Product: Pivotal Cloud Foundry (PCF)
Elastic Runtime: 1.6.15 and above
This issue is seen when upgrading from PCF 1.5.x or 1.6.x to PCF 1.6.15 and above, while using the Pivotal Single Sign-On service (SSO) for application single sign-on with a Security Assertion Markup Language (SAML) identity provider that is configured to validate the signature on incoming SAML authentication requests.
The issue occurs because, in PCF 1.6.15 and above, the default SAML service provider configuration was changed from signing outgoing SAML authentication requests to not signing them.
The identity provider can then no longer validate the signature on the (now unsigned) SAML authentication request, so signature validation fails and SSO fails with the error below.
There are two methods to resolve this issue:
Method 1 (Recommended):
In this method, signature validation of incoming SAML authentication requests is disabled on the SAML identity provider side, so that the identity provider accepts the unsigned requests UAA now sends.
Using Active Directory Federation Services (ADFS):
- Navigate to the "Signature" tab of the relying party entity in ADFS and delete the Signature Verification Certificate entry and save the changes.
Using CA SiteMinder:
- Navigate to Partnerships -> Partnership Name -> Edit -> Signature & Encryption, uncheck 'Require Signed Authentication Requests' and save the changes.
Method 2:
In this method, the SAML service provider configuration for the SSO service plan is changed directly in the UAA database so that outgoing SAML authentication requests are signed again, and the UAA instance(s) are restarted.
Step 1. SSH into the UAA database virtual machine (VM).
- For installations upgraded from version 1.5, the UAA database is Postgres. You can locate the SSH credentials under the Elastic Runtime tile in Ops Manager.
- For new installations based on PCF 1.6 Elastic Runtime, the UAA database runs on the MySQL Server VM. You can locate the SSH credentials under the Elastic Runtime tile in Ops Manager.
- Log on to the UAA database.
- Run the following:
select * from identity_zone where subdomain='<replace with sso service plan auth domain in the URL>';
- Copy the json value of the config column into a text editor.
- Change the requestSigned value to true.
- Update the identity zone table with the corrected json value:
UPDATE identity_zone SET config = '<replace with updated json config value>' where subdomain = '<replace with sso service plan auth domain in the URL>';
Step 2. Restart UAA.
- SSH into each UAA VM and run 'monit restart uaa'.
- Do not change and save the SSO service plan configuration from the SSO dashboard UI after this change. If you do, the database edit is overwritten and you will need to perform all the steps listed above again.
Note: This will be resolved in Elastic Runtime 1.7.
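The error-prone part of Method 2 is hand-editing the JSON from the config column and pasting it back into a quoted SQL string literal. The following Python script, added here as an illustration and not part of the original article or of the UAA/SSO product code, performs that edit and builds the UPDATE statement. The sample config value and the samlConfig nesting of the requestSigned key are constructed assumptions about what the column holds; the script walks the whole JSON document, so it works wherever the key actually sits and fails loudly if the key is not present.

```python
import json
from typing import Any, List

# Constructed sample of an identity_zone.config value (assumed shape; the
# real column may nest keys differently). The embedded PEM newlines become
# literal backslash-n sequences once serialised, which is exactly what
# makes naive quoting for MySQL go wrong.
SAMPLE_CONFIG = json.dumps({
    "samlConfig": {
        "requestSigned": False,
        "wantAssertionSigned": True,
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
    },
    "links": {"logout": {"redirectUrl": "/login"}},
})


def request_signed_values(config_json: str) -> List[Any]:
    """Collect every value stored under a 'requestSigned' key (for verification)."""
    found: List[Any] = []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            for key, child in node.items():
                if key == "requestSigned":
                    found.append(child)
                else:
                    walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(json.loads(config_json))
    return found


def set_request_signed(config_json: str, value: bool = True) -> str:
    """Return config_json with every 'requestSigned' key set to value.

    Raises ValueError when the key is absent so a bad copy of the column
    does not silently turn into an UPDATE that changes nothing.
    """
    doc = json.loads(config_json)
    hits = 0

    def walk(node: Any) -> None:
        nonlocal hits
        if isinstance(node, dict):
            for key, child in node.items():
                if key == "requestSigned":
                    node[key] = value  # replacing a value while iterating is safe
                    hits += 1
                else:
                    walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(doc)
    if hits == 0:
        raise ValueError("no requestSigned key found in identity_zone config")
    return json.dumps(doc, separators=(",", ":"))


def sql_literal(text: str, backslash_escapes: bool = False) -> str:
    """Quote text as a SQL single-quoted string literal.

    Doubling single quotes is sufficient for Postgres with
    standard_conforming_strings on. MySQL additionally treats backslash as
    an escape character unless sql_mode contains NO_BACKSLASH_ESCAPES, so
    pass backslash_escapes=True there to keep the JSON (and any PEM
    newlines inside it) intact.
    """
    escaped = text.replace("\\", "\\\\") if backslash_escapes else text
    escaped = escaped.replace("'", "''")
    return "'" + escaped + "'"


def build_update(config_json: str, subdomain: str, backslash_escapes: bool = False) -> str:
    """Build the UPDATE statement from Method 2 with requestSigned forced to true."""
    new_config = set_request_signed(config_json, True)
    return (
        "UPDATE identity_zone SET config = "
        + sql_literal(new_config, backslash_escapes)
        + " WHERE subdomain = "
        + sql_literal(subdomain, backslash_escapes)
        + ";"
    )


if __name__ == "__main__":
    # 'sso-auth' stands in for the SSO service plan auth domain from the URL.
    print(build_update(SAMPLE_CONFIG, "sso-auth", backslash_escapes=False))  # Postgres
    print(build_update(SAMPLE_CONFIG, "sso-auth", backslash_escapes=True))   # MySQL
```

Run it with the config column value pasted into SAMPLE_CONFIG (or read from a file) and the real auth domain in place of 'sso-auth', then paste the printed statement into the database client. Use the Postgres variant for installations upgraded from 1.5 and the MySQL variant for new 1.6 installations, per Step 1. After the UPDATE, re-run the SELECT from Step 1 and confirm that requestSigned is now true before restarting UAA; a client that supports parameter binding avoids the quoting question entirely and is preferable when available.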