On Tue, Feb 28, 2017 at 4:27 AM, Hasintha Indrajee <[email protected]> wrote:
> On Tue, Feb 28, 2017 at 2:52 PM, Dulanja Liyanage <[email protected]>
> wrote:
>
>> Originally we identified the tenant domain only after user
>> authentication. Then only tenant specific SP configs could be retrieved.
>> That's why validation was done only after authentication.
>>
>
> Aren't we getting SP tenant domain with the issuer (appended after an "@"
> sign)? Or at least as a query parameter?
>

We don't need to append tenant domain to issuer anymore. Earlier we had it
because some SPs can't send query parameters. Now since we get the tenant
domain from the URL and it is not considered in the code (due to new
multi-tenancy model) we don't need it.

> Do we do any request validation based on authenticated user's tenant
> domain?
>

For IS 6.0.0 M4 we haven't considered anything like that. That will come
only when we cater SaaS use cases with federation. At that point we may
have to extend the authorization handler and implement additional logic
related to federation.

>> On Tue, Feb 28, 2017 at 2:49 PM, Thanuja Jayasinghe <[email protected]>
>> wrote:
>>
>>> Hi Farasath,
>>>
>>> On Tue, Feb 28, 2017 at 2:39 PM, Farasath Ahamed <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Noticed $subject happening when we configure SAML SSO with SAML Request
>>>> Validation enabled.
>>>>
>>>> This means that even for an invalid SAML Request (with an invalid
>>>> signature) the user will go through the authentication steps configured for
>>>> that Service Provider (identified by the issuer value in the request) and
>>>> the SAML Request validation only happens after we get the response from the
>>>> authentication framework.
>>>>
>>>> Is this the expected behaviour?
>>>>
>>>> Yes.
>>>
>>> We only validate issuer name of the SAML service provider in the
>>> authentication request before the authentication.
>>>
>>> Since we store SAML related configurations in the registry, we have
>>> implemented it in this way to improve performance for the valid
>>> authentication requests.
>>>
>>> But ideally, we should validate authentication request before moving to
>>> authentication.
>>>
>>>
>>>>
>>>> Thanks,
>>>> Farasath Ahamed
>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>
>>> Thanks,
>>> Thanuja
>>> --
>>> Thanuja Lakmal
>>> Senior Software Engineer
>>> WSO2 Inc. http://wso2.com/
>>> lean.enterprise.middleware
>>> Mobile: +94715979891 +94758009992
>>
>> --
>> Thanks & Regards,
>> Dulanja Liyanage
>> Lead, Platform Security Team
>> WSO2 Inc.
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453

--
Thanks & Regards,
Johann Dilantha Nallathamby
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - +94777776950
Blog - http://nallaa.wordpress.com
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
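The ordering Farasath and Thanuja discuss above, as an added example that is not WSO2 Identity Server code and was not posted by anyone on this thread: a SAML HTTP-Redirect binding endpoint in Go that decodes the AuthnRequest, looks up the issuer, verifies the request signature against the SP's registered key, and only then hands out the SP's authentication steps, so an invalidly signed request never reaches the authentication framework. It goes slightly beyond the thread by also pinning SigAlg and covering RelayState in the signed string. Everything in it is assumed or constructed: the in-memory serviceProvider registry standing in for the tenant's registry entries, the sampleAuthnRequest document, the step names "basic" and "totp", and the use of url.QueryEscape on both sides to build the signed octet string.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/url"
)

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
var errUnknownIssuer, errBadSignature = errors.New("unknown issuer"), errors.New("invalid SAML request signature")

type serviceProvider struct { // hypothetical registry entry: the SP's request-signing key and its auth steps
	Key   *rsa.PublicKey
	Steps []string
}
type authnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	Issuer  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// sampleAuthnRequest is a constructed AuthnRequest for the hypothetical SP https://sp.example.test/saml.
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"` +
	` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" IssueInstant="2017-02-28T09:09:00Z">` +
	`<saml:Issuer>https://sp.example.test/saml</saml:Issuer></samlp:AuthnRequest>`

// signingInput is the octet string the HTTP-Redirect binding signs: SAMLRequest=..[&RelayState=..]&SigAlg=..
// Both sides here use url.QueryEscape; a real IdP must verify over the raw query bytes as received (encoders differ).
func signingInput(samlRequest, relayState, sigAlg string) []byte {
	s := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return []byte(s + "&SigAlg=" + url.QueryEscape(sigAlg))
}

// buildRedirectQuery is the SP side: DEFLATE + base64 the request, then sign the query (RSA-SHA256, PKCS#1 v1.5).
func buildRedirectQuery(key *rsa.PrivateKey, xmlReq, relayState string) (url.Values, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(xmlReq))
	w.Close()
	enc := base64.StdEncoding.EncodeToString(buf.Bytes())
	digest := sha256.Sum256(signingInput(enc, relayState, sigAlgRSASHA256))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return url.Values{"SAMLRequest": {enc}, "RelayState": {relayState},
		"SigAlg": {sigAlgRSASHA256}, "Signature": {base64.StdEncoding.EncodeToString(sig)}}, nil
}

// verifyRedirectSignature checks the query signature against the SP's registered key, pinning the algorithm.
func verifyRedirectSignature(pub *rsa.PublicKey, q url.Values) error {
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	digest := sha256.Sum256(signingInput(q.Get("SAMLRequest"), q.Get("RelayState"), q.Get("SigAlg")))
	if q.Get("SigAlg") != sigAlgRSASHA256 || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errBadSignature
	}
	return nil
}

// handleRedirect is the IdP side. The SP's authentication steps are handed out only after the issuer
// lookup (the one pre-auth check the thread describes) AND the signature check pass.
func handleRedirect(registry map[string]*serviceProvider, q url.Values) ([]string, error) {
	raw, err := base64.StdEncoding.DecodeString(q.Get("SAMLRequest"))
	if err != nil {
		return nil, err
	}
	xmlBytes, err := io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(raw)), 1<<20)) // cap inflated size
	var req authnRequest
	if err != nil || xml.Unmarshal(xmlBytes, &req) != nil || req.Issuer == "" {
		return nil, errors.New("malformed SAMLRequest")
	}
	sp, ok := registry[req.Issuer]
	if !ok {
		return nil, errUnknownIssuer
	}
	if err := verifyRedirectSignature(sp.Key, q); err != nil {
		return nil, err // rejected before any authentication step runs
	}
	return sp.Steps, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	registry := map[string]*serviceProvider{"https://sp.example.test/saml": {&key.PublicKey, []string{"basic", "totp"}}}
	q, _ := buildRedirectQuery(key, sampleAuthnRequest, "/app")
	fmt.Println(handleRedirect(registry, q)) // [basic totp] <nil>
	q.Set("RelayState", "/elsewhere")        // tamper: the signature no longer covers the query
	fmt.Println(handleRedirect(registry, q)) // [] invalid SAML request signature
}
```

Run it with go run; the second line shows a tampered request being refused with no steps returned. The registry lookup is the point at which a tenant-scoped SP configuration would be resolved, so the signature check needs nothing that is only known after the user authenticates. Two caveats for a real deployment: verify over the query string exactly as received rather than re-encoding it, and keep the algorithm pinned to what the SP registered instead of honouring whatever SigAlg the request names.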
