The Patch For Bug 13771511 Does Not Fix The SAML Token Offset Issue (Doc ID 1507161.1)

Last updated on OCTOBER 25, 2016

Applies to:

Oracle Web Services Manager - Version 11.1.1.4.0 to 11.1.1.7.0 [Release 11gR1]
Information in this document applies to any platform.

Symptoms

A Web Service is secured with OWSM using a SAML based policy. A SAML assertion is created. The clock on the system where the assertion is consumed is running behind the clock on the system where the assertion is created. The SAML assertion is then rejected with an error message like this:

####<Apr 24, 2012 12:30:22 AM SGT> <Debug> <SecuritySAMLAtn> <SGDEMDMCustPP01> <CUSTMGDPPRDSIG1> <[ACTIVE] ExecuteThread: '43' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1335198622924> <BEA-000000> <SAMLAssertion: [Security:099031]Assertion is invalid before Tue Apr 24 00:30:23 SGT 2012.>

Here, the time stamp of the log entry (Apr 24, 2012 12:30:22 AM SGT) is one second before the time at which the assertion becomes valid (Tue Apr 24 00:30:23 SGT 2012), and that causes the SAML assertion to be rejected.

Another example message:

[2014-06-11T13:59:22.794+00:00] [soa_server2] [ERROR] [WSM-07618] [oracle.wsm.resources.enforcement] [tid: [ACTIVE].ExecuteThread: '58' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 92779a63aa7f68a6:487a6cc3:14685c472d2:-8000-000000000002eca3,1:30928] [APP: PasTransactionsService_TransactionsService#V1.2] [J2EE_APP.name: PasTransactionsService_TransactionsService_V1.2] [J2EE_MODULE.name: opsmservices-transactions] [WEBSERVICE.name: TransactionsProcessingServiceAMService] [WEBSERVICE_PORT.name: TransactionsProcessingServiceAMServiceSoapHttpPort] [composite_instance_id: 500030] [component_instance_id: 357E2880F16811E3BF678DE4420A0C04] [composite_name: PasTransactionsComposite] [component_name: CreateTransaction] [WSM_POLICY_NAME: oracle/wss_saml_or_username_token_service_policy] Failed to execute the assertion "WSSecurity SAML Token" in the conditional policy. InvalidSecurityToken : The security token is not valid.[[
oracle.wsm.common.sdk.WSMException: InvalidSecurityToken : The security token is not valid.
        at oracle.wsm.security.policy.scenario.executor.Wss10SamlTokenScenarioExecutor.receiveRequest(Wss10SamlTokenScenarioExecutor.java:166)
        at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:832)
        at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
[...]

Caused by: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Found invalid condition "on or after" in SAML assertion. Current Time:Wed Jun 11 13:59:22 UTC 2014, clockSkew:360000 milli seconds, NotOnOrAfter Time:Wed Jun 11 13:04:23 UTC 2014.
       at oracle.security.jps.internal.jaas.module.saml.SAMLUtils.verifyNotOnOrAfter(SAMLUtils.java:107)
       at oracle.security.jps.internal.jaas.module.saml.JpsSAMLVerifier.verifyConditions(JpsSAMLVerifier.java:224)
       at oracle.security.jps.internal.jaas.module.saml.JpsSAMLVerifier.verify(JpsSAMLVerifier.java:124)
       at oracle.security.jps.internal.jaas.module.saml.JpsSamlAssertor.verify(JpsSamlAssertor.java:91)
       at oracle.security.jps.internal.jaas.module.saml.JpsSamlAssertor.assertToken(JpsSamlAssertor.java:68)
       at oracle.security.jps.internal.jaas.module.saml.JpsAbstractSAMLLoginModule.login(JpsAbstractSAMLLoginModule.java:107)
       ... 67 more

This problem is known as Bug 13771511 - CAN NOT DEFINE CLOCK SKEW WHEN USING FMW WEB SERVICES.
Bug 13771511 is fixed in version 11.1.1.7.


Problem

Version 11.1.1.7 or newer is in use, or Patch 13771511 has been applied to 11.1.1.6 or earlier, yet the symptoms above persist.

In the diagnostic log, at TRACE debugging level for oracle.wsm.security.policy.scenario.processor, one or both of the following messages are observed:

[2012-10-31T22:05:31.935+08:00] [osb_server1] [TRACE] [] [oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 84b47c168e100133:-c3ec4a7:13ab1dbd3c0:-7ffd-000000000004b2c0,0] [SRC_CLASS: oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor] [WSM_POLICY_NAME: oracle/wss10_saml_token_client_policy] [APP: ALSB Routing] [SRC_METHOD: getClientClockSkew] The client clock skew is 0
[2012-10-31T22:05:39.732+08:00] [osb_server1] [TRACE] [] [oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 84b47c168e100133:-c3ec4a7:13ab1dbd3c0:-7ffd-000000000004b2e5,0] [SRC_CLASS: oracle.wsm.security.policy.scenario.processor.WssSamlTokenProcessor] [WSM_POLICY_NAME: oracle/wss10_saml_token_client_policy] [APP: ALSB Routing] [SRC_METHOD: getClientClockSkew] The client clock skew not configured. Using default
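To make the window arithmetic in the two log entries of the Symptoms section concrete, and to show why a client clock skew of 0 (the default reported by the TRACE messages above) turns a one-second clock offset into a rejection, here is an added Python example; it is not OWSM code. The two assertions are constructed with the timestamps quoted in the log entries (the NotBefore of the second one is assumed), and the acceptance rule NotBefore - skew <= now < NotOnOrAfter + skew is an assumed reading of the clockSkew value in the error message, not a description of Oracle's exact implementation.

```python
"""Check a SAML assertion's <Conditions> window with a clock-skew tolerance.

Added example, not Oracle's OWSM code. The acceptance rule
NotBefore - skew <= now < NotOnOrAfter + skew is an assumption about how
a verifier applies clockSkew.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed: the consumer's clock reads 00:30:22 SGT while the assertion is
# valid from 00:30:23 SGT (SGT is UTC+8, hence 2012-04-23T16:30:23Z).
ASSERTION_NOT_YET_VALID = f"""
<Assertion xmlns="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
           AssertionID="constructed-1" Issuer="constructed-issuer"
           IssueInstant="2012-04-23T16:30:23Z">
  <Conditions NotBefore="2012-04-23T16:30:23Z" NotOnOrAfter="2012-04-23T16:35:23Z"/>
</Assertion>
"""

# Constructed: NotOnOrAfter is taken from the second log entry; NotBefore is assumed.
ASSERTION_EXPIRED = f"""
<Assertion xmlns="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
           AssertionID="constructed-2" Issuer="constructed-issuer"
           IssueInstant="2014-06-11T12:59:23Z">
  <Conditions NotBefore="2014-06-11T12:59:23Z" NotOnOrAfter="2014-06-11T13:04:23Z"/>
</Assertion>
"""


@dataclass
class Verdict:
    valid: bool
    reason: str


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime as used in SAML Conditions; a trailing 'Z' means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # treat a naive value as UTC rather than local time
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def at(iso_utc: str) -> datetime:
    """Convenience constructor for an aware 'now' value, e.g. at('2012-04-23T16:30:22Z')."""
    return parse_saml_time(iso_utc)


def find_conditions(root: ET.Element):
    """Return the first <Conditions> element regardless of the SAML namespace version."""
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "Conditions":
            return element
    return None


def check_conditions(assertion_xml: str, now: datetime, clock_skew_ms: int = 0) -> Verdict:
    """Apply NotBefore / NotOnOrAfter with a symmetric clock-skew allowance."""
    conditions = find_conditions(ET.fromstring(assertion_xml))
    if conditions is None:
        return Verdict(False, "assertion carries no Conditions element")
    skew = timedelta(milliseconds=clock_skew_ms)
    now_utc = now.astimezone(timezone.utc)

    not_before = conditions.get("NotBefore")
    if not_before is not None and now_utc < parse_saml_time(not_before) - skew:
        return Verdict(False, f"assertion is invalid before {not_before} "
                              f"(now {now_utc.isoformat()}, clockSkew {clock_skew_ms} ms)")

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is not None and now_utc >= parse_saml_time(not_on_or_after) + skew:
        return Verdict(False, f"invalid condition 'on or after': NotOnOrAfter {not_on_or_after} "
                              f"(now {now_utc.isoformat()}, clockSkew {clock_skew_ms} ms)")
    return Verdict(True, "within validity window")


def skew_needed_ms(assertion_xml: str, now: datetime) -> int:
    """Smallest clock skew (ms) that would make the assertion acceptable at 'now'.

    A value of a second or two points at clock drift between producer and
    consumer; a value of many minutes points at an expired assertion.
    """
    conditions = find_conditions(ET.fromstring(assertion_xml))
    if conditions is None:
        return 0
    now_utc = now.astimezone(timezone.utc)
    needed = 0
    not_before = conditions.get("NotBefore")
    if not_before is not None:
        gap = parse_saml_time(not_before) - now_utc
        needed = max(needed, int(gap.total_seconds() * 1000))
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is not None:
        gap = now_utc - parse_saml_time(not_on_or_after)
        if gap >= timedelta(0):
            needed = max(needed, int(gap.total_seconds() * 1000) + 1)
    return needed


if __name__ == "__main__":
    consumer_now = at("2012-04-23T16:30:22Z")
    print(check_conditions(ASSERTION_NOT_YET_VALID, consumer_now, 0))
    print(check_conditions(ASSERTION_NOT_YET_VALID, consumer_now, 1000))
    print("skew needed (ms):", skew_needed_ms(ASSERTION_NOT_YET_VALID, consumer_now))
    later_now = at("2014-06-11T13:59:22Z")
    print(check_conditions(ASSERTION_EXPIRED, later_now, 360000))
    print("skew needed (ms):", skew_needed_ms(ASSERTION_EXPIRED, later_now))
```

Running it shows the first assertion rejected at a skew of 0 but accepted once 1000 ms of tolerance is allowed, which is exactly the situation the "client clock skew is 0" trace message describes. The second assertion still fails with the 360000 ms (6 minute) allowance from the error message because it needs roughly 55 minutes of skew, so that case is an expired assertion or a badly wrong clock rather than a tolerance setting; skew_needed_ms is the quickest way to tell the two apart from a captured assertion and the consumer's timestamp.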

Cause
