SAML Login Fails After Upgrading Ops Manager to v3.3.0

Article ID: 440739

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

Problem

After upgrading Operations Manager (OpsMan) from v3.2.x to v3.3.0, users are unable to log in via SAML authentication. While the upgrade itself is successful, attempting to authenticate results in an OAuth2 error page or an authentication failure message in the UAA logs.

Symptoms

  • SAML login attempts fail with an OAuth2 Error page.
  • Classic view displays: Authentication failure. Please log out of UAA and retry.
  • Logs or retry attempts show the error: Did not decrypt response [ID] since it is not signed.
  • The issue occurs even when the SAML configuration was working perfectly prior to the upgrade.

Environment

  • Product: Tanzu Operations Manager
  • Versions: Upgraded to v3.3.0 (contains UAA 2.12.0 / Spring Security 6.5.9)
  • Identity Provider (IdP): Microsoft EntraID (formerly Azure AD) or other SAML IdPs configured to sign only assertions.

Cause

The issue is caused by a bug in the updated Spring Security / UAA components included in OpsMan v3.3.0. When wantAssertionSigned is set to true, the system incorrectly rejects SAML responses that contain signed and encrypted assertions if the outer SAML response itself is not signed.

Starting with these versions, encryption alone is no longer treated as a substitute for a digital signature on the response message.
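The rejection described above hinges on where the XML signature sits in the message the IdP posts back. The following Python script is an added example (not part of this article or of the UAA/Spring Security code) that decodes a captured `SAMLResponse` value and reports whether the outer `samlp:Response` is signed, whether a plaintext `saml:Assertion` is signed, and whether the assertion is encrypted. The sample responses it builds are constructed for the demonstration and carry placeholder signature values, not real signatures; the flag `rejected_by_v330` mirrors the article's failure case, an unsigned response carrying an `EncryptedAssertion`, so the assertion signature is not visible until decryption.

```python
"""Classify signature placement in a SAML 2.0 Response (added example)."""
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 and XML-DSig namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def classify_saml_response(xml_text: str) -> dict:
    """Inspect a decoded SAML Response and report where signatures are."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")

    # A ds:Signature that is a direct child of Response signs the whole message.
    response_signed = root.find("ds:Signature", NS) is not None

    # A plaintext assertion may carry its own enveloped signature.
    assertion = root.find("saml:Assertion", NS)
    assertion_signed = (
        assertion is not None and assertion.find("ds:Signature", NS) is not None
    )

    # With EncryptedAssertion the SP cannot see an assertion signature
    # until it decrypts; the article's UAA refuses to decrypt an unsigned
    # response, which is the "Did not decrypt response ... since it is not
    # signed" error.
    assertion_encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    rejected_by_v330 = bool(assertion_encrypted and not response_signed)

    return {
        "response_signed": response_signed,
        "assertion_signed": assertion_signed,
        "assertion_encrypted": assertion_encrypted,
        "rejected_by_v330": rejected_by_v330,
    }


def classify_saml_response_b64(saml_response_param: str) -> dict:
    """Same check, starting from the base64 SAMLResponse form parameter."""
    return classify_saml_response(base64.b64decode(saml_response_param).decode())


def build_sample(response_signed: bool, assertion_kind: str) -> str:
    """Constructed test response; signature values are placeholders only.

    assertion_kind is one of 'encrypted', 'signed', 'plain'.
    """
    sig = (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        "<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
    )
    if assertion_kind == "encrypted":
        body = (
            "<saml:EncryptedAssertion>"
            '<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
            "</saml:EncryptedAssertion>"
        )
    elif assertion_kind == "signed":
        body = '<saml:Assertion ID="_a1" Version="2.0">' + sig + "</saml:Assertion>"
    else:
        body = '<saml:Assertion ID="_a1" Version="2.0"/>'
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        "<saml:Issuer>idp</saml:Issuer>"
        + (sig if response_signed else "")
        + body
        + "</samlp:Response>"
    )


if __name__ == "__main__":
    # Before the workaround: assertion-only signing with encryption -> rejected.
    print("assertion-only, encrypted:", classify_saml_response(build_sample(False, "encrypted")))
    # After the workaround: IdP signs the response as well -> accepted.
    print("response signed, encrypted:", classify_saml_response(build_sample(True, "encrypted")))
```

To check a real login, copy the `SAMLResponse` value from the browser's POST to the Ops Manager ACS URL and pass it to `classify_saml_response_b64`; a result with `rejected_by_v330` set to `True` is the configuration the workaround corrects by switching the IdP to sign the response.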

Resolution

A permanent fix is in progress and is expected to be included in an upcoming product release.

Workaround

To restore SAML login functionality immediately without rotating certificates or toggling local authentication, configure your Identity Provider (IdP) to sign the full SAML response.

  1. Log in to your IdP Administration Console (e.g., Microsoft EntraID).
  2. Navigate to the SAML Signing Settings for the OpsMan application.
  3. Change the Signing Option from Sign SAML assertion to Sign SAML response and assertion (or Sign SAML response).
  4. Save the changes and test the login to OpsMan.

Note: Documentation is being updated to reflect that either the response or the assertion must be digitally signed to satisfy the new security requirements.