uaa job from uaa/32

The UAA is the identity management service for Cloud Foundry. It's primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.

Github source: 2cd642f4 or master branch

Properties¶

env¶

http_proxy¶

The http_proxy across the VMs used for all requests over http

Example

http://test.proxy:8080

https_proxy¶

The http_proxy across the VMs used for all requests over https

Example

http://test.proxy:8080

no_proxy¶

Set No_Proxy across the VMs

Example

localhost,127.0.0.0/8,127.0.1.1

login¶

analytics¶

code¶

Google analytics code. If Google Analytics is desired set both login.analytics.code and login.analytics.domain

domain¶

Google analytics domain. If Google Analytics is desired set both login.analytics.code and login.analytics.domain

asset_base_url¶

Deprecated in favor of branding properties. Base url for static assets, allows custom styling of the login server. Use ‘/resources/pivotal’ for Pivotal style.

Default

/resources/oss

branding¶

company_name¶

This name is used on the UAA Pages and in account management related communication in UAA

footer_legal_text¶

This text appears on the footer of all UAA pages

footer_links¶

These links appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.

Example

linkDisplayName: linkDisplayUrl

product_logo¶

This is a base64 encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.

square_logo¶

This is a base64 encoded PNG image which will be used as the favicon for the UAA pages

home_redirect¶

URL for configuring a custom home page

idpDiscoveryEnabled¶

IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider. This property will also enable a list of selectable accounts that have signed in via the browser.

Default

false

links¶

A hash of home/passwd/signup URLS (see commented examples below)

passwd¶

URL for requesting password reset

Default

/forgot_password

signup¶

URL for requesting to signup/register for an account

Default

/create_account

logout¶

redirect¶

parameter¶

disable¶

When set to false, this allows an operator to leverage an open redirect on the UAA (/logout.do?redirect=google.com). No open redirect enabled

Default

true

whitelist¶

A list of URLs. When this list is non null, including empty, and disable=false, logout redirects are allowed, but limited to the whitelist URLs. If a redirect parameter value is not white listed, redirect will be to the default URL.

url¶

The Location of the redirect header following a logout of the the UAA (/logout.do).

Default

/login

messages¶

A nested or flat hash of messages that the login server uses to display UI message This will be flattened into a java.util.Properties file. The example below will lead to four properties, where the key is the concatenated value delimited by dot, for example scope.tokens.read=message

Example

messages:
  scope:
    tokens:
      read: View details of your approvals you have granted to this and other applications
      write: Cancel the approvals like this one that you have granted to this and
        other applications
scope.tokens.read: View details of your approvals you have granted to this and other
  applications
scope.tokens.write: Cancel the approvals like this one that you have granted to this
  and other applications

notifications¶

url¶

The url for the notifications service (configure to use Notifications Service instead of SMTP server)

oauth¶

providers¶

Contains a hash of OpenID Connect/Oauth Identity Providers, the key will be used as the origin key for that provider, followed by key/value pairs. Presence of the userInfoUrl will mark it as an OpenID provider instead of OAuth.

Example

my-oauth-provider:
  addShadowUserOnLogin: true
  attributeMappings:
    external_groups:
    - <attribute holding roles or group memberships in the OIDC id_token>
    - <other attribute holding roles or group memberships in the OIDC id_token>
    family_name: <Attribute holding family name in the OIDC ID Token>
    given_name: <Attribute holding given name in the OIDC ID Token>
    user:
      attribute:
        name-of-attribute-in-uaa-id-token: name-of-attribute-in-provider-token
        name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-provider-token
    user_name: <Attribute holding username in the OIDC ID Token>
  authUrl: <URL to the authorize endpoint of the provider>
  issuer: <optional - if the issuer URL is different than tokenUrl URL>
  linkText: My Oauth Provider
  relyingPartyId: <OIDC Client ID>
  relyingPartySecret: <OIDC Client secret>
  scopes:
  - openid
  - <other scope>
  showLinkText: true
  skipSslValidation: false
  tokenKey: <Token verification key>
  tokenKeyUrl: <URL for token verification. Will be used if tokenKey is not specified.>
  tokenUrl: <URL to the token endpoint of the provider>
  type: oidc1.0

prompt¶

password¶

text¶

The text used to prompt for a password during login

Default

Password

username¶

text¶

The text used to prompt for a username during login

Default

Email

protocol¶

Scheme to use for HTTP communication (http/https)

