What's the interop problem between Oracle SOA Suite and SAP?
Short version: Oracle SOA Suite works after applying the SAP Notes listed below, which provide workarounds for the Oracle issues.
Long version: WS-Security makes it complicated to implement SAML Sender-Vouches correctly. Oracle has the following issues:
1) When signing the SAML assertion using the STR-Transform, Oracle uses two transforms. The first is the STR-Transform, the second is the exclusive C14N transform. As the result of the first transform is already an octet stream, the second transform does not make any sense.
2) Oracle violates the WS-I Basic Security Profile Version 1.0 specification, R3059 in section 7.22. The change in the SAP Notes makes AS ABAP 7.00 and AS ABAP 7.10 more tolerant, so that they accept SOAP messages without the Reference/@ValueType attribute.
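A check for both patterns in a captured message, as an added example (not SAP or Oracle code): it flags a ds:Reference where another transform follows the STR-Transform, and a wsse:Reference without ValueType. The sample header, the token ids and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")

# Constructed sample: a trimmed wsse:Security header showing both patterns.
SAMPLE = f"""
<wsse:Security xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#str-saml">
        <ds:Transforms>
          <ds:Transform Algorithm="{STR_TRANSFORM}"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="#x509-token"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>
"""

def interop_findings(xml_text):
    """Return (issue, reference URI) tuples for the two patterns listed above."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        algs = [t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")]
        # Item 1: the STR-Transform is followed by a further transform.
        if STR_TRANSFORM in algs and algs.index(STR_TRANSFORM) < len(algs) - 1:
            findings.append(("transform-after-STR", ref.get("URI")))
    for str_el in root.iter(f"{{{WSSE}}}SecurityTokenReference"):
        for ref in str_el.findall(f"{{{WSSE}}}Reference"):
            # Item 2: wsse:Reference carries no ValueType attribute.
            if not ref.get("ValueType"):
                findings.append(("missing-ValueType", ref.get("URI")))
    return findings

if __name__ == "__main__":
    for issue, uri in interop_findings(SAMPLE):
        print(issue, uri)
```

An empty result means neither pattern is present in the message, so the tolerance added by the SAP Notes is not what the exchange depends on.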
Checking SAP Notes
SAML Sender-vouches is supported with releases AS ABAP 7.00 (SP 15) and higher. Please ensure the following SAP notes have been applied:
AS ABAP 7.00:
- SAP Notes: 1176558, 1325457, 1420594
- Kernel patch level: 207
AS ABAP 7.01:
- SAP Notes: 1401097
- Kernel patch level: 9
AS ABAP 7.10:
- SAP Notes: 1170238, 1325457, 1420594
- Kernel patch level: 150
AS ABAP 7.11:
- SAP Notes: 1170238, 1325457, 1401097
- Kernel patch level: 13
Configure the provider
The WS provider needs to be configured for SAML Sender-Vouches authentication. Integrity and confidentiality can be implemented using either SSL or asymmetric message security.
In case of SSL, the SOAP message is transferred over HTTPS, which ensures integrity and confidentiality. To create such a configuration, follow the instructions.
In case of asymmetric message security, X.509 certificates are used for signing and encrypting the SOAP message. To create such a configuration, follow the instructions.
Configure Trust between Oracle and SAP WebAS ABAP
The scenario involves an XML Signature. Please check the Oracle documentation for how to do this in their product.
Any SAML assertion created by Oracle needs to be trusted by the SAP system and be mapped to an SAP user. Please follow the instructions from section Configure Trust for SAML SenderVouches authentication (ABAP) using the following information:
- SAML Issuer: <get from Oracle configuration>
- SAML Name Identifier: (empty, not used)
- Subject of the X.509 certificate used for the message signature (from the example): CN=Oracle, OU=NW SIM, O=NW, L=Walldorf, SP=Baden Wuerttemberg, C=DE
Create and configure the consumer
(No information available, feel free to fill the space)
Expected SOAP messages
See Single Sign on using SAML Sender Vouches example