
Avoid necessity to configure SAML SP in UAA

Open torsten-sap opened this issue 1 year ago • 6 comments

What version of UAA are you running?

76.30

How are you deploying the UAA?

  • using cf-deployment

What did you do?

Usage of UAA without the need of SAML.

What did you expect to see? What goal are you trying to achieve with the UAA?

No need to configure SAML SP (including private key + certificate etc.) in uaa.yml.

What did you see instead?

SAML SP configuration (private key + certificate etc.) is required in uaa.yml. Otherwise, UAA will not startup.

torsten-sap, Feb 21 '24 14:02

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187088205

The labels on this github issue will be updated when the story is started.

cf-gitbot, Feb 21 '24 14:02

Reproduce the issue:

  1. remove https://github.com/cloudfoundry/uaa/blob/develop/scripts/cargo/uaa.yml#L58-L99
  2. start uaa

Open /login

The IdentityZone should be usable even without SAML keys, but there is an exception:

...java.lang.NullPointerException: Cannot invoke "org.springframework.security.saml.key.KeyManager.getDefaultCredentialName()" because the return value of "org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder.getSamlSPKeyManager()" is null
    at org.cloudfoundry.identity.uaa.provider.saml.ZoneAwareKeyManager.getDefaultCredentialName(ZoneAwareKeyManager.java:41) ~[cloudfoundry-identity-server-0.0.0.jar:?]
    at org.springframework.security.saml.metadata.MetadataGenerator.getSigningKey(MetadataGenerator.java:802) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
    at org.springframework.security.saml.metadata.MetadataGenerator.buildSPSSODescriptor(MetadataGenerator.java:323) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]
    at org.cloudfoundry.identity.uaa.provider.saml.ZoneAwareMetadataGenerator.buildSPSSODescriptor(ZoneAwareMetadataGenerator.java:101) ~[cloudfoundry-identity-server-0.0.0.jar:?]
    at org.springframework.security.saml.metadata.MetadataGenerator.generateMetadata(MetadataGenerator.java:189) ~[spring-security-saml2-core-1.0.10.RELEASE.jar:1.0.10.RELEASE]

strehle, Feb 22 '24 17:02
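A pre-deployment check for the condition reproduced above, as an added example (not UAA project code): it inspects an already-parsed uaa.yml for SAML SP key material and reports the startup-breaking state before UAA is started, rather than discovering it from the NullPointerException. The config paths login.saml.serviceProviderKey, login.saml.serviceProviderCertificate, login.saml.keys and login.saml.activeKeyId are assumed from common uaa.yml layouts, not taken from the issue; the sample configs and PEM strings are constructed placeholders.

```python
# Added example, not UAA code. Input is uaa.yml already loaded into nested dicts
# (e.g. by a YAML loader); the login.saml.* paths below are assumptions.

def _get(cfg, dotted):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def saml_sp_key_problems(cfg):
    """Return a list of problems; an empty list means the SP key setup is complete."""
    problems = []
    legacy_key = _get(cfg, "login.saml.serviceProviderKey")
    legacy_cert = _get(cfg, "login.saml.serviceProviderCertificate")
    keys = _get(cfg, "login.saml.keys") or {}
    active = _get(cfg, "login.saml.activeKeyId")

    if bool(legacy_key) != bool(legacy_cert):
        problems.append("serviceProviderKey and serviceProviderCertificate must be set together")
    for key_id, entry in keys.items():
        for field in ("key", "certificate"):
            if not (isinstance(entry, dict) and entry.get(field)):
                problems.append(f"login.saml.keys.{key_id} is missing '{field}'")
    if keys and active not in keys:
        problems.append(f"activeKeyId {active!r} does not name an entry in login.saml.keys")

    complete_legacy = bool(legacy_key and legacy_cert)
    complete_keys = bool(keys) and active in keys
    # The issue's failure mode: no SP key material at all, so the zone's SAML
    # key manager is null and metadata generation throws at startup.
    if not complete_legacy and not complete_keys and not problems:
        problems.append("no SAML SP key/certificate configured: UAA 76.30 fails at startup "
                        "(NullPointerException from ZoneAwareKeyManager)")
    return problems

# Constructed sample: the reproduction above, uaa.yml with the SAML block removed.
CONFIG_WITHOUT_SAML = {"login": {"url": "https://login.example.test"}}
# Constructed sample with placeholder PEM text (not real key material).
CONFIG_WITH_KEYS = {"login": {"saml": {"activeKeyId": "key1", "keys": {"key1": {
    "key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
    "passphrase": "",
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"}}}}}
# Constructed sample: a key entry exists but activeKeyId points at a missing id.
CONFIG_BAD_ACTIVE = {"login": {"saml": {"activeKeyId": "key2",
    "keys": {"key1": {"key": "k", "certificate": "c"}}}}}

if __name__ == "__main__":
    for name, cfg in [("without-saml", CONFIG_WITHOUT_SAML), ("with-keys", CONFIG_WITH_KEYS),
                      ("bad-active", CONFIG_BAD_ACTIVE)]:
        print(name, saml_sp_key_problems(cfg) or "ok")
```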

We will plan to look into it to prioritize in next iteration planning session.

hsinn0, Feb 26 '24 23:02