Default

https

saml¶

entity_base_url¶

The URL for which SAML identity providers will post assertions to. If set it overrides the default. This URL should NOT have the schema (http:// or https:// prefix in it) instead just the hostname. The schema is derived by #{login.protocol} property. The default value is #{uaa.url}.replaceFirst(‘uaa’,‘login’), typically login.example.com The UAA will display this link in the cf –sso call if there is a SAML provider enabled.

entityid¶

This is used as the SAML Service Provider Entity ID. Each zone has a unique entity ID. Zones other than the default zone will derive their entity ID from this setting by prefexing it with the subdomain.

providers¶

Contains a hash of SAML Identity Providers, the key is the IDP Alias, followed by key/value pairs. To learn more about how to setup a saml identity provider go to https://simplesamlphp.org

Example

my-identity-provider:
  assertionConsumerIndex: 0
  groupMappingMode: AS_SCOPES
  iconUrl: https://my.identityprovider.com/icon.png
  idpMetadata: http://my.identityprovider.com/saml2/idp/metadata.php
  linkText: Log in with My Saml Identity Provider
  metadataTrustCheck: false
  nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  showSamlLoginLink: true
  signMetaData: false
  signRequest: false
  skipSslValidation: false

serviceProviderCertificate¶

Service provider certificate.

Example

|+
  -----BEGIN CERTIFICATE-----
  MIIEJTCCA46gAwIBAgIJANIqfxWTfhpkMA0GCSqGSIb3DQEBBQUAMIG+MQswCQYD
  VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j
  aXNjbzEdMBsGA1UEChMUUGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Ns
  b3VkIEZvdW5kcnkgSWRlbnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2Yt
  YXBwLmNvbTEfMB0GCSqGSIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzAeFw0xNTA1
  MTQxNzE5MTBaFw0yNTA1MTExNzE5MTBaMIG+MQswCQYDVQQGEwJVUzETMBEGA1UE
  CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEdMBsGA1UEChMU
  UGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Nsb3VkIEZvdW5kcnkgSWRl
  bnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2YtYXBwLmNvbTEfMB0GCSqG
  SIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
  gYkCgYEA30y2nX+kICXktl1yJhBzLGvtTuzJiLeOMWi++zdivifyRqX1dwJ5MgdO
  sBWdNrASwe4ZKONiyLFRDsk7lAYq3f975chxSsrRu1BLetBZfPEmwBH7FCTdYtWk
  lJbpz0vzQs/gSsMChT/UrN6zSJhPVHNizLxstedyxxVVts644U8CAwEAAaOCAScw
  ggEjMB0GA1UdDgQWBBSvWY/TyHysYGxKvII95wD/CzE1AzCB8wYDVR0jBIHrMIHo
  gBSvWY/TyHysYGxKvII95wD/CzE1A6GBxKSBwTCBvjELMAkGA1UEBhMCVVMxEzAR
  BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xHTAbBgNV
  BAoTFFBpdm90YWwgU29mdHdhcmUgSW5jMSQwIgYDVQQLExtDbG91ZCBGb3VuZHJ5
  IElkZW50aXR5IFRlYW0xHDAaBgNVBAMTE2lkZW50aXR5LmNmLWFwcC5jb20xHzAd
  BgkqhkiG9w0BCQEWEG1hcmlzc2FAdGVzdC5vcmeCCQDSKn8Vk34aZDAMBgNVHRME
  BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAL5j1JCN5EoXMOOBSBUL8KeVZFQD3Nfy
  YkYKBatFEKdBFlAKLBdG+5KzE7sTYesn7EzBISHXFz3DhdK2tg+IF1DeSFVmFl2n
  iVxQ1sYjo4kCugHBsWo+MpFH9VBLFzsMlP3eIDuVKe8aPXFKYCGhctZEJdQTKlja
  lshe50nayKrT
  -----END CERTIFICATE----

serviceProviderKey¶

Private key for the service provider certificate.

