Pivotal Knowledge Base


BOSH Director SAML authentication fails after upgrade to 1.7 or 1.8

Environment

 Product              Version
 Pivotal Ops Manager  1.7.24, 1.8.16

Symptom

Getting a one-time passcode from BOSH Director could fail after upgrading to version 1.7 or 1.8 with SAML authentication enabled in Ops Manager.

From CLI, the user attempts to target and login to BOSH Director after upgrade completes successfully:

$ bosh --ca-cert /var/tempest/workspaces/default/root_ca_certificate login 10.0.0.11
One Time Code ( Get one at https://10.0.0.11:8443/passcode ):

When a user goes to the Web Address, the following error is observed:

Response has invalid status code urn:oasis:names:tc:SAML:2.0:status:Responder, status message is Unable to verify the signature

Cause

There was a regression in Ops Manager 1.7 and 1.8 which omits the SAML serviceProviderKey and serviceProviderCertificate keys from the director manifest. This causes UAA on the director to fall back to an expired SSL certificate, and SAML authentication fails if the identity provider performs SSL verification of the service provider's signature.

Resolution

This issue only impacts Ops Manager versions 1.7 and 1.8:

  • Fixed in Ops Manager 1.7.25 and higher
  • Fixed in Ops Manager 1.8.17 and higher

Later releases do not have this problem.

Workaround

  • Obtain the values of keys "serviceProviderKey" and "serviceProviderCertificate" from /home/tempest-web/uaa/config/login.yml on the Ops Manager host
  • SSH into the BOSH Director
  • Apply the key/values obtained from the Ops Manager UAA login.yml to the BOSH Director /var/vcap/jobs/uaa/config/login.yml file:
      login:
        serviceProviderKey: |
          -----BEGIN RSA PRIVATE KEY-----
          ...
          -----END RSA PRIVATE KEY-----
        
        serviceProviderCertificate: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
  • Restart UAA on the BOSH Director using:
    monit restart uaa 
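The workaround above is a copy-by-hand of two PEM block scalars between two login.yml files, and the easy mistakes are dropping a header or footer line or pasting the blocks at the wrong indentation. The following Python is an added example, not Pivotal's code or part of the KB article: it checks which of the two SAML keys the director's login.yml is missing, copies them from the Ops Manager file, verifies each copied blob is a complete PEM block, and inserts the result under the top-level `login:` mapping. The parser is a deliberately minimal one that understands only the `key: |` literal block form used for PEM data (it is not a general YAML parser), and both sample files and their PEM bodies are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Tuple

# The two keys the Ops Manager 1.7/1.8 regression drops from the director manifest.
SAML_KEYS: Tuple[str, str] = ("serviceProviderKey", "serviceProviderCertificate")

# PEM header/footer each copied blob must begin and end with.
PEM_MARKERS = {
    "serviceProviderKey": ("-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"),
    "serviceProviderCertificate": ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"),
}

# Constructed stand-in for /home/tempest-web/uaa/config/login.yml on Ops Manager.
# PEM bodies are placeholders, not real key material.
OPSMAN_LOGIN_YML = """\
login:
  url: https://opsman.example.test/uaa
  serviceProviderKey: |
    -----BEGIN RSA PRIVATE KEY-----
    PLACEHOLDER-KEY-LINE-1
    PLACEHOLDER-KEY-LINE-2
    -----END RSA PRIVATE KEY-----
  serviceProviderCertificate: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER-CERT-LINE-1
    -----END CERTIFICATE-----
  saml:
    entityID: opsman-uaa
"""

# Constructed stand-in for /var/vcap/jobs/uaa/config/login.yml on the director
# as the regression leaves it: login: mapping present, SAML keys absent.
DIRECTOR_LOGIN_YML = """\
login:
  url: https://10.0.0.11:8443
  saml:
    entityID: bosh-uaa
"""

BLOCK_HEADER = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z_]+):\s*\|\s*$")


def extract_block_scalars(text: str, keys: Iterable[str] = SAML_KEYS) -> Dict[str, str]:
    """Return {key: value} for `key: |` literal block scalars named in `keys`.

    Minimal parser for this example only: a block ends at the first non-blank
    line indented no deeper than its `key:` line.
    """
    wanted, lines, found = set(keys), text.splitlines(), {}
    i = 0
    while i < len(lines):
        m = BLOCK_HEADER.match(lines[i])
        if not m or m.group("key") not in wanted:
            i += 1
            continue
        parent_indent, block_indent, body = len(m.group("indent")), None, []
        i += 1
        while i < len(lines):
            line = lines[i]
            if line.strip() == "":
                body.append("")           # blank lines inside a block are kept
                i += 1
                continue
            cur = len(line) - len(line.lstrip(" "))
            if cur <= parent_indent:
                break                     # back at the parent mapping: block ends
            block_indent = cur if block_indent is None else block_indent
            body.append(line[block_indent:])
            i += 1
        while body and body[-1] == "":
            body.pop()                    # trailing blank lines are not content
        found[m.group("key")] = "\n".join(body) + "\n"
    return found


def render_block_scalars(values: Dict[str, str], indent: int = 2) -> str:
    """Render values as `key: |` blocks nested `indent` spaces under login:."""
    pad, out = " " * indent, []
    for key in (k for k in SAML_KEYS if k in values):
        out.append(f"{pad}{key}: |")
        out.extend(f"{pad}  {line}" for line in values[key].rstrip("\n").splitlines())
    return "\n".join(out) + "\n"


def missing_saml_keys(director_text: str) -> List[str]:
    """Keys the regression dropped: those not present in the director's login.yml."""
    present = extract_block_scalars(director_text)
    return [k for k in SAML_KEYS if k not in present]


def pem_markers_ok(values: Dict[str, str]) -> bool:
    """True only if every SAML blob is a whole PEM block with header and footer intact."""
    for key, (begin, end) in PEM_MARKERS.items():
        blob = values.get(key, "").strip().splitlines()
        if not blob or blob[0] != begin or blob[-1] != end:
            return False
    return True


def add_missing_saml_keys(director_text: str, opsman_values: Dict[str, str]) -> str:
    """Insert whichever SAML blocks the director lacks directly under `login:`."""
    if not pem_markers_ok(opsman_values):
        raise ValueError("Ops Manager login.yml does not yield two complete PEM blocks")
    to_add = {k: opsman_values[k] for k in missing_saml_keys(director_text)}
    if not to_add:
        return director_text              # nothing missing: leave the file untouched
    lines = director_text.splitlines(keepends=True)
    for idx, line in enumerate(lines):
        if line.rstrip("\n") == "login:":
            lines.insert(idx + 1, render_block_scalars(to_add))
            return "".join(lines)
    raise ValueError("no top-level login: mapping in director login.yml")
```

Run `add_missing_saml_keys` on the real files' contents, write the result back to `/var/vcap/jobs/uaa/config/login.yml`, and then `monit restart uaa` as the final step above. Because the function only inserts keys that are absent, running it on an already-patched file is a no-op, and the PEM marker check fails early if a header or footer line was lost when the source file was copied off the Ops Manager host.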
