LATEST VERSION: 1.5 - CHANGELOG
Single Sign-On v1.4

Manage Users

This topic describes how a Pivotal Cloud Foundry (PCF) Plan Administrator uses the Single Sign-On (SSO) service to manage user access to PCF apps, for users with accounts in the internal user store or with external identity providers.

Manage Users in an Internal User Store

The SSO service has an Internal Users admin pane that lets you manage user accounts in PCF’s internal user store: invite and delete users, request users to reset their passwords, and update user attributes and permissions.

To open the Internal Users pane:

  1. Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your User Account and Authentication (UAA) administrator credentials. Find these credentials in your Pivotal Elastic Runtime tile in Ops Manager under the Credentials tab.

  2. Click the plan name and select Manage Identity Providers from the drop-down menu.

  3. Click Internal User Store and select Internal Users from the drop-down menu. This brings you to the admin screen. SSO Admin

From the Internal Users pane, you can:

  • Invite users by clicking Invite User, entering their email address, and clicking Send Invite. Invite User

  • Search existing users by entering a value into the search bar and clicking Search. Entering a blank value returns all users in the service plan’s internal user store. Internal Users

  • Resend an invite to an unverified user by selecting the checkbox next to their username and clicking Resend Invite.

  • Ask a verified user to reset their password by selecting the checkbox next to their username and clicking Reset Password.

  • Delete a user by selecting the checkbox next to their username and clicking Delete User.

  • View information about a user by clicking their username. User Profile - Unverified

  • Update a user profile including their Email, First Name, Last Name, and Phone Number by entering the updated values and clicking Save User.

  • View user permissions by clicking the Permissions tab. Internal User Permissions

  • Update user permissions by selecting the corresponding permissions and clicking Save User.

Manage Users from an External Identity Provider

For each external identity provider that the SSO service connects to, a users admin pane (example: Okta SSO Users) lets you browse, delete, and update PCF permissions for user accounts from external identity providers.

To open the external identity provider users admin pane:

  1. Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your User Account and Authentication (UAA) administrator credentials. You can find these credentials in your Pivotal Elastic Runtime tile in Ops Manager under the Credentials tab.

  2. Click the plan name and select Manage Identity Providers from the drop-down menu.

  3. Click the external identity provider you want to manage and select the Users choice for the provider from the drop-down menu. This brings you to the users admin pane. Okta Users Search

From the external identity provider users admin pane, you can:

  • Search existing users by entering a value into the search bar and clicking Search. Entering a blank value returns all users in the service plan’s internal user store. Okta Users Search Results

  • Delete a user by selecting the checkbox next to their username and clicking Delete User.

  • View information about a user by clicking their username. User Profile - Verified

  • View user permissions by clicking the Permissions tab. External User Permissions

  • Update user permissions by selecting the corresponding permissions and clicking Save User.

Manage Users with the UAA CLI (UAAC)

You may also use the UAA CLI (UAAC) to manage users for the SSO service. You can use this approach to programatically create new internal users or assign groups (scopes) to any user (whether internal or external). These operations require administrative access through an admin client that must be configured by an administrator for the service plan.

Note: Clients and Groups for SSO should be created directly through the SSO UI or through application manifest bootstrapping. Do not create these through UAAC, as additional metadata is required for their usage by SSO.

  1. Install the UAA CLI, uaac.

    $ gem install cf-uaac
    

  2. Use the uaac target AUTH-DOMAIN command to target your service plan. Auth Domain setting you entered when you created the service plan.

    $ uaac target my-auth-domain.login.example.com
    

  3. Record the App ID and App Secret from your admin client created using the steps here. You will need to give your admin client scim.read to read user information. You can give your admin client either scim.write to create users and modify group (scope) memberships or scim.create to only create users.

  4. Run uaac token client get ADMIN-APP-ID -s ADMIN-APP-SECRET to authenticate and obtain an access token for the admin client for your service plan. Replace ADMIN-APP-ID with your App ID and ADMIN-APP-SECRET with your App Secret. UAAC stores the token in ~/.uaac.yml.

    $ uaac token client get MyAdminAppId -s MyAdminAppSecret
    

  5. Use the uaac contexts command to display the users and applications authorized by your service plan, and the permissions granted to each user and application. Check that you have the sufficient scim.write or scim.create permissions under the scope section.

    $ uaac contexts
    
    [1]*[admin]
      client_id: MyAdminAppId
        access_token: aBcdEfg0hIJKlm123.e
        token_type: bearer
        expires_in: 43200
        scope: scim.read scim.write 
        jti: 91b3-abcd1233
    
  6. Run the following command to create a new internal user: uaac user add NEW-USERNAME -p NEW-PASSWORD --emails NEW-EMAIL
    Replace NEW-USERNAME, NEW-PASSWORD, and NEW-EMAIL with appropriate information.

    $ uaac user add Adam -p newSecretPassword --emails adam@example.com
    

  7. Run uaac member add GROUP USERNAME to add any group to any user (internal or external). Replace GROUP and USERNAME with appropriate information.

    $ uaac member add my-app.my-scope Adam
    

  8. Run uaac member delete GROUP USERNAME to delete any group from to any user (internal or external). Replace GROUP and USERNAME with appropriate information.

    $ uaac member delete my-app.my-scope Adam
    

Create a pull request or raise an issue on the source for this page in GitHub