On Fri, Aug 19, 2016 at 12:26 PM, Darshana Gunawardana <[email protected]> wrote:

> On Fri, Aug 19, 2016 at 10:25 AM, Johann Nallathamby <[email protected]> wrote:
>
>> This is what we have the SSO agent for.
>
> SSO Agent is not Carbon specific. Hence it does not read the tenant's key and validate the signature.
>
> SSO Agent has an interface to plug in Carbon use cases. The AS SSO valve reference shared above has that specific implementation. That implementation is invoked via the SSO agent.

+1. That should be the way to go here also.

> Thanks
>
>> @Rushmin, did you check the SSOAgent code? This was improved recently also and is used in AS 6.0. The goal of the implementation was to make it a library to be used everywhere in the platform. Can you please check on that? If there are any limitations we need to fix that library and try to use it everywhere we need it.
>>
>> Please check with Kernel team where to get this and use this.
>>
>> On Fri, Aug 19, 2016 at 9:56 AM, Ishara Karunarathna <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> On Fri, Aug 19, 2016 at 9:47 AM, Darshana Gunawardana <[email protected]> wrote:
>>>
>>>> On Thu, Aug 18, 2016 at 4:43 PM, Rushmin Fernando <[email protected]> wrote:
>>>>
>>>>> In the current App Manager the service providers of tenants are getting created in the super tenant space.
>>>>>
>>>>> We are in the process of creating the service providers in the relevant tenants.
>>>>>
>>>>> In the App Manager gateway, we use SAML SSO to authenticate the users, and the aforementioned service providers are used.
>>>>>
>>>>> When it comes to validating the SAML response signature, I can see that we can re-use
>>>>> *org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil::getX509CredentialImplForTenant()*
>>>>>
>>>>> As per the code, it uses the tenant key store to get the certificates. And we can get the certificate by using the tenant name as the alias.
>>>>>
>>>>> @IS team, do you see any issues with re-using this code in our gateway?
>>>>
>>>> Using this util makes the gateway (which is a client side (SP) component) depend on the SAML component (which is a server side (IdP) component).
>>>>
>>>> IMO, it's not nice to have that dependency. One example is, this dependency will expose a samlsso (IdP) endpoint from the gateway. And also the gateway profile would need to have SAML components, and that makes you have the whole framework related dependencies as well.
>>>>
>>>> Thinking about client side (SP) components which are already doing this, there are two components we have in the WSO2 platform.
>>>> 1. Carbon SAML authenticator : https://github.com/wso2-extensions/identity-carbon-auth-saml2
>>>> 2. AS SSO valve : https://github.com/wso2/carbon-deployment/blob/4.7.x/components/webapp-mgt/org.wso2.carbon.webapp.mgt/src/main/java/org/wso2/carbon/webapp/mgt/sso/SAMLSignatureValidatorImpl.java
>>>>
>>>> Better to use utils from those two components, if we have such methods. The most suitable component for the gateway is #2, since the Carbon authenticator doesn't have usage in the gateway.
>>>>
>>>> I guess it's even worth initiating a separate component to handle all these SAML utils, given that we have isolated components across the platform and we have to fix a huge number of components if we identify a core issue.
>>>
>>> +1 with Darshana's idea. And later it is better to have some common set of libraries to handle this kind of scenario.
>>>
>>>> Thanks,
>>>>
>>>>> @Amila, in a cloud story do we need to configure the key aliases for each tenant or can we live with the default alias (which is the tenant domain name)?
>>>>>
>>>>> --
>>>>> *Best Regards*
>>>>>
>>>>> *Rushmin Fernando*
>>>>> *Technical Lead*
>>>>>
>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>
>>>>> mobile : +94772891266
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> *Darshana Gunawardana* Associate Technical Lead
>>>> WSO2 Inc.; http://wso2.com
>>>>
>>>> *E-mail: [email protected] <[email protected]>*
>>>> *Mobile: +94718566859 <%2B94718566859>* Lean . Enterprise . Middleware
>>>
>>> --
>>> Ishara Karunarathna
>>> Associate Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>
>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+94777776950*
>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>
> --
> Regards,
>
> *Darshana Gunawardana* Associate Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: [email protected] <[email protected]>*
> *Mobile: +94718566859 <%2B94718566859>* Lean . Enterprise . Middleware

--
Thanks & Regards,

*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
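A sketch of the client-side (SP) validation step the thread is about, added here as an example and not code from the SSO agent, the AS SSO valve or any other WSO2 component: load the tenant keystore, take the certificate stored under the tenant-domain alias, and verify the SAML Response signature against that key only. It assumes a JKS keystore, a namespace-aware parsed DOM Document, and an ID attribute on the Response element; the class and method names are illustrative.

```java
// Added example, not part of the thread or of any WSO2 component.
// Assumes a JKS tenant keystore whose certificate alias equals the tenant domain.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class TenantSamlSignatureCheck {

    /** Loads the tenant's certificate from its keystore, using the tenant domain as the alias. */
    static X509Certificate tenantCertificate(String keystorePath, char[] storePass,
                                             String tenantDomain) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(tenantDomain);
        if (cert == null) throw new SecurityException("no certificate for alias " + tenantDomain);
        cert.checkValidity();  // reject expired or not-yet-valid tenant certificates
        return cert;
    }

    /** True only if the Response carries exactly one valid signature made with the tenant key. */
    static boolean isSignedByTenant(Document doc, X509Certificate tenantCert) throws Exception {
        Element response = doc.getDocumentElement();  // the samlp:Response element
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) return false;  // unsigned or ambiguous: do not trust
        // The verification key comes from the tenant keystore, never from <KeyInfo> in the message.
        DOMValidateContext ctx = new DOMValidateContext(tenantCert.getPublicKey(), sigs.item(0));
        ctx.setIdAttributeNS(response, null, "ID");  // lets the "#ID" Reference URI resolve
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) return false;  // digest or signature value mismatch
        // The single Reference must cover the Response element itself, not some other subtree.
        java.util.List<?> refs = sig.getSignedInfo().getReferences();
        return refs.size() == 1
            && ("#" + response.getAttribute("ID")).equals(((Reference) refs.get(0)).getURI());
    }
}
```

Parse the Response with a namespace-aware DocumentBuilderFactory that has DOCTYPE declarations disabled before handing it to isSignedByTenant; the cert lookup failing for an unknown alias is the case the "default alias is the tenant domain" question in the thread hinges on.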
