By Mark Wilcox - CTO - Oracle Consulting Security-Oracle on Dec 11, 2013
A recent question on our internal list was
"A customer has OAM and wants to do SSO to SOAP Web Services".
In this case the customer was using Webcenter Content (the product formerly known as Unified Content Manager UCM). But the scenario applies to any SOAP Web Service.
My answer was well received and there isn't anything proprietary here so I thought I would share to make it easier for people to find and for me to refer to later.
First - There is no such thing as SSO in web services.
There is only identity propagation.
Meaning that I log in as Fabrizio into OAM, connect to a Web application protected by OAM.
That Web application is a Web Services client and I want to tell the client to tell the Web Services that Fabrizio is using the service.
The first step to set this up is to protect the web services via OWSM.
The second step is to translate the OAM token into a WS-Security token.
There are 3 ways to this second step:
1 - If you are writing manual client and don't want any other product involved - use OAM STS
2 - Use Oracle Service Bus (which most likely will also use OAM STS but should make this a couple of mouse clicks)
3 - Use OAG - which doesn't need to talk to STS. It has a very simple way to convert OAM into WS-Security header.
If you're not using OSB already - I would recommend OAG. It's by far the simplest plus you get the additional benefits of OAG.
PS - You can use OSB and OAG together in many scenarios - I was only saying to avoid OSB here because the service was already exposed and there was no benefit I could see for having OSB. If you have a reason to have OSB - let me know. I only know OSB at a very high level since my area of focus is security.