Hi IS team,

I configured SSO as per this doc [1]. I enabled SaaS Application in store
and publisher SPs. But when I try to log in as *ad...@b.com*, it fails with
"*SAML response signature is verification failed.*". But if I remove the
*<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>*
config from identity.xml and do the same, I'm logged in as admin@carbon.super
(not as ad...@b.com). This means ad...@b.com can log in as admin@carbon.super
even without knowing admin@carbon.super's credentials.

The SAML response I get is [2]. Looks like it's for admin@carbon.super,
which explains the above 2 behaviors.

Is this a bug or am I missing some new configuration? Appreciate a quick
response as this is a Blocker for APIM 2 Beta release.


[1] https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2

[2]
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"
    ID="_386d73f9fe16add6d6a231cb46511661"
    InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
    IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
<ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
<ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda"
        IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_850365901d14fa3da9b47a0eef2decda">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
<ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
<ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            *<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>*
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
                    NotOnOrAfter="2016-06-05T18:00:09.459Z"
                    Recipient="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" NotOnOrAfter="2016-06-05T18:00:09.459Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>API_PUBLISHER</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2016-06-05T17:55:09.459Z"
            SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>


Thanks,

-- 
*Bhathiya Jayasekara*
*Senior Software Engineer,*
*WSO2 inc., http://wso2.com*

*Phone: +94715478185*
*LinkedIn: http://www.linkedin.com/in/bhathiyaj*
*Twitter: https://twitter.com/bhathiyax*
*Blog: http://movingaheadblog.blogspot.com*
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
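As an added example (not code from the mail, nor from WSO2), here is a Python check an SP could run on the Response quoted as [2] before mapping the Subject to a local user: it derives the tenant from the NameID using the carbon.super default and rejects the login when that tenant differs from the one the login was started for, alongside the Destination, Audience and validity-window checks. The shortened sample XML, the tenant names and the function names are constructed for this example.

```python
# Added example (not from the mail or WSO2): tenant-aware checks an SP can run on a
# SAML2 Response before mapping its Subject to a local user. Assumes the WSO2
# convention that a NameID without "@domain" belongs to the super tenant.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUPER_TENANT = "carbon.super"
# Constructed, shortened stand-in for the response quoted as [2]: signatures are
# omitted; Subject and Conditions carry the same values as in the mail.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  Destination="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag">
  <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" NotOnOrAfter="2016-06-05T18:00:09.459Z">
      <saml2:AudienceRestriction><saml2:Audience>API_PUBLISHER</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

def tenant_domain(name_id):
    """WSO2-style split: 'user@tenant' -> tenant, bare 'user' -> super tenant."""
    return name_id.rsplit("@", 1)[1] if "@" in name_id else SUPER_TENANT

def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2016-06-05T17:55:09.459Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, expected_tenant, expected_audience, expected_acs, now):
    """Return the list of problems found; an empty list means these checks passed.
    Signature verification is a separate step and must use the IdP certificate
    trusted for expected_tenant, never the one embedded in ds:KeyInfo."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("destination mismatch")
    assertion = root.find("saml2:Assertion", NS)
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS)
    if tenant_domain(name_id) != expected_tenant:
        problems.append(f"subject '{name_id}' belongs to tenant '{tenant_domain(name_id)}', "
                        f"but login was started for '{expected_tenant}'")
    cond = assertion.find("saml2:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems
```

Run against the sample with expected_tenant "b.com" it reports the subject/tenant mismatch that the mail describes; with "carbon.super" the same response passes, which is exactly the gap a tenant-unaware SP falls into.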
