Hi Nadeesha,

For super tenant, sso.agent should be able to decrypt the encrypted SAML
assertion. However, there was an issue [1] where, for a tenant, when the
tenant encrypts the SAML assertion using the public certificate of the
client (i.e. travelocity app), sso.agent could not decrypt the
assertion because in the code the private key of travelocity's key store
was not getting picked up, because of the particular method called in the
OpenSAML library. This was patched some time back for the sso.agent 1.2 version, but
we need to check whether the same fix got correctly merged to higher
versions (i.e. 1.4). Ideally this should anyway work for super tenant, but
we'll check the same scenario more and let you know.

[1] https://wso2.org/jira/browse/IDENTITY-3186

Regards,
TharinduE

On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda <nadees...@wso2.com> wrote:

> Hi Darshana,
>
> Yes the response is encrypted. Sending the SAML sso trace attached with
> the mail.
>
> @Ishara I used wso2carbon as the certificate alias since I'm using the
> default key stores and also I'm testing this in super tenant mode.  Do I
> need to import the public certificate of the private key of travelocity app
> to IS keystores in super tenant mode?
>
> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>> Hi Nadeesha,
>>
>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <darsh...@wso2.com>
>> wrote:
>>
>>> Hi Nadeesha,
>>>
>>> Have you checked whether the assertion is encrypted in the response IS
>>> sends back to the travelocity app?
>>>
>>> And please provide the SSO Trace (save as a text file and attach in the
>>> mail) for the whole flow.
>>>
>>> Thanks,
>>> Darshana
>>>
>>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda <nadees...@wso2.com>
>>> wrote:
>>>
>>>> Hi.
>>>>
>>>> I have configured the setup to Login to the Identity Server Using
>>>> Another Identity Server as per the details in [1] in Super tenant mode.
>>>> With the happy scenario according to the documentation this works fine. But
>>>> I have enabled some additional properties in the IDP and the SP used for the IDP as
>>>> follows:
>>>>
>>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO
>>>> Configuration
>>>>
>>>> 1. Enabled Assertion Encryption
>>>> 2. Enable Assertion Signing
>>>> 3. Enable Authentication Response Signing
>>>>
>>>> *Properties enabled for SP used for IDP*
>>>>
>>>> 1. Enabled Assertion Encryption
>>>> 2. Enabled Response Signing
>>>>
>>>> *Properties enabled for SP used for travelocity app*
>>>>
>>>> 1. Enabled Assertion Encryption
>>>>
>> What is the Certificate Alias you used here?
>> Is that the public key in the travelocity app?
>>
>>>> 2. Enabled Response Signing
>>>>
>>>> In the travelocity.properties file also I have enabled Assertion
>>>> Encryption, Response signing and Assertion signing. I have already imported
>>>> the Identity Provider Public Certificate to the IDP.
>>>>
>>>> When I'm signing in to travelocity.com I get an "Unable to decrypt the
>>>> SAML Assertion" error, and the error in [2] in Tomcat.
>>>>
>>>> Note that with only "assertion signing" enabled in the IDP I was successfully
>>>> able to log in and no error was displayed. When I enabled Assertion
>>>> Encryption this error occurred. Why does this error occur when I enable
>>>> this property as mentioned above?
>>>>
>>>> Any help regarding this is highly appreciated!
>>>>
>>>>
>>>>
>>>> [1] -
>>>> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer&spaceKey=IS510
>>>>
>>>> [2] - Oct 02, 2015 2:10:47 PM org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter
>>>> SEVERE: An error has occurred
>>>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable to decrypt the SAML Assertion
>>>>         at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254)
>>>>         at org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198)
>>>>         at org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>>>>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>>>>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>>>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>
>>>>
>>>>
>>>>
>>>> Thanks!
>>>> --
>>>> *Nadeesha Meegoda*
>>>> Software Engineer - QA
>>>> WSO2 Inc.; http://wso2.com
>>>> lean.enterprise.middleware
>>>> email : nadees...@wso2.com
>>>> mobile: +94783639540
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>>
>>> *Darshana Gunawardana*
>>> Senior Software Engineer
>>> WSO2 Inc.; http://wso2.com
>>>
>>> *E-mail: darsh...@wso2.com*
>>> *Mobile: +94718566859*
>>> Lean . Enterprise . Middleware
>>>
>>
>>
>>
>> --
>> Ishara Karunarathna
>> Senior Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>
>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>> +94717996791
>>
>
>
>
> --
> *Nadeesha Meegoda*
> Software Engineer - QA
> WSO2 Inc.; http://wso2.com
> lean.enterprise.middleware
> email : nadees...@wso2.com
> mobile: +94783639540
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 

Tharindu Edirisinghe
Software Engineer | WSO2 Inc
Identity Server Team
Blog : tharindue.blogspot.com
mobile : +94 775 181586
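As an added illustration of the decryption step discussed in this thread (example code written here, not the sso.agent's or OpenSAML's implementation), the following JDK-only Java program plays both sides of the exchange: it encrypts a constructed assertion to the SP's public key the way the Identity Server does (a random AES data key, RSA-OAEP-wrapped to the key in the SP certificate), then decrypts it with the matching private key the way the agent must, and shows that decryption with any other private key fails with exactly the symptom reported above. The `loadPrivateKey` method is the keystore-by-alias lookup Tharindu describes as not happening in the affected agent version; the keystore path, alias and passwords it takes are placeholders. The XML Encryption packaging is simplified (raw byte arrays instead of `xenc` elements, PKCS5 padding instead of XML-Enc's ISO10126); the key handling is the same.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class SamlAssertionCryptoDemo {

    /** Constructed stand-in for saml:EncryptedAssertion: a wrapped AES key plus IV||ciphertext. */
    static final class EncryptedAssertion {
        final byte[] encryptedKey;  // would be xenc:EncryptedKey/CipherValue (RSA-OAEP wrapped AES key)
        final byte[] ivAndCipher;   // would be xenc:EncryptedData/CipherValue (IV prefix + AES-CBC body)
        EncryptedAssertion(byte[] k, byte[] c) { encryptedKey = k; ivAndCipher = c; }
    }

    /** IdP side: encrypt the assertion to the SP's public key (the key in the travelocity app certificate). */
    static EncryptedAssertion encrypt(String assertionXml, PublicKey spPublicKey) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey dataKey = kg.generateKey();          // fresh data key per assertion
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, dataKey, new IvParameterSpec(iv));
        byte[] body = aes.doFinal(assertionXml.getBytes(StandardCharsets.UTF_8));
        byte[] ivAndCipher = new byte[iv.length + body.length];
        System.arraycopy(iv, 0, ivAndCipher, 0, iv.length);
        System.arraycopy(body, 0, ivAndCipher, iv.length, body.length);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, spPublicKey);        // only the SP private key can unwrap this
        return new EncryptedAssertion(rsa.wrap(dataKey), ivAndCipher);
    }

    /** SP side (what sso.agent has to do): unwrap with the SP private key, then decrypt the body. */
    static String decrypt(EncryptedAssertion ea, PrivateKey spPrivateKey) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, spPrivateKey);
        Key dataKey = rsa.unwrap(ea.encryptedKey, "AES", Cipher.SECRET_KEY);
        byte[] iv = Arrays.copyOfRange(ea.ivAndCipher, 0, 16);
        byte[] body = Arrays.copyOfRange(ea.ivAndCipher, 16, ea.ivAndCipher.length);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.DECRYPT_MODE, dataKey, new IvParameterSpec(iv));
        return new String(aes.doFinal(body), StandardCharsets.UTF_8);
    }

    /** The lookup the thread says was being skipped: read the SP private key by alias from its JKS.
     *  All four parameters are placeholders for whatever the agent's properties file configures. */
    static PrivateKey loadPrivateKey(String keyStorePath, char[] storePassword,
                                     String alias, char[] keyPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, storePassword);
        }
        Key key = ks.getKey(alias, keyPassword);       // null if the alias holds only a trusted cert
        if (!(key instanceof PrivateKey)) {
            // This is the condition that later surfaces as "Unable to decrypt the SAML Assertion".
            throw new IllegalStateException("No private key under alias '" + alias + "' in " + keyStorePath);
        }
        return (PrivateKey) key;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair spKeys = kpg.generateKeyPair();      // stands in for the SP keystore entry (e.g. alias wso2carbon)
        KeyPair wrongKeys = kpg.generateKeyPair();   // a key the assertion was NOT encrypted to

        // Constructed sample assertion; a real one carries the full saml:Assertion element.
        String assertion = "<saml:Assertion ID=\"_demo\"><saml:Subject>alice</saml:Subject></saml:Assertion>";
        EncryptedAssertion ea = encrypt(assertion, spKeys.getPublic());

        System.out.println("decrypted with SP key: " + decrypt(ea, spKeys.getPrivate()));
        try {
            decrypt(ea, wrongKeys.getPrivate());
        } catch (GeneralSecurityException e) {
            // Unwrapping with a key the IdP did not encrypt to fails here; the agent reports it as above.
            System.out.println("wrong key -> " + e.getClass().getSimpleName()
                    + ": Unable to decrypt the SAML Assertion");
        }
    }
}
```

A quick check that goes with this when debugging the reported error: `keytool -list -keystore <sp keystore>` should show a PrivateKeyEntry, not just a trustedCertEntry, under the alias the agent is configured with. An alias that holds only the public certificate can verify the IdP's signatures, which is why "assertion signing" alone works, but it can never decrypt an assertion encrypted to that certificate.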