Pivotal Cloud Foundry (PCF) all versions
Single Sign-On (SSO) for PCF (service instance binding to user app)
Binding an app instance whose route contains an underscore to an SSO service instance returns an error.
Note: the 'test_app' instance in the output below has a route such as 'test_app.myappdomain.com'
Binding service sample-instance to app test_app in org test / space test as admin... FAILED Server error, status code: 502, error code: 10001, message:
Service broker error: Client registration with UAA failed
This is a bug.
When the SSO service broker registers the bound app as an OAuth client, the UAA component validates the client's redirect URIs. This validation does not allow underscore characters in the sub-domain portion of the hostname, so the client registration fails and the binding returns the error message above.
While the official RFC standards do not allow "_" in domain names, they do allow "_" in sub-domains.
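To make the failure mode concrete, the following is an added illustration (not code from UAA or from Pivotal) of the two validation behaviours described above: a strict per-label check that rejects any underscore, which reproduces the binding failure for a route like test_app.myappdomain.com, and a relaxed check that tolerates underscores only in sub-domain labels while keeping the registrable domain strict. The regexes, function names and sample URIs are assumptions constructed for this example; they are not UAA's own implementation. The last helper shows the workaround route shape (underscore replaced by a hyphen) passing even the strict check.

```python
import re
from urllib.parse import urlsplit

# Hypothetical label rules (constructed for this example, not UAA's real code).
# Strict: RFC 1035-style hostname label, letters/digits/hyphen, no underscore.
LABEL_STRICT = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Relaxed: additionally permits '_' inside a label, used for sub-domain labels only.
LABEL_RELAXED = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def _host_labels(uri):
    """Return the hostname labels of an http(s) URI, or None if it is not a usable redirect URI."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.split(".")


def strict_redirect_uri_ok(uri):
    """Behaviour that reproduces the bug: every label must satisfy the strict rule."""
    labels = _host_labels(uri)
    if labels is None:
        return False
    return all(LABEL_STRICT.match(label) for label in labels)


def relaxed_redirect_uri_ok(uri):
    """Behaviour described as the fix: '_' tolerated in sub-domain labels,
    while the registrable domain (assumed here to be the last two labels) stays strict."""
    labels = _host_labels(uri)
    if labels is None or len(labels) < 2:
        return False
    subdomain_labels, base_labels = labels[:-2], labels[-2:]
    return (all(LABEL_STRICT.match(label) for label in base_labels)
            and all(LABEL_RELAXED.match(label) for label in subdomain_labels))


def register_client(redirect_uri, validator):
    """Simulate the broker's registration step: return an error string on failure, None on success."""
    if not validator(redirect_uri):
        return "Client registration with UAA failed"  # same message the binding surfaces
    return None


def workaround_hostname(app_name):
    """Derive an alternate hostname without underscores for the 'map a route' workaround."""
    return app_name.replace("_", "-")


if __name__ == "__main__":
    uri = "https://test_app.myappdomain.com/callback"  # constructed sample route
    print("strict :", register_client(uri, strict_redirect_uri_ok))
    print("relaxed:", register_client(uri, relaxed_redirect_uri_ok))
    alt = "https://%s.myappdomain.com/callback" % workaround_hostname("test_app")
    print("workaround:", alt, register_client(alt, strict_redirect_uri_ok))
```

The relaxed check still rejects an underscore in the registrable domain itself and still requires an http(s) scheme, so loosening one label rule does not weaken the rest of the redirect URI validation that protects the OAuth flow.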
The bug is fixed in UAA Release v4.9.0; please see the release notes linked below.
The following steps can be completed as a workaround for the problem:
- Add an alternate route for the app under the "Map a route" section in Apps Manager or via the CLI, making sure the new hostname contains no underscore.
- Refer to https://docs.pivotal.io/p-identity/1-5/configure-apps/index.html#properties on how to pass an explicit value for SSO_REDIRECT_URIS and set it to the new route mapped above, without the "_". This involves specifying the new route explicitly in the application's "manifest.yml" file, which is then made available for binding/rebinding to service instances through an environment variable, for example:
    env:
      SSO_REDIRECT_URIS: https://my-domain-here.domain.org
Refer to Release Notes for UAA v4.9.0