Hi Bathiya, This is the expected behavior. With IS 5.1.0, we have given the capability to separately specify whether to include the tenant domain and/or the user store domain in the subject. This setting is now under 'Local & Outbound Authentication Configuration' section. In earlier IS versions this was under SAML SSO configurations [1] (Use fully qualified username in the NameID). Better to mention this in the docs.
So without enabling these options, the SAML response subject will not have the tenant domain included. And since, there's no tenant domain included, the assertion consumer service must be interpreting the user as someone who belongs to the super tenant domain. Regarding, UseAuthenticatedUserDomainCrypto property, do you still get the signature verification failure when it is set to 'true' ? [1] - https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2 Regards, Omindu. On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara <[email protected]> wrote: > Hi Omindu, > > Thanks. That worked. Could you please explain this new behavior? Is this > an intentional change? Or a workaround for an issue? I'm asking this > because this is going to affect existing customers, as all of them has to > make this change in their setups to get SSO working after upgrading to APIm > 2.0.0. > > Thanks, > Bhathiya > > On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera <[email protected]> > wrote: > >> Hi Bathiya, >> >> Can you try changing the following config in IS SP and see whether you >> are still getting logged as the super tenant. >> >> Edit the API_Manager SP. Under 'Local & Outbound Authentication >> Configuration', select the 'Use tenant domain in local subject identifier' >> option and save the changes. >> >> Regards, >> Omindu. >> >> >> >> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <[email protected]> >> wrote: >> >>> Hi IS team, >>> >>> I configured SSO as per this doc[1]. I enabled SaaS Application in store >>> and publisher SPs. But when I try to login as *[email protected] >>> <[email protected]>*, it fails with "*SAML response signature is verification >>> failed.*". But if I remove >>> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto> >>> *config from identity.xml adn do the same, I'm logged in as >>> [email protected] (not as [email protected]). This means [email protected] can >>> login as [email protected] even without knowing [email protected]'s >>> credentials. >>> >>> The SAML response I get is [2]. Looks like it's for [email protected], >>> which explains above 2 behaviors. >>> >>> Is this a bug or am I missing some new configuration? Appreciate a quick >>> response as this is a Blocker for APIM 2 Beta release. >>> >>> >>> [1] >>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2 >>> >>> [2] <?xml version="1.0" encoding="UTF-8"?> >>> <saml2p:Response Destination=" >>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; >>> ID="_386d73f9fe16add6d6a231cb46511661" >>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> >>> <saml2:Issuer >>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer> >>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >>> <ds:SignedInfo> >>> <ds:CanonicalizationMethod Algorithm=" >>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>> <ds:SignatureMethod Algorithm=" >>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>> <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661"> >>> <ds:Transforms> >>> <ds:Transform Algorithm=" >>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>> <ds:Transform Algorithm=" >>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>> </ds:Transforms> >>> <ds:DigestMethod Algorithm=" >>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>> >>> <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue> >>> </ds:Reference> >>> </ds:SignedInfo> >>> >>> <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue> >>> <ds:KeyInfo> >>> <ds:X509Data> >>> >>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>> </ds:X509Data> >>> </ds:KeyInfo> >>> </ds:Signature> >>> <saml2p:Status> >>> <saml2p:StatusCode >>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> >>> </saml2p:Status> >>> <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda" >>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> >>> <saml2:Issuer >>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer> >>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >>> <ds:SignedInfo> >>> <ds:CanonicalizationMethod Algorithm=" >>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>> <ds:SignatureMethod Algorithm=" >>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>> <ds:Reference URI="#_850365901d14fa3da9b47a0eef2decda"> >>> <ds:Transforms> >>> <ds:Transform Algorithm=" >>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>> <ds:Transform Algorithm=" >>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>> </ds:Transforms> >>> <ds:DigestMethod Algorithm=" >>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>> >>> <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue> >>> </ds:Reference> >>> </ds:SignedInfo> >>> >>> <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue> >>> <ds:KeyInfo> >>> <ds:X509Data> >>> >>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>> </ds:X509Data> >>> </ds:KeyInfo> >>> </ds:Signature> >>> <saml2:Subject> >>> * <saml2:NameID >>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>* >>> <saml2:SubjectConfirmation >>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> >>> <saml2:SubjectConfirmationData >>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>> NotOnOrAfter="2016-06-05T18:00:09.459Z" Recipient=" >>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; /> >>> </saml2:SubjectConfirmation> >>> </saml2:Subject> >>> <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" >>> NotOnOrAfter="2016-06-05T18:00:09.459Z"> >>> <saml2:AudienceRestriction> >>> <saml2:Audience>API_PUBLISHER</saml2:Audience> >>> </saml2:AudienceRestriction> >>> </saml2:Conditions> >>> <saml2:AuthnStatement AuthnInstant="2016-06-05T17:55:09.459Z" >>> SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a"> >>> <saml2:AuthnContext> >>> >>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> >>> </saml2:AuthnContext> >>> </saml2:AuthnStatement> >>> </saml2:Assertion> >>> </saml2p:Response> >>> >>> >>> Thanks, >>> >>> -- >>> *Bhathiya Jayasekara* >>> *Senior Software Engineer,* >>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>> >>> *Phone: +94715478185 <%2B94715478185>* >>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>> <http://www.linkedin.com/in/bhathiyaj>* >>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >>> *Blog: http://movingaheadblog.blogspot.com >>> <http://movingaheadblog.blogspot.com/>* >>> >>> _______________________________________________ >>> Dev mailing list >>> [email protected] >>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>> >>> >> >> >> -- >> Omindu Rathnaweera >> Software Engineer, WSO2 Inc. >> Mobile: +94 771 197 211 >> > > > > -- > *Bhathiya Jayasekara* > *Senior Software Engineer,* > *WSO2 inc., http://wso2.com <http://wso2.com>* > > *Phone: +94715478185 <%2B94715478185>* > *LinkedIn: http://www.linkedin.com/in/bhathiyaj > <http://www.linkedin.com/in/bhathiyaj>* > *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* > *Blog: http://movingaheadblog.blogspot.com > <http://movingaheadblog.blogspot.com/>* > -- Omindu Rathnaweera Software Engineer, WSO2 Inc. Mobile: +94 771 197 211
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
