Hi Tharindu, When I tested this with single IS for SAML SSO (not the federated scenario) everything worked fine for super tenant. I doubt this is related to the federated scenario. Please have a look and let me know.
Thanks! On Fri, Oct 2, 2015 at 8:52 PM, Tharindu Edirisinghe <tharin...@wso2.com> wrote: > Hi Nadeesha, > > For super tenant, sso.agent should be able to decrypt the encrypted saml > assertion. However there was an issue [1] where for a tenant, when the > tenant encrypts the SAML assertion from the public certificate of the > client (i.e travelocity app), then sso.agent could not decrypt the > assertion because in the code, the private key of travelocity's key store > was not getting picked up because of the particular method called in open > saml library. This was patched sometimes back for sso.agent 1.2 version but > we need to check whether the same fix got correctly merged to higher > versions (i.e 1.4). Ideally this should anyway work for super tenant, but > we'll check the same scenario more and let you know. > > [1] https://wso2.org/jira/browse/IDENTITY-3186 > > Regards, > TharinduE > > On Fri, Oct 2, 2015 at 3:34 PM, Nadeesha Meegoda <nadees...@wso2.com> > wrote: > >> Hi Darshana, >> >> Yes the response is encrypted. Sending the SAML sso trace attached with >> the mail. >> >> @Ishara I used wso2carbon as the certificate alias since I'm using the >> default key stores and also I'm testing this in super tenant mode. Do I >> need to import the public certificate of the private key of travelocity app >> to IS keystores in super tenant mode? >> >> On Fri, Oct 2, 2015 at 3:19 PM, Ishara Karunarathna <isha...@wso2.com> >> wrote: >> >>> Hi Nadeesha, >>> >>> On Fri, Oct 2, 2015 at 3:04 PM, Darshana Gunawardana <darsh...@wso2.com> >>> wrote: >>> >>>> Hi Nadeesha, >>>> >>>> Have you checked whether the assertion is encrypted in the response IS >>>> send back to travelocity app? >>>> >>>> And please provide the SSO Trace (save as a text file and attach in the >>>> mail) for the whole flow. >>>> >>>> Thanks, >>>> Darshana >>>> >>>> On Fri, Oct 2, 2015 at 2:53 PM, Nadeesha Meegoda <nadees...@wso2.com> >>>> wrote: >>>> >>>>> Hi. >>>>> >>>>> I have configured the setup to Login to the Identity Server Using >>>>> Another Identity Server as per the details in [1] in Super tenant mode. >>>>> With the happy scenario according to the documentation this works fine. >>>>> But >>>>> I have enabled some additional properties in IDP and SP used for IDP as >>>>> following : >>>>> >>>>> *Properties enabled for Federated Authenticators* - SAML2 Web SSO >>>>> Configuration >>>>> >>>>> 1. Enabled Assertion Encryption >>>>> 2. Enable Assertion Signing >>>>> 3. Enable Authentication Response Signing >>>>> >>>>> *Properties enabled fo SP used for IDP * >>>>> >>>>> 1. Enabled Assertion Encryption >>>>> 2. Enabled Response Signing >>>>> >>>>> *Properties enabled fo SP used for travelocity app* >>>>> >>>>> 1. Enabled Assertion Encryption >>>>> >>>> What is the Certificate Alias you used here ? >>> is that the public key in travelocity app ? >>> >>>> 2. Enabled Response Signing >>>>> >>>>> In the travelocity.properties file also I have enabled Assertion >>>>> Encryption,Response signing and Assertion signing. I have already imported >>>>> the Identity Provider Public Certificate to IDP >>>>> >>>>> When I'm signing in to travelocity.com I get Unable to decrypt the >>>>> SAML Assertion error and error in [2] in tomcat. >>>>> >>>>> Note that only enabling "assertion signing" in IDP I was successfully >>>>> able to login and no error was displayed. When I enabled the Assertion >>>>> Encryption this error occurred. Why is this error occurred when I enable >>>>> this property as mentioned above? >>>>> >>>>> Any help regarding this is highly appreciated! >>>>> >>>>> >>>>> >>>>> [1] - >>>>> https://docs.wso2.com/pages/viewpage.action?title=Login%2Bto%2Bthe%2BIdentity%2BServer%2BUsing%2BAnother%2BIdentity%2BServer&spaceKey=IS510 >>>>> >>>>> [2] - Oct 02, 2015 2:10:47 PM >>>>> org.wso2.carbon.identity.sso.agent.SSOAgentFilter doFilter >>>>> SEVERE: An error has occurred >>>>> org.wso2.carbon.identity.sso.agent.exception.SSOAgentException: Unable >>>>> to decrypt the SAML Assertion >>>>> at >>>>> org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processSSOResponse(SAML2SSOManager.java:254) >>>>> at >>>>> org.wso2.carbon.identity.sso.agent.saml.SAML2SSOManager.processResponse(SAML2SSOManager.java:198) >>>>> at >>>>> org.wso2.carbon.identity.sso.agent.SSOAgentFilter.doFilter(SSOAgentFilter.java:89) >>>>> at >>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) >>>>> at >>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) >>>>> at >>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) >>>>> at >>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) >>>>> at >>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505) >>>>> at >>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) >>>>> at >>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) >>>>> at >>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956) >>>>> at >>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) >>>>> at >>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423) >>>>> at >>>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079) >>>>> at >>>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625) >>>>> at >>>>> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318) >>>>> at >>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) >>>>> at >>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) >>>>> at >>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >>>>> at java.lang.Thread.run(Thread.java:745) >>>>> >>>>> >>>>> >>>>> >>>>> Thanks! >>>>> -- >>>>> *Nadeesha Meegoda* >>>>> Software Engineer - QA >>>>> WSO2 Inc.; http://wso2.com >>>>> lean.enterprise.middleware >>>>> email : nadees...@wso2.com >>>>> mobile: +94783639540 >>>>> <%2B94%2077%202273555> >>>>> >>>> >>>> >>>> >>>> -- >>>> Regards, >>>> >>>> >>>> *Darshana Gunawardana*Senior Software Engineer >>>> WSO2 Inc.; http://wso2.com >>>> >>>> *E-mail: darsh...@wso2.com <darsh...@wso2.com>* >>>> *Mobile: +94718566859 <%2B94718566859>*Lean . Enterprise . Middleware >>>> >>> >>> >>> >>> -- >>> Ishara Karunarathna >>> Senior Software Engineer >>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>> >>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: >>> +94717996791 >>> >> >> >> >> -- >> *Nadeesha Meegoda* >> Software Engineer - QA >> WSO2 Inc.; http://wso2.com >> lean.enterprise.middleware >> email : nadees...@wso2.com >> mobile: +94783639540 >> <%2B94%2077%202273555> >> >> _______________________________________________ >> Dev mailing list >> Dev@wso2.org >> http://wso2.org/cgi-bin/mailman/listinfo/dev >> >> > > > -- > > Tharindu Edirisinghe > Software Engineer | WSO2 Inc > Identity Server Team > Blog : tharindue.blogspot.com > mobile : +94 775 181586 > > > -- *Nadeesha Meegoda* Software Engineer - QA WSO2 Inc.; http://wso2.com lean.enterprise.middleware email : nadees...@wso2.com mobile: +94783639540 <%2B94%2077%202273555>
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
