
UAA can send you to cloudfoundry.org instead of your IDP #3650

@schmidtsv

Description

Hello UAA people,

I had a customer request yesterday where they had issues with the reachability of their ADFS, which I assume ended up landing UAA in the code block here:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="%s">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>%s</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.cloudfoundry.org"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>""".formatted(entityId, certificate);
}

They then got sent to cloudfoundry.org instead of their ADFS, with all the parameters that would normally be sent to the IDP.

What I would prefer here would be a redirect to a UAA error page, instead of redirecting the entire request to cloudfoundry.org, which does not show an error or any indication why the user landed there, and leaks the request parameters while at it.

The error on the uaa.log that accompanied this:

[2025-10-20T08:05:55.018931Z] uaa - 22 [https-jsse-nio-8443-exec-11] - [cce0e491192946d96205971f0395733d,6205971f0395733d] ....  WARN --- ConfiguratorRelyingPartyRegistrationRepository: Cannot retrieve SAML trusted party.
org.springframework.security.saml2.Saml2Exception: java.net.SocketException: Connection reset by peer
  at org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations.fromMetadataLocation(RelyingPartyRegistrations.java:84) ~[spring-security-saml2-service-provider-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.provider.saml.RelyingPartyRegistrationBuilder.buildRelyingPartyRegistration(RelyingPartyRegistrationBuilder.java:61) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.cloudfoundry.identity.uaa.provider.saml.ConfiguratorRelyingPartyRegistrationRepository.createRelyingPartyRegistration(ConfiguratorRelyingPartyRegistrationRepository.java:79) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.cloudfoundry.identity.uaa.provider.saml.ConfiguratorRelyingPartyRegistrationRepository.findByRegistrationId(ConfiguratorRelyingPartyRegistrationRepository.java:45) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.cloudfoundry.identity.uaa.provider.saml.DelegatingRelyingPartyRegistrationRepository.findByRegistrationId(DelegatingRelyingPartyRegistrationRepository.java:41) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.cloudfoundry.identity.uaa.provider.saml.UaaRelyingPartyRegistrationResolver.resolve(UaaRelyingPartyRegistrationResolver.java:81) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.security.saml2.provider.service.web.authentication.OpenSamlAuthenticationRequestResolver.resolve(OpenSamlAuthenticationRequestResolver.java:127) ~[spring-security-saml2-service-provider-5.8.16.jar:5.8.16]
  at org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver.resolve(OpenSaml4AuthenticationRequestResolver.java:59) ~[spring-security-saml2-service-provider-5.8.16.jar:5.8.16]
  at org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter.doFilterInternal(Saml2WebSsoAuthenticationRequestFilter.java:185) ~[spring-security-saml2-service-provider-5.8.16.jar:5.8.16]
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.oauth.DisableIdTokenResponseTypeFilter.doFilterInternal(DisableIdTokenResponseTypeFilter.java:93) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.security.web.CorsFilter.doFilterInternal(CorsFilter.java:129) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.zone.IdentityZoneResolvingFilter.doFilterInternal(IdentityZoneResolvingFilter.java:81) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.web.LimitedModeUaaFilter.doFilterInternal(LimitedModeUaaFilter.java:71) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.authentication.UTF8ConversionFilter.validateParamsAndContinue(UTF8ConversionFilter.java:69) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.cloudfoundry.identity.uaa.authentication.UTF8ConversionFilter.doFilter(UTF8ConversionFilter.java:53) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:102) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.web.BackwardsCompatibleScopeParsingFilter.doFilter(BackwardsCompatibleScopeParsingFilter.java:40) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.web.HeaderFilter.doFilter(HeaderFilter.java:52) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.metrics.UaaMetricsFilter.doFilterInternal(UaaMetricsFilter.java:79) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at brave.servlet.TracingFilter.doFilter(TracingFilter.java:80) ~[brave-instrumentation-servlet-6.3.0.jar:?]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129) ~[catalina.jar:9.0.106]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.ratelimiting.RateLimitingFilter$WithLimitingFilter.doFilter(RateLimitingFilter.java:122) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.cloudfoundry.identity.uaa.ratelimiting.RateLimitingFilter.doFilter(RateLimitingFilter.java:75) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:53) ~[servlet-api.jar:4.0.FR]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor$UaaLoggingFilter.doFilter(SecurityFilterChainPostProcessor.java:259) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor$HttpsEnforcementFilter.doFilter(SecurityFilterChainPostProcessor.java:203) ~[cloudfoundry-identity-server-77.35.0.jar:?]
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:225) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:190) ~[spring-security-web-5.8.16.jar:5.8.16]
  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.39.jar:5.3.39]
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168) ~[catalina.jar:9.0.106]
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[catalina.jar:9.0.106]
  at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:142) ~[spring-session-core-2.7.4.jar:2.7.4]
  at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:82) ~[spring-session-core-2.7.4.jar:2.7.4]
  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354) ~[spring-web-5.3.39.jar:5.3.39]
  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267) ~[spring-web-5.3.39.jar:5.3.39]
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168) ~[catalina.jar:9.0.106]
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[catalina.jar:9.0.106]
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168) ~[catalina.jar:9.0.106]
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[catalina.jar:9.0.106]
  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[catalina.jar:9.0.106]
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130) ~[catalina.jar:9.0.106]
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[catalina.jar:9.0.106]
  at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:656) ~[catalina.jar:9.0.106]
  at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:762) ~[catalina.jar:9.0.106]
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:9.0.106]
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346) ~[catalina.jar:9.0.106]
  at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397) ~[tomcat-coyote.jar:9.0.106]
  at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-coyote.jar:9.0.106]
  at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:935) ~[tomcat-coyote.jar:9.0.106]
  at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1826) ~[tomcat-coyote.jar:9.0.106]
  at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-coyote.jar:9.0.106]
  at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1189) ~[tomcat-util.jar:9.0.106]
  at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:658) ~[tomcat-util.jar:9.0.106]
  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-util.jar:9.0.106]
  at java.lang.Thread.run(Thread.java:1583) ~[?:?]
Caused by: java.net.SocketException: Connection reset by peer
  at sun.nio.ch.SocketDispatcher.write0(Native Method) ~[?:?]
  at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:62) ~[?:?]
  at sun.nio.ch.NioSocketImpl.tryWrite(NioSocketImpl.java:394) ~[?:?]
  at sun.nio.ch.NioSocketImpl.implWrite(NioSocketImpl.java:410) ~[?:?]
  at sun.nio.ch.NioSocketImpl.write(NioSocketImpl.java:440) ~[?:?]
  at sun.nio.ch.NioSocketImpl$2.write(NioSocketImpl.java:819) ~[?:?]
  at java.net.Socket$SocketOutputStream.write(Socket.java:1195) ~[?:?]
  at sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:271) ~[?:?]
  at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:89) ~[?:?]
  at sun.security.ssl.ClientHello$ClientHelloKickstartProducer.produce(ClientHello.java:643) ~[?:?]
  at sun.security.ssl.SSLHandshake.kickstart(SSLHandshake.java:526) ~[?:?]
  at sun.security.ssl.ClientHandshakeContext.kickstart(ClientHandshakeContext.java:112) ~[?:?]
  at sun.security.ssl.TransportContext.kickstart(TransportContext.java:263) ~[?:?]
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:448) ~[?:?]
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
  at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:586) ~[?:?]
  at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187) ~[?:?]
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1690) ~[?:?]
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1614) ~[?:?]
  at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:223) ~[?:?]
  at org.springframework.core.io.UrlResource.getInputStream(UrlResource.java:187) ~[spring-core-5.3.39.jar:5.3.39]
  at org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations.fromMetadataLocation(RelyingPartyRegistrations.java:77) ~[spring-security-saml2-service-provider-5.8.16.jar:5.8.16]
  ... 78 more
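As an added example (not UAA's or Spring Security's code), a defender-side guard that parses an EntityDescriptor like the fallback one quoted above and refuses to issue the HTTP-Redirect unless the SingleSignOnService Location is on an allowed IdP host, plus a detection helper that picks the "Cannot retrieve SAML trusted party" warning out of uaa.log lines. The host `adfs.example.test`, the sample metadata and the sample log lines are constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the placeholder metadata from the issue, with the
# entityID filled in and the certificate element left out for brevity.
FALLBACK_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://adfs.example.test/adfs/services/trust">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.cloudfoundry.org"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>"""


class UntrustedSsoLocation(Exception):
    """Raised when the metadata would send the AuthnRequest somewhere unexpected."""


def sso_redirect_location(metadata_xml: str) -> str:
    """Return the Location of the HTTP-Redirect SingleSignOnService in the metadata."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(".//md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            return svc.get("Location", "")
    raise UntrustedSsoLocation("no HTTP-Redirect SingleSignOnService in metadata")


def checked_sso_location(metadata_xml: str, allowed_idp_hosts: set[str]) -> str:
    """Fail closed: only return the Location if it is https on an allowed IdP host.

    A caller that catches UntrustedSsoLocation can render an error page instead
    of redirecting the SAMLRequest and RelayState to an arbitrary site.
    """
    loc = sso_redirect_location(metadata_xml)
    u = urlparse(loc)
    if u.scheme != "https" or u.hostname is None or u.hostname.lower() not in allowed_idp_hosts:
        raise UntrustedSsoLocation(f"SSO Location {loc!r} is not an allowed IdP host")
    return loc


METADATA_FAIL_MARKER = "Cannot retrieve SAML trusted party"

# Constructed uaa.log lines: one metadata-fetch failure among ordinary entries.
SAMPLE_LOG = [
    "[2025-10-20T08:05:54.000000Z] uaa - 22 [exec-10] - INFO --- Audit: UserAuthenticationSuccess",
    "[2025-10-20T08:05:55.018931Z] uaa - 22 [exec-11] - WARN --- ConfiguratorRelyingPartyRegistrationRepository: Cannot retrieve SAML trusted party.",
    "[2025-10-20T08:05:56.000000Z] uaa - 22 [exec-12] - INFO --- Audit: TokenIssuedEvent",
]


def metadata_fetch_failures(log_lines):
    """Return the log lines recording a failed IdP metadata fetch; alert on any hit."""
    return [line for line in log_lines if METADATA_FAIL_MARKER in line]
```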
