After upgrading to TKGi v1.23.3, SAML authentication to the TKGi API fails, and the UAA logs report an invalid assertion because of a ProxyRestriction condition:
TKGi UAA logs, with DEBUG logging enabled:
uaa - 11 [https-jsse-nio-8443-exec-1] - [2f9461bd67baac41,2f9461bd67baac41] .... WARN --- SamlResponseLoggerBinding: Malformed SAML response. More details at log level DEBUG.
uaa - 11 [https-jsse-nio-8443-exec-1] - [2f9461bd67baac41,2f9461bd67baac41] .... DEBUG --- ProviderManager: Authentication failed with provider OpenSaml4AuthenticationProvider since Invalid assertion [AID-####-############-############-HkpQmPLXPT5mzJX8yvLBlC] for SAML response [########-####-####-####-3b77a5834631]: Unknown Condition '{urn:oasis:names:tc:SAML:2.0:assertion}ProxyRestriction' of type 'null' in assertion 'AID-####-#############-#############-HkpQmPLXPT5mzJX8yvLBlC'
TKGi v1.23 and v1.24 with SAML authentication
The UAA bundled with TKGi v1.23 and v1.24 validates SAML assertions more strictly than earlier releases. When the identity provider includes a ProxyRestriction element in the assertion's Conditions, the OpenSaml4AuthenticationProvider does not recognize that condition type and rejects the whole assertion, so the login fails even though the signature, audience and validity window are fine.
This is a known issue in UAA v78.8.0 and earlier, which is the UAA version bundled with TKGi v1.23 and TKGi v1.24.
The issue is resolved in UAA v78.9.0. Review the TKGi release notes to identify the TKGi versions that bundle UAA v78.9.0 or later, and upgrade to one of them.
To confirm the cause, retrieve the SAML assertion by capturing a SAML trace export (XML) in the browser during a failed login attempt and check whether its Conditions element contains a ProxyRestriction child; see the How to gather a SAML trace KB.
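The following script is an added example, not part of this KB or of UAA. It reads the Response XML from a SAML trace export, lists the condition types carried by every Assertion, and flags the ProxyRestriction condition that UAA v78.8.0 and earlier rejects, so the cause can be confirmed before scheduling the upgrade. The embedded Response, its hostnames and its assertion ID are constructed sample data, not output from a real identity provider; the function names and the REJECTED_BY_OLD_UAA set are this example's own assumptions.

```python
"""Inspect a SAML trace export for the ProxyRestriction condition that
UAA <= v78.8.0 (bundled with TKGi v1.23 / v1.24) rejects.

Added example; not part of the KB or of UAA. Run it against the Response
XML exported from a browser SAML tracer (python3 check_saml_trace.py
response.xml). With no argument it analyses the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]
ENCRYPTED_TAG = "{%s}EncryptedAssertion" % NS["saml"]

# Condition types that the affected UAA version fails on, per the KB.
# Assumption of this example: only ProxyRestriction is listed.
REJECTED_BY_OLD_UAA = {"ProxyRestriction"}

# Constructed sample: one Assertion whose Conditions carry both an
# AudienceRestriction and a ProxyRestriction. Hosts and IDs are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-sample-0001"
    Version="2.0" IssueInstant="2023-06-01T12:00:00Z"
    Destination="https://api.pks.example.com:8443/saml/SSO/alias/example">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Assertion ID="AID-sample-0001" Version="2.0" IssueInstant="2023-06-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-06-01T11:55:00Z" NotOnOrAfter="2023-06-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://api.pks.example.com:8443</saml:Audience>
      </saml:AudienceRestriction>
      <saml:ProxyRestriction Count="0"/>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rpartition("}")[2]


def find_assertions(root: ET.Element) -> List[ET.Element]:
    """Return plaintext Assertion elements, whether the export is a whole
    Response or only the bare Assertion element."""
    if root.tag == ASSERTION_TAG:
        return [root]
    return root.findall(".//saml:Assertion", NS)


def diagnose(xml_text: str) -> Dict[str, object]:
    """Map each Assertion ID to the local names of its Conditions children
    (in document order), list the (assertion ID, condition) pairs the old
    UAA rejects, and count EncryptedAssertion elements, which cannot be
    inspected without the SP's decryption key."""
    root = ET.fromstring(xml_text)
    conditions: Dict[str, List[str]] = {}
    flagged = []
    for assertion in find_assertions(root):
        aid = assertion.get("ID", "<no ID>")
        conds = assertion.find("saml:Conditions", NS)
        names = [] if conds is None else [_local(c.tag) for c in conds]
        conditions[aid] = names
        flagged.extend((aid, n) for n in names if n in REJECTED_BY_OLD_UAA)
    encrypted = (1 if root.tag == ENCRYPTED_TAG else 0)
    encrypted += len(root.findall(".//saml:EncryptedAssertion", NS))
    return {"conditions": conditions, "flagged": flagged, "encrypted": encrypted}


def has_proxy_restriction(xml_text: str) -> bool:
    """True when any plaintext assertion carries a ProxyRestriction condition."""
    return any(n == "ProxyRestriction" for _, n in diagnose(xml_text)["flagged"])


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    report = diagnose(text)
    for aid, names in report["conditions"].items():
        print("assertion %s conditions: %s" % (aid, ", ".join(names) or "(none)"))
    for aid, name in report["flagged"]:
        print("REJECTED by UAA <= v78.8.0: %s in assertion %s" % (name, aid))
    if report["encrypted"]:
        print("%d EncryptedAssertion element(s) present; decrypt to inspect" % report["encrypted"])
```

A flagged ProxyRestriction in the output, together with the "Unknown Condition" DEBUG line in the UAA log, confirms this KB's cause. If the export contains only an EncryptedAssertion, the script cannot see the Conditions; inspect the decrypted assertion from the UAA DEBUG log instead. ElementTree does not fetch external entities, but a SAML response is still untrusted input, so use defusedxml if you run this against exports from an unknown IdP.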