Example

|+
  -----BEGIN RSA PRIVATE KEY-----
  MIICXgIBAAKBgQDfTLadf6QgJeS2XXImEHMsa+1O7MmIt44xaL77N2K+J/JGpfV3
  AnkyB06wFZ02sBLB7hko42LIsVEOyTuUBird/3vlyHFKytG7UEt60Fl88SbAEfsU
  JN1i1aSUlunPS/NCz+BKwwKFP9Ss3rNImE9Uc2LMvGy153LHFVW2zrjhTwIDAQAB
  AoGBAJDh21LRcJITRBQ3CUs9PR1DYZPl+tUkE7RnPBMPWpf6ny3LnDp9dllJeHqz
  a3ACSgleDSEEeCGzOt6XHnrqjYCKa42Z+Opnjx/OOpjyX1NAaswRtnb039jwv4gb
  RlwT49Y17UAQpISOo7JFadCBoMG0ix8xr4ScY+zCSoG5v0BhAkEA8llNsiWBJF5r
  LWQ6uimfdU2y1IPlkcGAvjekYDkdkHiRie725Dn4qRiXyABeaqNm2bpnD620Okwr
  sf7LY+BMdwJBAOvgt/ZGwJrMOe/cHhbujtjBK/1CumJ4n2r5V1zPBFfLNXiKnpJ6
  J/sRwmjgg4u3Anu1ENF3YsxYabflBnvOP+kCQCQ8VBCp6OhOMcpErT8+j/gTGQUL
  f5zOiPhoC2zTvWbnkCNGlqXDQTnPUop1+6gILI2rgFNozoTU9MeVaEXTuLsCQQDC
  AGuNpReYucwVGYet+LuITyjs/krp3qfPhhByhtndk4cBA5H0i4ACodKyC6Zl7Tmf
  oYaZoYWi6DzbQQUaIsKxAkEA2rXQjQFsfnSm+w/9067ChWg46p4lq5Na2NpcpFgH
  waZKhM1W0oB8MX78M+0fG3xGUtywTx0D4N7pr1Tk2GTgNw==
  -----END RSA PRIVATE KEY-----

serviceProviderKeyPassword¶

Passphrase for the service provider private key.

Default

""

Example

""

signMetaData¶

Global property to sign Local/SP metadata

Default

true

signRequest¶

Global property to sign Local/SP requests

Default

true

signatureAlgorithm¶

Signature hashing algorithm for SAML. Can be SHA1, SHA256, or SHA512.

Example

SHA256

socket¶

connectionManagerTimeout¶

Timeout in milliseconds for connection pooling for SAML metadata HTTP requests

Default

10000

soTimeout¶

Read timeout in milliseconds for SAML metadata HTTP requests

Default

10000

wantAssertionSigned¶

Global property to request that external IDPs sign their SAML assertion before sending them to the UAA

Default

true

self_service_links_enabled¶

Enable self-service account creation and password resets links.

Default

true

smtp¶

SMTP server configuration, for password reset emails etc.

auth¶

If true, authenticate using AUTH command. https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html

Default

false

from_address¶

SMTP from address

host¶

SMTP server host address

Default

localhost

password¶

SMTP server password

port¶

SMTP server port

Default

2525

starttls¶

If true, send STARTTLS command before login to server. https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html

Default

false

user¶

SMTP server username

url¶

Set if you have an external login server. The UAA uses this link on by its email service to create links The UAA uses this as a base domain for internal hostnames so that subdomain can be detected This defaults to the uaa.url property, and if not set, to login.

