Pivotal Cloud Foundry v1.7

Configuring Authentication and Enterprise SSO for Elastic Runtime


This topic describes Pivotal Cloud Foundry (PCF) authentication and single sign-on configuration with Lightweight Directory Access Protocol (LDAP) and Security Assertion Markup Language (SAML).

Refer to the instructions below to configure your deployment with SAML or LDAP.

Connecting Elastic Runtime to either the LDAP or SAML external user store allows the User Account and Authentication (UAA) server to delegate authentication to existing enterprise user stores.

If your enterprise user store is exposed as a SAML or LDAP Identity Provider for single sign-on (SSO), you can configure SSO to allow users to access the Apps Manager and Cloud Foundry Command Line Interface (cf CLI) without creating a new account or, if using SAML, without re-entering credentials.

See the Adding Existing SAML or LDAP Users to a PCF Deployment topic for information about managing user identity and pre-provisioning user roles with SAML or LDAP in PCF.

This Knowledge Base article explains the process used by the UAA Server when it attempts to authenticate a user through LDAP.

Configure PCF to Use a SAML Identity Provider

To connect PCF Elastic Runtime with SAML, you must perform the following tasks:

  1. Configure PCF as a service provider for SAML

  2. Configure SAML as an Identity Provider for PCF

Configure PCF as a Service Provider for SAML

Follow the instructions below to configure PCF as a service provider for SAML.

  1. From the Installation Dashboard, click the Elastic Runtime tile.

  2. Select the Domains tab and record your system domain.


  3. Select Authentication and Enterprise SSO.

  4. Select SAML Identity Provider.


  5. Set the Provider Name. This is a unique name you create for the Identity Provider. This name can include only alphanumeric characters, +, _, and -. You should not change this name after deployment because all external users use it to link to the provider.

  6. Enter a Display Name. Your provider display name appears as a link on your Pivotal login page, which you can access at https://login.YOUR-SYSTEM-DOMAIN.


  7. Retrieve the metadata from your Identity Provider and copy it into either the Provider Metadata or the Provider Metadata URL field, depending on whether your Identity Provider exposes a Metadata URL. Refer to the Configure SAML as an Identity Provider for PCF section of this topic for more information. Pivotal recommends that you use the Provider Metadata URL rather than Provider Metadata because the metadata can change. You can do this in either of the following ways:

    • If your Identity Provider exposes a Metadata URL, provide the Metadata URL.
    • Download your Identity Provider metadata and paste this XML into the Provider Metadata area.

    Note: You only need to select one of the above configurations. If you configure both, your Identity Provider defaults to the Provider Metadata URL.

    Note: Refer to the Adding Existing SAML or LDAP Users to a PCF Deployment topic for information on on-boarding SAML users and mapping them to PCF user roles.

  8. Select the Name ID Format for your SAML Identity Provider. This value maps to the username in PCF Elastic Runtime. The default is Email Address.

  9. By default, all SAML Authentication Requests from PCF are signed. To change this, disable the Sign Authentication Requests checkbox and configure your Identity Provider so that it does not expect signed SAML authentication requests.

  10. To validate the signature for the incoming SAML assertions, enable the Required Signed Assertions checkbox and configure your Identity Provider to send signed SAML Assertions.

  11. For Signature Algorithm, choose an algorithm from the dropdown menu to use for signed requests and assertions. The default value is SHA1.

  12. Click Save.

  13. Return to the Installation Dashboard by clicking the link.

  14. On the Installation Dashboard, click Apply Changes.


Configure SAML as an Identity Provider for PCF

Download the Service Provider Metadata from https://login.YOUR-SYSTEM-DOMAIN/saml/metadata. Consult the documentation from your Identity Provider for configuration instructions.

Refer to the table below for information about certain industry-standard Identity Providers and how to integrate them with PCF:

Solution Name                          Integration Guide
CA Single Sign-On (CA SiteMinder)      PDF
Ping Federate                          PDF
Active Directory Federation Services   PDF

Note: Some Identity Providers allow uploads of Service Provider Metadata. Other providers require you to manually enter the Service Provider Metadata into a form.
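The form fields in steps 7 to 11 above (Provider Metadata, Name ID Format, Sign Authentication Requests, Required Signed Assertions) all depend on what the Identity Provider's metadata declares, and the Service Provider metadata you download from https://login.YOUR-SYSTEM-DOMAIN/saml/metadata declares the matching settings from the PCF side. The following script is an added example, not code from the PCF documentation or from the UAA: it parses either kind of metadata with the Python standard library and reports the entityID, NameID formats, signing flags, endpoints and the SHA-256 fingerprint of each published certificate, then compares the intended tile settings against the IdP's declarations. The sample metadata, its `idp.example.test` entityID and the certificate bytes are constructed stand-ins.

```python
"""Inspect SAML 2.0 metadata before pasting it into the Provider Metadata field.

Added example, not part of the PCF documentation or of the UAA. It reads IdP
metadata (what goes into the Elastic Runtime tile) or SP metadata (what is
downloaded from https://login.YOUR-SYSTEM-DOMAIN/saml/metadata) and reports
the details the Authentication and Enterprise SSO form depends on.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for a DER certificate; a real IdP publishes an X.509 cert.
SAMPLE_CERT_DER = b"constructed-not-a-real-certificate"
SAMPLE_CERT_SHA256 = hashlib.sha256(SAMPLE_CERT_DER).hexdigest()

# Constructed IdP metadata: fake entityID and endpoints on a .test domain.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_metadata(xml_text: str) -> dict:
    """Pull the form-relevant facts out of a SAML EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("metadata describes neither an IdP nor an SP")

    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # no 'use' attribute means both
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            certs.append({"use": use, "sha256": hashlib.sha256(der).hexdigest()})

    endpoints = {}
    for tag in ("md:SingleSignOnService", "md:AssertionConsumerService"):
        for ep in role.findall(tag, NS):
            endpoints[ep.get("Binding", "").rsplit(":", 1)[-1]] = ep.get("Location")

    return {
        "entity_id": root.get("entityID"),
        "role": "IdP" if idp is not None else "SP",
        # IdP attribute: does it insist on signed AuthnRequests (form step 9)?
        "wants_signed_authn_requests": role.get("WantAuthnRequestsSigned") == "true",
        # SP attributes, as published by PCF's own /saml/metadata.
        "signs_authn_requests": role.get("AuthnRequestsSigned") == "true",
        "wants_signed_assertions": role.get("WantAssertionsSigned") == "true",
        "nameid_formats": [e.text.strip() for e in role.findall("md:NameIDFormat", NS) if e.text],
        "endpoints": endpoints,
        "certificates": certs,
    }


def form_checks(info: dict, name_id_format: str = EMAIL_FORMAT,
                sign_authn_requests: bool = True) -> list:
    """Compare the intended tile settings with what the IdP metadata declares."""
    if info["role"] != "IdP":
        return ["metadata is SP metadata; the tile expects Identity Provider metadata"]
    problems = []
    if info["nameid_formats"] and name_id_format not in info["nameid_formats"]:
        problems.append(f"IdP does not advertise Name ID Format {name_id_format}")
    if info["wants_signed_authn_requests"] and not sign_authn_requests:
        problems.append("IdP wants signed AuthnRequests but Sign Authentication Requests is off")
    if not any(c["use"] != "encryption" for c in info["certificates"]):
        problems.append("no signing certificate in metadata; signed assertions cannot be verified")
    return problems


if __name__ == "__main__":
    summary = inspect_metadata(SAMPLE_IDP_METADATA)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("problems:", form_checks(summary) or "none")
```

Two points about using this: the certificate fingerprint is worth comparing against the value the Identity Provider's administrator gives you out of band, which matters most when you use the Provider Metadata URL, since that document can change after you first trusted it; and `xml.etree.ElementTree` is not hardened against entity-expansion attacks, so metadata fetched from a URL you do not control is better parsed with `defusedxml`.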

Configure PCF to Use an LDAP Identity Provider

To integrate the UAA with LDAP, configure Elastic Runtime with your LDAP endpoint information as follows:

  1. Log into the Operations Manager web interface.

  2. On the Product Dashboard, select Pivotal Elastic Runtime.


  3. In the left navigation menu, select Authentication and Enterprise SSO.


  4. Under Configure your UAA select LDAP Server.

  5. Enter the Server URL, a URL pointing to the LDAP server. This URL must include one of the following protocols:

    • ldap://: This specifies that the LDAP server uses an unencrypted connection.
    • ldaps://: This specifies that the LDAP server uses SSL for an encrypted connection and requires that the LDAP server holds a trusted certificate or that you import a trusted certificate to the JVM truststore.

  6. For LDAP Credentials, enter the LDAP Distinguished Name (DN) and password for binding to the LDAP Server. Example DN: cn=administrator,ou=Users,dc=example,dc=com

    Note: Pivotal recommends that you provide LDAP credentials that grant read-only permissions on the LDAP Search Base and the LDAP Group Search Base.

  7. For User Search Base, enter the location in the LDAP directory tree from which any LDAP User search begins. The typical LDAP Search Base matches your domain name.

    For example, a domain named “cloud.example.com” typically uses the following LDAP User Search Base: ou=Users,dc=example,dc=com

  8. For User Search Filter, enter a string that defines LDAP User search criteria. These search criteria allow LDAP to perform more effective and efficient searches. For example, the standard LDAP search filter cn=Smith returns all objects with a common name equal to Smith.

    In the LDAP search filter string that you use to configure Elastic Runtime, use {0} instead of the username. For example, use cn={0} to return all LDAP objects with the same common name as the username.

    In addition to cn, other attributes commonly searched for and returned are mail, uid and, in the case of Active Directory, sAMAccountName.

    Note: This Knowledge Base article provides instructions for testing and troubleshooting your LDAP search filters.

  9. For Group Search Base, enter the location in the LDAP directory tree from which the LDAP Group search begins.

    For example, a domain named “cloud.example.com” typically uses the following LDAP Group Search Base: ou=Groups,dc=example,dc=com

    Follow the instructions in the Grant Admin Permissions to an External Group (SAML or LDAP) section of the Creating and Managing Users with the UAA CLI (UAAC) topic to map the groups under this search base to admin roles in PCF.

    Note: Refer to the Adding Existing SAML or LDAP Users to a PCF Deployment topic to on-board individual LDAP users and map them to PCF Roles.

  10. For Group Search Filter, enter a string that defines LDAP Group search criteria. The standard value is member={0}.

  11. For Server SSL Cert, paste in the root certificate of your CA or your self-signed certificate.

  12. Click Save.

  13. Return to the Installation Dashboard by clicking the link.

  14. On the Installation Dashboard, click Apply Changes.

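Steps 5 to 10 above give the UAA a Server URL, a bind DN, two search bases and two filter templates in which `{0}` stands for the value being looked up: the login name for the user search, and the user's DN for the `member={0}` group search. The script below is an added example, not code from the PCF documentation or from the UAA; it mirrors those form fields in a `SETTINGS` dictionary with constructed values, checks them for the mistakes that surface only after Apply Changes (wrong URL scheme, a filter without `{0}`, a base that is not a DN), and renders both filters the way they are used at login. The substituted value is escaped per RFC 4515, which is the detail the `{0}` convention hides: without escaping, a login name such as `*)(uid=*` would rewrite `cn={0}` into a filter that matches every user under the search base.

```python
"""Sanity-check the LDAP Server settings from the Authentication and Enterprise
SSO form before applying changes.

Added example, not part of the PCF documentation or of the UAA code. The
SETTINGS dictionary mirrors the form fields; its values are constructed.
"""
from urllib.parse import urlsplit

# Constructed settings, in the order the form asks for them.
SETTINGS = {
    "server_url": "ldaps://ldap.example.com:636",
    "bind_dn": "cn=administrator,ou=Users,dc=example,dc=com",
    "user_search_base": "ou=Users,dc=example,dc=com",
    "user_search_filter": "cn={0}",
    "group_search_base": "ou=Groups,dc=example,dc=com",
    "group_search_filter": "member={0}",
}

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that is substituted for {0} in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Replace {0} in a filter template with the escaped value."""
    if "{0}" not in template:
        raise ValueError(f"filter template {template!r} has no {{0}} placeholder")
    return template.replace("{0}", escape_filter_value(value))


def user_search(settings: dict, username: str) -> tuple:
    """Base and filter for the first lookup: find the entry for the login name."""
    return settings["user_search_base"], render_filter(settings["user_search_filter"], username)


def group_search(settings: dict, user_dn: str) -> tuple:
    """Base and filter for the second lookup: groups listing the user's DN as a member."""
    return settings["group_search_base"], render_filter(settings["group_search_filter"], user_dn)


def check_settings(settings: dict) -> list:
    """Return a list of problems; an empty list means the form values look usable."""
    problems = []
    parts = urlsplit(settings["server_url"])
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append("Server URL must start with ldap:// or ldaps://")
    elif parts.scheme == "ldap":
        # The form describes ldap:// as an unencrypted connection: the bind
        # password and every user's password would cross the network in clear.
        problems.append("ldap:// is unencrypted; prefer ldaps:// with a trusted server certificate")
    if not parts.hostname:
        problems.append("Server URL has no host")
    for field in ("user_search_filter", "group_search_filter"):
        if "{0}" not in settings[field]:
            problems.append(f"{field} must contain the {{0}} placeholder")
    for field in ("bind_dn", "user_search_base", "group_search_base"):
        if "=" not in settings[field]:
            problems.append(f"{field} does not look like a distinguished name")
    return problems


if __name__ == "__main__":
    print("problems:", check_settings(SETTINGS) or "none")
    base, flt = user_search(SETTINGS, "Smith")
    print(f"user search: base={base} filter={flt}")
    base, flt = user_search(SETTINGS, "*)(uid=*")
    print(f"hostile login name, escaped: base={base} filter={flt}")
    base, flt = group_search(SETTINGS, "cn=Smith,ou=Users,dc=example,dc=com")
    print(f"group search: base={base} filter={flt}")
```

The group filter takes the DN returned by the user search, not the login name, which is why the two templates use the same `{0}` placeholder but receive different values; the Knowledge Base article referenced in step 8 covers testing the filters against the live directory.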
