Managing Users

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes how a Plan Admin uses Single Sign‑On for VMware Tanzu to manage user access to VMware Tanzu Application Service for VMs (TAS for VMs) apps, for users with accounts in external identity providers.

Manage Users from an External Identity Provider

For each external identity provider that Single Sign‑On connects to, a user admin pane lets you browse, delete, and update permissions for user accounts from external identity providers, such as Okta SSO Users.

To open the external identity provider user admin pane:

  1. Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN using your User Account and Authentication (UAA) admin credentials. You can find these credentials in your TAS for VMs tile in Ops Manager under the Credentials tab.

  2. Click the plan name.

  3. Click the external identity provider you want to manage and then select the Users tab for your IdP. This brings you to the user admin pane for that external identity provider. The user admin pane for an example IdP. There is a username search field near the top. Below that is a **DELETE USER(S)** button. Below that is a table with columns called Username, Name, Verified, and Last Modified. A single page number with navigation arrows is at the bottom left. From the external identity provider user admin pane, you can:

    • Search existing users: To do so, enter a value into the search bar and click Search. Entering a blank value returns all users in the service plan internal user store.
    • Delete a user: To do so, select the checkbox next to their username and click Delete User(s).
    • View information about a user and their user permissions: To do so, click on their username.
    • Update user permissions: To do so, type the corresponding permissions into the search field, press Enter, then click UPDATE USER PERMISSIONS. Screenshot of an example user. There are Username, First Name, Last Name, Email, and Phone Number fields. At the bottom is a search field with example permissions on the right. Below is an UPDATE USER PERMISSIONS button.

Manage Users with the UAAC

You can also use the UAA Command Line Client (UAAC) to manage users for Single Sign‑On. For more information, see the UAAC repository in GitHub. You can use this approach to programmatically create new internal users or assign groups (scopes) to any internal or external user. These operations require administrative access through an admin client that an admin must configure for the service plan.

Note: Clients and groups for Single Sign‑On should be created directly using the SSO Developer Dashboard or through app manifest bootstrapping. Do not create these through UAAC, as additional metadata is required for their usage by Single Sign‑On.

  1. Install the UAAC by running:

    gem install cf-uaac

  2. Target your service plan by running:

    uaac target AUTH-DOMAIN.login.SYSTEM-DOMAIN

    Where:

    • AUTH-DOMAIN is the Auth Domain you entered in Create or Edit Service Plans.
    • SYSTEM-DOMAIN is the domain for system-level components you chose when installing the TAS for VMs tile.

      For example: 
      $ uaac target my-auth-domain.login.example.com

  3. Record the App ID and App Secret from your admin client created by following the steps in Create Admin Client. You must give your admin client scim.read to read user information. You can give your admin client either scim.write to create users and modify group (scope) memberships or scim.create to only create users.

  4. Authenticate and obtain an access token for the admin client for your service plan by running:

    uaac token client get ADMIN-APP-ID -s ADMIN-APP-SECRET

    Where:

    • ADMIN-APP-ID is your App ID and
    • ADMIN-APP-SECRET is your App Secret.

    For example: 

    $ uaac token client get MyAdminAppId -s MyAdminAppSecret

    UAAC stores the token in ~/.uaac.yml.

  5. Display the client context by running:

    uaac context

  6. Verify that you have the necessary scim.write or scim.create permissions under the scope section:

    For example: 

    $ uaac context
    


    [1]*[admin]
  client_id: MyAdminAppId
    access_token: aBcdEfg0hIJKlm123.e
    token_type: bearer
    expires_in: 43200
    scope: scim.read scim.write
    jti: 91b3-abcd1233

  7. Create a new internal user by running:

    uaac user add NEW-USERNAME -p NEW-PASSWORD --emails NEW-EMAIL

    Where:

    • NEW-USERNAME is the username
    • NEW-PASSWORD is the password
    • NEW-EMAIL is the email address

      For example: 
      $ uaac user add Adam -p newSecretPassword --emails adam@example.com

  8. Add any group to any internal or external user by running:

    uaac member add GROUP USERNAME

    Where GROUP is the group name and USERNAME is the user.

    For example: 

    $ uaac member add my-app.my-scope Adam

  9. Delete any group from any internal or external user.

    uaac member delete GROUP USERNAME

    Where GROUP is the group name and USERNAME is the user.

    For example: 

    $ uaac member delete my-app.my-scope Adam