Pivotal Cloud Foundry v1.9

Adding Existing SAML or LDAP Users to a Pivotal Cloud Foundry Deployment

Page last updated:

This topic describes the procedure for adding existing SAML or LDAP users to a Pivotal Cloud Foundry (PCF) deployment enabled with SAML or LDAP.

Note: You must have admin access to the PCF Ops Manager Installation Dashboard for your deployment to complete the procedure described in this topic.

Step 1: Add SAML or LDAP Users

Note: Do not create new users in Elastic Runtime using the Cloud Foundry Command Line Interface (cf CLI), by UAAC, or by using invitations in Apps Manager. Doing so creates a user identity in the internal user store, separate from the SAML or LDAP user identity. Instead, follow the procedure described below.

Two ways exist to add existing SAML or LDAP users to your PCF deployment:

  • In bulk, using the UAA Bulk Import Tool. See the UAA Users Import README for instructions on installing and using the tool.

  • Individually, through the cf CLI, as described below:

    1. Each existing SAML or LDAP user must log in to Apps Manager or to the cf CLI using their SAML (by entering cf login --sso) or LDAP credentials. Users will not have access to any org or space until these are granted by an Org or Space Manager.
    2. The PCF Admin must log in to the cf CLI and associate the user with the desired org and space roles. See Org and App Space Roles.

(Advanced Option) Integrate with Enterprise Identity Management System

If your organization uses an Enterprise Identity Management System for centralized provisioning and deprovisioning of users, you can use the Users API and Organizations API to write a connector to manage users and permissions in Elastic Runtime.

Step 2: Create User

  1. Run the command below to create the user in UAA. Replace ‘EXAMPLE-USERNAME’ with the username of the SAML or LDAP user you wish to add.

    • For LDAP, set user origin to ldap.
      $ uaac curl -H "Content-Type: application/json" -k /Users -X POST -d '{"userName":"EXAMPLE-USERNAME", "emails":[{"value":""}], "origin":"ldap","externalId":"cn=EXAMPLE-USERNAME,ou=Users,dc=test,dc=com"}'
    • For SAML, set user origin to the SAML identity provider name set in the Elastic Runtime tile under Authentication and Enterprise SSO.
      $ uaac curl -H "Content-Type: application/json" -k /Users -X POST -d '{"userName":"EXAMPLE-USERNAME", "emails":[{"value":""}], "origin":"YOUR-SAML-PROVIDER","externalId":"EXAMPLE-USERNAME"}'
  2. Target the API endpoint for your PCF deployment:

    $ cf target https://api.YOUR-SYSTEM-DOMAIN

  3. Log in to the cf CLI:

    $ cf login

  4. Create an environment variable for your OAuth token to use in the next step:

    $ export OAUTH_TOKEN=$(cf oauth-token|cut -d ' ' -f 2)

  5. Create a User record in the Cloud Controller Database with the SAML or LDAP GUID you created by running the following curl command. The command uses the Users API.

    $ curl "https://api.YOUR-SYSTEM-DOMAIN/v2/users" -d '{
    "guid": "YOUR-USER-GUID"
    }' -X POST \
    -H "Authorization: bearer $OAUTH_TOKEN" \
    -H "Host: api.YOUR-SYSTEM-DOMAIN" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Cookie: "

Step 3: Provide User Access to Orgs

Use the Organizations API to associate the user with the appropriate orgs in your Elastic Runtime deployment.

Step 4: Associate User with Space or Org Role

You can grant Space and Org roles to users using the following API calls:

Create a pull request or raise an issue on the source for this page in GitHub