Managing Clients with UAAC

This topic explains how plan administrators use the User Account and Authentication Command Line Interface (UAAC) to manage existing UAA Identity Zone clients.

About Managing Clients with UAAC

This section explains when and why you use the UAAC to update UAA Identity Zone clients.

All clients mentioned on this page are UAA Identity Zone clients. However, there are two kinds of UAA Identity Zone clients:

  • Non-Admin clients—When app developers configure their apps to use Pivotal Single Sign‑On, each app corresponds to a non-admin client for a Pivotal Single Sign‑On service plan.
  • Admin clients—These can modify other clients and are created by completing the procedure below. See Create an Admin Client.

When Not to Use UAAC

Do not use the UAAC to do the following:

  • Create clients—Do not create clients through UAAC, because Pivotal Single Sign‑On requires additional metadata in order to use them.

  • Make most types of updates—Most updates for UAA Identity Zone clients can be made through the SSO Developer Dashboard.

When to Use UAAC

Some updates cannot be done through the SSO Developer Dashboard and so must be made through the UAAC. You need to use the UAAC if you want to set a configuration to a value that is not listed on the SSO Developer Dashboard.

Create an Admin Client

To use the UAAC to modify clients, you need an admin client that corresponds to your Pivotal Single Sign‑On service plan.

If you do not already have an admin client for your UAA Identity Zone, follow the steps below to create an admin client.

Note: You can use the same admin client for updating service plans and identity providers. For information, see Updating Service Plans with UAAC and Updating Identity Providers with UAAC.

  1. Target your Pivotal Platform deployment using cf.
  2. Target an org and space that your service plan is visible in.
  3. If you have not already created a service instance for your service plan, create one now. For instructions, see Create a Service Instance. The service instance exposes the SSO Developer Dashboard.
  4. Log in to the SSO Developer Dashboard as an administrator. You can find the dashboard URL by using Apps Manager or cf service SERVICE-INSTANCE-NAME.
  5. Click New App.
  6. Enter an App Name.
  7. Under Select an Application Type, select Service-to-Service App.
  8. Click Select Scopes > Admin Permissions.

    Set the scopes as necessary for configuring the UAA resource.

    For… | Add these scopes… | For more information, see…
    updating UAA clients | clients.admin | Update Clients with UAAC below.
    managing Pivotal Single Sign‑On service plans | clients.admin | Updating Service Plans with UAAC.
    updating identity providers | idps.read and idps.write | Updating Identity Providers with UAAC.
  9. Record the App ID and App Secret.
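
The following added example (not part of the original documentation or of Pivotal's tooling) checks that an admin client holds only the scopes from the table in step 8 that its intended tasks need. It assumes you have an access token issued to the client through the client credentials grant and that the token is a JWT with a `scope` claim; the task names, the helper functions, and the sample token are constructed for illustration.

```python
import base64
import json

# Scopes per task, taken from the table in step 8 (task keys are hypothetical names).
TASK_SCOPES = {
    "update_clients": {"clients.admin"},
    "manage_service_plans": {"clients.admin"},
    "update_identity_providers": {"idps.read", "idps.write"},
}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_scopes(token, tasks):
    """Return scopes the client lacks and scopes it holds beyond the tasks' needs."""
    unknown = set(tasks) - TASK_SCOPES.keys()
    if unknown:
        raise ValueError(f"unknown task(s): {sorted(unknown)}")
    required = set().union(*(TASK_SCOPES[t] for t in tasks))
    scope = jwt_claims(token).get("scope", [])
    # Accept either a JSON array or a space-delimited string of scopes.
    granted = set(scope.split() if isinstance(scope, str) else scope)
    return {"missing": sorted(required - granted),
            "excess": sorted(granted - required)}


def make_sample_token(claims):
    """Build an unsigned, constructed JWT so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: client granted IdP scopes but meant only to update clients.
SAMPLE_TOKEN = make_sample_token({
    "client_id": "example-admin-client",
    "scope": ["clients.admin", "idps.read", "idps.write"],
})

if __name__ == "__main__":
    print(audit_scopes(SAMPLE_TOKEN, ["update_clients"]))
```

A non-empty `excess` list means the client was given more Admin Permissions scopes in step 8 than its tasks require; a non-empty `missing` list means the planned UAAC operations will be rejected.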