Pivotal Knowledge Base

Unbinding SSO Service Instance throws `client must have been created with scope zones.write` error

Environment

Single Sign-On for PCF (Pivotal Cloud Foundry®) 

Versions prior to 1.2.x 

Symptoms

When attempting to run cf unbind-service on an SSO service instance, you see an error similar to:

Server error, status code: 502, error code: 10001, message: Service instance : 
Service broker error: client must have been created with scope zones.write

You might also see this error when you attempt to cf delete the app to which your SSO service instance is bound.

Cause

This is a known issue in older versions of the Single Sign-On for PCF product. It has been fixed as of the 1.2.x versions. To prevent this from occurring in the future, it is highly recommended that you upgrade to SSO 1.2.x, which you can do through Ops Manager and Elastic Runtime versions 1.8.x.

Until you upgrade, use the following resolution to get past this issue.

Resolution 

First, verify that your UAAC identity client has the zones.write permission (it should):

1) Install the uaac client by running gem install cf-uaac (may require root)
2) Target your system domain's login endpoint by running: uaac target https://login.YOUR-SYSTEM-DOMAIN
3) Get an admin token by running: uaac token client get admin -s <secret> (the secret can be found in Ops Manager -> Elastic Runtime Tile -> Credentials Tab -> UAA Section -> Admin Client Credentials)
4) Obtain the UAAC identity client's details by running uaac client get identity and confirm that zones.write appears among its authorities
5) Get the application's client ID by running cf env <app-name>. In the results, you'll see a section called System-Provided: with a JSON entry called client_id, which should contain a UUID. That UUID will be used in step 6). Also note the "auth_domain" field, which should contain the URL of your SSO service. It should look like "https://<subdomain>.login.<sys-domain>". The <subdomain> will also be used in step 6).

Example:

{
  "staging_env_json": {},
  "running_env_json": {},
  "system_env_json": {
    "VCAP_SERVICES": {
      "p-identity": [
        {
          "credentials": {
            "client_id": "b494b960-2687-4455-9293-c009fefc0ca2",
            "client_secret": "<client_secret_UUID>",
            "auth_domain": "https://app-auth.login.run-02.haas-59.pez.pivotal.io"
          },
          "syslog_drain_url": null,
          "label": "p-identity",
          "provider": null,
          "plan": "app-auth",
          "name": "sso",
          "tags": []
        }
      ]
    }
  }
}

6) Run uaac curl /oauth/clients/<client_id-from-step-5> -X DELETE -H "X-Identity-Zone-Subdomain: <subdomain>"

Example:

uaac curl /oauth/clients/b494b960-2687-4455-9293-c009fefc0ca2 -X DELETE -H "X-Identity-Zone-Subdomain: app-auth"

The SSO service instance should now be unbound and you should be free to operate on the app as you please.
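The following is an added example, not part of the Pivotal article: it takes the cf env JSON from step 5, locates every p-identity binding, derives the identity-zone subdomain from auth_domain, and builds the exact uaac curl invocation from step 6 so the client ID and zone header are not copied by hand. The sample JSON is constructed from the page's example; function names are the author's own.

```python
import json
import shlex
import uuid
from urllib.parse import urlparse

# Constructed sample modelled on the article's cf env example (placeholder values).
SAMPLE_CF_ENV = """{
  "system_env_json": {
    "VCAP_SERVICES": {
      "p-identity": [
        {"credentials": {"client_id": "b494b960-2687-4455-9293-c009fefc0ca2",
                         "client_secret": "<client_secret_UUID>",
                         "auth_domain": "https://app-auth.login.run-02.haas-59.pez.pivotal.io"},
         "label": "p-identity", "plan": "app-auth", "name": "sso"}
      ]
    }
  }
}"""


def find_vcap_services(obj):
    """Return the VCAP_SERVICES dict wherever it is nested (the API format
    shown on the page puts it under system_env_json)."""
    if isinstance(obj, dict):
        if isinstance(obj.get("VCAP_SERVICES"), dict):
            return obj["VCAP_SERVICES"]
        for value in obj.values():
            found = find_vcap_services(value)
            if found is not None:
                return found
    return None


def sso_bindings(cf_env_text):
    """Yield (client_id, zone_subdomain) for each p-identity binding.
    The zone subdomain is the first host label of auth_domain, e.g.
    'app-auth' for https://app-auth.login.<sys-domain>."""
    services = find_vcap_services(json.loads(cf_env_text)) or {}
    for binding in services.get("p-identity", []):
        creds = binding.get("credentials", {})
        client_id = str(uuid.UUID(creds["client_id"]))  # refuse a malformed id
        host = urlparse(creds["auth_domain"]).hostname or ""
        subdomain = host.split(".", 1)[0]
        if not subdomain:
            raise ValueError("auth_domain has no zone subdomain: " + creds["auth_domain"])
        yield client_id, subdomain


def uaac_delete_command(client_id, subdomain):
    """Build the step 6 command as an argv list (quote with shlex to print it)."""
    return ["uaac", "curl", "/oauth/clients/" + client_id, "-X", "DELETE",
            "-H", "X-Identity-Zone-Subdomain: " + subdomain]


if __name__ == "__main__":
    for cid, zone in sso_bindings(SAMPLE_CF_ENV):
        print(shlex.join(uaac_delete_command(cid, zone)))
```

Run it against the real output of cf env (the JSON portion) before executing the printed command, so you delete only the client belonging to the bound app.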
