Hi Nuwan,

For SAML2 SSO this is how it has been all this time, because we can't guarantee the issuer will be unique across tenants, unlike the client id in OAuth2, which is a UUID.

In IS, even for OAuth2, we were sending the tenantDomain to the token endpoint for all the grant types. However, we later found that in APIM it has been working without sending it, due to a different reason, and that is why we did a fix to make the tenant domain optional for the token endpoint. I don't think in SAML2 SSO we can change it that way.

Johann.

On Thu, Jun 2, 2016 at 9:40 AM, Nuwan Dias <[email protected]> wrote:

> So for tenant users, the samlsso url has changed (requires tenantDomain query param)? Does this mean that for tenant users who are migrating to the new version, they have to change their Application's SSO handling code?
>
> Thanks,
> NuwanD.
>
> On Thu, Jun 2, 2016 at 8:48 AM, Farasath Ahamed <[email protected]> wrote:
>
>> Hi Chamara,
>>
>> Sorry, I missed out some details. I tested the SAML Bearer Grant with an Identity Server 5.3.0 M1 pack. I had to change the samlsso URL to https://localhost:9443/samlsso?tenantDomain=wso2.com to log in as a user in the tenant domain in the travelocity App. Thereafter the SAML2 Bearer grant was sent to the https://localhost:9443/oauth2/token endpoint without passing the tenantDomain as a query param in the URL.
>>
>> The fix [1] was done after Identity Server 5.2.0-beta, so if we are testing with a 5.2.0-beta or earlier IS pack we would have to send in the tenantDomain as a query param (i.e. https://localhost:9443/oauth2/token?tenantDomain=<tenantDomain>) to the token endpoint for SPs in a tenantDomain, as Pushpalanka has pointed out earlier. Otherwise, it will be taken as carbon.super.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-4531
>>
>> Thanks,
>>
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> Email: [email protected]
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619
>>
>> On Thu, Jun 2, 2016 at 7:43 AM, Chamara Ariyarathne <[email protected]> wrote:
>>
>>> Hi Farasath, some unclear points.
>>>
>>> On Thu, Jun 2, 2016 at 2:47 AM, Farasath Ahamed <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I tested the SAML2 bearer grant with the travelocity app for a tenant user and I was able to get an access token with any issue.
>>>
>>> "with" or "without"?
>>>
>>>> I had to change the samlsso URL to https://localhost:9443/samlsso?tenantDomain=wso2.com to get the sample working for a tenant user.
>>>
>>> So, is it still needed?
>>>
>>>> However, I was able to generate the token without sending the tenantDomain as a query param.
>>>
>>> For which grant type? Are you still talking about the saml2-bearer grant type?
>>>
>>>> Thanks,
>>>> Farasath
>>>>
>>>> On Thu, Jun 2, 2016 at 2:22 AM, Farasath Ahamed <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> We have removed the requirement to send in the tenantDomain with the token request as a query param in [1]. Instead of relying on the query param, we now retrieve the tenantDomain using the client_id sent in the request. Therefore, this should work for all grant types. Anyway, I will check once again with the SAML2 Bearer grant.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4531
>>>>>
>>>>> Thanks.
>>>>> Farasath Ahamed
>>>>>
>>>>> On Thu, Jun 2, 2016 at 1:25 AM, Tania Mahanama <[email protected]> wrote:
>>>>>
>>>>>> On Wed, Jun 1, 2016 at 9:56 PM, Sewmini Jayaweera <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Pushpalanka,
>>>>>>>
>>>>>>> Thank you for your prompt response. I could generate the token successfully with the suggested endpoint.
>>>>>>>
>>>>>>> @Tania: Could you please update documentation [1] with this information? I have created documentation Jira [2].
>>>>>>
>>>>>> Noted.
>>>>>>
>>>>>>> [1] https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
>>>>>>> [2] https://wso2.org/jira/browse/DOCUMENTATION-3414
>>>>>>>
>>>>>>> Regards,
>>>>>>> Sewmini.
>>>>>>>
>>>>>>> Sewmini Jayaweera
>>>>>>> Software Engineer - QA Team
>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>> [email protected]
>>>>>>>
>>>>>>> On Wed, Jun 1, 2016 at 8:42 PM, Pushpalanka Jayawardhana <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Sewmini,
>>>>>>>>
>>>>>>>> Please try sending the tenantDomain as a query param in the cURL command's token endpoint as below.
>>>>>>>>
>>>>>>>> https://localhost:9443/oauth2/token?tenantDomain=<tenantDomain>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> On Wed, Jun 1, 2016 at 8:15 PM, Sewmini Jayaweera <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Adding [email protected]
>>>>>>>>>
>>>>>>>>> On Wed, Jun 1, 2016 at 8:13 PM, Sewmini Jayaweera <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi APIM / IS teams,
>>>>>>>>>>
>>>>>>>>>> I am testing the 'Exchanging SAML2 Bearer Tokens with OAuth2' (SAML Extension Grant Type) scenario for a tenant user. I followed the API Manager documentation available at [1] and the scenario worked fine for the super tenant. When I try the tenant scenario, I notice that when the service provider and IDP are created in the IS tenant domain, token generation fails. The reason is that even though the SP is in the tenant domain, the system expects the IDP in the carbon.super tenant.
>>>>>>>>>>
>>>>>>>>>> Are there any specific configurations which should be done in order to get the tenant scenario working?
>>>>>>>>>>
>>>>>>>>>> I have also reported a Jira [2] on this explaining the full scenario.
>>>>>>>>>>
>>>>>>>>>> [1] https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
>>>>>>>>>> [2] https://wso2.org/jira/browse/APIMANAGER-4929
>>>>>>>>>>
>>>>>>>>>> Kind Regards,
>>>>>>>>>> Sewmini.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>>>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>>>>>>>> Mobile: +94779716248
>>>>>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>>>>
>>>>>> --
>>>>>> Tania Mahanama
>>>>>> Senior Technical Writer
>>>>>> Mob: +94 077 5129270
>>>
>>> --
>>> Chamara Ariyarathne
>>> Associate Technical Lead - QA
>>> WSO2 Inc; http://www.wso2.com/
>>> Mobile: +94772786766
>
> --
> Nuwan Dias
> Technical Lead - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729

--
Thanks & Regards,
Johann Dilantha Nallathamby
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94777776950
Blog - http://nallaa.wordpress.com

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
