Configuring Multi-Foundation Support in Apps Manager

Overview
Configure Multi-Foundation Support

Page last updated:

Warning: Pivotal Application Service (PAS) v2.8 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to configure multi-foundation support in Apps Manager.

Warning: Multi-foundation support in Apps Manager is in beta. You can use this feature to connect foundations that use the same major and minor version of Pivotal Application Service (PAS). If you connect foundations that use different PAS versions, Apps Manager functionality might not work.

Overview

Configuring multi-foundation support in Apps Manager allows you to search, view, and manage orgs, spaces, apps, and service instances across multiple foundations from a single interface.

Configure Multi-Foundation Support

This section describes the procedures for configuring multi-foundation support in Apps Manager.

Configure PAS

This section describes how to configure Pivotal Application Service (PAS) on a foundation to enable multi-foundation support in Apps Manager.

To configure multi-foundation support in Apps Manager:

In the PAS tile of one of your foundations, select Apps Manager.

For Multi-foundation configuration (beta), enter a JSON object for each additional foundation that you want to manage. Use the following format for the JSON object:

{
  "FOUNDATION-NAME": {
    "ccUrl": "https://api.FOUNDATION-SYSTEM-DOMAIN.com",
    "systemDomain": "FOUNDATION-SYSTEM-DOMAIN.com",
    "usageServiceUrl": "https://app-usage.FOUNDATION-SYSTEM-DOMAIN.com",
    "invitationsServiceUrl": "https://p-invitations.FOUNDATION-SYSTEM-DOMAIN.com",
    "logoutUrl": "https://login.FOUNDATION-SYSTEM-DOMAIN.com/logout.do",
    "metricsUrl": "https://metrics.FOUNDATION-SYSTEM-DOMAIN.com",
    "uaaUrl": "https://login.FOUNDATION-SYSTEM-DOMAIN.com"
  }
}

Where:

FOUNDATION-NAME is a name for the foundation.
FOUNDATION-SYSTEM-DOMAIN is the system domain of the foundation. The system domain is listed in the Domains pane of the PAS tile.
metricsUrl is an optional field. If Pivotal App Metrics is installed on the foundation, provide the Pivotal App Metrics URL.

Do one of the following, depending on your version of PAS:
- For PAS versions v2.8.4 and later: In the Redirect URIs field, enter a comma-separated list of the URI for each additional foundation on which you enabled multi-foundation support. Use the following format for each URI:
```
https://apps.FOUNDATION-SYSTEM-DOMAIN.com/**
```
  Where FOUNDATION-SYSTEM-DOMAIN is the system domain of the foundation on which you enabled multi-foundation support.
- For PAS versions v2.8.3 and earlier: Follow the procedure in Add Redirects in UAA (For PAS v2.8.3 and earlier) to add redirects for each foundation you want to manage with Apps Manager.

Add Redirects in UAA (For PAS v2.8.3 and earlier)

The Apps Manager UAA clients on each foundation you want to manage must include a redirect to the foundation on which you enabled multi-foundation support. This allows Apps Manager to redirect to the other foundations and back when authenticating with UAA. For more information about UAA clients and configuring valid redirect URIs, see Client.redirect-uri in UAA Concepts.

To add redirects:

Install the UAA CLI. See the Cloud Foundry UAA Command Line Client repository in GitHub.
Record the UAA admin client credentials password for a foundation you want to manage with Apps Manager:
1. In the Credentials tab of the PAS tile, for Admin Client Credentials, click Link to Credentials.
2. Record the value in the password field.
Target UAA on the foundation:
```
uaac target uaa.FOUNDATION-SYSTEM-DOMAIN.com
```
Where FOUNDATION-SYSTEM-DOMAIN is the system domain of the foundation.
Generate a token for the UAA admin client:
```
uaac token client get admin -s ADMIN-CLIENT-PASSWORD
```
Where ADMIN-CLIENT-PASSWORD is the Admin Client Credentials password you recorded in step 2.
Record the UAA redirect URIs. To view the redirect URIs on the UAA apps_manager_js client:
```
uaac client get apps_manager_js
```
Add the URI of the foundation on which you enabled multi-foundation support to the apps_manager_js client:
```
uaac client update apps_manager_js --redirect_uri \
    'PREVIOUS-REDIRECT-URIS,https://apps.FOUNDATION-SYSTEM-DOMAIN.com/**'
```
Where:
- PREVIOUS-REDIRECT-URIS is one or more redirect URIs that you recorded in the previous step. Include the previous redirect URIs in the command to ensure they are not overwritten.
- FOUNDATION-SYSTEM-DOMAIN is the system domain of foundation on which you enabled multi-foundation support.
Repeat steps 2 through 6 for each foundation you want to manage with Apps Manager.

Add Trusted Certificate Authorities

Apps Manager must be able to validate the certificate authorities (CAs) used by all foundations.

If any foundation uses a certificate for TLS termination that is not signed by a globally-trusted CA, add the CA that signed the TLS certificate as a trusted CA on the foundation on which you enabled multi-foundation support.

For more information, see Setting Trusted Certificates.

(Optional) Configure the SAML Identity Provider

Pivotal recommends that all foundations use the same external SAML identity provider. This allows Apps Manager to automatically authenticate with the identity provider.

To configure all foundations to use the same SAML identity provider:

In the PAS tile, select Authentication and Enterprise SSO.
Verify that the foundation uses the correct provider for Provider name.
Repeat the above steps for each foundation in your deployment.

For more information on UAA and identity providers, see Identity Providers in UAA.

For more information on how to set up identity providers in UAA, see Adding Existing SAML or LDAP Users to a Pivotal Platform Deployment.

Create a pull request or raise an issue on the source for this page in GitHub