Re: [EXTERNAL MESSAGE] Re: [cf-dev] Using SAML 2 Bearer token with our own UAA Server #uaa

Shetty, Viraj S [CTR]

Thanks. I dug into this a little deeper. During the SAML verification, confirmed is never TRUE, and that’s why it gives the following error:

```
2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT Caused by: org.opensaml.common.SAMLException: Assertion invalidated by subject confirmation - can't be confirmed by the bearer method
```


```java
// Local (SP) role metadata of the UAA instance: the SPSSODescriptor with its AssertionConsumerService entries
SPSSODescriptor spssoDescriptor = (SPSSODescriptor) context.getLocalEntityRoleMetadata();

for (AssertionConsumerService service : spssoDescriptor.getAssertionConsumerServices()) {
    // confirmed only if the binding the message arrived over matches the ACS Binding
    // AND the ACS Location matches the Recipient in SubjectConfirmationData
    if (context.getCommunicationProfileId().equals(service.getBinding()) && service.getLocation().equals(data.getRecipient())) {
        confirmed = true;
    }
}
```




Here are the consumer assertion services defined in my UAA metadata.

```
                  index="0" isDefault="true" />
                  index="1" />
```


The SAML Assertion that comes in has the following:

```xml
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">HIDDEN</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo=""
        Recipient="https:///saml/SSO/alias/cloudfoundry-saml-login-dev" />
</SubjectConfirmation>
```





See that the Recipient matches https:///saml/SSO/alias/cloudfoundry-saml-login-dev, but I think the Binding does not match (in the code I am not sure what the binding is matched against. Is it Method?).


Do I have to change my uaa.yml to somehow add a new Assertion Consumer Service?


Viraj Shetty
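As an added illustration of the check quoted above (this is not UAA or Spring Security SAML code, and the hosts, bindings and timestamps are constructed placeholders), the following Python models the bearer subject-confirmation loop: it parses SP metadata with two hypothetical AssertionConsumerService entries, parses a constructed Subject, and confirms the subject only when the binding the assertion arrived over (`communication_profile`, standing in for `getCommunicationProfileId()`) equals an ACS `Binding` and that ACS `Location` equals the `Recipient`. It also applies the SAML 2.0 bearer rules that `Recipient` and `NotOnOrAfter` must be present and `NotBefore` must be absent.

```python
"""Reduced model of bearer subject confirmation (added example, not UAA code).
All URLs, bindings and times are constructed placeholders."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
URI_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:URI"

# Constructed SP metadata with two AssertionConsumerService entries, mirroring an
# index="0" / index="1" pair; sp.example.test is a placeholder host.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="cloudfoundry-saml-login-dev">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://sp.example.test/saml/SSO/alias/cloudfoundry-saml-login-dev"
        index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="{URI_BINDING}"
        Location="https://sp.example.test/oauth/token/alias/cloudfoundry-saml-login-dev"
        index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def make_subject(recipient, not_on_or_after="2099-01-01T00:00:00Z", method=BEARER):
    """Build a constructed <saml:Subject> carrying one SubjectConfirmation."""
    return f"""<saml:Subject xmlns:saml="{NS['saml']}">
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
  <saml:SubjectConfirmation Method="{method}">
    <saml:SubjectConfirmationData InResponseTo="" Recipient="{recipient}"
        NotOnOrAfter="{not_on_or_after}"/>
  </saml:SubjectConfirmation>
</saml:Subject>"""


def acs_entries(metadata_xml):
    """Return [(Binding, Location), ...] for every AssertionConsumerService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.findall(".//md:AssertionConsumerService", NS)]


def confirm_bearer_subject(subject_xml, metadata_xml, communication_profile, now=None):
    """Return (confirmed, reason).

    `communication_profile` is the binding over which the assertion actually arrived;
    it is compared with the ACS Binding attribute. The SubjectConfirmation Method only
    selects which confirmations are bearer confirmations; it is never compared to Binding.
    """
    now = now or datetime.now(timezone.utc)
    services = acs_entries(metadata_xml)
    root = ET.fromstring(subject_xml)
    reason = "no bearer SubjectConfirmation present"
    for sc in root.findall("saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # holder-of-key / sender-vouches are out of scope for the bearer check
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or not data.get("Recipient") or not data.get("NotOnOrAfter"):
            reason = "bearer confirmation needs Recipient and NotOnOrAfter"
            continue
        if data.get("NotBefore") is not None:
            reason = "bearer confirmation must not carry NotBefore"
            continue
        expiry = datetime.fromisoformat(data.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now >= expiry:
            reason = "bearer confirmation expired"
            continue
        # Same condition as the quoted Java loop: binding AND location must both match.
        for binding, location in services:
            if binding == communication_profile and location == data.get("Recipient"):
                return True, f"matched ACS binding={binding} location={location}"
        reason = (f"Recipient {data.get('Recipient')} matched no AssertionConsumerService "
                  f"with binding {communication_profile}; candidates: {services}")
    return False, reason


if __name__ == "__main__":
    sso = "https://sp.example.test/saml/SSO/alias/cloudfoundry-saml-login-dev"
    print(confirm_bearer_subject(make_subject(sso), SP_METADATA, HTTP_POST))
    print(confirm_bearer_subject(make_subject(sso), SP_METADATA, URI_BINDING))
```

Running the two calls at the bottom shows the failure mode in the thread: the same Recipient is confirmed when the assertion arrives over the binding registered for that Location, and rejected with the list of candidate ACS entries when it arrives over a different one, even though the Recipient string matches one of the locations.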



From: cf-dev@... <cf-dev@...> On Behalf Of Filip Hanik
Sent: Tuesday, December 10, 2019 6:49 PM
To: CF Developers Mailing List <cf-dev@...>
Subject: [EXTERNAL MESSAGE] Re: [cf-dev] Using SAML 2 Bearer token with our own UAA Server #uaa


1. Take a look at the endpoint `/saml/metadata` on your server. For example


In the metadata, take a look at: urn:oasis:names:tc:SAML:2.0:bindings:URI binding, for the exact location to POST your Assertion" index="1"/>


2. You can have the NameID encrypted, not the assertion itself.






3. A fully working example you can run in your Debugger can be viewed here (no server required)






On Tue, Dec 10, 2019 at 2:07 PM vshetty via Lists.Cloudfoundry.Org <> wrote:

Still having issues. I tried several things and they all seem to fail. 

1. Per the documentation, the URL should go to http://vyscu3.localhost:8080/uaa/oauth/token/alias/vyscu3.cloudfoundry-saml-login. For my environment, this should probably be


How do I find out if this URL is correct? The Recipient in the SAML Assertion is https:///saml/SSO/alias/cloudfoundry-saml-login-dev. I tried this as well.

2. When I used the encrypted assertion below, I get the following exception:



```
2019-12-10T16:51:10.13-0500 [APP/PROC/WEB/0] OUT java.lang.ClassCastException: class org.opensaml.saml2.core.impl.EncryptedAssertionImpl cannot be cast to class org.opensaml.saml2.core.Assertion (org.opensaml.saml2.core.impl.EncryptedAssertionImpl and org.opensaml.saml2.core.Assertion are in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @3ed242a4)
2019-12-10T16:51:10.13-0500 [APP/PROC/WEB/0] OUT     at org.cloudfoundry.identity.uaa.authentication.SamlAssertionDecoder.doDecode(SamlAssertionDec ~[cloudfoundry-identity-server-74.5.0.jar:?]
2019-12-10T16:51:10.13-0500 [APP/PROC/WEB/0] OUT     at ~[ope
```




3. Then I tried an unencrypted assertion, which gave me another exception:



```
2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT Caused by: org.opensaml.common.SAMLException: Assertion invalidated by subject confirmation - can't be confirmed by the bearer method
2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT     at
2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT     at
2019-12-10T16:45:24.58-0500 [APP/PROC/WEB/1] OUT     at
```


UAA does not seem to like the subject. Looking at the SubjectConfirmation tag, there is an attribute 'Method' which is 'urn:oasis:names:tc:SAML:2.0:cm:bearer'.

Any ideas? Is there any explanation other than the UAA API?

