Wednesday, June 3, 2009

How to Debug SAML Token Profile on WLS

K asks:

On the client side I have two Credential Mapping Providers (SAML and PKI) and two Credential Mappings (Key Pair and certificate) configured, and the request is produced well (I monitor it with Wireshark). But the server side returns an error (Caused by: javax.xml.rpc.JAXRPCException: weblogic.xml.crypto.wss.WSSecurityException: Could not validate encryption against any of the supported token types).

What should I configure on the server side? Is a single SAML 2.0 Identity Assertion Provider enough? Should I configure an additional PKI mapping or anything else? Do you know of some more detailed documentation about a similar use case?

So I think there are a couple of questions:

1 - Did you configure a SAML Identity Asserter?
2 - Did you configure an asserting party that matches the client: same confirmation method, same audience, same issuer URI?

NOTE: There is an issue in 10.3: if you configure the partners manually through the console, the constants for the subject confirmation method written into the embedded LDAP are wrong. You'll need to use WLST to do this and get the constants correct. Correct in this case means including the full URI of the subject confirmation method, not just the name "holder-of-key".

3 - Did you configure the server to have an identity, either by setting up SSL or through a domain-level Web Services configuration?
4 - Did you turn on WS-Security debugging?
5 - Did you turn on the WebLogic SAML2, atn, and LDAP debug targets for the server?

The most common problem is that the partner configuration doesn't match.
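Since the usual culprit is a partner entry that does not match what the client actually sends, the quickest check is to take the SOAP request captured on the wire (the Wireshark capture K mentions), pull the issuer, audience and subject confirmation method out of the SAML assertion in the wsse:Security header, and compare them field by field with the server-side partner entry. The following script is an added example, not code from the original post or from WebLogic; it uses only the Python standard library, a constructed SAML 1.1 holder-of-key request, and a plain dictionary standing in for the identity asserter's partner entry (the real entry lives in the embedded LDAP and would be read with WLST). It also flags the short-name constant ("holder-of-key") that the 10.3 console writes instead of the full confirmation method URI, for both the SAML 1.1 and SAML 2.0 assertion formats.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Short names versus the full confirmation method URIs the asserter expects.
CM_URIS = {
    "saml1": {
        "holder-of-key": "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key",
        "sender-vouches": "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches",
        "bearer": "urn:oasis:names:tc:SAML:1.0:cm:bearer",
    },
    "saml2": {
        "holder-of-key": "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key",
        "sender-vouches": "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches",
        "bearer": "urn:oasis:names:tc:SAML:2.0:cm:bearer",
    },
}

# Constructed sample request: a SAML 1.1 holder-of-key assertion in the wsse:Security header.
SAMPLE_SOAP = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"
          Issuer="http://client.example.com/saml" IssueInstant="2009-06-03T00:00:00Z">
        <saml:Conditions>
          <saml:AudienceRestrictionCondition>
            <saml:Audience>http://server.example.com/service</saml:Audience>
          </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
            AuthenticationInstant="2009-06-03T00:00:00Z">
          <saml:Subject>
            <saml:NameIdentifier>kuser</saml:NameIdentifier>
            <saml:SubjectConfirmation>
              <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
            </saml:SubjectConfirmation>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""


def extract_assertion_facts(soap_xml):
    """Return issuer, audiences and confirmation methods of the SAML assertion in wsse:Security."""
    root = ET.fromstring(soap_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header in the request")
    a = sec.find("saml1:Assertion", NS)
    if a is not None:  # SAML 1.1: Issuer is an attribute, ConfirmationMethod is element text
        return {
            "version": "saml1",
            "issuer": (a.get("Issuer") or "").strip(),
            "audiences": [e.text.strip() for e in a.findall(".//saml1:Audience", NS)],
            "confirmation_methods": [e.text.strip() for e in a.findall(".//saml1:ConfirmationMethod", NS)],
        }
    a = sec.find("saml2:Assertion", NS)
    if a is not None:  # SAML 2.0: Issuer is an element, Method is an attribute of SubjectConfirmation
        return {
            "version": "saml2",
            "issuer": a.findtext("saml2:Issuer", default="", namespaces=NS).strip(),
            "audiences": [e.text.strip() for e in a.findall(".//saml2:Audience", NS)],
            "confirmation_methods": [e.get("Method", "") for e in a.findall(".//saml2:SubjectConfirmation", NS)],
        }
    raise ValueError("no SAML 1.1 or 2.0 assertion in wsse:Security")


def check_partner(facts, partner):
    """Compare assertion facts with a (hypothetical) partner entry; return a list of mismatches."""
    problems = []
    cm = partner["confirmation_method"]
    full_uris = CM_URIS[facts["version"]]
    if cm in full_uris:  # the short-name constant the 10.3 console stores instead of the full URI
        problems.append("confirmation method %r is a short name; the entry needs the full URI %r" % (cm, full_uris[cm]))
        cm = full_uris[cm]
    if cm not in facts["confirmation_methods"]:
        problems.append("confirmation method %r not in assertion %r" % (cm, facts["confirmation_methods"]))
    if partner["issuer_uri"] != facts["issuer"]:
        problems.append("issuer URI %r != assertion issuer %r" % (partner["issuer_uri"], facts["issuer"]))
    if not set(partner["audience_uris"]) & set(facts["audiences"]):
        problems.append("none of the audience URIs %r appear in assertion %r" % (partner["audience_uris"], facts["audiences"]))
    return problems


# Constructed partner entries: one written the way the console does it, one corrected via WLST.
CONSOLE_PARTNER = {"issuer_uri": "http://other.example.com/saml",
                   "audience_uris": ["http://server.example.com/service"],
                   "confirmation_method": "holder-of-key"}
CORRECTED_PARTNER = {"issuer_uri": "http://client.example.com/saml",
                     "audience_uris": ["http://server.example.com/service"],
                     "confirmation_method": "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"}

if __name__ == "__main__":
    facts = extract_assertion_facts(SAMPLE_SOAP)
    for name, partner in (("console", CONSOLE_PARTNER), ("corrected", CORRECTED_PARTNER)):
        print(name, check_partner(facts, partner) or "OK")
```

Run it against a real capture by replacing SAMPLE_SOAP with the request body from Wireshark and filling the partner dictionary from the asserter's partner entry; an empty list means the three fields the post names all line up, and anything left over points at the field to fix with WLST.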


  1. Hi Josh,
    I am having certain issues with WLS 10.3 using
    SAML Token Profile.
    I have posted the problem in detail here.
    Can you provide some help?

  2. Can you also explain how the SAML token profile exactly works with WebLogic 10.3?

    I think that first the SAMLCredMapper creates a SAML assertion from the authenticated subject on the web service client, then appends it to the wsse:Security header in the outgoing SOAP message. Then
    at the server side the SAMLIdentityAsserter validates the assertion and responds to the service request.

    Is that correct?


    Hope this helps

