Configuring Internal User Store

This topic describes how Pivotal Platform admins can configure a Pivotal Single Sign‑On service plan to manage user access to Pivotal Platform apps with the internal user store.

Overview

By default, each Pivotal Single Sign‑On service plan comes with an internal user store, which natively stores user accounts in a User Account and Authentication (UAA) database.

To manage the internal user store:

  1. Configure the Internal User Store
  2. Add Internal Users Using UAAC
  3. Test Identity Provider Configurations

You can also configure a Pivotal Single Sign‑On service plan to use an external identity provider to manage user accounts. For more information, see Configuring External Identity Providers.

Configure the Internal User Store

To configure the internal user store:

  1. Log in to the SSO Operator Dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your UAA admin credentials. You can find these credentials in your tile in Ops Manager under the Credentials tab.

  2. Under Name, click the plan name and select Manage Identity Providers from the dropdown.

  3. Under Name, click Internal User Store and select Edit Provider from the dropdown.

  4. Under Email Domains, enter a comma-separated list of the email domains for the service plan.

     [Image: Email Domains field for the Internal User Store]

  5. (Optional) Under Authentication Policy select one of the following:

    • Disable Internal Authentication: This option prevents authentication against the internal user store. You must have at least one external identity provider configured.

      Note: The login page does not include the Email and Password fields if you select this option.

    • Disable User Management: This option prevents all users, including admins, from managing internal users.

      Note: The login page does not include Create Account and Reset Password links if you select this option.

      [Image: Authentication Policy field for the Internal User Store]

  6. Under Password Policy Settings, select Use Recommended Settings, Use Default Settings, or enter custom settings in the Password Complexity and Lockout Policy fields.

     [Image: Password Policy Settings for the Internal User Store]

    See the following table for configuration instructions:

    Password Complexity
      Min Length: Enter the minimum password length.
      Uppercase: Enter the minimum number of uppercase characters required in a password.
      Lowercase: Enter the minimum number of lowercase characters required in a password.
      Special Characters: Enter the minimum number of special characters required in a password.
      Numerals: Enter the minimum number of numeric characters required in a password.

    Lockout Policy
      Failures Allowed: Enter the number of failed login attempts permitted per hour before a user is locked out.
      Lockout Period: Enter the number of seconds a user is locked out for after excessive failed login attempts.
      Password Expires: Enter the number of months passwords are valid for before users need to enter a new password.
  7. Click Save Identity Provider.

Add Internal Users Using UAAC

You can create new internal user accounts with the UAA Command Line Interface (UAAC). You can also use the Internal Users admin pane to send invitations to users to enable them to add themselves to the internal user store. However, you cannot use the admin pane to add users directly. For information about the admin pane, see Manage Users in an Internal User Store.

To create new internal user accounts with the UAAC:

  1. If you do not already have the UAAC installed, install the UAAC by running the following command:

    gem install cf-uaac
    
  2. Create an admin client that can manage users for the Pivotal Single Sign‑On service plan with the following scopes:

    • clients.admin
    • scim.read
    • scim.write

    To create an admin client, see Create Admin Client.

  3. Record the App ID and App Secret. These are used as your client ID and client secret.

  4. Target the authentication domain of your Pivotal Single Sign‑On service plan by running the following command:

    uaac target https://AUTH-DOMAIN.login.SYSTEM-DOMAIN
    

    Where:

    • AUTH-DOMAIN is the URL you provided when you created your service plan. This URL is where users authenticate to access apps.
    • SYSTEM-DOMAIN is the URL for your Pivotal Platform system domain.
  5. Obtain an access token for your admin client by running the following command:

    uaac token client get APP-ID
    

    Where APP-ID is the App ID you recorded in the above step.

  6. When prompted for Client secret, enter the App Secret (the admin client secret) you recorded in the above step.

  7. Add new users by running the following command:

    uaac user add --emails USER-EMAIL
    

    Where USER-EMAIL is the email address for the user you are creating.

  8. When prompted for User name and Password, enter a username and password for the user you are creating.

  9. (Optional) Create a user group and add users to the group by doing the following:

    1. Create the user group by running the following command:

      uaac group add GROUP-NAME
      

      Where GROUP-NAME is the name of the group you are creating.

    2. Add a member to your new group by running the following command:

      uaac member add GROUP-NAME USER-NAME
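
The steps above can be scripted for more than one user. The following shell script is an added example and not part of the Pivotal documentation: it reads a constructed "username,email,group" list, rejects any address whose domain is not in the list entered in the Email Domains field, and then runs the same uaac user, group and member commands. It assumes that uaac target and uaac token client get have already been run, that uaac user add accepts the username as a positional argument, and a hypothetical UAAC_CMD variable for dry runs.

```shell
#!/bin/sh
# Added example, not from the Pivotal docs: bulk-create internal users and group
# memberships from a constructed list using the uaac commands the steps above
# describe. Assumes `uaac target` and `uaac token client get` have already run.
set -eu

UAAC_CMD="${UAAC_CMD:-uaac}"   # hypothetical knob: set to "echo" for a dry run
# The same comma-separated list you entered in the Email Domains field (step 4).
EMAIL_DOMAINS="${EMAIL_DOMAINS:-example.com,corp.example.com}"

# Constructed sample input: one "username,email,group" per line (group optional).
SAMPLE_USERS='alice,alice@example.com,sso-admins
bob,bob@corp.example.com,
carol,carol@exmaple.com,sso-admins'

# Exit 0 if the address has a domain listed in EMAIL_DOMAINS, 1 otherwise.
email_allowed() {
  case "$1" in *@*) ;; *) return 1 ;; esac
  domain="${1##*@}"
  old_ifs="$IFS"; IFS=','
  for d in $EMAIL_DOMAINS; do
    if [ "$d" = "$domain" ]; then IFS="$old_ifs"; return 0; fi
  done
  IFS="$old_ifs"; return 1
}

# Read "username,email,group" lines from stdin; create each user whose email
# passes email_allowed, create the group if missing, then add the membership.
import_users() {
  created=0; skipped=0
  while IFS=',' read -r name email group; do
    [ -n "$name" ] || continue
    if ! email_allowed "$email"; then
      echo "skip $name: domain of '$email' is not in EMAIL_DOMAINS" >&2
      skipped=$((skipped + 1)); continue
    fi
    # Username on the command line skips that prompt; uaac still asks for the password.
    $UAAC_CMD user add "$name" --emails "$email"
    if [ -n "$group" ]; then
      $UAAC_CMD group get "$group" >/dev/null 2>&1 || $UAAC_CMD group add "$group"
      $UAAC_CMD member add "$group" "$name"
    fi
    created=$((created + 1))
  done
  echo "$created created, $skipped skipped"   # summary for the caller
}

# Run against the sample list only when invoked with --run.
if [ "${1:-}" = "--run" ]; then printf '%s\n' "$SAMPLE_USERS" | import_users; fi
```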
      

Test Identity Provider Configurations

Pivotal provides sample apps you can deploy to validate your identity provider configurations. To deploy a sample app, follow the instructions in identity-sample-apps on GitHub.