- Single Sign-On for Pivotal Cloud Foundry (PCF)
- Versions prior to 1.2.x
When attempting to run
cf unbind-service on an SSO service instance, you see an error similar to:
Server error, status code: 502, error code: 10001, message: Service instance :
Service broker error: client must have been created with scope zones.write
You might also see this error when you attempt to
cf delete the app to which your SSO service instance is bound to.
This is a known issue in older versions of the Single Sign-On for PCF product. This has been fixed as of 1.2.x versions. To prevent this from occurring in the future, it is highly recommended you upgrade to SSO 1.2.x, which you can do through the Ops Manager & Elastic Runtime Versions 1.8.x.
In order to get past this issue in the meantime, please see the following resolution section.
First, we should verify that your
identity client does have the zones.write permission (it should)
uaac client by running
gem install cf-uaac (may require root)
2. Target your system domain to login by running:
uaac target https://login.YOUR-SYSTEM-DOMAIN
3. Get admin token by running:
uaac token client get admin -s <secret> (
secret can be found in the Ops Manager -> Elastic Runtime Tile -> Credentials Tab -> UAA Section -> Admin Client Credentials)
UAAC identity client info by running
uaac client get identity5. Get the applications client ID by running
cf env <app-name>. In the results, you'll see a section called
System-Provided: with a JSON entry called
client_id, which should contain a UUID. That UUID will be used in step 6). Also note the
"auth_domain" field which should contain your URL for your SSO service. It should look like
<subdomain> will be used in step 6) also.
uaac curl /oauth/clients/<client_id-from-step-7> -X DELETE -H "X-Identity-Zone-Subdomain: <subdomain>"
uaac curl /oauth/clients/b494b960-2687-4455-9293-c009fefc0ca2 -X DELETE -H "X-Identity-Zone-Subdomain: app-auth"
The SSO service instance should now be unbound and you should be free to operate on the app as you please.