Hi Harsha/Omindu,

I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default.

Thanks,
Bhathiya

On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna <hars...@wso2.com> wrote:
> Bhathiya,
> What is your IS version? We are talking about the last released version.
>
> Harsha Thirimanna
> Associate Tech Lead; WSO2, Inc.; http://wso2.com
> email: hars...@wso2.com  cell: +94 71 5186770
> twitter: http://twitter.com/
> linked-in: http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122
>
> Lean . Enterprise . Middleware
>
> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna <hars...@wso2.com> wrote:
>> Hi Bhathiya,
>> This option is enabled by default in a fresh pack. So unless someone
>> un-ticks this option manually for some reason, this would work as
>> expected for customers who migrate to APIM 2.0.
>> In your case, how was this option disabled? Did you disable it in the UI?
>>
>> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera <omi...@wso2.com> wrote:
>>> Hi Bhathiya,
>>>
>>> This is the expected behavior. With IS 5.1.0, we have given the
>>> capability to separately specify whether to include the tenant domain
>>> and/or the user store domain in the subject. This setting is now under the
>>> 'Local & Outbound Authentication Configuration' section. In earlier IS
>>> versions this was under SAML SSO configurations [1] (Use fully qualified
>>> username in the NameID). Better to mention this in the docs.
>>>
>>> So without enabling these options, the SAML response subject will not
>>> have the tenant domain included. And since there's no tenant domain
>>> included, the assertion consumer service must be interpreting the user as
>>> someone who belongs to the super tenant domain.
>>>
>>> Regarding the UseAuthenticatedUserDomainCrypto property, do you still get
>>> the signature verification failure when it is set to 'true'?
>>>
>>> [1] - https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2
>>>
>>> Regards,
>>> Omindu.
>>>
>>> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
>>>> Hi Omindu,
>>>>
>>>> Thanks. That worked. Could you please explain this new behavior? Is
>>>> this an intentional change? Or a workaround for an issue? I'm asking this
>>>> because this is going to affect existing customers, as all of them have to
>>>> make this change in their setups to get SSO working after upgrading to APIM
>>>> 2.0.0.
>>>>
>>>> Thanks,
>>>> Bhathiya
>>>>
>>>> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera <omi...@wso2.com> wrote:
>>>>> Hi Bhathiya,
>>>>>
>>>>> Can you try changing the following config in the IS SP and see whether you
>>>>> are still getting logged in as the super tenant.
>>>>>
>>>>> Edit the API_Manager SP. Under 'Local & Outbound Authentication
>>>>> Configuration', select the 'Use tenant domain in local subject
>>>>> identifier' option and save the changes.
>>>>>
>>>>> Regards,
>>>>> Omindu.
>>>>>
>>>>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara <bhath...@wso2.com> wrote:
>>>>>> Hi IS team,
>>>>>>
>>>>>> I configured SSO as per this doc [1]. I enabled SaaS Application in
>>>>>> the store and publisher SPs. But when I try to login as ad...@b.com,
>>>>>> it fails with "SAML response signature is verification failed.". But if I remove
>>>>>> the <UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto>
>>>>>> config from identity.xml and do the same, I'm logged in as
>>>>>> admin@carbon.super (not as ad...@b.com). This means ad...@b.com can
>>>>>> login as admin@carbon.super even without knowing admin@carbon.super's
>>>>>> credentials.
>>>>>>
>>>>>> The SAML response I get is [2]. Looks like it's for
>>>>>> admin@carbon.super, which explains the above 2 behaviors.
>>>>>>
>>>>>> Is this a bug or am I missing some new configuration? Appreciate a
>>>>>> quick response as this is a Blocker for the APIM 2 Beta release.
>>>>>>
>>>>>> [1] https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2
>>>>>>
>>>>>> [2]
>>>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>>>> <saml2p:Response Destination="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"
>>>>>>     ID="_386d73f9fe16add6d6a231cb46511661"
>>>>>>     InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
>>>>>>     IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
>>>>>>     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
>>>>>>   <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>>>>>>       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer>
>>>>>>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>>     <ds:SignedInfo>
>>>>>>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>>>>       <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661">
>>>>>>         <ds:Transforms>
>>>>>>           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>>>>           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>         </ds:Transforms>
>>>>>>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>>>>         <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue>
>>>>>>       </ds:Reference>
>>>>>>     </ds:SignedInfo>
>>>>>>     <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue>
>>>>>>     <ds:KeyInfo>
>>>>>>       <ds:X509Data>
>>>>>>         <ds:X509Certificate>[X509Certificate value omitted]</ds:X509Certificate>
>>>>>>       </ds:X509Data>
>>>>>>     </ds:KeyInfo>
>>>>>>   </ds:Signature>
>>>>>>   <saml2p:Status>
>>>>>>     <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>>>>>   </saml2p:Status>
>>>>>>   <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda"
>>>>>>       IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0"
>>>>>>       xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>>>>>>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
>>>>>>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>>>       <ds:SignedInfo>
>>>>>>         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>>>>         <ds:Reference URI="#_850365901d14fa3da9b47a0eef2decda">
>>>>>>           <ds:Transforms>
>>>>>>             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>>>>             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>>>           </ds:Transforms>
>>>>>>           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>>>>           <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue>
>>>>>>         </ds:Reference>
>>>>>>       </ds:SignedInfo>
>>>>>>       <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue>
>>>>>>       <ds:KeyInfo>
>>>>>>         <ds:X509Data>
>>>>>>           <ds:X509Certificate>[X509Certificate value omitted]</ds:X509Certificate>
>>>>>>         </ds:X509Data>
>>>>>>       </ds:KeyInfo>
>>>>>>     </ds:Signature>
>>>>>>     <saml2:Subject>
>>>>>>       <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
>>>>>>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>>>>         <saml2:SubjectConfirmationData InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj"
>>>>>>             NotOnOrAfter="2016-06-05T18:00:09.459Z"
>>>>>>             Recipient="https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag" />
>>>>>>       </saml2:SubjectConfirmation>
>>>>>>     </saml2:Subject>
>>>>>>     <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" NotOnOrAfter="2016-06-05T18:00:09.459Z">
>>>>>>       <saml2:AudienceRestriction>
>>>>>>         <saml2:Audience>API_PUBLISHER</saml2:Audience>
>>>>>>       </saml2:AudienceRestriction>
>>>>>>     </saml2:Conditions>
>>>>>>     <saml2:AuthnStatement AuthnInstant="2016-06-05T17:55:09.459Z"
>>>>>>         SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a">
>>>>>>       <saml2:AuthnContext>
>>>>>>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>>>>>       </saml2:AuthnContext>
>>>>>>     </saml2:AuthnStatement>
>>>>>>   </saml2:Assertion>
>>>>>> </saml2p:Response>
>>>>>>
>>>>>> Thanks,
>>>>>
>>>>> --
>>>>> Omindu Rathnaweera
>>>>> Software Engineer, WSO2 Inc.
>>>>> Mobile: +94 771 197 211

--
Bhathiya Jayasekara
Senior Software Engineer,
WSO2 inc., http://wso2.com

Phone: +94715478185
LinkedIn: http://www.linkedin.com/in/bhathiyaj
Twitter: https://twitter.com/bhathiyax
Blog: http://movingaheadblog.blogspot.com

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
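The thread turns on one subject-mapping detail: the IdP emitted a NameID of plain `admin` with no tenant domain, and the assertion consumer service resolved it as `admin@carbon.super`. The following is an added example, not code from the thread or from WSO2, showing the check an ACS for a multi-tenant (SaaS) service provider can run on a SAML2 Response before it maps the NameID to a local account: derive the tenant domain the way WSO2 qualifies usernames (everything after the last `@`), and refuse to map an unqualified subject rather than defaulting it to the super tenant. The names `check_subject`, `split_tenant`, `SubjectCheck`, the `saas_application` flag, the expected audience and the two sample responses are assumptions made for this example; signature and validity-window verification are out of scope here.

```python
"""Subject-mapping check for a SAML2 Response at a multi-tenant ACS.

Added example (not WSO2 code). The sample responses below are constructed,
unsigned, and modelled on the structure of the response quoted in the thread.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUPER_TENANT = "carbon.super"  # WSO2's default (super) tenant domain


@dataclass
class SubjectCheck:
    name_id: str
    username: str
    tenant_domain: str
    tenant_qualified: bool
    audiences: list
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def split_tenant(name_id: str) -> tuple:
    """Split a WSO2-style subject into (username, tenant_domain, qualified).

    WSO2 appends the tenant domain after the last '@', so a username that is
    itself an e-mail address still splits correctly. A NameID with no '@' is
    unqualified and would be resolved against the super tenant.
    """
    if "@" not in name_id:
        return name_id, SUPER_TENANT, False
    username, _, tenant = name_id.rpartition("@")
    return username, tenant, True


def check_subject(response_xml: str, expected_audience: str,
                  saas_application: bool) -> SubjectCheck:
    """Parse the Response's Assertion and collect findings about its Subject."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no saml2:Assertion")
    name_id_el = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id_el is None or not (name_id_el.text or "").strip():
        raise ValueError("Assertion has no Subject/NameID")
    name_id = name_id_el.text.strip()
    audiences = [
        a.text.strip()
        for a in assertion.findall(
            "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
        if a.text
    ]
    username, tenant, qualified = split_tenant(name_id)
    result = SubjectCheck(name_id, username, tenant, qualified, audiences)

    # The assertion must be addressed to this SP, not to a sibling SP.
    if expected_audience not in audiences:
        result.findings.append(
            f"audience {audiences} does not include {expected_audience!r}")
    # For a SaaS SP an unqualified subject is ambiguous: mapping it would
    # silently land the user in the super tenant, which is the thread's bug.
    if saas_application and not qualified:
        result.findings.append(
            f"NameID {name_id!r} carries no tenant domain; mapping it would "
            f"resolve to {username}@{SUPER_TENANT}")
    return result


def _sample_response(name_id: str, audience: str) -> str:
    """Constructed, unsigned response with the thread's element layout."""
    return f"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example-response" Version="2.0" IssueInstant="2016-06-05T17:55:09.459Z"
    Destination="https://sp.example.test/acs">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_example-assertion" Version="2.0" IssueInstant="2016-06-05T17:55:09.459Z">
    <saml2:Issuer>localhost</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


UNQUALIFIED_RESPONSE = _sample_response("admin", "API_PUBLISHER")
QUALIFIED_RESPONSE = _sample_response("admin@b.com", "API_PUBLISHER")

if __name__ == "__main__":
    for label, xml in (("unqualified", UNQUALIFIED_RESPONSE),
                       ("qualified", QUALIFIED_RESPONSE)):
        r = check_subject(xml, "API_PUBLISHER", saas_application=True)
        print(label, "->", r.username, r.tenant_domain,
              "OK" if r.ok else r.findings)
```

Run stand-alone, the unqualified response is reported as a finding (it would map to `admin@carbon.super`) while `admin@b.com` maps to user `admin` in tenant `b.com`. Setting `saas_application=False` accepts the unqualified subject, which mirrors a single-tenant SP where super-tenant mapping is the intended behaviour.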