Hi Bhathiya, Yes , this will work as expected when you enable this option in SAAS enables SP.
*Harsha Thirimanna* Associate Tech Lead; WSO2, Inc.; http://wso2.com * <http://www.apache.org/>* *email: **hars...@wso2.com* <az...@wso2.com>* cell: +94 71 5186770 * *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* *harshathirimannlinked-in: **http: <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* *Lean . Enterprise . Middleware* On Mon, Jun 6, 2016 at 11:52 AM, Bhathiya Jayasekara <bhath...@wso2.com> wrote: > Hi Harsha, > > On Mon, Jun 6, 2016 at 11:37 AM, Harsha Thirimanna <hars...@wso2.com> > wrote: > >> Hi Bathiya, >> >> Yes, 5.2.0 on wards, we have disable it. You are correct. >> >> The reason was, if we enable it by default, then for the super tenant >> users, there will be carbon.super within the user name as a subject. That >> is very unexpected case and then we have to disable it manually. Your case >> coming with the multi tenant story. >> Most of the time, we are working in super tenant mode, so we decided to >> disable it by default. In multi-tenant mode, we have to enable it per >> tenant. >> > > So how am I supposed to configure when I have just 1 SP for all tenants > with "SaaS App" enabled? > > Thanks, > Bhathiya > > >> >> Problem is , we have to document this clearly. >> >> >> >> *Harsha Thirimanna* >> Associate Tech Lead; WSO2, Inc.; http://wso2.com >> * <http://www.apache.org/>* >> *email: **hars...@wso2.com* <az...@wso2.com>* cell: +94 71 5186770 * >> *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* >> *harshathirimannlinked-in: **http: >> <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 >> <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* >> >> *Lean . Enterprise . Middleware* >> >> >> On Mon, Jun 6, 2016 at 11:09 AM, Bhathiya Jayasekara <bhath...@wso2.com> >> wrote: >> >>> Hi Harsha/Omindu, >>> >>> I'm using 5.2.0-SNAPSHOT. In it, that config is not ticked by default. >>> >>> Thanks, >>> Bhathiya >>> >>> >>> >>> On Mon, Jun 6, 2016 at 9:24 AM, Harsha Thirimanna <hars...@wso2.com> >>> wrote: >>> >>>> Bhathiya, >>>> What is your IS version ? We are talking about last released version. >>>> >>>> >>>> *Harsha Thirimanna* >>>> Associate Tech Lead; WSO2, Inc.; http://wso2.com >>>> * <http://www.apache.org/>* >>>> *email: **hars...@wso2.com* <az...@wso2.com>* cell: +94 71 5186770 * >>>> *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* >>>> *harshathirimannlinked-in: **http: >>>> <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 >>>> <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* >>>> >>>> *Lean . Enterprise . Middleware* >>>> >>>> >>>> On Mon, Jun 6, 2016 at 9:12 AM, Harsha Thirimanna <hars...@wso2.com> >>>> wrote: >>>> >>>>> Hi Bathiya, >>>>> This option is enabled by default in fresh pack. So unless if some one >>>>> un-tick this option manually because of some reason, this would work as >>>>> expected for the customer who migrate to the APM 2.0. >>>>> In your case, how this option was disable ? Did you disable it in UI ? >>>>> >>>>> >>>>> *Harsha Thirimanna* >>>>> Associate Tech Lead; WSO2, Inc.; http://wso2.com >>>>> * <http://www.apache.org/>* >>>>> *email: **hars...@wso2.com* <az...@wso2.com>* cell: +94 71 5186770 * >>>>> *twitter: **http://twitter.com/ <http://twitter.com/afkham_azeez>* >>>>> *harshathirimannlinked-in: **http: >>>>> <http://lk.linkedin.com/in/afkhamazeez>**//www.linkedin.com/pub/harsha-thirimanna/10/ab8/122 >>>>> <http://www.linkedin.com/pub/harsha-thirimanna/10/ab8/122>* >>>>> >>>>> *Lean . Enterprise . Middleware* >>>>> >>>>> >>>>> On Mon, Jun 6, 2016 at 9:05 AM, Omindu Rathnaweera <omi...