Pivotal Cloud Foundry v1.7

Adding Existing SAML or LDAP Users to a Pivotal Cloud Foundry Deployment

Page last updated:

This topic describes the procedure for adding existing SAML or LDAP users to a Pivotal Cloud Foundry (PCF) deployment enabled with SAML or LDAP.

Note: You must have admin access to the PCF Ops Manager Installation Dashboard for your deployment to complete the procedure described here.

Step 1: Add SAML or LDAP Users

Note: Do not create new users in Elastic Runtime via the Cloud Foundry command line interface (cf CLI), by UAAC, or by using invitations in Apps Manager. This will create a user identity in the internal user store separate from the SAML or LDAP user identity. Instead, follow the procedure described below.

There are two ways to add existing SAML or LDAP users to your PCF deployment:

  • In bulk, using the UAA Bulk Import Tool. See the README for instructions on installing and using the tool.

  • Individually, through the CF CLI, as described below:

    1. Each existing SAML or LDAP user must log in to Apps Manager or to the cf CLI using their SAML (by entering cf login --sso) or LDAP credentials. Users will not have access to any org or space until these are granted by an Org or Space Manager.
    2. The PCF Admin must log in to the cf CLI and associate the user with the desired org and space roles. See Org and App Space Roles.

(Advanced Option) Integrate with Enterprise Identity Management System

If your organization uses an Enterprise Identity Management System for centralized provisioning and deprovisioning of users, you can use the Users API and Organizations API to write a connector to manage users and permissions in Elastic Runtime.

Step 2: Create User

  1. Create the user in UAA by running the following command. Replace ‘EXAMPLE-USERNAME’ with the username of the SAML or LDAP user you wish to add.

    • For LDAP, set user origin to ldap.
      $ uaac curl -H "Content-Type: application/json" -k /Users -X POST -d '{"userName":"EXAMPLE-USERNAME", "emails":[{"value":""}], "origin":"ldap","externalId":"cn=EXAMPLE-USERNAME,ou=Users,dc=test,dc=com"}'
    • For SAML, set user origin to the SAML identity provider name set in the Elastic Runtime tile under Authentication and Enterprise SSO.
      $ uaac curl -H "Content-Type: application/json" -k /Users -X POST -d '{"userName":"EXAMPLE-USERNAME", "emails":[{"value":""}], "origin":"YOUR-SAML-PROVIDER","externalId":"EXAMPLE-USERNAME"}'
  2. Use the Users API to create a User record in the Cloud Controller Database with the existing user’s SAML or LDAP GUID.

    $ curl "https://api.YOUR-DOMAIN/v2/users" -d '{
    "guid": "YOUR-USER-GUID"
    }' -X POST \
    -H "Authorization: bearer YOUR-BEARER-TOKEN" \
    -H "Host: YOUR-HOST-URL" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Cookie: "

Step 3: Provide User Access to Orgs

Associate the user with the appropriate orgs in your Elastic Runtime deployment, using the Organizations API.

Step 4: Associate User with Space or Org Role

Users can be given Space and Org roles using the following API calls:

Create a pull request or raise an issue on the source for this page in GitHub