Hi Bathiya, This option is enabled by default in fresh pack. So unless if some one un-tick this option manually because of some reason, this would work as expected for the customer who migrate to the APM 2.0. In your case, how this option was disable ? Did you disable it in UI ?
*Harsha Thirimanna* Associate Tech Lead; WSO2, Inc.; http://wso2.com * <http://www.apache.org/>* *email: **[email protected]* <[email protected]>* cell: +94 71 5186770 * *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* *harshathirimannlinked-in: **http: <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* *Lean . Enterprise . Middleware* On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera <[email protected]> wrote: > Hi Bathiya, > > This is the expected behavior. With IS 5.1.0, we have given the capability > to separately specify whether to include the tenant domain and/or the user > store domain in the subject. This setting is now under 'Local & Outbound > Authentication Configuration' section. In earlier IS versions this was > under SAML SSO configurations [1] (Use fully qualified username in the > NameID). Better to mention this in the docs. > > So without enabling these options, the SAML response subject will not have > the tenant domain included. And since, there's no tenant domain included, > the assertion consumer service must be interpreting the user as someone who > belongs to the super tenant domain. > > Regarding, UseAuthenticatedUserDomainCrypto property, do you still get > the signature verification failure when it is set to 'true' ? > > [1] - > https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2 > > Regards, > Omindu. > > On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara <[email protected]> > wrote: > >> Hi Omindu, >> >> Thanks. That worked. Could you please explain this new behavior? Is this >> an intentional change? Or a workaround for an issue? I'm asking this >> because this is going to affect existing customers, as all of them has to >> make this change in their setups to get SSO working after upgrading to APIm >> 2.0.0. >> >> Thanks, >> Bhathiya >> >> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera <[email protected]> >> wrote: >> >>> Hi Bathiya, >>> >>> Can you try changing the following config in IS SP and see whether you >>> are still getting logged as the super tenant. >>> >>> Edit the API_Manager SP. Under 'Local & Outbound Authentication >>> Configuration', select the 'Use tenant domain in local subject >>> identifier' option and save the changes. >>> >>> Regards, >>> Omindu. >>> >>> >>> >>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <[email protected]> >>> wrote: >>> >>>> Hi IS team, >>>> >>>> I configured SSO as per this doc[1]. I enabled SaaS Application in >>>> store and publisher SPs. But when I try to login as *[email protected] >>>> <[email protected]>*, it fails with "*SAML response signature is >>>> verification failed.*". But if I remove >>>> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto> >>>> *config from identity.xml adn do the same, I'm logged in as >>>> [email protected] (not as [email protected]). This means [email protected] can >>>> login as [email protected] even without knowing [email protected]'s >>>> credentials. >>>> >>>> The SAML response I get is [2]. Looks like it's for [email protected], >>>> which explains above 2 behaviors. >>>> >>>> Is this a bug or am I missing some new configuration? Appreciate a >>>> quick response as this is a Blocker for APIM 2 Beta release. >>>> >>>> >>>> [1] >>>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2 >>>> >>>> [2] <?xml version="1.0" encoding="UTF-8"?> >>>> <saml2p:Response Destination=" >>>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; >>>> ID="_386d73f9fe16add6d6a231cb46511661" >>>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> >>>> <saml2:Issuer >>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer> >>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >>>> <ds:SignedInfo> >>>> <ds:CanonicalizationMethod Algorithm=" >>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>> <ds:SignatureMethod Algorithm=" >>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>>> <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661"> >>>> <ds:Transforms> >>>> <ds:Transform Algorithm=" >>>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>>> <ds:Transform Algorithm=" >>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>> </ds:Transforms> >>>> <ds:DigestMethod Algorithm=" >>>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>>> >>>> <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue> >>>> </ds:Reference> >>>> </ds:SignedInfo> >>>> >>>> <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue> >>>> <ds:KeyInfo> >>>> <ds:X509Data> >>>> >>>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>>> </ds:X509Data> >>>> </ds:KeyInfo> >>>> </ds:Signature> >>>> <saml2p:Status> >>>> <saml2p:StatusCode >>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> >>>> </saml2p:Status> >>>> <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda" >>>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> >>>> <saml2:Issuer >>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer> >>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >>>> <ds:SignedInfo> >>>> <ds:CanonicalizationMethod Algorithm=" >>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>> <ds:SignatureMethod Algorithm=" >>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>>> <ds:Reference URI="#_850365901d14fa3da9b47a0eef2decda"> >>>> <ds:Transforms> >>>> <ds:Transform Algorithm=" >>>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>>> <ds:Transform Algorithm=" >>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>> </ds:Transforms> >>>> <ds:DigestMethod Algorithm=" >>>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>>> >>>> <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue> >>>> </ds:Reference> >>>> </ds:SignedInfo> >>>> >>>> <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue> >>>> <ds:KeyInfo> >>>> <ds:X509Data> >>>> >>>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>>> </ds:X509Data> >>>> </ds:KeyInfo> >>>> </ds:Signature> >>>> <saml2:Subject> >>>> * <saml2:NameID >>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>* >>>> <saml2:SubjectConfirmation >>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> >>>> <saml2:SubjectConfirmationData >>>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>>> NotOnOrAfter="2016-06-05T18:00:09.459Z" Recipient=" >>>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; /> >>>> </saml2:SubjectConfirmation> >>>> </saml2:Subject> >>>> <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" >>>> NotOnOrAfter="2016-06-05T18:00:09.459Z"> >>>> <saml2:AudienceRestriction> >>>> <saml2:Audience>API_PUBLISHER</saml2:Audience> >>>> </saml2:AudienceRestriction> >>>> </saml2:Conditions> >>>> <saml2:AuthnStatement AuthnInstant="2016-06-05T17:55:09.459Z" >>>> SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a"> >>>> <saml2:AuthnContext> >>>> >>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> >>>> </saml2:AuthnContext> >>>> </saml2:AuthnStatement> >>>> </saml2:Assertion> >>>> </saml2p:Response> >>>> >>>> >>>> Thanks, >>>> >>>> -- >>>> *Bhathiya Jayasekara* >>>> *Senior Software Engineer,* >>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>> >>>> *Phone: +94715478185 <%2B94715478185>* >>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>> <http://www.linkedin.com/in/bhathiyaj>* >>>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >>>> *Blog: http://movingaheadblog.blogspot.com >>>> <http://movingaheadblog.blogspot.com/>* >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> [email protected] >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>>> >>> >>> >>> -- >>> Omindu Rathnaweera >>> Software Engineer, WSO2 Inc. >>> Mobile: +94 771 197 211 >>> >> >> >> >> -- >> *Bhathiya Jayasekara* >> *Senior Software Engineer,* >> *WSO2 inc., http://wso2.com <http://wso2.com>* >> >> *Phone: +94715478185 <%2B94715478185>* >> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >> <http://www.linkedin.com/in/bhathiyaj>* >> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >> *Blog: http://movingaheadblog.blogspot.com >> <http://movingaheadblog.blogspot.com/>* >> > > > > -- > Omindu Rathnaweera > Software Engineer, WSO2 Inc. > Mobile: +94 771 197 211 > > _______________________________________________ > Dev mailing list > [email protected] > http://wso2.org/cgi-bin/mailman/listinfo/dev > >
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
