Hi Bathiya, Yes, 5.2.0 on wards, we have disable it. You are correct.
The reason was, if we enable it by default, then for the super tenant users, there will be carbon.super within the user name as a subject. That is very unexpected case and then we have to disable it manually. Your case coming with the multi tenant story. Most of the time, we are working in super tenant mode, so we decided to disable it by default. In multi-tenant mode, we have to enable it per tenant. Problem is , we have to document this clearly. *Harsha Thirimanna* Associate Tech Lead; WSO2, Inc.; http://wso2.com * <http://www.apache.org/>* *email: **hars...@wso2.com* <az...@wso2.com>* cell: +94 71 5186770 * *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* *harshathirimannlinked-in: **http: <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* *Lean . Enterprise . Middleware* On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara <bhath...@wso2.com> wrote: > Hi Harsha/Omindu, > > I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default. > > Thanks, > Bhathiya > > > > On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna <hars...@wso2.com> > wrote: > >> Bhathiya, >> What is your IS version ? We are talking about last released version. >> >> >> *Harsha Thirimanna* >> Associate Tech Lead; WSO2, Inc.; http://wso2.com >> * <http://www.apache.org/>* >> *email: **hars...@wso2.com* <az...@wso2.com>* cell: +94 71 5186770 * >> *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* >> *harshathirimannlinked-in: **http: >> <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 >> <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* >> >> *Lean . Enterprise . Middleware* >> >> >> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna <hars...@wso2.com> >> wrote: >> >>> Hi Bathiya, >>> This option is enabled by default in fresh pack. So unless if some one >>> un-tick this option manually because of some reason, this would work as >>> expected for the customer who migrate to the APM 2.0. >>> In your case, how this option was disable ? Did you disable it in UI ? >>> >>> >>> *Harsha Thirimanna* >>> Associate Tech Lead; WSO2, Inc.; http://wso2.com >>> * <http://www.apache.org/>* >>> *email: **hars...@wso2.com* <az...@wso2.com>* cell: +94 71 5186770 * >>> *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* >>> *harshathirimannlinked-in: **http: >>> <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 >>> <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* >>> >>> *Lean . Enterprise . Middleware* >>> >>> >>> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera <omi...@wso2.com> >>> wrote: >>> >>>> Hi Bathiya, >>>> >>>> This is the expected behavior. With IS 5.1.0, we have given the >>>> capability to separately specify whether to include the tenant domain >>>> and/or the user store domain in the subject. This setting is now under >>>> 'Local & Outbound Authentication Configuration' section. In earlier IS >>>> versions this was under SAML SSO configurations [1] (Use fully qualified >>>> username in the NameID). Better to mention this in the docs. >>>> >>>> So without enabling these options, the SAML response subject will not >>>> have the tenant domain included. And since, there's no tenant domain >>>> included, the assertion consumer service must be interpreting the user as >>>> someone who belongs to the super tenant domain. >>>> >>>> Regarding, UseAuthenticatedUserDomainCrypto property, do you still get >>>> the signature verification failure when it is set to 'true' ? >>>> >>>> [1] - >>>> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2 >>>> >>>> Regards, >>>> Omindu. >>>> >>>> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara <bhath...@wso2.com> >>>> wrote: >>>> >>>>> Hi Omindu, >>>>> >>>>> Thanks. That worked. Could you please explain this new behavior? Is >>>>> this an intentional change? Or a workaround for an issue? I'm asking this >>>>> because this is going to affect existing customers, as all of them has to >>>>> make this change in their setups to get SSO working after upgrading to >>>>> APIm >>>>> 2.0.0. >>>>> >>>>> Thanks, >>>>> Bhathiya >>>>> >>>>> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera <omi...@wso2.com> >>>>> wrote: >>>>> >>>>>> Hi Bathiya, >>>>>> >>>>>> Can you try changing the following config in IS SP and see whether >>>>>> you are still getting logged as the super tenant. >>>>>> >>>>>> Edit the API_Manager SP. Under 'Local & Outbound Authentication >>>>>> Configuration', select the 'Use tenant domain in local subject >>>>>> identifier' option and save the changes. >>>>>> >>>>>> Regards, >>>>>> Omindu. >>>>>> >>>>>> >>>>>> >>>>>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara < >>>>>> bhath...@wso2.com> wrote: >>>>>> >>>>>>> Hi IS team, >>>>>>> >>>>>>> I configured SSO as per this doc[1]. I enabled SaaS Application in >>>>>>> store and publisher SPs. But when I try to login as *ad...@b.com >>>>>>> <ad...@b.com>*, it fails with "*SAML response signature is >>>>>>> verification failed.*". But if I remove >>>>>>> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto> >>>>>>> *config from identity.xml adn do the same, I'm logged in as >>>>>>> admin@carbon.super (not as ad...@b.com). This means ad...@b.com can >>>>>>> login as admin@carbon.super even without knowing admin@carbon.super's >>>>>>> credentials. >>>>>>> >>>>>>> The SAML response I get is [2]. Looks like it's for >>>>>>> admin@carboin.super, which explains above 2 behaviors. >>>>>>> >>>>>>> Is this a bug or am I missing some new configuration? Appreciate a >>>>>>> quick response as this is a Blocker for APIM 2 Beta release. >>>>>>> >>>>>>> >>>>>>> [1] >>>>>>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2 >>>>>>> >>>>>>> [2] <?xml version="1.0" encoding="UTF-8"?