I2 Oracle RP with IBM IDP
From OSIS Open Source Identity Systems
Note by Shane Weeden (sweeden@au1.ibm.com): The issue reported below was a configuration oversight and has been fixed.
The IBM IDP requires the RP's tokenType to be set to "urn:oasis:names:tc:SAML:1.0:assertion". If the RP requests a synonymous URI such as "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1", the request fails. The card selector still lets the IBM card be selected, but the subsequent WS-Trust exchange with the IBM STS fails, and the card selector reports the following error:
There was a failure making a WS-Trust exchange with an external application. Could not retrieve token from identity provider.
Inner Exception: Server returned an invalid SOAP Fault. Please see InnerException for more details. Inner Exception: Start element 'Code' from namespace 'http://www.w3.org/2003/05/soap-envelope' expected. Found element 'faultcode' from namespace . Line 1, position 160.
Additional Information:
Microsoft.InfoCards.TrustExchangeException: Could not retrieve token from identity provider. ---> System.ServiceModel.CommunicationException: Server returned an invalid SOAP Fault. Please see InnerException for more details. ---> System.Xml.XmlException: Start element 'Code' from namespace 'http://www.w3.org/2003/05/soap-envelope' expected. Found element 'faultcode' from namespace . Line 1, position 160.
   at System.Xml.XmlExceptionHelper.ThrowXmlException(XmlDictionaryReader reader, String res, String arg1, String arg2, String arg3)
   at System.Xml.XmlExceptionHelper.ThrowStartElementExpected(XmlDictionaryReader reader, XmlDictionaryString localName, XmlDictionaryString ns)
   at System.Xml.XmlDictionaryReader.MoveToStartElement(XmlDictionaryString localName, XmlDictionaryString namespaceUri)
   at System.Xml.XmlDictionaryReader.ReadStartElement(XmlDictionaryString localName, XmlDictionaryString namespaceUri)
   at System.ServiceModel.Channels.ReceivedFault.CreateFault12Driver(XmlDictionaryReader reader, Int32 maxBufferSize, EnvelopeVersion version)
   at System.ServiceModel.Channels.MessageFault.CreateFault(Message message, Int32 maxBufferSize)
   --- End of inner exception stack trace ---
Server stack trace:
   at System.ServiceModel.Channels.MessageFault.CreateFault(Message message, Int32 maxBufferSize)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.TryGetSecurityFaultException(Message faultMessage, Exception& faultException)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.InfoCards.RemoteTokenFactory.ISts.ProcessRequestSecurityToken(Message rstMessage)
   at Microsoft.InfoCards.RemoteTokenFactory.ProduceToken(InfoCard card, TokenCreationParameter parameter, TokenFactoryCredential credential, InfoCardPolicy policy, Boolean discloseOptional)
   --- End of inner exception stack trace ---
The workaround is to either not specify the tokenType parameter at all or to specify it as urn:oasis:names:tc:SAML:1.0:assertion.

Note what the error actually shows: the STS refused the request, but its fault message could not be read by the client. The inner XmlException says the reader expected a SOAP 1.2 Fault ('Code' in the http://www.w3.org/2003/05/soap-envelope namespace) and instead found a SOAP 1.1 style, unqualified 'faultcode' element. The card selector therefore reported "Server returned an invalid SOAP Fault" rather than the STS's own reason for rejecting the token type. An STS that wants its errors to reach the selector must return faults in the SOAP version of the WS-Trust endpoint it exposes.
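The following is an added example, not code from the OSIS page, from IBM, or from Oracle. It reproduces the failure mode in the trace above: a fault reader that, like the SOAP 1.2 client, requires a 'Code' element in the http://www.w3.org/2003/05/soap-envelope namespace rejects a fault whose first child is an unqualified 'faultcode', and the STS's reason is lost. A lenient diagnostic reader beside it accepts both fault dialects and reports the mismatch. All three SOAP messages are constructed for the example; the exact envelope the IBM STS returned is not on the page, so the "mixed" sample only reproduces the namespaces named in the exception.

```python
"""Added example: why a SOAP 1.1 fault breaks a SOAP 1.2 WS-Trust client.

Not from the OSIS page or the IBM/Oracle code it describes. The SOAP
namespace constants are the real ones; every message below is constructed.
"""
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"

# Constructed: the fault shape a SOAP 1.2 client (e.g. the selector) expects.
FAULT_12 = (
    '<s:Envelope xmlns:s="%s"><s:Body><s:Fault>'
    '<s:Code><s:Value>s:Sender</s:Value></s:Code>'
    '<s:Reason><s:Text xml:lang="en">Unsupported TokenType</s:Text></s:Reason>'
    '</s:Fault></s:Body></s:Envelope>' % SOAP12)

# Constructed: SOAP 1.2 envelope whose Fault carries SOAP 1.1 children
# (unqualified faultcode/faultstring), matching the namespaces in the trace.
FAULT_MIXED = (
    '<s:Envelope xmlns:s="%s"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode>'
    '<faultstring>Unsupported TokenType</faultstring>'
    '</s:Fault></s:Body></s:Envelope>' % SOAP12)

# Constructed: a plain SOAP 1.1 fault, for comparison.
FAULT_11 = (
    '<s:Envelope xmlns:s="%s"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode>'
    '<faultstring>Unsupported TokenType</faultstring>'
    '</s:Fault></s:Body></s:Envelope>' % SOAP11)


def _split(tag):
    """Return (namespace, localname) for an ElementTree Clark-notation tag."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def find_fault(xml_text):
    """Locate Body/Fault and return (envelope namespace, Fault element)."""
    root = ET.fromstring(xml_text)
    env_ns, local = _split(root.tag)
    if local != "Envelope" or env_ns not in (SOAP11, SOAP12):
        raise ValueError("not a SOAP envelope: %s" % root.tag)
    fault = root.find("{%s}Body/{%s}Fault" % (env_ns, env_ns))
    if fault is None:
        raise ValueError("no Fault element in Body")
    return env_ns, fault


def parse_fault_strict(xml_text):
    """Behave like the SOAP 1.2 fault reader in the trace: the first child of
    Fault must be Code in the SOAP 1.2 namespace, otherwise the whole fault is
    rejected and the STS's real reason never reaches the caller."""
    _, fault = find_fault(xml_text)
    children = list(fault)
    if not children:
        raise ValueError("empty Fault")
    ns, local = _split(children[0].tag)
    if (ns, local) != (SOAP12, "Code"):
        raise ValueError(
            "Start element 'Code' from namespace '%s' expected. "
            "Found element '%s' from namespace '%s'." % (SOAP12, local, ns))
    value = fault.find("{%s}Code/{%s}Value" % (SOAP12, SOAP12))
    text = fault.find("{%s}Reason/{%s}Text" % (SOAP12, SOAP12))
    return (value.text or "").strip(), (text.text if text is not None else "").strip()


def strict_error(xml_text):
    """Return the strict reader's error message, or None if it parsed."""
    try:
        parse_fault_strict(xml_text)
        return None
    except ValueError as exc:
        return str(exc)


def parse_fault_lenient(xml_text):
    """Diagnostic reader: accept both dialects and say which one arrived."""
    env_ns, fault = find_fault(xml_text)
    envelope = "1.2" if env_ns == SOAP12 else "1.1"
    code12 = fault.find("{%s}Code/{%s}Value" % (SOAP12, SOAP12))
    if code12 is not None:
        text = fault.find("{%s}Reason/{%s}Text" % (SOAP12, SOAP12))
        return {"envelope": envelope, "fault_dialect": "1.2",
                "code": (code12.text or "").strip(),
                "reason": (text.text if text is not None else "").strip()}
    code11 = fault.find("faultcode")  # SOAP 1.1 fault children are unqualified
    if code11 is not None:
        string11 = fault.find("faultstring")
        return {"envelope": envelope, "fault_dialect": "1.1",
                "code": (code11.text or "").strip(),
                "reason": (string11.text if string11 is not None else "").strip()}
    raise ValueError("Fault carries neither SOAP 1.2 Code nor SOAP 1.1 faultcode")


def diagnose(xml_text):
    """One-line verdict a tester can log beside the selector's error."""
    info = parse_fault_lenient(xml_text)
    if info["envelope"] != info["fault_dialect"]:
        verdict = "MISMATCH: SOAP %s fault inside a SOAP %s envelope" % (
            info["fault_dialect"], info["envelope"])
    else:
        verdict = "consistent SOAP %s fault" % info["envelope"]
    return "%s; code=%s; reason=%s" % (verdict, info["code"], info["reason"])


if __name__ == "__main__":
    for name, msg in (("1.2", FAULT_12), ("mixed", FAULT_MIXED), ("1.1", FAULT_11)):
        print(name, "strict:", strict_error(msg) or "ok", "|", diagnose(msg))
```

Running the block prints "ok" for the SOAP 1.2 fault and the same "Start element 'Code' ... Found element 'faultcode'" message as the trace for the other two, while diagnose() still recovers the STS's reason from them. In practice, capturing the raw HTTP response from the STS and running it through the lenient reader is the quickest way to tell a fault-format problem apart from a genuine token-type rejection.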
