Manage Users
This topic describes how a Pivotal Web Services (PWS) Plan Administrator uses the Single Sign-On (SSO) service to manage user access to their plan apps, for users with accounts in the internal user store or with external identity providers.
Manage Users in an Internal User Store
The SSO service has an Internal Users admin pane that lets you manage user accounts in the plan’s internal user store: invite and delete users, request users to reset their passwords, and update user attributes and permissions.
To open the Internal Users pane:
1. Log in to the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.
2. Click the plan name and select Manage Identity Providers from the drop-down menu.
3. Click Internal User Store and select Internal Users from the drop-down menu. This brings you to the admin screen.
From the Internal Users pane, you can:
Invite users by clicking Invite User, entering their email address, and clicking Send Invite.
Search existing users by entering a value into the search bar and clicking Search. Entering a blank value returns all users in the service plan’s internal user store.
Resend an invite to an unverified user by selecting the checkbox next to their username and clicking Resend Invite.
Ask a verified user to reset their password by selecting the checkbox next to their username and clicking Reset Password.
Delete a user by selecting the checkbox next to their username and clicking Delete User.
View information about a user by clicking their username.
Update a user profile including their Email, First Name, Last Name, and Phone Number by entering the updated values and clicking Save User.
View user permissions by clicking the Permissions tab.
Update user permissions by selecting the corresponding permissions and clicking Save User.
Manage Users from an External Identity Provider
For each external identity provider that the SSO service connects to, a users admin pane (example: Okta SSO Users) lets you browse, delete, and update PWS permissions for user accounts from external identity providers.
To open the external identity provider users admin pane:
1. Log in to the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.
2. Click the plan name and select Manage Identity Providers from the drop-down menu.
3. Click the external identity provider you want to manage and select the Users choice for the provider from the drop-down menu. This brings you to the users admin pane.
From the external identity provider users admin pane, you can:
Search existing users by entering a value into the search bar and clicking Search. Entering a blank value returns all users from that external identity provider that are known to the service plan.
Delete a user by selecting the checkbox next to their username and clicking Delete User.
View information about a user by clicking their username.
View user permissions by clicking the Permissions tab.
Update user permissions by selecting the corresponding permissions and clicking Save User.
Manage Users with the UAA CLI (UAAC)
You may also use the UAA CLI (UAAC) to manage users for the SSO service. This approach lets you programmatically create new internal users or assign groups (scopes) to any user, whether internal or external. These operations require administrative access through an admin client that an administrator for the service plan has created and granted the necessary scim scopes.
Note: Clients and Groups for SSO should be created directly through the SSO UI or through application manifest bootstrapping. Do not create these through UAAC, as additional metadata is required for their usage by SSO.
1. Install the UAA CLI, uaac:
$ gem install cf-uaac
2. Use the uaac target AUTH-DOMAIN command to target your service plan. AUTH-DOMAIN is the Auth Domain setting you entered when you created the service plan:
$ uaac target my-auth-domain.login.example.com
3. Record the App ID and App Secret of the admin client you created for the service plan. The admin client needs scim.read to read user information. Give it either scim.write, to create users and modify group (scope) memberships, or scim.create, to only create users. Prefer the narrower scim.create when the client never needs to change memberships.
4. Run uaac token client get ADMIN-APP-ID -s ADMIN-APP-SECRET to authenticate and obtain an access token for the admin client for your service plan. Replace ADMIN-APP-ID with your App ID and ADMIN-APP-SECRET with your App Secret. UAAC stores the token in ~/.uaac.yml, so protect that file like any other credential, and note that a secret passed with -s is visible in your shell history:
$ uaac token client get MyAdminAppId -s MyAdminAppSecret
5. Use the uaac contexts command to display the targets and authenticated clients (contexts) that UAAC has stored in ~/.uaac.yml, together with the scopes each token was granted. Check that the current context, marked with *, lists scim.write or scim.create under scope:
$ uaac contexts
[1]*[admin]
    client_id: MyAdminAppId
    access_token: aBcdEfg0hIJKlm123.e
    token_type: bearer
    expires_in: 43200
    scope: scim.read scim.write
    jti: 91b3-abcd1233
6. Run the following command to create a new internal user, replacing NEW-USERNAME, NEW-PASSWORD, and NEW-EMAIL with appropriate information:
uaac user add NEW-USERNAME -p NEW-PASSWORD --emails NEW-EMAIL
$ uaac user add Adam -p newSecretPassword --emails adam@example.com
7. Run uaac member add GROUP USERNAME to add any group to any user (internal or external). Replace GROUP and USERNAME with appropriate information:
$ uaac member add my-app.my-scope Adam
8. Run uaac member delete GROUP USERNAME to remove any group from any user (internal or external). Replace GROUP and USERNAME with appropriate information:
$ uaac member delete my-app.my-scope Adam
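The scope check in the procedure above is done by eye. The following script is an added example, not code from the Pivotal SSO documentation or the cf-uaac project: it parses the text printed by uaac contexts, finds the context marked current (*), and refuses to build or run a uaac user add or uaac member add/delete command unless the admin client's token carries a scope that permits it (scim.create or scim.write to create users, scim.write to change group membership). The function names, the sample uaac contexts output and the second, create-only client in that sample are assumptions made for illustration.

```python
"""Pre-flight scope check around the UAAC user-management commands.

Added example, not from the Pivotal SSO docs or cf-uaac. It reads the text
that `uaac contexts` prints, picks the current (*) context and only emits a
uaac command when the token's scope list authorises the operation.
Function names and the sample contexts below are assumptions.
"""
import re
import subprocess
import sys

# Scopes that authorise each operation, least-privileged first.
REQUIRED_SCOPES = {
    "user_add": ("scim.create", "scim.write"),
    "member_add": ("scim.write",),
    "member_delete": ("scim.write",),
}

# Header of a uaac context: "[1]*[admin]" is current, "[2] [other]" is not.
_HEADER = re.compile(r"^\s*\[(\d+)\]([* ])\[(.+)\]\s*$")
_FIELD = re.compile(r"^\s*(\w+):\s*(.*)$")

# Constructed sample of `uaac contexts` output: the first context is the
# page's admin client; the second is an assumed create-only client.
SAMPLE_CONTEXTS = """\
[1]*[admin]
    client_id: MyAdminAppId
    access_token: aBcdEfg0hIJKlm123.e
    token_type: bearer
    expires_in: 43200
    scope: scim.read scim.write
    jti: 91b3-abcd1233

[2] [create-only]
    client_id: CreateOnlyAppId
    access_token: zYxWvu9876.e
    token_type: bearer
    expires_in: 43200
    scope: scim.read scim.create
    jti: 7f2a-dcba4321
"""


def parse_contexts(text):
    """Return one dict per context that has a client_id.

    Each dict carries the context's fields plus 'name' and 'current'.
    Target headers (uaac prints one per targeted UAA) collect no fields
    and are dropped.
    """
    entries = []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            entries.append({"name": m.group(3), "current": m.group(2) == "*"})
            continue
        m = _FIELD.match(line)
        if m and entries:
            entries[-1][m.group(1)] = m.group(2).strip()
    return [e for e in entries if "client_id" in e]


def current_context(text):
    """The single context marked current; error if none or ambiguous."""
    current = [c for c in parse_contexts(text) if c["current"]]
    if len(current) != 1:
        raise RuntimeError("expected exactly one current context; run "
                           "`uaac token client get` against one target first")
    return current[0]


def scope_for(ctx, operation):
    """Return the granted scope that authorises operation, or None."""
    granted = set(ctx.get("scope", "").split())
    for scope in REQUIRED_SCOPES[operation]:
        if scope in granted:
            return scope
    return None


def uaac_command(operation, username, email=None, group=None, password=None):
    """argv for the uaac invocation the page shows for each operation."""
    if operation == "user_add":
        # -p puts the password in process listings and shell history.
        return ["uaac", "user", "add", username, "-p", password, "--emails", email]
    if operation in ("member_add", "member_delete"):
        return ["uaac", "member", operation.split("_")[1], group, username]
    raise ValueError("unknown operation: %s" % operation)


def run_checked(operation, contexts_text, dry_run=True, **kwargs):
    """Build (and, unless dry_run, execute) the command after a scope check."""
    ctx = current_context(contexts_text)
    if scope_for(ctx, operation) is None:
        raise PermissionError("client %s lacks %s, needed for %s" % (
            ctx["client_id"], " or ".join(REQUIRED_SCOPES[operation]), operation))
    argv = uaac_command(operation, **kwargs)
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Read the live contexts; pass --run to execute instead of only printing.
    live = subprocess.run(["uaac", "contexts"], capture_output=True,
                          text=True, check=True).stdout
    argv = run_checked("member_add", live, dry_run="--run" not in sys.argv,
                       group="my-app.my-scope", username="Adam")
    print(" ".join(argv))
```

Run it after step 5 of the procedure; without --run it only prints the command it would execute. Because the check is keyed on the current context, switching to a create-only client with uaac token client get makes member add and member delete fail closed instead of being rejected later by UAA.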