When attaching a foundation using "automatic attach", the attach fails with the error below:
ERROR: TAS UAA's external IDP type (saml) does not match Hub UAA's external IDP type (ldap). Exiting..
In the Elastic App Runtime tile, under the "Authentication and Enterprise SSO" tab, the configured UAA method is a SAML provider for authentication.
In the Hub tile there is no SAML option.
The error is seen during pre-start of the ensemble_stitching VM.
Elastic Application Runtime 10.3.4
Tanzu Hub 10.3.4
During the "automatic attach" or "manual attach" process, an additional task creates UAA-related users so that some of the components can authenticate and get credentials from the EAR (Elastic Application Runtime).
As part of the checks during this process, the script verifies whether the EAR uses an IDP for authentication and, if it does, whether that authentication method matches what is configured in Tanzu Hub.
If they do not match, the pre-start script in the ensemble_stitching service logs the messages below:
[2026-xx-09T13:xx:18.298Z] Querying TAS UAA /info endpoint to obtain external IDP origin key
[2026-xx-09T13:xx:18.331Z] Querying Hub UAA /info endpoint to obtain external IDP origin key
[2026-xx-09T13:xx:18.367Z] No non-LDAP external identity provider configured in Hub UAA: , assumes that an external LDAP is configured
[2026-xx-09T13:xx:18.367Z] ERROR: TAS UAA's external IDP type (saml) does not match Hub UAA's external IDP type (ldap). Exiting..
Apply Changes will fail with:
L Error: Action Failed get_task: Task c8xxxxf4-xxxx-xxxx-xxxx-d98bxxxxab65 result: 1 of 4 pre-start scripts failed. Failed Jobs: ensemble-stitching. Successful Jobs: config_scanner, bpm, bosh-dns.
If EAR is using a SAML IDP, there is no way to connect that environment to Tanzu Hub, because the above check is triggered no matter which connection method is used.
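To confirm that a failed pre-start was caused by this check, the mismatch can be pulled out of a saved ensemble_stitching pre-start log. The script below is an added example, not part of the product or of the original article: the function name and the sample log are constructed, and the patterns assume the message wording quoted above. It also reports whether the Hub type was a discovered value or the LDAP fallback assumption.

```python
import re

# Patterns taken from the pre-start messages quoted in this article.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
MISMATCH = re.compile(
    r"ERROR: TAS UAA's external IDP type \((?P<tas>[^)]+)\) does not match "
    r"Hub UAA's external IDP type \((?P<hub>[^)]+)\)"
)
FALLBACK = "No non-LDAP external identity provider configured in Hub UAA"

# Constructed sample log (timestamps are made up; messages follow the article).
SAMPLE_LOG = """\
[2026-01-09T13:00:18.298Z] Querying TAS UAA /info endpoint to obtain external IDP origin key
[2026-01-09T13:00:18.331Z] Querying Hub UAA /info endpoint to obtain external IDP origin key
[2026-01-09T13:00:18.367Z] No non-LDAP external identity provider configured in Hub UAA: , assumes that an external LDAP is configured
[2026-01-09T13:00:18.367Z] ERROR: TAS UAA's external IDP type (saml) does not match Hub UAA's external IDP type (ldap). Exiting..
"""


def find_idp_mismatches(log_text):
    """Return one finding per IDP-type mismatch error in a pre-start log."""
    findings = []
    hub_assumed = False  # set when the Hub type came from the LDAP fallback
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # skip lines without a [timestamp] prefix
        msg = line.group("msg")
        if msg.startswith("Querying TAS UAA /info"):
            hub_assumed = False  # a new check run starts here
        elif msg.startswith(FALLBACK):
            hub_assumed = True
        else:
            m = MISMATCH.search(msg)
            if m:
                findings.append({
                    "timestamp": line.group("ts"),
                    "tas_idp_type": m.group("tas"),
                    "hub_idp_type": m.group("hub"),
                    "hub_type_assumed": hub_assumed,
                })
    return findings


if __name__ == "__main__":
    for f in find_idp_mismatches(SAMPLE_LOG):
        origin = "assumed by fallback" if f["hub_type_assumed"] else "reported by Hub UAA"
        print(f"{f['timestamp']}: TAS={f['tas_idp_type']} Hub={f['hub_idp_type']} ({origin})")
```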