My Oracle Support Banner

The Patch For Bug 13771511 Does Not Fix The SAML Token Offset Issue (Doc ID 1507161.1)

Last updated on OCTOBER 25, 2016

Applies to:

Oracle Web Services Manager - Version to [Release 11gR1]
Information in this document applies to any platform.


A Web Service is secured with OWSM using a SAML based policy. A SAML assertion is created. The clock on the system where the assertion is consumed is running behind the clock on the system where the assertion is created. The SAML assertion is then rejected with an error message like this:

####<Apr 24, 2012 12:30:22 AM SGT> <Debug> <SecuritySAMLAtn> <SGDEMDMCustPP01> <CUSTMGDPPRDSIG1> <[ACTIVE] ExecuteThread: '43' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1335198622924> <BEA-000000> <SAMLAssertion: [Security:099031]Assertion is invalid before Tue Apr 24 00:30:23 SGT 2012.>

Here, the time stamp of the log entry (Apr 24, 2012 12:30:22 AM SGT) is before the date where the assertion becomes valid (Tue Apr 24 00:30:23 SGT 2012) and that causes the SAML assertion to be rejected.

Another example message:

[2014-06-11T13:59:22.794+00:00] [soa_server2] [ERROR] [WSM-07618] [oracle.wsm.resources.enforcement] [tid: [ACTIVE].ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 92779a63aa7f68a6:487a6cc3:14685c472d2:-8000-000000000002eca3,1:30928] [APP: PasTransactionsService_TransactionsService#V1.2] [ PasTransactionsService_TransactionsService_V1.2] [ opsmservices-transactions] [ TransactionsProcessingServiceAMService] [ TransactionsProcessingServiceAMServiceSoapHttpPort] [composite_instance_id: 500030] [component_instance_id: 357E2880F16811E3BF678DE4420A0C04] [composite_name: PasTransactionsComposite] [component_name: CreateTransaction] [WSM_POLICY_NAME: oracle/wss_saml_or_username_token_service_policy] Failed to execute the assertion "WSSecurity SAML Token" in the conditional policy. InvalidSecurityToken : The security token is not valid.[[
oracle.wsm.common.sdk.WSMException: InvalidSecurityToken : The security token is not valid.
        at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(

Caused by: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Found invalid condition "on or after" in SAML assertion. Current Time:Wed Jun 11 13:59:22 UTC 2014, clockSkew:360000 milli seconds, NotOnOrAfter Time:Wed Jun 11 13:04:23 UTC 2014.
       ... 67 more

This problem is known as <BUG: 13771511> - CAN NOT DEFINE CLOCK SKEW WHEN USING FMW WEB SERVICES.
Bug 13771511 is fixed in version

Problem or newer is used, or <PATCH: 13771511> is applied on and earlier, but this then nevertheless failed to address the symptoms.

In the diagnostic log, at TRACE debugging level for one or both of the following messages are observed:

[2012-10-31T22:05:31.935+08:00] [osb_server1] [TRACE] [] [] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 84b47c168e100133:-c3ec4a7:13ab1dbd3c0:-7ffd-000000000004b2c0,0] [SRC_CLASS:] [WSM_POLICY_NAME: oracle/wss10_saml_token_client_policy] [APP: ALSB Routing] [SRC_METHOD: getClientClockSkew] The client clock skew is 0
[2012-10-31T22:05:39.732+08:00] [osb_server1] [TRACE] [] [] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 84b47c168e100133:-c3ec4a7:13ab1dbd3c0:-7ffd-000000000004b2e5,0] [SRC_CLASS:] [WSM_POLICY_NAME: oracle/wss10_saml_token_client_policy] [APP: ALSB Routing] [SRC_METHOD: getClientClockSkew] The client clock skew not configured. Using default



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
 Solution for and earlier
 Solution for

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.