Hi Omindu,

Thanks. That worked. Could you please explain this new behavior? Is this an
intentional change? Or a workaround for an issue? I'm asking this because
this is going to affect existing customers, as all of them have to make this
change in their setups to get SSO working after upgrading to APIm 2.0.0.

Thanks,
Bhathiya

On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera <[email protected]> wrote:

> Hi Bhathiya,
>
> Can you try changing the following config in IS SP and see whether you are
> still getting logged in as the super tenant.
>
> Edit the API_Manager SP. Under 'Local & Outbound Authentication
> Configuration', select the 'Use tenant domain in local subject identifier'
> option and save the changes.
>
> Regards,
> Omindu.
>
>
>
> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <[email protected]>
> wrote:
>
>> Hi IS team,
>>
>> I configured SSO as per this doc[1]. I enabled SaaS Application in store
>> and publisher SPs. But when I try to login as *[email protected]*,
>> it fails with "*SAML response signature is verification failed.*". But
>> if I remove
>> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>*
>> config from identity.xml and do the same, I'm logged in as
>> [email protected] (not as [email protected]). This means [email protected] can
>> login as [email protected] even without knowing [email protected]'s
>> credentials.
>>
>> The SAML response I get is [2]. Looks like it's for [email protected],
>> which explains the above 2 behaviors.
>>
>> Is this a bug or am I missing some new configuration? Appreciate a quick
>> response as this is a Blocker for APIM 2 Beta release.
>>
>>
>> [1]
>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>>
>> [2] <?xml version="1.0" encoding="UTF-8"?>
>> <saml2p:Response Destination="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"
>> ID="_386d73f9fe16add6d6a231cb46511661"
>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>>     <saml2:Issuer
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
>>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>         <ds:SignedInfo>
>>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>             <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661">
>>                 <ds:Transforms>
>>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>                 </ds:Transforms>
>>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>                 <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue>
>>             </ds:Reference>
>>         </ds:SignedInfo>
>>         <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue>
>>         <ds:KeyInfo>
>>             <ds:X509Data>
>>                 <ds:X509Certificate>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</ds:X509Certificate>
>>             </ds:X509Data>
>>         </ds:KeyInfo>
>>     </ds:Signature>
>>     <saml2p:Status>
>>         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>     </saml2p:Status>
>>     <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda"
>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>>         <saml2:Issuer
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
>>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>             <ds:SignedInfo>
>>                 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>                 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>                 <ds:Reference URI="#_850365901d14fa3da9b47a0eef2decda">
>>                     <ds:Transforms>
>>                         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>                     </ds:Transforms>
>>                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>                     <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue>
>>                 </ds:Reference>
>>             </ds:SignedInfo>
>>             <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue>
>>             <ds:KeyInfo>
>>                 <ds:X509Data>
>>                     <ds:X509Certificate>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</ds:X509Certificate>
>>                 </ds:X509Data>
>>             </ds:KeyInfo>
>>         </ds:Signature>
>>         <saml2:Subject>
>>             *<saml2:NameID
>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>*
>>             <saml2:SubjectConfirmation
>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>                 <saml2:SubjectConfirmationData
>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
>> NotOnOrAfter="2016-06-05T18:00:09.459Z"
>> Recipient="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag" />
>>             </saml2:SubjectConfirmation>
>>         </saml2:Subject>
>>         <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z"
>> NotOnOrAfter="2016-06-05T18:00:09.459Z">
>>             <saml2:AudienceRestriction>
>>                 <saml2:Audience>API_PUBLISHER</saml2:Audience>
>>             </saml2:AudienceRestriction>
>>         </saml2:Conditions>
>>         <saml2:AuthnStatement AuthnInstant="2016-06-05T17:55:09.459Z"
>> SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a">
>>             <saml2:AuthnContext>
>>                 <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>             </saml2:AuthnContext>
>>         </saml2:AuthnStatement>
>>     </saml2:Assertion>
>> </saml2p:Response>
>>
>>
>> Thanks,
>>
>> --
>> *Bhathiya Jayasekara*
>> *Senior Software Engineer,*
>> *WSO2 inc., http://wso2.com*
>>
>> *Phone: +94715478185*
>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj*
>> *Twitter: https://twitter.com/bhathiyax*
>> *Blog: http://movingaheadblog.blogspot.com*
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Omindu Rathnaweera
> Software Engineer, WSO2 Inc.
> Mobile: +94 771 197 211
>



-- 
*Bhathiya Jayasekara*
*Senior Software Engineer,*
*WSO2 inc., http://wso2.com*

*Phone: +94715478185*
*LinkedIn: http://www.linkedin.com/in/bhathiyaj*
*Twitter: https://twitter.com/bhathiyax*
*Blog: http://movingaheadblog.blogspot.com*
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev