Audience URI Not Working with OWSM Policy 'oracle/wss_saml_bearer_or_username_token_service_policy' attached to WebCenter Content Web Service. (Doc ID 2128504.1)

Last updated on AUGUST 01, 2023

Applies to:

Goal

Using the OWSM 11.1.1.9.0 policy 'oracle/wss_saml_bearer_or_username_token_service_policy' attached to an Oracle WebCenter Content service.

The absolute URI being used in this case - https://rmstest/idcws/SoapGenericPort doesn't work because rmstest is a cluster address and not mapped to a single host name.  The SAML audience URI must contain the hostname and the port of a running server, for example

https://<HOST>:<PORT>/idcws/SoapGenericPort

this works on a single server.

However, in a cluster it is not possible to use this absolute SAML URI nor is it possible to use relative SAML audience uris for this scenario.

Error MEssage
---------------------------------------------------
Caused by: FAULT CODE: InvalidSecurityToken FAULT MESSAGE: Audience URI for SAML assertion is invalid.
at oracle.security.jps.internal.jaas.module.saml.SAMLUtils.verifyAudienceUri(SAMLUtils.java:133)
at oracle.security.jps.internal.jaas.module.saml.JpsSAMLVerifier.verifyConditions(JpsSAMLVerifier.java:234)
at oracle.security.jps.internal.jaas.module.saml.JpsSAMLVerifier.verify(JpsSAMLVerifier.java:124)
at oracle.security.jps.internal.jaas.module.saml.JpsSamlAssertor.verify(JpsSamlAssertor.java:91)
at oracle.security.jps.internal.jaas.module.saml.JpsSamlAssertor.assertToken(JpsSamlAssertor.java:68)
at oracle.security.jps.internal.jaas.module.saml.JpsAbstractSAMLLoginModule.login(JpsAbstractSAMLLoginModule.java:109)
... 70 more

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.