Hi Megala,

Have you enabled Signature validation for Authentication requests? If so,
can you try the scenario with only Response signing on and see if it works
for tenants as well.


Thanks,

Farasath Ahamed
Software Engineer,
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware


Email: farasa...@wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>

On Wed, Jun 1, 2016 at 12:04 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

> Hi All,
> We embedded the dashboard not using SSO, but with a custom Jaggery page
> inside the "admin-dashboard" app. So the authentication session with
> "admin-dashboard" is sufficient for all auth/authz purposes. Hence the above
> problem does not arise.
>
> Therefore that work is not technically related to this thread.
>
> Cheers,
> Ruwan
>
> On Wed, Jun 1, 2016 at 11:55 AM, Megala Uthayakumar <meg...@wso2.com>
> wrote:
>
>> OK. I will check with him. Thanks.
>>
>> On Wed, Jun 1, 2016 at 11:46 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>>
>>> Ruwan worked on embedding the portal within the admin-dashboard. Can you
>>> please talk to him and see what this means in that context?
>>>
>>> On Wed, Jun 1, 2016 at 11:43 AM, Megala Uthayakumar <meg...@wso2.com>
>>> wrote:
>>>
>>>> No. This is the portal coming from the carbon-dashboard feature. It is
>>>> different from admin-dashboard. Please see the screenshot. Thanks.
>>>>
>>>> On Wed, Jun 1, 2016 at 11:36 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>
>>>>> Portal in the sense of admin-dashboard, right?
>>>>>
>>>>> On Wed, Jun 1, 2016 at 11:33 AM, Megala Uthayakumar <meg...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> I have already mounted the registry and publisher app is working fine
>>>>>> in tenant mode as well. This issue only exists in the portal app.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Regards,
>>>>>> Megala
>>>>>>
>>>>>> On Wed, Jun 1, 2016 at 11:26 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>>>
>>>>>>> You need to share the same registry (mount registries) between IS
>>>>>>> and APIM to make this work for tenants.
>>>>>>>
>>>>>>> It's because tenants have their key stores in the registry and the
>>>>>>> SAML response is signed using the key in this key store. If they don't
>>>>>>> share the registry, signing will be done by one key and verification
>>>>>>> will be done by a non-matching public key. Hence, signature validation
>>>>>>> will fail.
>>>>>>>
>>>>>>> Disabling signature validation poses a security threat. Therefore
>>>>>>> it's not recommended to do that.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> NuwanD.
>>>>>>>
>>>>>>> On Wed, Jun 1, 2016 at 11:16 AM, Megala Uthayakumar <meg...@wso2.com
>>>>>>> > wrote:
>>>>>>>
>>>>>>>> It is working when I remove that signature validation part from
>>>>>>>> acs.jag.
>>>>>>>>
>>>>>>>> On Wed, Jun 1, 2016 at 9:35 AM, Udara Rathnayake <uda...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Jun 1, 2016 at 8:53 AM, Megala Uthayakumar <
>>>>>>>>> meg...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>> I am trying to configure SSO in APIM 2.0.x by following [1].
>>>>>>>>>> Publisher and Store jaggery apps work as expected, but when I try to
>>>>>>>>>> log in to the portal app (Portal of Dashboard Server) using SSO, it
>>>>>>>>>> works fine when I am logging in as a super-tenant user, but whenever
>>>>>>>>>> I try to log in as a user from other tenants, it throws the following
>>>>>>>>>> error:
>>>>>>>>>>
>>>>>>>>>> org.opensaml.xml.validation.ValidationException: Signature did
>>>>>>>>>> not validate against the credential's key
>>>>>>>>>>
>>>>>>>>> For the moment, shall we disable the signature validation and
>>>>>>>>> try?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.modules.sso.common.util.Util.validateSignature(Util.java:290)
>>>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>> at
>>>>>>>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>>>> at
>>>>>>>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>>>>> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>>>>>>>> at
>>>>>>>>>> org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
>>>>>>>>>> at
>>>>>>>>>> org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.rhino.<sso>.scripts.c0._c_anonymous_3(<sso>/scripts/sso.client.js:57)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.rhino.<sso>.scripts.c0.call(<sso>/scripts/sso.client.js)
>>>>>>>>>> at
