SAML certificate issue new with v78.11.0

[cweibel]

While performing an upgrade to v78.11.0 from v78.10.0 we started to get this error in the logs:

[2026-04-13T18:56:25.949511Z] uaa/ - 10 [main] - [,] .... ERROR --- SpringApplication: Application run failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'identityZoneConfigurationBootstrap' defined in class path resource [org/cloudfoundry/identity/uaa/SpringServletXmlBeansConfiguration.class]: The zone configuration is invalid. You cannot set issuer value unless you have set your own signing key for this identity zone.

Our manifest roughly looks like:

...
  - name: uaa
    properties:
      bpm:
        enabled: true
      login:
        saml:
          activeKeyId: key-1
          entity_base_url: redacted
          keys:
            key-1:
              certificate: ((uaa_login_saml-key-1.certificate))
              key: ((uaa_login_saml-key-1.private_key))
              passphrase: ""
...

Which matches the underlying spec that hasn't changed in a decade

On a hunch I created a dev release based on v78.11.0 and removed the changes introduced with https://github.com/cloudfoundry/uaa/pull/3823/changes, deploying that results in a successful deploy.

To support the new issuer string, is there a new spec value that needs to be set?

[strehle]

Hi,
I transfered the issue to UAA
from uaa-release (which is the repo for Bosh)

The change https://github.com/cloudfoundry/uaa/pull/3823/changes was a fix for issuer.uri
Can you let us know, what you have set ?

FYI: @duanemay @fhanik

[strehle]

I now understand the issue, so you only have one key.
The SAML legacy structure was misleading at the begin, because the error is not SAML related.

We have for SAML legacy a test in our pipeline but we expect that UAA has only one key defined.

So if I remove this from our test yaml.
https://github.com/cloudfoundry/uaa/blob/develop/scripts/saml/saml-legacy-uaa.yml#L65-L105
, then start UAA, then I see

Caused by: org.cloudfoundry.identity.uaa.zone.InvalidIdentityZoneConfigurationException: You cannot set issuer value unless you have set your own signing key for this identity zone.

@cweibel You managed it to build a new UAA without a special PR, so you should be able to change your uaa.yaml so that you have a structure like

https://github.com/cloudfoundry/uaa/blob/develop/scripts/saml/saml-legacy-uaa.yml#L65-L105 . In worst case with a copy from the serviceProviderKey section

because I am not sure if should fix it, will try...

[cweibel]

I cut a dev release and rolled it with the changes in https://github.com/cloudfoundry/uaa/pull/3837/changes#diff-7c7bf7b1db8b258e7f969d13ebe3da984957bb12eab15fa10550b43208335826R65 over 78.11.0, my UAA is happy.

Took a look at my rendered /var/vcap/jobs/uaa/config/uaa.yml and I only have a single key there:

jwt:
  token:
    queryString:
      enabled: true
    revocable: false
    policy:
      accessTokenValiditySeconds: redacted
      refreshTokenValiditySeconds: redacted
      global:
        accessTokenValiditySeconds: redacted
        refreshTokenValiditySeconds: redacted
    signing-key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
    verification-key: |
      -----BEGIN PUBLIC KEY-----
      ...
    refresh:
      restrict_grant: false
      unique: false
      rotate: false
      format: jwt

Think I originally has the wrong chunk in play for the manifest stub

[strehle]

ok, then I think we update our
https://github.com/cloudfoundry/uaa/blob/develop/scripts/saml/saml-legacy-uaa.yml
So that we have a regression test for this struct. This would not be visible in IT testing, but would see it in https://oidc10.uaa-acceptance.cf-app.com

[duanemay]

Fixed in 78.12.0