Using SAML 2 Bearer token with our own UAA Server #uaa


Shetty, Viraj S [CTR]
 

I am trying to prototype a situation where a user is already authenticated to an On-prem application using ADFS using SAML. Now, this application needs to call a web service deployed on cloud.gov (Cloud foundry). We also have our own instance of UAA running in cloud.gov which is used for authorization. IF the user has already been authenticated with the on-prem application, then it should be possible to exchange the SAML token with an OAuth Bearer token with the UAA Server installed on cloud.gov. So, as a prototype I obtained the SAML token for a user and tried to exchange with  OAuth Bearer token by calling the UAA on cloud.gov as specified in 

https://docs.cloudfoundry.org/api/uaa/version/74.4.0/index.html#saml2-bearer-grant

However, I keep getting an error no matter what. I even decrypted the SAML token and then sent the Base64 URI but still no luck. The error I am getting is the following

Anyone has any ideas why this might be happening ? 

10:44:22.088: [APP/PROC/WEB.0] [2019-12-10 15:44:22.086] uaa - 7 [http-nio-8080-exec-2] .... ERROR --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Uncaught Exception:
10:44:22.088: [APP/PROC/WEB.0] java.lang.ClassCastException: class org.opensaml.saml2.core.impl.ResponseImpl cannot be cast to class org.opensaml.saml2.core.Assertion (org.opensaml.saml2.core.impl.ResponseImpl and org.opensaml.saml2.core.Assertion are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @3ed242a4)
10:44:22.088: [APP/PROC/WEB.0] at org.cloudfoundry.identity.uaa.authentication.SamlAssertionDecoder.doDecode(SamlAssertionDecoder.java:97) ~[cloudfoundry-identity-server-74.5.0.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) ~[openws-1.5.6.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder.decode(BaseSAML2MessageDecoder.java:70) ~[opensaml-2.6.6.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:105) ~[spring-security-saml2-core-1.0.9.RELEASE.jar:1.0.9.RELEASE]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.security.saml.processor.SAMLProcessorImpl.retrieveMessage(SAMLProcessorImpl.java:172) ~[spring-security-saml2-core-1.0.9.RELEASE.jar:1.0.9.RELEASE]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.security.saml.SAMLProcessingFilter.attemptAuthentication(SAMLProcessingFilter.java:85) ~[spring-security-saml2-core-1.0.9.RELEASE.jar:1.0.9.RELEASE]
10:44:22.088: [APP/PROC/WEB.0] at org.cloudfoundry.identity.uaa.authentication.BackwardsCompatibleTokenEndpointAuthenticationFilter.attemptTokenAuthentication(BackwardsCompatibleTokenEndpointAuthenticationFilter.java:218) ~[cloudfoundry-identity-server-74.5.0.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.cloudfoundry.identity.uaa.authentication.BackwardsCompatibleTokenEndpointAuthenticationFilter.doFilter(BackwardsCompatibleTokenEndpointAuthenticationFilter.java:114) ~[cloudfoundry-identity-server-74.5.0.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
10:44:22.088: [APP/PROC/WEB.0] at org.cloudfoundry.identity.uaa.authentication.ClientBasicAuthenticationFilter.doFilterInternal(ClientBasicAuthenticationFilter.java:142) ~[cloudfoundry-identity-server-74.5.0.jar:?]
10:44:22.088: [APP/PROC/WEB.0] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.1.10.RELEASE.jar:5.1.10.RELEASE]
 

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.