"Client Registration with UAA Failed" Error when Binding App to Single Sign-On (SSO) Instance

Article ID: 297732

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Symptoms:

Binding an app instance that contains an underscore in its route to an SSO service instance returns an error.

Note: The 'test_app' instance below has a route such as 'test_app.myappdomain.com'.

Error Message:

Binding service sample-instance to app test_app in org test / space test as admin...

FAILED

Server error, status code: 502, error code: 10001, message: 
Service broker error: Client registration with UAA failed

Cause

This is a bug.

The UAA component contains a check to validate Client Redirect URIs. This validation does not allow underscore characters in the sub-domain and fails, resulting in the above error message.

While the official RFC standards do not allow "_" in domain names, they do allow "_" in sub-domains.

Resolution

The issue is fixed in UAA Release v4.9.0. Please see the release notes below.

The following steps can be completed as a workaround for the problem:

  • Add an alternate route for the app that contains no underscore, either under the Map a route section in Apps Manager or via the CLI.
  • Refer to https://docs.pivotal.io/p-identity/1-5/configure-apps/index.html#properties for how to pass an explicit value for SSO_REDIRECT_URIS, and set it to the new route added above, without the "_". This involves specifying the new route explicitly in the application's "manifest.yml" file, which is then made available for binding/rebinding to service instances through an environment variable, for example:

env:
  SSO_REDIRECT_URIS: https://my-domain-here.domain.org
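
A pre-bind check for the workaround above, as an added example that is not part of the original article or VMware's tooling: it flags routes whose hostname contains an underscore and proposes the underscore-free route and the SSO_REDIRECT_URIS value to use instead. The function names are hypothetical, and replacing "_" with "-" is an assumed naming convention; any hostname without an underscore works.

```python
from urllib.parse import urlsplit


def route_host(route: str) -> str:
    """Hostname of a route written as 'host', 'host/path' or a full URL."""
    if "://" not in route:
        route = "https://" + route
    return (urlsplit(route).hostname or "").lower()


def underscore_free(host: str) -> str:
    """Propose an alternate hostname: '_' becomes '-' (an assumed convention)."""
    labels = []
    for label in host.split("."):
        # A DNS label may not start or end with '-', so trim after replacing.
        fixed = label.replace("_", "-").strip("-")
        if not fixed:
            raise ValueError(f"label {label!r} in {host!r} has no usable characters")
        labels.append(fixed)
    return ".".join(labels)


def plan_workaround(routes):
    """Map each route whose host contains '_' to an underscore-free redirect URI."""
    plan = {}
    for route in routes:
        host = route_host(route)
        if "_" in host:
            plan[route] = "https://" + underscore_free(host)
    return plan


if __name__ == "__main__":
    # Constructed sample routes; the first is the one used in the article.
    routes = ["test_app.myappdomain.com", "https://billing.myappdomain.com/api"]
    for route, uri in plan_workaround(routes).items():
        host, _, domain = route_host(uri).partition(".")
        print(f"{route}: fails UAA redirect URI validation before v4.9.0")
        print(f"  map alternate route: hostname={host} domain={domain}")
        print(f"  manifest.yml env -> SSO_REDIRECT_URIS: {uri}")
```

Run it against the app's routes before binding or rebinding; routes it does not list need no alternate route.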