STS: Unable To Exchange SAML SSO Assertion For WS-Trust Assertion (Doc ID 2265104.1)

Last updated on JUNE 08, 2017

Applies to:

Oracle Security Token Service - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

When configuring the OAM STS to perform token exchange, and using the two exchanges:
- Exchange X509 token for SAML 2.0 Token
- Exchange SAML 2.0 token (from another issuing authority) for a SAML 2.0 token issued by OAM STS.

The X509 exchange works fine. I am unable to get the SAML 2.0 -> SAML 2.0 exchange to work. The issue is that the WS-Trust Validation Template keeps throwing a signature error.

The following messages are seen in the diagnostic log:
[SRC_CLASS: oracle.security.fed.security.crypto.dsig.DomXmlVerifier] [SRC_METHOD: verify] Retrieving verification parameters.
[SRC_CLASS: oracle.security.fed.security.crypto.dsig.DomXmlVerifier] [SRC_METHOD: verify] Verifying that the parent is the node referenced in the signature
[SRC_CLASS: oracle.security.fed.security.crypto.dsig.DomXmlVerifier] [SRC_METHOD: verify] The parent of the signature is not the node referenced in the signature
[APP: oam_server#11.1.2.0.0] Signature in the token could not be verified

And then an exception:
[oracle.security.fed.eventhandler.sts.validation.token.ValidateSAML20TokenEventHandler] [tid: 78] [userId: ] [ecid: 9f019431c14d16d3:-94f1ef4:15983e3bec9:-8000-000000000000fef6,0] [APP: oam_server#11.1.2.0.0] Token processing Exception: {0}[[
oracle.security.fed.sts.token.TokenProcessingException: oracle.security.fed.sts.token.tpe.TokenProcessingException: Signature could not be verified
  at oracle.security.fed.sts.token.providers.TokenValidatorImpl.validate(TokenValidatorImpl.java:62)
  at oracle.security.fed.eventhandler.sts.validation.token.ValidateSAML20TokenEventHandler.perform(ValidateSAML20TokenEventHandler.java:260)
  at oracle.security.fed.controller.ActionStateMachine.processEvent(ActionStateMachine.java:173)

The SAML assertion is created with an enveloped signature, and it has been verified that the reference in the signature points to the saml:assertion node.
What needs to be looked at?
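The two DomXmlVerifier lines above describe a structural check on the enveloped signature: the ds:Reference URI must resolve to the element that directly contains the ds:Signature, here the saml:Assertion. As an added example, not Oracle's code, the following standard-library Python applies that rule to two constructed documents so the offending Reference/parent pair can be seen before the token reaches the STS; the element and attribute names are assumed from the SAML 2.0 and XML-DSig namespaces, and no cryptographic verification is performed.

```python
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def check_enveloped_signature(xml_text):
    """Structural rule from the diagnostic log: each ds:Signature must be a direct
    child of the element its ds:Reference URI points to, and that element must be
    the saml:Assertion. Returns (ok, explanation); no cryptographic check is done."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    by_id = {el.get(a): el for el in root.iter() for a in ("ID", "Id", "id") if el.get(a)}
    signatures = list(root.iter(DSIG + "Signature"))
    if not signatures:
        return False, "no ds:Signature element found"
    for sig in signatures:
        ref = sig.find(f"{DSIG}SignedInfo/{DSIG}Reference")
        if ref is None:
            return False, "ds:Signature has no ds:Reference"
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False, f"Reference URI {uri!r} is not a same-document #id reference"
        target = by_id.get(uri[1:])
        if target is None:
            return False, f"Reference URI {uri!r} resolves to no element"
        parent = parent_of.get(sig)
        if parent is not target:
            return False, ("the parent of the signature is not the node referenced in the "
                           f"signature (parent={getattr(parent, 'tag', None)}, referenced={target.tag})")
        if target.tag != SAML2 + "Assertion":
            return False, f"referenced node is {target.tag}, not saml:Assertion"
    return True, "signature is enveloped in the referenced saml:Assertion"


# Constructed sample: enveloped signature whose Reference points at its parent.
GOOD = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1">'
        '<saml:Issuer>https://idp.example</saml:Issuer>'
        '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
        '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')
# Constructed sample: signature inside the Assertion but referencing the enclosing samlp:Response.
BAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
       'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">'
       '<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example</saml:Issuer>'
       '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo></ds:Signature>'
       '</saml:Assertion></samlp:Response>')

for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
    print(name, *check_enveloped_signature(doc))
```

Running it against the assertion actually sent to the STS shows which element the Reference URI resolves to and which element encloses the ds:Signature, which is the mismatch the log line reports.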

Cause
