Monitoring Service Plans and Apps
This topic explains how to monitor Single Sign-On (SSO) for Pivotal Cloud Foundry (PCF) service plans and apps.
SSO uses the User Account and Authentication (UAA) service to log security events through Loggregator. UAA security events can be filtered and forwarded to destinations through a syslog drain. To configure logs that monitor SSO plan, app, and UAA client events, you need to obtain the IDs for the corresponding plan or app.
To obtain the identity zone ID for SSO plans, do one of the procedures in Monitor SSO Plan Events.
To obtain the client ID for an app or UAA client, do the procedure in Monitor App Events.
For information about configuring logging in Pivotal Application Services (PAS), see Configuring Logging in PAS.
For information about UAA security events, see UAA Logging.
Each SSO service plan is given a unique identity zone ID. You can monitor all events for a plan by filtering the UAA-generated logs on the plan’s identity zone ID.
You can obtain a list of plans and their corresponding identity zone IDs by doing one of the following:
- Making a call to the SSO API. See Use the SSO API.
- Using the SSO Operator Dashboard. See Use the SSO Operator Dashboard.
Before you can use the SSO API to monitor plan events, you must do the following:
- Create an admin client. See Create an Admin Client.
- Create a UAA identity zone admin client. See Create a UAA Identity Zone Admin Client.
To use the SSO API to obtain plan identity zone IDs, run the following command:
curl -X GET "https://sso-api.YOUR-SYSTEM-DOMAIN/v1/plans" \
  -H "Authorization: Bearer YOUR-TOKEN"
Where:
- YOUR-SYSTEM-DOMAIN is your PCF system domain URL.
- YOUR-TOKEN is the access token you obtained in Create a UAA Identity Zone Admin Client.
For more information, see SSO Service Plan Automation API in the SSO API documentation.
To use the SSO Operator Dashboard to obtain plan identity zone IDs, do the following:
- Log into the SSO Operator Dashboard at
- Click the plan you want to obtain the identity zone ID for and select Edit Plan.
Record the identity zone ID for your plan from the SSO Operator Dashboard URL. The URL looks similar to the following:
IDENTITY-ZONE-ID is your plan’s identity zone ID.
All apps that use SSO have a unique client ID. You can monitor app and UAA client events using the client ID.
To find your app’s client ID, do the following:
- Log in to Apps Manager as a Space Developer.
- Select the space where your service instance is located.
- Under Services, click the Single Sign-On service.
- Click Manage next to your SSO service instance to launch the SSO Developer Dashboard.
- Under Applications, click View Credentials near the name of your app.
- Record the value of App ID.
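The filtering described above for plan events (by identity zone ID) and for app and UAA client events (by client ID), shown as an added example that is not part of the original documentation. The sample log lines are constructed to follow the layout of UAA "Audit:" events as they would arrive through a syslog drain; the zone IDs, client IDs, hosts and timestamps are made up, and the syslog prefix is assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of UAA audit lines from a syslog drain. The event/principal/
# origin/identityZoneId layout follows UAA's audit format; all values are made up.
SAMPLE_LOG = """\
2019-06-03T15:21:07Z uaa - - - Audit: ClientAuthenticationSuccess ('Client authentication success'): principal=app-client-1, origin=[remoteAddress=10.0.1.5, clientId=app-client-1], identityZoneId=[zone-plan-a]
2019-06-03T15:21:09Z uaa - - - Audit: UserAuthenticationFailure ('bad credentials'): principal=alice, origin=[remoteAddress=10.0.1.9, clientId=app-client-2], identityZoneId=[zone-plan-b]
2019-06-03T15:21:11Z uaa - - - Audit: TokenIssuedEvent ('token issued'): principal=bob, origin=[remoteAddress=10.0.1.7, clientId=app-client-1], identityZoneId=[zone-plan-a]
2019-06-03T15:21:12Z uaa - - - some unrelated non-audit line
"""

AUDIT_RE = re.compile(
    r"Audit: (?P<event>\w+) \((?P<desc>.*?)\): principal=(?P<principal>[^,]+), "
    r"origin=\[(?P<origin>.*?)\], identityZoneId=\[(?P<zone>[^\]]+)\]"
)

@dataclass
class AuditEvent:
    event: str         # UAA audit event type, e.g. UserAuthenticationFailure
    principal: str     # user or client the event concerns
    client_id: Optional[str]  # clientId from the origin block, if present
    zone_id: str       # identity zone ID of the SSO plan
    raw: str           # original line, kept for forwarding

def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return the parsed audit event, or None for non-audit lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    client = re.search(r"clientId=([^,\]]+)", m.group("origin"))
    return AuditEvent(m.group("event"), m.group("principal"),
                      client.group(1) if client else None, m.group("zone"), line)

def filter_events(log_text: str, zone_id=None, client_id=None):
    """Keep audit events that match the plan's identity zone ID and/or the app's client ID."""
    out = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue  # not a security event; skip
        if zone_id is not None and ev.zone_id != zone_id:
            continue
        if client_id is not None and ev.client_id != client_id:
            continue
        out.append(ev)
    return out
```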