uaa¶

admin¶

client_secret¶

Secret of the admin client - a client named admin with uaa.admin as an authority

authentication¶

policy¶

countFailuresWithinSeconds¶

Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked

Default

1200

global¶

countFailuresWithinSeconds¶

Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked

Default

3600

lockoutAfterFailures¶

Number of allowed failures before account is locked

Default

5

lockoutPeriodSeconds¶

Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded

Default

300

lockoutAfterFailures¶

Number of allowed failures before account is locked

Default

5

lockoutPeriodSeconds¶

Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded

Default

300

catalina_opts¶

The options used to configure Tomcat

Default

-Xmx768m -XX:MaxMetaspaceSize=256m

clients¶

List of OAuth2 clients that the UAA will be bootstrapped with

Example

app:
  app-icon: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAD1BMVEWZttQvMDEoKisqKywAAAApvvoVAAAAGElEQVQYlWNgYUQBLAxMDCiAeXgLoHsfAD03AHOyfqy1AAAAAElFTkSuQmCC
  app-launch-url: http://myapppage.com
  authorities: test_resource.test_action
  authorized-grant-types: authorization_code,client_credentials,refresh_token
  autoapprove:
  - test_resource.test_action
  - test_resource.other_action
  id: app
  override: true
  redirect-uri: http://login.example.com
  scope: test_resource.test_action,test_resource.other_action
  secret: app-secret
  show-on-homepage: true
login:
  app-icon: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAD1BMVEWZttQvMDEoKisqKywAAAApvvoVAAAAGElEQVQYlWNgYUQBLAxMDCiAeXgLoHsfAD03AHOyfqy1AAAAAElFTkSuQmCC
  app-launch-url: http://myloginpage.com
  authorities: test_resource.test_action
  authorized-grant-types: authorization_code,client_credentials,refresh_token
  autoapprove: true
  id: login
  override: true
  redirect-uri: http://login.example.com
  scope: test_resource.test_action
  secret: some-secret
  show-on-homepage: true

database¶

abandoned_timeout¶

Timeout in seconds for the longest running queries. Take into DB migrations for this timeout as they may run during a long period of time.

Default

300

case_insensitive¶

Set to true if you don’t want to be using LOWER() SQL functions in search queries/filters, because you know that your DB is case insensitive. If this property is null, then it will be set to true if the UAA DB is MySQL and false otherwise, but even on MySQL you can override it by setting it explicitly to false

log_abandoned¶

Should connections that are forcibly closed be logged.

Default

true

max_connections¶

The max number of open connections to the DB from a running UAA instance

Default

100

max_idle_connections¶

The max number of open idle connections to the DB from a running UAA instance

Default

10

min_idle_connections¶

The min number of open idle connections to the DB from a running UAA instance

Default

0

remove_abandoned¶

True if connections that are left open longer then abandoned_timeout seconds during a session(time between borrow and return from pool) should be forcibly closed

Default

false

delete¶

Contains a map of actions, each with a list of IDs. Possible delete actions are ‘users’ and ‘clients’. These will be deleted in the database (default zone). Unrecognized map keys will be ignored

Example

|+
  clients:
    - client-to-be-deleted-1
    - client-to-be-deleted-2
  users:
    - user-to-be-deleted-1
    - user-to-be-deleted-2

disableInternalAuth¶

Disables internal user authentication

Default

false

disableInternalUserManagement¶

Disables UI and API for internal user management

Default

false

issuer¶

The url to use as the issuer URI

jwt¶

claims¶

exclude¶

List of claims to exclude from the JWT-based OAuth2 tokens.

Example

- authorities

policy¶

accessTokenValiditySeconds¶

The access token validity for the default zone if nothing is configured on the client. Will override global validity policies for the default zone only.

Default

43200

active_key_id¶

The ID of the JWT signing key to be used when signing tokens.

Example

key-1

global¶

accessTokenValiditySeconds¶

The global access token validity for all zones if nothing is configured on the client

Default

43200

refreshTokenValiditySeconds¶

The global refresh token validity for all zones if nothing is configured on the client

Default

2.592e+06

keys¶

Map of key IDs and signing keys, each defined with a property signingKey.

Example

key-1:
  signingKey: |+
    -----BEGIN RSA PRIVATE KEY-----
    MIICXgIBAAKBgQDfTLadf6QgJeS2XXImEHMsa+1O7MmIt44xaL77N2K+J/JGpfV3
    AnkyB06wFZ02sBLB7hko42LIsVEOyTuUBird/3vlyHFKytG7UEt60Fl88SbAEfsU
    JN1i1aSUlunPS/NCz+BKwwKFP9Ss3rNImE9Uc2LMvGy153LHFVW2zrjhTwIDAQAB
    AoGBAJDh21LRcJITRBQ3CUs9PR1DYZPl+tUkE7RnPBMPWpf6ny3LnDp9dllJeHqz
    a3ACSgleDSEEeCGzOt6XHnrqjYCKa42Z+Opnjx/OOpjyX1NAaswRtnb039jwv4gb
    RlwT49Y17UAQpISOo7JFadCBoMG0ix8xr4ScY+zCSoG5v0BhAkEA8llNsiWBJF5r
    LWQ6uimfdU2y1IPlkcGAvjekYDkdkHiRie725Dn4qRiXyABeaqNm2bpnD620Okwr
    sf7LY+BMdwJBAOvgt/ZGwJrMOe/cHhbujtjBK/1CumJ4n2r5V1zPBFfLNXiKnpJ6
    J/sRwmjgg4u3Anu1ENF3YsxYabflBnvOP+kCQCQ8VBCp6OhOMcpErT8+j/gTGQUL
    f5zOiPhoC2zTvWbnkCNGlqXDQTnPUop1+6gILI2rgFNozoTU9MeVaEXTuLsCQQDC
    AGuNpReYucwVGYet+LuITyjs/krp3qfPhhByhtndk4cBA5H0i4ACodKyC6Zl7Tmf
    oYaZoYWi6DzbQQUaIsKxAkEA2rXQjQFsfnSm+w/9067ChWg46p4lq5Na2NpcpFgH
    waZKhM1W0oB8MX78M+0fG3xGUtywTx0D4N7pr1Tk2GTgNw==
    -----END RSA PRIVATE KEY-----

refreshTokenValiditySeconds¶

The refresh token validity for the default zone if nothing is configured on the client. Will override global validity policies for the default zone only.

Default

2.592e+06

refresh¶

format¶

The format for the refresh token. Allowed values are jwt, opaque

Default

jwt

restrict_grant¶

Disallows refresh-token grant for any client for which the user has not approved the uaa.offline_token scope

Default

false

unique¶

If true, uaa will only issue one refresh token per client_id/user_id combination

Default

false

revocable¶

Set to true if you wish that even JWT tokens become individually revocable and stored in the UAA token storage. This setting applies to the default zone only.

Default

false

signing_key¶

Deprecated. Use uaa.jwt.policy.keys. The key used to sign the JWT-based OAuth2 tokens.

verification_key¶

Deprecated. The key used to verify JWT-based OAuth2 tokens. If you are specifying your signing key(s) under uaa.jwt.policy.keys, the verification key does not need to be specified.

ldap¶

add_shadow_user_on_login¶

If set to false, only users pre-populated in the UAA user database will be allowed to authenticate via LDAP. If set to true, any user from LDAP will be allowed to authenticate and an internal user will be created if one does not yet exist.

Default

true

attributeMappings¶

Specifies how UAA user attributes map to LDAP attributes. given_name, family_name, and phone_number are UAA user attributes, while other attributes should be included using the prefix user.attribute

Example

family_name: sn
given_name: givenName
phone_number: telephoneNumber
user.attribute.name-of-attribute-in-uaa-id-token: name-of-attribute-in-ldap-record
user.attribute.name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-ldap-record

emailDomain¶

Sets the whitelist of emails domains that the LDAP identity provider handles

Example

- whitelist-domain1.org
- whitelist-domain2.org

enabled¶

Set to true to enable LDAP

Default

false

externalGroupsWhitelist¶

Whitelist of external groups from LDAP that get added as roles in the ID Token

Example

- admin
- user

groups¶

groupRoleAttribute¶

Used with groups-as-scopes, defines the attribute that holds the scope name(s).

Default

spring.security.ldap.dn

groupSearchFilter¶

Search query filter to find the groups a user belongs to, or for a nested search, groups that a group belongs to

Default

member={0}

maxSearchDepth¶

Set to number of levels a nested group search should go. Set to 1 to disable nested groups (default)

Default

"1"

profile_type¶

What type of group integration should be used. Values are: ‘no-groups’, ‘groups-as-scopes’, ‘groups-map-to-scopes’

Default

no-groups

searchBase¶

Search start point for a user group membership search, and sequential nested searches.. You can set this value to ‘memberOf’ when using Active Directory and skip group search but use the calculated memberOf field on the user records. No nested search will be performed.

Default

""

searchSubtree¶

Boolean value, set to true to search below the search base

Default

"true"

localPasswordCompare¶

Used with search-and-compare only. Set to true if passwords are retrieved by the search, and should be compared in the login server.

Default

"true"

mailAttributeName¶

The name of the LDAP attribute that contains the users email address

Default

mail

mailSubstitute¶

Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication

Default

""

mailSubstituteOverridesLdap¶

Set to true if you wish to override an LDAP user email address with a generated one

Default

false

passwordAttributeName¶

Used with search-and-compare only. The name of the password attribute in the LDAP directory

Default

userPassword

passwordEncoder¶

Used with search-and-compare only. The encoder used to properly encode user password to match the one in the LDAP directory.

