Hi Bhathiya,

Can you try changing the following config in the IS SP and see whether you are still getting logged in as the super tenant.

Edit the API_Manager SP. Under 'Local & Outbound Authentication Configuration', select the 'Use tenant domain in local subject identifier' option and save the changes.

Regards,
Omindu.

On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <[email protected]> wrote:
> Hi IS team,
>
> I configured SSO as per this doc[1]. I enabled SaaS Application in store and publisher SPs. But when I try to login as *[email protected]*, it fails with "*SAML response signature is verification failed.*". But if I remove *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>* config from identity.xml and do the same, I'm logged in as [email protected] (not as [email protected]). This means [email protected] can login as [email protected] even without knowing [email protected]'s credentials.
>
> The SAML response I get is [2]. Looks like it's for [email protected], which explains the above 2 behaviors.
>
> Is this a bug or am I missing some new configuration? Appreciate a quick response as this is a Blocker for the APIM 2 Beta release.
>
> [1] https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>
> [2]
> <?xml version="1.0" encoding="UTF-8"?>
> <saml2p:Response Destination="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"
>     ID="_386d73f9fe16add6d6a231cb46511661"
>     InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
>     IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
>     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>       <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>         <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <saml2p:Status>
>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>   </saml2p:Status>
>   <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda"
>       IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
>       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>       <ds:SignedInfo>
>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>         <ds:Reference URI="#_850365901d14fa3da9b47a0eef2decda">
>           <ds:Transforms>
>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>           </ds:Transforms>
>           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>           <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue>
>         </ds:Reference>
>       </ds:SignedInfo>
>       <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue>
>       <ds:KeyInfo>
>         <ds:X509Data>
>           <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
>         </ds:X509Data>
>       </ds:KeyInfo>
>     </ds:Signature>
>     <saml2:Subject>
>       *<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>*
>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>         <saml2:SubjectConfirmationData InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
>             NotOnOrAfter="2016-06-05T18:00:09.459Z"
>             Recipient="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag" />
>       </saml2:SubjectConfirmation>
>     </saml2:Subject>
>     <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" NotOnOrAfter="2016-06-05T18:00:09.459Z">
>       <saml2:AudienceRestriction>
>         <saml2:Audience>API_PUBLISHER</saml2:Audience>
>       </saml2:AudienceRestriction>
>     </saml2:Conditions>
>     <saml2:AuthnStatement AuthnInstant="2016-06-05T17:55:09.459Z" SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a">
>       <saml2:AuthnContext>
>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>       </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>   </saml2:Assertion>
> </saml2p:Response>
>
> Thanks,
>
> --
> *Bhathiya Jayasekara*
> *Senior Software Engineer,*
> *WSO2 inc., http://wso2.com*
>
> *Phone: +94715478185*
> *LinkedIn: http://www.linkedin.com/in/bhathiyaj*
> *Twitter: https://twitter.com/bhathiyax*
> *Blog: http://movingaheadblog.blogspot.com*
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Omindu Rathnaweera
Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
