Thursday, February 27, 2014

Oracle SOA - OWSM- Task Query Service with SAML Port and Credential Store

Scenario:  - Invoke task query service securely by using wss10_saml_token_client_policy OWSM policy and CSF key. Without inbound subject(Principal) 
Solution:

You can find sample BPEL project on Task Query service using SAML on  Jeroren Bakker's blog .This blog based  on policy's default setting like "subject.precedence" = true which means policy expect subject (Principal) from inbound.

 You can use same project but with following settings.


BPEL


.  1. Create  "basic.credentials" CSF key in EM console 






 2.     Apply   wss10_saml_token_client_policy on Task Query Service in BPEL Process

Edit policy properties.
·        If there is other issuer than oracle override the value of “saml.issuer.name” property.
·        Override value of “subject.precedence” to false.


SAML client policy having default "basic.credential" csf key value.

   3. If we are using "subject.precendece" option as false, it means we are not using or expecting any inbound subject and we are going to use CSF key to generate SAML token. To accomplish this opertation, we have to give WSIdentityPermission to our SOA project. In my case ,composite name is TaskQuery_Process.

     Set the WSIdentityPermissio

  •  In the navigator pane, expand WebLogic Domain to show the domain where you need to configure the application. Select the domain.
  • Using Fusion Middleware Control, click WebLogic Domain, then Security, and then System Policies. System policies are the  system-wide policies applied to all applications deployed to the current WebLogic Domain. 




  •     From the System Policies page, select the arrow icon in the Permission field to search the system security grants
  •   Select one of the codebase permissions to use as a starting point and click Create Like. 

  •   In the Grant Details section of the page, enter file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar in the Codebase field.
  •    In the Permissions section of the page, select the starting point permission class and click Edit.
  •       Enter oracle.wsm.security.WSIdentityPermission in the Permission Class field. The resource name is the composite name for SOA, and the application name for a J2EE client. The action is always assert. 






Restart your SOA server.

After restart you can test you task query service from BPEL by using SAML port.

OSB
 - We have to perform same configuration for OSB business service.


-         Set “subject.precedence” value to false.
                                  -     Override "saml-issuer-name" property if its other than oracle.

OSB Request- Remove  "workflowContext" element from the request.

TaskQuery Service Method - authenticateOnBehalfOf
















Posted by at 1 comment:
Labels: , , , ,
Subscribe to: Posts (Atom)