Configure Identity Providers

This topic describes how administrators can use an internal user store or an external identity provider to manage user access to a Single Sign-On (SSO) service plan.

For each plan, SSO provides an internal user store that manages users. As an alternative to an internal user store, administrators can use an external identity provider to allow users who are externally managed to access applications.

Configure Internal User Store

  1. Log into the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.

  2. Click the plan name and select Manage Identity Providers from the dropdown menu.

  3. Click Internal User Store.

  4. Under Authentication Policy, optionally select one of the following:

    • Disable Internal Authentication: Select this option to prevent authentication against the internal user store. You must have at least one external identity provider configured.

      Note: The login page does not include the Email and Password fields if you select this option.

    • Disable User Management: Select this option to prevent all users, including administrators, from performing actions on internal users.

      Note: The login page does not include Create Account and Reset Password links if you select this option.

  5. Under Password Policy Settings, select Use Recommended Settings, Use Default Settings, or enter custom settings in the fields below.

  6. Click Save Identity Provider.

Add Users to the Internal User Store

Before completing the following steps, you must contact Pivotal Support to request a client for managing users, apps, and resources for your plan.

You cannot add users to Service Plans from the SSO dashboard. To add users to the internal user store for a given Service Plan, use the UAA Command Line Interface (UAAC). If you do not already have the UAAC installed, run gem install cf-uaac in a terminal window.

The following steps describe how to use UAAC to add users to the internal user store.

Step 1: Create an Admin Client

  1. Follow the steps to create an admin client that can manage users in the Service Plan. Include the following scopes for the client:
    • clients.admin
    • scim.read
    • scim.write
  2. Record the App ID and App Secret. These will be used as your client ID and client secret.

Step 2: Create Users

  1. Target the auth domain of your SSO service plan. This is the URL you provided when creating a Service Plan in the SSO dashboard.
    $ uaac target https://YOUR-AUTH-DOMAIN.login.YOUR-SYSTEM-DOMAIN
  2. Fetch the token for the admin client created in Step 1.
    $ uaac token client get ADMIN-CLIENT-ID
    Client secret:
    
  3. When prompted with Client secret, enter the admin client secret from Step 1.
  4. Add new users by providing the user’s email address, username, and password.
    $ uaac user add --emails YOUR-USER@EMAIL.COM
    User name:  YOUR-USER
    Password:  ****
    Verify password:  ****
    user account successfully added
  5. (Optional) You can also create groups and add users to them.
    $ uaac group add
    Group name:  YOUR-GROUP
    meta
    version: 0
    created: 2016-02-19T23:17:17.000Z
    lastmodified: 2016-02-19T23:17:17.000Z
    schemas: urn:scim:schemas:core:1.0
    id: 8725b5fd-8da2-4cfc-89b1-c57048f089c2
    displayname: YOUR-GROUP
    
    To add a member to your new group, use the following command.
    $ uaac member add YOUR-GROUP YOUR-USER
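The following is an added example, not part of this page and not code from the uaac tool: it shows the UAA calls that the four uaac commands above perform, so that the same provisioning can be scripted or audited. The request shapes (client_credentials token with HTTP Basic client credentials, SCIM POST /Users, POST /Groups and POST /Groups/{id}/members) follow the UAA API as assumed here and should be checked against your UAA version; the host name, client id, secret and all ids are constructed placeholders, and FakeUaa is a constructed stand-in so the flow runs offline.

```python
import base64
import json
from urllib import request

# Added example, not from the page or the uaac tool: the UAA calls behind the
# uaac commands above. Request shapes follow the UAA OAuth/SCIM API as assumed
# here; check them against your UAA version. Hosts, ids, secrets are constructed.


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials for the token endpoint (client id and secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def urllib_send(method, url, headers, data):
    """Real transport: send the request and decode the JSON response body."""
    req = request.Request(url, data=data, method=method, headers=headers)
    with request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


class UaaScimClient:
    """Token, user, group and membership calls. `send` is injectable so the
    same flow runs offline against FakeUaa below."""

    def __init__(self, auth_domain, client_id, client_secret, send=urllib_send):
        self.base, self.send, self.token = auth_domain.rstrip("/"), send, None
        self.client_id, self.client_secret = client_id, client_secret

    def _bearer(self):
        return {"Authorization": f"Bearer {self.token}",
                "Content-Type": "application/json", "Accept": "application/json"}

    def fetch_token(self):
        # `uaac token client get`: client_credentials grant; the secret travels
        # only in the Authorization header, never in the URL or the body.
        headers = {"Authorization": basic_auth_header(self.client_id, self.client_secret),
                   "Content-Type": "application/x-www-form-urlencoded",
                   "Accept": "application/json"}
        resp = self.send("POST", f"{self.base}/oauth/token", headers,
                         b"grant_type=client_credentials")
        self.token = resp["access_token"]
        return self.token

    def add_user(self, username, email, password):
        # `uaac user add --emails EMAIL`: a SCIM user in the internal ("uaa") origin.
        body = {"userName": username, "origin": "uaa", "password": password,
                "emails": [{"value": email, "primary": True}]}
        return self.send("POST", f"{self.base}/Users", self._bearer(), json.dumps(body).encode())

    def add_group(self, display_name):
        # `uaac group add`
        body = {"displayName": display_name}
        return self.send("POST", f"{self.base}/Groups", self._bearer(), json.dumps(body).encode())

    def add_member(self, group_id, user_id):
        # `uaac member add GROUP USER`: membership is by id, so resolve names first.
        body = {"origin": "uaa", "type": "USER", "value": user_id}
        return self.send("POST", f"{self.base}/Groups/{group_id}/members",
                         self._bearer(), json.dumps(body).encode())


class FakeUaa:
    """Constructed in-memory stand-in for a UAA, so the flow can run offline."""

    def __init__(self):
        self.requests, self.users, self.groups, self.members = [], {}, {}, {}

    def __call__(self, method, url, headers, data):
        self.requests.append((method, url, headers, data))
        path = url.split("/", 3)[3]  # drop scheme and host
        if path == "oauth/token":
            if not headers["Authorization"].startswith("Basic ") or data != b"grant_type=client_credentials":
                raise ValueError("token request needs Basic auth and the client_credentials grant")
            return {"access_token": "constructed-token", "token_type": "bearer"}
        if headers.get("Authorization") != "Bearer constructed-token":
            raise PermissionError("SCIM calls need the bearer token from fetch_token()")
        body = json.loads(data)
        if path == "Users":
            uid = f"user-{len(self.users) + 1}"
            self.users[uid] = body
            return {"id": uid, "userName": body["userName"]}
        if path == "Groups":
            gid = f"group-{len(self.groups) + 1}"
            self.groups[gid], self.members[gid] = body, []
            return {"id": gid, "displayName": body["displayName"]}
        if path.startswith("Groups/") and path.endswith("/members"):
            self.members[path.split("/")[1]].append(body["value"])
            return body
        raise ValueError(f"unexpected request: {method} {path}")


def provision(client, username, email, password, group_name):
    """Run the four steps above in order; returns (user id, group id)."""
    client.fetch_token()
    user = client.add_user(username, email, password)
    group = client.add_group(group_name)
    client.add_member(group["id"], user["id"])
    return user["id"], group["id"]
```

To run it against a real plan, construct UaaScimClient with your auth domain and the admin client from Step 1 (read the secret from an environment variable rather than a command-line argument, so it does not end up in shell history or process listings) and leave `send` at its default; against FakeUaa the same provision() call exercises the whole sequence offline. The order matters: the membership call needs the ids returned by the user and group creations, which is what the two-step uaac group add / member add procedure above hides.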

Define Password Policy for the Internal User Store

Administrators can define the password policy for SSO users that are stored in the internal user store. The internal user store password policy allows you to define and enforce password rules to manage the kind of passwords users can create.

  1. Log into the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.

  2. Click the plan name and select Manage Identity Providers from the dropdown menu.

  3. Click Internal User Store.

  4. Configure the following under the Password Complexity section:

    • Min Length: Specify the minimum password length.
    • Uppercase: Specify the minimum number of uppercase characters required in a password.
    • Lowercase: Specify the minimum number of lowercase characters required in a password.
    • Special Characters: Specify the minimum number of special characters required in a password.
    • Numerals: Specify the minimum number of numeric characters required in a password.
  5. Configure the following under the Lockout Policy section:

    • Failures Allowed: Specify the number of failed login attempts allowed per hour before a user is locked out.
    • Lockout Period: Specify the number of seconds a user is locked out for after excessive failed login attempts.
    • Password Expires: Specify the number of months passwords are valid for before users need to enter a new password.
  6. Click Save Identity Provider.
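As an added example (not the SSO service's own implementation), the following shows one way the rules configured in steps 4 and 5 can be evaluated: a complexity check that reports which rules a candidate password fails, a lockout tracker that counts failures in a sliding one-hour window and locks the account for the configured number of seconds, and an expiry check in calendar months. All policy values, user names and timestamps are constructed; the page gives no recommended numbers.

```python
import calendar
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example (not the SSO service's code): one way to evaluate the rules the
# Password Complexity and Lockout Policy sections configure. Numbers are constructed.


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_uppercase: int
    min_lowercase: int
    min_special: int
    min_numerals: int
    failures_allowed: int          # failed logins allowed per hour before lockout
    lockout_period_seconds: int
    password_expires_months: int


def check_complexity(password, policy):
    """Return the names of the complexity rules the password fails (empty = accepted)."""
    counts = {
        "Min Length": len(password),
        "Uppercase": sum(c.isupper() for c in password),
        "Lowercase": sum(c.islower() for c in password),
        "Special Characters": sum(c in string.punctuation for c in password),
        "Numerals": sum(c.isdigit() for c in password),
    }
    required = {
        "Min Length": policy.min_length, "Uppercase": policy.min_uppercase,
        "Lowercase": policy.min_lowercase, "Special Characters": policy.min_special,
        "Numerals": policy.min_numerals,
    }
    return [rule for rule, need in required.items() if counts[rule] < need]


class LockoutTracker:
    """Counts failed logins per user in a sliding one-hour window and locks the
    account for the configured period once the allowed count is exceeded."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}       # user -> timestamps of recent failures
        self.locked_until = {}   # user -> datetime at which the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Record a failed attempt; return True if it triggers a lockout."""
        window_start = now - timedelta(hours=1)
        recent = [t for t in self.failures.get(user, []) if t > window_start]
        recent.append(now)
        self.failures[user] = recent
        # The setting is a budget: the attempt after the allowed count locks the user.
        if len(recent) > self.policy.failures_allowed:
            self.locked_until[user] = now + timedelta(seconds=self.policy.lockout_period_seconds)
            self.failures[user] = []
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure history."""
        self.failures.pop(user, None)


def add_months(when, months):
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    index = when.month - 1 + months
    year, month = when.year + index // 12, index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def password_expired(set_at, now, policy):
    """True once the password is as old as Password Expires allows."""
    return now >= add_months(set_at, policy.password_expires_months)


if __name__ == "__main__":
    policy = PasswordPolicy(12, 1, 1, 1, 1, 3, 300, 6)  # constructed settings
    print(check_complexity("password", policy))
    tracker = LockoutTracker(policy)
    t0 = datetime(2016, 2, 19, 23, 17, 17, tzinfo=timezone.utc)
    for minute in range(4):
        print(tracker.record_failure("alice", t0 + timedelta(minutes=minute)))
    print(tracker.is_locked("alice", t0 + timedelta(minutes=4)))
```

Two details are worth noticing: the failure window slides, so a few failures spread over more than an hour never accumulate into a lockout, and the lockout is a fixed period after the triggering attempt rather than a permanent disable, which is what keeps a burst of bad guesses from turning into a denial of service against the legitimate user.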

Configure Service Provider SAML Settings

For each plan, the Single Sign-On service lets you configure SAML settings when SAML is used to exchange authentication and authorization data between the identity provider and the service provider. The SSO service can sign the authentication requests it sends and can require that assertions from the external identity provider are signed.

  1. Log into the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.

  2. Click the plan name and select Manage Identity Providers from the dropdown menu.

  3. Click Configure SAML Service Provider.

  4. Configure the following settings:

    • Perform signed authentication requests: The service provider signs requests sent to the external identity provider.
    • Require signed assertions: The service provider requires that responses from the external identity provider are signed.
  5. Click Save to save the SAML configurations.

  6. Click Download Metadata.
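The metadata downloaded in step 6 is standard SAML service provider metadata, and the two settings from step 4 appear in it as the AuthnRequestsSigned and WantAssertionsSigned attributes of the SPSSODescriptor element. The following added example (not the SSO service's code) reads such a file and reports which of the two settings is not enabled, so the saved configuration can be confirmed before the metadata is handed to the external identity provider. The sample metadata, its entityID and its URLs are constructed.

```python
import xml.etree.ElementTree as ET

# Added example, not the SSO service's code: reads the SP metadata obtained via
# Download Metadata and reports whether the two signing settings are on. The
# sample metadata is constructed; the attribute names are the standard SAML ones.

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": SAML_MD}

SAMPLE_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{SAML_MD}"
    entityID="https://your-auth-domain.login.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-auth-domain.login.example.com/saml/SSO/alias/example"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_signing_settings(metadata_xml):
    """Map the two dashboard settings to the SPSSODescriptor attributes that carry them.
    An absent attribute counts as false: the protection is then not advertised."""
    # The stdlib parser is fine for metadata you downloaded yourself; for XML
    # received from another party use a hardened parser such as defusedxml.
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element: this is not service provider metadata")

    def flag(name):
        # xsd:boolean allows "true"/"false" and "1"/"0"
        return sp.get(name, "false").strip().lower() in ("true", "1")

    return {"Perform signed authentication requests": flag("AuthnRequestsSigned"),
            "Require signed assertions": flag("WantAssertionsSigned")}


def settings_not_enabled(metadata_xml):
    """Names of the two settings that the metadata does not show as enabled."""
    return [name for name, on in sp_signing_settings(metadata_xml).items() if not on]


if __name__ == "__main__":
    print(sp_signing_settings(SAMPLE_SP_METADATA))
    print(settings_not_enabled(SAMPLE_SP_METADATA))
```

Pass the contents of the downloaded file to settings_not_enabled(); an empty list means both settings were saved. Note that the metadata only advertises what the service provider does and expects: whether the external identity provider actually signs its assertions is enforced at login time by the Require signed assertions setting, not by the metadata exchange.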

Add an External Identity Provider

  1. Log into the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.

  2. Click the plan name and select Manage Identity Providers from the dropdown menu.

  3. Click New Identity Provider.

  4. Enter an Identity Provider Name.

  5. Enter a Description. This is displayed to Space Developers when selecting an identity provider for their application.

  6. Enter the external identity provider metadata in one of the following ways:

    • Option 1: Provide the Identity Provider Metadata URL and click Fetch Metadata.
    • Option 2: Click Upload Identity Provider Metadata to upload XML metadata that you downloaded from your external identity provider.
  7. Configure any User Attributes to propagate from the identity provider to the service provider. These attributes can include e-mail addresses, first or last names, or external groups. They will be sent to applications via OpenID Connect tokens issued by the Single Sign-On service.

    • Select a User Scheme Attribute from the dropdown menu.
    • Enter a SAML Attribute Name with the corresponding attribute from the incoming SAML assertion.
  8. Configure any Custom Attributes that should be propagated from the identity provider to the service provider. These attributes will be sent to applications via OpenID Connect tokens issued by the Single Sign-On service.

    • Enter a Custom Attribute Name.
    • Enter a SAML Attribute Name with the corresponding attribute from the incoming SAML assertion.
  9. Click Create Identity Provider to save the identity provider.

Note: To configure the service provider SAML settings, such as the signing of authentication requests and incoming assertions, click on Configure SAML Service Provider on the Identity Providers page.

Delete an External Identity Provider

  1. Log into the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.

  2. Click the plan name and select Manage Identity Providers from the dropdown menu.

  3. Click on the name of your external identity provider.

  4. Click Delete at the bottom of the page.

  5. In the popup that appears, click Delete Identity Provider to confirm that you want to delete the identity provider, along with all of its configurations.

Note: Deleting an external identity provider deletes all of its configurations. Users will no longer be able to authenticate using the external identity provider. This action cannot be undone.

Configure Group Whitelist for an External Identity Provider

An administrator can configure groups from an external identity provider to be propagated in the ID token by including the group in the Group Whitelist. This will provide information to the application about the external identity groups that the user belongs to.

Note: For a group to appear in the ID token, the application must request the roles scope and the external group must be listed in the Group Whitelist.

  1. Log into the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.

  2. Click the plan name and select Manage Identity Providers from the dropdown menu.

  3. Click Group Whitelist.

  4. Add a group name from your external identity provider.

  5. Click Save Group Whitelist.
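The following added example (not the SSO service's implementation) ties together the User Attributes and Custom Attributes mapping from the Add an External Identity Provider section and the Group Whitelist described here: given the attributes of an incoming SAML assertion and the scopes an application requested, it assembles the claims the application would see. Only mapped attributes are copied, and groups reach the token only when the roles scope was requested and the group is whitelisted. The mapping tables, the assertion attributes, the user_attributes claim name for custom attributes and all values are constructed assumptions; the roles claim name follows the roles scope named on this page.

```python
# Added example (not the SSO service's implementation): how the User Attributes,
# Custom Attributes and Group Whitelist configuration described above can be
# applied to the attributes of an incoming SAML assertion to produce ID token
# claims. Claim names, attribute names and values are constructed.

USER_ATTRIBUTE_MAPPING = {      # User Scheme Attribute -> SAML Attribute Name
    "email": "mail",
    "given_name": "givenName",
    "family_name": "sn",
    "external_groups": "memberOf",
}
CUSTOM_ATTRIBUTE_MAPPING = {    # Custom Attribute Name -> SAML Attribute Name
    "department": "ou",
}
GROUP_WHITELIST = {"developers", "auditors"}

SAMPLE_ASSERTION_ATTRIBUTES = { # constructed AttributeStatement, already parsed
    "mail": ["alice@example.com"],
    "givenName": ["Alice"],
    "sn": ["Example"],
    "memberOf": ["developers", "domain-admins", "auditors"],
    "ou": ["Platform"],
    "employeeNumber": ["12345"],   # not mapped, so it must not reach the token
}


def map_attributes(saml_attrs, mapping, multi_valued=()):
    """Copy mapped SAML attributes to claims; single-valued unless listed in multi_valued."""
    claims = {}
    for claim, saml_name in mapping.items():
        values = saml_attrs.get(saml_name, [])
        if not values:
            continue  # attribute absent from the assertion: omit rather than invent
        claims[claim] = list(values) if claim in multi_valued else values[0]
    return claims


def build_id_token_claims(saml_attrs, requested_scopes,
                          user_mapping=USER_ATTRIBUTE_MAPPING,
                          custom_mapping=CUSTOM_ATTRIBUTE_MAPPING,
                          whitelist=GROUP_WHITELIST):
    """Assemble the claims an application would see for this assertion."""
    user_claims = map_attributes(saml_attrs, user_mapping, multi_valued=("external_groups",))
    groups = user_claims.pop("external_groups", [])
    claims = dict(user_claims)
    custom = map_attributes(saml_attrs, custom_mapping)
    if custom:
        claims["user_attributes"] = custom   # assumed claim name for custom attributes
    # Groups reach the token only when the roles scope was requested AND the
    # group is whitelisted; everything else the IdP asserted is dropped.
    if "roles" in requested_scopes:
        roles = [g for g in groups if g in whitelist]
        if roles:
            claims["roles"] = roles
    return claims


if __name__ == "__main__":
    print(build_id_token_claims(SAMPLE_ASSERTION_ATTRIBUTES, {"openid", "roles"}))
    print(build_id_token_claims(SAMPLE_ASSERTION_ATTRIBUTES, {"openid"}))
```

The whitelist acts as a filter on what the external identity provider asserts, not as a grant: in the sample, domain-admins is dropped even though the identity provider sent it, and an application that does not request the roles scope sees no groups at all. The same holds for attributes, so an attribute the identity provider includes but you never mapped (employeeNumber above) stays out of the token.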
