Bhathiya, What is your IS version ? We are talking about last released version.
*Harsha Thirimanna* Associate Tech Lead; WSO2, Inc.; http://wso2.com * <http://www.apache.org/>* *email: **[email protected]* <[email protected]>* cell: +94 71 5186770 * *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* *harshathirimannlinked-in: **http: <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* *Lean . Enterprise . Middleware* On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna <[email protected]> wrote: > Hi Bathiya, > This option is enabled by default in fresh pack. So unless if some one > un-tick this option manually because of some reason, this would work as > expected for the customer who migrate to the APM 2.0. > In your case, how this option was disable ? Did you disable it in UI ? > > > *Harsha Thirimanna* > Associate Tech Lead; WSO2, Inc.; http://wso2.com > * <http://www.apache.org/>* > *email: **[email protected]* <[email protected]>* cell: +94 71 5186770 * > *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* > *harshathirimannlinked-in: **http: > <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 > <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* > > *Lean . Enterprise . Middleware* > > > On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera <[email protected]> > wrote: > >> Hi Bathiya, >> >> This is the expected behavior. With IS 5.1.0, we have given the >> capability to separately specify whether to include the tenant domain >> and/or the user store domain in the subject. This setting is now under 'Local >> & Outbound Authentication Configuration' section. In earlier IS versions >> this was under SAML SSO configurations [1] (Use fully qualified username in >> the NameID). Better to mention this in the docs. >> >> So without enabling these options, the SAML response subject will not >> have the tenant domain included. And since, there's no tenant domain >> included, the assertion consumer service must be interpreting the user as >> someone who belongs to the super tenant domain. >> >> Regarding, UseAuthenticatedUserDomainCrypto property, do you still get >> the signature verification failure when it is set to 'true' ? >> >> [1] - >> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2 >> >> Regards, >> Omindu. >> >> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara <[email protected]> >> wrote: >> >>> Hi Omindu, >>> >>> Thanks. That worked. Could you please explain this new behavior? Is this >>> an intentional change? Or a workaround for an issue? I'm asking this >>> because this is going to affect existing customers, as all of them has to >>> make this change in their setups to get SSO working after upgrading to APIm >>> 2.0.0. >>> >>> Thanks, >>> Bhathiya >>> >>> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera <[email protected]> >>> wrote: >>> >>>> Hi Bathiya, >>>> >>>> Can you try changing the following config in IS SP and see whether you >>>> are still getting logged as the super tenant. >>>> >>>> Edit the API_Manager SP. Under 'Local & Outbound Authentication >>>> Configuration', select the 'Use tenant domain in local subject >>>> identifier' option and save the changes. >>>> >>>> Regards, >>>> Omindu. >>>> >>>> >>>> >>>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <[email protected] >>>> > wrote: >>>> >>>>> Hi IS team, >>>>> >>>>> I configured SSO as per this doc[1]. I enabled SaaS Application in >>>>> store and publisher SPs. But when I try to login as *[email protected] >>>>> <[email protected]>*, it fails with "*SAML response signature is >>>>> verification failed.*". But if I remove >>>>> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto> >>>>> *config from identity.xml adn do the same, I'm logged in as >>>>> [email protected] (not as [email protected]). This means [email protected] can >>>>> login as [email protected] even without knowing [email protected]'s >>>>> credentials. >>>>> >>>>> The SAML response I get is [2]. Looks like it's for [email protected], >>>>> which explains above 2 behaviors. >>>>> >>>>> Is this a bug or am I missing some new configuration? Appreciate a >>>>> quick response as this is a Blocker for APIM 2 Beta release. >>>>> >>>>> >>>>> [1] >>>>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2 >>>>> >>>>> [2] <?xml version="1.0" encoding="UTF-8"?