On Wed, Jun 1, 2016 at 8:53 AM, Megala Uthayakumar <meg...@wso2.com> wrote:

Hi All,

I am trying to configure SSO in APIM 2.0.x by following [1]. Publisher and Store Jaggery apps work as expected, but when I try to log in to the portal app (Portal of Dashboard Server) using SSO, it works fine when I am logging in as a super-tenant user, but whenever I try to log in as a user from other tenants, it throws the following error:

    org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
        at org.jaggeryjs.modules.sso.common.util.Util.validateSignature(Util.java:290)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
        at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
        at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
        at org.jaggeryjs.rhino.<sso>.scripts.c0._c_anonymous_3(<sso>/scripts/sso.client.js:57)
        at org.jaggeryjs.rhino.<sso>.scripts.c0.call(<sso>/scripts/sso.client.js)
        at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
        at org.jaggeryjs.rhino.portal.controllers.c3._c_anonymous_1(/portal/controllers/acs.jag:77)
        at org.jaggeryjs.rhino.portal.controllers.c3.call(/portal/controllers/acs.jag)
        at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
        at org.jaggeryjs.rhino.portal.controllers.c3._c_script_0(/portal/controllers/acs.jag:20)
        at org.jaggeryjs.rhino.portal.controllers.c3.call(/portal/controllers/acs.jag)
        at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
        at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
        at org.jaggeryjs.rhino.portal.controllers.c3.call(/portal/controllers/acs.jag)
        at org.jaggeryjs.rhino.portal.controllers.c3.exec(/portal/controllers/acs.jag)
        at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
        at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
        at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:587)
        at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:507)
        at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:747)
        at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:377)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
        at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
        at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1749)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1708)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

When I tried the same setup in product-ds using the internal identity server, it works fine for both super-tenant and other tenants.

What could be the possible reason for this? Any help on this is highly appreciated.

[1] https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2#ConfiguringSingleSign-onwithSAML2-ConfiguringWSO2APIManagerappsasSAML2.0SSOserviceproviders

Thanks.

Regards,
Megala
--
Megala Uthayakumar
Software Engineer
Mobile : 0779967122


On Wed, Jun 1, 2016 at 9:35 AM, Udara Rathnayake <uda...@wso2.com> wrote:

For the moment, shall we disable the signature validation and try?

--
Regards,
UdaraR


On Wed, Jun 1, 2016 at 11:16 AM, Megala Uthayakumar wrote:

It is working when I remove that signature validation part from acs.jag.


On Wed, Jun 1, 2016 at 11:26 AM, Nuwan Dias <nuw...@wso2.com> wrote:

You need to share the same registry (mount registries) between IS and APIM to make this work for tenants.

It's because tenants have their key stores in the registry and the SAML response is signed using the key in this key store. If they don't share the registry, signing will be done by one key and verification will be done by a non-matching public key. Hence, signature validation will fail.

Disabling signature validation poses a security threat. Therefore it's not recommended to do that.

Thanks,
NuwanD.
--
Nuwan Dias
Technical Lead - WSO2, Inc. http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729


On Wed, Jun 1, 2016 at 11:33 AM, Megala Uthayakumar wrote:

I have already mounted the registry and the publisher app is working fine in tenant mode as well. This issue only exists in the portal app.

Thanks.

Regards,
Megala


On Wed, Jun 1, 2016 at 11:36 AM, Nuwan Dias wrote:

Portal in the sense admin-dashboard, right?


On Wed, Jun 1, 2016 at 11:43 AM, Megala Uthayakumar wrote:

No. This is the portal coming from the carbon-dashboard feature. It is different from admin-dashboard. Please see the screenshot. Thanks.


On Wed, Jun 1, 2016 at 11:46 AM, Nuwan Dias wrote:

Ruwan worked on embedding the portal within the admin-dashboard. Can you please talk to him and see what this means in that context?


On Wed, Jun 1, 2016 at 11:55 AM, Megala Uthayakumar wrote:

OK. I will check with him. Thanks.


On Wed, Jun 1, 2016 at 12:04 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:

Hi All,

We embedded the dashboard not using SSO, but with a custom Jaggery page inside the "admin-dashboard" app. So the authentication session with "admin-dashboard" is sufficient for all auth/authz purposes. Hence the above problem does not arise.

Therefore that work is not technically related to this thread.

Cheers,
Ruwan
--
Ruwan Abeykoon
Architect, WSO2, Inc. http://wso2.com
lean.enterprise.middleware.
email: ruw...@wso2.com


On Wed, Jun 1, 2016 at 12:46 PM, Farasath Ahamed <farasa...@wso2.com> wrote:

Hi Megala,

Have you enabled signature validation for authentication requests? If so, can you try the scenario with only response signing on and see if it works for tenants as well.

Thanks,
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
Email: farasa...@wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>


On Wed, Jun 1, 2016 at 2:08 PM, Megala Uthayakumar wrote:

Hi Farasath,

I have used only response signing on. But I still have the same issue.

Thanks.


Thilini Cooray <thili...@wso2.com> wrote:

Hi,

As per the discussion in [1], this issue can arise due to a certificate mismatch between the portal and your IdP. Can you please check whether you can follow the suggested solutions?

[1] http://mail.wso2.org/mailarchive/dev/2015-January/042262.html

Thanks.
--
Best Regards,
Thilini Cooray
Software Engineer
Mobile : +94 (0) 774 570 112
E-mail : thili...@wso2.com
WSO2 Inc. www.wso2.com
lean.enterprise.middleware

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev