Re: Using SAML 2 Bearer token with our own UAA Server #uaa

Shetty, Viraj S [CTR]

Still having issues. I tried several things and they all seem to fail. 

1. Per the documenatation, the URL should go to http://vyscu3.localhost:8080/uaa/oauth/token/alias/vyscu3.cloudfoundry-saml-login. For my environment, this should probably be 


How do I find if this URL is correct ? The receipient in the SAML Asserrtion is https://<host>/saml/SSO/alias/cloudfoundry-saml-login-dev. tried this as well. 

2. When i used with encrypted assertion below, i get the following exception 

<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData ......
    2019-12-10T16:51:10.13-0500 [APP/PROC/WEB/0] OUT java.lang.ClassCastException: class org.opensaml.saml2.core.impl.EncryptedAssertionImpl cannot be
 cast to class org.opensaml.saml2.core.Assertion (org.opensaml.saml2.core.impl.EncryptedAssertionImpl and org.opensaml.saml2.core.Assertion are in unna
 med module of loader org.apache.catalina.loader.ParallelWebappClassLoader @3ed242a4)
    2019-12-10T16:51:10.13-0500 [APP/PROC/WEB/0] OUT     at org.cloudfoundry.identity.uaa.authentication.SamlAssertionDecoder.doDecode(SamlAssertionDec ~[cloudfoundry-identity-server-74.5.0.jar:?]
    2019-12-10T16:51:10.13-0500 [APP/PROC/WEB/0] OUT     at ~[ope
 3. then i tried unencrypted assertion, which gave me another exception 
 2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT Caused by: org.opensaml.common.SAMLException: Assertion invalidated by subject confirmation - can'
t be confirmed by the bearer method
   2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT     at
   2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT     at
   2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT     at

UAA does not seem to like the subject. Looking at the subject confirmation tag, there is attribute 'method' which is 'urn:oasis:names:tc:SAML:2.0:cm:bearer'

Any ideas ? IS there any expanation other than the UAA Api ? 

Join to automatically receive all group messages.