Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-20 Thread Nadeesha Meegoda
Hi all,

I have done the same setup in tenant mode (IDP and travelocity SP are in
tenant mode) and enabled assertion encryption. The SP created for the IDP
is in super tenant mode, that is, on the 2nd IS. Now I am getting an error on the
IS side. I have exported the external IS private key and imported it to the IDP.
Is there anything I have missed that would explain this exception? (Testing in the
wso2is-5.1.0-kernel-4.2.0-SNAPSHOT given on 14th Oct)

Note - I can successfully log in when assertion encryption is disabled.


[1] -
https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510

[2015-10-20 13:50:00,139] ERROR {org.opensaml.xml.encryption.Decrypter} - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
[2015-10-20 13:50:00,140] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} - Unable to decrypt the SAML Assertion
org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Unable to decrypt the SAML Assertion
    at org.wso2.carbon.identity.application.authenticator.samlsso.SAMLSSOAuthenticator.processAuthenticationResponse(SAMLSSOAuthenticator.java:202)
    at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:65)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:426)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:400)
    at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:114)
    at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:171)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:111)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:119)
    at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)

Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-20 Thread Gayan Gunawardana
On Tue, Oct 20, 2015 at 2:21 PM, Nadeesha Meegoda 
wrote:

> Hi all,
>
> I have done the same setup in tenant mode  (IDP and travelocity SP are in
> tenant mode)
>

Were you able to resolve the issue in super tenant mode?

> and enabled assertion encryption. The SP created for the IDP is in super
> tenant mode that is the 2nd IS. Now I am getting error in IS side. I have
> exported the external IS private key and imported it to IDP. Any reason
> behind this exception that I have missed doing? (Testing in the
> wso2is-5.1.0-kernel-4.2.0-SNAPSHOT given on 14th Oct)
>
> Note - I can successfully log in when assertion encryption is disabled.
>
>
> [1] -
> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>

Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-20 Thread Nadeesha Meegoda
Yes, it works for super tenant mode.

On Tue, Oct 20, 2015 at 2:32 PM, Gayan Gunawardana  wrote:

>
>
> On Tue, Oct 20, 2015 at 2:21 PM, Nadeesha Meegoda 
> wrote:
>
>> Hi all,
>>
>> I have done the same setup in tenant mode  (IDP and travelocity SP are in
>> tenant mode)
>>
>
> Were you able to resolve the issue in super tenant mode?
>
>> and enabled assertion encryption. The SP created for the IDP is in super
>> tenant mode that is the 2nd IS. Now I am getting error in IS side. I have
>> exported the external IS private key and imported it to IDP. Any reason
>> behind this exception that I have missed doing? (Testing in the
>> wso2is-5.1.0-kernel-4.2.0-SNAPSHOT given on 14th Oct)
>>
>> Note - I can successfully log in when assertion encryption is disabled.
>>
>>
>> [1] -
>> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>

Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-09 Thread Gayan Gunawardana
#Alias of the IdP's public certificate
IdPPublicCertAlias=wso2carbon

It seems this is not present in the travelocity.properties file. Can you please
try with the latest travelocity app?

On Thu, Oct 8, 2015 at 5:53 PM, Nadeesha Meegoda  wrote:

> Hi all,
>
> I'm continuously getting this error when assertion encryption is enabled.
> I have attached the travelocity.properties file for your reference. I can
> give the travelocity.war on request.
>
> On Sun, Oct 4, 2015 at 1:43 PM, Gayan Gunawardana  wrote:
>
>> Hi Nadeesha,
>>
>> I just checked Federated SSO scenario  (product-is build 02/10/2015) you
>> mentioned in the initial mail. It works fine for me except I had to replace
>> commons-collections-3.1.jar with commons-collections-3.2.1.jar inside
>> travelocity.com web app.
>>
>> Thanks,
>> Gayan
>>
>> On Fri, Oct 2, 2015 at 9:11 PM, Nadeesha Meegoda 
>> wrote:
>>
>>> Hi Tharindu,
>>>
>>> When I tested this with single IS for SAML SSO (not the federated
>>> scenario) everything worked fine for super tenant. I doubt this is related
>>> to the federated scenario. Please have a look and let me know.
>>>
>>> Thanks!
>>>
>>> On Fri, Oct 2, 2015 at 8:52 PM, Tharindu Edirisinghe wrote:
>>>
 Hi Nadeesha,

 For super tenant, sso.agent should be able to decrypt the encrypted
 saml assertion. However there was an issue [1] where for a tenant, when the
 tenant encrypts the SAML assertion with the public certificate of the
 client (i.e. the travelocity app), then sso.agent could not decrypt the
 assertion because in the code, the private key of travelocity's key store
 was not getting picked up because of the particular method called in the open
 saml library. This was patched some time back for the sso.agent 1.2 version but
 we need to check whether the same fix got correctly merged to higher
 versions (i.e. 1.4). Ideally this should work for super tenant anyway, but
 we'll check the same scenario more and let you know.

 [1] https://wso2.org/jira/browse/IDENTITY-3186

 Regards,
 TharinduE

 On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda 
 wrote:

> Hi Darshana,
>
> Yes the response is encrypted. Sending the SAML sso trace attached
> with the mail.
>
> @Ishara I used wso2carbon as the certificate alias since I'm using the
> default key stores and also I'm testing this in super tenant mode.  Do I
> need to import the public certificate of the private key of travelocity 
> app
> to IS keystores in super tenant mode?
>
> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna 
> wrote:
>
>> Hi Nadeesha,
>>
>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <
>> darsh...@wso2.com> wrote:
>>
>>> Hi Nadeesha,
>>>
>>> Have you checked whether the assertion is encrypted in the response
>>> IS sends back to the travelocity app?
>>>
>>> And please provide the SSO Trace (save as a text file and attach in
>>> the mail) for the whole flow.
>>>
>>> Thanks,
>>> Darshana
>>>
>>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda wrote:
>>>
 Hi.

 I have configured the setup to Login to the Identity Server Using
 Another Identity Server as per the details in [1] in Super tenant mode.
 With the happy scenario according to the documentation this works 
 fine. But
 I have enabled some additional properties in IDP and SP used for IDP as
 follows:

 *Properties enabled for Federated Authenticators* - SAML2 Web SSO
 Configuration

 1. Enabled Assertion Encryption
 2. Enable Assertion Signing
 3. Enable Authentication Response Signing

 *Properties enabled for SP used for IDP*

 1. Enabled Assertion Encryption
 2. Enabled Response Signing

 *Properties enabled for SP used for travelocity app*

 1. Enabled Assertion Encryption

>>> What is the Certificate Alias you used here ?
>> is that the public key in travelocity app ?
>>
>>> 2. Enabled Response Signing

 In the travelocity.properties file also I have enabled Assertion
 Encryption,Response signing and Assertion signing. I have already 
 imported
 the Identity Provider Public Certificate to IDP

 When I'm signing in to travelocity.com I get Unable to decrypt the
 SAML Assertion error and error in [2] in tomcat.

 Note that with only "assertion signing" enabled in IDP I was
 successfully able to login and no error was displayed. When I enabled the
 Assertion Encryption this error occurred. Why does this error occur when I
 

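Gayan's finding above is that a key the SSO agent needs (IdPPublicCertAlias) was simply absent from travelocity.properties. A small checker for that class of gap, as an added Python example that is not code from the thread, from WSO2 or from the travelocity sample: it parses a .properties text and reports the entries the agent would need once assertion encryption or signing is switched on. Only IdPPublicCertAlias is taken from the thread; the other key names (SAML2.EnableAssertionEncryption, SAML2.EnableAssertionSigning, SAML2.EnableResponseSigning, KeyStore, KeyStorePassword, PrivateKeyAlias, PrivateKeyPassword) are assumed to follow the sample agent's conventions and should be matched against the file actually in use. Both property texts are constructed.

```python
"""Check a travelocity.properties-style SSO agent configuration for gaps that
leave the agent unable to verify or decrypt what the IdP sends.

Added example, not code from the thread, WSO2 or the travelocity sample.
Only IdPPublicCertAlias is taken from the thread; every other key name below
is ASSUMED to follow the sample agent's conventions.
"""
from typing import Dict, List

# Constructed sample: encryption and signing switched on, but no IdP
# certificate alias and no usable private-key entry for decryption.
BROKEN_PROPERTIES = """\
# constructed sample, not a real file
SAML2.EnableAssertionEncryption=true
SAML2.EnableAssertionSigning=true
SAML2.EnableResponseSigning=true
KeyStore=wso2carbon.jks
KeyStorePassword=wso2carbon
PrivateKeyAlias=
"""

# Same file with the missing entries filled in (values are the sample
# keystore defaults, constructed here).
FIXED_PROPERTIES = BROKEN_PROPERTIES.replace("PrivateKeyAlias=\n", """\
PrivateKeyAlias=wso2carbon
PrivateKeyPassword=wso2carbon
#Alias of the IdP's public certificate
IdPPublicCertAlias=wso2carbon
""")

# Keys the agent needs to decrypt an EncryptedAssertion (assumed names).
PRIVATE_KEY_KEYS = ("KeyStore", "KeyStorePassword", "PrivateKeyAlias", "PrivateKeyPassword")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments.
    Line continuations and escape sequences are not handled."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java takes whichever of '=' or ':' comes first as the separator.
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if cuts:
            cut = min(cuts)
            key, value = line[:cut], line[cut + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def is_enabled(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "").lower() == "true"


def check_sso_agent_config(props: Dict[str, str]) -> List[str]:
    """Return the configuration problems found; an empty list means nothing obvious is missing."""
    problems: List[str] = []
    verifies_signatures = (is_enabled(props, "SAML2.EnableAssertionSigning")
                           or is_enabled(props, "SAML2.EnableResponseSigning"))
    if verifies_signatures and not props.get("IdPPublicCertAlias"):
        problems.append("IdPPublicCertAlias is missing or empty: no IdP certificate to verify signatures with")
    if is_enabled(props, "SAML2.EnableAssertionEncryption"):
        for key in PRIVATE_KEY_KEYS:
            if not props.get(key):
                problems.append(f"{key} is missing or empty: the agent cannot resolve a private key to unwrap the EncryptedKey")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(label, check_sso_agent_config(parse_properties(text)) or ["ok"])
```

An empty value (`PrivateKeyAlias=`) is flagged the same way as an absent key, because both leave the agent's key resolver with nothing to look up in the keystore, which is the symptom the Decrypter reports as "valid decryption key could not be resolved".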
Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-08 Thread Nadeesha Meegoda
Hi all,

I'm continuously getting this error when assertion encryption is enabled. I
have attached the travelocity.properties file for your reference. I can
give the travelocity.war on request.

On Sun, Oct 4, 2015 at 1:43 PM, Gayan Gunawardana  wrote:

> Hi Nadeesha,
>
> I just checked Federated SSO scenario  (product-is build 02/10/2015) you
> mentioned in the initial mail. It works fine for me except I had to replace
> commons-collections-3.1.jar with commons-collections-3.2.1.jar inside
> travelocity.com web app.
>
> Thanks,
> Gayan
>
> On Fri, Oct 2, 2015 at 9:11 PM, Nadeesha Meegoda 
> wrote:
>
>> Hi Tharindu,
>>
>> When I tested this with single IS for SAML SSO (not the federated
>> scenario) everything worked fine for super tenant. I doubt this is related
>> to the federated scenario. Please have a look and let me know.
>>
>> Thanks!
>>
>> On Fri, Oct 2, 2015 at 8:52 PM, Tharindu Edirisinghe 
>> wrote:
>>
>>> Hi Nadeesha,
>>>
>>> For super tenant, sso.agent should be able to decrypt the encrypted saml
>>> assertion. However there was an issue [1] where for a tenant, when the
>>> tenant encrypts the SAML assertion with the public certificate of the
>>> client (i.e. the travelocity app), then sso.agent could not decrypt the
>>> assertion because in the code, the private key of travelocity's key store
>>> was not getting picked up because of the particular method called in the open
>>> saml library. This was patched some time back for the sso.agent 1.2 version but
>>> we need to check whether the same fix got correctly merged to higher
>>> versions (i.e. 1.4). Ideally this should work for super tenant anyway, but
>>> we'll check the same scenario more and let you know.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-3186
>>>
>>> Regards,
>>> TharinduE
>>>
>>> On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda 
>>> wrote:
>>>
 Hi Darshana,

 Yes the response is encrypted. Sending the SAML sso trace attached with
 the mail.

 @Ishara I used wso2carbon as the certificate alias since I'm using the
 default key stores and also I'm testing this in super tenant mode.  Do I
 need to import the public certificate of the private key of travelocity app
 to IS keystores in super tenant mode?

 On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna 
 wrote:

> Hi Nadeesha,
>
> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <
> darsh...@wso2.com> wrote:
>
>> Hi Nadeesha,
>>
>> Have you checked whether the assertion is encrypted in the response
>> IS sends back to the travelocity app?
>>
>> And please provide the SSO Trace (save as a text file and attach in
>> the mail) for the whole flow.
>>
>> Thanks,
>> Darshana
>>
>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda 
>> wrote:
>>
>>> Hi.
>>>
>>> I have configured the setup to Login to the Identity Server Using
>>> Another Identity Server as per the details in [1] in Super tenant mode.
>>> With the happy scenario according to the documentation this works fine. 
>>> But
>>> I have enabled some additional properties in IDP and SP used for IDP as
>>> follows:
>>>
>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO
>>> Configuration
>>>
>>> 1. Enabled Assertion Encryption
>>> 2. Enable Assertion Signing
>>> 3. Enable Authentication Response Signing
>>>
>>> *Properties enabled for SP used for IDP*
>>>
>>> 1. Enabled Assertion Encryption
>>> 2. Enabled Response Signing
>>>
>>> *Properties enabled for SP used for travelocity app*
>>>
>>> 1. Enabled Assertion Encryption
>>>
>> What is the Certificate Alias you used here ?
> is that the public key in travelocity app ?
>
>> 2. Enabled Response Signing
>>>
>>> In the travelocity.properties file also I have enabled Assertion
>>> Encryption,Response signing and Assertion signing. I have already 
>>> imported
>>> the Identity Provider Public Certificate to IDP
>>>
>>> When I'm signing in to travelocity.com I get Unable to decrypt the
>>> SAML Assertion error and error in [2] in tomcat.
>>>
>>> Note that with only "assertion signing" enabled in IDP I was
>>> successfully able to login and no error was displayed. When I enabled the
>>> Assertion Encryption this error occurred. Why does this error occur when I
>>> enable this property as mentioned above?
>>>
>>> Any help regarding this is highly appreciated!
>>>
>>>
>>>
>>> [1] -
>>> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>>
>>> [2] - Oct 02, 2015 2:10:47 PM
>>> org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>>> 

Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-02 Thread Ishara Karunarathna
Hi Nadeesha,

On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana 
wrote:

> Hi Nadeesha,
>
> Have you checked whether the assertion is encrypted in the response IS
> sends back to the travelocity app?
>
> And please provide the SSO Trace (save as a text file and attach in the
> mail) for the whole flow.
>
> Thanks,
> Darshana
>
> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda 
> wrote:
>
>> Hi.
>>
>> I have configured the setup to Login to the Identity Server Using Another
>> Identity Server as per the details in [1] in Super tenant mode. With the
>> happy scenario according to the documentation this works fine. But I have
>> enabled some additional properties in IDP and SP used for IDP as follows:
>>
>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO
>> Configuration
>>
>> 1. Enabled Assertion Encryption
>> 2. Enable Assertion Signing
>> 3. Enable Authentication Response Signing
>>
>> *Properties enabled for SP used for IDP*
>>
>> 1. Enabled Assertion Encryption
>> 2. Enabled Response Signing
>>
>> *Properties enabled for SP used for travelocity app*
>>
>> 1. Enabled Assertion Encryption
>>
What is the Certificate Alias you used here? Is that the public key in the travelocity app?

> 2. Enabled Response Signing
>>
>> In the travelocity.properties file also I have enabled Assertion
>> Encryption,Response signing and Assertion signing. I have already imported
>> the Identity Provider Public Certificate to IDP
>>
>> When I'm signing in to travelocity.com I get Unable to decrypt the SAML
>> Assertion error and error in [2] in tomcat.
>>
>> Note that with only "assertion signing" enabled in IDP I was successfully
>> able to login and no error was displayed. When I enabled the Assertion
>> Encryption this error occurred. Why does this error occur when I enable
>> this property as mentioned above?
>>
>> Any help regarding this is highly appreciated!
>>
>>
>>
>> [1] -
>> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>
>> [2] - Oct 02, 2015 2:10:47 PM
>> org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>> SEVERE: An error has occurred
>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to decrypt the SAML Assertion
>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
>>     at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
>>     at org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>     at java.lang.Thread.run(Thread.java:745)
>>
>>
>>
>>
>> Thanks!
>> --
>> *Nadeesha Meegoda*
>> Software Engineer - QA
>> WSO2 Inc.; http://wso2.com
>> lean.enterprise.middleware
>> email : nadees...@wso2.com
>> mobile: +94783639540
>>
>
>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Senior Software Engineer
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com *
> *Mobile: +94718566859* Lean . Enterprise . Middleware
>



-- 
Ishara Karunarathna
Senior Software Engineer
WSO2 Inc. - lean . enterprise . middleware |  wso2.com

email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
+94717996791
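Darshana's first question in this thread (is the assertion actually encrypted in the Response?) and the Decrypter's "valid decryption key could not be resolved" both come down to what the Response carries. As an added Python example that is not code from the thread or from WSO2, the following reads a SAML 2.0 Response, reports whether it holds saml:Assertion or saml:EncryptedAssertion elements, and pulls out the encryption algorithms and the KeyName the EncryptedKey references, which is what the SP's private key must correspond to. Both Response documents are constructed for the example; a real one is the base64-decoded SAMLResponse parameter captured in the SSO trace.

```python
"""Inspect a SAML 2.0 Response: is the assertion encrypted, and which key does
the EncryptedKey say it was wrapped for?

Added example, not code from the thread or from WSO2. Both Response documents
below are constructed; a real one is the base64-decoded SAMLResponse form
parameter captured in the SSO trace.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

RESPONSE_HEAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_constructed_1" Version="2.0" IssueInstant="2015-10-20T08:20:00Z">
  <saml:Issuer>constructed-idp.example</saml:Issuer>
"""

# Constructed: assertion encrypted under a session key that is itself wrapped
# for the certificate named in ds:KeyName (cipher values are placeholders).
ENCRYPTED_RESPONSE = RESPONSE_HEAD + """\
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <ds:KeyInfo><ds:KeyName>wso2carbon</ds:KeyName></ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed: the same Response with assertion encryption disabled.
PLAIN_RESPONSE = RESPONSE_HEAD + """\
  <saml:Assertion ID="_constructed_a1" Version="2.0" IssueInstant="2015-10-20T08:20:00Z">
    <saml:Issuer>constructed-idp.example</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def encode_saml_response(xml_text: str) -> str:
    """Base64-encode as the IdP does for the SAMLResponse POST parameter."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_response(b64: str) -> str:
    """Undo that encoding (the form the value has in an SSO trace)."""
    return base64.b64decode(b64).decode("utf-8")


def inspect_response(xml_text: str) -> Dict[str, object]:
    """Summarise how the assertion inside a Response is protected."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    data_algorithms: List[Optional[str]] = []
    key_algorithms: List[Optional[str]] = []
    key_names: List[Optional[str]] = []
    for ea in encrypted:
        method = ea.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        data_algorithms.append(method.get("Algorithm") if method is not None else None)
        # EncryptedKey may sit inside EncryptedData/KeyInfo or directly under
        # EncryptedAssertion, so search the whole subtree.
        for ek in ea.findall(".//xenc:EncryptedKey", NS):
            km = ek.find("xenc:EncryptionMethod", NS)
            key_algorithms.append(km.get("Algorithm") if km is not None else None)
            kn = ek.find("ds:KeyInfo/ds:KeyName", NS)
            key_names.append(kn.text.strip() if kn is not None and kn.text else None)
    return {
        "plain_assertions": len(root.findall("saml:Assertion", NS)),
        "encrypted_assertions": len(encrypted),
        "data_algorithms": data_algorithms,
        "key_algorithms": key_algorithms,
        "key_names": key_names,
    }


def explain(report: Dict[str, object]) -> List[str]:
    """Turn the report into the checks a troubleshooter would go through."""
    if report["encrypted_assertions"] == 0:
        return ["assertion is not encrypted; the SP's decryption settings are never exercised"]
    notes: List[str] = []
    if not report["key_names"]:
        notes.append("no EncryptedKey found; the SP cannot recover the session key")
    for name in report["key_names"]:  # type: ignore[union-attr]
        if name is None:
            notes.append("EncryptedKey carries no KeyName; the SP must fall back to its own configured private key")
        else:
            notes.append("EncryptedKey names '%s'; the SP needs the private key matching that certificate" % name)
    return notes


if __name__ == "__main__":
    for text in (ENCRYPTED_RESPONSE, PLAIN_RESPONSE):
        rep = inspect_response(decode_saml_response(encode_saml_response(text)))
        print(rep, explain(rep))
```

When the report shows an EncryptedKey but the SP still logs "valid decryption key could not be resolved", the mismatch is on the SP side: the keystore and private-key alias the agent is configured with do not yield a key for the certificate the IdP encrypted to, which is exactly the keystore lookup Tharindu describes for the tenant case.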

Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-02 Thread Nadeesha Meegoda
Hi Darshana,

Yes, the response is encrypted. I am sending the SAML SSO trace attached to the
mail.

@Ishara I used wso2carbon as the certificate alias since I'm using the
default key stores and also I'm testing this in super tenant mode.  Do I
need to import the public certificate of the private key of travelocity app
to IS keystores in super tenant mode?

On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna 
wrote:

> Hi Nadeesha,
>
> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana 
> wrote:
>
>> Hi Nadeesha,
>>
>> Have you checked whether the assertion is encrypted in the response IS
>> sends back to the travelocity app?
>>
>> And please provide the SSO Trace (save as a text file and attach in the
>> mail) for the whole flow.
>>
>> Thanks,
>> Darshana
>>
>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda 
>> wrote:
>>
>>> Hi.
>>>
>>> I have configured the setup to Login to the Identity Server Using
>>> Another Identity Server as per the details in [1] in Super tenant mode.
>>> With the happy scenario according to the documentation this works fine. But
>>> I have enabled some additional properties in IDP and SP used for IDP as
>>> follows:
>>>
>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO
>>> Configuration
>>>
>>> 1. Enabled Assertion Encryption
>>> 2. Enable Assertion Signing
>>> 3. Enable Authentication Response Signing
>>>
>>> *Properties enabled for SP used for IDP*
>>>
>>> 1. Enabled Assertion Encryption
>>> 2. Enabled Response Signing
>>>
>>> *Properties enabled for SP used for travelocity app*
>>>
>>> 1. Enabled Assertion Encryption
>>>
>> What is the Certificate Alias you used here ?
> is that the public key in travelocity app ?
>
>> 2. Enabled Response Signing
>>>
>>> In the travelocity.properties file also I have enabled Assertion
>>> Encryption,Response signing and Assertion signing. I have already imported
>>> the Identity Provider Public Certificate to IDP
>>>
>>> When I'm signing in to travelocity.com I get Unable to decrypt the SAML
>>> Assertion error and error in [2] in tomcat.
>>>
>>> Note that with only "assertion signing" enabled in IDP I was successfully
>>> able to login and no error was displayed. When I enabled the Assertion
>>> Encryption this error occurred. Why does this error occur when I enable
>>> this property as mentioned above?
>>>
>>> Any help regarding this is highly appreciated!
>>>
>>>
>>>
>>> [1] -
>>> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>>>
>>> [2] - Oct 02, 2015 2:10:47 PM
>>> org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>>>
>>>
>>>
>>>
>>> Thanks!
>>> --
>>> *Nadeesha Meegoda*
>>> Software Engineer - QA
>>> WSO2 Inc.; http://wso2.com
>>> 

Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-02 Thread Darshana Gunawardana
Hi Nadeesha,

Have you checked whether the assertion is encrypted in the response IS sends
back to travelocity app?

And please provide the SSO Trace (save as a text file and attach in the
mail) for the whole flow.

Thanks,
Darshana

On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda  wrote:

> Hi.
>
> I have configured the setup to Login to the Identity Server Using Another
> Identity Server as per the details in [1] in Super tenant mode. With the
> happy scenario according to the documentation this works fine. But I have
> enabled some additional properties in IDP and SP used for IDP as follows:
>
> *Properties enabled for Federated Authenticators* - SAML2 Web SSO
> Configuration
>
> 1. Enabled Assertion Encryption
> 2. Enable Assertion Signing
> 3. Enable Authentication Response Signing
>
> *Properties enabled for SP used for IDP*
>
> 1. Enabled Assertion Encryption
> 2. Enabled Response Signing
>
> *Properties enabled for SP used for travelocity app*
>
> 1. Enabled Assertion Encryption
> 2. Enabled Response Signing
>
> In the travelocity.properties file also I have enabled Assertion
> Encryption, Response signing and Assertion signing. I have already imported
> the Identity Provider Public Certificate to IDP.
>
> When I'm signing in to travelocity.com I get Unable to decrypt the SAML
> Assertion error and error in [2] in tomcat.
>
> Note that with only "assertion signing" enabled in IDP I was successfully
> able to log in and no error was displayed. When I enabled Assertion
> Encryption this error occurred. Why does this error occur when I enable
> this property as mentioned above?
>
> Any help regarding this is highly appreciated!
>
>
>
> [1] -
> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>
> [2] - Oct 02, 2015 2:10:47 PM
> org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
> SEVERE: An error has occurred
> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to
> decrypt the SAML Assertion
> at
> org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
> at
> org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
> at
> org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
> at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
>
>
>
>
> Thanks!
> --
> *Nadeesha Meegoda*
> Software Engineer - QA
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> email : nadees...@wso2.com
> mobile: +94783639540
>



-- 
Regards,

*Darshana Gunawardana*
Senior Software Engineer
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-02 Thread Nadeesha Meegoda
Hi.

I have configured the setup to Login to the Identity Server Using Another
Identity Server as per the details in [1] in Super tenant mode. With the
happy scenario according to the documentation this works fine. But I have
enabled some additional properties in IDP and SP used for IDP as follows:

*Properties enabled for Federated Authenticators* - SAML2 Web SSO
Configuration

1. Enabled Assertion Encryption
2. Enable Assertion Signing
3. Enable Authentication Response Signing

*Properties enabled for SP used for IDP*

1. Enabled Assertion Encryption
2. Enabled Response Signing

*Properties enabled for SP used for travelocity app*

1. Enabled Assertion Encryption
2. Enabled Response Signing

In the travelocity.properties file also I have enabled Assertion
Encryption, Response signing and Assertion signing. I have already imported
the Identity Provider Public Certificate to IDP.

When I'm signing in to travelocity.com I get Unable to decrypt the SAML
Assertion error and error in [2] in tomcat.

Note that with only "assertion signing" enabled in IDP I was successfully
able to log in and no error was displayed. When I enabled Assertion
Encryption this error occurred. Why does this error occur when I enable
this property as mentioned above?

Any help regarding this is highly appreciated!



[1] -
https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510

[2] - Oct 02, 2015 2:10:47 PM
org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
SEVERE: An error has occurred
org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to
decrypt the SAML Assertion
at
org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
at
org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
at
org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)




Thanks!
-- 
*Nadeesha Meegoda*
Software Engineer - QA
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
email : nadees...@wso2.com
mobile: +94783639540
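For readers of the question above, the following is an added example and not code from sso.agent, WSO2 IS or anyone on this thread. It shows how a SAML2 service provider wires the OpenSAML 2.x Decrypter so that the SP's own private key is the credential used to unwrap the EncryptedKey, and it runs a check beforehand on whether the IdP encrypted to the SP's certificate at all, which is the Certificate Alias question raised in the replies. It assumes OpenSAML 2.x on the classpath; the keystore path, passwords, alias and the class and method names (AssertionDecryptCheck, loadSpCredential, encryptedToUs, decrypt) are placeholders chosen here.

```java
// Added example (not sso.agent or WSO2 IS code): decrypting a SAML2
// <saml:EncryptedAssertion> with OpenSAML 2.x using the SP's own private key.
// Keystore path, passwords and alias below are placeholders.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
import org.opensaml.xml.encryption.DecryptionException;
import org.opensaml.xml.encryption.EncryptedKey;
import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoHelper;
import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.KeyInfo;

public final class AssertionDecryptCheck {

    /** Load the SP's private key and certificate from its JKS keystore by alias. */
    static BasicX509Credential loadSpCredential(String keyStorePath, char[] storePass,
                                               String alias, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, storePass);
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (key == null || cert == null) {
            // A trusted-cert-only entry under this alias cannot decrypt anything.
            throw new IllegalStateException("alias '" + alias + "' is not a private key entry");
        }
        BasicX509Credential cred = new BasicX509Credential();
        cred.setEntityCertificate(cert);
        cred.setPrivateKey(key);
        return cred;
    }

    /** True when an EncryptedKey in the assertion carries the SP's own certificate. */
    static boolean encryptedToUs(EncryptedAssertion enc, X509Certificate ours) throws Exception {
        KeyInfo dataKeyInfo = enc.getEncryptedData().getKeyInfo();
        if (dataKeyInfo == null) {
            return false;
        }
        for (EncryptedKey ek : dataKeyInfo.getEncryptedKeys()) {
            if (ek.getKeyInfo() == null) {
                continue;
            }
            for (X509Certificate c : KeyInfoHelper.getCertificates(ek.getKeyInfo())) {
                if (c.equals(ours)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Decrypt the first EncryptedAssertion in the response with the SP credential. */
    static Assertion decrypt(Response response, BasicX509Credential spCred) throws Exception {
        List<EncryptedAssertion> encrypted = response.getEncryptedAssertions();
        if (encrypted.isEmpty()) {
            // First thing to confirm: was the assertion encrypted at all?
            throw new IllegalStateException("Response carries no EncryptedAssertion; "
                + response.getAssertions().size() + " plaintext assertion(s) present");
        }
        EncryptedAssertion enc = encrypted.get(0);
        if (!encryptedToUs(enc, spCred.getEntityCertificate())) {
            // KeyInfo may legitimately omit the certificate, so this is a hint only.
            System.err.println("warning: EncryptedKey does not name the loaded SP certificate; "
                + "check which certificate alias the IdP encrypts to");
        }
        // Where the EncryptedKey can sit: inline in EncryptedData/KeyInfo, or as a
        // sibling of EncryptedData inside the EncryptedAssertion element.
        ChainingEncryptedKeyResolver keyLocator = new ChainingEncryptedKeyResolver();
        keyLocator.getResolverChain().add(new InlineEncryptedKeyResolver());
        keyLocator.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
        // No resolver for the data key (null): the SP private key is the KEK that
        // unwraps the EncryptedKey, which then decrypts the assertion body.
        Decrypter decrypter = new Decrypter(null,
            new StaticKeyInfoCredentialResolver(spCred), keyLocator);
        decrypter.setRootInNewDocument(true);
        try {
            return decrypter.decrypt(enc);
        } catch (DecryptionException e) {
            throw new DecryptionException("Unable to decrypt the SAML Assertion with the "
                + "loaded SP private key", e);
        }
    }
}
```

The KEK resolver is the part that matters for the error in this thread: if the credential handed to the Decrypter is not the private key matching the certificate the IdP encrypted to (for example a trusted-certificate entry rather than a key entry under the configured alias, or a tenant keystore that was never consulted), OpenSAML cannot resolve a decryption key for the EncryptedKey and the agent surfaces it as "Unable to decrypt the SAML Assertion". The pre-check before decryption separates that misconfiguration from a genuine library defect.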


Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-02 Thread Nadeesha Meegoda
Hi Tharindu,

When I tested this with single IS for SAML SSO (not the federated scenario)
everything worked fine for super tenant. I doubt this is related to the
federated scenario. Please have a look and let me know.

Thanks!

On Fri, Oct 2, 2015 at 8:52 PM, Tharindu Edirisinghe 
wrote:

> Hi Nadeesha,
>
> For super tenant, sso.agent should be able to decrypt the encrypted SAML
> assertion. However there was an issue [1] where for a tenant, when the
> tenant encrypts the SAML assertion with the public certificate of the
> client (i.e. travelocity app), sso.agent could not decrypt the
> assertion because, in the code, the private key of travelocity's key store
> was not getting picked up because of the particular method called in the
> OpenSAML library. This was patched some time back for sso.agent 1.2 version but
> we need to check whether the same fix got correctly merged to higher
> versions (i.e. 1.4). Ideally this should anyway work for super tenant, but
> we'll check the same scenario more and let you know.
>
> [1] https://wso2.org/jira/browse/IDENTITY-3186
>
> Regards,
> TharinduE
>
> On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda 
> wrote:
>
>> Hi Darshana,
>>
>> Yes the response is encrypted. Sending the SAML sso trace attached with
>> the mail.
>>
>> @Ishara I used wso2carbon as the certificate alias since I'm using the
>> default key stores and also I'm testing this in super tenant mode. Do I
>> need to import the public certificate of the private key of travelocity app
>> to IS keystores in super tenant mode?
>>
>> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna 
>> wrote:
>>
>>> Hi Nadeesha,
>>>
>>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana 
>>> wrote:
>>>
 Hi Nadeesha,

 Have you checked whether the assertion is encrypted in the response IS
 sends back to travelocity app?

 And please provide the SSO Trace (save as a text file and attach in the
 mail) for the whole flow.

 Thanks,
 Darshana

 On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda 
 wrote:

> Hi.
>
> I have configured the setup to Login to the Identity Server Using
> Another Identity Server as per the details in [1] in Super tenant mode.
> With the happy scenario according to the documentation this works fine.
> But I have enabled some additional properties in IDP and SP used for IDP
> as follows:
>
> *Properties enabled for Federated Authenticators* - SAML2 Web SSO
> Configuration
>
> 1. Enabled Assertion Encryption
> 2. Enable Assertion Signing
> 3. Enable Authentication Response Signing
>
> *Properties enabled for SP used for IDP*
>
> 1. Enabled Assertion Encryption
> 2. Enabled Response Signing
>
> *Properties enabled for SP used for travelocity app*
>
> 1. Enabled Assertion Encryption
>
 What is the Certificate Alias you used here?
>>> Is that the public key in travelocity app?
>>>
 2. Enabled Response Signing
>
> In the travelocity.properties file also I have enabled Assertion
> Encryption, Response signing and Assertion signing. I have already imported
> the Identity Provider Public Certificate to IDP.
>
> When I'm signing in to travelocity.com I get Unable to decrypt the
> SAML Assertion error and error in [2] in tomcat.
>
> Note that with only "assertion signing" enabled in IDP I was successfully
> able to log in and no error was displayed. When I enabled Assertion
> Encryption this error occurred. Why does this error occur when I enable
> this property as mentioned above?
>
> Any help regarding this is highly appreciated!
>
>
>
> [1] -
> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510
>
> [2] - Oct 02, 2015 2:10:47 PM
> org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
> SEVERE: An error has occurred
> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable
> to decrypt the SAML Assertion
> at
> org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
> at
> org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
> at
> org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> at
> 

Re: [Dev] [IS] - Unable to decrypt the SAML Assertion When Authenticating to Travelocity app

2015-10-02 Thread Tharindu Edirisinghe
Hi Nadeesha,

For super tenant, sso.agent should be able to decrypt the encrypted SAML
assertion. However there was an issue [1] where for a tenant, when the
tenant encrypts the SAML assertion with the public certificate of the
client (i.e. travelocity app), sso.agent could not decrypt the
assertion because, in the code, the private key of travelocity's key store
was not getting picked up because of the particular method called in the
OpenSAML library. This was patched some time back for sso.agent 1.2 version but
we need to check whether the same fix got correctly merged to higher
versions (i.e. 1.4). Ideally this should anyway work for super tenant, but
we'll check the same scenario more and let you know.

[1] https://wso2.org/jira/browse/IDENTITY-3186

Regards,
TharinduE

On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda  wrote:

> Hi Darshana,
>
> Yes the response is encrypted. Sending the SAML sso trace attached with
> the mail.
>
> @Ishara I used wso2carbon as the certificate alias since I'm using the
> default key stores and also I'm testing this in super tenant mode. Do I
> need to import the public certificate of the private key of travelocity app
> to IS keystores in super tenant mode?
>
> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna 
> wrote:
>
>> Hi Nadeesha,
>>
>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana 
>> wrote:
>>
>>> Hi Nadeesha,
>>>
>>> Have you checked whether the assertion is encrypted in the response IS
>>> sends back to travelocity app?
>>>
>>> And please provide the SSO Trace (save as a text file and attach in the
>>> mail) for the whole flow.
>>>
>>> Thanks,
>>> Darshana
>>>
>>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda 
>>> wrote:
>>>
 Hi.

 I have configured the setup to Login to the Identity Server Using
 Another Identity Server as per the details in [1] in Super tenant mode.
 With the happy scenario according to the documentation this works fine. But
 I have enabled some additional properties in IDP and SP used for IDP as
 follows:

 *Properties enabled for Federated Authenticators* - SAML2 Web SSO
 Configuration

 1. Enabled Assertion Encryption
 2. Enable Assertion Signing
 3. Enable Authentication Response Signing

 *Properties enabled for SP used for IDP*

 1. Enabled Assertion Encryption
 2. Enabled Response Signing

 *Properties enabled for SP used for travelocity app*

 1. Enabled Assertion Encryption

>>> What is the Certificate Alias you used here?
>> Is that the public key in travelocity app?
>>
>>> 2. Enabled Response Signing

 In the travelocity.properties file also I have enabled Assertion
 Encryption, Response signing and Assertion signing. I have already imported
 the Identity Provider Public Certificate to IDP.

 When I'm signing in to travelocity.com I get Unable to decrypt the
 SAML Assertion error and error in [2] in tomcat.

 Note that with only "assertion signing" enabled in IDP I was successfully
 able to log in and no error was displayed. When I enabled Assertion
 Encryption this error occurred. Why does this error occur when I enable
 this property as mentioned above?

 Any help regarding this is highly appreciated!



 [1] -
 https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer=IS510

 [2] - Oct 02, 2015 2:10:47 PM
 org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
 SEVERE: An error has occurred
 org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable
 to decrypt the SAML Assertion
 at
 org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
 at
 org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
 at
 org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
 at
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
 at
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
 at
 org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
 at
 org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
 at
 org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
 at
 org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
 at
 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
 at
 org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
 at