Hi Senduran,

AFAIK if your service provider is registered in a tenant, then when the service provider sends the request to the IdP you should send a query param 'tenantDomain', from which the IS will identify the respective tenant domain. I think this is the cause of the response from IS being signed with the super tenant key.

Thanks,
Malithi.

On Thu, Jan 22, 2015 at 9:26 AM, Senduran Balasubramaniyam <[email protected]> wrote:

> Hi,
>
> I have enabled SSO for ES and ESB with an external IS. I am facing the following issue when I try to login to publisher as a tenant.
>
> INFO {JAGGERY.controllers.login:jag} - Login URL: https://localhost:9447/samlsso
> org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
>
> I tried to debug the SignatureValidator and found that, when a tenant logs in to the publisher (via SSO), the SAML response is validated against the tenant-specific keystore, whereas when a tenant logs in to the management console (via SSO) the SAML response is validated against the wso2carbon keystore. The second scenario (tenant logs in to management console) is successful.
> What I guess is IS always sends a SAML response which is only valid against the wso2carbon keystore (please correct me if I am wrong). What should be the correct behavior: should IS send a tenant-specific response, or should ES always validate the SAML response against the wso2carbon keystore?
>
> Note: I have shared the governance registry and user database, and also pointed ES and ESB to IS's embedded LDAP.
> Also please go through this mail thread "[ES] Tenant couldn't login to publisher when SSO is enabled with IS".
>
> Thank you
> Senduran
>
> --
> *Senduran*
> Software Engineer,
> WSO2, Inc.; http://wso2.com/
> Mobile: +94 77 952 6548
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
*Malithi Edirisinghe*
Senior Software Engineer
WSO2 Inc.
Mobile : +94 (0) 718176807
[email protected]
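The mismatch Senduran describes (a response signed with the super tenant key being checked against a tenant keystore) is easiest to pin down by looking at which certificate is embedded in the response's ds:KeyInfo before the signature check runs. The Python below is an added example, not code from the thread or from WSO2: it reports which tenant's IdP certificate signed a response, and builds the redirect URL with the 'tenantDomain' parameter Malithi mentions. The certificate bytes, tenant names and URLs are constructed fixtures, not real keystore material; "carbon.super" is assumed to be the super tenant domain.

```python
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def signing_cert_fingerprint(saml_response_xml):
    """SHA-1 fingerprint of the X509Certificate carried in the Response-level
    ds:Signature/ds:KeyInfo, or None if the response embeds no certificate."""
    root = ET.fromstring(saml_response_xml)
    sig = root.find(DS + "Signature")  # direct child: the signature over the Response
    if sig is None:
        return None
    cert_el = next(sig.iter(DS + "X509Certificate"), None)
    if cert_el is None or not cert_el.text:
        return None
    der = base64.b64decode("".join(cert_el.text.split()))
    return hashlib.sha1(der).hexdigest()

def diagnose_signing_key(saml_response_xml, expected_tenant, trusted):
    """trusted maps tenant domain -> fingerprint of the IdP cert that tenant's
    keystore trusts. Tells whether the response was signed with the expected
    tenant's key, with another known tenant's key (e.g. the super tenant's),
    or with a key no keystore knows."""
    fp = signing_cert_fingerprint(saml_response_xml)
    if fp is None:
        return "no-embedded-cert"
    if fp == trusted.get(expected_tenant):
        return "ok"
    for tenant, known in trusted.items():
        if known == fp:
            return "signed-with-" + tenant + "-key"
    return "unknown-signer"

def sso_login_url(idp_samlsso_url, tenant_domain, saml_request_b64):
    """Redirect-binding login URL carrying the tenantDomain parameter, so the
    IS can resolve the tenant (as the reply above suggests)."""
    q = urllib.parse.urlencode({"SAMLRequest": saml_request_b64, "tenantDomain": tenant_domain})
    return idp_samlsso_url + "?" + q

# Constructed fixtures (not real certificates): opaque bytes stand in for DER.
SUPER_CERT = b"constructed-super-tenant-cert"
TENANT_CERT = b"constructed-example.com-cert"
TRUSTED = {"carbon.super": hashlib.sha1(SUPER_CERT).hexdigest(),
           "example.com": hashlib.sha1(TENANT_CERT).hexdigest()}
SAMPLE_RESPONSE = (  # constructed: a response whose KeyInfo carries the super tenant cert
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>' + base64.b64encode(SUPER_CERT).decode() + '</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')

if __name__ == "__main__":
    print(diagnose_signing_key(SAMPLE_RESPONSE, "example.com", TRUSTED))
    print(sso_login_url("https://localhost:9447/samlsso", "example.com", "PHNhbWxwOkF1dGhuUmVxdWVzdC8+"))
```

A real deployment would still run full XML signature validation after this check; the fingerprint comparison only explains which keystore the validator should have been pointed at.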
