Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi Senduran,

Regarding the LC issue, here is what happens.

1. In your cloud setup you have a governance space [1], which contains a set of assets with references to MobileAppLifeCycle.
2. Governance Registry keeps lifecycles in the config space.
3. When ES is mounted to the above governance space [1] with a fresh config space [2], you don't get the MobileAppLifeCycle there in the new config [2] registry.
4. Hence, old assets will not behave as expected since the lifecycle is missing.
5. Further, when you try to add the MobileAppLifeCycle through the governance API, it doesn't allow you to do so, saying the MobileAppLifeCycle is already there.
6. The reason for #5 above is that the governance API checks whether any resource has a reference to that MobileAppLifeCycle name (instead of checking the config space for available lifecycles) before allowing us to add it (which is IMO wrong).

Hence, you will have to use the same gov/config database pair, or you will have to clean up the governance database by removing assets which refer to non-existing lifecycles.

/Ruchira

On Wed, Feb 18, 2015 at 9:20 AM, Senduran Balasubramaniyam sendu...@wso2.com wrote:
> [...]

--
*Ruchira Wageesha* *Associate Technical Lead*
*WSO2 Inc. - lean . enterprise . middleware | wso2.com*
*email: ruch...@wso2.com, blog: ruchirawageesha.blogspot.com, mobile: +94 77 5493444*

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
FYI, this issue can be tracked here: https://wso2.org/jira/browse/STORE-607

@Ruchira, thanks for the workaround at the moment.

On Fri, Jan 23, 2015 at 9:47 PM, Senduran Balasubramaniyam sendu...@wso2.com wrote:
> [...]

--
*Senduran*
Software Engineer, WSO2, Inc.; http://wso2.com/
Mobile: +94 77 952 6548
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
On Fri, Jan 23, 2015 at 4:21 PM, Senduran Balasubramaniyam sendu...@wso2.com wrote:
> Hi,
>
> Even when I add the UseAuthenticatedUserDomainCrypto to true in IS, I am still getting the same exception. Is this because IS couldn't identify whether it is the tenant or admin who has logged in, as Malithi mentioned in "[IS] [ES] Signature Validation fails when tenant logs into SSO enabled Publisher"?

Hm.. I doubt how something like this could happen. If there is a logged-in session, that means there is an associated user whose tenant domain can be determined. Relying on a passed tenant domain is never secure for authenticated users.

Anyway, can you talk to me on Monday, so that we can have a look with the property suggested by Pushpalanka.

/Ruchira
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi Ruchira,

There is a property introduced in IS 5.0.0 called UseAuthenticatedUserDomainCrypto to make it backward compatible. The link below has a description of its usage.

[1] - https://docs.wso2.com/display/IS500/Configuring+identity.xml

Thanks,
Pushpalanka.

--
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka

On Fri, Jan 23, 2015 at 3:02 PM, Ruchira Wageesha ruch...@wso2.com wrote:
> [...]
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi ES team,

We have spent quite a lot of time on this issue but haven't found a resolution yet. This will be a blocker for ES as well as iPaaS milestones. Can we get somebody from the ES team to look into this ASAP please?

On Wed, Jan 21, 2015 at 8:39 AM, Senduran Balasubramaniyam sendu...@wso2.com wrote:
> Hi Sameera,
>
> Unfortunately the exception is still there; I tried as you instructed.
>
> What I guess is, if a tenant is logged in, ES is trying to verify the signature against the tenant's specific keystore, while IS considers the wso2carbon keystore. Is there any configuration in ES to check with the wso2carbon keystore even for the tenant?
>
> Thank you
> Senduran
>
> On Tue, Jan 20, 2015 at 9:07 PM, Sameera Medagammaddegedara samee...@wso2.com wrote:
>> Hi Senduran,
>>
>> Can we try the following:
>>
>> Export the primary key of the IS:
>>
>> keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2.cert
>>
>> Then import the certificate to the tenant's key store (Home > Configure > KeyStores > Import Certificates To).
>>
>> Thank You,
>> Sameera
>>
>> On Tue, Jan 20, 2015 at 6:43 AM, Senduran Balasubramaniyam sendu...@wso2.com wrote:
>>> [...]
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi Kasun,

I worked with Senduran and it seemed like a certificate mismatch. AFAICR, due to the latest changes in the IS code base, the tenant key store is used during SSO. Hence, ES, which is based on newer IS code, expects tenant certs to be used, where IS 5.0 expects super-tenant certs to be used. AFAIK, I think this should be the issue here. Hence, can somebody from the IS team verify my doubt please?

@Kasun/Senduran, if it is my doubt, then you will have to use it with an IS pack which has that change.

On Fri, Jan 23, 2015 at 1:58 PM, Kasun Indrasiri ka...@wso2.com wrote:
> [...]
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi Pushpalanka,

Is using the tenant keystore the deprecated way or the recommended way? According to the doc, it seems to be the older approach, but I was under the impression it is the recommended way.

On Fri, Jan 23, 2015 at 3:19 PM, Pushpalanka Jayawardhana la...@wso2.com wrote:
> [...]
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi,

Even when I add the UseAuthenticatedUserDomainCrypto to true in IS, I am still getting the same exception. Is this because IS couldn't identify whether it is the tenant or admin who has logged in, as Malithi mentioned in "[IS] [ES] Signature Validation fails when tenant logs into SSO enabled Publisher"?

Regards
Senduran

On Fri, Jan 23, 2015 at 3:19 PM, Pushpalanka Jayawardhana la...@wso2.com wrote:
> [...]
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Sure Ruchira,

Thanks
Senduran

On Fri, Jan 23, 2015 at 7:23 PM, Ruchira Wageesha ruch...@wso2.com wrote:
> [...]
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi,

I debugged org.wso2.store.sso.common.util.Util (product-es/modules/components/sso-common). I also attached xmltooling-1.3.1-sources.jar and xmlsec-1.5.5-sources.jar to get the complete executing code. I compared the signingCert variable (in org.wso2.store.sso.common.util.X509CredentialImpl) when I log in as a tenant.

If I log in to ES's management console, the subject of the certificate is

    CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US

but when I log in to the publisher as the same tenant, the subject of the certificate is

    C=None, O=None, L=None, OU=None, CN=istenant.com

Please note that in both of the above scenarios I am logging in as a tenant, and when I try to log in to the publisher the signature is being validated against the tenant-specific certificate. Is this causing the "org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key" exception?

Thanks
Senduran

On Mon, Jan 19, 2015 at 11:31 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi Senduran,

Can we try the following:

Export the primary key of the IS:

    keytool -export -keystore wso2carbon.jks -alias wso2carbon -file wso2.cert

Then import the certificate to the tenant's key store (Home > Configure > KeyStores > Import Certificates To).

Thank You,
Sameera

On Tue, Jan 20, 2015 at 6:43 AM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi Sameera,

Unfortunately the exception is still there; I tried as you instructed. What I guess is that if a tenant is logged in, ES is trying to verify the signature against the tenant's specific keystore, while IS considers the wso2carbon keystore. Is there any configuration in ES to check with the wso2carbon keystore even for the tenant?

Thank you
Senduran

On Tue, Jan 20, 2015 at 9:07 PM, Sameera Medagammaddegedara <samee...@wso2.com> wrote:
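The mismatch Senduran describes above (SP validating against the tenant's certificate while IS signs with the super-tenant key) is easy to reproduce in isolation. The following is an added Go example, not code from ES, IS or this thread: it generates a super-tenant signing certificate (CN=localhost, O=WSO2) and a tenant certificate (CN=istenant.com), signs a stand-in response with the super-tenant key, and validates it once against each. XML-DSig is simplified to a plain RSA signature over the response bytes; the certificate subjects and the keystore names are the thread's, the keys and the response are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKeyEntry generates a throw-away RSA key and self-signed certificate,
// standing in for one private-key entry of a WSO2 keystore. Nothing here is
// read from a real JKS; the subjects are the only values taken from the thread.
func newKeyEntry(subject pkix.Name) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

// signResponse models IS signing a SAML Response with its primary key. Real
// IS output is an XML-DSig enveloped signature over the canonicalised
// element; here it is RSA PKCS#1 v1.5 over SHA-256 of the raw bytes.
func signResponse(idpKey *rsa.PrivateKey, response []byte) ([]byte, error) {
	digest := sha256.Sum256(response)
	return rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
}

// validateSignature is the SP-side check, the step Util.validateSignature
// performs with OpenSAML in the thread. The error names the credential's
// subject, the same comparison Senduran made on X509CredentialImpl.
func validateSignature(cred *x509.Certificate, response, sig []byte) error {
	pub, ok := cred.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("credential %q has no RSA public key", cred.Subject.String())
	}
	digest := sha256.Sum256(response)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature did not validate against %q: %w", cred.Subject.String(), err)
	}
	return nil
}

// RunScenario reproduces the thread's situation. The IdP signs with the
// super-tenant (wso2carbon) key; the SP validates once with the credential
// from the logged-in tenant's keystore and once with the IdP certificate
// pinned under a fixed alias in its own trust store, and returns both errors.
func RunScenario() (tenantCredErr, idpCredErr, setupErr error) {
	idpKey, idpCert, err := newKeyEntry(pkix.Name{CommonName: "localhost", Organization: []string{"WSO2"}})
	if err != nil {
		return nil, nil, err
	}
	_, tenantCert, err := newKeyEntry(pkix.Name{CommonName: "istenant.com"})
	if err != nil {
		return nil, nil, err
	}
	// Constructed stand-in for the signed Response; the bytes themselves are arbitrary.
	response := []byte(`<samlp:Response ID="_resp1" Destination="https://localhost:9443/publisher/acs"/>`)
	sig, err := signResponse(idpKey, response)
	if err != nil {
		return nil, nil, err
	}
	// Credential resolved from the logged-in tenant's keystore (the behaviour
	// Senduran suspects): the tenant's own cert never signed anything, so this fails.
	tenantCredErr = validateSignature(tenantCert, response, sig)
	// Credential resolved by the IdP's alias in the SP's trust store, independent
	// of who logged in: this is the key that signed, so this passes.
	idpCredErr = validateSignature(idpCert, response, sig)
	return tenantCredErr, idpCredErr, nil
}

func main() {
	tenantErr, idpErr, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("tenant keystore credential: %v\npinned IdP credential: %v\n", tenantErr, idpErr)
}
```

The first validation reports the failure against the CN=istenant.com credential, the second succeeds, which is the behaviour the SP needs when it keys the verification certificate on the IdP rather than on the authenticated user's tenant.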
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi Senduran,

There's a separate primary keystore generated for the tenant. Since you have enabled response signing also, the service provider that you have registered should know the public key of the IdP in order to validate. Hence, the service provider should have the public key of the IdP in its keystore and validate the signature acquiring the respective alias. So in this case I think that you should import the public cert of the respective tenant to your publisher's keystore.

Thanks,
Malithi.

On Mon, Jan 19, 2015 at 12:35 PM, Senduran Balasubramaniyam <sendu...@wso2.com> wrote:
Re: [Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi,

Thanks Malithi for the response. I tried un-checking "Enable Response Signing", but even when I log in as admin I got the following exception:

java.lang.NullPointerException
    at org.opensaml.xml.signature.SignatureValidator.buildSignature(SignatureValidator.java:91)
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:55)
    at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    .

What am I missing here?

@ES Team, could you please help me on how to import the public certificate of a tenant to the publisher's key store. Where can I find the tenant's public certificate?

Thank you
Senduran

On Mon, Jan 19, 2015 at 8:10 PM, Malithi Edirisinghe <malit...@wso2.com> wrote:
[Dev] [ES] Tenant couldn't login to publisher when SSO is enabled with IS
Hi,

I am experiencing $subject with ES 2.0.0 M5. Following are the changes I made to configure SSO.

- Shared registry and user database between ES and IS
- In ES's user-mgt.xml, pointed the UserStoreManager to IS's embedded LDAP
- Modified as follows in the publisher and store json:
      identityProviderURL: https://localhost:IS-Port/samlsso
- Created a Service Provider for publisher and store in IS as follows:

  SP for publisher
      Issuer: publisher
      Assertion Consumer URL: https://localhost:ES-Port/publisher/acs
      Use fully qualified username in the NameID
      Enable Response Signing
      Enable Assertion Signing
      Enable Single Logout

  SP for store
      Issuer: store
      Assertion Consumer URL: https://localhost:ES-Port/store/acs
      Use fully qualified username in the NameID
      Enable Response Signing
      Enable Assertion Signing
      Enable Single Logout

When admin logs in, the publisher behaves as expected (i.e. the page is redirected to the IS login and then back to the publisher; if an SSO session is already available, it goes directly to the publisher). But when I log in as a tenant, the browser is redirected to https://localhost:9443/publisher/acs and the following exception is shown in the console:

INFO {JAGGERY.controllers.login:jag} - Login URL: https://localhost:9447/samlsso
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
    at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
    at org.wso2.store.sso.common.util.Util.validateSignature(Util.java:290)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
    at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:225)
    at org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)
    at org.jaggeryjs.rhino.sso.scripts.c0._c_anonymous_3(sso/scripts/sso.client.js:50)
    at org.jaggeryjs.rhino.sso.scripts.c0.call(sso/scripts/sso.client.js)
    at org.mozilla.javascript.optimizer.OptRuntime.call2(OptRuntime.java:42)
    at org.jaggeryjs.rhino.publisher.controllers.c1._c_anonymous_1(/publisher/controllers/acs.jag:48)
    at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
    at org.mozilla.javascript.optimizer.OptRuntime.call0(OptRuntime.java:23)
    at org.jaggeryjs.rhino.publisher.controllers.c1._c_script_0(/publisher/controllers/acs.jag:20)
    at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
    at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
    at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
    at org.jaggeryjs.rhino.publisher.controllers.c1.call(/publisher/controllers/acs.jag)
    at org.jaggeryjs.rhino.publisher.controllers.c1.exec(/publisher/controllers/acs.jag)
    at org.jaggeryjs.scriptengine.engine.RhinoEngine.execScript(RhinoEngine.java:567)
    at org.jaggeryjs.scriptengine.engine.RhinoEngine.exec(RhinoEngine.java:273)
    at org.jaggeryjs.jaggery.core.manager.WebAppManager.execute(WebAppManager.java:559)
    at org.jaggeryjs.jaggery.core.JaggeryServlet.doPost(JaggeryServlet.java:29)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:748)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:486)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:378)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:338)
    at org.jaggeryjs.jaggery.core.JaggeryFilter.doFilter(JaggeryFilter.java:21)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at