Single Sign-On v1.7

Updating Identity Providers with UAAC

This topic describes how to update the configuration of identity providers using the User Account and Authentication Command Line Interface (UAAC). For instructions on configuring identity providers, see Configuring Identity Providers.

Create a UAA Identity Zone Admin Client

To use the UAA identity provider API for your SSO service plan, you need a special identity zone admin client.

  1. Create a UAA identity zone admin client.

    For instructions, see Create a UAA Identity Zone Admin Client.

  2. Using the instructions above, give this client the and idps.write scopes.

  3. Record the App ID and App Secret. You need these for the procedure below.

Update UAA Identity Provider Configurations with the API

This section shows how to use the UAAC to update UAA identity provider configurations, using a PUT command.

WARNING: This flow is for advanced users only. You must always run the PUT command with the latest data by doing a GET before the PUT command. You must also provide all configuration values, otherwise, data can be lost.

For general information about UAAC, see the CF UAA API documentation page.

To make UAA identity provider API calls:

  1. Fetch a token using the identity zone admin client created from Create a UAA Identity Zone Admin Client above.

  2. Target the authdomain specified in your Service Plan.
    For example:

    uaac target
  3. Obtain an access token using this command:

    uaac token client get ZONE-ADMIN-CLIENT-ID


    • ZONE-ADMIN-CLIENT-ID is the MY-APP-ID you recorded in the procedure above.
  4. When prompted for the client secret, provide the App Secret you recorded in the procedure above.

  5. (Optional) If you do not know your identity provider ID, to retrieve it, use the command below:

    uaac curl -k /identity-providers > file.txt

    Your identity provider ID is the value of id. In most cases, this command returns one identity provider. If there are several, you can identify your identity provider by the name.

  6. Run the following command, directing the output to a text file:

    uaac curl -k /identity-providers/YOUR-IDENTITY-PROVIDER-ID > TEXT-FILE.txt


    • YOUR-IDENTITY-PROVIDER-ID is your identity provider ID.
    • TEXT-FILE.txt is the name of your text file.
  7. The command above outputs a JSON blob similar to the example below. Confirm that the ID in this output matches YOUR-IDENTITY-PROVIDER-ID.

      "type": "uaa",
      "config": "{"emailDomain\":null,
      "id": "b38dfbbc-f187-4eeb-a3f3-21a3c72c6975",
      "originKey": "uaa",
      "name": "uaa",
      "version": 0,
      "created": 1530220213000,
      "last_modified": 1530220213000,
      "active": true,
      "identityZoneId": "uaa"
  8. In your TEXT-FILE.txt, update the configurations in the JSON blob as needed, and then save the file.

    WARNING: You must provide all config values, otherwise, data can be lost when doing an API update as a PUT command.

  9. Submit a UAAC curl request to apply your updated configurations to the identity provider, as shown below.

    WARNING: You must always run this command with the latest data by doing a GET before a PUT command.

    $ uaac curl -k /identity-providers/YOUR-IDENTITY-PROVIDER-ID -X PUT 
    \-H 'Content-Type: application/json' -d "$(cat file.txt)"


    • YOUR-IDENTITY-PROVIDER-ID is your identity provider ID.

    A minimal example command would look similar to the following:

    $ uaac curl -k /identity-providers/b38dfbbc-f187-4eeb-a3f3-21a3c72c6975\
         -X PUT \
         -H 'Content-Type: application/json' \
         -d '{
             "type": "uaa",
             "config": {
                 "emailDomain": null,
                 "providerDescription": null,
                 "passwordPolicy": null,
                 "lockoutPolicy": {
                     "lockoutPeriodSeconds": 8,
                     "lockoutAfterFailures": 8,
                     "countFailuresWithin": 8
                 "disableInternalUserManagement": false
             "originKey": "uaa",
             "name": "uaa",
             "version": 0,
             "active": true

For a full list of UAA API update parameters, see the Identity Providers Update Documentation.

Enable Client Auth for OpenID Connect (OIDC)

Some OIDC providers only support client secrets via POST instead of via basic authentication.

In these cases, Client Auth can be configured using config.clientAuthInBody in the request body. For information about this field, see the UAA documentation.

Note: Azure Active Directory integrations using the response type of code only work with clientAuthInBody.

Skip SSL Validation for SAML

Note: This section assumes you have created the SAML Identity Provider, most likely by providing the SAML metadata directly. For more information, see Add a SAML Provider.

For cases where the SAML provider is configured using a valid SAML URL, you might need to skip SSL validation on a self-signed certificate.

You can configure skipping SSL for SAML Identity Providers using config.skipSslValidation in the request body. For documentation about this field, see the UAA documentation.

Create a pull request or raise an issue on the source for this page in GitHub