1. Messages
  2. Using SAML 2 Bearer token with our own UAA Server

Re: Using SAML 2 Bearer token with our own UAA Server #uaa

Shetty, Viraj S [CTR]
 

Still having issues. I tried several things and they all seem to fail. 

1. Per the documenatation, the URL should go to http://vyscu3.localhost:8080/uaa/oauth/token/alias/vyscu3.cloudfoundry-saml-login. For my environment, this should probably be 

http://<host>/uaa/oauth/token/alias/cloudfoundry-saml-login-dev 

How do I find if this URL is correct ? The receipient in the SAML Asserrtion is https://<host>/saml/SSO/alias/cloudfoundry-saml-login-dev. tried this as well. 

2. When i used with encrypted assertion below, i get the following exception 

<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData ......
 
    2019-12-10T16:51:10.13-0500 [APP/PROC/WEB/0] OUT java.lang.ClassCastException: class org.opensaml.saml2.core.impl.EncryptedAssertionImpl cannot be
 cast to class org.opensaml.saml2.core.Assertion (org.opensaml.saml2.core.impl.EncryptedAssertionImpl and org.opensaml.saml2.core.Assertion are in unna
 med module of loader org.apache.catalina.loader.ParallelWebappClassLoader @3ed242a4)
    2019-12-10T16:51:10.13-0500 [APP/PROC/WEB/0] OUT     at org.cloudfoundry.identity.uaa.authentication.SamlAssertionDecoder.doDecode(SamlAssertionDec
 oder.java:97) ~[cloudfoundry-identity-server-74.5.0.jar:?]
    2019-12-10T16:51:10.13-0500 [APP/PROC/WEB/0] OUT     at org.opensaml.ws.message.decoder.BaseMessageDecoder.decode(BaseMessageDecoder.java:79) ~[ope
nws-1.5.6.jar:?]
 
 
 3. then i tried unencrypted assertion, which gave me another exception 
 
 
 2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT Caused by: org.opensaml.common.SAMLException: Assertion invalidated by subject confirmation - can'
t be confirmed by the bearer method
   2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifySubject(WebSSOProf
ileConsumerImpl.java:400)
   2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOPr
ofileConsumerImpl.java:296)
   2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT     at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationRes
ponse(WebSSOProfileConsumerImpl.java:214)

UAA does not seem to like the subject. Looking at the subject confirmation tag, there is attribute 'method' which is 'urn:oasis:names:tc:SAML:2.0:cm:bearer'

Any ideas ? IS there any expanation other than the UAA Api ? 
Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.