Pivotal Knowledge Base


BOSH Director SAML Authentication Fails After Upgrading to 1.7 or 1.8


 Pivotal Ops Manager versions 1.7.24 and 1.8.16


Getting a one-time passcode from BOSH Director could fail after upgrading to version 1.7 or 1.8 with SAML authentication enabled in Ops Manager.

From the CLI, the user attempts to target and log in to BOSH Director after the upgrade completes successfully:

$ bosh --ca-cert /var/tempest/workspaces/default/root_ca_certificate login
One Time Code ( Get one at ):

When a user goes to the Web Address, the following error is observed:

Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is Unable to verify the signature


There was a regression in Ops Manager 1.7 and 1.8 which omits the SAML serviceProviderKey and serviceProviderCertificate keys from the director manifest. This causes UAA on the director to use an expired SSL certificate and may cause SAML authentication to fail if the identity provider is performing an SSL verification.


This issue only impacts Ops Manager version 1.7 and 1.8:

  • Fixed in Ops Manager 1.7.25 and higher
  • Fixed in Ops Manager 1.8.17 and higher

All later releases do not have this problem.


  • Obtain the values of keys "serviceProviderKey" and "serviceProviderCertificate" from /home/tempest-web/uaa/config/login.yml on the Ops Manager host
  • Apply the key/values obtained from the Ops Manager UAA login.yml to the BOSH Director /var/vcap/jobs/uaa/config/login.yml file:
        serviceProviderKey: |
          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----
        serviceProviderCertificate: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----
  • Restart UAA on the BOSH Director using:
    monit restart uaa 
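
A check for the workaround above, added here as an example and not part of the original article or Pivotal's tooling: it confirms that a login.yml contains both keys, that the certificate has not expired, and that the private key belongs to it. It assumes bash, awk and openssl on the host; the function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not Pivotal tooling: verify the SAML SP key pair in a UAA login.yml.
# Assumes bash, awk and openssl; function names are hypothetical.

# Print the PEM block stored under a YAML block-scalar key, indentation stripped.
extract_pem() {  # usage: extract_pem KEY FILE
  awk -v key="$1" '
    $1 == (key ":")              { grab = 1; next }
    grab && /^[ \t]*-----BEGIN / { inpem = 1 }
    inpem                        { sub(/^[ \t]+/, ""); print }
    inpem && /^-----END /        { exit }
    grab && !inpem && NF         { exit }  # key present but holds no PEM block
  ' "$2"
}

# Print MISSING / EXPIRED / MISMATCH / OK for the pair in FILE.
check_sp_keypair() {  # usage: check_sp_keypair FILE
  local cert key cert_pub key_pub
  cert="$(extract_pem serviceProviderCertificate "$1")"
  key="$(extract_pem serviceProviderKey "$1")"
  [ -n "$cert" ] || { echo "MISSING serviceProviderCertificate"; return 2; }
  [ -n "$key" ] || { echo "MISSING serviceProviderKey"; return 2; }
  # -checkend 0 exits non-zero when notAfter is already in the past.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "EXPIRED or unreadable certificate"; return 3; }
  # The private key must belong to the certificate: compare public-key digests.
  cert_pub="$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null | openssl sha256)"
  key_pub="$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null | openssl sha256)"
  [ "$cert_pub" = "$key_pub" ] || { echo "MISMATCH key does not match certificate"; return 4; }
  echo "OK"
}

# Constructed sample reproducing the regression: a login.yml with neither key.
demo_missing() {
  local f rc=0
  f="$(mktemp)"
  printf 'login:\n  saml:\n    placeholder: constructed-sample\n' > "$f"
  check_sp_keypair "$f" || rc=$?
  rm -f "$f"
  return "$rc"
}

# Check a real file when a path is given, e.g. /var/vcap/jobs/uaa/config/login.yml
if [ "$#" -gt 0 ]; then check_sp_keypair "$1"; fi
```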

