Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[question] SAML IdPs added via API get deactivated on UAA restart

See original GitHub issue

Hi, not sure if this is the right place, but I have a general question regarding custom IdPs that I’m adding through UAA’s identity-provider API. Each created IdP represents an IdP configuration (e.g. Okta) for a given tenant within an external system. I store each IdP with the active flag set to true. However on UAA restart, it appears that any IdP’s active flag gets reverted back to false.

This is what an example IdP record looks like in UAA:

    "type": "saml",
    "config": {
      "emailDomain": null,
      "additionalConfiguration": null,
      "providerDescription": null,
      "externalGroupsWhitelist": [],
      "attributeMappings": {},
      "addShadowUserOnLogin": true,
      "storeCustomAttributes": false,
      "metaDataLocation": "metadata here",
      "idpEntityAlias": "ORIGIN-17",
      "zoneId": "uaa",
      "nameID": null,
      "assertionConsumerIndex": 0,
      "metadataTrustCheck": false,
      "showSamlLink": false,
      "linkText": "ORIGIN-17",
      "iconUrl": null,
      "groupMappingMode": "EXPLICITLY_MAPPED",
      "skipSslValidation": false,
      "socketFactoryClassName": null
    "id": "3378be77-1f75-4c96-93b8-2cba7d1768fa",
    "originKey": "ORIGIN-17",
    "name": "SAML-c4693123",
    "version": 55,
    "created": 1505362860495,
    "last_modified": 1508300404832,
    "active": false,
    "identityZoneId": "uaa"

From looking at the source code the IdentityProviderBootstrap.deactivateUnusedProviders method sets active status to false for all IdP if their type is not uaa (in my case type is saml) and if they are not among current configured providers. “Configured providers” are loaded in via the BootstrapSamlIdentityProviderConfigurator, which looks into the login.yml. I have the entire provider section commented out in the login.yml, since I am adding IdPs via the API and don’t know which ones will exist in advance.

#    providers:
#      okta-signed-or-encrypted:
#        idpMetadata: |
#          <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2

Is this the intended behavior? Do I need to change the “type” of my saml IdP record to “uaa” to avoid its active field to get set to false?


Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:5 (3 by maintainers)

github_iconTop GitHub Comments

fhanikcommented, Oct 19, 2017

@munic yes, there is, channel #uaa - you can request access here

sreetummidicommented, Jan 25, 2018

being fixed in 4.9.0

Read more comments on GitHub >

github_iconTop Results From Across the Web

uaa/UAA-APIs.rst at develop · cloudfoundry/uaa - GitHub
The UAA supports two additional types of identity providers, SAML and LDAP, and these providers can be created for a given zone. Adding...
Read more >
Overview – UAA API Reference - Cloud Foundry Documentation
is an OAuth2 / OpenID Connect (OIDC) server that can be used for centralized identity management. owns the user accounts and authentication sources...
Read more >
Guide for User Authentication and Authorization in SAP Cloud ...
INTRODUCTION User account and authentication(UAA) is the process by which an application identifies a user, verifies his/her identity and ...
Read more >
Proficy Authentication 2022 - User Guide - General Electric
Shared Proficy Authentication (UAA) means that if you have a Proficy product installed that uses Proficy. Authentication, additional Proficy products installed ...
Read more >
Managing Service Plan Configurations - VMware Docs
Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN using your UAA admin credentials. You can find these credentials in ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found