Hi, On Fri, Aug 19, 2016 at 9:47 AM, Darshana Gunawardana <[email protected]> wrote:
> > > On Thu, Aug 18, 2016 at 4:43 PM, Rushmin Fernando <[email protected]> > wrote: > >> >> In current App Manager the service providers of tenants are getting >> created in the super tenant space. >> >> We are in the process of creating the service providers in the relevant >> tenants. >> >> In the app manager gateway, we use SAML SSO to authenticate the users, >> and the aforementioned service providers are used. >> >> When it comes to validating the the SAML response signature, I can see >> that we can re-use >> *org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil::getX509CredentialImplForTenant()* >> >> As per the code, it uses the tenant key store to get the certificates. >> And we can get the certificate by using the tenant name as the alias >> >> @IS team, do you see any issues with re-using this code in our gateway ? >> > > Using this util makes gateway -which is a client side(sp) component- > depends on the SAML component -which is server side(idp) component- > > IMO, its not nice to have that dependency. Once example is, this > dependency will expose you a samlsso (idp) endpoint from the gateway. And > also gateway profile would need to have saml components and makes you to > have whole framework related dependencies as well. > > Thinking about client side (sp) components which already doing this there > are two components we have in wso2 platform. > 1. Carbon SAML authenticator : https://github.com/wso2- > extensions/identity-carbon-auth-saml2 > 2. AS SSO valve : https://github.com/wso2/carbon-deployment/blob/4.7.x/ > components/webapp-mgt/org.wso2.carbon.webapp.mgt/src/ > main/java/org/wso2/carbon/webapp/mgt/sso/SAMLSignatureValidatorImpl.java > > Better to use utls from those two components, if we have such methods. > Most suitable component for gateway is #2, since carbon authenticator don't > have usage in gateway. > > I guess it's even worthy initiate separate component to handle all these > saml utils, given that we have isolated components across the platform and > we have to fix huge number of components if we identified a core issue. > +1 with darshans idea. And later better to have some common set of libraries to handle this kind of scenarios. > > Thanks, > > >> @Amila, in a cloud story do we need to configure the key aliases for each >> tenant or can we live with the default alias (which is the tenant domain >> name) ? >> >> >> >> -- >> *Best Regards* >> >> *Rushmin Fernando* >> *Technical Lead* >> >> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware >> >> mobile : +94772891266 >> >> >> > > > -- > Regards, > > > *Darshana Gunawardana*Associate Technical Lead > WSO2 Inc.; http://wso2.com > > *E-mail: [email protected] <[email protected]>* > *Mobile: +94718566859 <%2B94718566859>*Lean . Enterprise . Middleware > -- Ishara Karunarathna Associate Technical Lead WSO2 Inc. - lean . enterprise . middleware | wso2.com email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
