Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-07 Thread Bhathiya Jayasekara
Any response on this?

On Mon, Jun 6, 2016 at 2:22 PM, Bhathiya Jayasekara 
wrote:

> Hi all,
>
> Do we still need to do this step even with IS 5.2.0? I tested this with
> 10 and it worked fine.
>
> Reduce the priority of the SAML2SSOAuthenticator configuration in the
> /repository/conf/security/authenticators.xml file.
>
> You do this as a workaround for a known issue that will be fixed in a
> future release. The SAML2SSOAuthenticator handler does not process only
> SAML authentication requests at the moment. If you set its priority higher
> than that of the BasicAuthenticator handler, the SAML2SSOAuthenticator tries
> to process the basic authentication requests as well. This causes login
> issues in the API Publisher/Store.
>
> 0
>
> [1]
> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>
> Thanks,
> Bhathiya
>
>
>
>
> On Mon, Jun 6, 2016 at 12:56 PM, Bhathiya Jayasekara 
> wrote:
>
>> Thanks Harsha.
>>
>> @Tania: We need to update the doc with this new config change.
>>
>> Thanks,
>> Bhathiya
>>
>> On Mon, Jun 6, 2016 at 12:47 PM, Harsha Thirimanna 
>> wrote:
>>
>>> Hi Bhathiya,
>>> Yes, this will work as expected when you enable this option in the
>>> SaaS-enabled SP.
>>>
>>>
>>> *Harsha Thirimanna*
>>> Associate Tech Lead; WSO2, Inc.; http://wso2.com
>>> email: hars...@wso2.com  cell: +94 71 5186770
>>> twitter: http://twitter.com/harshathirimann
>>> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>>>
>>> *Lean . Enterprise . Middleware*
>>>
>>>
>>> On Mon, Jun 6, 2016 at 11:52 AM, Bhathiya Jayasekara 
>>> wrote:
>>>
 Hi Harsha,

 On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna 
 wrote:

> Hi Bathiya,
>
> Yes, 5.2.0 onwards, we have disabled it. You are correct.
>
> The reason was, if we enable it by default, then for the super tenant
> users, there will be carbon.super within the user name as a subject. That
> is a very unexpected case and then we have to disable it manually. Your case
> comes with the multi-tenant story.
> Most of the time, we are working in super tenant mode, so we decided
> to disable it by default. In multi-tenant mode, we have to enable it per
> tenant.
>

 So how am I supposed to configure when I have just 1 SP for all tenants
 with "SaaS App" enabled?

 Thanks,
 Bhathiya


>
> Problem is, we have to document this clearly.
>
> On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara <
> bhath...@wso2.com> wrote:
>
>> Hi Harsha/Omindu,
>>
>> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by
>> default.
>>
>> Thanks,
>> Bhathiya
>>
>>
>>
>> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna 
>> wrote:
>>
>>> Bhathiya,
>>> What is your IS version? We are talking about the last released
>>> version.
>>>
>>>
>>> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna 
>>> wrote:
>>>
 Hi Bathiya,
 This option is enabled by default in a fresh pack. So unless someone
 un-ticks this option manually for some reason, this would work as
 expected for the customers who migrate to APM 2.0.
 In your case, how was this option disabled? Did you disable it in the UI?

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Bhathiya Jayasekara
Hi all,

Do we still need to do this step even with IS 5.2.0? I tested this with
10 and it worked fine.

Reduce the priority of the SAML2SSOAuthenticator configuration in the
/repository/conf/security/authenticators.xml file.

You do this as a workaround for a known issue that will be fixed in a
future release. The SAML2SSOAuthenticator handler does not process only
SAML authentication requests at the moment. If you set its priority higher
than that of the BasicAuthenticator handler, the SAML2SSOAuthenticator tries
to process the basic authentication requests as well. This causes login
issues in the API Publisher/Store.

0


[1]
https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2

Thanks,
Bhathiya




On Mon, Jun 6, 2016 at 12:56 PM, Bhathiya Jayasekara 
wrote:

> Thanks Harsha.
>
> @Tania: We need to update the doc with this new config change.
>
> Thanks,
> Bhathiya
>
> On Mon, Jun 6, 2016 at 12:47 PM, Harsha Thirimanna 
> wrote:
>
>> Hi Bhathiya,
>> Yes, this will work as expected when you enable this option in the
>> SaaS-enabled SP.
>>
>>
>> On Mon, Jun 6, 2016 at 11:52 AM, Bhathiya Jayasekara 
>> wrote:
>>
>>> Hi Harsha,
>>>
>>> On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna 
>>> wrote:
>>>
 Hi Bathiya,

 Yes, 5.2.0 onwards, we have disabled it. You are correct.

 The reason was, if we enable it by default, then for the super tenant
 users, there will be carbon.super within the user name as a subject. That
 is a very unexpected case and then we have to disable it manually. Your case
 comes with the multi-tenant story.
 Most of the time, we are working in super tenant mode, so we decided to
 disable it by default. In multi-tenant mode, we have to enable it per
 tenant.

>>>
>>> So how am I supposed to configure when I have just 1 SP for all tenants
>>> with "SaaS App" enabled?
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>>

 Problem is, we have to document this clearly.


 On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara  wrote:

> Hi Harsha/Omindu,
>
> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.
>
> Thanks,
> Bhathiya
>
>
>
> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna 
> wrote:
>
>> Bhathiya,
>> What is your IS version? We are talking about the last released version.
>>
>>
>> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna 
>> wrote:
>>
>>> Hi Bathiya,
>>> This option is enabled by default in a fresh pack. So unless someone
>>> un-ticks this option manually for some reason, this would work as
>>> expected for the customers who migrate to APM 2.0.
>>> In your case, how was this option disabled? Did you disable it in the UI?
>>>

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Tania Mahanama
On Mon, Jun 6, 2016 at 12:56 PM, Bhathiya Jayasekara 
wrote:

> Thanks Harsha.
>
> @Tania: We need to update the doc with this new config change.
>

Noted.


>
> Thanks,
> Bhathiya
>
> On Mon, Jun 6, 2016 at 12:47 PM, Harsha Thirimanna 
> wrote:
>
>> Hi Bhathiya,
>> Yes, this will work as expected when you enable this option in the
>> SaaS-enabled SP.
>>
>>
>> On Mon, Jun 6, 2016 at 11:52 AM, Bhathiya Jayasekara 
>> wrote:
>>
>>> Hi Harsha,
>>>
>>> On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna 
>>> wrote:
>>>
 Hi Bathiya,

 Yes, 5.2.0 onwards, we have disabled it. You are correct.

 The reason was, if we enable it by default, then for the super tenant
 users, there will be carbon.super within the user name as a subject. That
 is a very unexpected case and then we have to disable it manually. Your case
 comes with the multi-tenant story.
 Most of the time, we are working in super tenant mode, so we decided to
 disable it by default. In multi-tenant mode, we have to enable it per
 tenant.

>>>
>>> So how am I supposed to configure when I have just 1 SP for all tenants
>>> with "SaaS App" enabled?
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>>

 Problem is, we have to document this clearly.


 On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara  wrote:

> Hi Harsha/Omindu,
>
> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.
>
> Thanks,
> Bhathiya
>
>
>
> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna 
> wrote:
>
>> Bhathiya,
>> What is your IS version? We are talking about the last released version.
>>
>>
>> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna 
>> wrote:
>>
>>> Hi Bathiya,
>>> This option is enabled by default in a fresh pack. So unless someone
>>> un-ticks this option manually for some reason, this would work as
>>> expected for the customers who migrate to APM 2.0.
>>> In your case, how was this option disabled? Did you disable it in the UI?
>>>
>>>
>>> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera 
>>> wrote:
>>>
 Hi Bathiya,

 This is the expected behavior. With IS 5.1.0, we have given the
 capability to separately specify whether to include the tenant domain
 and/or the user store domain in the subject. This setting is now under the
 'Local & Outbound Authentication Configuration' section. In earlier IS
 versions this was under SAML SSO configurations [1] (Use fully qualified
 username in the NameID). Better to mention this in the docs.

 So without enabling these options, 

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Bhathiya Jayasekara
Thanks Harsha.

@Tania: We need to update the doc with this new config change.

Thanks,
Bhathiya

On Mon, Jun 6, 2016 at 12:47 PM, Harsha Thirimanna  wrote:

> Hi Bhathiya,
> Yes, this will work as expected when you enable this option in the
> SaaS-enabled SP.
>
>
> On Mon, Jun 6, 2016 at 11:52 AM, Bhathiya Jayasekara 
> wrote:
>
>> Hi Harsha,
>>
>> On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna 
>> wrote:
>>
>>> Hi Bathiya,
>>>
>>> Yes, 5.2.0 onwards, we have disabled it. You are correct.
>>>
>>> The reason was, if we enable it by default, then for the super tenant
>>> users, there will be carbon.super within the user name as a subject. That
>>> is a very unexpected case and then we have to disable it manually. Your case
>>> comes with the multi-tenant story.
>>> Most of the time, we are working in super tenant mode, so we decided to
>>> disable it by default. In multi-tenant mode, we have to enable it per
>>> tenant.
>>>
>>
>> So how am I supposed to configure when I have just 1 SP for all tenants
>> with "SaaS App" enabled?
>>
>> Thanks,
>> Bhathiya
>>
>>
>>>
>>> Problem is, we have to document this clearly.
>>>
>>>
>>> On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara 
>>> wrote:
>>>
 Hi Harsha/Omindu,

 I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.

 Thanks,
 Bhathiya



 On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna 
 wrote:

> Bhathiya,
> What is your IS version? We are talking about the last released version.
>
>
> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna 
> wrote:
>
>> Hi Bathiya,
>> This option is enabled by default in a fresh pack. So unless someone
>> un-ticks this option manually for some reason, this would work as
>> expected for the customers who migrate to APM 2.0.
>> In your case, how was this option disabled? Did you disable it in the UI?
>>
>>
>> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera 
>> wrote:
>>
>>> Hi Bathiya,
>>>
>>> This is the expected behavior. With IS 5.1.0, we have given the
>>> capability to separately specify whether to include the tenant domain
>>> and/or the user store domain in the subject. This setting is now under the
>>> 'Local & Outbound Authentication Configuration' section. In earlier
>>> IS versions this was under SAML SSO configurations [1] (Use fully
>>> qualified username in the NameID). Better to mention this in the docs.
>>>
>>> So without enabling these options, the SAML response subject will
>>> not have the tenant domain included. And since there's no tenant domain
>>> included, the assertion consumer service must be interpreting the user
>>> as someone who belongs to the super 

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Harsha Thirimanna
Hi Bhathiya,
Yes, this will work as expected when you enable this option in the
SaaS-enabled SP.



On Mon, Jun 6, 2016 at 11:52 AM, Bhathiya Jayasekara 
wrote:

> Hi Harsha,
>
> On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna 
> wrote:
>
>> Hi Bathiya,
>>
>> Yes, 5.2.0 onwards, we have disabled it. You are correct.
>>
>> The reason was, if we enable it by default, then for the super tenant
>> users, there will be carbon.super within the user name as a subject. That
>> is a very unexpected case and then we have to disable it manually. Your case
>> comes with the multi-tenant story.
>> Most of the time, we are working in super tenant mode, so we decided to
>> disable it by default. In multi-tenant mode, we have to enable it per
>> tenant.
>>
>
> So how am I supposed to configure when I have just 1 SP for all tenants
> with "SaaS App" enabled?
>
> Thanks,
> Bhathiya
>
>
>>
>> Problem is, we have to document this clearly.
>>
>>
>> On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara 
>> wrote:
>>
>>> Hi Harsha/Omindu,
>>>
>>> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>>
>>>
>>> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna 
>>> wrote:
>>>
 Bhathiya,
 What is your IS version? We are talking about the last released version.


 On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna 
 wrote:

> Hi Bathiya,
> This option is enabled by default in a fresh pack. So unless someone
> un-ticks this option manually for some reason, this would work as
> expected for the customers who migrate to APM 2.0.
> In your case, how was this option disabled? Did you disable it in the UI?
>
>
> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera 
> wrote:
>
>> Hi Bathiya,
>>
>> This is the expected behavior. With IS 5.1.0, we have given the
>> capability to separately specify whether to include the tenant domain
>> and/or the user store domain in the subject. This setting is now under the
>> 'Local & Outbound Authentication Configuration' section. In earlier
>> IS versions this was under SAML SSO configurations [1] (Use fully
>> qualified username in the NameID). Better to mention this in the docs.
>>
>> So without enabling these options, the SAML response subject will not
>> have the tenant domain included. And since there's no tenant domain
>> included, the assertion consumer service must be interpreting the user as
>> someone who belongs to the super tenant domain.
>>
>> Regarding the UseAuthenticatedUserDomainCrypto property, do you still
>> get the signature verification failure when it is set to 'true'?
>>
>> [1] -
>> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2
>>
>> Regards,
>> Omindu.
>>
>> On Mon, Jun 6, 

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Harsha Thirimanna
https://wso2.org/jira/browse/DOCUMENTATION-3430


On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna  wrote:

> Hi Bathiya,
>
> Yes, 5.2.0 onwards, we have disabled it. You are correct.
>
> The reason was, if we enable it by default, then for the super tenant
> users, there will be carbon.super within the user name as a subject. That
> is a very unexpected case and then we have to disable it manually. Your case
> comes with the multi-tenant story.
> Most of the time, we are working in super tenant mode, so we decided to
> disable it by default. In multi-tenant mode, we have to enable it per
> tenant.
>
> Problem is, we have to document this clearly.
>
>
> On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara 
> wrote:
>
>> Hi Harsha/Omindu,
>>
>> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.
>>
>> Thanks,
>> Bhathiya
>>
>>
>>
>> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna 
>> wrote:
>>
>>> Bhathiya,
>>> What is your IS version? We are talking about the last released version.
>>>
>>>
>>> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna 
>>> wrote:
>>>
 Hi Bathiya,
 This option is enabled by default in a fresh pack. So unless someone
 un-ticks this option manually for some reason, this would work as
 expected for the customers who migrate to APM 2.0.
 In your case, how was this option disabled? Did you disable it in the UI?


 On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera 
 wrote:

> Hi Bathiya,
>
> This is the expected behavior. With IS 5.1.0, we have given the
> capability to separately specify whether to include the tenant domain
> and/or the user store domain in the subject. This setting is now under the
> 'Local & Outbound Authentication Configuration' section. In earlier
> IS versions this was under SAML SSO configurations [1] (Use fully
> qualified username in the NameID). Better to mention this in the docs.
>
> So without enabling these options, the SAML response subject will not
> have the tenant domain included. And since there's no tenant domain
> included, the assertion consumer service must be interpreting the user as
> someone who belongs to the super tenant domain.
>
> Regarding the UseAuthenticatedUserDomainCrypto property, do you still
> get the signature verification failure when it is set to 'true'?
>
> [1] -
> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2
>
> Regards,
> Omindu.
>
> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara  > wrote:
>
>> Hi Omindu,
>>
>> Thanks. That worked. Could you please explain this new behavior? Is
>> this an intentional change? Or a workaround for an issue? I'm asking this
>> because this is going to affect existing customers, as all of them have to
>> make this change in their setups to get SSO 

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Bhathiya Jayasekara
Hi Harsha,

On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna  wrote:

> Hi Bathiya,
>
> Yes, 5.2.0 onwards, we have disabled it. You are correct.
>
> The reason was, if we enable it by default, then for the super tenant
> users, there will be carbon.super within the user name as a subject. That
> is a very unexpected case and then we have to disable it manually. Your case
> comes with the multi-tenant story.
> Most of the time, we are working in super tenant mode, so we decided to
> disable it by default. In multi-tenant mode, we have to enable it per
> tenant.
>

So how am I supposed to configure when I have just 1 SP for all tenants
with "SaaS App" enabled?

Thanks,
Bhathiya


>
> Problem is, we have to document this clearly.
>
>
> On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara 
> wrote:
>
>> Hi Harsha/Omindu,
>>
>> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.
>>
>> Thanks,
>> Bhathiya
>>
>>
>>
>> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna 
>> wrote:
>>
>>> Bhathiya,
>>> What is your IS version? We are talking about the last released version.
>>>
>>>
>>> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna 
>>> wrote:
>>>
 Hi Bathiya,
 This option is enabled by default in a fresh pack. So unless someone
 un-ticks this option manually for some reason, this would work as
 expected for the customers who migrate to APM 2.0.
 In your case, how was this option disabled? Did you disable it in the UI?


 On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera 
 wrote:

> Hi Bathiya,
>
> This is the expected behavior. With IS 5.1.0, we have given the
> capability to separately specify whether to include the tenant domain
> and/or the user store domain in the subject. This setting is now under the
> 'Local & Outbound Authentication Configuration' section. In earlier
> IS versions this was under SAML SSO configurations [1] (Use fully
> qualified username in the NameID). Better to mention this in the docs.
>
> So without enabling these options, the SAML response subject will not
> have the tenant domain included. And since there's no tenant domain
> included, the assertion consumer service must be interpreting the user as
> someone who belongs to the super tenant domain.
>
> Regarding the UseAuthenticatedUserDomainCrypto property, do you still
> get the signature verification failure when it is set to 'true'?
>
> [1] -
> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2
>
> Regards,
> Omindu.
>
> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara  > wrote:
>
>> Hi Omindu,
>>
>> Thanks. That worked. Could you please explain this new behavior? Is
>> this an intentional change? Or a workaround for an issue? I'm asking this
>> because this is going to affect existing customers, as all of them have to
>> make this change in their setups to get SSO working after upgrading to
>> APIm 2.0.0.
>>
>> Thanks,
>> Bhathiya
>>
>> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera 
>> wrote:
>>
>>> Hi Bathiya,
>>>
>>> Can you try changing the following config in the IS SP and see whether
>>> you are still getting logged in as the super tenant.
>>>
>>> 

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Harsha Thirimanna
Hi Bathiya,

Yes, 5.2.0 onwards, we have disabled it. You are correct.

The reason was, if we enable it by default, then for the super tenant
users, there will be carbon.super within the user name as a subject. That
is a very unexpected case and then we have to disable it manually. Your case
comes with the multi-tenant story.
Most of the time, we are working in super tenant mode, so we decided to
disable it by default. In multi-tenant mode, we have to enable it per
tenant.

Problem is, we have to document this clearly.


On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara 
wrote:

> Hi Harsha/Omindu,
>
> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.
>
> Thanks,
> Bhathiya
>
>
>
> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna 
> wrote:
>
>> Bhathiya,
>> What is your IS version? We are talking about the last released version.
>>
>>
>> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna 
>> wrote:
>>
>>> Hi Bathiya,
>>> This option is enabled by default in a fresh pack. So unless someone
>>> un-ticks this option manually for some reason, this would work as
>>> expected for the customers who migrate to APM 2.0.
>>> In your case, how was this option disabled? Did you disable it in the UI?
>>>
>>>
>>> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera 
>>> wrote:
>>>
 Hi Bathiya,

 This is the expected behavior. With IS 5.1.0, we have given the
 capability to separately specify whether to include the tenant domain
 and/or the user store domain in the subject. This setting is now under the
 'Local & Outbound Authentication Configuration' section. In earlier IS
 versions this was under SAML SSO configurations [1] (Use fully qualified
 username in the NameID). Better to mention this in the docs.

 So without enabling these options, the SAML response subject will not
 have the tenant domain included. And since there's no tenant domain
 included, the assertion consumer service must be interpreting the user as
 someone who belongs to the super tenant domain.

 Regarding the UseAuthenticatedUserDomainCrypto property, do you still get
 the signature verification failure when it is set to 'true'?

 [1] -
 https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2

 Regards,
 Omindu.

 On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara 
 wrote:

> Hi Omindu,
>
> Thanks. That worked. Could you please explain this new behavior? Is
> this an intentional change? Or a workaround for an issue? I'm asking this
> because this is going to affect existing customers, as all of them have to
> make this change in their setups to get SSO working after upgrading to
> APIm 2.0.0.
>
> Thanks,
> Bhathiya
>
> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera 
> wrote:
>
>> Hi Bathiya,
>>
>> Can you try changing the following config in the IS SP and see whether
>> you are still getting logged in as the super tenant.
>>
>> Edit the API_Manager SP. Under 'Local & Outbound Authentication
>> Configuration', select the 'Use tenant domain in local subject
>> identifier' option and save the changes.
>>
>> Regards,
>> Omindu.
>>
>>
>>
>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <
>> bhath...@wso2.com> wrote:
>>
>>> Hi IS team,
>>>

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Bhathiya Jayasekara
Hi Harsha/Omindu,

I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.

Thanks,
Bhathiya



On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna  wrote:

> Bhathiya,
> What is your IS version? We are talking about the last released version.
>
>
> *Harsha Thirimanna*
>
>
> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna 
> wrote:
>
>> Hi Bathiya,
>> This option is enabled by default in a fresh pack. So unless someone
>> un-ticks this option manually for some reason, this would work as
>> expected for customers who migrate to APIM 2.0.
>> In your case, how was this option disabled? Did you disable it in the UI?
>>
>>
>> *Harsha Thirimanna*
>>
>>
>> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera 
>> wrote:
>>
>>> Hi Bathiya,
>>>
>>> This is the expected behavior. With IS 5.1.0, we have given the
>>> capability to separately specify whether to include the tenant domain
>>> and/or the user store domain in the subject. This setting is now under the
>>> 'Local & Outbound Authentication Configuration' section. In earlier IS
>>> versions this was under SAML SSO configurations [1] (Use fully qualified
>>> username in the NameID). Better to mention this in the docs.
>>>
>>> So without enabling these options, the SAML response subject will not
>>> have the tenant domain included. And since there's no tenant domain
>>> included, the assertion consumer service must be interpreting the user as
>>> someone who belongs to the super tenant domain.
>>>
>>> Regarding the UseAuthenticatedUserDomainCrypto property, do you still get
>>> the signature verification failure when it is set to 'true'?
>>>
>>> [1] -
>>> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2
>>>
>>> Regards,
>>> Omindu.
>>>
>>> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara 
>>> wrote:
>>>
 Hi Omindu,

 Thanks. That worked. Could you please explain this new behavior? Is
 this an intentional change? Or a workaround for an issue? I'm asking this
 because this is going to affect existing customers, as all of them have to
 make this change in their setups to get SSO working after upgrading to
 APIm 2.0.0.

 Thanks,
 Bhathiya

 On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera 
 wrote:

> Hi Bathiya,
>
> Can you try changing the following config in IS SP and see whether you
> are still getting logged in as the super tenant.
>
> Edit the API_Manager SP. Under 'Local & Outbound Authentication
> Configuration', select the 'Use tenant domain in local subject
> identifier' option and save the changes.
>
> Regards,
> Omindu.
>
>
>
> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <
> bhath...@wso2.com> wrote:
>
>> Hi IS team,
>>
>> I configured SSO as per this doc[1]. I enabled SaaS Application in
>> store and publisher SPs. But when I try to login as *ad...@b.com*, it
>> fails with "*SAML response signature is verification failed.*". But if I
>> remove the
>> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>*
>> config from identity.xml and do the same, I'm logged in as
>> admin@carbon.super (not as ad...@b.com). This means ad...@b.com can
>> login as admin@carbon.super even without knowing admin@carbon.super's
>> credentials.
>>
>> The SAML response I get is [2]. Looks like it's for
>> admin@carbon.super, which explains the above 2 behaviors.
>>
>> Is this a bug or am I missing some new configuration? Appreciate a
>> quick response as this is a Blocker for APIM 2 Beta release.
>>
>>
>> [1]
>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>>
>> [2] (SAML response XML, garbled in the archive; see the original message
>> at the end of the thread)

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Harsha Thirimanna
Bhathiya,
What is your IS version? We are talking about the last released version.


*Harsha Thirimanna*
Associate Tech Lead; WSO2, Inc.; http://wso2.com
*email: hars...@wso2.com | cell: +94 71 5186770*
*twitter: http://twitter.com/harshathirimann*
*linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122*

*Lean . Enterprise . Middleware*


On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna  wrote:

> Hi Bathiya,
> This option is enabled by default in a fresh pack. So unless someone
> un-ticks this option manually for some reason, this would work as
> expected for customers who migrate to APIM 2.0.
> In your case, how was this option disabled? Did you disable it in the UI?
>
>
> *Harsha Thirimanna*
>
>
> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera 
> wrote:
>
>> Hi Bathiya,
>>
>> This is the expected behavior. With IS 5.1.0, we have given the
>> capability to separately specify whether to include the tenant domain
>> and/or the user store domain in the subject. This setting is now under the
>> 'Local & Outbound Authentication Configuration' section. In earlier IS
>> versions this was under SAML SSO configurations [1] (Use fully qualified
>> username in the NameID). Better to mention this in the docs.
>>
>> So without enabling these options, the SAML response subject will not
>> have the tenant domain included. And since there's no tenant domain
>> included, the assertion consumer service must be interpreting the user as
>> someone who belongs to the super tenant domain.
>>
>> Regarding the UseAuthenticatedUserDomainCrypto property, do you still get
>> the signature verification failure when it is set to 'true'?
>>
>> [1] -
>> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2
>>
>> Regards,
>> Omindu.
>>
>> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara 
>> wrote:
>>
>>> Hi Omindu,
>>>
>>> Thanks. That worked. Could you please explain this new behavior? Is this
>>> an intentional change? Or a workaround for an issue? I'm asking this
>>> because this is going to affect existing customers, as all of them have to
>>> make this change in their setups to get SSO working after upgrading to
>>> APIm 2.0.0.
>>>
>>> Thanks,
>>> Bhathiya
>>>
>>> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera 
>>> wrote:
>>>
 Hi Bathiya,

 Can you try changing the following config in IS SP and see whether you
 are still getting logged in as the super tenant.

 Edit the API_Manager SP. Under 'Local & Outbound Authentication
 Configuration', select the 'Use tenant domain in local subject
 identifier' option and save the changes.

 Regards,
 Omindu.



 On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara  wrote:

> Hi IS team,
>
> I configured SSO as per this doc[1]. I enabled SaaS Application in
> store and publisher SPs. But when I try to login as *ad...@b.com*, it
> fails with "*SAML response signature is verification failed.*". But if I
> remove the
> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>*
> config from identity.xml and do the same, I'm logged in as
> admin@carbon.super (not as ad...@b.com). This means ad...@b.com can
> login as admin@carbon.super even without knowing admin@carbon.super's
> credentials.
>
> The SAML response I get is [2]. Looks like it's for admin@carbon.super,
> which explains the above 2 behaviors.
>
> Is this a bug or am I missing some new configuration? Appreciate a
> quick response as this is a Blocker for APIM 2 Beta release.
>
>
> [1]
> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>
> [2] (SAML response XML, garbled in the archive; see the original message
> at the end of the thread)

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Harsha Thirimanna
Hi Bathiya,
This option is enabled by default in a fresh pack. So unless someone
un-ticks this option manually for some reason, this would work as
expected for customers who migrate to APIM 2.0.
In your case, how was this option disabled? Did you disable it in the UI?


*Harsha Thirimanna*


On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera  wrote:

> Hi Bathiya,
>
> This is the expected behavior. With IS 5.1.0, we have given the capability
> to separately specify whether to include the tenant domain and/or the user
> store domain in the subject. This setting is now under the 'Local & Outbound
> Authentication Configuration' section. In earlier IS versions this was
> under SAML SSO configurations [1] (Use fully qualified username in the
> NameID). Better to mention this in the docs.
>
> So without enabling these options, the SAML response subject will not have
> the tenant domain included. And since there's no tenant domain included,
> the assertion consumer service must be interpreting the user as someone who
> belongs to the super tenant domain.
>
> Regarding the UseAuthenticatedUserDomainCrypto property, do you still get
> the signature verification failure when it is set to 'true'?
>
> [1] -
> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2
>
> Regards,
> Omindu.
>
> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara 
> wrote:
>
>> Hi Omindu,
>>
>> Thanks. That worked. Could you please explain this new behavior? Is this
>> an intentional change? Or a workaround for an issue? I'm asking this
>> because this is going to affect existing customers, as all of them have to
>> make this change in their setups to get SSO working after upgrading to
>> APIm 2.0.0.
>>
>> Thanks,
>> Bhathiya
>>
>> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera 
>> wrote:
>>
>>> Hi Bathiya,
>>>
>>> Can you try changing the following config in IS SP and see whether you
>>> are still getting logged in as the super tenant.
>>>
>>> Edit the API_Manager SP. Under 'Local & Outbound Authentication
>>> Configuration', select the 'Use tenant domain in local subject
>>> identifier' option and save the changes.
>>>
>>> Regards,
>>> Omindu.
>>>
>>>
>>>
>>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara 
>>> wrote:
>>>
 Hi IS team,

 I configured SSO as per this doc[1]. I enabled SaaS Application in
 store and publisher SPs. But when I try to login as *ad...@b.com*, it
 fails with "*SAML response signature is verification failed.*". But if I
 remove the
 *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>*
 config from identity.xml and do the same, I'm logged in as
 admin@carbon.super (not as ad...@b.com). This means ad...@b.com can
 login as admin@carbon.super even without knowing admin@carbon.super's
 credentials.

 The SAML response I get is [2]. Looks like it's for admin@carbon.super,
 which explains the above 2 behaviors.

 Is this a bug or am I missing some new configuration? Appreciate a
 quick response as this is a Blocker for APIM 2 Beta release.


 [1]
 https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2

 [2] (SAML response XML, garbled in the archive; see the original message
 at the end of the thread)

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Omindu Rathnaweera
Hi Bathiya,

This is the expected behavior. With IS 5.1.0, we have given the capability
to separately specify whether to include the tenant domain and/or the user
store domain in the subject. This setting is now under the 'Local & Outbound
Authentication Configuration' section. In earlier IS versions this was
under SAML SSO configurations [1] (Use fully qualified username in the
NameID). Better to mention this in the docs.

So without enabling these options, the SAML response subject will not have
the tenant domain included. And since there's no tenant domain included,
the assertion consumer service must be interpreting the user as someone who
belongs to the super tenant domain.

Regarding the UseAuthenticatedUserDomainCrypto property, do you still get the
signature verification failure when it is set to 'true'?

[1] -
https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2

Regards,
Omindu.

On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara 
wrote:

> Hi Omindu,
>
> Thanks. That worked. Could you please explain this new behavior? Is this
> an intentional change? Or a workaround for an issue? I'm asking this
> because this is going to affect existing customers, as all of them have to
> make this change in their setups to get SSO working after upgrading to
> APIm 2.0.0.
>
> Thanks,
> Bhathiya
>
> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera 
> wrote:
>
>> Hi Bathiya,
>>
>> Can you try changing the following config in IS SP and see whether you
>> are still getting logged in as the super tenant.
>>
>> Edit the API_Manager SP. Under 'Local & Outbound Authentication
>> Configuration', select the 'Use tenant domain in local subject identifier'
>> option and save the changes.
>>
>> Regards,
>> Omindu.
>>
>>
>>
>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara 
>> wrote:
>>
>>> Hi IS team,
>>>
>>> I configured SSO as per this doc[1]. I enabled SaaS Application in store
>>> and publisher SPs. But when I try to login as *ad...@b.com*, it fails
>>> with "*SAML response signature is verification failed.*". But if I
>>> remove the
>>> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>*
>>> config from identity.xml and do the same, I'm logged in as
>>> admin@carbon.super (not as ad...@b.com). This means ad...@b.com can
>>> login as admin@carbon.super even without knowing admin@carbon.super's
>>> credentials.
>>>
>>> The SAML response I get is [2]. Looks like it's for admin@carbon.super,
>>> which explains the above 2 behaviors.
>>>
>>> Is this a bug or am I missing some new configuration? Appreciate a quick
>>> response as this is a Blocker for APIM 2 Beta release.
>>>
>>>
>>> [1]
>>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>>>
>>> [2] (SAML response XML, garbled in the archive; see the original message
>>> at the end of the thread)
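An added example (not WSO2's code) of the subject-to-tenant mapping Omindu describes above: a small ACS-side resolver, run over constructed SAML responses, showing how the unqualified NameID "admin" lands in carbon.super under a lenient default and how a multi-tenant (SaaS) SP should refuse it instead. Element names and namespaces are standard SAML 2.0; the `require_tenant_domain` policy flag and the sample responses are this example's own, and signature verification is left out of scope.

```python
"""Added example, not WSO2 code: an ACS-side resolver for the subject
mapping discussed in the thread.  With 'Use tenant domain in local subject
identifier' off the IdP sends NameID "admin"; an ACS that defaults an
unqualified subject to carbon.super then logs a tenant admin in as the
super-tenant admin.  Namespaces and element names are standard SAML 2.0;
the require_tenant_domain policy flag is this example's own."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SUPER_TENANT = "carbon.super"

# Constructed sample responses (signatures omitted).  The subject values
# mirror the thread: "admin" with the option off, "admin@b.com" with it on.
RESPONSE_NO_TENANT = f"""<saml2p:Response xmlns:saml2p="{SAML2P}"
    xmlns:saml2="{SAML2}" Version="2.0" ID="_constructed-response">
  <saml2:Issuer>localhost</saml2:Issuer>
  <saml2:Assertion Version="2.0" ID="_constructed-assertion">
    <saml2:Issuer>localhost</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""
RESPONSE_WITH_TENANT = RESPONSE_NO_TENANT.replace(">admin<", ">admin@b.com<")


def extract_name_id(response_xml: str) -> str:
    """Return the single assertion subject carried by a saml2p:Response."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAML2P}}}Response":
        raise ValueError("root element is not saml2p:Response")
    name_ids = root.findall(
        f"{{{SAML2}}}Assertion/{{{SAML2}}}Subject/{{{SAML2}}}NameID")
    if len(name_ids) != 1:
        raise ValueError(f"expected one assertion subject, found {len(name_ids)}")
    name_id = (name_ids[0].text or "").strip()
    if not name_id:
        raise ValueError("empty NameID")
    return name_id


def split_tenant(name_id: str) -> Tuple[str, Optional[str]]:
    """WSO2 tenant-qualified usernames look like user@tenant.domain; a bare
    username carries no tenant information at all."""
    if "@" not in name_id:
        return name_id, None
    user, tenant = name_id.rsplit("@", 1)
    return user, tenant


def resolve_login(response_xml: str, require_tenant_domain: bool) -> dict:
    """Decide which local account the response logs in.

    require_tenant_domain=True is the policy a multi-tenant (SaaS) SP wants:
    a subject without a tenant domain is rejected rather than assumed to be
    a super-tenant user.  False reproduces the lenient mapping the thread
    observed, where NameID "admin" becomes admin@carbon.super.
    """
    try:
        name_id = extract_name_id(response_xml)
    except (ET.ParseError, ValueError) as exc:
        return {"accepted": False, "reason": str(exc)}
    user, tenant = split_tenant(name_id)
    if tenant is None:
        if require_tenant_domain:
            return {"accepted": False,
                    "reason": f"subject {name_id!r} carries no tenant domain"}
        tenant = SUPER_TENANT
    return {"accepted": True, "user": user, "tenant": tenant}


if __name__ == "__main__":
    for label, xml in (("option off", RESPONSE_NO_TENANT),
                       ("option on", RESPONSE_WITH_TENANT)):
        for strict in (False, True):
            policy = "strict" if strict else "lenient"
            print(f"{label:10} {policy:8} {resolve_login(xml, strict)}")
```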

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Bhathiya Jayasekara
Hi Omindu,

Thanks. That worked. Could you please explain this new behavior? Is this an
intentional change? Or a workaround for an issue? I'm asking this because
this is going to affect existing customers, as all of them have to make this
change in their setups to get SSO working after upgrading to APIm 2.0.0.

Thanks,
Bhathiya

On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera  wrote:

> Hi Bathiya,
>
> Can you try changing the following config in IS SP and see whether you are
> still getting logged in as the super tenant.
>
> Edit the API_Manager SP. Under 'Local & Outbound Authentication
> Configuration', select the 'Use tenant domain in local subject identifier'
> option and save the changes.
>
> Regards,
> Omindu.
>
>
>
> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara 
> wrote:
>
>> Hi IS team,
>>
>> I configured SSO as per this doc[1]. I enabled SaaS Application in store
>> and publisher SPs. But when I try to login as *ad...@b.com*, it fails
>> with "*SAML response signature is verification failed.*". But if I
>> remove the
>> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>*
>> config from identity.xml and do the same, I'm logged in as
>> admin@carbon.super (not as ad...@b.com). This means ad...@b.com can
>> login as admin@carbon.super even without knowing admin@carbon.super's
>> credentials.
>>
>> The SAML response I get is [2]. Looks like it's for admin@carbon.super,
>> which explains the above 2 behaviors.
>>
>> Is this a bug or am I missing some new configuration? Appreciate a quick
>> response as this is a Blocker for APIM 2 Beta release.
>>
>>
>> [1]
>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>>
>> [2] (SAML response XML, garbled in the archive; see the original message
>> at the end of the thread)

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Omindu Rathnaweera
Hi Bathiya,

Can you try changing the following config in IS SP and see whether you are
still getting logged in as the super tenant.

Edit the API_Manager SP. Under 'Local & Outbound Authentication
Configuration', select the 'Use tenant domain in local subject identifier'
option and save the changes.

Regards,
Omindu.



On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara 
wrote:

> Hi IS team,
>
> I configured SSO as per this doc[1]. I enabled SaaS Application in store
> and publisher SPs. But when I try to login as *ad...@b.com*, it fails
> with "*SAML response signature is verification failed.*". But if I
> remove the
> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>*
> config from identity.xml and do the same, I'm logged in as
> admin@carbon.super (not as ad...@b.com). This means ad...@b.com can login
> as admin@carbon.super even without knowing admin@carbon.super's
> credentials.
>
> The SAML response I get is [2]. Looks like it's for admin@carbon.super,
> which explains the above 2 behaviors.
>
> Is this a bug or am I missing some new configuration? Appreciate a quick
> response as this is a Blocker for APIM 2 Beta release.
>
>
> [1]
> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>
> [2] (SAML response XML, garbled in the archive; see the original message
> at the end of the thread)

[Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Bhathiya Jayasekara
Hi IS team,

I configured SSO as per this doc[1]. I enabled SaaS Application in store
and publisher SPs. But when I try to login as *ad...@b.com*, it fails
with "*SAML response signature is verification failed.*". But if I
remove the
*<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>*
config from identity.xml and do the same, I'm logged in as
admin@carbon.super (not as ad...@b.com). This means ad...@b.com can login
as admin@carbon.super even without knowing admin@carbon.super's
credentials.

The SAML response I get is [2]. Looks like it's for admin@carbon.super,
which explains the above 2 behaviors.

Is this a bug or am I missing some new configuration? Appreciate a quick
response as this is a Blocker for APIM 2 Beta release.


[1]
https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2

[2] SAML response (the XML tags were stripped by the archive; only attribute
values and element text survive): a saml2p:Response to Destination
https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag, IssueInstant
2016-06-05T17:55:09.459Z, Issuer localhost, StatusCode Success, RSA-SHA1
enveloped signatures (exclusive C14N, SHA-1 digests) on both the Response and
the Assertion, Subject NameID "admin" in emailAddress format with bearer
confirmation, Audience API_PUBLISHER, and AuthnContextClassRef
urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
Thanks,

-- 
*Bhathiya Jayasekara*
*Senior Software Engineer,*
*WSO2 inc., http://wso2.com*

*Phone: +94715478185*
*LinkedIn: http://www.linkedin.com/in/bhathiyaj*
*Twitter: https://twitter.com/bhathiyax*
*Blog: http://movingaheadblog.blogspot.com*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev