STS: Unable To Exchange SAML SSO Assertion For WS-Trust Assertion

(Doc ID 2265104.1)

Last updated on JUNE 08, 2017

Applies to:

Oracle Security Token Service - Version and later
Information in this document applies to any platform.


When configuring the OAM STS to perform token exchange, and using the two exchanges:
- Exchange X509 token for SAML 2.0 token
- Exchange SAML 2.0 token (from another issuing authority) for a SAML 2.0 token issued by OAM STS.

The X509 exchange works fine. I am unable to get the SAML 2.0 -> SAML 2.0 exchange to work. The issue is that the WS-Trust Validation Template keeps throwing a signature error.

The following messages are seen in the diagnostic log:
[SRC_CLASS:] [SRC_METHOD: verify] Retrieving verification parameters.
[SRC_CLASS:] [SRC_METHOD: verify] Verifying that the parent is the node referenced in the signature
[SRC_CLASS:] [SRC_METHOD: verify] The parent of the signature is not the node referenced in the signature
[APP: oam_server#] Signature in the token could not be verified

And then an exception:
[] [tid: 78] [userId: ] [ecid: 9f019431c14d16d3:-94f1ef4:15983e3bec9:-8000-000000000000fef6,0] [APP: oam_server#] Token processing Exception: {0}[[ Signature could not be verified

The SAML assertion is created with an enveloped signature, and it has been verified that the reference in the signature points to the saml:assertion node.
What needs to be looked at?
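
The log messages above name a structural check: the parent of the signature must be the node the signature references. The following is an added diagnostic example, not Oracle's code and not part of the original document, that reports for each ds:Signature in a token whether its parent's ID matches the ds:Reference URI. The function name, the `Wrapper` element and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def signature_parent_report(xml_text):
    """For each ds:Signature, compare its parent's ID with the ds:Reference URI."""
    root = ET.fromstring(xml_text)
    # ElementTree keeps no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    report = []
    for sig in root.iter(DS + "Signature"):
        parent = parent_of.get(sig)  # None if the signature is the document root
        ref = sig.find(DS + "SignedInfo/" + DS + "Reference")
        uri = ref.get("URI") if ref is not None else None
        parent_id = parent.get("ID") if parent is not None else None
        # SAML 2.0 enveloped signatures reference the signed element as "#<ID>".
        ok = parent_id is not None and uri == "#" + parent_id
        local = parent.tag.split("}")[-1] if parent is not None else None
        report.append({"parent": local, "parent_id": parent_id, "uri": uri, "ok": ok})
    return report

# Constructed samples (not taken from the document); signature values omitted.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>')
NS = 'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
# Signature is a direct child of the assertion it references.
GOOD = (f'<saml:Assertion {NS} ID="_a1"><saml:Issuer>idp</saml:Issuer>'
        f'{SIG}</saml:Assertion>')
# Signature references the assertion but sits under a wrapper element instead.
BAD = (f'<Wrapper><saml:Assertion {NS} ID="_a1"><saml:Issuer>idp</saml:Issuer>'
       f'</saml:Assertion>{SIG}</Wrapper>')

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        for row in signature_parent_report(doc):
            print(name, row)
```

This inspects element placement only; it does not validate the digest or the signature value.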