> >>>>>>> <saml2p:Response Destination=" >>>>>>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; >>>>>>> ID="_386d73f9fe16add6d6a231cb46511661" >>>>>>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>>>>>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>>>>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> >>>>>>> <saml2:Issuer >>>>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >>>>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer> >>>>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >>>>>>> <ds:SignedInfo> >>>>>>> <ds:CanonicalizationMethod Algorithm=" >>>>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>>>> <ds:SignatureMethod Algorithm=" >>>>>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>>>>>> <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661"> >>>>>>> <ds:Transforms> >>>>>>> <ds:Transform Algorithm=" >>>>>>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>>>>>> <ds:Transform Algorithm=" >>>>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>>>> </ds:Transforms> >>>>>>> <ds:DigestMethod Algorithm=" >>>>>>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>>>>>> >>>>>>> <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue> >>>>>>> </ds:Reference> >>>>>>> </ds:SignedInfo> >>>>>>> >>>>>>> <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue> >>>>>>> <ds:KeyInfo> >>>>>>> <ds:X509Data> >>>>>>> >>>>>>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>>>>>> </ds:X509Data> >>>>>>> </ds:KeyInfo> >>>>>>> </ds:Signature> >>>>>>> <saml2p:Status> >>>>>>> <saml2p:StatusCode >>>>>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> >>>>>>> </saml2p:Status> >>>>>>> <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda" >>>>>>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>>>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> >>>>>>> <saml2:Issuer >>>>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer> >>>>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >>>>>>> <ds:SignedInfo> >>>>>>> <ds:CanonicalizationMethod Algorithm=" >>>>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>>>> <ds:SignatureMethod Algorithm=" >>>>>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>>>>>> <ds:Reference >>>>>>> URI="#_850365901d14fa3da9b47a0eef2decda"> >>>>>>> <ds:Transforms> >>>>>>> <ds:Transform Algorithm=" >>>>>>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>>>>>> <ds:Transform Algorithm=" >>>>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>>>> </ds:Transforms> >>>>>>> <ds:DigestMethod Algorithm=" >>>>>>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>>>>>> >>>>>>> <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue> >>>>>>> </ds:Reference> >>>>>>> </ds:SignedInfo> >>>>>>> >>>>>>> <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue> >>>>>>> <ds:KeyInfo> >>>>>>> <ds:X509Data> >>>>>>> >>>>>>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>>>>>> </ds:X509Data> >>>>>>> </ds:KeyInfo> >>>>>>> </ds:Signature> >>>>>>> <saml2:Subject> >>>>>>> * <saml2:NameID >>>>>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>* >>>>>>> <saml2:SubjectConfirmation >>>>>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> >>>>>>> <saml2:SubjectConfirmationData >>>>>>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>>>>>> NotOnOrAfter="2016-06-05T18:00:09.459Z" Recipient=" >>>>>>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; /> >>>>>>> </saml2:SubjectConfirmation> >>>>>>> </saml2:Subject> >>>>>>> <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" >>>>>>> NotOnOrAfter="2016-06-05T18:00:09.459Z"> >>>>>>> <saml2:AudienceRestriction> >>>>>>> <saml2:Audience>API_PUBLISHER</saml2:Audience> >>>>>>> </saml2:AudienceRestriction> >>>>>>> </saml2:Conditions> >>>>>>> <saml2:AuthnStatement >>>>>>> AuthnInstant="2016-06-05T17:55:09.459Z" >>>>>>> SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a"> >>>>>>> <saml2:AuthnContext> >>>>>>> >>>>>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> >>>>>>> </saml2:AuthnContext> >>>>>>> </saml2:AuthnStatement> >>>>>>> </saml2:Assertion> >>>>>>> </saml2p:Response> >>>>>>> >>>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> -- >>>>>>> *Bhathiya Jayasekara* >>>>>>> *Senior Software Engineer,* >>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>>> >>>>>>> *Phone: +94715478185 <%2B94715478185>* >>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>>> <https://twitter.com/bhathiyax>* >>>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Dev mailing list >>>>>>> Dev@wso2.org >>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Omindu Rathnaweera >>>>>> Software Engineer, WSO2 Inc. >>>>>> Mobile: +94 771 197 211 >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> *Bhathiya Jayasekara* >>>>> *Senior Software Engineer,* >>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>> >>>>> *Phone: +94715478185 <%2B94715478185>* >>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>> *Twitter: https://twitter.com/bhathiyax >>>>> <https://twitter.com/bhathiyax>* >>>>> *Blog: http://movingaheadblog.blogspot.com >>>>> <http://movingaheadblog.blogspot.com/>* >>>>> >>>> >>>> >>>> >>>> -- >>>> Omindu Rathnaweera >>>> Software Engineer, WSO2 Inc. >>>> Mobile: +94 771 197 211 >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> Dev@wso2.org >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>>> >>> >> > > > -- > *Bhathiya Jayasekara* > *Senior Software Engineer,* > *WSO2 inc., http://wso2.com <http://wso2.com>* > > *Phone: +94715478185 <%2B94715478185>* > *LinkedIn: http://www.linkedin.com/in/bhathiyaj > <http://www.linkedin.com/in/bhathiyaj>* > *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* > *Blog: http://movingaheadblog.blogspot.com > <http://movingaheadblog.blogspot.com/>* >
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
