Hi all,

After looking into the ES login code with Darshana, we figured that the issue is caused by the "RelayState" value set in the SAML request. In store login.jag [1], RelayState is set to the value of the referer header of the http/https request. It contains the host (localhost:port / <IP>:port) as well. Once the authentication is completed and the SAML response is received, the acs redirects to the "RelayState" URL. But the response is sent to <AssertionConsumerService>https://localhost:9443/store/acs</AssertionConsumerService>, which is defined in sso-idp-config.xml. When this AssertionConsumerService hostname doesn't match the redirected RelayState hostname, the above-discussed issue is present.
When the RelayState value is set to a relative path (e.g. /store/asts/site/list?sortBy=overview_createdtime&sort=DESC) the issue is eliminated since relative values are used. In Publisher, the above-mentioned 'referer' header value is null, hence RelayState is set to the default value '/publisher', which is relative. That's why the issue is not present in the Publisher. I've fixed the issue in Store in commit [2], where the context is filtered out from the RelayState URL.

[1] https://github.com/wso2/carbon-store/blob/f258561979fa649e74290631031b34986e3b5d24/apps/store/controllers/login.jag#L27
[2] https://github.com/wso2/carbon-store/commit/ff74b1d3723ed6550a10d1a55471f89eccd9d7c6

Thanks!
-Ayesha

On Thu, Oct 23, 2014 at 8:36 PM, Darshana Gunawardana <[email protected]> wrote:

> On Wed, Oct 22, 2014 at 11:15 PM, Rajeeva Uthayasangar <[email protected]> wrote:
>
>> Hi Darshana,
>> In my case also, authentication request validation is passed and the
>> authentication response hit the acs.
>>
>
> Ok... Then the issue might be in the ACS. Have to look into the logic in
> the acs..
>
>> First, I tried to access the store via IP by giving credentials; it
>> directs to the store home page again and shows as not logged in. At that
>> time the URL is with the IP. But when I replace the IP with localhost it
>> shows as logged in. Please find the attached images.
>>
>> On Wed, Oct 22, 2014 at 10:22 PM, Darshana Gunawardana <[email protected]> wrote:
>>
>>> On Wed, Oct 22, 2014 at 10:08 PM, Rajeeva Uthayasangar <[email protected]> wrote:
>>>
>>>> Hi Sameera,
>>>> The issue comes in the redirection URL after the authentication. It's
>>>> redirecting with the IP but the domain we registered in the SP is localhost.
>>>> The redirection domain should be the same as what we gave when registering
>>>> the SP, AFAIK.
>>>
>>> What Rajeeva faced should be an authentication request validation
>>> failure. But if the authentication response hit the acs, authentication
>>> request validation seems to have passed and it is returning a SAML response.
>>>
>>> @Sameera : Have you traced the SAML requests? Is the ACS being hit with a
>>> valid SAML assertion?
>>>
>>>> @Chandana
>>>> The solution which I mentioned solved the issue in App Manager.
>>>>
>>>> Thanks,
>>>> Rajeeva.
>>>>
>>>> On Wed, Oct 22, 2014 at 8:35 PM, Sameera Medagammaddegedara <[email protected]> wrote:
>>>>
>>>>> Hi Rajeeva,
>>>>>
>>>>> During the offline discussion with Chandana it was noted that the
>>>>> response was hitting the correct acs endpoint.
>>>>>
>>>>> Thank You,
>>>>> Sameera
>>>>>
>>>>> On Wed, Oct 22, 2014 at 8:24 PM, Rajeeva Uthayasangar <[email protected]> wrote:
>>>>>
>>>>>> Hi Chandana/Sameera,
>>>>>>
>>>>>> AFAIK, Store and Publisher are in SSO and they are registered as
>>>>>> service providers with localhost in sso-idp-config.xml
>>>>>> (ES_HOME/repository/conf).
>>>>>>
>>>>>> You have to register the service provider with the IP in
>>>>>> sso-idp-config.xml as below in order to access via IP.
>>>>>>
>>>>>> <ServiceProvider>
>>>>>>     <Issuer>store</Issuer>
>>>>>>     <AssertionConsumerService>https://<IP>:9443/store/acs</AssertionConsumerService>
>>>>>>     <SignResponse>true</SignResponse>
>>>>>>     <CustomLoginPage>/store/login.jag</CustomLoginPage>
>>>>>> </ServiceProvider>
>>>>>>
>>>>>> Thanks,
>>>>>> Rajeeva.
>>>>>>
>>>>>> On Wed, Oct 22, 2014 at 7:52 PM, Chandana Napagoda <[email protected]> wrote:
>>>>>>
>>>>>>> Great... Thanks Sameera,
>>>>>>>
>>>>>>> I have created a JIRA [1] for this issue.
>>>>>>>
>>>>>>> [1]. https://wso2.org/jira/browse/STORE-542
>>>>>>>
>>>>>>> Regards,
>>>>>>> Chandana
>>>>>>>
>>>>>>> On Wed, Oct 22, 2014 at 7:22 PM, Sameera Medagammaddegedara <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Chandana,
>>>>>>>>
>>>>>>>> I was able to reproduce the problem on my local setup.
>>>>>>>>
>>>>>>>> I will provide an update on this as soon as possible; could you
>>>>>>>> please create a JIRA to track the issue?
>>>>>>>>
>>>>>>>> Thank You,
>>>>>>>> Sameera
>>>>>>>>
>>>>>>>> On Wed, Oct 22, 2014 at 7:09 PM, Chandana Napagoda <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Sameera/Ruchira,
>>>>>>>>>
>>>>>>>>> We have noticed the following behavior in the latest ES based store
>>>>>>>>> application. If the user tries to access the store application using a
>>>>>>>>> network assigned IP address, they won't be able to log in to the store
>>>>>>>>> app. Instead he will be redirected to the same page again and again.
>>>>>>>>>
>>>>>>>>> However the login function works as expected for localhost. Is this a
>>>>>>>>> known issue?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Chandana
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Chandana Napagoda
>>>>>>>>> Senior Software Engineer
>>>>>>>>> WSO2 Inc. - http://wso2.org
>>>>>>>>> Email : [email protected]  Mobile : +94718169299
>>>>>>>>> Blog : http://cnapagoda.blogspot.com
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sameera Medagammaddegedara
>>>>>>>> Software Engineer
>>>>>>>> Contact:
>>>>>>>> Email: [email protected]
>>>>>>>> Mobile: + 94 077 255 3005
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> [email protected]
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>> --
>>>>>> Rajeeva Uthayasangar
>>>>>> Software Engineer
>>>>>> WSO2, Inc.: http://wso2.com
>>>>>> Mobile: +94777298873
>>>
>>> --
>>> Regards,
>>> Darshana Gunawardana
>>> Software Engineer
>>> WSO2 Inc.; http://wso2.com
>>> E-mail: [email protected]
>>> Mobile: +94718566859
>>> Lean . Enterprise . Middleware

--
Ayesha Dissanayaka
Software Engineer, WSO2, Inc: http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: [email protected]
