Adding Existing SAML or LDAP Users to an Ops Manager Deployment

This topic describes the procedure for adding existing SAML or LDAP users to an Ops Manager deployment enabled with SAML or LDAP.

There are two ways to add existing SAML or LDAP users to your Ops Manager deployment: import them in bulk with the CF-MGMT tool (Option 1), or add them one at a time with the cf CLI (Option 2).

Prerequisites

To perform the procedures in this topic, you must have:

  • An Ops Manager deployment that is already configured to authenticate users with SAML or LDAP.
  • The cf CLI installed on the machine from which you run the commands.
  • Credentials for an account with the Admin user role.

Option 1: Import Users in Bulk

You can import SAML or LDAP users in bulk by using the CF-MGMT Tool. For instructions about installing and using the tool, see the CF-MGMT README.

Option 2: Add Users Manually

The following sections describe how to add existing SAML or LDAP users to your Ops Manager deployment manually.

Step 1: Create User

To add a SAML or LDAP user:

  1. Target the API endpoint for your Ops Manager deployment by running:

    cf target https://api.SYSTEM-DOMAIN
    

    Where SYSTEM-DOMAIN is your system domain.

  2. Run:

    cf login
    
  3. Provide credentials for an account with the Admin user role. For more information about the Admin user role, see Roles and Permissions in Orgs, Spaces, Roles, and Permissions.

  4. Create the user in UAA by running:

    cf create-user USERNAME --origin PROVIDER-NAME
    

    Where:

    • USERNAME is the username of the SAML or LDAP user you want to add.
    • PROVIDER-NAME is ldap for an LDAP user, or the name of the SAML provider you provided when configuring Ops Manager for a SAML user. The value must match that origin name exactly. If you omit --origin, cf create-user creates a local, password-backed UAA user instead of a reference to the external identity, so the SAML or LDAP login will not map to it. USERNAME must also be the username that the identity provider asserts for the user, because UAA matches external users on the combination of username and origin at login.

Step 2: Associate User with Org or Space Role

Creating the user in UAA only allows the identity provider to authenticate it; the user has no access to any org or space until you assign a role. After creating the SAML or LDAP user, associate the user with an Org role, a Space role, or both.

For more information about roles, see Roles and Permissions in Orgs, Spaces, Roles, and Permissions.

Associate User with Org Role

To associate the SAML or LDAP user with an Org role:

  1. Run:

    cf set-org-role USERNAME ORG ROLE
    

    Where:

    • USERNAME is the name of the SAML or LDAP user.
    • ORG is the name of your org.
    • For ROLE, enter one of the following:
      • OrgManager: Org Managers can invite and manage users, select and change plans, and set spending limits.
      • BillingManager: Billing Managers can create and manage the billing account and payment information.
      • OrgAuditor: Org Auditors have read-only access to Org information and reports.

    For example:

    cf set-org-role j.smith@example.com example-org OrgManager
    

Associate User with Space Role

To associate the SAML or LDAP user with a Space role:

  1. Run:

    cf set-space-role USERNAME ORG SPACE ROLE
    

    Where:

    • USERNAME is the name of the SAML or LDAP user.
    • ORG is the name of your org.
    • SPACE is the name of a space in your org.
    • For ROLE, enter one of the following:
      • SpaceManager: Space Managers can invite and manage users, and enable features for a given Space.
      • SpaceDeveloper: Space Developers can create and manage apps and services, and see logs and reports.
      • SpaceAuditor: Space Auditors can view logs, reports, and settings on this Space.

    For example:

    cf set-space-role j.smith@example.com example-org example-space SpaceDeveloper
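The manual procedure above (Step 1 and Step 2) as one checked script. This is an added example, not part of the original page or of the Ops Manager tooling: it wraps the same cf CLI commands in a function that refuses an empty origin (which would otherwise create a local UAA user rather than a shadow of the SAML or LDAP identity) and rejects role names that cf set-org-role and cf set-space-role do not accept. It assumes the cf CLI is installed and you have already run cf target and cf login as an Admin; the names j.smith@example.com, example-org and example-space are placeholders, as on the page.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): add an existing SAML or LDAP
# user to UAA and grant it one Org role and one Space role in a single run.
# Assumes: cf CLI installed and already logged in to the API endpoint as
# an Admin. All user, org and space names below are placeholders.

set -eu

# Roles accepted by cf set-org-role and cf set-space-role.
ORG_ROLES="OrgManager BillingManager OrgAuditor"
SPACE_ROLES="SpaceManager SpaceDeveloper SpaceAuditor"

# in_list NEEDLE "WORD WORD ..." -> 0 if NEEDLE is one of the words
in_list() {
  needle=$1
  shift
  for word in $1; do
    [ "$word" = "$needle" ] && return 0
  done
  return 1
}

# add_external_user USERNAME ORIGIN ORG ORG_ROLE SPACE SPACE_ROLE
# ORIGIN is "ldap" for an LDAP user or the SAML provider name configured
# in Ops Manager. Returns 2 without calling cf if the arguments are unsafe.
add_external_user() {
  username=$1 origin=$2 org=$3 org_role=$4 space=$5 space_role=$6

  # Without --origin, cf create-user makes a local password-backed account
  # in the uaa origin, which the IdP login would never map to. Refuse that.
  if [ -z "$origin" ]; then
    echo "refusing to create $username: origin must be ldap or the SAML provider name" >&2
    return 2
  fi
  in_list "$org_role" "$ORG_ROLES" || {
    echo "unknown org role: $org_role (expected one of: $ORG_ROLES)" >&2
    return 2
  }
  in_list "$space_role" "$SPACE_ROLES" || {
    echo "unknown space role: $space_role (expected one of: $SPACE_ROLES)" >&2
    return 2
  }

  # Step 1: create the user in UAA, bound to the external origin.
  cf create-user "$username" --origin "$origin"
  # Step 2: grant access; set-org-role also makes the user a member of the org.
  cf set-org-role "$username" "$org" "$org_role"
  cf set-space-role "$username" "$org" "$space" "$space_role"
}

# Run directly with six arguments, e.g.:
#   ./add-external-user.sh j.smith@example.com ldap example-org OrgAuditor example-space SpaceDeveloper
if [ $# -eq 6 ]; then
  add_external_user "$@"
fi
```

After the script finishes, `cf org-users example-org` and `cf space-users example-org example-space` show the new user under the granted roles; if the user is missing from `cf org-users`, check that the origin you passed matches the one configured in Ops Manager rather than re-running create-user.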