Hi Megala,

Those configuration parameters in authenticators.xml are related to the IDP, in publisher the SP side validation should happen based on the configurations in publisher.json.
But when I try to debug the scenario, the spId was taken from authenticators.xml but it shouldn't happen like that. AFAIK it has to be taken from sso-idp-config.xml.

Thanks

On Tue, Oct 4, 2016 at 9:11 AM, Megala Uthayakumar <[email protected]> wrote:

> Hi Thilini,
>
> Thank you for your explanation. The above mentioned error log got printed
> if the following are not included in authenticators.xml
>
> <Parameter name="ResponseSignatureValidationEnabled">false</Parameter>
> <Parameter name="AssertionSignatureValidationEnabled">false</Parameter>
>
> under SAML2SSOAuthenticator configuration. Because in [1] those 2
> parameters are checked and if those are false, validate signature part is
> skipped. If those properties are not included in authenticators.xml,
> signature validation fails and the relevant error log got printed as in [2]
> and this happens when the code on [3] gets executed. My question was what
> is reasoning behind this?
>
> [1] https://github.com/wso2-extensions/identity-carbon-auth-saml2/blob/master/components/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java#L415
> [2] https://github.com/wso2-extensions/identity-carbon-auth-saml2/blob/master/components/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java#L135
> [3] https://github.com/wso2/carbon-appmgt/blob/master/features/org.wso2.carbon.appmgt.publisher.feature/src/main/resources/publisher/controllers/acs.jag#L135
>
> Thanks.
>
> Regards,
> Megala
>
> On Mon, Oct 3, 2016 at 12:55 PM, Thilini Shanika <[email protected]>
> wrote:
>
>> Hi Megala,
>>
>> When I try to login to carbon-appmgt publisher as a tenant admin in EMM,
>> it prints the following message in the console,
>> *[2016-10-02 20:23:46,814] ERROR
>> {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} -
>> Authentication Request is rejected. Signature validation failed.*
>>
>> But I tried the same with the APPM pack downloaded from jenkins. But the
>> relevant error message is not getting printed in the same scenario. While
>> further analyzing, I found that by default, AssertionSignatureValidation is
>> disabled in APPM [1]. What is the reason behind disabling this?
>>
>> The config in [1] is not related to Assertion signature validation. You
>> can find App manager publisher, store SAML response validation related
>> configs in [2] (publisher) and [3] (store) and you can enable/disable
>> signature validation via '*responseSigningEnabled*' property under
>> ssoConfiguration.
>> By default, this property is enabled in App Manager.
>>
>> jaggery SSO module is responsible for processing SAML response and
>> validating it according to given configurations [4]. Please check whether
>> the changes done to SSO module are reflected in EMM branch.
>>
>> [1] - https://github.com/wso2/product-app-manager/blob/master/modules/distribution/product/pom.xml#L107
>> [2] - https://github.com/wso2/carbon-appmgt/blob/master/features/org.wso2.carbon.appmgt.publisher.feature/src/main/resources/publisher/config/publisher.json#L52
>> [3] - https://github.com/wso2/carbon-appmgt/blob/master/features/org.wso2.carbon.appmgt.store.feature/src/main/resources/store/config/store.json#L17
>> [4] - https://github.com/wso2/carbon-store/blob/app-manager-4.4.x-kernel/jaggery-modules/sso/scripts/sso.client.js#L142
>>
>> On Sun, Oct 2, 2016 at 8:53 PM, Megala Uthayakumar <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> When I try to login to carbon-appmgt publisher as a tenant admin in EMM,
>>> it prints the following message in the console,
>>> *[2016-10-02 20:23:46,814] ERROR
>>> {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} -
>>> Authentication Request is rejected. Signature validation failed.*
>>>
>>> But I tried the same with the APPM pack downloaded from jenkins. But the
>>> relevant error message is not getting printed in the same scenario. While
>>> further analyzing, I found that by default, AssertionSignatureValidation is
>>> disabled in APPM [1]. What is the reason behind disabling this?
>>>
>>> [1] https://github.com/wso2/product-app-manager/blob/master/modules/distribution/product/pom.xml#L107
>>>
>>> Thanks.
>>>
>>> Regards,
>>> Megala
>>> --
>>> Megala Uthayakumar
>>>
>>> Software Engineer
>>> Mobile : 0779967122
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>
>> --
>> Thilini Shanika
>> Senior Software Engineer
>> WSO2, Inc.; http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>>
>> E-mail: [email protected]
>>
>
> --
> Megala Uthayakumar
>
> Software Engineer
> Mobile : 0779967122
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>

--
Prakhash Sivakumar
Software Engineer | WSO2 Inc
Platform Security Team
Mobile : +94771510080
Blog : https://medium.com/@PrakhashS
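
An added example, not part of the thread or of WSO2's code: a small audit that reports which of the signature checks discussed in these messages a deployment has switched off, in authenticators.xml and in publisher.json. The file layouts in the samples are constructed assumptions; only the parameter and property names come from the messages.

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples. The element layout is an assumption; only the
# parameter and property names are taken from the thread.
AUTHENTICATORS_XML = """<Authenticators>
  <Authenticator name="SAML2SSOAuthenticator">
    <Config>
      <Parameter name="ServiceProviderID">carbonServer</Parameter>
      <Parameter name="ResponseSignatureValidationEnabled">false</Parameter>
    </Config>
  </Authenticator>
</Authenticators>"""
PUBLISHER_JSON = '{"ssoConfiguration": {"responseSigningEnabled": "true"}}'

SIG_PARAMS = ("ResponseSignatureValidationEnabled",
              "AssertionSignatureValidationEnabled")


def _local(tag):
    """Drop an XML namespace prefix so files with xmlns are handled too."""
    return tag.rsplit("}", 1)[-1]


def audit_authenticators(xml_text):
    """Map each signature parameter to 'enforced' or 'skipped'."""
    result = {}
    for auth in ET.fromstring(xml_text).iter():
        if _local(auth.tag) != "Authenticator":
            continue
        if auth.get("name") != "SAML2SSOAuthenticator":
            continue
        params = {p.get("name"): (p.text or "").strip().lower()
                  for p in auth.iter() if _local(p.tag) == "Parameter"}
        for name in SIG_PARAMS:
            # Per the thread: validation is skipped only when the value is
            # false; leaving the parameter out keeps validation on.
            skipped = params.get(name) == "false"
            result[name] = "skipped" if skipped else "enforced"
    return result


def audit_publisher(json_text):
    """Return 'enforced', 'skipped' or 'unset' for responseSigningEnabled."""
    sso = json.loads(json_text).get("ssoConfiguration", {})
    if "responseSigningEnabled" not in sso:
        return "unset"
    value = str(sso["responseSigningEnabled"]).strip().lower()
    return "enforced" if value == "true" else "skipped"


if __name__ == "__main__":
    print(audit_authenticators(AUTHENTICATORS_XML))
    print("publisher.json:", audit_publisher(PUBLISHER_JSON))
```
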
