Adding Existing SAML or LDAP Users to a PCF Deployment

This topic describes the procedure for adding existing SAML or LDAP users to a Pivotal Cloud Foundry (PCF) deployment enabled with SAML or LDAP.

There are two ways to add existing SAML or LDAP users to your PCF deployment: import them in bulk (Option 1) or add them manually with the cf CLI (Option 2).

Prerequisites

You must have the following to perform the procedures in this topic:

Option 1: Import Users in Bulk

You can import SAML or LDAP users in bulk by using the UAA Bulk Import Tool. See the UAA Users Import README for instructions about installing and using the tool.

Option 2: Add Users Manually

Perform the procedures below to add existing SAML or LDAP users to your PCF deployment manually.

Step 1: Create User

Perform the following steps to add a SAML or LDAP user:

  1. Run cf target https://api.YOUR-SYSTEM-DOMAIN to target the API endpoint for your PCF deployment. Replace YOUR-SYSTEM-DOMAIN with your system domain. For example:
    $ cf target https://api.example.com
  2. Run cf login and provide credentials for an account with the Admin user role:
    $ cf login
  3. Run cf create-user EXAMPLE-USERNAME --origin YOUR-PROVIDER-NAME to create the user in UAA. Replace EXAMPLE-USERNAME with the username of the SAML or LDAP user you wish to add, and select one of the options below:
    • For LDAP, replace YOUR-PROVIDER-NAME with ldap. For example:
      $ cf create-user j.smith@example.com --origin ldap
      
    • For SAML, replace YOUR-PROVIDER-NAME with the name of the SAML provider you provided when configuring Ops Manager. For example:
      $ cf create-user j.smith@example.com --origin example-saml-provider
      
    Always pass --origin: running cf create-user without it creates a separate UAA internal account with its own password rather than a record for the external SAML or LDAP identity. The username you enter must match the username your identity provider asserts for that user, or UAA treats the person who logs in as a different user and the roles you assign in Step 2 do not apply to them.

Step 2: Associate User with Org or Space Role

After creating the SAML or LDAP user, you must associate the user with either an Org or Space role.

For more information about roles, see the Roles and Permissions section of the Orgs, Spaces, Roles, and Permissions topic.

Associate User with Org Role

Run cf set-org-role USERNAME YOUR-ORG ROLE to associate the SAML or LDAP user with an Org role. Replace USERNAME with the name of the SAML or LDAP user, and replace YOUR-ORG with the name of your Org.

For ROLE, enter one of the following:

  • OrgManager: Org Managers can invite and manage users, select and change plans, and set spending limits.
  • BillingManager: Billing Managers can create and manage the billing account and payment information.
  • OrgAuditor: Org Auditors have read-only access to Org information and reports.

Example:

$ cf set-org-role j.smith@example.com my-org OrgManager

Associate User with Space Role

Run cf set-space-role USERNAME YOUR-ORG YOUR-SPACE ROLE to associate the SAML or LDAP user with a Space role. Replace USERNAME with the name of the SAML or LDAP user, replace YOUR-ORG with the name of your Org, and YOUR-SPACE with the name of a Space in your Org.

For ROLE, enter one of the following:

  • SpaceManager: Space Managers can invite and manage users, and enable features for a given Space.
  • SpaceDeveloper: Space Developers can create and manage apps and services, and see logs and reports.
  • SpaceAuditor: Space Auditors can view logs, reports, and settings on this Space.

Example:

$ cf set-space-role j.smith@example.com my-org my-space SpaceDeveloper
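The following script wraps Steps 1 and 2 into a single checked procedure for adding several existing SAML or LDAP users at once. It is an added example, not code from the PCF documentation or from Pivotal: it assumes you have already run cf target and cf login as an Admin, it validates the origin and the role name before calling the cf CLI so that a typo cannot silently create an internal UAA user or fail halfway through, and it reads users from a constructed CSV in the form user,origin,org,space,role (leave space empty for an Org role). The CF_BIN variable is an assumption of this script: set CF_BIN=echo to dry-run and see the commands that would be issued.

```shell
#!/bin/sh
# Added example (not from the PCF docs): add existing SAML/LDAP users and
# assign Org or Space roles, validating inputs before touching the cf CLI.
# Assumes `cf target` and `cf login` (Admin) have already been run.
# CF_BIN is an assumption of this script; CF_BIN=echo gives a dry run.
set -e

CF_BIN="${CF_BIN:-cf}"

# Role names accepted by cf set-org-role / cf set-space-role.
ORG_ROLES="OrgManager BillingManager OrgAuditor"
SPACE_ROLES="SpaceManager SpaceDeveloper SpaceAuditor"

# in_list WORD "a b c": succeeds when WORD is one of the listed words.
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# add_external_user USER ORIGIN ORG ROLE        -> Org role
# add_external_user USER ORIGIN ORG SPACE ROLE  -> Space role
# Creates USER in UAA for the external ORIGIN (ldap or a SAML provider
# name) and assigns ROLE. Refuses an empty origin, which would otherwise
# create a UAA internal (password) account instead of a SAML/LDAP one.
add_external_user() {
  user="$1"; origin="$2"; org="$3"
  if [ "$#" -eq 5 ]; then
    space="$4"; role="$5"
  else
    space=""; role="$4"
  fi
  if [ -z "$origin" ]; then
    echo "refusing to create $user: --origin is empty" >&2
    return 1
  fi
  if [ -n "$space" ]; then
    in_list "$role" "$SPACE_ROLES" || { echo "bad Space role: $role" >&2; return 1; }
  else
    in_list "$role" "$ORG_ROLES" || { echo "bad Org role: $role" >&2; return 1; }
  fi
  "$CF_BIN" create-user "$user" --origin "$origin"
  if [ -n "$space" ]; then
    "$CF_BIN" set-space-role "$user" "$org" "$space" "$role"
  else
    "$CF_BIN" set-org-role "$user" "$org" "$role"
  fi
}

# add_users_from_csv: reads user,origin,org,space,role lines from stdin.
# Blank lines and lines starting with # are skipped; the first bad row
# stops the run (set -e) so you can fix the file rather than half-apply it.
add_users_from_csv() {
  while IFS=, read -r user origin org space role; do
    case "$user" in ""|\#*) continue ;; esac
    if [ -n "$space" ]; then
      add_external_user "$user" "$origin" "$org" "$space" "$role"
    else
      add_external_user "$user" "$origin" "$org" "$role"
    fi
  done
}

# Constructed sample input (not real users); run with CF_BIN=echo to see
# the cf commands that would be issued for it.
if [ "${1:-}" = "--demo" ]; then
  add_users_from_csv <<'EOF'
# user,origin,org,space,role
j.smith@example.com,ldap,my-org,,OrgManager
j.smith@example.com,example-saml-provider,my-org,my-space,SpaceDeveloper
EOF
fi
```

Run it as CF_BIN=echo sh add-users.sh --demo to preview, then without CF_BIN to apply. The role check is deliberately strict: cf itself would reject an unknown role, but only after create-user had already succeeded, leaving a user in UAA with no Org or Space access that is easy to overlook later.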