> >>>>> <saml2p:Response Destination=" >>>>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; >>>>> ID="_386d73f9fe16add6d6a231cb46511661" >>>>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>>>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> >>>>> <saml2:Issuer >>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer> >>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >>>>> <ds:SignedInfo> >>>>> <ds:CanonicalizationMethod Algorithm=" >>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>> <ds:SignatureMethod Algorithm=" >>>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>>>> <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661"> >>>>> <ds:Transforms> >>>>> <ds:Transform Algorithm=" >>>>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>>>> <ds:Transform Algorithm=" >>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>> </ds:Transforms> >>>>> <ds:DigestMethod Algorithm=" >>>>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>>>> >>>>> <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue> >>>>> </ds:Reference> >>>>> </ds:SignedInfo> >>>>> >>>>> <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue> >>>>> <ds:KeyInfo> >>>>> <ds:X509Data> >>>>> >>>>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>>>> </ds:X509Data> >>>>> </ds:KeyInfo> >>>>> </ds:Signature> >>>>> <saml2p:Status> >>>>> <saml2p:StatusCode >>>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> >>>>> </saml2p:Status> >>>>> <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda" >>>>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> >>>>> <saml2:Issuer >>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer> >>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >>>>> <ds:SignedInfo> >>>>> <ds:CanonicalizationMethod Algorithm=" >>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>> <ds:SignatureMethod Algorithm=" >>>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>>>> <ds:Reference URI="#_850365901d14fa3da9b47a0eef2decda"> >>>>> <ds:Transforms> >>>>> <ds:Transform Algorithm=" >>>>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>>>> <ds:Transform Algorithm=" >>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>> </ds:Transforms> >>>>> <ds:DigestMethod Algorithm=" >>>>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>>>> >>>>> <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue> >>>>> </ds:Reference> >>>>> </ds:SignedInfo> >>>>> >>>>> <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue> >>>>> <ds:KeyInfo> >>>>> <ds:X509Data> >>>>> >>>>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>>>> </ds:X509Data> >>>>> </ds:KeyInfo> >>>>> </ds:Signature> >>>>> <saml2:Subject> >>>>> * <saml2:NameID >>>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>* >>>>> <saml2:SubjectConfirmation >>>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> >>>>> <saml2:SubjectConfirmationData >>>>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>>>> NotOnOrAfter="2016-06-05T18:00:09.459Z" Recipient=" >>>>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; /> >>>>> </saml2:SubjectConfirmation> >>>>> </saml2:Subject> >>>>> <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" >>>>> NotOnOrAfter="2016-06-05T18:00:09.459Z"> >>>>> <saml2:AudienceRestriction> >>>>> <saml2:Audience>API_PUBLISHER</saml2:Audience> >>>>> </saml2:AudienceRestriction> >>>>> </saml2:Conditions> >>>>> <saml2:AuthnStatement AuthnInstant="2016-06-05T17:55:09.459Z" >>>>> SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a"> >>>>> <saml2:AuthnContext> >>>>> >>>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> >>>>> </saml2:AuthnContext> >>>>> </saml2:AuthnStatement> >>>>> </saml2:Assertion> >>>>> </saml2p:Response> >>>>> >>>>> >>>>> Thanks, >>>>> >>>>> -- >>>>> *Bhathiya Jayasekara* >>>>> *Senior Software Engineer,* >>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>> >>>>> *Phone: +94715478185 <%2B94715478185>* >>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>> *Twitter: https://twitter.com/bhathiyax >>>>> <https://twitter.com/bhathiyax>* >>>>> *Blog: http://movingaheadblog.blogspot.com >>>>> <http://movingaheadblog.blogspot.com/>* >>>>> >>>>> _______________________________________________ >>>>> Dev mailing list >>>>> [email protected] >>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>> >>>>> >>>> >>>> >>>> -- >>>> Omindu Rathnaweera >>>> Software Engineer, WSO2 Inc. >>>> Mobile: +94 771 197 211 >>>> >>> >>> >>> >>> -- >>> *Bhathiya Jayasekara* >>> *Senior Software Engineer,* >>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>> >>> *Phone: +94715478185 <%2B94715478185>* >>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>> <http://www.linkedin.com/in/bhathiyaj>* >>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >>> *Blog: http://movingaheadblog.blogspot.com >>> <http://movingaheadblog.blogspot.com/>* >>> >> >> >> >> -- >> Omindu Rathnaweera >> Software Engineer, WSO2 Inc. >> Mobile: +94 771 197 211 >> >> _______________________________________________ >> Dev mailing list >> [email protected] >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> >
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
