Forum Discussion

JimL's avatar
JimL
Contributor
16 years ago

How to get SOAPUI to add a SAML Assertion?

Hi,

I haven't had much success here in getting any responses to my inquiries about a similar subject, but I'll give this one more try  ...

I have imported a WSDL into SOAPUI.  This WSDL is one for a webservice that I have running (and working) on a WebLogic server.  When we call this webservice from a webservice client (on another WebLogic server), the SOAP message has a SOAP header with a signed, sender-vouches Assertion.

Here's the WSDL:



 
 
   
     
       
         
            sender-vouches
         
       
     
   
 
 
   
     
       
         
           
         
       
     
     
       
         
           
         
       
     
     
       
         
           
         
       
     
     
       
         
           
         
       
     
   
 
 
   
 
 
   
 
 
   
 
 
   
 
 
   
     
     
   
   
     
     
   
 
 
   
   
     
     
       
       
         
       
     
     
       
     
   
   
     
     
       
       
         
       
     
     
       
     
   
 
 
   
     

   
 


What I am trying to do is to use SOAPUI to send SOAP messages to this same webservice.

As I said above the SOAP messages need to have a SOAP header with a signed Assertion.

After importing the WSDL into SOAPUI, I have tried numerous things, trying to configure the Outgoing WS-Security configuration.  I have the keystore configured, and have tried adding various combinations of SAML and Signature.

If I add only Signature to the Outgoing WS-Security configuration, and send a request from SOAPUI, it does add a section to the SOAP header, but as I said, in order to duplicate what the WebLogic-hosted webservice client does, what needs to be in the SOAP header is not just a signature, but a signed element.

I guess that really, the first question that I have is:  Should SOAPUI be able to do this?

If the answer to THAT question is "yes", then the question is "How?", i.e., what are the specific steps that I need to do, presumably in the Outgoing WS-Security configuration, to make this work?

Has ANYONE gotten something like this working?

Thanks, and sorry to have to start a new thread on this.

Jim

12 Replies

Sort By
  • JimL's avatar
    JimL
    Contributor
    16 years ago
    Hi,

    I found this thread:

    http://www.eviware.com/component/option ... opic,973.0

    which gave me a hint, that when setting the WS-Security configuration in SOAPUI, that "Namespace" had to be the URL for the namespace, not the prefix.

    So, I tried again:

    Outgoing WS-Security:
    ++++++++++++++++

    ==> Signature

    Parts:
    ==> Body:  http://schemas.xmlsoap.org/soap/envelope/ Element
    ==> Assertion:  urn:oasis:names:tc:SAML:1.0:assertion Element


    I started with this in the SOAP request:
    ++++++++++++++++++++++++++++++++++++++








    weblogic

    urn:oasis:names:tc:SAML:1.0:cm:sender-vouches



     
         
            123
         
     




    Then, I right-clicked on request and applied the WS-Security 'test':
















    hcmOdvkDCMqGj3m7ev8lr9R0zGU=






    y01rfi7Tg3KUg1GYrM4/orXiq7c=



    Ok26TO3wZp47PmJWfQAbEDOXMYb2LL9hYQlmMNisXQ1+3I5ySwuW0vKhNqEiDpKXl51SnfDLLi3I
    CiywOGtWXjeQlmK8YyA8Z5kDjEY+QH+o7fSq3Mgpa1xBbfgwITeew9PGGRbF2Pc9dhbSR9CknQs+
    irAFnkNqRh9p9yQ/HkQ=




    CN=consumer,OU=Some Group,O=Some Company,L=Some City,ST=Some State,C=US
    0









    weblogic

    urn:oasis:names:tc:SAML:1.0:cm:sender-vouches



     
         
            123
         
     



    So, it looks like I can get SOAPUI to sign the parts, including the Assertion, BUT, the signature is in a separate block.

    However, in the signed Assertions from WebLogic, the signature is within the , as opposed to a separate block.

    I think that this is the difference between "enveloping" and "enveloped" signatures?

    Is there a way to get SOAPUI to do "the opposite"?

