Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-07 Thread Bhathiya Jayasekara
Any response on this?

On Mon, Jun 6, 2016 at 2:22 PM, Bhathiya Jayasekara wrote:
> Hi all,
>
> Do we still need to do this step even with IS 5.2.0? I tested this with
> 10 and it worked fine.
>
> Reduce the priority of the SAML2SSOAuthenticator configuration in the
>

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Bhathiya Jayasekara
Hi all,

Do we still need to do this step even with IS 5.2.0? I tested this with 10 and it worked fine.

Reduce the priority of the SAML2SSOAuthenticator configuration in the /repository/conf/security/authenticators.xml file. You do this as a workaround for a known issue that will be fixed in a

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Tania Mahanama
On Mon, Jun 6, 2016 at 12:56 PM, Bhathiya Jayasekara wrote:
> Thanks Harsha.
>
> @Tania: We need to update doc with this new config change.
>
Noted.
>
> Thanks,
> Bhathiya
>
> On Mon, Jun 6, 2016 at 12:47 PM, Harsha Thirimanna
> wrote:
>
>> Hi Bhathiya,

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Bhathiya Jayasekara
Thanks Harsha.

@Tania: We need to update doc with this new config change.

Thanks,
Bhathiya

On Mon, Jun 6, 2016 at 12:47 PM, Harsha Thirimanna wrote:
> Hi Bhathiya,
> Yes, this will work as expected when you enable this option in SAAS
> enables SP.
>
>
> *Harsha Thirimanna*

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Harsha Thirimanna
Hi Bhathiya,

Yes, this will work as expected when you enable this option in SAAS enables SP.

Harsha Thirimanna
Associate Tech Lead; WSO2, Inc.; http://wso2.com
email: hars...@wso2.com
cell: +94 71 5186770
twitter: http://twitter.com/

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Harsha Thirimanna
https://wso2.org/jira/browse/DOCUMENTATION-3430

Harsha Thirimanna
Associate Tech Lead; WSO2, Inc.; http://wso2.com
email: hars...@wso2.com
cell: +94 71 5186770
twitter: http://twitter.com/

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Bhathiya Jayasekara
Hi Harsha,

On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna wrote:
> Hi Bhathiya,
>
> Yes, 5.2.0 onwards, we have disabled it. You are correct.
>
> The reason was, if we enable it by default, then for the super tenant
> users, there will be carbon.super within the user name

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-06 Thread Harsha Thirimanna
Hi Bhathiya,

Yes, 5.2.0 onwards, we have disabled it. You are correct.

The reason was, if we enable it by default, then for the super tenant users, there will be carbon.super within the user name as a subject. That is a very unexpected case and then we have to disable it manually. Your case coming

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Bhathiya Jayasekara
Hi Harsha/Omindu,

I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.

Thanks,
Bhathiya

On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna wrote:
> Bhathiya,
> What is your IS version? We are talking about last released version.
>
>
> *Harsha Thirimanna*

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Harsha Thirimanna
Bhathiya,

What is your IS version? We are talking about last released version.

Harsha Thirimanna
Associate Tech Lead; WSO2, Inc.; http://wso2.com
email: hars...@wso2.com
cell: +94 71 5186770
twitter: http://twitter.com/

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Harsha Thirimanna
Hi Bhathiya,

This option is enabled by default in a fresh pack. So unless someone un-ticks this option manually for some reason, this would work as expected for the customers who migrate to APIM 2.0. In your case, how was this option disabled? Did you disable it in the UI?

Harsha

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Omindu Rathnaweera
Hi Bhathiya,

This is the expected behavior. With IS 5.1.0, we have given the capability to separately specify whether to include the tenant domain and/or the user store domain in the subject. This setting is now under the 'Local & Outbound Authentication Configuration' section. In earlier IS versions

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Bhathiya Jayasekara
Hi Omindu,

Thanks. That worked. Could you please explain this new behavior? Is this an intentional change? Or a workaround for an issue? I'm asking this because this is going to affect existing customers, as all of them have to make this change in their setups to get SSO working after upgrading to

Re: [Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Omindu Rathnaweera
Hi Bhathiya,

Can you try changing the following config in IS SP and see whether you are still getting logged as the super tenant.

Edit the API_Manager SP. Under 'Local & Outbound Authentication Configuration', select the 'Use tenant domain in local subject identifier' option and save the changes.

[Dev] [APIM 2.0.0] [IS] SSO is broken for tenants

2016-06-05 Thread Bhathiya Jayasekara
Hi IS team,

I configured SSO as per this doc[1]. I enabled SaaS Application in store and publisher SPs. But when I try to log in as *ad...@b.com*, it fails with "*SAML response signature is verification failed.*". But if I remove *true *config from identity.xml and do the same, I'm