[question] SAML IdPs added via API get deactivated on UAA restart

Hi, not sure if this is the right place, but I have a general question regarding custom IdPs that I’m adding through UAA’s identity-provider API. Each created IdP represents an IdP configuration (e.g. Okta) for a given tenant within an external system. I store each IdP with the active flag set to true. However, on UAA restart, it appears that any IdP’s active flag gets reverted to false.

This is what an example IdP record looks like in UAA:

  {
    "type": "saml",
    "config": {
      "emailDomain": null,
      "additionalConfiguration": null,
      "providerDescription": null,
      "externalGroupsWhitelist": [],
      "attributeMappings": {},
      "addShadowUserOnLogin": true,
      "storeCustomAttributes": false,
      "metaDataLocation": "metadata here",
      "idpEntityAlias": "ORIGIN-17",
      "zoneId": "uaa",
      "nameID": null,
      "assertionConsumerIndex": 0,
      "metadataTrustCheck": false,
      "showSamlLink": false,
      "linkText": "ORIGIN-17",
      "iconUrl": null,
      "groupMappingMode": "EXPLICITLY_MAPPED",
      "skipSslValidation": false,
      "socketFactoryClassName": null
    },
    "id": "3378be77-1f75-4c96-93b8-2cba7d1768fa",
    "originKey": "ORIGIN-17",
    "name": "SAML-c4693123",
    "version": 55,
    "created": 1505362860495,
    "last_modified": 1508300404832,
    "active": false,
    "identityZoneId": "uaa"
  }

From looking at the source code, the IdentityProviderBootstrap.deactivateUnusedProviders method sets the active status to false for all IdPs whose type is not uaa (in my case the type is saml) and which are not among the currently configured providers. “Configured providers” are loaded in via the BootstrapSamlIdentityProviderConfigurator, which looks into the login.yml. I have the entire provider section commented out in the login.yml, since I am adding IdPs via the API and don’t know which ones will exist in advance.

#BEGIN SAML PROVIDERS
#    providers:
#      okta-signed-or-encrypted:
#        idpMetadata: |
#          <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2
[...]

Is this the intended behavior? Do I need to change the “type” of my saml IdP record to “uaa” to avoid its active field getting set to false?

Cheers!
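A pre-restart audit for the behaviour described in the question, added here as an example (this is not UAA's own code): it applies the deactivation rule the post attributes to deactivateUnusedProviders to a snapshot of IdP records and diffs that against a post-restart snapshot, so an operator can confirm that the bootstrap, and not some other actor, flipped the flags. The two snapshots and their ids are constructed sample data in the shape of the record shown above.

```python
import json

# Constructed snapshot of the identity-provider API taken before a restart;
# record shape follows the issue's example, with unrelated fields trimmed.
BEFORE = json.loads("""[
  {"id": "id-uaa",  "type": "uaa",  "originKey": "uaa",                      "active": true},
  {"id": "id-17",   "type": "saml", "originKey": "ORIGIN-17",                "active": true},
  {"id": "id-okta", "type": "saml", "originKey": "okta-signed-or-encrypted", "active": true},
  {"id": "id-old",  "type": "saml", "originKey": "retired-idp",              "active": false}
]""")

# Constructed snapshot after a restart with the login.yml providers section
# commented out, i.e. no SAML providers configured at bootstrap time.
AFTER = json.loads("""[
  {"id": "id-uaa",  "type": "uaa",  "originKey": "uaa",                      "active": true},
  {"id": "id-17",   "type": "saml", "originKey": "ORIGIN-17",                "active": false},
  {"id": "id-okta", "type": "saml", "originKey": "okta-signed-or-encrypted", "active": false},
  {"id": "id-old",  "type": "saml", "originKey": "retired-idp",              "active": false}
]""")


def predicted_deactivations(idps, configured_origins):
    """Apply the rule the issue attributes to deactivateUnusedProviders:
    an active provider is switched off unless its type is 'uaa' or its
    originKey is one of the providers configured in login.yml."""
    return sorted(i["originKey"] for i in idps
                  if i["active"]
                  and i["type"] != "uaa"
                  and i["originKey"] not in configured_origins)


def observed_deactivations(before, after):
    """Diff two API snapshots and return the origins whose active flag
    flipped from true to false across the restart."""
    after_by_id = {i["id"]: i for i in after}
    return sorted(i["originKey"] for i in before
                  if i["active"] and not after_by_id.get(i["id"], i)["active"])


def bootstrap_explains_drift(before, after, configured_origins):
    """True when the observed flips are exactly what the bootstrap rule
    predicts for the given login.yml configuration."""
    return (predicted_deactivations(before, configured_origins)
            == observed_deactivations(before, after))
```

Running it with an empty configured set reproduces the reported behaviour; adding an origin to the configured set shows which records a login.yml entry would have protected.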

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
fhanik commented, Oct 19, 2017

@munic yes, there is cloudfoundry.slack.com, channel #uaa - you can request access here https://slack.cloudfoundry.org/

0 reactions
sreetummidi commented, Jan 25, 2018

being fixed in 4.9.0
