Friday, March 4, 2011

Failed to create SAML token as anonymous user principal found in Subject

Problem:

When we executed a Mediator in Oracle SOA Suite 11g (after a recent upgrade to AIA Foundation Pack 11.1.1.4), we started getting the following error:

Error during invoking 1-way operation "ChangeProfileName" on target service "ChangeOrganization" oracle.fabric.common.PolicyEnforcementException: WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject.
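The fault text above has a fixed shape (operation, target service, exception class, OWSM error code, message), so it can be triaged from diagnostic logs rather than read one line at a time. The following script is an added example, not part of the original post: it parses lines of that shape and counts faults per service and operation so the affected endpoints can be listed before the policy is touched. The log lines in SAMPLE_LOG are constructed for the example; the first two reproduce the fault quoted above, the third is an unrelated line that must be ignored.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the Mediator/OWSM fault quoted in the post: the message exchange
# pattern ("1-way"), operation, target service, exception class, OWSM code, text.
FAULT_RE = re.compile(
    r'Error during invoking (?P<mep>\S+) operation "(?P<operation>[^"]+)" '
    r'on target service "(?P<service>[^"]+)" '
    r'(?P<exception>[\w.]+Exception): (?P<code>WSM-\d+) : (?P<message>.+)'
)

# OWSM code from the post, with the condition it reports. Other codes would
# simply be counted without an explanation.
KNOWN_CODES = {
    "WSM-00263": "SAML token client policy in effect but the caller's Subject is anonymous",
}


@dataclass(frozen=True)
class PolicyFault:
    mep: str
    operation: str
    service: str
    exception: str
    code: str
    message: str


def parse_fault(line: str) -> Optional[PolicyFault]:
    """Return the structured fault for a matching log line, or None for other lines."""
    m = FAULT_RE.search(line)
    if m is None:
        return None
    return PolicyFault(**m.groupdict())


def summarize(lines: List[str]) -> Dict[Tuple[str, str, str], int]:
    """Count faults per (code, service, operation) so each endpoint is reported once."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for line in lines:
        fault = parse_fault(line)
        if fault is None:
            continue
        key = (fault.code, fault.service, fault.operation)
        counts[key] = counts.get(key, 0) + 1
    return counts


def explain(code: str) -> str:
    """Human-readable meaning for a known OWSM code, or a generic note otherwise."""
    return KNOWN_CODES.get(code, "unrecognised OWSM code; check the policy attachments for this service")


# Constructed sample log lines (not a real log capture).
SAMPLE_LOG = [
    'Error during invoking 1-way operation "ChangeProfileName" on target service '
    '"ChangeOrganization" oracle.fabric.common.PolicyEnforcementException: '
    'WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject.',
    'Error during invoking 1-way operation "ChangeProfileName" on target service '
    '"ChangeOrganization" oracle.fabric.common.PolicyEnforcementException: '
    'WSM-00263 : Failed to create SAML token as anonymous user principal found in Subject.',
    'INFO: Mediator instance completed normally',
]

if __name__ == "__main__":
    for (code, service, operation), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{code} x{n}  service={service} operation={operation}: {explain(code)}")
```

Pointing the script at a real log means reading the lines from the file and passing them to summarize(); the regular expression only needs the fault text to appear somewhere on the line, so a timestamp or logger prefix in front of it does no harm.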

Solution:

After upgrading to AIA Foundation Pack 11.1.1.4, the "aia_wss10_saml_token_client_policy_OPT_ON" policy is enabled by default, resulting in the error above. The steps below describe how to disable the policy:

1. Navigate to Farm_soa_domain --> WebLogic Domain --> (right-click on) soa_domain --> Web Services --> Policies

2. Modify the search criteria as follows:
   Category:   Security
   Applies To: All

3. Disable the "oracle/aia_wss10_saml_token_client_policy_OPT_ON" policy

4. Bounce "soa_server1"


Applicable Versions:
  • Oracle SOA Suite 11g (11.1.1.4)
  • Oracle AIA Foundation Pack 11g (11.1.1.4)

Ahmed Aboulnaga

5 comments:

Balaji said...

Hi,

I am also facing a similar error, but when I searched for the policy I didn't find the same one; I had "oracle/wss10_saml_token_client_policy" instead. I tried disabling that, but after that I am starting to get the 'javax.xml.ws.soap.SOAPFaultException: InvalidSecurity : error in processing the WS-Security security header' exception.
I am using SOA 11g.

Ahmed Aboulnaga said...

Try the following...

1. Navigate to "Farm_soa_domain --> WebLogic Domain --> (right-click on) soa_domain --> Web Services --> Policies"

2. Choose category 'Security' that applies to 'All' and review the attachment count.

3. This should guide you to the policies that are currently in effect.


Also try the following...

1. Navigate to "Farm_soa_domain --> WebLogic Domain --> (right-click on) soa_domain --> Web Services --> Policy Sets"

2. Choose types of resources 'All' and find out all Policy Sets that are enabled.

3. 'View' each Policy Set and look under the Scope of Resources to see which composites the policy set will apply to.


This could be the starting point, as it appears that some policy is taking effect in your case.

Unknown said...

Does this mean that "aia_wss10_saml_token_client_policy_OPT_ON" should be disabled?

Ahmed Aboulnaga said...

If you are not explicitly using it, then I recommend you disable it.

Anonymous said...

Hi Ahmed,

Thank you for this nice blog.
We are facing exactly the same error right now.
We have an ADF+OWSM_domain and a SOA+OWSM_domain.
A SAML-secured service (BPEL process) is deployed in the SOA+OWSM_domain and a sample client (ADF web app) is deployed in the ADF+OWSM_domain.
The necessary public key exchange has been done between these two domains.

Now, while invoking the service, we are facing exactly the same issue as this blog is indicating.

BUT if we simply log in to em (ADF domain) and use the WS Test client, then we can pass proper SAML to the SOA domain and all is working as expected.
Sample client code --

import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.ws.BindingProvider;
import weblogic.wsee.jws.jaxws.owsm.SecurityPoliciesFeature;

// logger and input are assumed to be declared by the enclosing class/method
logger.log(Level.ALL, "Input received------------->" + input);
// Generated JAX-WS service proxy for the BPEL process
Sayhellobpelprocess_client_ep sayhellobpelprocess_client_ep = new Sayhellobpelprocess_client_ep();
// Attach the OWSM SAML token client policy to the port at runtime
SecurityPoliciesFeature securityFeatures =
    new SecurityPoliciesFeature(new String[] { "oracle/wss10_saml_token_client_policy" });

SayHelloBPELProcess sayHelloBPELProcess =
    sayhellobpelprocess_client_ep.getSayHelloBPELProcess_pt(securityFeatures);
// A username supplied in the request context is the identity OWSM asserts in the SAML token
Map<String, Object> reqContext = ((BindingProvider) sayHelloBPELProcess).getRequestContext();
reqContext.put(BindingProvider.USERNAME_PROPERTY, "weblogic");
reqContext.put(BindingProvider.PASSWORD_PROPERTY, "weblogic1");

// Add your code to call the desired methods.
String output = sayHelloBPELProcess.process(input);
logger.log(Level.ALL, "Output received------------->" + output);