Managing Users

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes how a Plan Administrator uses Single Sign‑On for VMware Tanzu to manage user access to VMware Tanzu Application Service for VMs (TAS for VMs) apps, for users with accounts in the internal user store or with external identity providers.

Manage Users in an Internal User Store

Single Sign‑On for VMware Tanzu has an Internal Users admin pane that lets you manage user accounts in the internal user store: invite and delete users, request users to reset their passwords, and update user attributes and permissions.

To open the Internal Users pane:

  1. Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN using your User Account and Authentication (UAA) admin credentials. You can find these credentials in your VMware Tanzu Application Service for VMs tile in Ops Manager under the Credentials tab.

  2. Click the plan name and select Manage Identity Providers from the dropdown.

  3. Click Internal User Store and select Internal Users from the dropdown. This brings you to the admin screen.

From the Internal Users pane, you can:

  • Invite users by clicking Invite User, entering their email address, and clicking Send Invite.

  • Search existing users by entering a value into the search bar and clicking Search. Entering a blank value returns all users in the service plan’s internal user store.

  • Resend an invite to an unverified user by selecting the checkbox next to their username and clicking Resend Invite.

  • Ask a verified user to reset their password by selecting the checkbox next to their username and clicking Reset Password.

  • Delete a user by selecting the checkbox next to their username and clicking Delete User.

  • View information about a user by clicking their username.

  • Update a user profile including their Email, First Name, Last Name, and Phone Number by entering the updated values and clicking Save User.

  • View user permissions by clicking the Permissions tab.

  • Update user permissions by selecting the corresponding permissions and clicking Save User.

Manage Users from an External Identity Provider

For each external identity provider that Single Sign‑On connects to, a users admin pane lets you browse, delete, and update permissions for user accounts from external identity providers. For example, Okta SSO Users.

To open the external identity provider users admin pane:

  1. Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN using your User Account and Authentication (UAA) admin credentials. You can find these credentials in your TAS for VMs tile in Ops Manager under the Credentials tab.

  2. Click the plan name and select Manage Identity Providers from the dropdown.

  3. Click the external identity provider you want to manage and select the Users choice for the provider from the dropdown. This brings you to the users admin pane.

From the external identity provider users admin pane, you can:

  • Search existing users by entering a value into the search bar and clicking Search. Entering a blank value returns all users in the service plan’s internal user store.

  • Delete a user by selecting the checkbox next to their username and clicking Delete User.

  • View information about a user by clicking their username.

  • View user permissions by clicking the Permissions tab.

  • Update user permissions by selecting the corresponding permissions and clicking Save User.

Manage Users with the UAA CLI

You may also use the UAA CLI, or UAAC, to manage users for Single Sign‑On. You can use this approach to programmatically create new internal users or assign groups (scopes) to any user (whether internal or external). These operations require administrative access through an admin client that must be configured by an admin for the service plan.

Note: Clients and Groups for Single Sign‑On should be created directly using the SSO Operator Dashboard or through app manifest bootstrapping. Do not create these through UAAC, as additional metadata is required for their usage by Single Sign‑On.

  1. Install the UAA CLI, uaac, by running:

    gem install cf-uaac
    
  2. Target your service plan by running:

    uaac target AUTH-DOMAIN.login.SYSTEM-DOMAIN
    

    Where AUTH-DOMAIN is the Auth Domain you entered in Create or Edit Service Plans.

    For example:

    $ uaac target my-auth-domain.login.example.com
    

  3. Record the App ID and App Secret from your admin client created by following the steps in Create Admin Client. You must give your admin client scim.read to read user information. You can give your admin client either scim.write to create users and modify group (scope) memberships or scim.create to only create users.

  4. Authenticate and obtain an access token for the admin client for your service plan by running:

    uaac token client get ADMIN-APP-ID -s ADMIN-APP-SECRET
    

    Where:

    • ADMIN-APP-ID is your App ID and
    • ADMIN-APP-SECRET is your App Secret.

    For example:

    $ uaac token client get MyAdminAppId -s MyAdminAppSecret
    

    UAAC stores the token in ~/.uaac.yml.

  5. Display the client context by running the following command and verify that the required scim.write or scim.create permission appears under scope:

    uaac context
    

    For example:

    $ uaac context

    [1]*[admin]
      client_id: MyAdminAppId
      access_token: aBcdEfg0hIJKlm123.e
      token_type: bearer
      expires_in: 43200
      scope: scim.read scim.write
      jti: 91b3-abcd1233

  6. Create a new internal user by running:

    uaac user add NEW-USERNAME -p NEW-PASSWORD --emails NEW-EMAIL
    

    Replace NEW-USERNAME, NEW-PASSWORD, and NEW-EMAIL with appropriate information.

    For example:

    $ uaac user add Adam -p newSecretPassword --emails adam@example.com
    

  7. Add any group to any user (internal or external) by running:

    uaac member add GROUP USERNAME
    

    Replace GROUP and USERNAME with appropriate information.

    For example:

    $ uaac member add my-app.my-scope Adam
    

  8. Remove any group from any user (internal or external) by running:

    uaac member delete GROUP USERNAME
    

    Replace GROUP and USERNAME with appropriate information.

    For example:

    $ uaac member delete my-app.my-scope Adam
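The following shell helper is an added example and is not part of the VMware documentation or the uaac tool itself. It automates steps 5 through 7: it parses the output of uaac context to confirm the token carries scim.write or scim.create before calling uaac user add and uaac member add, and it assumes uaac is installed and already targeted with an admin-client token (steps 1 to 4); the sample context text at the bottom is constructed with placeholder values.

```shell
#!/bin/sh
# Added example, not from the VMware docs: check the scope list shown by
# `uaac context` for scim.write or scim.create (step 5) before creating a
# user (step 6) and granting a group (step 7).

# scope_granted CONTEXT-TEXT SCOPE... : succeed if any listed scope appears
# after the "scope:" key. Works whether uaac prints one key per line or the
# whole context on a single line; any token ending in ":" (e.g. "jti:")
# closes the scope list.
scope_granted() {
  text=$1; shift
  printf '%s\n' "$text" | awk -v want="$*" '
    BEGIN { n = split(want, w, " ") }
    {
      for (i = 1; i <= NF; i++) {
        if ($i == "scope:") inscope = 1
        else if ($i ~ /:$/) inscope = 0
        else if (inscope) {
          for (j = 1; j <= n; j++) if ($i == w[j]) found = 1
        }
      }
    }
    END { exit found ? 0 : 1 }'
}

# `uaac user add` works with either scim.write or scim.create.
can_create_users() { scope_granted "$1" scim.write scim.create; }

# `uaac member add` / `uaac member delete` need scim.write specifically.
can_change_groups() { scope_granted "$1" scim.write; }

# provision_user USERNAME PASSWORD EMAIL GROUP: refuse early when the current
# token lacks the needed scope, otherwise run steps 6 and 7. The password is
# passed on the command line exactly as the docs show, so it lands in shell
# history; clear it afterwards if that matters in your environment.
provision_user() {
  ctx=$(uaac context) || { echo "no UAAC context; run 'uaac token client get' first" >&2; return 1; }
  can_create_users "$ctx"  || { echo "token lacks scim.write or scim.create" >&2; return 1; }
  can_change_groups "$ctx" || { echo "token lacks scim.write; cannot add group $4" >&2; return 1; }
  uaac user add "$1" -p "$2" --emails "$3" && uaac member add "$4" "$1"
}

# Constructed sample of `uaac context` output (placeholder values only).
SAMPLE_CONTEXT='[1]*[admin]
  client_id: MyAdminAppId
  access_token: aBcdEfg0hIJKlm123.e
  token_type: bearer
  expires_in: 43200
  scope: scim.read scim.write
  jti: 91b3-abcd1233'
```

Call provision_user Adam newSecretPassword adam@example.com my-app.my-scope after sourcing the file to reproduce the example values from steps 6 and 7.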