You need to share the same registry (mount registries) between IS and APIM
to make this work for tenants.

It's because tenants have their key stores in the registry and the SAML
response is signed using the key in this key store. If they don't share the
registry, signing will be done by one key and verification will be done by a
non-matching public key. Hence, signature validation will fail.

Disabling signature validation poses a security threat. Therefore it's not
recommended to do that.

Thanks,
NuwanD.

On Wed, Jun 1, 2016 at 11:16 AM, Megala Uthayakumar <[email protected]> wrote:

> It is working when I remove that signature validation part from acs.jag
>
> On Wed, Jun 1, 2016 at 9:35 AM, Udara Rathnayake <[email protected]> wrote:
>
>>
>>
>> On Wed, Jun 1, 2016 at 8:53 AM, Megala Uthayakumar <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> I am trying to configure SSO in APIM 2.0.x by following [1]. Publisher
>>> and Store jaggery apps work as expected but when I try to login to portal
>>> app(Portal of Dashboard Server) using SSO, it works fine when I am logging
>>> in as super-tenant user but whenever I try to login in as a user from other
>>> tenants, it throws following error,
>>>
>>> org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
>>>
>> For the moment, shall we disable the signature validation and try?
>>
>>
>>> at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
>>> at org.jaggeryjs.modules.sso.common.util.Util.validateSignature(Util.java:290)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>> at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
>>> at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
>>> at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
>>> at org.jaggeryjs.rhino.<sso>.scripts.c0._c_anonymous_3(<sso>/scripts/sso.client.js:57)
>>> at org.jaggeryjs.rhino.<sso>.scripts.c0.call(<sso>/scripts/sso.client.js)
>>> at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
>>> at org.jaggeryjs.rhino.portal.controllers.c3._c_anonymous_1(/portal/controllers/acs.jag:77)
>>> at org.jaggeryjs.rhino.portal.controllers.c3.call(/portal/controllers/acs.jag)
>>> at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
>>> at org.jaggeryjs.rhino.portal.controllers.c3._c_script_0(/portal/controllers/acs.jag:20)
>>> at org.jaggeryjs.rhino.portal.controllers.c3.call(/portal/controllers/acs.jag)
>>> at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
>>> at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
>>> at org.jaggeryjs.rhino.portal.controllers.c3.call(/portal/controllers/acs.jag)
>>> at org.jaggeryjs.rhino.portal.controllers.c3.exec(/portal/controllers/acs.jag)
>>> at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
>>> at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
>>> at org.jaggeryjs.jaggery.core.manager.WebAppManager.exec(WebAppManager.java:587)
>>> at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:507)
>>> at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:747)
>>> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
>>> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:377)
>>> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
>>> at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>> at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>> at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>> at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
>>> at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>> at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>> at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>>> at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1749)
>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1708)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>> at java.lang.Thread.run(Thread.java:745)
>>>
>>> When I tried the same setup in product-ds using the internal identity
>>> server, it works fine for both super-tenant and other tenants.
>>>
>>> What could be the possible reason for this? Any help on this is highly
>>> appreciated.
>>>
>>> [1]
>>> https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2#ConfiguringSingleSign-onwithSAML2-ConfiguringWSO2APIManagerappsasSAML2.0SSOserviceproviders
>>> Thanks.
>>>
>>> Regards,
>>> Megala
>>> --
>>> Megala Uthayakumar
>>>
>>> Software Engineer
>>> Mobile : 0779967122
>>>
>>
>>
>>
>> --
>> Regards,
>> UdaraR
>>
>
>
>
> --
> Megala Uthayakumar
>
> Software Engineer
> Mobile : 0779967122
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Nuwan Dias

Technical Lead - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
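To make the explanation at the top of the thread concrete, here is an added Go sketch (not WSO2 code, and not from anyone in this thread) of the two-registry situation: IS signs the SAML response with the tenant key held in its registry, and APIM (acs.jag) verifies with whatever key its own registry holds for that tenant. The Registry map, the tenant domain and the SAML payload are constructed stand-ins for the Carbon registry key stores.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Registry stands in for the per-tenant key store a Carbon server reads from its registry.
type Registry map[string]*rsa.PrivateKey

func newTenantKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signResponse is the IdP side: IS signs with the tenant key found in ITS registry.
func signResponse(is Registry, tenant string, resp []byte) []byte {
	d := sha256.Sum256(resp)
	sig, err := rsa.SignPKCS1v15(rand.Reader, is[tenant], crypto.SHA256, d[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyResponse is the SP side (acs.jag): APIM checks with the key ITS registry holds for the tenant.
func verifyResponse(apim Registry, tenant string, resp, sig []byte) bool {
	d := sha256.Sum256(resp)
	return rsa.VerifyPKCS1v15(&apim[tenant].PublicKey, crypto.SHA256, d[:], sig) == nil
}

// Scenario reports whether tenant SSO verifies with a shared registry (true) or separate ones (false).
func Scenario(shared bool) bool {
	const tenant = "example.com" // constructed tenant domain
	is := Registry{tenant: newTenantKey()}
	apim := is // mounted/shared registry: APIM sees the very same key store
	if !shared {
		apim = Registry{tenant: newTenantKey()} // separate registry: same tenant, a different key pair
	}
	resp := []byte("<saml2p:Response ID='constructed-sample'/>") // constructed payload
	return verifyResponse(apim, tenant, resp, signResponse(is, tenant, resp))
}
func main() {
	fmt.Println("shared:", Scenario(true), "separate:", Scenario(false)) // true false
}
```

The separate-registry case is exactly the "Signature did not validate against the credential's key" outcome; mounting the registry makes both lookups return the same key.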
