The Patch For Bug 13771511 Does Not Fix The SAML Token Offset Issue (Doc ID 1507161.1)

Last updated on JUNE 05, 2023

Applies to:

Oracle Web Services Manager - Version 11.1.1.4.0 to 11.1.1.7.0 [Release 11gR1]
Information in this document applies to any platform.

Symptoms

A Web Service is secured with OWSM using a SAML-based policy. A SAML assertion is created. The clock on the system where the assertion is consumed is running behind the clock on the system where the assertion is created. The SAML assertion is then rejected with an error message like this:

####<Apr 24, 2012 12:30:22 AM SGT> <Debug> <SecuritySAML> <SAMLDEM> <DEMO> <[ACTIVE] ExecuteThread: '43' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <> <1335198622924> <BEA-000000> <SAMLAssertion: [Security:099031]Assertion is invalid before Tue Apr 24 00:30:23 SGT 2012.>

Here, the timestamp of the log entry (Apr 24, 2012 12:30:22 AM SGT) is earlier than the time at which the assertion becomes valid (Tue Apr 24 00:30:23 SGT 2012), which causes the SAML assertion to be rejected.

Another example message:

[2014-06-11T13:59:22.794+00:00] [soa_server2] [ERROR] [WSM-07618] [oracle.wsm.resources.enforcement] [tid: [ACTIVE].ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid:<ECID>] [APP: <APP NAME>] [J2EE_APP.name: <J2EE APP NAME>] [J2EE_MODULE.name: <J2EE MODULE NAME>] [WEBSERVICE.name: <WEBSERVICE NAME>] [WEBSERVICE_PORT.name: <WEBSERVICE PORT NAME>] [composite_instance_id: <COMPOSITE INSTANCE ID>] [component_instance_id: <COMPONENT ID>] [composite_name: <COMPOSITE NAME] [component_name: <COMPONENT NAME>] [WSM_POLICY_NAME: oracle/wss_saml_or_username_token_service_policy] Failed to execute the assertion "WSSecurity SAML Token" in the conditional policy. InvalidSecurityToken : The security token is not valid.[[
oracle.wsm.common.sdk.WSMException: InvalidSecurityToken : The security token is not valid.
        at oracle.wsm.security.policy.scenario.executor.Wss10SamlTokenScenarioExecutor.receiveRequest(Wss10SamlTokenScenarioExecutor.java:166)
        at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:832)
        at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
[...]

Caused by: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Found invalid condition "on or after" in SAML assertion. Current Time:Wed Jun 11 13:59:22 UTC 2014, clockSkew:360000 milli seconds, NotOnOrAfter Time:Wed Jun 11 13:04:23 UTC 2014.
       at oracle.security.jps.internal.jaas.module.saml.SAMLUtils.verifyNotOnOrAfter(SAMLUtils.java:107)
       at oracle.security.jps.internal.jaas.module.saml.JpsSAMLVerifier.verifyConditions(JpsSAMLVerifier.java:224)
       at oracle.security.jps.internal.jaas.module.saml.JpsSAMLVerifier.verify(JpsSAMLVerifier.java:124)
       at oracle.security.jps.internal.jaas.module.saml.JpsSamlAssertor.verify(JpsSamlAssertor.java:91)
       at oracle.security.jps.internal.jaas.module.saml.JpsSamlAssertor.assertToken(JpsSamlAssertor.java:68)
       at oracle.security.jps.internal.jaas.module.saml.JpsAbstractSAMLLoginModule.login(JpsAbstractSAMLLoginModule.java:107)
       ... 67 more

This problem is known as <BUG: 13771511> - CAN NOT DEFINE CLOCK SKEW WHEN USING FMW WEB SERVICES.
Bug 13771511 is fixed in version 11.1.1.7.
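
Added example (not part of the Oracle note, and not OWSM code): a Python triage helper that applies a SAML validity-window check with a symmetric clock-skew tolerance to the values in the two messages above. The function names and the tolerance semantics are assumptions for illustration; the sample fault text is copied from the second message.

```python
import re
from datetime import datetime, timedelta

# Sample copied from the second log message on this page (fault text only).
SAMPLE_FAULT = ('Found invalid condition "on or after" in SAML assertion. '
                'Current Time:Wed Jun 11 13:59:22 UTC 2014, clockSkew:360000 milli seconds, '
                'NotOnOrAfter Time:Wed Jun 11 13:04:23 UTC 2014.')

FAULT_RE = re.compile(r"Current Time:(?P<now>.+?), clockSkew:(?P<skew>\d+) milli seconds, "
                      r"NotOnOrAfter Time:(?P<noa>.+?)\.")

def parse_java_date(text):
    """Parse java.util.Date.toString() text; return (naive datetime, zone name)."""
    parts = text.split()
    zone = parts.pop(4)  # zone abbreviation such as UTC or SGT, kept for comparison only
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y"), zone

def check_window(now, not_before, not_on_or_after, skew):
    """Assumed semantics: the consumer widens both bounds by `skew`.
    Returns (verdict, how far outside the widened window `now` falls)."""
    if not_before is not None and now + skew < not_before:
        return "not-yet-valid", not_before - (now + skew)
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        return "expired", (now - skew) - not_on_or_after
    return "valid", timedelta(0)

def triage_fault(message):
    """Extract the times from the fault text and report whether skew could explain it."""
    m = FAULT_RE.search(message)
    if m is None:
        return None
    now, now_zone = parse_java_date(m["now"])
    noa, noa_zone = parse_java_date(m["noa"])
    if now_zone != noa_zone:
        raise ValueError("timestamps use different zones; normalise before comparing")
    skew = timedelta(milliseconds=int(m["skew"]))
    verdict, outside = check_window(now, None, noa, skew)
    return {"verdict": verdict, "skew": skew, "past_expiry": now - noa, "outside_by": outside}

if __name__ == "__main__":
    print(triage_fault(SAMPLE_FAULT))
    # First message on the page: consumer clock 00:30:22, assertion valid from 00:30:23.
    now, nb = datetime(2012, 4, 24, 0, 30, 22), datetime(2012, 4, 24, 0, 30, 23)
    print(check_window(now, nb, None, timedelta(0)))          # skew 0, as in the TRACE line
    print(check_window(now, nb, None, timedelta(seconds=5)))  # constructed 5 s tolerance
```

For the second message the helper reports the assertion as 3299 s past NotOnOrAfter against the 360 s clockSkew shown in the fault text. The first message is 1 s before NotBefore, so under these assumed semantics any tolerance of a second or more would accept it.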


Problem

Version 11.1.1.7 or newer is in use, or <PATCH: 13771511> has been applied on 11.1.1.6 or earlier, but the symptoms described above persist.

In the diagnostic log, at TRACE debugging level for oracle.wsm.security.policy.scenario.processor, one or both of the following messages are observed:

[2012-10-31T22:05:31.935+08:00] [osb_server1] [TRACE] [] [oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid:<ECID>] [SRC_CLASS: oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor] [WSM_POLICY_NAME: oracle/wss10_saml_token_client_policy] [APP: ALSB Routing] [SRC_METHOD: getClientClockSkew] The client clock skew is 0
[2012-10-31T22:05:39.732+08:00] [osb_server1] [TRACE] [] [oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid:<ECID>] [SRC_CLASS: oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor] [WSM_POLICY_NAME: oracle/wss10_saml_token_client_policy] [APP: ALSB Routing] [SRC_METHOD: getClientClockSkew] The client clock skew not configured. Using default

 

Changes

 

Cause



In this Document
Symptoms
 
Problem
Changes
Cause
Solution
 Solution for 11.1.1.6 and earlier
 Solution for 11.1.1.7:
References