    Thanks,
    Jim

    P.S.  With the above, I had to include the "AssertionID="123"" in the original SOAP message, before I applied the WS-Security, whereas for signing the Body, I didn't have to do that, and SOAPUI automatically assigned the wsu:id. 

    Why is that?
  • SmartBear_Suppo's avatar
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    16 years ago
    Hi Jim,

    I just wanted to apologize for our unresponsiveness to this, I just haven't had time to dig in to the internals of the wss4j library that we are using for the ws-security/saml support. It's high on my list and I'll post back as soon as possible..

    regards!

    /Ole
    eviware.com
  • JimL's avatar
    JimL
    Contributor
    16 years ago
    Ole,

    Thanks for responding.  It's a kind of relief, as I was worried that there was something wrong with my posts.

    I understand what you said, and also understand that (guessing here) this WS-Security and SAML stuff may not be "mainline" for you all, but for us, it's key.

    In the meantime, I'll continue experimenting, and will post what I find.  Maybe it'll help others using SOAPUI who are also interested in using it with security.

    My next "test" is to try to use SOAPUI to generate the signature block, and then do some testing by copy-pasting the that got left out of the to see if it'll validate and work with one of my test WebLogic webservices.  I've not had much luck with that so far, but I'm not sure if it's because I'm corrupting the (thus causing the invalid token error from WebLogic), or if there's something wrong with my WebLogic SAML configuration. 

    I'm still debugging, and like I said, will post back any significant (to me, at least) results here.

    Thanks again,
    Jim
  • JimL's avatar
    JimL
    Contributor
    16 years ago
    Hi,

    BTW, one of the things that I've found is that if I paste the surrounding and around the that I pasted into the request, then apply the WS-Security (right-clicking), SOAPUI wipes out the entire

    I'm not really sure why that's happening, but I have a feeling that SOAPUI, currently, is not able to "find" the "" 'Part' for signing if it's one level down from
    .

    I've tried things ala XPath for the 'Part', i.e., Envelope/Header/Security but that didn't work either ...

    Jim
  • JimL's avatar
    JimL
    Contributor
    16 years ago
    Hi,

    I did more testing, and I'm afraid that I'm at an impasse.

    First of all, for reference, here is what one of our "valid" WebLogic blocks looks like:



    MajorVersion="1" MinorVersion="1"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns="urn:oasis:names:tc:SAML:1.0:assertion">



    weblogic

    urn:oasis:names:tc:SAML:1.0:cm:sender-vouches










    QVVEqebiI8LY8u2/elbrXxyZ04k=
    P0a5rpznbrPqhb0frjTJhXJhqO/Otviabu8kGIRmHV8rQ1A2RrdMilwPp780CUEv2iSEgUQI3sYalRamuB/23V
    iicWeRqSpstEgGTAXsmLtEN4i908bHZWEhsL7ZcAoUE4JN9ONUSuuG7sZZuOx8ya4Lg28lx0jIHBEhI+LGnLQ=


