Pivotal Knowledge Base


Unbinding SSO Service Instance Throws "client must have been created with scope zones.write" Error


  • Single Sign-On for Pivotal Cloud Foundry (PCF)
  • Versions prior to 1.2.x 


When attempting to run cf unbind-service on an SSO service instance, you see an error similar to:

Server error, status code: 502, error code: 10001, message: Service instance : 
Service broker error: client must have been created with scope zones.write

You might also see this error when you run cf delete on the app to which the SSO service instance is bound.


This is a known issue in older versions of the Single Sign-On for PCF product; it is fixed as of the 1.2.x versions. To prevent it from recurring, it is highly recommended that you upgrade to SSO 1.2.x, which you can do through Ops Manager with Elastic Runtime 1.8.x.

To work around the issue in the meantime, follow the resolution steps below.


First, verify that the UAA identity client does have the zones.write permission (it should):

1. Install the uaac client by running gem install cf-uaac (may require root).
2. Target the login endpoint of your system domain by running: uaac target https://login.YOUR-SYSTEM-DOMAIN
3. Get an admin token by running: uaac token client get admin -s <secret> (the secret can be found in Ops Manager -> Elastic Runtime Tile -> Credentials Tab -> UAA Section -> Admin Client Credentials).
4. Obtain the identity client's details by running uaac client get identity and confirm that zones.write is listed.
5. Get the application's client ID by running cf env <app-name>. In the output, under the System-Provided: section, you'll find a JSON entry called client_id that contains a UUID; that UUID is used in step 6. Also note the auth_domain field, which contains the URL of your SSO service and looks like https://<subdomain>.login.<sys-domain>. The <subdomain> is also used in step 6.


"staging_env_json": {},
"running_env_json": {},
"system_env_json": {
  "p-identity": [
    {
      "credentials": {
        "client_id": "b494b960-2687-4455-9293-c009fefc0ca2",
        "client_secret": "<client_secret_UUID>",
        "auth_domain": "https://app-auth.login.run-02.haas-59.pez.pivotal.io"
      },
      "syslog_drain_url": null,
      "label": "p-identity",
      "provider": null,
      "plan": "app-auth",
      "name": "sso",
      "tags": []
    }
  ]
}

6. Run uaac curl /oauth/clients/<client_id-from-step-5> -X DELETE -H "X-Identity-Zone-Subdomain: <subdomain>"


uaac curl /oauth/clients/b494b960-2687-4455-9293-c009fefc0ca2 -X DELETE -H "X-Identity-Zone-Subdomain: app-auth"
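The following POSIX shell script is an added example and is not part of the Pivotal article or the uaac tool. It shows how an operator can derive the step 6 command from saved cf env output instead of copying the UUID and subdomain by hand, and how to check the step 4 output for zones.write before deleting anything. Both inputs are constructed samples embedded in the script (the cf env excerpt reuses the values shown above; the uaac client get identity excerpt is an approximation of that command's layout, and only the presence of zones.write is relied on). The script only prints the delete command; running it is left to the operator.

```shell
#!/bin/sh
# Added example, not from the Pivotal KB article: derive the uaac cleanup
# command from the article's step 6 out of "cf env" output, and check that the
# identity client lists zones.write (step 4). Both samples below are
# constructed to mirror the article's output; they are not real captures.

# Constructed excerpt of "cf env <app-name>" output (same values the article shows).
SAMPLE_CF_ENV='"system_env_json": {
  "p-identity": [
    {
      "credentials": {
        "client_id": "b494b960-2687-4455-9293-c009fefc0ca2",
        "client_secret": "<client_secret_UUID>",
        "auth_domain": "https://app-auth.login.run-02.haas-59.pez.pivotal.io"
      },
      "label": "p-identity",
      "plan": "app-auth",
      "name": "sso"
    }
  ]
}'

# Constructed approximation of "uaac client get identity" output; the real
# field layout may differ, only the presence of "zones.write" matters here.
SAMPLE_IDENTITY_CLIENT='  client_id: identity
  scope: uaa.none
  authorized_grant_types: client_credentials
  authorities: zones.write zones.read scim.zones'

# Step 4 check: does the identity client carry zones.write?
has_zones_write() {
  printf '%s\n' "$1" | grep -q 'zones\.write'
}

# Pull the first "client_id" value out of the cf env JSON (no jq dependency).
extract_client_id() {
  printf '%s\n' "$1" | sed -n 's/.*"client_id": *"\([^"]*\)".*/\1/p' | head -n 1
}

# auth_domain is https://<subdomain>.login.<sys-domain>; return <subdomain>.
extract_subdomain() {
  printf '%s\n' "$1" | sed -n 's|.*"auth_domain": *"https://\([^.]*\)\.login\.[^"]*".*|\1|p' | head -n 1
}

# Guard: the client id must look like a UUID before it goes into a DELETE URL.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Build (but do not run) the step 6 command; fail if any piece is missing or odd.
build_delete_command() {
  client_id=$(extract_client_id "$1")
  subdomain=$(extract_subdomain "$1")
  [ -n "$client_id" ] && [ -n "$subdomain" ] || return 1
  is_uuid "$client_id" || return 1
  printf 'uaac curl /oauth/clients/%s -X DELETE -H "X-Identity-Zone-Subdomain: %s"\n' \
    "$client_id" "$subdomain"
}

# Dry run on the constructed sample: print the command for an operator to review.
if has_zones_write "$SAMPLE_IDENTITY_CLIENT"; then
  build_delete_command "$SAMPLE_CF_ENV"
else
  echo "identity client lacks zones.write; resolve that before step 6" >&2
fi
```

To use it against a real app, replace SAMPLE_CF_ENV with the captured output of cf env <app-name> and SAMPLE_IDENTITY_CLIENT with the output of uaac client get identity; the UUID guard refuses to build a DELETE request for anything that does not look like a client ID, so a copy-and-paste slip fails loudly instead of deleting the wrong OAuth client.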

The SSO service instance should now be unbound and you should be free to operate on the app as you please.

