After having an offline discussion with Johann, decided to go with a custom grant type approach by extending the SAML grant type impl.
*Ayyoob Hamza*
*Software Engineer*
WSO2 Inc.; http://wso2.com
email: ayy...@wso2.com cell: +94 77 1681010

On Tue, Jan 17, 2017 at 9:45 AM, Ayyoob Hamza <ayy...@wso2.com> wrote:
> Hi All,
>
> This is an update to provide more context to the problem.
>
> Currently in IoT Server we have device type APIs for each tenant that are exposed through API Manager. In order to access them we create an AM Application and then subscribe to the tenant's APIs. This works fine when we use the password grant type.
>
> Now when we tried to integrate with SSO, we log in to the service provider (configured for SSO with SaaS enabled) and it generates a SAML token that is signed with the super tenant's key store. Then we use this SAML token along with the tenant-specific app to generate an OAuth token. In this case it tries to verify the signature using the tenant's key store and it fails.
>
> After having an offline discussion with Farasath, figured that there could be two possible solutions:
> 1) Create an IDP with the super tenant's public cert for each tenant. The problem with this is that if we are to update the key store of the super tenant then we have to update the IDP of all the tenants.
>
> 2) Create a custom grant type that verifies using the super tenant's key store. The downside is having to maintain a separate grant type handler.
>
> Is it okay to create a custom grant type or is there any other solution for this?
>
> Thanks,
> Ayyoob
>
> *Ayyoob Hamza*
> *Software Engineer*
> WSO2 Inc.; http://wso2.com
> email: ayy...@wso2.com cell: +94 77 1681010
>
> On Sun, Jan 15, 2017 at 9:53 PM, Ayyoob Hamza <ayy...@wso2.com> wrote:
>>
>>> Is the service provider created in the super tenant and the rest of the tenants access it as a SaaS app?
>>>
>> Yes.
>>
>>> Also, what is the OAuth component version used in IoT Server?
>>>
>> 5.1.2
>>
>> Is there any solution other than writing a custom grant type for this, since the current grant type implementation looks up the IDP in the tenant space?
>>
>
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev