Ok thanks, if there is no API change we don't have to worry.

Thanks,
NuwanD.

On Thu, Jun 2, 2016 at 10:10 AM, Johann Nallathamby <joh...@wso2.com> wrote:

> Hi Nuwan,
>
> For SAML2 SSO this is how it has been all this time, because we can't
> guarantee the issuer will be unique across tenants, unlike the client id in
> OAuth2, which is a UUID.
>
> In IS, even for OAuth2 we were sending the tenantDomain to the token endpoint
> for all the grant types. However, later we found that in APIM it has been
> working without sending it due to a different reason, and that is why we
> did a fix to make the tenant domain optional to the token endpoint.
>
> I don't think in SAML2 SSO we can change it that way.
>
> Johann.
>
> On Thu, Jun 2, 2016 at 9:40 AM, Nuwan Dias <nuw...@wso2.com> wrote:
>
>> So for tenant users, the samlsso URL has changed (requires the tenantDomain
>> query param)? Does this mean that tenant users who are migrating to the
>> new version have to change their application's SSO handling code?
>>
>> Thanks,
>> NuwanD.
>>
>> On Thu, Jun 2, 2016 at 8:48 AM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>
>>> Hi Chamara,
>>>
>>> Sorry, I missed out some details. I tested the SAML Bearer Grant with an
>>> Identity Server 5.3.0 M1 pack. I had to change the samlsso URL to
>>> https://localhost:9443/samlsso?tenantDomain=wso2.com to log in as a
>>> user in the tenant domain in the travelocity app. Thereafter the SAML2
>>> Bearer grant was sent to the https://localhost:9443/oauth2/token endpoint
>>> without passing the tenantDomain as a query param in the URL.
>>>
>>> The fix [1] was done after Identity Server 5.2.0-beta, so if we are
>>> testing with a 5.2.0-beta or earlier IS pack we would have to send the
>>> tenantDomain as a query param (i.e.
>>> https://localhost:9443/oauth2/token?tenantDomain=<tenantDomain>) to the
>>> token endpoint for SPs in a tenant domain, as Pushpalanka has pointed out
>>> earlier. Otherwise, it will be taken as carbon.super.
>>>
>>> [1] https://wso2.org/jira/browse/IDENTITY-4531
>>>
>>> Thanks,
>>>
>>> Farasath Ahamed
>>> Software Engineer,
>>> WSO2 Inc.; http://wso2.com
>>> lean.enterprise.middleware
>>>
>>> Email: farasa...@wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>
>>> On Thu, Jun 2, 2016 at 7:43 AM, Chamara Ariyarathne <chama...@wso2.com> wrote:
>>>
>>>> Hi Farasath, some unclear points.
>>>>
>>>> On Thu, Jun 2, 2016 at 2:47 AM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I tested the SAML2 bearer grant with the travelocity app for a tenant user
>>>>> and I was able to get an access token with any issue.
>>>>>
>>>> "with" or "without"?
>>>>
>>>>> I had to change the samlsso URL to
>>>>> https://localhost:9443/samlsso?tenantDomain=wso2.com to get the
>>>>> sample working for a tenant user.
>>>>>
>>>> So, is it still needed?
>>>>
>>>>> However, I was able to generate the token without sending the
>>>>> tenantDomain as a query param.
>>>>>
>>>> For which grant type? Are you still talking about the saml2-bearer
>>>> grant type?
>>>>
>>>>> Thanks,
>>>>> Farasath
>>>>>
>>>>> Farasath Ahamed
>>>>> Software Engineer,
>>>>> WSO2 Inc.; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> Email: farasa...@wso2.com
>>>>> Mobile: +94777603866
>>>>> Blog: blog.farazath.com
>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>
>>>>> On Thu, Jun 2, 2016 at 2:22 AM, Farasath Ahamed <farasa...@wso2.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> We have removed the requirement to send in the tenantDomain with the
>>>>>> token request as a query param in [1]. Instead of relying on the query
>>>>>> param we now retrieve the tenantDomain using the client_id sent in the
>>>>>> request. Therefore, this should work for all grant types. Anyway, will
>>>>>> check once again with the SAML2 Bearer grant.
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-4531
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Farasath Ahamed
>>>>>> Software Engineer,
>>>>>> WSO2 Inc.; http://wso2.com
>>>>>> lean.enterprise.middleware
>>>>>>
>>>>>> Email: farasa...@wso2.com
>>>>>> Mobile: +94777603866
>>>>>> Blog: blog.farazath.com
>>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>>
>>>>>> On Thu, Jun 2, 2016 at 1:25 AM, Tania Mahanama <ta...@wso2.com> wrote:
>>>>>>
>>>>>>> On Wed, Jun 1, 2016 at 9:56 PM, Sewmini Jayaweera <sewm...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Pushpalanka,
>>>>>>>>
>>>>>>>> Thank you for your prompt response.
>>>>>>>> I could generate a token successfully with the suggested endpoint.
>>>>>>>>
>>>>>>>> @Tania: Could you please update the documentation [1] with this
>>>>>>>> information? I have created documentation Jira [2].
>>>>>>>>
>>>>>>> Noted.
>>>>>>>
>>>>>>>> [1]. https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
>>>>>>>> [2]. https://wso2.org/jira/browse/DOCUMENTATION-3414
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Sewmini.
>>>>>>>>
>>>>>>>> Sewmini Jayaweera
>>>>>>>> Software Engineer - QA Team
>>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>>> sewm...@wso2.com
>>>>>>>>
>>>>>>>> On Wed, Jun 1, 2016 at 8:42 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Sewmini,
>>>>>>>>>
>>>>>>>>> Please try sending the tenantDomain as a query param in the cURL
>>>>>>>>> command's token endpoint as below.
>>>>>>>>>
>>>>>>>>> https://localhost:9443/oauth2/token?tenantDomain=<tenantDomain>
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> On Wed, Jun 1, 2016 at 8:15 PM, Sewmini Jayaweera <sewm...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Adding dev@wso2.org
>>>>>>>>>>
>>>>>>>>>> Sewmini Jayaweera
>>>>>>>>>> Software Engineer - QA Team
>>>>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>>>>> sewm...@wso2.com
>>>>>>>>>>
>>>>>>>>>> On Wed, Jun 1, 2016 at 8:13 PM, Sewmini Jayaweera <sewm...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi APIM / IS teams,
>>>>>>>>>>>
>>>>>>>>>>> I am testing the 'Exchanging SAML2 Bearer Tokens with OAuth2' (SAML
>>>>>>>>>>> Extension Grant Type) scenario for a tenant user. I followed the API
>>>>>>>>>>> Manager documentation available at [1] and the scenario worked fine for
>>>>>>>>>>> the super tenant. When I try the tenant scenario I noticed that when the
>>>>>>>>>>> service provider and IDP are created in the IS tenant domain, token
>>>>>>>>>>> generation fails. The reason is that even though the SP is in the tenant
>>>>>>>>>>> domain, the system expects the IDP in the carbon.super tenant.
>>>>>>>>>>>
>>>>>>>>>>> Are there any specific configurations which should be done in
>>>>>>>>>>> order to get the tenant scenario working?
>>>>>>>>>>>
>>>>>>>>>>> I have also reported a Jira [2] on this explaining the full
>>>>>>>>>>> scenario.
>>>>>>>>>>>
>>>>>>>>>>> [2]. https://wso2.org/jira/browse/APIMANAGER-4929
>>>>>>>>>>> [1]. https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
>>>>>>>>>>>
>>>>>>>>>>> Kind Regards,
>>>>>>>>>>> Sewmini.
>>>>>>>>>>>
>>>>>>>>>>> Sewmini Jayaweera
>>>>>>>>>>> Software Engineer - QA Team
>>>>>>>>>>> Mobile: +94 (0) 773 381 250
>>>>>>>>>>> sewm...@wso2.com
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Pushpalanka.
>>>>>>>>> --
>>>>>>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>>>>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>>>>>>>>> Mobile: +94779716248
>>>>>>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>>>>>
>>>>>>> --
>>>>>>> Tania Mahanama
>>>>>>> Senior Technical Writer
>>>>>>>
>>>>>>> Contact:
>>>>>>> Mob: +94 077 5129270
>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "WSO2 Documentation Group" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to documentation+unsubscr...@wso2.com.
>>>>>>> For more options, visit https://groups.google.com/a/wso2.com/d/optout.
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>> --
>>>> Chamara Ariyarathne
>>>> Associate Technical Lead - QA
>>>> WSO2 Inc; http://www.wso2.com/
>>>> Mobile; +94772786766
>>
>> --
>> Nuwan Dias
>>
>> Technical Lead - WSO2, Inc.
>> http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>
> --
> Thanks & Regards,
>
> Johann Dilantha Nallathamby
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - +94777776950
> Blog - http://nallaa.wordpress.com

--
Nuwan Dias
Technical Lead - WSO2, Inc.
http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
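The two tenant-resolution approaches argued over in the thread, as an added Python model that is not WSO2's code: the token endpoint resolves the tenant from the ?tenantDomain= query param, falling back to a client_id lookup (the IDENTITY-4531 behaviour) and finally to carbon.super, while the SAML SSO issuer cannot be used the same way because it is not unique across tenants. The client ids, issuer and tenant registry are constructed, and client_id is passed as a form field purely for illustration.

```python
"""Added illustration (not WSO2 code) of the token-endpoint tenant resolution
discussed above: an explicit ?tenantDomain= query param versus the client_id
lookup that IDENTITY-4531 moved to. All client ids and tenants are constructed."""
import base64
from urllib.parse import urlencode, urlsplit, parse_qs

SUPER_TENANT = "carbon.super"
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"

# Constructed registry. OAuth2 client ids are UUIDs, so each maps to exactly
# one tenant and the endpoint can resolve the tenant without a query param.
CLIENT_TENANT = {
    "3d5f1a2b-0c9e-4b7a-9a11-aaaaaaaaaaaa": "wso2.com",
    "7b8c2d1e-55f0-4c3a-8e22-bbbbbbbbbbbb": SUPER_TENANT,
}

# Constructed: the same SAML issuer registered in two tenants, which is why
# the SAML SSO endpoint cannot drop the tenantDomain param the same way.
ISSUER_TENANTS = {"travelocity.com": ["wso2.com", SUPER_TENANT]}


def build_token_request(assertion_xml, client_id, tenant_domain=None):
    """Return (url, form_body) for a SAML2 bearer grant. The tenantDomain
    query param is only appended when given (the pre-fix, 5.2.0-beta style).
    client_id is shown as a form field here purely for illustration."""
    url = TOKEN_ENDPOINT
    if tenant_domain:
        url += "?" + urlencode({"tenantDomain": tenant_domain})
    body = {
        "grant_type": SAML2_BEARER,
        "assertion": base64.b64encode(assertion_xml.encode()).decode(),
        "client_id": client_id,
    }
    return url, body


def resolve_tenant(url, body):
    """Query param first, then client_id lookup, else carbon.super (the
    default the thread warns about when nothing identifies the tenant)."""
    params = parse_qs(urlsplit(url).query)
    if params.get("tenantDomain"):
        return params["tenantDomain"][0]
    return CLIENT_TENANT.get(body.get("client_id", ""), SUPER_TENANT)


def resolve_tenant_from_issuer(issuer):
    """SAML SSO path: None signals an issuer that is ambiguous across tenants."""
    tenants = ISSUER_TENANTS.get(issuer, [SUPER_TENANT])
    return tenants[0] if len(tenants) == 1 else None
```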