133
  • The above command changes the OID port that DIP uses from 3131 to 3133
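The ldapbind -U 2 check above proves server authentication from the OID client tools; the following is an added example (not code from the original post) that performs the same check from a Windows host with only .NET, pinning the certificate exported from the ‘selfsigned’ wallet so you can confirm what a Mode 2 client will see. The host name and certificate path are placeholders; port 3133 is the new instance’s SSL port from this post.

```powershell
# Added example, not part of the original post. Verifies from a Windows host
# that the OID SSL listener presents exactly the certificate exported from the
# 'selfsigned' wallet, which is what Mode 2 (server authentication) relies on.
# Host name and certificate path are placeholders; OID port 3133 is from the post.
function Test-OidServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string]$OidHost,
        [int]$SslPort = 3133,
        [Parameter(Mandatory = $true)] [string]$TrustedCertPath
    )
    # The exported wallet certificate (DER or Base64) is the only trust anchor.
    $trusted  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $TrustedCertPath
    $expected = $trusted.Thumbprint

    # Pin on thumbprint: the wallet certificate is self-signed, so normal chain
    # building would reject it unless it were also in the Windows trust store.
    $validator = {
        param($sender, $cert, $chain, $sslErrors)
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        return ($presented.Thumbprint -eq $expected)
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$validator

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($OidHost, $SslPort)
    # OID's SSL port speaks TLS from the first byte (no STARTTLS), so the
    # handshake can be driven directly over the raw socket.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($OidHost)   # throws when the callback returns $false
        [pscustomobject]@{ Host = $OidHost; Port = $SslPort; Protocol = $ssl.SslProtocol
                           Thumbprint = $expected; ServerAuthenticated = $true }
    } catch [System.Security.Authentication.AuthenticationException] {
        # A different certificate was presented: a Mode 2 DIP bind would fail the same way.
        [pscustomobject]@{ Host = $OidHost; Port = $SslPort; Protocol = $null
                           Thumbprint = $expected; ServerAuthenticated = $false }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

Test-OidServerCertificate -OidHost 'oidserver.test.com' -TrustedCertPath 'E:\OIDCertificates\oidserver.crt'
```

ServerAuthenticated = $false before you change sslmode to 2 means the certificate in the DIP keystore and the one the listener serves differ, which is worth fixing while DIP is still in Mode 1 rather than after the restart.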


  • Now it’s time to create a DIP keystore for connecting to OID over SSL. Follow the steps below.
  • Cmd>keytool -importcert -trustcacerts -file E:/OIDCertificates/<servername>.crt -keystore E:/OIDCertificates/dip_keystore
  • Enter a password
  • Answer yes to the trust prompt
  • Keystore dip_keystore is successfully created.
  • Now copy dip_keystore and paste it into the <ORACLE_IDM1> location
  • You may check that dip_keystore holds the OID trust certificate by issuing the query below.
  • Cmd> keytool -list -keystore dip_keystore
  • The above command should list the certificate of OID.
  • Now it’s time to set the keystore password using the WLST prompt
  • Navigate to the path $ORACLE_IDM1/commons/bin
  • Cmd> <ORACLE_IDM1>\common\bin>./
  • Wls>connect()
  • Provide the weblogic username, password and t3://:7001
  • Wls:/IDMDomain/domainRunTime>createCred(map="dip",key="jksKey",user="jksuser",password="****")
  • The above command stores the password for opening the dip_keystore we created in the previous step
  • Now set the keystore location for DIP
  • Cmd>manageDIPServerConfig set -attribute keystorelocation -value E:/app/ORACLE_IDM1/dip_keystore -h <servername> -p 7005 -D weblogic
  • The above command asks for a password; provide the weblogic password
  • You should see the result “The attribute keystorelocation is successfully changed to <path>”
  • Now go to WebLogic –> Servers –> restart wls_ods1
  • Now go to EM –> Identity and Access –> DIP; you should see the Quartz scheduler and MBean in green, up and running
  • Now it’s time to set up a “Synchronization Profile” on DIP
  • Go to EM –> Identity and Access –> Administration –> Synchronization Profile
  • Click ‘Create’. Don’t enable the profile at this stage.


  • Go to the Mappings tab
  • Edit Domain Mapping Rules, Source Container: cn=users,dc=test,dc=com (get this cleared with TEST first; if they want to transfer only GIS Center specific users then you need to point to that particular DN), DIP-OID Container: <leave the default value>

  • Click on ‘Validate all mapping rules’
  • Ignore warnings. Errors need to be resolved.
  • Now check whether the sync profile is correct by issuing the commands below in the same command window where you executed manageDIPServerConfig
  • Cmd> syncProfileBootstrap -host -port 7005 -D weblogic -profile ad2oid3 -lp 5
  • The result should show something like “entries read in bootstrap operation:…”
  • From EM, now enable the profile
  • Make changes in AD now by adding a user or changing a password
  • Go to ODSM and check whether the newly added user is listed
  • EM should also show you the count of users successfully synchronized. See the screenshot below


  • Now add the OID truststore certificate to the Oracle Database for a successful SSL handshake
  • On the database host go to Start –> Programs –> Oracle-home –> Integrated Management Tools –> Wallets
  • Add operations –> import trusted certificate and navigate to the folder where TrustedServer is
  • Add ‘TrustedServer’ and save the wallet
  • In EM, set the option ‘skip error to sync next change’ to true.

  • The userPassword and uid sync from AD to OID can now be seen in ODSM

  • Now it’s time to test the connection from sqlplus
  • Sqlplus>conn orcladmin/
  • The connection should succeed

Sqlplus>conn karun13/ connect should succeed

Note: If you create a new user in AD, the Oracle Password Filter may not be able to capture the userPassword and replicate it to OID. Password sync happens only when the user changes their domain password.
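Because the filter only sees a password at the moment it is changed, the administrator has to trigger a change-password request for the users of interest (as stated at the start of this series). The following is an added example, not code from the original post, showing one way to do that from the domain controller with the RSAT ActiveDirectory module; the container DN is the one used in the DIP mapping rule and is a placeholder for your own source container.

```powershell
# Added example, not part of the original post. Flags every enabled account in
# the DIP source container so the user must change the password at next logon;
# the Oracle Password Filter only captures and replicates a password when it is
# changed, so this is how the administrator "triggers" the initial sync.
# Assumes the RSAT ActiveDirectory module; the container DN is the one from the
# DIP mapping rule and is a placeholder for your own source container.
Import-Module ActiveDirectory

function Request-PasswordChangeForSync {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = 'cn=users,dc=test,dc=com'
    )
    # Skip disabled accounts (they never log on) and accounts whose password
    # never expires: Set-ADUser refuses -ChangePasswordAtLogon for those.
    $filter = "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'"
    $users  = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter $filter
    $flagged = @()
    foreach ($u in $users) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Require password change at next logon')) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            $flagged += $u.SamAccountName
        }
    }
    return $flagged
}

# Dry run first: -WhatIf lists the accounts that would be flagged without touching AD.
Request-PasswordChangeForSync -WhatIf
# Then run for real and keep the list to reconcile against the EM sync count later.
$changed = Request-PasswordChangeForSync
"$($changed.Count) accounts flagged"
```

The returned list is what you compare against the synchronized-user count shown in EM: any account on the list whose user has logged on but that is still missing in ODSM points at a filter or SSL problem rather than at the profile.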

This ends the series on OID-AD Synchronization…

Let me know your thoughts

Oracle Internet Directory (OID) Synchronization with Active Directory for Enterprise User Security – Part 4

1 To install the Oracle Password Filter for Microsoft Active Directory

  • Locate the setup.exe file in the <Oracle IDM Patch>/utils/testwdfilter directory on the Oracle Application Server CD-ROM (Disk 1). Run the setup.exe command to extract the installation files to a directory on your domain controller. Use setup.exe from the 64-bit folder if Active Directory is 64 bit; otherwise use the setup.exe that is outside the 64-bit folder, at utils/testwdfilter
  • If AD is 64 bit then set the following environment variable: Right-click on System –> Administrative Properties –> Path
    • Path=c:\windows\SysWOW64
  • Navigate to the directory where you extracted the installation files and double-click setup.exe. The Welcome page of the Oracle Password Filter for Microsoft Active Directory installation program displays, informing you that the program will install the Oracle Password Filter for Microsoft Active Directory.

  • On the Welcome page, click Next. The Installation Requirements page displays, notifying you that SSL must be enabled between Oracle Internet Directory and Microsoft Active Directory and that installing the Oracle Password Filter for Microsoft Active Directory must restart your computer at the end of the installation process.

On the Installation Requirements page, click Next. The Installation Options page displays

  • On the Installation Options page, select Typical (Recommended)

  • For AD, the administrator has to provide the appropriate values. The screenshot below is for reference only; the values should be the Active Directory specific entries.

  • Click Next. The Microsoft Active Directory Domain Controller Information page displays. Provide Active Directory domain username and password. Also define a Log location appropriately.

  • Click Next to continue. The Oracle Internet Directory Configuration Parameters page displays. For TEST’s OID here are details:
    • Base DN: dc=<replace appropriately>,dc=com
    • Host: <oid server name>
    • SSL Port: 3132
    • Non-SSL Port: 3061
    • User: cn=orcladmin
    • User password: ****

  • Click Next to continue. The Oracle Password Filter Configuration Parameters page displays.

  • Click Next to continue. If you chose Advanced on the Installation Options page, the Specify Attributes page displays.

  • Click Next.

  • When prompted whether or not to upload schema extensions to Oracle Internet Directory, always select No. You do not want to upload schema extensions to Oracle Internet Directory because it comes preloaded with the schema extension attributes required for the Microsoft Active Directory Password filter.


The Reboot Domain Controller page displays.


  • After the computer restarts, log in as an administrator.
  • For a 64 bit Active Directory OS, the following extra step needs to be executed
    • Locate the following 2 dll files in C:\WINDOWS\syswow64 and copy them into C:\WINDOWS\system32
      • Oraidmpwf11.dll
      • Orclmessages.dll


  • Restart Active Directory again
  • Now verify whether the SSL connection between AD and OID is correctly configured …
    • C:\oracle\adpasswordFilter>ldapbindssl -h  -p 3131 -D cn=orcladmin -w ****
    • Connecting server in SSL Mode
    • Checking if SSL is enabled
    • SSL not enabled
    • SSL being enabled…
    • Binding …
    • Bind Successful


  • If you see above message then the configuration is successful.
  • You are good to go into next step.
  • Oracle password filter installation is now complete.




GOAL: Does the Oracle Password Filter installation on Microsoft Active Directory (AD) make any changes to the AD schema?


No, neither the 32 nor the 64 bit Oracle Password Filter installation makes any changes to the Active Directory schema.

It just creates an OrganizationalUnit entry in AD (via the prepAD.ldif file) which is a retry container, i.e., a container to store the password changes that may have failed to get updated in OID, for later retry.

The next blog post is on Configuring Oracle Directory Integration Platform

Oracle Internet Directory (OID) Synchronization with Active Directory for Enterprise User Security – Part 2

1.1 Configuring new OID Instance

Why do we need a new OID instance?

  • The Oracle database for Enterprise User Security with OID needs a port in “SSL No Authentication Mode 1”.
  • Active Directory, to synchronize the AD password, needs an OID port in “SSL Server authentication mode 2”
  • To cater to both requirements, we need to configure another OID instance

1.1.1 Steps to create new oid instance

  • $> opmnctl createcomponent -componentType OID -componentName oid3 -adminPort 7003 -Db_info "localhost:1521:ORCL"
  • For TEST, -adminPort is 7001 and -Db_info is "localhost:1521:oid"
  • It asks for a password for the ODS and ODSSM users. Provide the appropriate password
  • It asks for a password for the OID admin user, i.e. orcladmin. Provide the password appropriately
  • Now you should see the “OID instance created successfully” message. Below is the screenshot of the run on Oracle Enterprise Linux for your reference

  • $> opmnctl status -l
  • You should see the new oid3 instance, which is down
  • Start the new oid3 instance by issuing
  • $> ./opmnctl startproc ias-component=oid3
  • $> ./opmnctl status -l
  • It should show that 2 OID instances are up and running, with the new oid3 instance on different ports (probably 3061 non-SSL, 3132 SSL no-authentication mode)
  • Sql>conn orcladmin/
  • The connection should be successful
  • That’s it! Your new OID instance is ready

1.1.2 Steps to configure new OID instance as “SSL Server Auth Mode 2”

  • Once your managed servers are up and running, go to Enterprise Manager
  • Go to http:// <weblogic-server>:7001/em
  • From the Identity and Access tree, expand and select ‘oid3’
  • If you see “Information: Configuration settings are unavailable because oid3 is down” then try to restart from the EM console, i.e. OID –> Control –> Restart
  • OID –> Security –> Wallets
  • Create a new wallet ‘selfsigned’ as shown in the screenshots below

  • Go to OID –> Administration –> Server Properties
  • Click on General –> Change SSL Settings
    • Restart the OID server now by going to Controls –> Restart server
    • SSL configuration for OID is complete now. We need to test the SSL connection
    • Go to http:// <idmweblogicserverdomain>:7005/odsm
    • Create a new connection with SSL port 3132 and select SSL enabled; on test a pop-up should show up. Accept the certificates and click OK. A new SSL connection should be visible in ODSM.
    • In ODSM go to the “Data Browser” tab


In the case of Oracle Internet Directory and Microsoft Active Directory integration, Oracle Internet Directory is the server and Microsoft Active Directory is the client. The Oracle Password Filter for Microsoft Active Directory uses SSL to protect the password during transmission between the Microsoft Active Directory domain controller and the Oracle Internet Directory server.


Continuation of the configuration is in the next blog post on Active Directory Configuration…