Default

org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator

profile_type¶

The file to be used for configuring the LDAP authentication. Options are: ‘simple-bind’, ‘search-and-bind’, ‘search-and-compare’

Default

search-and-bind

referral¶

Configures the UAA LDAP referral behavior. The following values are possible: - follow -> Referrals are followed - ignore -> Referrals are ignored and the partial result is returned - throw -> An error is thrown and the authentication is aborted Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html

Default

follow

searchBase¶

Used with search-and-bind and search-and-compare. Define a base where the search starts at.

Default

""

searchFilter¶

Used with search-and-bind and search-and-compare. Search filter used. Takes one parameter, user ID defined as {0}

Default

cn={0}

ssl¶

skipverification¶

Set to true, and LDAPS connection will not validate the server certificate.

Default

false

tls¶

If using StartTLS, what mode to enable. Default is none, not enabled. Possible values are none, simple

Default

none

sslCertificate¶

Used with ldaps:// URLs. The certificate, if self signed, to be trusted by this connection.

sslCertificateAlias¶

Used with ldaps:// URLs. The certificate alias, to be trusted by this connection and stored in the keystore.

url¶

The URL to the ldap server, must start with ldap:// or ldaps://. Allows multiple servers to be specified, space separated

Example

ldap://localhost:389 ldaps://secure.host:636

userDN¶

Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permissions to perform a search of the LDAP tree for user information.

userDNPattern¶

Used with simple-bind only. A semi-colon separated lists of DN patterns to construct a DN direct from the user ID without performing a search.

userDNPatternDelimiter¶

The delimiter character in between user DN patterns for simple-bind authentication

Default

;

userPassword¶

Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.

logging_level¶

Set UAA logging level. (e.g. TRACE, DEBUG, INFO)

Default

DEBUG

logging_use_rfc3339¶

Sets the time format for log messages to be yyyy-MM-dd’T’HH:mm:ss.SSSXXX instead of yyyy-MM-dd HH:mm:ss.SSS

Default

false

newrelic¶

To enable newrelic monitoring, the sub element of this property will be placed in a configuration file called newrelic.yml in the jobs config directory. The syntax that must adhere to documentation in https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file The JVM option -javaagent:/path/to/newrelic.jar will be added to Apache Tomcat’s startup script The enablement of the NewRelic agent in the UAA is triggered by the property uaa.newrelic.common.license_key The property uaa.newrelic.common.license_key must be set!

password¶

policy¶

expirePasswordInMonths¶

Number of months after which current password expires

Default

0

global¶

expirePasswordInMonths¶

Number of months after which current password expires

Default

0

maxLength¶

Maximum number of characters required for password to be considered valid

Default

255

minLength¶

Minimum number of characters required for password to be considered valid

Default

0

requireDigit¶

Minimum number of digits required for password to be considered valid

Default

0

requireLowerCaseCharacter¶

Minimum number of lowercase characters required for password to be considered valid

Default

0

requireSpecialCharacter¶

Minimum number of special characters required for password to be considered valid

Default

0

requireUpperCaseCharacter¶

Minimum number of uppercase characters required for password to be considered valid

Default

0

maxLength¶

Maximum number of characters required for password to be considered valid

Default

255

minLength¶

Minimum number of characters required for password to be considered valid

Default

0

requireDigit¶

Minimum number of digits required for password to be considered valid

Default

0

requireLowerCaseCharacter¶

Minimum number of lowercase characters required for password to be considered valid

Default

0

requireSpecialCharacter¶

Minimum number of special characters required for password to be considered valid

Default

0

requireUpperCaseCharacter¶

Minimum number of uppercase characters required for password to be considered valid

Default

0

port¶

Port that uaa will accept connections on

Default

8080

proxy¶

servers¶

Array of the router IPs acting as the first group of HTTP/TCP backends. These will be added to the proxy_ips_regex as exact matches.

Default

[]

proxy_ips_regex¶

A pipe delimited set of regular expressions of IP addresses that are considered reverse proxies. When a request from these IP addresses come in, the x-forwarded-for and x-forwarded-proto headers will be respected.

