UAA Overview

Page last updated:

Warning: Pivotal Cloud Foundry (PCF) v2.5 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

User Account and Authentication (UAA) is an open source identity server project under the Cloud Foundry (CF) Foundation.

UAA provides enterprise-scale identity management features. For example, it is used by the following commercial services:

What Is UAA?

UAA provides identity-based security for apps and APIs. It supports open standards for authentication and authorization, including:

  • OAuth
  • OpenID Connect
  • SAML
  • LDAP
  • SCIM

The major features of UAA include:

  • User Single Sign-On (SSO) using federated identity protocols
  • API security with OAuth
  • User and group management
  • Multi-tenancy support
  • Support for JWT and opaque as a token format
  • Token revocation
  • Operational flexibility
    • Operate and run as a BOSH release, which allows multi-cloud deployment capabilities
    • Push as an app to PAS
  • Database flexibility, including support for MySQL and Postgres
  • Auditing, logging, and monitoring
  • Token exchange for SAML and JWT bearers
  • Rest APIs for authentication, authorization, and configuration management

UAA Architecture

UAA architecture diagram

Protocol Purpose Profiles
OAuth 2.0 Authorizes apps and APIs Authorization Server,
Relying Party
OpenID Connect 1.0 Federates to external identity providers for SSO
Acts as an identity provider for SSO
Identity Provider,
Relying Party
SAML 2.0 Federates to external identity providers for SSO
Acts as an identity provider for SSO
Identity Provider,
Service Provider
LDAP Authenticate users in external user store LDAP Client
SCIM 1.0 User and group management Identity Provisioning

Client-Side Tools and Libraries

Name Language
UAAC
CF-UAA-LIB
Ruby
Spring Security OAuth Java
CF Java Client Java
UAA Javascript SDK (Singular) JS

The Role of UAA in Securing PAS

PAS relies on UAA for its identity and access management requirements. UAA secures user and system access to PAS installations.

Since PAS is primarily used in the enterprise context, UAA supports enterprise SSO workflows. If a user has already authenticated against the enterprise identity provider, they can access PAS without re-entering credentials.

Some of the major components of PAS that use UAA include:

  • Cloud Controller
  • Gorouter
  • Loggregator
  • Container networking

Each of these components expose APIs for user and system interaction. UAA uses OAuth to secure the APIs exposed by core PAS components.

UAA secures many different CF components, including:

  • CF CLI
  • Cloud Controller
  • Loggregator
  • Notifications
  • Gorouter
  • Container Networking
  • Diego
  • Operations Manager/BOSH Director
  • Autoscaler