Add acr value into User Authentication #3127

Merged: 1 commit merged into new-saml-0530 from new-saml-0530-acr-values on Nov 12, 2024

Conversation

@strehle strehle requested a review from duanemay November 12, 2024 14:24

@duanemay duanemay left a comment


Thank You!

@strehle strehle merged commit 115fff6 into new-saml-0530 Nov 12, 2024
24 checks passed
@strehle strehle deleted the new-saml-0530-acr-values branch November 12, 2024 15:58
strehle added a commit that referenced this pull request Nov 26, 2024
* remove: SAML extension library dependency

Co-authored-by: Peter Chen <[email protected]>
Co-authored-by: Bruce Ricard <[email protected]>
Co-authored-by: Danny Faught <[email protected]>

* Ignore non-functioning SAML tests

* Instead of calling fail(). We have a suspicion that there is a bug in
  the way the tests are running (most of them are somehow not running
  with "./gradlew test"), and we have a theory that a combination of mixing
  junit4 imports and the junit5 fail() might be contributing.
* I was careful to use @Ignore for tests importing the junit4 @Test, and
  @Disabled for tests using the junit5 @Test.
* These annotations were added, with the idea that you can search for
  '@Ignore("SAML' and '@Disabled("SAML' to find the tests that need
  attention before we finish the SAML library conversion.
@Ignore("SAML test fails")
@Ignore("SAML test doesn't compile")
@Ignore("SAML test setup doesn't compile")
@Disabled("SAML test fails")
@Disabled("SAML test doesn't compile")
* A few tests are set to ignore because they're failing for the right
  reasons, but more work is needed to finish that and get back to green.
  The goal is to start tracking these annotations instead of failing
  tests, so we can stay green.
* Tests now running:
    server module: 3,435 (in IntelliJ) (98 total ignored)
    uaa module: 67 (command line run of "./gradlew test" for all tests
    - still needs troubleshooting)

Co-authored-by: Danny Faught <[email protected]>

* update @Ignore - test now compiles

Co-authored-by: Hongchol Sinn <[email protected]>

* feat: switch to new Spring Security SAML library

* Removed commented-out references to the outdated SAML extension library

Co-authored-by: Duane May <[email protected]>

* feat: Supply metadata through /saml/metadata

- Adds back endpoint and incorporates forwarding for new pattern saml2 endpoints. Still has some wip elements:
  - WithHttpsNotRequired > samlMetadataReturnsOk still red
  - RelyingPartyRegistration is hardcoded in xml
  - /saml/metadata/ with trailing slash not working
  - missing parity with develop

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* fix: handle case when Servlet Path is null and ensures test WithHttpsNotRequired -> samlMetadataReturnsOk is green

- fixed one test but still WithHttpsRequired > samlMetadataReturnsOk is red after fixing this test:
```
HealthzShouldNotBeProtectedMockMvcTests > WithHttpsRequired > samlMetadataRedirects() FAILED
    java.lang.AssertionError: Range for response status value 200 expected:<REDIRECTION> but was:<SUCCESSFUL>
```

[#186986697]

Co-authored-by: Duane May <[email protected]>

* feat: reliably serve SAML SP metadata

- With the new SAML lib, SAML SP metadata generation relies on a relyingPartyRegistration,
which requires valid SAML IDP
metadata. In the context of UAA external SAML IDP login, UAA does not know what the SAML IDP
metadata is until the operator adds it via the /identity-providers endpoint. Also, some SAML
IDPs might require you to supply the SAML SP metadata first before you can obtain the
SAML IDP metadata. See relevant issue: https://github.com/spring-projects/spring-security/issues/11369
- Previously, to solve this problem, the SAML SP metadata generation relied
on relyingPartyRegistration values in saml-providers.xml, which
hardcodes a SAML IDP metadata URL (pointing to some example Okta SAML instance);
this means that UAA's SP metadata generation relied on the
example Okta SAML instance being up.
- This commit, instead, supplies hardcoded dummy SAML IDP metadata here to unblock the SAML
SP metadata generation, at the advice of the Spring Security team, so that UAA's functioning
does not rely on some external running Okta instance.
- code reference: https://github.com/spring-projects/spring-security-samples/blob/1b28351693d60f01a511cbcc18b64590452a3851/servlet/java-configuration/saml2/login/src/main/java/example/SecurityConfiguration.java#L62

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* Ignore failing SAML test

- A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
- This test is failing as early as
  e7beec7a5aa53fa761ca1d752d647f930ebcc6b7 due to the removal of SAML
  code, as this test is related to the SAML feature

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* disable docs test that shouldn't be running

* Has to be commented out of the erb file even when the test method used @Disabled.

Co-authored-by: Peter Chen <[email protected]>

* Ignore failing SAML test

- A continuation of https://github.com/cloudfoundry/uaa/commit/65d1f0f8d2ad538c5670277ae15e9964cfc16af1
- This is a test recently added to develop branch, so
ignoring this here because the SAML feature is still being
built.

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* refactor: shorten the dummy IDP metadata

- to reflect the fact that this IDP metadata just needs
to exist in its bare minimal form, where the specific fields
in it do not affect the SP metadata generation

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* fix: "invalid XML" error in tests

- previously some tests error with:
```
net.shibboleth.utilities.java.support.xml.XMLParserException: Unable to parse inputstream, it contained invalid XML
```
- this issue is fixed once we switch to loading
the idp saml metadata via a file (instead of an InputStream)

[186822654]

Co-authored-by: Danny Faught <[email protected]>

* wip: configure some metadata params

Co-authored-by: Danny Faught <[email protected]>

* disable failing test

* We're reprioritizing the test to get this test to pass.

Co-authored-by: Bruce Ricard <[email protected]>

* WIP

Co-authored-by: Duane May <[email protected]>

* wip

Co-authored-by: Duane May <[email protected]>

* wip: ensuring the endpoint for metadata works both in forward and direct request

- Tests are failing but they are behaving as expected with curl and browser for /saml/metadata, /saml/metadata/example and /saml/metadata/example/

- /saml/metadata/ is not returning xml

- The dispatcher ordering along with position in the filter-mapping must be set properly.

[#186986697]

Co-authored-by: Bruce Ricard <[email protected]>

* add metadata redirect test

Co-authored-by: Duane May <[email protected]>

* wip: ensuring the saml metadata endpoint for metadata works in Mock MVC Tests

- /saml/metadata/ is not returning xml

[#186986697]

Co-authored-by: Filip Hanik <[email protected]>

* wip: entityID assertion works in testSamlMetadataDefault

Co-authored-by: Alicia Yingling <[email protected]>
Co-authored-by: Duane May <[email protected]>

* feat: entity_id assertion passes

Co-authored-by: Alicia Yingling <[email protected]>
Co-authored-by: Duane May <[email protected]>

* wip: use working metadata path temporarily

* Must be changed back to /saml/metadata later, removing "example".

Co-authored-by: Alicia Yingling <[email protected]>
Co-authored-by: Duane May <[email protected]>

* wip: xml refactor

Co-authored-by: Alicia Yingling <[email protected]>
Co-authored-by: Duane May <[email protected]>

* wip: updating to non forwarding for /saml/metadata to the example default

- Updated to use direct GetMapping

[#186986697]

Co-authored-by: Filip Hanik <[email protected]>

* wip: Ensuring the WantsAssertionSigned and AuthnRequestsSigned are populated in SPSSODescriptor

- Building out EntityDescriptor in the RelyingPartyRegistration which contains the SPSSODescriptor picked up by the resolve method

[#186986697]

Co-authored-by: Duane May <[email protected]>

* wip: Adding in signature elements for SAML metadata.xml endpoint payload

- Need to fix credential type being empty:
```
Caused by: java.lang.IllegalArgumentException: credentials types cannot be empty
....(SamlRelyingPartyRegistrationRepository.java:84)
```
[#186986697]

Co-authored-by: Duane May <[email protected]>

* wip: Adding in signature elements for SAML metadata.xml endpoint payload

- Signature is not positioned correctly. It should be a child of EntityDescriptor, but the signingX509Credential.signing call positions it in SPSSODescriptor

[#186986697]

Co-authored-by: Duane May <[email protected]>

* feat: populate SAML SP metadata fields: entityID, NameIDFormat, AuthnRequestsSigned

- correctly reads off UAA configs to populate these fields, instead
of using hardcoded values
- refactor to directly reading `login.saml.NameID` config (a more modern approach) instead
of constructing a bean in xml (a more legacy approach)
- side note: update the UAA config used in mock mvc tests (/uaa/src/test/resources/integration_test_properties.yml)
to use a non-default option of `login.saml.nameID` so that we can test
that the correct value is being piped through

Co-authored-by: Peter Chen <[email protected]>

* refactor: clean up commented out code

- there is a lot of commented-out code from
prior wip commits (which at this point, I decided, is
too hard to fix or tidy up). Hence, in this commit,
clean it up

[186822654]

Co-authored-by: Duane May <[email protected]>

* Ignore non-functioning SAML tests

- the SAML SP metadata is still WIP, so this IT will fail. Ignoring
it for now so that "CI" is green along with all other SAML tests
currently failing / non-functional due to the WIP state of the SAML
feature.
- see details of this approach in https://github.com/cloudfoundry/uaa/commit/73520d92499f481929e2b666bfbded83aaaa3148

[186822654]

Co-authored-by: Duane May <[email protected]>

* Update opensaml libraries to 4.x

https://docs.spring.io/spring-security/reference/5.8/migration/servlet/saml2.html

Co-authored-by: Duane May <[email protected]>

* Refactor annotations and formatting

Use RestController, Slf4j, Getter
Use textblocks

Co-authored-by: Duane May <[email protected]>

* Refactor tests: formatting, andExpectAll and assertThat

Use assertThat
Use textblocks

Co-authored-by: Duane May <[email protected]>

* Change from SAML XML to Java Config

Co-authored-by: Duane May <[email protected]>

* feat: populate sp metadata field WantAssertionsSigned

[#186986697]

Co-authored-by: Peter Chen <[email protected]>

* feat: saml sp metadata field - signing cert

- also: refactor the UAA config used in mock mvc tests
(/uaa/src/test/resources/integration_test_properties.yml)
from the deprecated saml key fields (eg: login.serviceProviderKey)
to the new ones (eg: login.saml.keys), so that we test for the
new fields.
  - also fix the api docs test so that it now correctly marks
  the retrieve id zones response's `config.samlConfig.certificate`
  as optional (this field is only returned if you use the
  deprecated saml key config fields)

[#186986697]

Co-authored-by: Duane May <[email protected]>

* feat: saml sp metadata encryption cert

- populate saml sp metadata field for use='encryption' cert
- might be counter-intuitive that the setting on rp registration
that controls this is "decryptionX509Credentials", but the resulting
sp metadata indeed includes use='encryption' which matches
develop branch

[186822654]

Co-authored-by: Duane May <[email protected]>

* refactor: consolidate saml sp configs

- to be processed by a single class "SamlConfiguration" where
the @ConfigurationProperties(prefix="login.saml") annotation
has the ability to process all fields under the login.saml section
of UAA.yml
  - this is helpful because we can now centrally read, process,
  even validate all saml config fields under "login.saml"
  - pay attention to @ConfigurationProperties annotation's various
  requirements though: such as the private field names need to match
  the actual UAA.yml field name (e.g.: login.saml.fooBar -> private
  String fooBar); and that there need to be public setters and getters
  for each field
  - see: https://docs.spring.io/spring-boot/docs/current/reference/html/features.html#features.external-config.typesafe-configuration-properties.using-annotated-types
- the exception is the saml entity id, which in UAA.yml is somehow
outside of the login.saml context (set by login.entityID), so that
field stays under class SamlEntityIdConfiguration

Co-authored-by: Duane May <[email protected]>

* refactor: use lombok

- these getters and setters are required
for @ConfigurationProperties annotation to work; use
lombok so that we don't need to explicitly
define them

[186822654]

Co-authored-by: Duane May <[email protected]>

* refactor: simplify lombok annotation

- as @Data covers the getters and setters

Co-authored-by: Duane May <[email protected]>

* fix: maintain existing saml sp metadata file name

- configure the file name of the saml sp metadata (the downloaded
xml file name when accessing the metadata endpoint: http://localhost:8080/uaa/saml/metadata)
to match the status quo on develop branch: "saml-sp.xml"
- This file name likely does not matter, but out of caution, we should
maintain the same file name as before

[186822654]

Co-authored-by: Duane May <[email protected]>

* fix: saml sp metadata test set up

- now that the metadata is being provided at
the correct location: /saml/metadata, we can correct
the test expectation to reflect that (hence matching
the develop branch)

[#186986697]

Co-authored-by: Duane May <[email protected]>

* fix: SAML SP metadata endpoint and its https redirect

- Removed forwarding of `/saml/metadata` endpoint to `/saml/metadata/example`. It is not necessary because `/saml/metadata` endpoint method already calls `/saml/metadata/{registrationId}` with `example` as the default registrationId. (See class `SamlMetadataEndpoint`.)
- `HttpsEnforcementFilter` is now added at the top of the `SecurityFilterChainPostProcessor`'s `SecurityFilterChain`.
- Added `secFilterOpen06SAMLMetadata` to `SecurityFilterChainPostProcessor`'s  `redirectToHttps` list.

[#186986697]

Co-authored-by: Duane May <[email protected]>
Co-authored-by: Peter Chen <[email protected]>

* Clean up unnecessary code

- Removed SamlExtensionUrlForwardingFilter. Just commented out for now in case we need it later.
- Removed unneeded comments in test code.

[#186986697]

Co-authored-by: Duane May <[email protected]>

* Load the Saml Provider Data

[#187084275]

Co-authored-by: Duane May <[email protected]>

* refactor: Spring Annotations on SamlRelyingPartyRegistrationRepository

- Change SamlRelyingPartyRegistrationRepository to Configuration
- Use constructor args instead of Autowired

Co-authored-by: Duane May <[email protected]>

* fix: multiple versions of the opensaml library

still had opensaml 3.4.6

Co-authored-by: Duane May <[email protected]>

* feat: send SAML authn request to IDP

- when SAML IDP is configured via uaa.yml, when
the user goes to "/uaa/saml2/authenticate/{saml-idp-alias}",
they will get sent to the configured SAML IDP with
a SAML authn request. Specifically, spring-security will do
the following:
 - when the IDP's Binding mode is "HTTP-Redirect", the
 user is redirected to the IDP
 - when the IDP's Binding mode is "HTTP-POST", the user's
 browser is triggered to POST to the IDP. For this to work,
 the ContentSecurityPolicyFilter needs to be updated to exempt
 "/saml2" from policy enforcement, such that the script that
 initiates the POST can be executed in the browser. Similar
 to how this filter exempts /saml (the existing saml-related
 path on develop branch).

- refactor: update the dummy IDP metadata file
dummy-saml-idp-metadata.xml to not point
to example.com, but to https://www.cloudfoundry.org
(which is more of a known destination)

- refactor: use constant DEFAULT_REGISTRATION_ID

[#187084275]

Co-authored-by: Duane May <[email protected]>

* update saml link on login page

* fix: issue with 2 JsonObjects imported

* Merge SamlConfigProps to single class

prefix="login.saml" was in 2 ConfigProps classes before merged into 1

* Update SamlLoginIT

* feat: Saml Login redirects to IDP

Reads provider info from database
Passes the registrationId as relayState

Signed-off-by: Prateek Gangwal <[email protected]>

* fix: click first saml link matching text

when running multiple IT tests, the simplesamlphp2 link was also listed and was causing a conflict with the url matcher

Signed-off-by: Duane May <[email protected]>

* feat: AssertionConsumerService SAML user login

Signed-off-by: Duane May <[email protected]>
Signed-off-by: Ivan Protsiuk <[email protected]>

#187106956

* Clean up and reenable tests

Signed-off-by: Ivan Protsiuk <[email protected]>

* Improve Testing of SAML Request/Response

- Improve Testing of SAML Request/Response with Saml2TestUtils
- Configure assertionConsumerServiceLocation in one location.

- Attempted move to OpenSaml4AuthenticationProvider
requires a shadow dependency on opensaml to remove the need for a non-FIPS-compliant security provider. Not yet in place

Signed-off-by: Duane May <[email protected]>
Signed-off-by: Alicia Yingling <[email protected]>

* Break up AuthProvider

Move user shadowing, attribute processing, and authorities processing to their own classes.

Enable Authorities

Signed-off-by: Ivan Protsiuk <[email protected]>

* Pull in OpenSaml4AuthenticationProvider

This provides general response validation.

Signed-off-by: Prateek Gangwal <[email protected]>

* Verify user attributes, roles, user name, email extraction

Signed-off-by: Prateek Gangwal <[email protected]>

#187809240

* Add editor and lombok config

Signed-off-by: Duane May <[email protected]>

* Run kill_uaa as part of integrationTests

Signed-off-by: Duane May <[email protected]>
Signed-off-by: Hongchol Sinn <[email protected]>

* Annotate Disabled tests with more information

Signed-off-by: Hongchol Sinn <[email protected]>

* feat: SAML Logout

- Main logout flows are working
- IDP Initiated logout is working
- Handle metadata XML passed in instead of metadata location for both bootstrap and SamlIdentityProviderConfigurator

Signed-off-by: Duane May <[email protected]>

* fix Selenium HomePage can be one of two urls.

- clean up the rest of the pageObjects package

Signed-off-by: Duane May <[email protected]>

* Update BootstrapTests

- now attempts to retrieve the non-existent url https://simplesamlphp.uaa.com/saml2/idp/metadata.php

Signed-off-by: Duane May <[email protected]>

* feature: Zone-aware SAML SP metadata

- Implemented to the same level as the default IdentityZone's SP metadata generation.
- Minus `NameIDFormat` value population and registration-ID specific implementation.

[#187846376]

* Disable `findByRegistrationIdWhenNoneFound` test as the assertion is not valid anymore.

* Update counter script

- No longer have Ignored tests only Disabled

Signed-off-by: Duane May <[email protected]>

* Update IdentityZone related classes and tests

Signed-off-by: Duane May <[email protected]>

* feat: basic SAML SP metadata for non-default ID zone

- correctly populates the basic fields of non-default zone SAML SP metadata (such as
WantAssertionsSigned and AuthnRequestsSigned), so that for default vs. non-default zones, the
SP metadata has feature parity.

[#187846376]

Signed-off-by: Duane May <[email protected]>
Signed-off-by: Peter Chen <[email protected]>

* wip: zoned metadata fixes and zoned login

Signed-off-by: Peter Chen <[email protected]>

* rebase and revert entityID checks

* Enable some passing SamlLoginIT tests

Co-authored-by: Duane May <[email protected]>

* refactor entityId and entityIdAlias resolution

- created a base class BaseUaaRelyingPartyRegistrationRepository, used by ConfiguratorRelyingPartyRegistrationRepository and DefaultRelyingPartyRegistrationRepository.
- moved getZoneEntityId and getZoneEntityIdAlias to base class

Co-authored-by: Duane May <[email protected]>
Signed-off-by: Peter Chen <[email protected]>

* backfill some SAML tests

* Enable SAML Automatic Redirect

Requires changing from discovery URL to the authentication request URL.

Enable the following tests in SamlLoginIT:
- samlInvitationAutomaticRedirectInZone2
- samlLoginClientIDPAuthorizationAutomaticRedirect
- samlLoginClientIDPAuthorizationAutomaticRedirectInZone1
- samlLoginMapGroupsInZone1

Co-authored-by: Duane May <[email protected]>
Signed-off-by: Peter Chen <[email protected]>

* build(deps): bump org.gradle:test-retry-gradle-plugin

Bumps org.gradle:test-retry-gradle-plugin from 1.5.9 to 1.5.10.

Co-authored-by: Peter Chen <[email protected]>

---
updated-dependencies:
- dependency-name: org.gradle:test-retry-gradle-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Fix regression in identity-provider endpoint (#2962)

* Fix regression in identity-provider endpoint

Issue:
For existing entries in identity-provider, the new external_key field is null, which is expected.
If external_key is null, this must not overwrite the issuer in the REST endpoint, but it does.

For SAML there is no issue, because here the entityId is really new in REST output and in DB.
For OIDC and OAuth2 the issuer was used in REST already and there was no check before overwrite it from external_key.

* review

* add case if issuer is null from config, allowed for oauth2 IdP

* spelling

* revert the logic of external key, stay with issuer

* set entityId on update

* test coverage

Co-authored-by: Peter Chen <[email protected]>

* build(deps): bump k8s.io/client-go from 0.30.2 to 0.30.3 in /k8s (#2964)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.30.2 to 0.30.3.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.30.2...v0.30.3)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Replace SamlLegacyAliasResponseForwardingFilter

- Added a RelayStateRelyingPartyRegistrationResolver which looks for the Registration Id from the RelayState, instead of the last part of the URL.
- The url contains the entity id, for backward compatibility, instead of the registration id.
- The filter required redirect filter processing, which broke the CSRF Filter (noticed on LoginServerSecurityIntegrationTests)

Co-authored-by: Duane May <[email protected]>
Signed-off-by: Peter Chen <[email protected]>

* fix: correct test expectation

- the saml assertion consumer endpoint should end with
the configured login.entityID in UAA.yml (when login.saml.entityIDAlias is not set)

* Update test classes

- DefaultIntegrationTestConfig: use Durations
- IdentityZoneEndpointsMockMvcTests sonar, asserts
- LdapIntegrationTests: junit5, sonar, asserts

Signed-off-by: Duane May <[email protected]>

* Update scripts for testing

- kill_uaa: make port aware
- debug_uaa: for running uaa in debug or suspended debug mode
- create_test_providers: adds providers to running UAA via API
- create_test_zones: adds zones and providers to running UAA via API

Signed-off-by: Duane May <[email protected]>

* check entityId in validate SAML (#2970)

* WIP: replace SamlLegacyAliasResponseForwardingFilter

- the receiveAuthnResponseFromIdpToLegacyAliasUrl test still failing, see
comments within this test

Co-authored-by: Duane May <[email protected]>

* WIP: check entityId in validate SAML

* WIP: re-establish validation of metadata in /identity-providers endpoint

* WIP: test fix

---------

Co-authored-by: Peter Chen <[email protected]>
Co-authored-by: Duane May <[email protected]>

* feat: Handle Multiple SAML keys

- Rotation Tests working
- Uses keys from SamlConfig for each zone
- Fall back to default keys if none set

[#187994938]

Signed-off-by: Duane May <[email protected]>

* fix: Couple of failing test cases due to `500 INTERNAL_SERVER_ERROR` from `/oauth/token` endpoint

- Stepping through the server code revealed that an exception was thrown as follows:
```
org.cloudfoundry.identity.uaa.util.JsonUtils$JsonUtilException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "relyingPartyRegistrationId" (class org.cloudfoundry.identity.uaa.authentication.UaaPrincipal), not marked as ignorable (6 known properties: "origin", "zoneId", "id", "email", "externalId", "name"])
at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 205] (through reference chain: org.cloudfoundry.identity.uaa.authentication.UaaPrincipal["relyingPartyRegistrationId"])
```
- Added a `jackson` annotation to ignore the 3 properties in UaaSamlPrincipal that were causing the `UnrecognizedPropertyException`.
- Added back a line that sets zoneId in a test case, which apparently had been removed by mistake.

[#187986233]
[#187986220]

* Clean up and reimplement SamlKeyManager and SamlKeyManagerFactory

- added these methods back to IdentityZoneHolder, even though that has been Deprecated
- Migrate BouncyCastle Setup and IdentityZoneHolderInitializer from XML to Java
- Removed some of the old classes that were in this area

Signed-off-by: Duane May <[email protected]>

* Migrate tests from ZoneAwareMetadataGeneratorTests

- Moved tests for rotation to SamlMetadataEndpointKeyRotationTests
- Moved tests related to SamlRedirectUtils to SamlRedirectUtilsTest

Signed-off-by: Duane May <[email protected]>

* feature: Handle incorrect SAML response

- Set the `Saml2WebSsoAuthenticationFilter`'s `AuthenticationFailureHandler` to the custom failure handler.
- Updated the test case's page source validation condition to check for the string that is based on the new exception message.

[#187986112]

* Remove duplicate tests

Various calls to metadata endpoint with and without trailing / and /example in HealthzShouldNotBeProtectedMockMvcTests were duplicated in SamlMetadataMockMvcTests

Signed-off-by: Duane May <[email protected]>

* Add signatures to Metadata and AuthnRequest

Includes:
- getting configured SignatureAlgorithm
- getting configured signMetadata
- Add Signature Algorithm and Digest Algorithm to Metadata
- Generate Signature Value and Digest Value to Metadata
- Add SignatureAlgorithm and keys to the RelyingPartyRegistration
- Sign the AuthnRequest

TPCF-6869
TPCF-6938

Signed-off-by: Duane May <[email protected]>

* Add tests for alternate config of signRequest and signMetaData

TPCF-6869
TPCF-6938

Signed-off-by: Duane May <[email protected]>

* Enable tests in BootstrapSamlIdentityProviderDataTests

Signed-off-by: Duane May <[email protected]>

* Enable test in HomeControllerViewTests

- Removed commented out Disabled annotation in SamlIdentityProviderConfiguratorTests
- TestClassNullifier moved to junit5

Signed-off-by: Duane May <[email protected]>

* feat: Allow InResponseTo checking to be configured

TPCF-6873

* feat: Add NameIdFormat to AuthnRequest

This comes from the property, login.saml.nameID

Also refactored the RelyingPartyRegistrationBuilder to use a Params object with builder since the param list was 8 items

TPCF-6874

Signed-off-by: Duane May <[email protected]>

* Support for login.saml.socket.* settings

TPCF-6882

Signed-off-by: Duane May <[email protected]>

* Only show failed tests

make it easier to find the failed tests in output

Signed-off-by: Duane May <[email protected]>

* Caffeine Caching

Guava Cache recommends moving to Caffeine
Mostly a drop in replacement
Although the refreshAfterWrite works a little different

Signed-off-by: Duane May <[email protected]>

* Log Malformed Saml Responses

The mechanism to achieve this in the old SAML library is no longer there. Added this in to the SamlLoginAuthenticationFailureHandler.

Left the logger name as SamlResponseLoggerBinding for backward compatibility, for jobs looking for the messages.

[TPCF-25429]

Signed-off-by: Duane May <[email protected]>

* Clean up and Sonar

Signed-off-by: Duane May <[email protected]>

* Update to LoginInfoEndpoint

Signed-off-by: Duane May <[email protected]>

* Add Oauth Token endpoint to metadata

maintains existing functionality

Signed-off-by: Duane May <[email protected]>

* Update tests

SamlLoginIT.springSamlEndpointsWithEmptyContext - functionality changed redirects
ZoneAwareKeyManagerTest - was 0 coverage, all calls are proxied to SamlKeyManager in the ThreadLocal managed by IdentityZoneHolder.

Signed-off-by: Duane May <[email protected]>

* Resolve Sonar security hotspots

Replace the //NOSONAR comment with an error-specific SuppressWarnings annotation

* Correct malformed property placeholder.

* Update JavaPluginExtension settings

Signed-off-by: Duane May <[email protected]>

* Implement Saml2 Bearer Grants

Signed-off-by: Duane May <[email protected]>

* Unjava-doc-ify the copyright notices

Signed-off-by: Duane May <[email protected]>

* Fix tests for Invitations and Passcodes

Signed-off-by: Duane May <[email protected]>

* Sonar fixes

Signed-off-by: Duane May <[email protected]>

* Update tests with awaitility

Signed-off-by: Duane May <[email protected]>

* Update discovery urls to authenticate

Signed-off-by: Duane May <[email protected]>

* Enable tests and update disabled reasons for remaining

Signed-off-by: Duane May <[email protected]>

* Enable RelayState as a redirect target

- Remove the existing code to store registrationId on request in the relaystate, it is stored with the request.
- Also enable IDP initiated login, we don't get the registrationId in this case

Signed-off-by: Duane May <[email protected]>

* Update selenium page objects to use assert notation

- Uses assertj and awaitility
- Rename methods to include assert where applicable
- Tests should include assertions java:S2699

Signed-off-by: Duane May <[email protected]>

* Fix Sonar Issues

Signed-off-by: Duane May <[email protected]>

* doc: Update the comment for `login.entityBaseURL` property.

* build(deps): bump versions.springSecurityVersion from 5.8.14 to 5.8.15 (#3089)

Bumps `versions.springSecurityVersion` from 5.8.14 to 5.8.15.

Updates `org.springframework.security:spring-security-config` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-core` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-ldap` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-taglibs` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-test` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

Updates `org.springframework.security:spring-security-web` from 5.8.14 to 5.8.15
- [Release notes](https://github.com/spring-projects/spring-security/releases)
- [Changelog](https://github.com/spring-projects/spring-security/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-projects/spring-security/compare/5.8.14...5.8.15)

---
updated-dependencies:
- dependency-name: org.springframework.security:spring-security-config
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-ldap
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-taglibs
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-test
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.springframework.security:spring-security-web
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump org.apache.velocity:velocity-engine-core (#3090)

Bumps org.apache.velocity:velocity-engine-core from 2.4 to 2.4.1.

---
updated-dependencies:
- dependency-name: org.apache.velocity:velocity-engine-core
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* pr/upgrade docs slate gems take 2 (#3091)

* In an attempt to upgrade Slate, and have successful builds on both Mac and Linux using Ruby 3.3.5

Step 1 - Upgrade dependencies

* Fix jasmine-test script

* build(deps): bump k8s.io/client-go from 0.31.1 to 0.31.2 in /k8s (#3096)

Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.31.1 to 0.31.2.
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.31.1...v0.31.2)

---
updated-dependencies:
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix Sonar Issues

Signed-off-by: Duane May <[email protected]>

* Improve test coverage

Signed-off-by: Duane May <[email protected]>

* Cleanup and test coverage

Signed-off-by: Duane May <[email protected]>

* fix(k8s): fix `JAVA_HOME`

Updates the `JAVA_HOME` env var for the `build-uaa-truststore` init container to match the updated path used by the Paketo buildpack.

fixes: https://github.com/cloudfoundry/uaa/issues/2388
Signed-off-by: Rifa Achrinza <[email protected]>

* build(deps): bump rexml from 3.3.8 to 3.3.9 in /uaa/slate (#3100)

Bumps [rexml](https://github.com/ruby/rexml) from 3.3.8 to 3.3.9.
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/rexml/compare/v3.3.8...v3.3.9)

---
updated-dependencies:
- dependency-name: rexml
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump versions.jacksonVersion from 2.18.0 to 2.18.1 (#3101)

Bumps `versions.jacksonVersion` from 2.18.0 to 2.18.1.

Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `com.fasterxml.jackson.core:jackson-databind` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson/commits)

Updates `com.fasterxml.jackson.dataformat:jackson-dataformat-yaml` from 2.18.0 to 2.18.1
- [Commits](https://github.com/FasterXML/jackson-dataformats-text/compare/jackson-dataformats-text-2.18.0...jackson-dataformats-text-2.18.1)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-annotations
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump versions.seleniumVersion from 4.25.0 to 4.26.0

Bumps `versions.seleniumVersion` from 4.25.0 to 4.26.0.

Updates `org.seleniumhq.selenium:selenium-java` from 4.25.0 to 4.26.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0)

Updates `org.seleniumhq.selenium:selenium-remote-driver` from 4.25.0 to 4.26.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Commits](https://github.com/SeleniumHQ/selenium/compare/selenium-4.25.0...selenium-4.26.0)

---
updated-dependencies:
- dependency-name: org.seleniumhq.selenium:selenium-java
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.seleniumhq.selenium:selenium-remote-driver
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump github.com/onsi/gomega from 1.34.2 to 1.35.0 in /k8s

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.34.2 to 1.35.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.34.2...v1.35.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump github.com/onsi/gomega from 1.35.0 to 1.35.1 in /k8s (#3105)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.35.0 to 1.35.1.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.35.0...v1.35.1)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Cleanup not used comments and fragments

* Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/AddBcProvider.java

* Delete server/src/test/java/org/cloudfoundry/identity/uaa/login/SamlLoginServerKeyManagerTests.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SPWebSSOProfileImpl.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlEntryPoint.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlDiscovery.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationToken.java

* Delete server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FilesystemMetadataProvider.java

* Enable simpleSamlLoginWithAddShadowUserOnLoginFalse

Signed-off-by: Duane May <[email protected]>

* Add coverage for UaaSavedRequestAwareAuthenticationSuccessHandler

Signed-off-by: Duane May <[email protected]>

* Fix Sonar issues

Signed-off-by: Duane May <[email protected]>

* sonar recommendation

* sonar recommendation

* sonar says not in use

* Remove duplicates in New-saml-0530 (#3117)

* renovate: update dependency webrick to v1.9.0

* Refactor and fix duplicate

found by sonar in https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent

* Only show failed tests

make it easier to find the failed tests in output

Signed-off-by: Duane May <[email protected]>

* reduce duplicates

* rebase

* reduce duplicates

* Refactor and fix duplicate (#3112)

found by sonar in https://sonarcloud.io/component_measures?metric=new_duplicated_lines_density&selected=cloudfoundry-identity-parent%3Aserver%2Fsrc%2Fmain%2Fjava%2Forg%2Fcloudfoundry%2Fidentity%2Fuaa%2Fauthentication%2FPasscodeAuthenticationFilter.java&view=list&pullRequest=2908&id=cloudfoundry-identity-parent

* cleanup

* refactor saml bearer usage

* Migrate to Caffeine Caching (#3114)

* Migrate to Caffeine Caching

Guava Cache recommends moving to Caffeine
Mostly a drop-in replacement
Although the refreshAfterWrite works a little differently

* more test coverage

* again more test coverage

* sonar

* sonar

---------

Co-authored-by: strehle <[email protected]>

* fix rebase

* fix rebase

---------

Signed-off-by: Duane May <[email protected]>
Co-authored-by: Duane May <[email protected]>
Co-authored-by: Duane May <[email protected]>

* fix rebase

* Store saml session index in UaaSamlPrincipal

needed later for SLO

* return plain error message (#3119)

in case of decryption issue (wrong key) do not show
class internals

* Disable csrf check in SAML-SLO (#3123)

Found in manual test with SAML SLO, POST Binding

* fix integration test

* fix integration test

* Add acr value into User Authentication (#3127)

re-establish IT

see former retrieval
https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L292-L298

* Cleanup shadow library (#3130)

* Cleanup libraries not needed anymore (#3129)

* Cleanup libraries not needed anymore

bound to old opensaml

* Remove ESAPI finally

this dependency is only there because of old saml

* fix rebase

* sonar issue

https://sonarcloud.io/project/issues?impactSoftwareQualities=RELIABILITY&sinceLeakPeriod=true&issueStatuses=OPEN%2CCONFIRMED&pullRequest=2908&id=cloudfoundry-identity-parent

* remove not needed method

* Add test to run Authn with redirect binding

Will add more coverage in Saml2Utils

* minor sonar issue

* cleanup not used code

* sonar issue with unspecified type

* Fix Sonar issues

Signed-off-by: Duane May <[email protected]>

* Enhancements for SAML2 bearer flow (#3132)

* Test saml bearer

* Fixes for SAML2 bearer flow

* reverted test

* Enhancements for SAML2 bearer and IdP initiated SSO (#3136)

* Test saml bearer

* Fixes for SAML2 bearer flow

* reverted test

* Implement RelyingPartyRegistrationResolver

* support resolution of SAMLResponse from request
* remove default setting

* Use standard setting of metadata

the feature with classpath is new in this PR.

* refactorings based on sonar

* Replace dummy-saml-idp-metadata

and create the data based on real key data

Until now we do not deliver any keys in uaa.war.

* Cleanup test failure

Changed, because of hack with defaults.

* Rename DefaultRelyingPartyRegistrationResolver to UaaRelyingPartyRegistrationResolver

Signed-off-by: Duane May <[email protected]>

* Refactor text blocks

Signed-off-by: Duane May <[email protected]>

---------

Signed-off-by: Duane May <[email protected]>
Co-authored-by: Duane May <[email protected]>
Co-authored-by: Duane May <[email protected]>

* sonar: unused imports

* sonar: recommendation

* sonar: recommendation

* sonar changes

* sonar changes

* omit hard coded example name (#3140)

* build(deps): bump commons-io:commons-io from 2.17.0 to 2.18.0 (#3146)

Bumps commons-io:commons-io from 2.17.0 to 2.18.0.

---
updated-dependencies:
- dependency-name: commons-io:commons-io
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feature: integration test coverage

- Modified `cargo.local` to run with jacoco agent if a system property is set.
- Added a task to generate coverage report from the recorded jacoco data.

* Add the kill_uaa step to ensure jacoco file is written

* typo

* Bump Gradle to 8.11.1

* fix: default values of custom zone's saml entityID and saml alias (when the configured entityID is a URL)

- maintain the existing behavior where a custom identity zone's saml entityID is defaulted
to either 1) `zoneSubdomain.uaaWideSamlEntityID` if `uaaWideSamlEntityID` is not a URL, or
2) if `uaaWideSamlEntityID` is a URL, integrating the zoneSubdomain into the URL
(see tests for example).

- similar logic for saml entity alias (which is used in various saml sp urls, such as `AssertionConsumerService`)
except that the alias should not include url scheme (aka without `https://`), so that
the resulting saml sp urls are valid urls (e.g.: `https://zone1.uaa.com/saml/SSO/alias/[saml entity alias]`,
see tests for examples).

- reference on develop branch (old saml code):
  - doc: https://github.com/cloudfoundry/uaa/blob/65952b1b53b8d01cf93e68493a3f6ac85ad8a825/docs/login/Okta-README.md?plain=1#L73-L75
  - code: https://github.com/cloudfoundry/uaa/blob/cc5f76fba495e5d1b3fd755ac3a6ff137fc91878/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGenerator.java#L53-L54

- problem statement:
without this commit, when
* a custom zone is created without a `zone.config.samlConfig.entityID` specified
* the default zone's `login.entityID` is configured to a URL, such as `https://uaa.com`
* the default zone's `login.saml.entityIDAlias` is not set, aka default to `login.entityID`
Then the resulting custom zone sp metadata has some discrepancies with the old saml
code's metadata:

For `AssertionConsumerService`:
- old (correct) value is: https://test-zone-before.uaa.com/saml/SSO/alias/test-zone-before.uaa.com
- new value is: https://test-zone.uaa.com/saml/SSO/alias/test-zone.http:/uaa.com
For `entityID`:
- old (correct) value is: http://test-zone-before.uaa.com
- new value is: test-zone.http://uaa.com

This results in the external SAML login for this zone not working.

* clean version definition

not needed anymore

---------

Signed-off-by: Prateek Gangwal <[email protected]>
Signed-off-by: Duane May <[email protected]>
Signed-off-by: Ivan Protsiuk <[email protected]>
Signed-off-by: Alicia Yingling <[email protected]>
Signed-off-by: Hongchol Sinn <[email protected]>
Signed-off-by: Peter Chen <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: Rifa Achrinza <[email protected]>
Co-authored-by: Danny Faught <[email protected]>
Co-authored-by: Peter Chen <[email protected]>
Co-authored-by: Bruce Ricard <[email protected]>
Co-authored-by: Hongchol Sinn <[email protected]>
Co-authored-by: Duane May <[email protected]>
Co-authored-by: Bruce Ricard <[email protected]>
Co-authored-by: Filip Hanik <[email protected]>
Co-authored-by: Duane May <[email protected]>
Co-authored-by: d036670 <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Markus Strehle <[email protected]>
Co-authored-by: Duane May <[email protected]>
Co-authored-by: Rifa Achrinza <[email protected]>
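The zone entityID and alias defaulting described in the "fix: default values of custom zone's saml entityID and saml alias" commit above, as an added Python sketch that is not UAA's own code: the function names, the `zone_base_url` parameter and the sample values are constructed for illustration, and the naive variant reproduces the broken string prefixing the commit message quotes.

```python
"""Added example (not UAA code): derive a custom zone's SAML entityID and
alias from the UAA-wide values, following the two cases in the commit message."""
from urllib.parse import urlsplit, urlunsplit


def is_url(value: str) -> bool:
    """True when value carries both a scheme and a host, e.g. 'https://uaa.com'."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


def naive_zone_entity_id(zone_subdomain: str, uaa_wide_entity_id: str) -> str:
    """The defaulting the commit fixes: plain prefixing regardless of whether
    the UAA-wide value is a URL, which yields 'test-zone.https://uaa.com'."""
    return f"{zone_subdomain}.{uaa_wide_entity_id}"


def zone_entity_id(zone_subdomain: str, uaa_wide_entity_id: str) -> str:
    """Case 1: not a URL -> zoneSubdomain.uaaWideSamlEntityID.
    Case 2: a URL -> the zone subdomain is spliced into the URL's host,
    keeping scheme, path and query intact."""
    if not is_url(uaa_wide_entity_id):
        return f"{zone_subdomain}.{uaa_wide_entity_id}"
    p = urlsplit(uaa_wide_entity_id)
    return urlunsplit((p.scheme, f"{zone_subdomain}.{p.netloc}", p.path, p.query, p.fragment))


def zone_entity_alias(zone_subdomain: str, uaa_wide_alias: str) -> str:
    """Same splice as the entityID, but the alias never carries a scheme,
    because it is embedded as a path segment of the SP URLs."""
    host = urlsplit(uaa_wide_alias).netloc if is_url(uaa_wide_alias) else uaa_wide_alias
    return f"{zone_subdomain}.{host}"


def assertion_consumer_service_url(zone_base_url: str, alias: str) -> str:
    """SP URL shape quoted in the commit: <zone URL>/saml/SSO/alias/<alias>.
    zone_base_url is a constructed parameter for this example."""
    return f"{zone_base_url.rstrip('/')}/saml/SSO/alias/{alias}"


def alias_is_url_safe(alias: str) -> bool:
    """Guard worth keeping in a test: an alias that still contains a scheme
    or a slash produces an invalid ACS URL like '.../alias/test-zone.http:/uaa.com'."""
    return alias != "" and ":" not in alias and "/" not in alias


if __name__ == "__main__":
    # Constructed sample values: custom zone 'test-zone', UAA-wide entityID a URL.
    print(zone_entity_id("test-zone", "https://uaa.com"))       # https://test-zone.uaa.com
    print(zone_entity_alias("test-zone", "https://uaa.com"))    # test-zone.uaa.com
    print(naive_zone_entity_id("test-zone", "https://uaa.com")) # test-zone.https://uaa.com
```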