Hi Harsha,

On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna <[email protected]> wrote:

> Hi Bathiya,
>
> Yes, from 5.2.0 onwards, we have disabled it. You are correct.
>
> The reason was, if we enable it by default, then for the super tenant
> users, there will be carbon.super within the user name as a subject. That
> is a very unexpected case and then we have to disable it manually. Your case
> comes with the multi-tenant story.
> Most of the time, we are working in super tenant mode, so we decided to
> disable it by default. In multi-tenant mode, we have to enable it per
> tenant.
>

So how am I supposed to configure when I have just 1 SP for all tenants
with "SaaS App" enabled?

Thanks,
Bhathiya


>
> Problem is, we have to document this clearly.
>
>
>
> *Harsha Thirimanna*
> Associate Tech Lead; WSO2, Inc.; http://wso2.com
> * <http://www.apache.org/>*
> *email: **[email protected]* <[email protected]>* cell: +94 71 5186770 *
> *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>*
> *harshathirimannlinked-in: **http:
> <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
> <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>*
>
> *Lean . Enterprise . Middleware*
>
>
> On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara <[email protected]>
> wrote:
>
>> Hi Harsha/Omindu,
>>
>> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.
>>
>> Thanks,
>> Bhathiya
>>
>>
>>
>> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna <[email protected]>
>> wrote:
>>
>>> Bhathiya,
>>> What is your IS version ? We are talking about last released version.
>>>
>>>
>>> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna <[email protected]>
>>> wrote:
>>>
>>>> Hi Bathiya,
>>>> This option is enabled by default in a fresh pack. So unless someone
>>>> un-ticks this option manually for some reason, this would work as
>>>> expected for the customers who migrate to APIM 2.0.
>>>> In your case, how was this option disabled? Did you disable it in the UI?
>>>>
>>>>
>>>>
>>>> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Bathiya,
>>>>>
>>>>> This is the expected behavior. With IS 5.1.0, we have given the
>>>>> capability to separately specify whether to include the tenant domain
>>>>> and/or the user store domain in the subject. This setting is now under
>>>>> the 'Local & Outbound Authentication Configuration' section. In earlier
>>>>> IS versions this was under SAML SSO configurations [1] (Use fully
>>>>> qualified username in the NameID). Better to mention this in the docs.
>>>>>
>>>>> So without enabling these options, the SAML response subject will not
>>>>> have the tenant domain included. And since there's no tenant domain
>>>>> included, the assertion consumer service must be interpreting the user as
>>>>> someone who belongs to the super tenant domain.
>>>>>
>>>>> Regarding the UseAuthenticatedUserDomainCrypto property, do you still
>>>>> get the signature verification failure when it is set to 'true'?
>>>>>
>>>>> [1] -
>>>>> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2
>>>>>
>>>>> Regards,
>>>>> Omindu.
>>>>>
>>>>> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara <[email protected]
>>>>> > wrote:
>>>>>
>>>>>> Hi Omindu,
>>>>>>
>>>>>> Thanks. That worked. Could you please explain this new behavior? Is
>>>>>> this an intentional change? Or a workaround for an issue? I'm asking this
>>>>>> because this is going to affect existing customers, as all of them have to
>>>>>> make this change in their setups to get SSO working after upgrading to
>>>>>> APIM 2.0.0.
>>>>>>
>>>>>> Thanks,
>>>>>> Bhathiya
>>>>>>
>>>>>> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Bathiya,
>>>>>>>
>>>>>>> Can you try changing the following config in IS SP and see whether
>>>>>>> you are still getting logged as the super tenant.
>>>>>>>
>>>>>>> Edit the API_Manager SP. Under 'Local & Outbound Authentication
>>>>>>> Configuration', select the 'Use tenant domain in local subject
>>>>>>> identifier' option and save the changes.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Omindu.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi IS team,
>>>>>>>>
>>>>>>>> I configured SSO as per this doc [1]. I enabled SaaS Application in
>>>>>>>> store and publisher SPs. But when I try to login as [email protected],
>>>>>>>> it fails with "SAML response signature is verification failed.". But if I
>>>>>>>> remove the
>>>>>>>> <UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>
>>>>>>>> config from identity.xml and do the same, I'm logged in as
>>>>>>>> [email protected] (not as [email protected]). This means [email protected]
>>>>>>>> can login as [email protected] even without knowing
>>>>>>>> [email protected]'s credentials.
>>>>>>>>
>>>>>>>> The SAML response I get is [2]. Looks like it's for
>>>>>>>> [email protected], which explains the above 2 behaviors.
>>>>>>>>
>>>>>>>> Is this a bug or am I missing some new configuration? Appreciate a
>>>>>>>> quick response as this is a Blocker for APIM 2 Beta release.
>>>>>>>>
>>>>>>>>
>>>>>>>> [1]
>>>>>>>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>>>>>>>>
>>>>>>>> [2] <?xml version="1.0" encoding="UTF-8"?>
>>>>>>>> <saml2p:Response Destination="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"
>>>>>>>>     ID="_386d73f9fe16add6d6a231cb46511661"
>>>>>>>>     InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
>>>>>>>>     IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