@wso2.com> >>>>> wrote: >>>>> >>>>>> Hi Bathiya, >>>>>> >>>>>> This is the expected behavior. With IS 5.1.0, we have given the >>>>>> capability to separately specify whether to include the tenant domain >>>>>> and/or the user store domain in the subject. This setting is now under >>>>>> 'Local & Outbound Authentication Configuration' section. In earlier >>>>>> IS versions this was under SAML SSO configurations [1] (Use fully >>>>>> qualified >>>>>> username in the NameID). Better to mention this in the docs. >>>>>> >>>>>> So without enabling these options, the SAML response subject will not >>>>>> have the tenant domain included. And since, there's no tenant domain >>>>>> included, the assertion consumer service must be interpreting the user as >>>>>> someone who belongs to the super tenant domain. >>>>>> >>>>>> Regarding, UseAuthenticatedUserDomainCrypto property, do you still >>>>>> get the signature verification failure when it is set to 'true' ? >>>>>> >>>>>> [1] - >>>>>> https://docs.wso2.com/display/AM190/Configuring+Single+Sign-on+with+SAML2 >>>>>> >>>>>> Regards, >>>>>> Omindu. >>>>>> >>>>>> On Mon, Jun 6, 2016 at 8:38 AM, Bhathiya Jayasekara < >>>>>> bhath...@wso2.com> wrote: >>>>>> >>>>>>> Hi Omindu, >>>>>>> >>>>>>> Thanks. That worked. Could you please explain this new behavior? Is >>>>>>> this an intentional change? Or a workaround for an issue? I'm asking >>>>>>> this >>>>>>> because this is going to affect existing customers, as all of them has >>>>>>> to >>>>>>> make this change in their setups to get SSO working after upgrading to >>>>>>> APIm >>>>>>> 2.0.0. >>>>>>> >>>>>>> Thanks, >>>>>>> Bhathiya >>>>>>> >>>>>>> On Mon, Jun 6, 2016 at 1:19 AM, Omindu Rathnaweera <omi...@wso2.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi Bathiya, >>>>>>>> >>>>>>>> Can you try changing the following config in IS SP and see whether >>>>>>>> you are still getting logged as the super tenant. >>>>>>>> >>>>>>>> Edit the API_Manager SP. Under 'Local & Outbound Authentication >>>>>>>> Configuration', select the 'Use tenant domain in local subject >>>>>>>> identifier' option and save the changes. >>>>>>>> >>>>>>>> Regards, >>>>>>>> Omindu. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Sun, Jun 5, 2016 at 11:41 PM, Bhathiya Jayasekara < >>>>>>>> bhath...@wso2.com> wrote: >>>>>>>> >>>>>>>>> Hi IS team, >>>>>>>>> >>>>>>>>> I configured SSO as per this doc[1]. I enabled SaaS Application in >>>>>>>>> store and publisher SPs. But when I try to login as *ad...@b.com >>>>>>>>> <ad...@b.com>*, it fails with "*SAML response signature is >>>>>>>>> verification failed.*". But if I remove >>>>>>>>> *<UseAuthenticatedUserDomainCrypto>true</UseAuthenticatedUserDomainCrypto> >>>>>>>>> *config from identity.xml adn do the same, I'm logged in as >>>>>>>>> admin@carbon.super (not as ad...@b.com). This means ad...@b.com >>>>>>>>> can login as admin@carbon.super even without knowing >>>>>>>>> admin@carbon.super's credentials. >>>>>>>>> >>>>>>>>> The SAML response I get is [2]. Looks like it's for >>>>>>>>> admin@carboin.super, which explains above 2 behaviors. >>>>>>>>> >>>>>>>>> Is this a bug or am I missing some new configuration? Appreciate a >>>>>>>>> quick response as this is a Blocker for APIM 2 Beta release. >>>>>>>>> >>>>>>>>> >>>>>>>>> [1] >>>>>>>>> https://docs.wso2.com/display/AM200/Configuring+Single+Sign-on+with+SAML2 >>>>>>>>> >>>>>>>>> [2] <?xml version="1.0" encoding="UTF-8"?