Configuring Internal User Store

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes how admins can configure a Single Sign‑On for VMware Tanzu service plan to manage user access to TAS for VMs apps with the internal user store.

Overview

As of Single Sign‑On v1.13, you cannot configure the internal user store from the SSO Operator Dashboard. These settings are still configurable from the User Account and Authentication (UAA) API. By default, each Single Sign‑On service plan comes with an internal user store, which natively stores user accounts in a UAA database.

To manage the internal user store:

  1. Install UAAC
  2. Set up an Admin Client
  3. Obtain an Access Token
  4. Configure the Internal User Store
  5. Add Internal Users
  6. Test Identity Provider Configurations

You can also configure a Single Sign‑On service plan to use an external identity provider to manage user accounts. For more information, see Configuring External Identity Providers.

Install UAAC

Install UAA Command Line Client (UAAC), if you do not already have it installed:

  1. Install UAAC by running:

    gem install cf-uaac
    

Set up an Admin Client

To configure internal user store settings and users, set up an admin client for managing users:

  1. Follow the Create an Admin Client procedure to create an admin client and ensure it has the following permissions:

    • clients.admin
    • idps.write
    • idps.read
    • scim.read
    • scim.write
  2. Record the App ID and App Secret. These are used as your client ID and client secret.

  3. Target the login portal of your Single Sign‑On service plan by running:

    uaac target https://AUTH-DOMAIN.login.SYSTEM-DOMAIN
    

    Where:

    • AUTH-DOMAIN is the hostname you submitted in Create or Edit Service Plans.
    • SYSTEM-DOMAIN is the domain for system-level components you chose when installing the TAS for VMs tile.

Obtain an Access Token

You need an access token for your admin client for the Configure the Internal User Store procedure below.

To obtain an access token for your admin client:

  1. Run:

    uaac token client get APP-ID
    

    Where APP-ID is the App ID you recorded above in the Set up an Admin Client procedure.

  2. When prompted for the Client secret, enter the App Secret you recorded in the Set up an Admin Client procedure above.

Configure the Internal User Store

As of Single Sign‑On v1.13, when creating a new plan, the internal user store is not enabled by default. UAA does not present the internal user store as an option for users attempting to log in to the zone. For plans that were created using an earlier version, the internal user store retains its previous settings.

To configure the internal user store through the UAAC:

  1. If you have not already done so, complete the Obtain an Access Token procedure above.

  2. List the identity providers by running:

    uaac curl https://AUTH-DOMAIN.login.SYSTEM-DOMAIN/identity-providers -X GET
    

    Where:

    • AUTH-DOMAIN is the Auth Domain you submitted in Create or Edit Service Plans.
    • SYSTEM-DOMAIN is the domain for system-level components you chose when installing the TAS for VMs tile.
  3. From the output, capture the JSON and record the id for the identity provider named uaa.

  4. Enable the internal user store by setting active to true within the captured JSON.

  5. Enable user management by setting config.disableInternalUserManagement to false. Enabling user management enables you to add, update, and delete internal users.

  6. Configure to your needs the password policy, email domains, and other settings within the captured JSON.

  7. Remove the version, created, and last_modified keys from the JSON.

  8. To apply the modified JSON, send it through UAAC by running:

    uaac curl 'https://AUTH-DOMAIN.login.SYSTEM-DOMAIN/identity-providers/UAA-IDP-ID?rawConfig=true' -X PUT \
      -H 'Content-Type: application/json' \
      -d '{
        "type": "uaa",
        "config": {
          "emailDomain": [],
          "additionalConfiguration": null,
          "providerDescription": null,
          "passwordPolicy": {
            "minLength": 1,
            "maxLength": 255,
            "requireUpperCaseCharacter": 0,
            "requireLowerCaseCharacter": 0,
            "requireDigit": 0,
            "requireSpecialCharacter": 0,
            "passwordNewerThan": null,
            "expirePasswordInMonths": 0
          },
          "lockoutPolicy": {
            "lockoutPeriodSeconds": 300,
            "lockoutAfterFailures": 5,
            "countFailuresWithin": 3600
          },
          "disableInternalUserManagement": false
        },
        "id": "UAA-IDP-ID",
        "originKey": "uaa",
        "name": "uaa",
        "active": true,
        "identityZoneId": "IDENTITY-ZONE-ID"
      }'
    

    Where:

    • AUTH-DOMAIN is the Auth Domain you submitted in Create or Edit Service Plans.
    • UAA-IDP-ID is the UAA identity provider ID.
    • SYSTEM-DOMAIN is the domain for system-level components you chose when installing the TAS for VMs tile.
    • IDENTITY-ZONE-ID is the identity zone ID.

    You can also modify the values for config.passwordPolicy, config.lockoutPolicy, and config.emailDomain to your preferences. For more information, see the Cloud Foundry documentation.

Add Internal Users

To add internal user accounts through UAAC:

  1. Follow the Manage Users With The UAAC procedure.

Test Identity Provider Configurations

VMware Tanzu provides sample apps you can deploy to validate your identity provider configurations. To deploy a sample app, follow the instructions in identity-sample-apps in GitHub.