WLS 10.3 - SAML 2 authentication failed, resulting in SOAP fault due to HTTP 500 (Doc ID 1092004.1)

Last updated on JUNE 09, 2016

Applies to:

Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.

Symptoms

A web service and its client using SAML 2 authentication, which were tested and worked fine on GlassFish 2.1.1, fail after the web service is deployed on WLS 10.3: when the client on GlassFish invokes the web service on WLS, the call fails with a SOAP fault returned in an HTTP 500 response, as shown below:

<WSEE:12>set Message called: weblogic.xml.saaj.SOAPMessageImpl@6516e2<SoapMessageContext.setMessage:64>
** S T A R T R E S P O N S E O U T P U T S T R E A M **

---[HTTP response 500]---
<?xml version='1.0' encoding='UTF-8'?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:InvalidSecurity</faultcode><faultstring>weblogic.xml.crypto.api.MarshalException: weblogic.xml.dom.marshal.MarshalException: Failed to unmarshal {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference, no SecurityTokenReference factory found for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}KeyIdentifierValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID</faultstring></env:Fault></env:Body></env:Envelope>--------------------
<?xml version='1.0' encoding='UTF-8'?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><faultcode>wsse:InvalidSecurity</faultcode><faultstring>weblogic.xml.crypto.api.MarshalException: weblogic.xml.dom.marshal.MarshalException: Failed to unmarshal {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference, no SecurityTokenReference factory found for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}KeyIdentifierValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID</faultstring></env:Fault></env:Body></env:Envelope>
** E N D R E S P O N S E O U T P U T S T R E A M **
<WSEE:12>HTTP RESPONSE
ContentType= text/xml;charset="utf-8"
CharacterEncoding= utf-8
<ServletDebugUtil.printResponse:42>
<WSEE:12>*** JAXWS post finish ***<VerboseHttpProcessor.post:45>


WLS has been configured according to the documentation for configuring SAML 2, including the following settings via the admin console:

The following debug flags were also turned on, in order to collect required diagnostics:

-Dweblogic.debug.DebugSecuritySAMLAtn=true
-Dweblogic.debug.DebugSecuritySAMLLib=true
-Dweblogic.debug.DebugSecuritySAML2Service=true
-Dweblogic.debug.DebugSecuritySAML2CredMap=true
-Dweblogic.debug.DebugSecuritySAML2Atn=true
-Dweblogic.debug.DebugSecuritySAML2Lib=true
-Dweblogic.debug.DebugSecurityCredMap=true
-Dweblogic.wsee.verbose=*
-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true
-Dweblogic.xml.crypto.encrypt.verbose=true
-Dweblogic.xml.crypto.dsig.debug=true
-Dweblogic.xml.crypto.dsig.verbose=true
-Dweblogic.wsee.security.debug=true
-Dweblogic.wsee.security.verbose=true
-Dweblogic.xml.crypto.encrypt.verbose=true
-Dweblogic.servlet.DIEnabled=true
-Dweblogic.xml.crypto.encrypt.debug=true
-Dweblogic.xml.crypto.dsig.verbose=true
-Dweblogic.xml.crypto.dsig.debug=true
-Dweblogic.xml.crypto.keyinfo.verbose=true
-Dweblogic.xml.crypto.keyinfo.debug=true
-Dweblogic.xml.crypto.wss.debug=true
-Dweblogic.xml.crypto.wss.verbose=true
-Dcom.sun.xml.ws.transport.http.HttpAdapter.dump=true
-Dcom.sun.xml.ws.transport.http.client.HttpTransportPipe.dump=true
-Dweblogic.debug.DebugSecuritySAMLService=true
-Dweblogic.debug.DebugSecuritySAMLCredMap=true


No custom authentication is used; everything uses WLS defaults. The SAML 2 tokens are generated by Sun Metro.
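
As an added triage aid (not from the Oracle article, WebLogic or Metro), the following Python parses the InvalidSecurity fault shown above, reports which WS-Security element failed to unmarshal and which KeyIdentifier ValueType the server had no SecurityTokenReference factory for, and maps that ValueType to the assertion version the WSS SAML Token Profile 1.1 assigns to it. The ValueType catalogue comes from that profile rather than the article, and the wsse:Security header sample is constructed, not captured.

```python
import re
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
STP11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1"

# KeyIdentifier ValueType URIs defined by the WSS SAML Token Profile 1.1 (not by the article).
SAML_KEYID_VALUETYPES = {
    STP11 + "#SAMLID": "SAML 2.0 assertion (ID attribute)",
    STP11 + "#SAMLAssertionID": "SAML 1.1 assertion (AssertionID attribute)",
}

def parse_wsse_fault(soap_xml):
    """Return (faultcode, element that failed to unmarshal, ValueType named in the
    faultstring) from a WLS InvalidSecurity fault, or None if there is no env:Fault."""
    fault = ET.fromstring(soap_xml.encode()).find(f"{{{ENV}}}Body/{{{ENV}}}Fault")
    if fault is None:
        return None
    text = fault.findtext("faultstring") or ""
    failed = re.search(r"Failed to unmarshal \{[^}]*\}(\w+)", text)
    value_type = re.search(r"ValueType:\s*(\S+)", text)
    return (fault.findtext("faultcode"),
            failed.group(1) if failed else None,
            value_type.group(1) if value_type else None)

def explain_valuetype(value_type):
    """Map a KeyIdentifier ValueType to the assertion version it denotes."""
    return SAML_KEYID_VALUETYPES.get(value_type, "not a SAML Token Profile 1.1 KeyIdentifier ValueType")

def keyidentifier_valuetypes(security_header_xml):
    """List the ValueType of every wsse:KeyIdentifier inside a SecurityTokenReference of a
    wsse:Security header, so a client's request can be compared with what the fault names."""
    sec = ET.fromstring(security_header_xml.encode())
    path = f".//{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}KeyIdentifier"
    return [ki.get("ValueType") for ki in sec.findall(path)]

# The fault body from the WLS 10.3 response dump in the article.
SAMPLE_FAULT = ("<?xml version='1.0' encoding='UTF-8'?>"
    f'<env:Envelope xmlns:env="{ENV}"><env:Body><env:Fault xmlns:wsse="{WSSE}">'
    "<faultcode>wsse:InvalidSecurity</faultcode><faultstring>weblogic.xml.crypto.api.MarshalException: "
    "weblogic.xml.dom.marshal.MarshalException: Failed to unmarshal {" + WSSE + "}SecurityTokenReference, "
    "no SecurityTokenReference factory found for {" + WSSE + "}KeyIdentifierValueType: "
    + STP11 + "#SAMLID</faultstring></env:Fault></env:Body></env:Envelope>")

# Constructed (not captured) Security header of the shape a SAML 2.0 token client would send.
SAMPLE_HEADER = (f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:SecurityTokenReference>'
    f'<wsse:KeyIdentifier ValueType="{STP11}#SAMLID">_constructed-assertion-id</wsse:KeyIdentifier>'
    "</wsse:SecurityTokenReference></wsse:Security>")

if __name__ == "__main__":
    code, element, vt = parse_wsse_fault(SAMPLE_FAULT)
    print(f"{code}: {element} failed on ValueType {vt} -> {explain_valuetype(vt)}")
    print("client KeyIdentifier ValueTypes:", keyidentifier_valuetypes(SAMPLE_HEADER))
```

Running it against a real response dump and the client's outgoing Security header shows whether the ValueType the client emits is the one the server reports it cannot handle.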

Changes

None.

Cause