> >>>>>>>>> <saml2p:Response Destination=" >>>>>>>>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; >>>>>>>>> ID="_386d73f9fe16add6d6a231cb46511661" >>>>>>>>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>>>>>>>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>>>>>>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> >>>>>>>>> <saml2:Issuer >>>>>>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" >>>>>>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">localhost</saml2:Issuer> >>>>>>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >>>>>>>>> <ds:SignedInfo> >>>>>>>>> <ds:CanonicalizationMethod Algorithm=" >>>>>>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>>>>>> <ds:SignatureMethod Algorithm=" >>>>>>>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>>>>>>>> <ds:Reference URI="#_386d73f9fe16add6d6a231cb46511661"> >>>>>>>>> <ds:Transforms> >>>>>>>>> <ds:Transform Algorithm=" >>>>>>>>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>>>>>>>> <ds:Transform Algorithm=" >>>>>>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>>>>>> </ds:Transforms> >>>>>>>>> <ds:DigestMethod Algorithm=" >>>>>>>>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>>>>>>>> >>>>>>>>> <ds:DigestValue>V9ftUN89s66MnhOct2O7EvvFrFw=</ds:DigestValue> >>>>>>>>> </ds:Reference> >>>>>>>>> </ds:SignedInfo> >>>>>>>>> >>>>>>>>> <ds:SignatureValue>O8bdhEpkCVTQ9Jflw0zaHU6ZdYO925xpGqdl1JDwC4WheuZS2H9h0mEB6v13EYXSH12JrsTSg/u6dZukPdf1/2KvzHj+c4iEDpJTZVbITK8jdRCE49LVHTDFfIcIx/HKucvMfWh635RyNXzWV4Mht9tUutqRrBf1KFziKcnlLOg=</ds:SignatureValue> >>>>>>>>> <ds:KeyInfo> >>>>>>>>> <ds:X509Data> >>>>>>>>> >>>>>>>>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>>>>>>>> </ds:X509Data> >>>>>>>>> </ds:KeyInfo> >>>>>>>>> </ds:Signature> >>>>>>>>> <saml2p:Status> >>>>>>>>> <saml2p:StatusCode >>>>>>>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> >>>>>>>>> </saml2p:Status> >>>>>>>>> <saml2:Assertion ID="_850365901d14fa3da9b47a0eef2decda" >>>>>>>>> IssueInstant="2016-06-05T17:55:09.459Z" Version="2.0" >>>>>>>>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> >>>>>>>>> <saml2:Issuer >>>>>>>>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer> >>>>>>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig# >>>>>>>>> "> >>>>>>>>> <ds:SignedInfo> >>>>>>>>> <ds:CanonicalizationMethod Algorithm=" >>>>>>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>>>>>> <ds:SignatureMethod Algorithm=" >>>>>>>>> http://www.w3.org/2000/09/xmldsig#rsa-sha1"; /> >>>>>>>>> <ds:Reference >>>>>>>>> URI="#_850365901d14fa3da9b47a0eef2decda"> >>>>>>>>> <ds:Transforms> >>>>>>>>> <ds:Transform Algorithm=" >>>>>>>>> http://www.w3.org/2000/09/xmldsig#enveloped-signature"; /> >>>>>>>>> <ds:Transform Algorithm=" >>>>>>>>> http://www.w3.org/2001/10/xml-exc-c14n#"; /> >>>>>>>>> </ds:Transforms> >>>>>>>>> <ds:DigestMethod Algorithm=" >>>>>>>>> http://www.w3.org/2000/09/xmldsig#sha1"; /> >>>>>>>>> >>>>>>>>> <ds:DigestValue>OFV827BcNkwEL67y2GoaffiurZ0=</ds:DigestValue> >>>>>>>>> </ds:Reference> >>>>>>>>> </ds:SignedInfo> >>>>>>>>> >>>>>>>>> <ds:SignatureValue>HV2EFLTy6nFJ17s+NA2zZMdtTFoEgOU4VXymO+wxiInUAPeC6M6QQsosLXFmBRRDphYrsVt583xQmpULz5osVJK+v67UUz9R/NRFCpUy9dIgDUwbS3iGRqQFd1WF8XPufM8Fi17RDMD01PpfZ5iQh9wMuVN5rHtlA74pVKnQrfU=</ds:SignatureValue> >>>>>>>>> <ds:KeyInfo> >>>>>>>>> <ds:X509Data> >>>>>>>>> >>>>>>>>> <ds:X509Certificate>MIIB/zCCAWigAwIBAgIEivu33jANBgkqhkiG9w0BAQQFADBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTYwNTA2MTY0MjA2WhcNMjYwNjAzMTY0MjA2WjBEMQ4wDAYDVQQDEwViLmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALK5mrBP6QHREoxOLlXj5wZymSd3CjQM+uLL/qTA+PoXEwrbihKJwG1RFMnGUOG0pUXA4d3dcyu6UIwsGARPZ9rtrSAwcBAGU/Yij+N6y5/6pnHvsf6nD3/3ZW1PYiKLg6bgeHh/KsJOloEAlJCstx6+NqQxYO25vdVXtUAbNdW7AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAchIS/zHu2dVH/rIHfdg62mQhA28Anp7oTbV+ZmrowNRx8r8x43hDtoC7tCCjnC+oh5h63xFB3aV34CrsDAlxiOSQoPDUEVFR+1CoDYmHtrc36o5YXPkIW4+uXXQs9CAey+SA8bImJ7ZpFweJRlczvfin0oHxzNs/zAx7Ufnw694=</ds:X509Certificate> >>>>>>>>> </ds:X509Data> >>>>>>>>> </ds:KeyInfo> >>>>>>>>> </ds:Signature> >>>>>>>>> <saml2:Subject> >>>>>>>>> * <saml2:NameID >>>>>>>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>* >>>>>>>>> <saml2:SubjectConfirmation >>>>>>>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> >>>>>>>>> <saml2:SubjectConfirmationData >>>>>>>>> InResponseTo="angpbleoolbohkhghhaoffcjdbpeicmmenlfldhj" >>>>>>>>> NotOnOrAfter="2016-06-05T18:00:09.459Z" Recipient=" >>>>>>>>> https://192.168.8.100:9443/publisher/jagg/jaggery_acs.jag"; /> >>>>>>>>> </saml2:SubjectConfirmation> >>>>>>>>> </saml2:Subject> >>>>>>>>> <saml2:Conditions NotBefore="2016-06-05T17:55:09.459Z" >>>>>>>>> NotOnOrAfter="2016-06-05T18:00:09.459Z"> >>>>>>>>> <saml2:AudienceRestriction> >>>>>>>>> <saml2:Audience>API_PUBLISHER</saml2:Audience> >>>>>>>>> </saml2:AudienceRestriction> >>>>>>>>> </saml2:Conditions> >>>>>>>>> <saml2:AuthnStatement >>>>>>>>> AuthnInstant="2016-06-05T17:55:09.459Z" >>>>>>>>> SessionIndex="4fe8bee1-967e-4e3b-89a4-479ac891b90a"> >>>>>>>>> <saml2:AuthnContext> >>>>>>>>> >>>>>>>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> >>>>>>>>> </saml2:AuthnContext> >>>>>>>>> </saml2:AuthnStatement> >>>>>>>>> </saml2:Assertion> >>>>>>>>> </saml2p:Response> >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> >>>>>>>>> -- >>>>>>>>> *Bhathiya Jayasekara* >>>>>>>>> *Senior Software Engineer,* >>>>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>>>>> >>>>>>>>> *Phone: +94715478185 <%2B94715478185>* >>>>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>>>>> <https://twitter.com/bhathiyax>* >>>>>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Dev mailing list >>>>>>>>> Dev@wso2.org >>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Omindu Rathnaweera >>>>>>>> Software Engineer, WSO2 Inc. >>>>>>>> Mobile: +94 771 197 211 >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> *Bhathiya Jayasekara* >>>>>>> *Senior Software Engineer,* >>>>>>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>>>>>> >>>>>>> *Phone: +94715478185 <%2B94715478185>* >>>>>>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>>>>>> <http://www.linkedin.com/in/bhathiyaj>* >>>>>>> *Twitter: https://twitter.com/bhathiyax >>>>>>> <https://twitter.com/bhathiyax>* >>>>>>> *Blog: http://movingaheadblog.blogspot.com >>>>>>> <http://movingaheadblog.blogspot.com/>* >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Omindu Rathnaweera >>>>>> Software Engineer, WSO2 Inc. >>>>>> Mobile: +94 771 197 211 >>>>>> >>>>>> _______________________________________________ >>>>>> Dev mailing list >>>>>> Dev@wso2.org >>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>>> >>>>>> >>>>> >>>> >>> >>> >>> -- >>> *Bhathiya Jayasekara* >>> *Senior Software Engineer,* >>> *WSO2 inc., http://wso2.com <http://wso2.com>* >>> >>> *Phone: +94715478185 <%2B94715478185>* >>> *LinkedIn: http://www.linkedin.com/in/bhathiyaj >>> <http://www.linkedin.com/in/bhathiyaj>* >>> *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* >>> *Blog: http://movingaheadblog.blogspot.com >>> <http://movingaheadblog.blogspot.com/>* >>> >> >> > > > -- > *Bhathiya Jayasekara* > *Senior Software Engineer,* > *WSO2 inc., http://wso2.com <http://wso2.com>* > > *Phone: +94715478185 <%2B94715478185>* > *LinkedIn: http://www.linkedin.com/in/bhathiyaj > <http://www.linkedin.com/in/bhathiyaj>* > *Twitter: https://twitter.com/bhathiyax <https://twitter.com/bhathiyax>* > *Blog: http://movingaheadblog.blogspot.com > <http://movingaheadblog.blogspot.com/>* >
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
