SAML authentication failing with unsupported request, invalid SAML errors after upgrading

Article ID: 293702

Products

Operations Manager

Issue/Introduction

You are attempting or experiencing the following:

  • You are attempting to authenticate to UAA via SAML, but after the OAuth flow your browser shows the error "Unsupported Request".
  • The environment was recently upgraded to Tanzu Application Service (TAS) for VMs version 2.7.10, 2.7.11, 2.8.4, or 2.8.5.
  • The uaa.log contains the error "org.opensaml.common.SAMLException: Unsupported request":
uaa.log:Caused by: org.opensaml.common.SAMLException: Unsupported request
uaa.log:[2020-03-11 21:13:35.759] uaa - 18 [https-jsse-nio-8443-exec-7] .... DEBUG --- LoginSAMLAuthenticationFailureHandler: org.opensaml.common.SAMLException: Unsupported request
  • The uaa.log contains the failure "Incoming SAML message is invalid":
[2020-03-24 15:03:34.131] uaa - 16 [https-jsse-nio-8443-exec-6] .... DEBUG --- SAMLProcessingFilter: Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Incoming SAML message is invalid


Environment

Product Version: 2.8

Resolution

To resolve this issue, upgrade Tanzu Application Service (TAS) for VMs to version 2.7.12, 2.8.6, or a later version.

This issue was caused by the version of Apache Tomcat bundled with the UAA release; the root cause is a bug in that underlying dependency of UAA. For more information, see the details in the UAA release notes.

Tomcat issue 64210 - Correcting a regression in the improvements to HTTP header validation that caused requests to be incorrectly treated as invalid if a CRLF sequence was split between TCP packets. Improve validation of request lines, including for HTTP/0.9 requests.
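As an added triage aid that is not part of this article or of the UAA/TAS product code, the following Python script scans uaa.log lines for the two signatures quoted above and checks a TAS version string against the affected and fixed releases the article lists. The sample log lines it runs on are constructed from the excerpts above; the function names and the verdict keys are this example's own.

```python
import re

# Log signatures quoted in the article's uaa.log excerpts.
SIGNATURES = {
    "unsupported_request": "org.opensaml.common.SAMLException: Unsupported request",
    "invalid_saml_message": "Incoming SAML message is invalid",
}
# TAS versions the article names as affected, and the first fixed release per line.
AFFECTED_VERSIONS = {"2.7.10", "2.7.11", "2.8.4", "2.8.5"}
FIXED_MINIMUM = {(2, 7): (2, 7, 12), (2, 8): (2, 8, 6)}
TIMESTAMP_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\]")

def version_has_fix(version):
    """True at or above 2.7.12 on the 2.7 line, 2.8.6 on the 2.8 line, or on any
    later line; this mirrors the article's "2.7.12 or 2.8.6 or higher"."""
    parts = tuple(int(p) for p in version.split("."))
    line = parts[:2]
    if line in FIXED_MINIMUM:
        return parts >= FIXED_MINIMUM[line]
    return line > (2, 8)

def scan_uaa_log(lines):
    """Map each signature to the timestamps of the lines containing it. Lines with
    no bracketed timestamp (e.g. 'Caused by:' stack-trace lines) yield None."""
    hits = {name: [] for name in SIGNATURES}
    for line in lines:
        for name, needle in SIGNATURES.items():
            if needle in line:
                match = TIMESTAMP_RE.search(line)
                hits[name].append(match.group(1) if match else None)
    return hits

def triage(version, lines):
    """Combine the log scan with the version check into one verdict."""
    hits = scan_uaa_log(lines)
    return {
        "signatures_found": {name: len(stamps) for name, stamps in hits.items()},
        "matches_kb_293702": any(hits.values()) and version in AFFECTED_VERSIONS,
        "upgrade_needed": not version_has_fix(version),
    }

if __name__ == "__main__":
    # Constructed sample: two lines taken from the article's uaa.log excerpts.
    sample = [
        "uaa.log:Caused by: org.opensaml.common.SAMLException: Unsupported request",
        "[2020-03-24 15:03:34.131] uaa - 16 [https-jsse-nio-8443-exec-6] .... DEBUG --- "
        "SAMLProcessingFilter: Authentication request failed: Incoming SAML message is invalid",
    ]
    print(triage("2.8.5", sample))
```

Run it against a real uaa.log with `triage(version, open("uaa.log").read().splitlines())`; a verdict with `matches_kb_293702` true and `upgrade_needed` true points at this article's fix.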