On the client side I have two Credential Mapping Providers (SAML and PKI) and two Credential Mappings (Key Pair and certificate) configured, and the request is produced correctly (I monitored it with Wireshark). But the server side returns an error (Caused by: javax.xml.rpc.JAXRPCException: weblogic.xml.crypto.wss.WSSecurityException: Could not validate encryption against any of the supported token types).
What should I configure on the server side? Is a single SAML 2.0 Identity Assertion Provider enough? Should I configure an additional PKI mapping or anything else? Do you know of any more detailed documentation about a similar use case?
So I think there are a couple of questions:
1 - Did you configure a SAML Identity Asserter?
2 - Did you configure an asserting party that matches the client: same confirmation method, same audience, same issuer URI?
NOTE: There is an issue in 10.3 where, if you manually configure the partners through the console, the constants for the subject confirmation method written into the embedded LDAP are wrong. You'll need to use WLST to do this and get the constants correct. Correct in this case means including the full URI of the subject confirmation method, not just the name "holder-of-key".
3 - Did you configure the server to have an identity? Either through setting up SSL or through a Domain Level Web Services configuration?
4 - Did you turn on WS-Security debugging?
5 - Did you turn on the WebLogic SAML2, atn, and LDAP debug targets for the server?
The most common problem is that the partner configuration doesn't match.
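The WLST route the answer recommends for points 2 and 5, written out as an added example (this is not code from the thread or from Oracle's documentation). It registers a SAML 2.0 web service Identity Provider partner with the subject confirmation method stored as its full URI rather than the short name, sets the audience and issuer to match the client, and switches on the server-side SAML2/atn/embedded-LDAP debug targets. The domain name (mydomain), realm (myrealm), asserter name (SAML2_IA), partner name (WSSClientPartner), server name (AdminServer), URLs and credentials are all assumed placeholders; the MBean method names are the ones from the WebLogic SAML2IdentityAsserter and ServerDebug MBeans as I know them, so check them against the MBean reference for your exact release before running.

```wlst
# Added example, not from the original thread. Run with:
#   java weblogic.WLST register_wss_partner.py
# All names, URLs and credentials below are assumed placeholders.

connect('weblogic', 'welcome1', 't3://localhost:7001')
edit()
startEdit()

# 1. Locate the SAML 2.0 Identity Asserter in the realm (assumed name SAML2_IA).
cd('/SecurityConfiguration/mydomain/Realms/myrealm/AuthenticationProviders/SAML2_IA')
saml2ia = cmo

# 2. Use the full standard URI for the confirmation method. Storing only the
#    short name "holder-of-key" is exactly the mismatch the NOTE above warns about.
HOLDER_OF_KEY = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'

# These three values must match what the client's SAML credential mapper puts
# into the assertion: confirmation method, Audience, and Issuer.
CLIENT_ISSUER   = 'http://client.example.com/saml-issuer'     # assumed
SERVICE_AUDIENCE = 'http://server.example.com:7001/MyService' # assumed

partner = saml2ia.newWSSIdPPartner()
partner.setName('WSSClientPartner')
partner.setEnabled(true)
partner.setConfirmationMethod(HOLDER_OF_KEY)
partner.setIssuerURI(CLIENT_ISSUER)
partner.setAudienceURIs([SERVICE_AUDIENCE])   # Jython list -> String[]
# Uncomment if the asserted subject does not exist as a user in the realm:
# partner.setVirtualUserEnabled(true)
saml2ia.addIdPPartner(partner)

# 3. Turn on the debug targets from point 5 so a partner mismatch is logged
#    instead of surfacing only as "Could not validate ... token types".
cd('/Servers/AdminServer/ServerDebug')
set('DebugSecuritySAML2Atn', 'true')
set('DebugSecuritySAML2Lib', 'true')
set('DebugSecurityAtn', 'true')
set('DebugEmbeddedLDAP', 'true')

save()
activate()

# 4. Read the partner back and confirm what actually landed in the embedded LDAP
#    is the full URI, not the short name.
stored = saml2ia.getIdPPartner('WSSClientPartner')
method = stored.getConfirmationMethod()
if method != HOLDER_OF_KEY:
    print 'WARNING: stored confirmation method is "%s", expected "%s"' % (method, HOLDER_OF_KEY)
else:
    print 'Partner stored with full confirmation-method URI:', method

disconnect()
```

The WS-Security debugging in point 4 is a JVM switch rather than an MBean setting; the commonly used flags are -Dweblogic.wsee.security.debug=true and -Dweblogic.wsee.security.verbose=true on the server's JAVA_OPTIONS. The read-back at the end is the check worth keeping: if the console path was used at any point, it is the quickest way to see whether the short name crept in.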