Hi Sewmini, Could you please confirm your observations after using tenantDomain only with samlsso URL (for tenants)?
Thanks,
Bhathiya

On Thu, Jun 2, 2016 at 10:16 AM, Nuwan Dias <[email protected]> wrote:
> Ok thanks, if there is no API change we don't have to worry.
>
> Thanks,
> NuwanD.
>
> On Thu, Jun 2, 2016 at 10:10 AM, Johann Nallathamby <[email protected]> wrote:
>> Hi Nuwan,
>>
>> For SAML2 SSO this is how it has been all this time. Because we can't guarantee the issuer will be unique across tenants unlike the client id in oauth2, which is a UUID.
>>
>> In IS even for OAuth2 we were sending the tenantDomain to token endpoint for all the grant types. However later found that in APIM it has been working without sending it due to a different reason, and that is why we did a fix to make tenant domain optional to token endpoint.
>>
>> I don't think in SAML2 SSO we can change it that way.
>>
>> Johann.
>>
>> On Thu, Jun 2, 2016 at 9:40 AM, Nuwan Dias <[email protected]> wrote:
>>> So for tenant users, the samlsso url has changed (requires tenantDomain query param)? Does this mean that for tenant users who are migrating to the new version, they have to change their Application's SSO handling code?
>>>
>>> Thanks,
>>> NuwanD.
>>>
>>> On Thu, Jun 2, 2016 at 8:48 AM, Farasath Ahamed <[email protected]> wrote:
>>>> Hi Chamara,
>>>>
>>>> Sorry, I missed out some details. I tested the SAML Bearer Grant with an Identity Server 5.3.0 M1 pack. I had to change the samlsso URL to https://localhost:9443/samlsso?tenantDomain=wso2.com to log in as a user in the tenant domain in the travelocity App. Thereafter the SAML2 Bearer grant was sent to the https://localhost:9443/oauth2/token endpoint without passing the tenantDomain as a query param in the URL.
>>>>
>>>> The fix [1] was done after Identity Server 5.2.0-beta so if we are testing with a 5.2.0-beta or earlier IS pack we would have to send in the tenantDomain as a query param (ie. https://localhost:9443/oauth2/token?tenantDomain=<tenantDomain>) to the token endpoint for SPs in a tenantDomain as Pushpalanka has pointed out earlier. Otherwise, it will be taken as carbon.super.
>>>>
>>>> [1] https://wso2.org/jira/browse/IDENTITY-4531
>>>>
>>>> Thanks,
>>>>
>>>> Farasath Ahamed
>>>> Software Engineer,
>>>> WSO2 Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>> Email: [email protected]
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619
>>>>
>>>> On Thu, Jun 2, 2016 at 7:43 AM, Chamara Ariyarathne <[email protected]> wrote:
>>>>> Hi Farasath, Some unclear points.
>>>>>
>>>>> On Thu, Jun 2, 2016 at 2:47 AM, Farasath Ahamed <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I tested the SAML2 bearer grant with travelocity app for a tenant user and I was able to get an access token with any issue.
>>>>>
>>>>> "with" or "without"?
>>>>>
>>>>>> I had to change the samlsso URL to https://localhost:9443/samlsso?tenantDomain=wso2.com to get the sample working for a tenant user.
>>>>>
>>>>> So, is it still needed?
>>>>>
>>>>>> However, I was able to generate the token without sending the tenantDomain as a query param.
>>>>>
>>>>> For which grant type? Are you still talking about the saml2-bearer grant type?
>>>>>
>>>>>> Thanks,
>>>>>> Farasath
>>>>>>
>>>>>> Farasath Ahamed
>>>>>> Software Engineer,
>>>>>> WSO2 Inc.; http://wso2.com
>>>>>> lean.enterprise.middleware
>>>>>>
>>>>>> Email: [email protected]
>>>>>> Mobile: +94777603866
>>>>>> Blog: blog.farazath.com
>>>>>> Twitter: @farazath619
>>>>>>
>>>>>> On Thu, Jun 2, 2016 at 2:22 AM, Farasath Ahamed <[email protected]> wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> We have removed the requirement to send in the tenantDomain with the token request as a query param in [1]. Instead of relying on the query param we now retrieve the tenantDomain using the client_id sent in the request. Therefore, this should work for all grant types. Anyways will check once again with the SAML2 Bearer grant.
>>>>>>>
>>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4531
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> Farasath Ahamed
>>>>>>> Software Engineer,
>>>>>>> WSO2 Inc.; http://wso2.com
>>>>>>> lean.enterprise.middleware
>>>>>>>
>>>>>>> Email: [email protected]
>>>>>>> Mobile: +94777603866
>>>>>>> Blog: blog.farazath.com
>>>>>>> Twitter: @farazath619
>>>>>>>
>>>>>>> On Thu, Jun 2, 2016 at 1:25 AM, Tania Mahanama <[email protected]> wrote:
>>>>>>>> On Wed, Jun 1, 2016 at 9:56 PM, Sewmini Jayaweera <[email protected]> wrote:
>>>>>>>>> Hi Pushpalanka,
>>>>>>>>>
>>>>>>>>> Thank you for your prompt response.
>>>>>>>>> I could generate token successfully with the suggested endpoint.
>>>>>>>>>
>>>>>>>>> @Tania: Could you please update documentation [1] with this information? I have created documentation Jira [2].
>>>>>>>>
>>>>>>>> Noted.
>>>>>>>>
>>>>>>>>> [1]. https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
>>>>>>>>> [2]. https://wso2.org/jira/browse/DOCUMENTATION-3414
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Sewmini.
>>>>>>>>>
>>>>>>>>> Sewmini Jayaweera
>>>>>>>>> Software Engineer - QA Team
>>>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>>>> [email protected]
>>>>>>>>>
>>>>>>>>> On Wed, Jun 1, 2016 at 8:42 PM, Pushpalanka Jayawardhana <[email protected]> wrote:
>>>>>>>>>> Hi Sewmini,
>>>>>>>>>>
>>>>>>>>>> Please try sending the tenantDomain as a query param in the cURL command's token endpoint as below.
>>>>>>>>>>
>>>>>>>>>> https://localhost:9443/oauth2/token?tenantDomain=<tenantDomain>
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> On Wed, Jun 1, 2016 at 8:15 PM, Sewmini Jayaweera <[email protected]> wrote:
>>>>>>>>>>> Adding [email protected]
>>>>>>>>>>>
>>>>>>>>>>> Sewmini Jayaweera
>>>>>>>>>>> Software Engineer - QA Team
>>>>>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>>>>>> [email protected]
>>>>>>>>>>>
>>>>>>>>>>> On Wed, Jun 1, 2016 at 8:13 PM, Sewmini Jayaweera <[email protected]> wrote:
>>>>>>>>>>>> Hi APIM / IS teams,
>>>>>>>>>>>>
>>>>>>>>>>>> I am testing the 'Exchanging SAML2 Bearer Tokens with OAuth2' (SAML Extension Grant Type) scenario for a tenant user. I followed the API Manager documentation available at [1] and the scenario worked fine for the super tenant. When I try the tenant scenario I noticed that when the service provider and IDP are created in the IS tenant domain, token generation fails. The reason is that even though the SP is in the tenant domain, the system expects the IDP in the carbon.super tenant.
>>>>>>>>>>>>
>>>>>>>>>>>> Are there any specific configurations which should be done in order to get the tenant scenario working?
>>>>>>>>>>>>
>>>>>>>>>>>> I have also reported a Jira [2] on this explaining the full scenario.
>>>>>>>>>>>>
>>>>>>>>>>>> [1]. https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
>>>>>>>>>>>> [2]. https://wso2.org/jira/browse/APIMANAGER-4929
>>>>>>>>>>>>
>>>>>>>>>>>> Kind Regards,
>>>>>>>>>>>> Sewmini.
>>>>>>>>>>>>
>>>>>>>>>>>> Sewmini Jayaweera
>>>>>>>>>>>> Software Engineer - QA Team
>>>>>>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>>>>>>> [email protected]
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Pushpalanka.
>>>>>>>>>> --
>>>>>>>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>>>>>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>>>>>>>>>> Mobile: +94779716248
>>>>>>>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>>>>>>
>>>>>>>> --
>>>>>>>> Tania Mahanama
>>>>>>>> Senior Technical Writer
>>>>>>>>
>>>>>>>> Contact:
>>>>>>>> Mob: +94 077 5129270
>>>>>
>>>>> --
>>>>> Chamara Ariyarathne
>>>>> Associate Technical Lead - QA
>>>>> WSO2 Inc; http://www.wso2.com/
>>>>> Mobile: +94772786766
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Technical Lead - WSO2, Inc. http://wso2.com
>>> email : [email protected]
>>> Phone : +94 777 775 729
>>
>> --
>> Thanks & Regards,
>>
>> Johann Dilantha Nallathamby
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - +94777776950
>> Blog - http://nallaa.wordpress.com
>
> --
> Nuwan Dias
>
> Technical Lead - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729

--
Bhathiya Jayasekara
Senior Software Engineer,
WSO2 inc., http://wso2.com
Phone: +94715478185
LinkedIn: http://www.linkedin.com/in/bhathiyaj
Twitter: https://twitter.com/bhathiyax
Blog: http://movingaheadblog.blogspot.com
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
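The thread's practical point is the SAML2 Bearer token request for a tenant service provider: on IS 5.2.0-beta and earlier the `tenantDomain` query param must be sent to `/oauth2/token` (Pushpalanka's suggestion), otherwise the request is handled under `carbon.super` and the tenant's IdP is not found (Sewmini's failure); after IDENTITY-4531 the tenant is resolved from the `client_id` instead (Farasath's explanation). The example below is added here and is not code from the thread or from WSO2. It builds the token request on the client side and models the server-side tenant resolution in both modes so the failure case is visible; the client registry, client credentials and assertion are constructed placeholders, the `tenant_from_client_id` flag standing in for the IS version is an assumption, and base64url-encoding of the assertion (RFC 7522 convention) is assumed to be accepted by the target pack.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SUPER_TENANT = "carbon.super"

# Constructed placeholder. A real assertion is issued by the tenant's SAML IdP
# (the samlsso endpoint invoked with ?tenantDomain=<tenant>, as in the thread).
SAMPLE_ASSERTION = (
    b'<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="placeholder-assertion-id" Version="2.0">'
    b"<saml2:Issuer>travelocity.com</saml2:Issuer>"
    b"</saml2:Assertion>"
)


def token_endpoint(base_url, tenant_domain, tenant_from_client_id):
    """Client side: build the token endpoint URL.

    ?tenantDomain=<t> is appended only when the server cannot derive the tenant
    from client_id (IS 5.2.0-beta or earlier, modelled by the flag) and the SP
    lives in a tenant other than carbon.super.
    """
    url = base_url.rstrip("/") + "/oauth2/token"
    if tenant_domain and tenant_domain != SUPER_TENANT and not tenant_from_client_id:
        url += "?" + urlencode({"tenantDomain": tenant_domain})
    return url


def build_token_request(base_url, client_id, client_secret, assertion_xml,
                        tenant_domain=None, scope="PRODUCTION",
                        tenant_from_client_id=False):
    """Client side: method, URL, headers and form body for the SAML2 bearer exchange.

    The assertion is base64url-encoded (RFC 7522 convention; assumption that the
    target IS version accepts it) and then form-encoded by urlencode().
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({
        "grant_type": SAML2_BEARER_GRANT,
        "assertion": base64.urlsafe_b64encode(assertion_xml).decode(),
        "scope": scope,
    })
    return {
        "method": "POST",
        "url": token_endpoint(base_url, tenant_domain, tenant_from_client_id),
        "headers": {
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


def decode_assertion(body):
    """Recover the raw assertion bytes from a form body (client-side sanity check)."""
    return base64.urlsafe_b64decode(parse_qs(body)["assertion"][0])


def client_id_from_request(request):
    """Extract client_id from the HTTP Basic Authorization header."""
    encoded = request["headers"]["Authorization"].split(" ", 1)[1]
    return base64.b64decode(encoded).decode().split(":", 1)[0]


def effective_tenant(request, client_registry, tenant_from_client_id):
    """Server side: simplified model of the behaviour the thread describes (not WSO2 code).

    client_registry is a constructed map client_id -> tenant that owns the SP.
    Before IDENTITY-4531 only the query param is consulted, so a tenant SP that
    omits it is processed as carbon.super and its IdP lookup fails; after the fix
    the tenant comes from the client_id registration.
    """
    if tenant_from_client_id:
        return client_registry.get(client_id_from_request(request), SUPER_TENANT)
    query = parse_qs(urlsplit(request["url"]).query)
    return query.get("tenantDomain", [SUPER_TENANT])[0]


if __name__ == "__main__":
    registry = {"tenant-app-client-id": "wso2.com"}  # constructed
    for old_pack in (True, False):
        req = build_token_request("https://localhost:9443", "tenant-app-client-id",
                                  "tenant-app-secret", SAMPLE_ASSERTION,
                                  tenant_domain="wso2.com",
                                  tenant_from_client_id=not old_pack)
        print(req["url"], "->", effective_tenant(req, registry, not old_pack))
```

Running the script prints the URL with `?tenantDomain=wso2.com` for the old-pack case and the bare `/oauth2/token` URL for the post-fix case, each resolving to `wso2.com`; dropping `tenant_domain` on the old-pack path resolves to `carbon.super`, which is the misconfiguration the original report hit.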