Default

10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}

require_https¶

Request came in on a secure connection. Expect the load balancer/proxy to set the proper headers (x-forwarded-for, x-forwarded-proto)

Default

true

scim¶

external_groups¶

External group mappings. Either formatted as an OpenStruct. As an OpenStruct, the mapping additionally specifies an origin to which the mapping is applied: origin1: external_group1: - internal_group1 - internal_group2 - internal_group3 external_group2: - internal_group2 - internal_group4 origin2: external_group3: - internal_group3 - internal_group4 - internal_group5

groups¶

Contains a hash of group names and their descriptions. These groups will be added to the UAA database for the default zone but not associated with any user. Example: uaa: scim: groups: my-test-group: ‘My test group description’ another-group: ‘Another group description’

user¶

override¶

If true override users defined in uaa.scim.users found in the database.

Default

true

userids_enabled¶

Enables the endpoint /ids/Users that allows consumers to translate user ids to name

Default

true

users¶

A list of users to be bootstrapped with authorities. Each entry supports the following format: Short OpenStruct: - name: username password: password groups: - group1 - group2 Long OpenStruct: - name: username password: password groups: - group1 - group2 firstName: first name lastName: lastName email: email origin: origin-value - most commonly uaa

Example

- email: [email protected]
  firstName: Marissa
  groups:
  - group_name
  lastName: Bloggs
  name: marissa
  origin: uaa
  password: koala

servlet¶

session-cookie¶

Optional configuration of the UAA session cookie. Defaults are the following key value pairs: secure: <(boolean)this value if set, otherwise require_https> http-only: <(boolean) - default to true. set HttpOnly flag on cookie. max-age: <(int) lifetime in seconds of cookie - default to 30 minutes) name: <(String) name of cookie, default is JSESSIONID> comment: <(String) optional comment in cookie> path: <(String) path for cookie, default is /> domain: <(String) domain for cookie, default is incoming request domain>

ssl¶

port¶

If this property Tomcat will listen to this port and expect https traffic. If set to -1, Tomcat will not listen for https traffic.

Default

8443

protocol_header¶

The header to look for to determine if ssl termination was performed by a front end load balancer.

Default

x-forwarded-proto

sslCertificate¶

The server’s ssl certificate. The default is a self-signed certificate and should always be replaced for production deployments

Default

""

Example

|+
  -----BEGIN CERTIFICATE-----
  MIIDAjCCAmugAwIBAgIJAJtrcBsKNfWDMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD
  VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
  aXNjbzEQMA4GA1UECgwHUGl2b3RhbDERMA8GA1UECwwISWRlbnRpdHkxFjAUBgNV
  BAMMDU1hcmlzc2EgS29hbGExIDAeBgkqhkiG9w0BCQEWEW1rb2FsYUBwaXZvdGFs
  LmlvMB4XDTE1MDczMDE5Mzk0NVoXDTI1MDcyOTE5Mzk0NVowgZkxCzAJBgNVBAYT
  AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
  MRAwDgYDVQQKDAdQaXZvdGFsMREwDwYDVQQLDAhJZGVudGl0eTEWMBQGA1UEAwwN
  TWFyaXNzYSBLb2FsYTEgMB4GCSqGSIb3DQEJARYRbWtvYWxhQHBpdm90YWwuaW8w
  gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPVOIGvG8MFbkqi+ytdBHVbEGde4
  jaCphmvGm89/4Ks0r+041VsS55XNYnHsxXTlh1FiB2KcbrDb33pgvuAIYpcAO2I0
  gqGeRoS2hNsxzcFdkgSZn1umDAeoE4bCATrquN93KMcw/coY5jacUfb9P2CQztkS
  e2o+QWtIaWYAvI3bAgMBAAGjUDBOMB0GA1UdDgQWBBTkEjA4CEjevAGfnPBciyXC
  3v4zMzAfBgNVHSMEGDAWgBTkEjA4CEjevAGfnPBciyXC3v4zMzAMBgNVHRMEBTAD
  AQH/MA0GCSqGSIb3DQEBCwUAA4GBAIEd8U32tkcvwG9qCOfe5raBENHM4ltTuhju
  zZWIM5Ik1bFf6+rA71HVDD1Z5fRozidhMOl6mrrGShfu6VUjtqzctJeSjaOPIJL+
  wvrXXcAkCYZ9QKf0sqlUWcIRy90nqrD5sL/rHAjNjxQ3lqIOj7yWOgty4LUzFQNr
  FHiyd3T6
  -----END CERTIFICATE-----

sslPrivateKey¶

The server’s ssl private key. Only passphrase-less keys are supported

Default

""

