Configuring Internal User Store
This topic describes how Pivotal Platform admins can configure a Pivotal Single Sign‑On service plan to manage user access to Pivotal Platform apps with the internal user store.
By default, each Single Sign‑On service plan comes with an internal user store, which natively stores user accounts in a User Account and Authentication (UAA) database.
To manage the internal user store:
- Configure the Internal User Store
- Add Internal Users Using UAAC
- Test Identity Provider Configurations
You can also configure a Single Sign‑On service plan to use an external identity provider to manage user accounts. For more information, see Configuring External Identity Providers.
To configure the internal user store:
Log in to the SSO Operator Dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your UAA admin credentials. You can find these credentials in your Pivotal Application Service tile in Ops Manager under the Credentials tab.
Under Name, click the plan name and select Manage Identity Providers from the dropdown.
Under Name, click Internal User Store and select Edit Provider from the dropdown.
Under Email Domains, enter a comma-separated list of the email domains for the service plan. Only addresses in these domains can be used for accounts in the internal user store.
(Optional) Under Authentication Policy, select one of the following:
- Disable Internal Authentication: This option prevents authentication against the internal user store. You must have at least one external identity provider configured.
Note: The login page does not include the Email and Password fields if you select this option.
- Disable User Management: This option prevents all users, including admins, from managing internal users.
Note: The login page does not include the Create Account and Reset Password links if you select this option.
Under Password Policy Settings, select Use Recommended Settings, Use Default Settings, or enter custom settings in the Password Complexity and Lockout Policy fields.
The fields are as follows:
Password Complexity
- Min Length: Enter the minimum password length.
- Uppercase: Enter the minimum number of uppercase characters required in a password.
- Lowercase: Enter the minimum number of lowercase characters required in a password.
- Special Characters: Enter the minimum number of special characters required in a password.
- Numerals: Enter the minimum number of numeric characters required in a password.
Lockout Policy
- Failures Allowed: Enter the number of failed login attempts permitted per hour before a user is locked out.
- Lockout Period: Enter the number of seconds a user is locked out for after excessive failed login attempts.
- Password Expires: Enter the number of months a password is valid before the user must set a new one.
Click Save Identity Provider.
You can create new internal user accounts with the UAA Command Line Interface (UAAC). You can also use the Internal Users admin pane to send invitations to users to enable them to add themselves to the internal user store. However, you cannot use the admin pane to add users directly. For information about the admin pane, see Manage Users in an Internal User Store.
To create new internal user accounts with the UAAC:
If you do not already have the UAAC installed, install the UAAC by running the following command:
gem install cf-uaac
Create an admin client that can manage users for the Single Sign‑On service plan with the following scopes:
To create an admin client, see Create Admin Client.
Record the App ID and App Secret. These are used as your client ID and client secret.
Target the authentication domain of your Single Sign‑On service plan by running the following command:
uaac target https://AUTH-DOMAIN.login.SYSTEM-DOMAIN
AUTH-DOMAIN is the URL you provided when you created your service plan. This URL is where users authenticate to access apps.
SYSTEM-DOMAIN is the URL for your Pivotal Platform system domain.
Obtain an access token for your admin client by running the following command:
uaac token client get APP-ID
APP-ID is the App ID you recorded in the step above.
When prompted for Client secret, enter the App Secret you recorded in the step above.
Add new users by running the following command:
uaac user add --emails USER-EMAIL
USER-EMAIL is the email address for the user you are creating. Its domain must be one of the Email Domains configured for the internal user store.
When prompted, enter a username and password for the user you are creating. The password must satisfy the Password Complexity settings configured for the plan.
(Optional) Create a user group and add users to the group by doing the following:
Create the user group by running the following command:
uaac group add GROUP-NAME
GROUP-NAME is the name of the group you are creating.
Add a member to your new group by running the following command:
uaac member add GROUP-NAME USER-NAME
USER-NAME is the username you entered when you created the user.
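The following POSIX shell script is an added example, not code from the Pivotal documentation or the SSO service itself. It ties the UAAC steps above together and, before calling UAAC, checks each new account against the Email Domains and Password Complexity values that were configured on the Edit Provider page, so a typo or a weak password is rejected locally instead of by UAA. The plan settings (ALLOWED_DOMAINS, the MIN_* limits), the placeholder domain names, and the APP_ID/APP_SECRET environment variables are assumptions; adjust them to your plan. The UAAC commands used (`uaac target`, `uaac token client get --secret`, `uaac user add --emails --password`, `uaac group get`, `uaac group add`, `uaac member add`) are standard UAAC subcommands.

```shell
#!/bin/sh
# Added example (not from the Pivotal docs): add internal users with UAAC after
# validating them against the plan's configured Email Domains and Password Complexity.
set -eu

# Assumed plan settings; mirror what you entered on the Edit Provider page.
ALLOWED_DOMAINS="example.com,corp.example.com"   # Email Domains field (assumed)
MIN_LENGTH=12; MIN_UPPER=1; MIN_LOWER=1; MIN_SPECIAL=1; MIN_NUMERALS=1   # Password Complexity (assumed)

# Assumed placeholders for the target step and the admin client recorded earlier.
AUTH_DOMAIN="${AUTH_DOMAIN:-my-plan}"
SYSTEM_DOMAIN="${SYSTEM_DOMAIN:-sys.example.com}"
APP_ID="${APP_ID:-}"            # App ID of the admin client
APP_SECRET="${APP_SECRET:-}"    # App Secret of the admin client

# UAAC invocation; set UAAC="echo uaac" for a dry run that only prints the commands.
UAAC="${UAAC:-uaac}"

# count_class STRING CLASS -> number of characters in STRING matching a tr character class
count_class() {
  printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_password PASSWORD -> 0 if it meets the configured complexity, 1 otherwise
check_password() {
  pw=$1
  [ "$(printf '%s' "$pw" | wc -c | tr -d ' ')" -ge "$MIN_LENGTH" ] || return 1
  [ "$(count_class "$pw" '[:upper:]')" -ge "$MIN_UPPER" ] || return 1
  [ "$(count_class "$pw" '[:lower:]')" -ge "$MIN_LOWER" ] || return 1
  [ "$(count_class "$pw" '[:digit:]')" -ge "$MIN_NUMERALS" ] || return 1
  [ "$(count_class "$pw" '[:punct:]')" -ge "$MIN_SPECIAL" ] || return 1
  return 0
}

# check_email EMAIL -> 0 if the domain is one of ALLOWED_DOMAINS, 1 otherwise
check_email() {
  domain=${1##*@}
  [ "$domain" != "$1" ] || return 1            # no '@' in the address at all
  case ",$ALLOWED_DOMAINS," in
    *",$domain,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# bootstrap -> target the plan's auth domain and fetch a token for the admin client.
# The secret is passed on the command line here; interactively, omit --secret so UAAC prompts.
bootstrap() {
  $UAAC target "https://${AUTH_DOMAIN}.login.${SYSTEM_DOMAIN}"
  $UAAC token client get "$APP_ID" --secret "$APP_SECRET"
}

# add_user USERNAME EMAIL PASSWORD [GROUP] -> validate, create the user, and optionally
# create the group (if missing) and add the user to it. Returns 1 on a policy violation.
add_user() {
  user=$1; email=$2; pw=$3; group=${4:-}
  check_email "$email"   || { echo "rejected $email: domain not in Email Domains" >&2; return 1; }
  check_password "$pw"   || { echo "rejected $user: password fails complexity policy" >&2; return 1; }
  $UAAC user add "$user" --emails "$email" --password "$pw"
  if [ -n "$group" ]; then
    $UAAC group get "$group" >/dev/null 2>&1 || $UAAC group add "$group"
    $UAAC member add "$group" "$user"
  fi
}

# Run the full procedure only when RUN=1, e.g.:
#   APP_ID=... APP_SECRET=... RUN=1 sh add_users.sh
if [ "${RUN:-0}" = 1 ]; then
  bootstrap
  add_user alice alice@example.com 'Correct-Horse9battery' developers
fi
```

Set UAAC="echo uaac" first to see the exact commands the script would run without touching the UAA database; the checks are deliberately stricter than nothing but no substitute for the server-side policy, which UAA still enforces.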
Pivotal provides sample apps you can deploy to validate your identity provider configurations. To deploy a sample app, follow the instructions in identity-sample-apps on GitHub.