Question
Environment:
- WSO2 API-M + WSO2 Identity Server (Key Manager), sharing the same user store.
- 2 service providers (publisher and store) and 2 identity providers (Google and Facebook) in the carbon.super tenant.
- SSO service enabled; issuer IDs follow the above.
- OAuth 2.0 users (Google and Facebook) enabled to log in.
- 3 tenants (carbon.super, TA and TB) in the environment.
What I tried:
- Social accounts can log in to publisher and store, and they will be directed to the carbon.super publisher.
- TA users can't log in to publisher without SaaS enabled on the publisher SP. (Service Provider tenant domain must be equal to user tenant domain for non-SaaS applications.)
- TA and TB users can log in to publisher with SaaS enabled on the publisher SP, but they will be redirected to the carbon.super tenant.
- TA/TB users can browse their own tenant publisher when they try sending tenantDomain=, but they will be redirected to the carbon.super publisher, and when users deploy APIs to publisher the API is deployed on the carbon.super publisher. (The API will be published on the carbon.super store.)
What I want:
- Tenant users can log in to the correct tenant publisher and deploy APIs on it with SSO. (Social account login to the carbon.super tenant is fine.)
Thanks
Tom
Answer 1:
If you are willing to have another security mechanism, you need to write a CXF handler and plug it into the web applications. It's always recommended to use one or more security mechanisms with this API, as users can do almost all critical operations using these APIs.
You can change the CXF interceptor by editing the WEB-INF/beans.xml files. You can see the following entry for the security interceptor.
By default the API Manager REST API uses OAuth 2.0 and does not use SSO-based authentication for the REST API. However, if you need to do assertion-based validation to allow API access, you can do that with a CXF interceptor as mentioned above.
Thanks,
sanjeewa.
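Added example (not code from the original answer, nor from WSO2's own code base): a CXF in-interceptor of the kind the answer suggests plugging into the REST API web application. It enforces the rule the question runs into, that the authenticated user's tenant domain must match the tenant the request targets, and refuses the call instead of letting a TA user act on the carbon.super publisher. The header names X-Authenticated-User and X-Tenant-Domain, the `user@tenant` username form and the `tenantDomain` exchange key are assumptions made for this example; how the user was authenticated upstream (OAuth token or SAML assertion) is outside its scope.

```java
// Added example, not from the original answer or the WSO2 code base.
// CXF in-interceptor that rejects REST API requests whose authenticated
// user belongs to a different tenant than the one the request targets.
// Header names and the exchange key are assumptions for this example.
import java.util.List;
import java.util.Map;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public class TenantMatchInterceptor extends AbstractPhaseInterceptor<Message> {

    static final String SUPER_TENANT = "carbon.super";
    static final String USER_HEADER = "X-Authenticated-User"; // assumption
    static final String TENANT_HEADER = "X-Tenant-Domain";    // assumption

    public TenantMatchInterceptor() {
        // PRE_INVOKE runs after the request has been read but before the
        // JAX-RS resource method is called, so a rejection here never
        // reaches the publisher's API-deployment code.
        super(Phase.PRE_INVOKE);
    }

    /** Tenant domain of a tenant-qualified username: "tom@TA" -> "TA".
     *  A username with no '@' suffix belongs to carbon.super. */
    static String tenantOf(String username) {
        int at = username.lastIndexOf('@');
        if (at < 0 || at == username.length() - 1) {
            return SUPER_TENANT;
        }
        return username.substring(at + 1);
    }

    /** Tenant the request targets: the header value if present, else carbon.super. */
    static String requestedTenant(Map<String, List<String>> headers) {
        List<String> values = headers == null ? null : headers.get(TENANT_HEADER);
        if (values == null || values.isEmpty() || values.get(0).trim().isEmpty()) {
            return SUPER_TENANT;
        }
        return values.get(0).trim();
    }

    @Override
    @SuppressWarnings("unchecked")
    public void handleMessage(Message message) throws Fault {
        Map<String, List<String>> headers =
                (Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS);
        List<String> users = headers == null ? null : headers.get(USER_HEADER);
        if (users == null || users.isEmpty() || users.get(0).trim().isEmpty()) {
            throw status(401, "no authenticated user on request");
        }
        String userTenant = tenantOf(users.get(0).trim());
        String targetTenant = requestedTenant(headers);
        if (!userTenant.equalsIgnoreCase(targetTenant)) {
            // The failure mode from the question: a TA user ending up on the
            // carbon.super publisher. Refuse rather than silently redirect.
            throw status(403, "user tenant " + userTenant
                    + " does not match requested tenant " + targetTenant);
        }
        // Make the verified tenant available to the resource method.
        message.getExchange().put("tenantDomain", targetTenant);
    }

    /** Build a Fault carrying the HTTP status the client should see. */
    private static Fault status(int code, String reason) {
        Fault fault = new Fault(new SecurityException(reason));
        fault.setStatusCode(code);
        return fault;
    }
}
```

To wire it in the way the answer describes, declare the class as a bean in the web application's WEB-INF/beans.xml and reference it from the `<jaxrs:inInterceptors>` list of the `jaxrs:server` element alongside the existing security interceptor. Note the assumption on usernames: if email-style usernames are enabled in the user store, a bare `tom@example.com` would be read here as tenant `example.com`, so the tenant would then have to be taken from the authenticated principal rather than parsed from the username.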
Source: https://stackoverflow.com/questions/37851451/wso2-cant-login-to-correct-publisher-tenant