TaskQueryService with SAML

In this blogpost, I will look at the TaskQueryService with SAML. As an example, I’ll take the authenticateOnBehalfOf operation. In this blogpost, Edwin Biemond explains how to use the TaskQueryService without SAML. The weblogic username and password are visible in the WorkflowContext. This may not be desirable and can be avoided if we use the SAML port. I created a simple composite called getUserToken with a BPEL process and a reference to the TaskQueryService. Looking at the composite.xml, there are two bindings: 

Keep the binding with the TaskQueryServicePortSAML and delete the other one. This is the composite:

  
Next, add some OWSM policies. By default, the TaskQueryServicePortSAML uses oracle/wss10_saml_service_policy. As the getUserToken composite is the client of the TaskQueryService, add the oracle/wss10_saml_client_policy to the external reference. Right-click on the TaskQueryService reference and choose “Configure WS Policies...”.

Add oracle/wss10_saml_token_client_policy.
 

Before the composite is able to use the SAML policy, a security context has to be set. Do this by securing the composite with another policy, in this case use oracle/wss_username_token_service_policy. Right-click on the exposed service bpelprocess1_client_ep and choose “Configure WS Policies...”. Add oracle/wss_username_token_service_policy.

 
The BPEL process itself is quite simple. The input is used to invoke the operation authenticateOnBehalfOf of the partnerlink TaskQueryService. The output is returned in the response.

 The AssignOutput activity:

The AssignInput activity requires extra care:
 

It is essential to remove the element workflowContext before invoking the TaskQueryService. If left in, this error will pop up:

<bpelFault><faultType>1</faultType><processingErrorFault xmlns="http://xmlns.oracle.com/bpel/workflow/taskQueryService"><part name="payload"><taskQueryServiceFaultResponse xmlns="http://xmlns.oracle.com/bpel/workflow/taskQueryService"><message xmlns="http://xmlns.oracle.com/bpel/workflow/taskQueryService">ORA-30010:Error in creating reply message for Web Services. Error in creating reply message for Web Services. The Web Service input could be invalid causing this exception. Check the Web Service input for correctness. The input could also be validated against XML schema definition that describes the operation input. It being valid, this is a system error. </message></taskQueryServiceFaultResponse></part></processingErrorFault></bpelFault>

 Deploy the composite to the server and test it. I have used the test console in the Enterprise Manager but you can use any soap client you like, e.g. SoapUI.

Do not forget to enter the security credentials. As input string I have entered “samltestcase”, this is a user that I have created via the Weblogic Administration Console. After invoking the web service, this is the response:

Changing DVM in clustered environment.

This post is not about how to edit, delete or add values to your DomainValue Map at runtime using the SOA Composer. The Oracle® Fusion Middleware Developer's Guide for Oracle SOA Suite 11g Release 1 (11.1.1.6.2), chapter 48, basically says it all. The one thing I bumped into was when I tried to do this in a clustered environment. Adding a new value was easy. Committing the chances was also easy. Later, I found out that the chances only took effect on the machine on which I committed those changes. I had to start the SOA Composer on the other machine as well, only to commit the DVM to the runtime. A thing to keep in mind!