Hi Bathiya,

Yes, from 5.2.0 onwards we have disabled it. You are correct.

The reason was, if we enable it by default, then for the super tenant users there will be carbon.super within the user name as the subject. That is a very unexpected case and then we have to disable it manually. Your case comes with the multi-tenant story. Most of the time we are working in super tenant mode, so we decided to disable it by default. In multi-tenant mode, we have to enable it per tenant. The problem is, we have to document this clearly.

Harsha Thirimanna
Associate Tech Lead; WSO2, Inc.; http://wso2.com
email: [email protected]
cell: +94 71 5186770
twitter: http://twitter.com/afkham_azeez
linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
Lean . Enterprise . Middleware

On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara <[email protected]> wrote:

> Hi Harsha/Omindu,
>
> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.
>
> Thanks,
> Bhathiya
>
> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna <[email protected]> wrote:
>
>> Bhathiya,
>> What is your IS version? We are talking about the last released version.
>>
>> Harsha Thirimanna
>> Associate Tech Lead; WSO2, Inc.
>>
>> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna <[email protected]> wrote:
>>
>>> Hi Bathiya,
>>> This option is enabled by default in a fresh pack.
>>> So unless someone un-ticks this option manually for some reason, this would work as expected for the customers who migrate to APM 2.0.
>>> In your case, how was this option disabled? Did you disable it in the UI?
>>>
>>> Harsha Thirimanna
>>> Associate Tech Lead; WSO2, Inc.
>>>
>>> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera <[email protected]> wrote:
>>>
>>>> Hi Bathiya,
>>>>
>>>> This is the expected behavior. With IS 5.1.0, we have given the capability to separately specify whether to include the tenant domain and/or the user store domain in the subject. This setting is now under the 'Local & Outbound Authentication Configuration' section. In earlier IS versions this was under SAML SSO configurations [1] (Use fully qualified username in the NameID). Better to mention this in the docs.
>>>>
>>>> So without enabling these options, the SAML response subject will not have the tenant domain included. And since there's no tenant domain included, the assertion consumer service must be interpreting the user as someone who belongs to the super tenant domain.
>>>>
>>>> Regarding the UseAuthenticatedUserDomainCrypto property, do you still get the signature verification failure when it is set to 'true'?
>>>>
>>>> [1] - https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2
>>>>
>>>> Regards,
>>>> Omindu.
>>>>
>>>> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara <[email protected]> wrote:
>>>>
>>>>> Hi Omindu,
>>>>>
>>>>> Thanks.
>>>>> That worked. Could you please explain this new behavior? Is this an intentional change? Or a workaround for an issue? I'm asking this because this is going to affect existing customers, as all of them have to make this change in their setups to get SSO working after upgrading to APIm 2.0.0.
>>>>>
>>>>> Thanks,
>>>>> Bhathiya
>>>>>
>>>>> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera <[email protected]> wrote:
>>>>>
>>>>>> Hi Bathiya,
>>>>>>
>>>>>> Can you try changing the following config in the IS SP and see whether you are still getting logged in as the super tenant.
>>>>>>
>>>>>> Edit the API_Manager SP. Under 'Local & Outbound Authentication Configuration', select the 'Use tenant domain in local subject identifier' option and save the changes.
>>>>>>
>>>>>> Regards,
>>>>>> Omindu.
>>>>>>
>>>>>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <[email protected]> wrote:
>>>>>>
>>>>>>> Hi IS team,
>>>>>>>
>>>>>>> I configured SSO as per this doc [1]. I enabled SaaS Application in the store and publisher SPs. But when I try to log in as *[email protected]*, it fails with "*SAML response signature is verification failed.*". But if I remove *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>* config from identity.xml and do the same, I'm logged in as [email protected] (not as [email protected]). This means [email protected] can log in as [email protected] even without knowing [email protected]'s credentials.
>>>>>>>
>>>>>>> The SAML response I get is [2]. Looks like it's for [email protected], which explains the above 2 behaviors.
>>>>>>>
>>>>>>> Is this a bug or am I missing some new configuration? Appreciate a quick response as this is a Blocker for the APIM 2 Beta release.
>>>>>>>
>>>>>>> [1] https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>>>>>>>
>>>>>>> [2]
>>>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>>>> <saml2p:Response Destination="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag" ID="_386d73f9fe16add6d6a231cb46511661" InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>>>>>>>   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
>>>>>>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>>>     <ds:SignedInfo>
>>>>>>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>>>>>       <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661">
>>>>>>>         <ds:Transforms>
>>>>>>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>>>>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>>         </ds:Transforms>
>>>>>>>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>>>>>         <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue>
>>>>>>>       </ds:Reference>
>>>>>>>     </ds:SignedInfo>
>>>>>>>     <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue>
>>>>>>>     <ds:KeyInfo>
>>>>>>>       <ds:X509Data>
>>>>>>>         <ds:X509Certificate>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</ds:X509Certificate>
>>>>>>>       </ds:X509Data>
>>>>>>>     </ds:KeyInfo>
>>>>>>>   </ds:Signature>
>>>>>>>   <saml2p:Status>
>>>>>>>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>>>>>>   </saml2p:Status>
>>>>>>>   <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda" IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>>>>>>>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
>>>>>>>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>>>       <ds:SignedInfo>
>>>>>>>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>>         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>>>>>         <ds:Reference URI="#_850365901d14fa3da9b47a0eef2decda">
>>>>>>>           <ds:Transforms>
>>>>>>>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>>>>>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>>           </ds:Transforms>
>>>>>>>           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>>>>>           <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue>
>>>>>>>         </ds:Reference>
>>>>>>>       </ds:SignedInfo>
>>>>>>>       <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue>
>>>>>>>       <ds:KeyInfo>
>>>>>>>         <ds:X509Data>
>>>>>>>           <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate>
>>>>>>>         </ds:X509Data>
>>>>>>>       </ds:KeyInfo>
>>>>>>>     </ds:Signature>
>>>>>>>     <saml2:Subject>
>>>>>>>       *<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>*
>>>>>>>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>>>>>         <saml2:SubjectConfirmationData InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" NotOnOrAfter="2016-06-05T18:00:09.459Z" Recipient="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag" />
>>>>>>>       </saml2:SubjectConfirmation>
>>>>>>>     </saml2:Subject>
>>>>>>>     <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" NotOnOrAfter="2016-06-05T18:00:09.459Z">
>>>>>>>       <saml2:AudienceRestriction>
>>>>>>>         <saml2:Audience>API_PUBLISHER</saml2:Audience>
>>>>>>>       </saml2:AudienceRestriction>
>>>>>>>     </saml2:Conditions>
>>>>>>>     <saml2:AuthnStatement AuthnInstant="2016-06-05T17:55:09.459Z" SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a">
>>>>>>>       <saml2:AuthnContext>
>>>>>>>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>>>>>>       </saml2:AuthnContext>
>>>>>>>     </saml2:AuthnStatement>
>>>>>>>   </saml2:Assertion>
>>>>>>> </saml2p:Response>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> --
>>>>>>> Bhathiya Jayasekara
>>>>>>> Senior Software Engineer,
>>>>>>> WSO2 inc., http://wso2.com
>>>>>>> Phone: +94715478185
>>>>>>> LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>>>>>> Twitter: https://twitter.com/bhathiyax
>>>>>>> Blog: http://movingaheadblog.blogspot.com
>>>>>>
>>>>>> --
>>>>>> Omindu Rathnaweera
>>>>>> Software Engineer, WSO2 Inc.
>>>>>> Mobile: +94 771 197 211
>>>>>
>>>>> --
>>>>> Bhathiya Jayasekara
>>>>
>>>> --
>>>> Omindu Rathnaweera
>
> --
> Bhathiya Jayasekara
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
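Added example (not code from the thread, from WSO2 IS or from API Manager): the thread's failure mode is that with the tenant domain left out of the subject, the assertion consumer receives a bare NameID of admin and silently treats it as the super-tenant admin. The check below is one way an assertion consumer can refuse that mapping instead of defaulting: it parses a constructed response shaped like the one posted above, reads the NameID and Audience, and only accepts the subject when it is tenant-qualified and its tenant matches the tenant the login was started in. Assumptions not established by the thread: tenant-qualified subjects have the form user@tenantdomain with the tenant after the last @, carbon.super is the super-tenant domain name, and the SP name API_PUBLISHER and tenant b.com are placeholders. XML signature verification is assumed to have been done by the SAML library before the subject is examined and is not implemented here.

```python
"""Assertion-consumer-side tenant check for a SAML subject (added example, hypothetical).

Assumptions: tenant-qualified subjects look like user@tenantdomain; 'carbon.super'
is the super-tenant domain; API_PUBLISHER and b.com are placeholders; the response
signature has already been verified by the SAML library before this runs.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUPER_TENANT = "carbon.super"  # assumption: super-tenant domain name
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_response(name_id: str, audience: str = "API_PUBLISHER") -> str:
    """Constructed, unsigned response shaped like the one posted in the thread."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="{NS['saml2p']}" ID="_r1" Version="2.0"
    IssueInstant="2016-06-05T17:55:09.459Z">
  <saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="_a1" Version="2.0"
      IssueInstant="2016-06-05T17:55:09.459Z">
    <saml2:Issuer>localhost</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def extract_subject(response_xml: str) -> Tuple[str, str]:
    """Return (NameID, Audience) from the single assertion of a Success response."""
    root = ET.fromstring(response_xml)
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("SAML status is not Success")
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    name_id = assertions[0].find("saml2:Subject/saml2:NameID", NS)
    audience = assertions[0].find("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("missing NameID")
    if audience is None or not (audience.text or "").strip():
        raise ValueError("missing Audience")
    return name_id.text.strip(), audience.text.strip()


def split_tenant(subject: str) -> Tuple[str, Optional[str]]:
    """'admin@b.com' -> ('admin', 'b.com'); bare 'admin' -> ('admin', None).
    Assumes the tenant domain is everything after the last '@'."""
    if "@" in subject:
        user, tenant = subject.rsplit("@", 1)
        return user, tenant.lower()
    return subject, None


def resolve_login(response_xml: str, expected_audience: str, login_tenant: str,
                  bare_means_super: bool = False) -> Tuple[str, str]:
    """Map the assertion subject to (user, tenant) for the tenant the login started in."""
    subject, audience = extract_subject(response_xml)
    if audience != expected_audience:
        raise PermissionError(f"audience {audience!r} is not {expected_audience!r}")
    user, tenant = split_tenant(subject)
    if tenant is None:
        # The failure mode from the thread: a bare 'admin' would be taken for the
        # super-tenant admin. Only allow that when the login was started for the
        # super tenant and the deployment explicitly opts in.
        if bare_means_super and login_tenant.lower() == SUPER_TENANT:
            return user, SUPER_TENANT
        raise PermissionError("NameID is not tenant-qualified; refusing to assume super tenant")
    if tenant != login_tenant.lower():
        raise PermissionError(f"assertion tenant {tenant!r} does not match login tenant {login_tenant!r}")
    return user, tenant


if __name__ == "__main__":
    print(resolve_login(build_response("admin@b.com"), "API_PUBLISHER", "b.com"))
    try:
        resolve_login(build_response("admin"), "API_PUBLISHER", "b.com")
    except PermissionError as err:
        print("rejected:", err)
```

With the option discussed in the thread left off, the IdP sends the bare NameID and this consumer rejects the login rather than granting super-tenant admin; with it on, admin@b.com logging in to tenant b.com is accepted. The split on the last @ is an assumption of this example: where plain usernames themselves contain @, the tenant domain would need to be carried separately (for instance in an attribute) rather than inferred from the NameID.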