>>>>>>>>>> org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.rhino.portal.controllers.c3._c_anonymous_1(/portal/controllers/acs.jag:77)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.rhino.portal.controllers.c3.call(/portal/controllers/acs.jag)
>>>>>>>>>> at
>>>>>>>>>> org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.rhino.portal.controllers.c3._c_script_0(/portal/controllers/acs.jag:20)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.rhino.portal.controllers.c3.call(/portal/controllers/acs.jag)
>>>>>>>>>> at
>>>>>>>>>> org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>>>>>>>>>> at
>>>>>>>>>> org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.rhino.portal.controllers.c3.call(/portal/controllers/acs.jag)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.rhino.portal.controllers.c3.exec(/portal/controllers/acs.jag)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:587)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:507)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
>>>>>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>>>>>>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:747)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:377)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>>>>>>>>> at
>>>>>>>>>> org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>> at
>>>>>>>>>> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>>>>>>> at
>>>>>>>>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>>>>>>>> at
>>>>>>>>>> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>>>>>>>> at
>>>>>>>>>> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>>>>>>>> at
>>>>>>>>>> org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
>>>>>>>>>> at
>>>>>>>>>> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>>>>>>>> at
>>>>>>>>>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>>>>>>>> at
>>>>>>>>>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>>>>>>>>> at
>>>>>>>>>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
>>>>>>>>>> at
>>>>>>>>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
>>>>>>>>>> at
>>>>>>>>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>>>>>>>>> at
>>>>>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1749)
>>>>>>>>>> at
>>>>>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1708)
>>>>>>>>>> at
>>>>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>>>>>>> at
>>>>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>>>>>>> at
>>>>>>>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>>
>>>>>>>>>> When I tried the same setup in product-ds using the internal
>>>>>>>>>> identity server, it works fine for both super-tenant and other
>>>>>>>>>> tenants.
>>>>>>>>>>
>>>>>>>>>> What could be the possible reason for this? Any help on this is
>>>>>>>>>> highly appreciated.
>>>>>>>>>>
>>>>>>>>>> [1]
>>>>>>>>>> https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2#ConfiguringSingleSign-onwithSAML2-ConfiguringWSO2APIManagerappsasSAML2.0SSOserviceproviders
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Megala
>>>>>>>>>> --
>>>>>>>>>> Megala Uthayakumar
>>>>>>>>>>
>>>>>>>>>> Software Engineer
>>>>>>>>>> Mobile : 0779967122
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Regards,
>>>>>>>>> UdaraR
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Megala Uthayakumar
>>>>>>>>
>>>>>>>> Software Engineer
>>>>>>>> Mobile : 0779967122
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> Dev@wso2.org
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Nuwan Dias
>>>>>>>
>>>>>>> Technical Lead - WSO2, Inc. http://wso2.com
>>>>>>> email : nuw...@wso2.com
>>>>>>> Phone : +94 777 775 729
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Megala Uthayakumar
>>>>>>
>>>>>> Software Engineer
>>>>>> Mobile : 0779967122
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>>
>>>>> Technical Lead - WSO2, Inc. http://wso2.com
>>>>> email : nuw...@wso2.com
>>>>> Phone : +94 777 775 729
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Megala Uthayakumar
>>>>
>>>> Software Engineer
>>>> Mobile : 0779967122
>>>>
>>>
>>>
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Technical Lead - WSO2, Inc. http://wso2.com
>>> email : nuw...@wso2.com
>>> Phone : +94 777 775 729
>>>
>>
>>
>>
>> --
>> Megala Uthayakumar
>>
>> Software Engineer
>> Mobile : 0779967122
>>
>
>
>
> --
>
> *Ruwan Abeykoon*
> *Architect,*
> *WSO2, Inc. http://wso2.com <http://wso2.com/> *
> *lean.enterprise.middleware.*
>
> email: ruw...@wso2.com
>
>
>