UAA Overview

User Account and Authentication (UAA) is an open-source identity server project under the Cloud Foundry (CF) Foundation.

UAA provides enterprise-scale identity management features. For example, it is used by these commercial services:

What Is UAA?

UAA provides identity-based security for apps and APIs. It supports open standards for authentication and authorization, including:

  • OAuth
  • OpenID Connect
  • SAML
  • LDAP
  • SCIM

The major features of UAA include:

  • User Single Sign-On (SSO) using federated identity protocols
  • API security with OAuth
  • User and group management
  • Multi-tenancy support
  • Support for both JWT and opaque token formats
  • Token revocation
  • Operational flexibility
    • Operate and run as a BOSH release, which allows multi-cloud deployment capabilities
    • Push as an app to PAS
  • Database flexibility, including support for MySQL and Postgres
  • Auditing, logging, and monitoring
  • Token exchange for SAML and JWT bearers
  • REST APIs for authentication, authorization, and configuration management

UAA Architecture

The diagram below illustrates the architecture of UAA:

UAA architecture diagram

The list below describes the protocols UAA can use, with the purpose of each and the profiles UAA implements for it:

  • OAuth 2.0
    • Purpose: Authorizes apps and APIs
    • Profiles: Authorization Server, Relying Party
  • OpenID Connect 1.0
    • Purpose: Federates to external identity providers (IDPs) and acts as an IDP for SSO
    • Profiles: Identity Provider, Relying Party
  • SAML 2.0
    • Purpose: Federates to external IDPs and acts as an IDP for SSO
    • Profiles: Identity Provider, Service Provider
  • LDAP
    • Purpose: Authenticates users in an external user store
    • Profiles: LDAP Client
  • SCIM 1.0
    • Purpose: Manages users and groups
    • Profiles: Identity Provisioning

Client-Side Tools and Libraries

The list below gives the client-side tools and libraries available for working with UAA, with the language each is written in:

  • UAAC: Ruby
  • CF-UAA-LIB: Ruby
  • Spring Security OAuth: Java
  • CF Java Client: Java
  • UAA Javascript SDK (Singular): JS

The Role of UAA in Securing PAS

PAS relies on UAA for its identity and access management requirements. UAA secures user and system access to PAS installations.

Since PAS is primarily used in the enterprise context, UAA supports enterprise SSO workflows. If a user has already authenticated against the enterprise IDP, they can access PAS without re-entering credentials.

Some of the major components of PAS that use UAA include:

  • Cloud Controller
  • Gorouter
  • Loggregator
  • Container networking

Each of these components exposes APIs for user and system interaction. UAA uses OAuth to secure the APIs exposed by core PAS components: a caller presents a UAA-issued bearer token, and the component accepts the request only if that token is valid for it.
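The check a UAA-protected PAS API performs on an incoming OAuth bearer token, as an added Python example (not UAA or PAS code): it pins the signature algorithm, verifies the signature, and then checks the UAA claims a resource server cares about (iss, exp, aud, scope, and jti against a revocation list). To stay self-contained it assumes an HS256 secret and a hypothetical issuer URL; a real deployment verifies against the keys UAA publishes at /token_keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example. A real PAS resource server would load its
# verification key from UAA's /token_keys endpoint; this HS256 secret is a stand-in.
UAA_ISSUER = "https://uaa.example.com/oauth/token"   # hypothetical issuer URL
SIGNING_KEY = b"constructed-example-key"
REVOKED_JTI = {"revoked-0001"}   # stand-in for UAA's token revocation state

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, key=SIGNING_KEY):
    """Build an HS256 JWT carrying UAA-style claims (test helper standing in for UAA)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_bearer(token, resource_id, required_scope, now, key=SIGNING_KEY):
    """Checks a UAA-protected API makes before serving a request.
    Returns (claims, None) on success or (None, reason) on rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never let the token's own header choose how it is verified.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != UAA_ISSUER:
        return None, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    if resource_id not in claims.get("aud", []):      # UAA lists each resource id in aud
        return None, "token not issued for this resource"
    if required_scope not in claims.get("scope", []):  # UAA's scope claim is a list
        return None, "missing scope " + required_scope
    if claims.get("jti") in REVOKED_JTI:
        return None, "token revoked"
    return claims, None
```

A token minted for cloud_controller is rejected by a component such as Loggregator because its own resource id is absent from aud, which is how one UAA token cannot be replayed across PAS components.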

UAA secures many different PAS components, including:

  • Cloud Foundry Command Line Interface (cf CLI)
  • Cloud Controller
  • Loggregator
  • Notifications
  • Gorouter
  • Container Networking
  • Diego
  • BOSH Director
  • Autoscaler