Example

|+
  -----BEGIN RSA PRIVATE KEY-----
  MIICXwIBAAKBgQD1TiBrxvDBW5KovsrXQR1WxBnXuI2gqYZrxpvPf+CrNK/tONVb
  EueVzWJx7MV05YdRYgdinG6w2996YL7gCGKXADtiNIKhnkaEtoTbMc3BXZIEmZ9b
  pgwHqBOGwgE66rjfdyjHMP3KGOY2nFH2/T9gkM7ZEntqPkFrSGlmALyN2wIDAQAB
  AoGBAPBvfz+kYt5iz0EuoMqTPBqLY3kZn1fWUbbZmGatxJyKq9UsW5NE2FDwWomn
  tXJ6d0PBfdOd2LDpEgZ1RSF5lobXn2m2+YeEso7A7yMiBRW8CIrkUn8wVA0s42t+
  osElfvj73G2ZjCqQm6BLCjtFYnalmZIzfOCB26xRWaf0MJ7hAkEA/XaqnosJfmRp
  kmvto81LEvjVVlSvpo+6rt66ykywEv9daHWZZBrrwVz3Iu4oXlwPuF8bcO8JMLRf
  OH98T1+1PQJBAPfCj0r3fRhmBZMWqf2/tbeQPvIQzqSXfYroFgnKIKxVCV8Bkm3q
  1rP4c0XDHEWYIwvMWBTOmVSZqfSxtwIicPcCQQDCcRqK7damo5lpvmpb0s3ZDBN9
  WxI1EOYB6NQbBaG9sTGTRUQbS5u4hv0ASvulB7L3md6PUJEYUAcMbKCMs7txAkEA
  7C8pwHJba0XebJB/bqkxxpKYntPM2fScNi32zFBGg2HxNANgnq3vDNN8t/U+X02f
  oyCimvs0CgUOknhTmJJSkwJBAPaI298JxTnWncC3Zu7d5QYCJXjU403Aj4LdcVeI
  6A15MzQdj5Hm82vlmpC4LzXofLjiN4E5ZLluzEw+1TjRE7c=
  -----END RSA PRIVATE KEY-----

url¶

The base url of the UAA

user¶

authorities¶

Contains a list of the default authorities/scopes assigned to a user

Default

  - openid
  - scim.me
  - cloud_controller.read
  - cloud_controller.write
  - cloud_controller_service_permissions.read
  - password.write
  - uaa.user
  - approvals.me
  - oauth.approvals
  - notification_preferences.read
  - notification_preferences.write
  - profile
  - roles
  - user_attributes
  - uaa.offline_token

zones¶

internal¶

hostnames¶

A list of hostnames that are routed to the UAA, specifically the default zone in the UAA. The UAA will reject any Host headers that it doesn’t recognize. By default the UAA recognizes: The hostname from the property uaa.url The hostname from the property login.url localhost (in order to accept health checks) Any hostnames added as a list are additive to the default hostnames allowed.

Example

- hostname1
- hostname2.localhost
- hostname3.example.com

uaadb¶

address¶

The UAA database IP address

databases¶

The list of databases used in UAA database including tag/name

db_scheme¶

Database scheme for UAA DB

port¶

The UAA database Port

roles¶

The list of database Roles used in UAA database including tag/name/password

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/uaa/ directory (learn more).

• bin/dns_health_check (from dns_health_check.erb)
• bin/health_check (from health_check)
• bin/install_crt (from install_crt)
• bin/install_uaa_crt (from install_uaa_crt)
• bin/post-start (from post-start)
• bin/pre-start (from pre-start)
• bin/uaa_ctl (from uaa_ctl.erb)
• config/ldap.crt (from ldap.crt.erb)
• config/log4j.properties (from log4j.properties.erb)
• config/messages.properties (from messages.properties.erb)
• config/newrelic.yml (from newrelic.yml.erb)
• config/tomcat/context.xml (from tomcat.context.xml.erb)
• config/tomcat/logging.properties (from tomcat.logging.properties)
• config/tomcat/server.xml (from tomcat.server.xml.erb)
• config/uaa.crt (from uaa.crt.erb)
• config/uaa.yml (from uaa.yml.erb)
• config/varz.log4j.properties (from varz.log4j.properties)
• config/varz.yml (from varz.yml)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

• uaa
• uaa_utils