On Thu, Aug 18, 2016 at 4:43 PM, Rushmin Fernando <rush...@wso2.com> wrote:
> In current App Manager the service providers of tenants are getting
> created in the super tenant space.
>
> We are in the process of creating the service providers in the relevant
> tenants.
>
> In the app manager gateway, we use SAML SSO to authenticate the users, and
> the aforementioned service providers are used.
>
> When it comes to validating the SAML response signature, I can see
> that we can re-use
> org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil::getX509CredentialImplForTenant()
>
> As per the code, it uses the tenant key store to get the certificates. And
> we can get the certificate by using the tenant name as the alias.
>
> @IS team, do you see any issues with re-using this code in our gateway?
>

Using this util makes the gateway (which is a client side (SP) component) depend on the SAML component (which is a server side (IdP) component). IMO, it's not nice to have that dependency. One example is, this dependency will expose a samlsso (IdP) endpoint from the gateway. And also the gateway profile would need to have the SAML components, and makes you have all the framework-related dependencies as well.

Thinking about client side (SP) components which are already doing this, there are two components we have in the WSO2 platform.

1. Carbon SAML authenticator : https://github.com/wso2-extensions/identity-carbon-auth-saml2
2. AS SSO valve : https://github.com/wso2/carbon-deployment/blob/4.7.x/components/webapp-mgt/org.wso2.carbon.webapp.mgt/src/main/java/org/wso2/carbon/webapp/mgt/sso/SAMLSignatureValidatorImpl.java

Better to use utils from those two components, if we have such methods. The most suitable component for the gateway is #2, since the carbon authenticator doesn't have usage in the gateway.

I guess it's even worth initiating a separate component to handle all these SAML utils, given that we have isolated components across the platform and we have to fix a huge number of components if we identify a core issue.

Thanks,

> @Amila, in a cloud story do we need to configure the key aliases for each
> tenant or can we live with the default alias (which is the tenant domain
> name)?
>
> --
> Best Regards
>
> Rushmin Fernando
> Technical Lead
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> mobile : +94772891266
>

--
Regards,

Darshana Gunawardana
Associate Technical Lead
WSO2 Inc.; http://wso2.com
E-mail: darsh...@wso2.com <darsh...@wso2.com>
Mobile: +94718566859
Lean . Enterprise . Middleware
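The pattern under discussion (an SP-side component resolving the tenant's signing certificate from the tenant keystore, with the tenant domain as the alias, and then validating the SAML response signature against that certificate) can be done without pulling in the IdP-side SAML component at all, using only the JDK's XML-DSig API. The class below is an added illustration and is not code from the thread, from WSO2 App Manager or from either linked component; the keystore path, password and the use of the tenant domain as alias are assumptions taken from the thread, and the CLI usage in `main` is hypothetical. Two checks are included that a gateway should not skip: the verification key is pinned to the keystore certificate (the `KeyInfo` embedded in the message is ignored), and the signature must reference the `Response` element's own `ID`, so a signature over some other element is not accepted.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class TenantSamlSignatureCheck {

    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** Resolve the tenant's certificate; the alias is assumed to be the tenant domain, as in the thread. */
    static X509Certificate tenantCertificate(KeyStore tenantKeyStore, String tenantDomain) throws Exception {
        Certificate cert = tenantKeyStore.getCertificate(tenantDomain);
        if (!(cert instanceof X509Certificate)) {
            // Fail closed: a missing alias must not silently fall back to another tenant's key.
            throw new IllegalStateException("no X.509 certificate under alias '" + tenantDomain + "'");
        }
        X509Certificate x509 = (X509Certificate) cert;
        x509.checkValidity(); // reject expired or not-yet-valid certificates
        return x509;
    }

    /** Validate the enveloped signature on a samlp:Response using only the pinned tenant certificate. */
    static boolean verifyResponseSignature(Document doc, X509Certificate cert) throws Exception {
        Element response = doc.getDocumentElement();
        if (!SAMLP_NS.equals(response.getNamespaceURI()) || !"Response".equals(response.getLocalName())) {
            return false;
        }
        // Only a ds:Signature that is a direct child of the Response is considered.
        Element signature = null;
        NodeList children = response.getChildNodes();
        for (int i = 0; i < children.getLength() && signature == null; i++) {
            if (children.item(i) instanceof Element) {
                Element e = (Element) children.item(i);
                if (XMLSignature.XMLNS.equals(e.getNamespaceURI()) && "Signature".equals(e.getLocalName())) {
                    signature = e;
                }
            }
        }
        if (signature == null) {
            return false;
        }
        // The KeySelector always answers with the pinned key; KeyInfo in the message is never trusted.
        PublicKey pinned = cert.getPublicKey();
        KeySelector selector = new KeySelector() {
            @Override
            public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                            AlgorithmMethod method, XMLCryptoContext context) {
                return () -> pinned;
            }
        };
        DOMValidateContext ctx = new DOMValidateContext(selector, signature);
        ctx.setIdAttributeNS(response, null, "ID");           // let "#<ID>" references resolve
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // JDK rejects weak algorithms

        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) {
            return false;
        }
        // The signature must cover the Response element itself.
        String expectedUri = "#" + response.getAttribute("ID");
        for (Object ref : sig.getSignedInfo().getReferences()) {
            if (expectedUri.equals(((Reference) ref).getURI())) {
                return true;
            }
        }
        return false;
    }

    /** Hypothetical CLI: java TenantSamlSignatureCheck <tenant.jks> <password> <tenantDomain> <response.xml> */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate cert = tenantCertificate(ks, args[2]);

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / XXE
        Document doc;
        try (FileInputStream in = new FileInputStream(args[3])) {
            doc = dbf.newDocumentBuilder().parse(in);
        }
        System.out.println(verifyResponseSignature(doc, cert) ? "signature valid" : "signature INVALID");
    }
}
```

Because the key comes from the SP's own keystore rather than from the message, this stays a purely client-side (SP) dependency, which is the separation argued for above; whether the alias is the tenant domain or a configured per-tenant alias is just the lookup string passed to `tenantCertificate`.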
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev