Thursday, 9 May 2013

How To secure your OSB services (Propagate SAML Token)

Today I would like to share what I have learned, read, and found about how to secure an OSB service using a SAML token, that is, the steps to secure an OSB service with a SAML token (the steps below can also be used for SAML token propagation):

There are sites and videos that can help us find out how to secure OSB:

  • Watch this video for an easy introduction to securing an OSB service. It is an Oracle-produced video. The link provided here is only part 1 of 3; as always, YouTube links to the related videos once you have watched the first part.
  • The same material can be found in this slide pack.

Before reading this blog further, please review the reference artefacts above so that you have the basic knowledge and context.

A few bits needed to achieve our goal are missing from the artefacts referenced above.

In order to secure an OSB service, you will need two parts:

1. OWSM policies. This is clearly articulated in the artefacts referenced above.
2. Configuration of the WebLogic Server (for the identity provider). This is missing from the artefacts referenced above.

Note: This blog is not to pinpoint any documentation defects in the reference artefacts, please consider this blog as an additional reference material.

To configure the security provider or authentication provider in WebLogic Server, please follow this documentation:

Document: Oracle® Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.6)
Section Relevant to us would be: Configuring LDAP Authentication Providers

And one last thing that would vary for us from the reference artefacts is that the following OWSM policies need to be used instead of the policies stated in the above referenced artefacts:

oracle/wss10_saml_token_service_policy – Proxy Service
oracle/wss10_saml_token_client_policy – Business Service.
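
When testing a service that uses these policies, it helps to confirm what the request actually carries. The following is an added example, not code from the original post or from Oracle: it parses a SOAP request and reports whether the WS-Security header holds a SAML assertion, who issued it, whether it is signed, and whether its validity window has lapsed. The sample envelope (SAML 1.1, issuer `www.example.com`, user `testuser`) and the function name `inspect_saml` are assumptions made for illustration.

```python
# Added example (not from the original post): inspect the SAML token in a SOAP request.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: issuer, user and timestamps are made up for illustration.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header>
 <wsse:Security xmlns:wsse="{NS['wsse']}">
  <saml:Assertion xmlns:saml="{SAML11}" MajorVersion="1" MinorVersion="1"
    AssertionID="id-constructed" Issuer="www.example.com" IssueInstant="2013-05-09T10:00:00Z">
   <saml:Conditions NotBefore="2013-05-09T10:00:00Z" NotOnOrAfter="2013-05-09T10:05:00Z"/>
   <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
     AuthenticationInstant="2013-05-09T10:00:00Z"><saml:Subject>
     <saml:NameIdentifier>testuser</saml:NameIdentifier>
     <saml:SubjectConfirmation><saml:ConfirmationMethod
       >urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
     </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""

def inspect_saml(envelope_xml, now=None):
    """Summarise the SAML assertion found in wsse:Security (SAML 1.1 or 2.0)."""
    now = now or datetime.now(timezone.utc)
    # ElementTree is fine for your own test captures; use a hardened parser for untrusted XML.
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return {"present": False}
    for ns in (SAML11, SAML20):
        a = sec.find(f"{{{ns}}}Assertion")
        if a is not None:
            break
    else:
        return {"present": False}
    # SAML 1.1 carries Issuer as an attribute, SAML 2.0 as a child element.
    issuer = a.get("Issuer") or a.findtext(f"{{{ns}}}Issuer")
    subject = a.findtext(f".//{{{ns}}}NameIdentifier") or a.findtext(f".//{{{ns}}}NameID")
    cond, expired = a.find(f"{{{ns}}}Conditions"), None
    if cond is not None and cond.get("NotOnOrAfter"):
        end = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
        expired = now >= end
    methods = [m.text.strip() for m in a.iter(f"{{{ns}}}ConfirmationMethod")]   # SAML 1.1
    methods += [m.get("Method") for m in a.iter(f"{{{ns}}}SubjectConfirmation") if m.get("Method")]
    # "signed" only reports that an enveloped ds:Signature exists; it does not verify it.
    return {"present": True, "issuer": issuer, "subject": subject, "expired": expired,
            "signed": a.find("ds:Signature", NS) is not None, "confirmation": methods}
```

An assertion that reports `signed: False` with a `sender-vouches` confirmation method is vouched for only by whoever sent the message, so the service relies on transport-level or message-level protection to know that sender is trusted.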

Hope all the above references were of help. Please feel free to leave your comments.


  1. Hi

    I've got a similar requirement to create a Pass-through proxy for SAML token policy.
    Consumer sends the SAML token, and the OSB Business Service invokes UCM which accepts SAML token.

    I've understood that I have to configure appropriate policies for the Proxy and Business Service, but I am not able to figure out how to test. The consumer application is not ready yet, and is actually developed by a different team altogether. UCM, which the Business Service invokes, is already ready.
    In this case, if I want to test, what configurations do I need to do in WebLogic, and can I test the application using SoapUI?

    Appreciate your response

  2. Hi Ravi Kiran,

    You can test the web service (OSB) by just invoking the service from SoapUI.

    The steps to configure SoapUI for SAML are available in the SoapUI forum:

    Follow the steps at the link provided above.

    Hope this helps.


  3. I enable this policy on the OSB proxy. I have separated OSB and SOA Suite (BPEL) servers, but with a fixed header that I got from the internet and put in SoapUI, the WS works. I want to force authentication and only accept requests from a trusted server. I followed many blogs and posts and it does not work ... What am I doing wrong?

  4. Hi Victor, I am not too clear on what you are asking. Are you asking about two-way trusted invocation with SSL?

    Check out the below A-Team blog: