UAA Overview

Page last updated:

Warning: Pivotal Cloud Foundry (PCF) v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

User Account and Authentication (UAA) is an open source identity server project under the Cloud Foundry (CF) Foundation.

UAA provides enterprise-scale identity management features. For example, it is used by the following commercial services:

What is UAA?

UAA provides identity-based security for applications and APIs. It supports open standards for authentication and authorization, including the following:

  • OAuth
  • OpenID Connect
  • SAML
  • LDAP
  • SCIM

The major features of UAA include the following:

  • User Single Sign-On (SSO) using federated identity protocols
  • API security with OAuth
  • User and group management
  • Multi-tenancy support
  • Support for JWT and opaque as a token format
  • Token revocation
  • Operational flexibility
    • Operate and run as a BOSH release, which allows multi-cloud deployment capabilities
    • Push as an app to Cloud Foundry
  • Database flexibility, including support for MySQL, Postgres, and SQL Server
  • Auditing, logging, and monitoring
  • Token exchange for SAML and JWT bearers
  • Rest APIs for authentication, authorization, and configuration management

UAA Architecture

UAA architecture diagram

Protocol Purpose Profiles
OAuth 2.0 Authorizes apps and APIs Authorization Server
Relying Party
OpenID Connect 1.0 Federates to external identity providers for SSO
Acts as an identity provider for SSO
Identity Provider
Relying Party
SAML 2.0 Federates to external identity providers for SSO
Acts as an identity provider for SSO
Identity Provider
Service Provider
LDAP Authenticate users in external user store LDAP Client
SCIM 1.0 User and group management Identity Provisioning

Client-Side Tools and Libraries

Name Language
Spring Security OAuth Java
CF Java Client Java
UAA Javascript SDK (Singular) JS

The Role of UAA in Securing Cloud Foundry

Cloud Foundry relies on UAA for its identity and access management requirements. UAA secures user and system access to Cloud Foundry installations.

Since Cloud Foundry is primarily used in the enterprise context, UAA supports enterprise SSO workflows. If a user has already authenticated against the enterprise identity provider, they can access Cloud Foundry without re-entering credentials.

Some of the major components of Cloud Foundry that use UAA include the following:

  • Cloud Controller
  • Gorouter
  • Loggregator
  • Container Networking

Each of these components expose APIs for user and system interaction. UAA uses OAuth to secure the APIs exposed by core Cloud Foundry components.

UAA secures many different CF components, including the following:

  • CF CLI
  • Cloud Controller
  • Loggregator
  • Notifications
  • Gorouter
  • Container Networking
  • Diego
  • Operations Manager/BOSH Director
  • Autoscaler