    MIIDMDCCApmgAwIBAgIBADANBgkqhkiG9w0BAQQFADB1MQswCQYDVQQGEwJVUzETMBEG
    A1UECBMKU29tZSBTdGF0ZTESMBAGA1UEBxMJU29tZSBDaXR5MRUwEwYDVQQKEwxTb21lIENvbXBhbnkxEzARBgNV
    BAsTClNvbWUgR3JvdXAxETAPBgNVBAMTCGNvbnN1bWVyMB4XDTAzMTAwMzAwNTE1MloXDTEzMDkzMDAwNTE1Mlo
    wdTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUgU3RhdGUxEjAQBgNVBAcTCVNvbWUgQ2l0eTEVMBMGA1UECh
    MMU29tZSBDb21wYW55MRMwEQYDVQQLEwpTb21lIEdyb3VwMREwDwYDVQQDEwhjb25zdW1lcjCBnzANBgkqhkiG9
    w0BAQEFAAOBjQAwgYkCgYEApYAO1laM2GJBQDLMtvpsz6ndkpdnWMB6D0Da+T3Xc6y3N31sMt0AT3bGZJ/ca33I+A+
    L9f6CATotc1n9rKBXv4Bxy9zZ8CRS3xoSytk5lGWOY7xYImjgbWM9YVqeWJiRJX+jnKF/JjjDsYXJsJ7mJbmYr2TkpeRPfEf+
    CuToDbMCAwEAAaOBzzCBzDAdBgNVHQ4EFgQUK2f7I/IXNeEMiR1CnrCurAFmiewwgZ8GA1UdIwSBlzCBlIAUK2f7I/IX
    NeEMiR1CnrCurAFmieyheaR3MHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lIFN0YXRlMRIwEAYDVQQHEwlTb21
    lIENpdHkxFTATBgNVBAoTDFNvbWUgQ29tcGFueTETMBEGA1UECxMKU29tZSBHcm91cDERMA8GA1UEAxMIY29uc3VtZ
    XKCAQAwCQYDVR0TBAIwADANBgkqhkiG9w0BAQQFAAOBgQCeIb85xq/foT5fbri6wNeQy+BhjZXeFc91VEbCbyJ+q1rm
    CUP08vs4CO7tvwC1XySlEuTgYn6FjZKX0lPO9x1uvaegF9JwY0jWD/Kd+3lHKiJEZrmmgLtKA8lFRAU2SeWIqJYE4nDKyP
    2UrrpyvB+evXtM3wS8cQqSXE38zm3Bhg==


    A couple of things to note in the above:

    1) The is embedded in the element
    2) There're these two in the :





    Now, I tried the test I mentioned in my previous post, i.e.:

    a) I added the manually into the request, then
    b) I did right-click apply==>Ws-security, which created the , then
    c) I manually copy-pasted such that the was embedded in the
    d) I then sent the request to the WebLogic webservice and got this error:

    "Could not verify signature: SAMLSignedObject.verify() detected an invalid signature profile."

    So, I then added:



    to the , and sent the request again.

    This time, I got the following error:

    "Could not verify signature: SAMLSignedObject.verify() failed to validate signature value."

    Now, I have to admit that I don't know whether that last error is because with the various copy-pasting, I just
    inadverdently corrupted the signed content to the point that the signature was no longer good, or whether the
    signature "covers" the block, and because I added the "enveloped-signature"
    that made the signature invalid, but either way, it doesn't seem like this works.

    I guess that, to me, the really "correct" thing might be if SOAPUI had an option in the Signature configuration for
    enveloped vs. enveloping?

    Jim
  • SmartBear_Suppo's avatar
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    16 years ago
    Hi Jim,

    thanks for all your info.. I've had some time to dig into the wss4j API and it seems there is support for signed SAML tokens, I'll try to put this into a nightly build later this week and will post back here so you can check it out..

    again sorry for the time this is taking..

    regards!

    /Ole
    eviware.com
  • JimL's avatar
    JimL
    Contributor
    16 years ago
    Ole,

    I'll look forward to testing that when it's available.  If you need any more information, please post back.

    Jim
  • JimL's avatar
    JimL
    Contributor
    16 years ago
    Hi Ole,

    Do you have any update on this, or an ETA for the nightly build that you mentioned in your previous post?

    Thanks,
    Jim
  • JimL's avatar
    JimL
    Contributor
    16 years ago
    eviware support wrote:

    Hi Jim,

    thanks for all your info.. I've had some time to dig into the wss4j API and it seems there is support for signed SAML tokens, I'll try to put this into a nightly build later this week and will post back here so you can check it out..

    again sorry for the time this is taking..

    regards!

    /Ole
    eviware.com



    Hi,

    I haven't seen any further info on this subject.  Did you ever get some fixes/changes into a build for this?

    Thanks,
    Jim
  • SmartBear_Suppo's avatar
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    16 years ago
    Hi Jim,

    sorry to keep you waiting, I just haven't had time to dig as I wanted.. I'll get back to you as soon as I can.

    regards,

    /Ole
    eviware.com