>>>>>>>>     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>>>>>>>>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>>>>>>>>         xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
>>>>>>>>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>>>>         <ds:SignedInfo>
>>>>>>>>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>>>             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>>>>>>             <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661">
>>>>>>>>                 <ds:Transforms>
>>>>>>>>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>>>>>>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>>>                 </ds:Transforms>
>>>>>>>>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>>>>>>                 <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue>
>>>>>>>>             </ds:Reference>
>>>>>>>>         </ds:SignedInfo>
>>>>>>>>         <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue>
>>>>>>>>         <ds:KeyInfo>
>>>>>>>>             <ds:X509Data>
>>>>>>>>                 <ds:X509Certificate>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</ds:X509Certificate>
>>>>>>>>             </ds:X509Data>
>>>>>>>>         </ds:KeyInfo>
>>>>>>>>     </ds:Signature>
>>>>>>>>     <saml2p:Status>
>>>>>>>>         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>>>>>>>     </saml2p:Status>
>>>>>>>>     <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda"
>>>>>>>>         IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
>>>>>>>>         xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>>>>>>>>         <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
>>>>>>>>         <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>>>>             <ds:SignedInfo>
>>>>>>>>                 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>>>                 <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>>>>>>                 <ds:Reference URI="#_850365901d14fa3da9b47a0eef2decda">
>>>>>>>>                     <ds:Transforms>
>>>>>>>>                         <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>>>>>>                         <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>>>                     </ds:Transforms>
>>>>>>>>                     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>>>>>>                     <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue>
>>>>>>>>                 </ds:Reference>
>>>>>>>>             </ds:SignedInfo>
>>>>>>>>             <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue>
>>>>>>>>             <ds:KeyInfo>
>>>>>>>>                 <ds:X509Data>
>>>>>>>>                     <ds:X509Certificate>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</ds:X509Certificate>
>>>>>>>>                 </ds:X509Data>
>>>>>>>>             </ds:KeyInfo>
>>>>>>>>         </ds:Signature>
>>>>>>>>         <saml2:Subject>
>>>>>>>>             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
>>>>>>>>             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>>>>>>                 <saml2:SubjectConfirmationData
>>>>>>>>                     InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
>>>>>>>>                     NotOnOrAfter="2016-06-05T18:00:09.459Z"
>>>>>>>>                     Recipient="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag" />
>>>>>>>>             </saml2:SubjectConfirmation>
>>>>>>>>         </saml2:Subject>
>>>>>>>>         <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z"
>>>>>>>>             NotOnOrAfter="2016-06-05T18:00:09.459Z">
>>>>>>>>             <saml2:AudienceRestriction>
>>>>>>>>                 <saml2:Audience>API_PUBLISHER</saml2:Audience>
>>>>>>>>             </saml2:AudienceRestriction>
>>>>>>>>         </saml2:Conditions>
>>>>>>>>         <saml2:AuthnStatement AuthnInstant="2016-06-05T17:55:09.459Z"
>>>>>>>>             SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a">
>>>>>>>>             <saml2:AuthnContext>
>>>>>>>>                 <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>>>>>>>             </saml2:AuthnContext>
>>>>>>>>         </saml2:AuthnStatement>
>>>>>>>>     </saml2:Assertion>
>>>>>>>> </saml2p:Response>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Bhathiya Jayasekara*
>>>>>>>> *Senior Software Engineer,*
>>>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>*
>>>>>>>>
>>>>>>>> *Phone: +94715478185 <%2B94715478185>*
>>>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj
>>>>>>>> <http://www.linkedin.com/in/bhathiyaj>*
>>>>>>>> *Twitter: https://twitter.com/bhathiyax
>>>>>>>> <https://twitter.com/bhathiyax>*
>>>>>>>> *Blog: http://movingaheadblog.blogspot.com
>>>>>>>> <http://movingaheadblog.blogspot.com/>*
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Dev mailing list
>>>>>>>> [email protected]
>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Omindu Rathnaweera
>>>>>>> Software Engineer, WSO2 Inc.
>>>>>>> Mobile: +94 771 197 211
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
>


-- 
*Bhathiya Jayasekara*
*Senior Software Engineer,*
*WSO2 inc., http://wso2.com <http://wso2.com>*

*Phone: +94715478185 <%2B94715478185>*
*LinkedIn: http://www.linkedin.com/in/bhathiyaj
<http://www.linkedin.com/in/bhathiyaj>*
*Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>*
*Blog: http://movingaheadblog.blogspot.com
<http://movingaheadblog.blogspot.com/>*
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev