Hi,

I debugged org.wso2.store.sso.common.util.Util (product-es/modules/components/sso-common). I also attached xmltooling-1.3.1-sources.jar and xmlsec-1.5.5-sources.jar to get the complete executing code.

I compared the signingCert variable (in org.wso2.store.sso.common.util.X509CredentialImpl) when I log in as a tenant. If I log in to ES's management console the subject of the certificate is

    CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US

but when I log in to the publisher as the same tenant the subject of the certificate is

    C=None, O="None L=None", OU=None, CN=istenant.com

Please note that in both of the above scenarios I am logging in as a tenant, and when I try to log in to the publisher the signature is being validated against the tenant-specific certificate. Is this what causes the "org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key" exception?

Thanks
Senduran

On Mon, Jan 19, 2015 at 11:31 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:

> Hi,
>
> Thanks Malithi for the response.
> I tried un-checking "Enable Response Signing", but even when I log in as admin I got the following exception:
>
> java.lang.NullPointerException
>     at org.opensaml.xml.signature.SignatureValidator.buildSignature(SignatureValidator.java:91)
>     at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:55)
>     at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     .....
>
> What am I missing here?
>
> @ES Team, could you please help me on how to import the public certificate of a tenant to the publisher's key store? Where can I find the tenant's public certificate?
>
> Thank you
> Senduran
>
> On Mon, Jan 19, 2015 at 8:10 PM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>
>> Hi Senduran,
>>
>> There's a separate primary keystore generated for the tenant. Since you have enabled response signing also, the service provider that you have registered should know the public key of the IdP in order to validate. Hence, the service provider should have the public key of the IdP in its keystore and validate the signature acquiring the respective alias. So in this case I think that you should import the public cert of the respective tenant to your publisher's keystore.
>>
>> Thanks,
>> Malithi.
>>
>> On Mon, Jan 19, 2015 at 12:35 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> I am experiencing $subject with ES 2.0.0 M5. Following are the changes I made to configure SSO.
>>>
>>> - Shared registry and user database between ES and IS
>>> - In ES's user-mgt.xml, pointed the "UserStoreManager" to IS's embedded LDAP
>>> - Modified the following in the publisher and store json:
>>>
>>>       "identityProviderURL": "https://localhost:<IS-Port>/samlsso"
>>>
>>> - Created a Service Provider for publisher and store in IS as follows
>>>
>>> SP for publisher
>>>
>>>   Issuer: publisher
>>>   Assertion Consumer URL: https://localhost:<ES-Port>/publisher/acs
>>>   Use fully qualified username in the NameID
>>>   Enable Response Signing
>>>   Enable Assertion Signing
>>>   Enable Single Logout
>>>
>>> SP for store
>>>
>>>   Issuer: store
>>>   Assertion Consumer URL: https://localhost:<ES-Port>/store/acs
>>>   Use fully qualified username in the NameID
>>>   Enable Response Signing
>>>   Enable Assertion Signing
>>>   Enable Single Logout
>>>
>>> When admin logs in, the publisher behaves as expected (i.e. the page is redirected to the IS login and then redirected to the publisher; if an SSO session is already available, it goes directly to the publisher).
>>> But when I log in as a tenant, the browser is redirected to https://localhost:9443/publisher/acs and the following exception is shown in the console:
>>>
>>> INFO {JAGGERY.controllers.login:jag} - Login URL: https://localhost:9447/samlsso
>>> org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
>>>     at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
>>>     at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:606)
>>>     at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>>     at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
>>>     at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>>     at org.jaggeryjs.rhino.<sso>.scripts.c0._c_anonymous_3(<sso>/scripts/sso.client.js:50)
>>>     at org.jaggeryjs.rhino.<sso>.scripts.c0.call(<sso>/scripts/sso.client.js)
>>>     at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>>     at org.jaggeryjs.rhino.publisher.controllers.c1._c_anonymous_1(/publisher/controllers/acs.jag:48)
>>>     at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>     at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
>>>     at org.jaggeryjs.rhino.publisher.controllers.c1._c_script_0(/publisher/controllers/acs.jag:20)
>>>     at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>     at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>>>     at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
>>>     at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
>>>     at org.jaggeryjs.rhino.publisher.controllers.c1.exec(/publisher/controllers/acs.jag)
>>>     at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
>>>     at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
>>>     at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:559)
>>>     at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>     at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
>>>     at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
>>>     at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
>>>     at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
>>>     at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:183)
>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>     at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:56)
>>>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:146)
>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>     at java.lang.Thread.run(Thread.java:745)
>>>
>>> (My ES runs on the default port and IS runs on port offset 4)
>>>
>>> Could you please help me to resolve this issue?
>>>
>>> Thank you
>>> Senduran
>>>
>>> --
>>> Senduran
>>> Software Engineer,
>>> WSO2, Inc.; http://wso2.com/
>>> Mobile: +94 77 952 6548
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>> --
>> Malithi Edirisinghe
>> Senior Software Engineer
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> malit...@wso2.com
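As an added example (not code from product-es, from the WSO2 posters, or from the OpenSAML project), the sketch below shows what Malithi's advice looks like on the SP side: pick the verifying certificate by the tenant's keystore alias and validate the SAML Response signature with the OpenSAML 2.x classes that appear in the traces. The keystore path, its password and the tenant-to-alias mapping are assumptions. It also returns a clear result for an unsigned Response instead of handing a null Signature to SignatureValidator, which is the likely path to the NullPointerException in buildSignature quoted in the thread.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import org.opensaml.saml2.core.Response;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureProfileValidator;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;

public final class TenantAwareSamlSignatureCheck {

    // Assumption (hypothetical convention): each tenant's IdP signing cert is imported
    // into the SP keystore under an alias equal to its tenant domain, e.g. "istenant.com".
    static String aliasForTenant(String tenantDomain) {
        return tenantDomain.toLowerCase();
    }

    // Loads the SP's JKS trust store; path and password are caller-supplied placeholders.
    public static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // true  -> Response signature verifies against the tenant's IdP certificate
    // false -> Response is unsigned, or was signed by a key other than the one
    //          stored under that tenant's alias (the failure seen in the thread)
    public static boolean isResponseSignedByTenantIdp(Response response, String tenantDomain,
                                                      KeyStore trustStore) throws Exception {
        Signature signature = response.getSignature();
        if (signature == null) {
            return false;            // never pass a null Signature into SignatureValidator
        }
        // Enforce the SAML signature profile (enveloped, one reference) before any crypto.
        new SignatureProfileValidator().validate(signature);

        X509Certificate idpCert =
                (X509Certificate) trustStore.getCertificate(aliasForTenant(tenantDomain));
        if (idpCert == null) {
            throw new ValidationException("No IdP certificate in SP keystore for tenant " + tenantDomain);
        }
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(idpCert);
        credential.setPublicKey(idpCert.getPublicKey());
        try {
            new SignatureValidator(credential).validate(signature);
            return true;
        } catch (ValidationException e) {
            return false;            // "Signature did not validate against the credential's key"
        }
    }
}
```

The tenant domain would be taken from the fully qualified NameID the SP is configured to receive, so a tenant's Response is checked against that tenant's imported certificate rather than the super-tenant's localhost certificate.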