uaa job from uaa/75.22.0
The UAA is the identity management service for Cloud Foundry. It's primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.
Github source:
38888d6
or
master branch
Properties¶
encryption
¶
active_key_label
¶The key label of the encryption passphrase that will be used to create the key using a Key Derivation Function for encrypting new data within the UAA database.
- Example
key-1
encryption_keys
¶Map of key labels and encryption passphrases that will be used to create keys using a Key Derivation Function. All passphrase values must be at least 8 characters long.
- Example
|+ - label: 'key-1' passphrase: 'MY-PASSPHRASE' - label: 'key-2' passphrase: 'MY-PASSPHRASE-TWO'
env
¶
http_proxy
¶The http_proxy across the VMs used for all requests over http
- Example
http://test.proxy:8080
https_proxy
¶The http_proxy across the VMs used for all requests over https
- Example
http://test.proxy:8080
no_proxy
¶Set No_Proxy across the VMs
- Example
localhost,127.0.0.0/8,127.0.1.1
login
¶
accountChooserEnabled
¶This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin.
- Default
false
analytics
¶
code
¶Google analytics code. If Google Analytics is desired set both login.analytics.code and login.analytics.domain
domain
¶Google analytics domain. If Google Analytics is desired set both login.analytics.code and login.analytics.domain
asset_base_url
¶Deprecated in favor of branding properties. Base url for static assets, allows custom styling of the login server. Use ‘/resources/pivotal’ for Pivotal style.
- Default
/resources/oss
branding
¶
banner
¶
backgroundColor
¶This is the color to be used for the background of the banner area on the UAA discovery login page
link
¶This is the link to be used for the banner logo or banner text on the UAA discovery login page
logo
¶This is a base64 encoded PNG image which will be used as the banner on the UAA discovery login page
text
¶This is text that will be used in the banner area on the UAA discovery login page if no banner logo is configured
textColor
¶This is the color to be used for banner text if banner text is defined to be used on the UAA discovery login page
company_name
¶This name is used on the UAA Pages and in account management related communication in UAA
consent
¶
link
¶If
login.branding.consent.text
is set, the text afterI agree to
will be hyperlinked to this location.
text
¶This text appears on registration and invitation after the words
I agree to
alongside a checkbox that must be selected before the user can continue.
footer_legal_text
¶This text appears on the footer of all UAA pages
footer_links
¶These links appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
- Example
linkDisplayName: linkDisplayUrl
product_logo
¶This is a base64 encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
square_logo
¶This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
defaultIdentityProvider
¶This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint. When not set, legacy chained authentication (where uaa is attempted first followed by ldap) is used.
- Example
uaa
home_redirect
¶Deprecated. May 09, 2017. Please use login.links.homeRedirect
idpDiscoveryEnabled
¶IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider. This property will also enable a list of selectable accounts that have signed in via the browser.
- Default
false
links
¶A hash of home/passwd/signup URLS (see commented examples below)
global
¶
homeRedirect
¶Landing URL after successful authentication via UI This is set globally for all identity zones but can be overridden via Identity Zone API. The links also support two variables: {zone.id} and {zone.subdomain}
- Default
/- Example
https://{zone.subdomain}.myaccountmanager.domain.com/z/{zone.id}/success
passwd
¶URL for requesting password reset. Displayed on the home page of the UAA. This is set globally for all identity zones but can be overridden via Identity Zone API. The links also support two variables: {zone.id} and {zone.subdomain}
- Default
/forgot_password- Example
https://{zone.subdomain}.myaccountmanager.domain.com/z/{zone.id}/forgot_password
signup
¶URL for requesting to signup/register for an account This is set globally for all identity zones but can be overridden via Identity Zone API. The links also support two variables: {zone.id} and {zone.subdomain}
- Default
/create_account- Example
https://{zone.subdomain}.myaccountmanager.domain.com/z/{zone.id}/create_account
homeRedirect
¶Landing URL after successful authentication via UI
- Default
/
passwd
¶URL for requesting password reset for the default zone
- Default
/forgot_password
signup
¶URL for requesting to signup/register for an account
- Default
/create_account
logout
¶
redirect
¶
parameter
¶disable
¶Deprecated as of v52/uaa-4.7.0. Value ignored. Value is always false. Will be removed in the future.
- Default
falsewhitelist
¶A list of URLs that are accepted and honored as values to the
/logout.do?redirect
parameter . If a redirect parameter value is not white listed, redirect will be to the default URL, /login or to the value of uaa.login.logout.redirect.url if set.
url
¶The Location of the redirect header following a logout of the the UAA (/login).
- Default
/login
messages
¶A nested or flat hash of messages that the login server uses to display UI message This will be flattened into a java.util.Properties file. The example below will lead to four properties, where the key is the concatenated value delimited by dot, for example scope.tokens.read=message
- Example
messages: scope: tokens: read: View details of your approvals you have granted to this and other applications write: Cancel the approvals like this one that you have granted to this and other applications scope.tokens.read: View details of your approvals you have granted to this and other applications scope.tokens.write: Cancel the approvals like this one that you have granted to this and other applications
mfa
¶
enabled
¶Set true to enable Multi-factor Authentication (MFA) for the default zone. Defaults to false.
- Default
false
providerName
¶The unique name of the MFA provider to use for default zone.
providers
¶A list of providers and their configuration. Provider names must be alphanumeric. Currently only
google-authenticator
is supported with no additional attributes. Issuer is optional.
- Example
myExampleProvider1: config: issuer: uaa providerDescription: test adding a google authenticator to the default zone type: google-authenticator
notifications
¶
url
¶The url for the notifications service (configure to use Notifications Service instead of SMTP server)
oauth
¶
providers
¶Contains a hash of OpenID Connect/Oauth Identity Providers, the key will be used as the origin key for that provider, followed by key/value pairs. Presence of the userInfoUrl will mark it as an OpenID provider instead of OAuth. If the provider has
override: false
set, the provider values will only be stored in the database if the provider doesn’t exist.
- Example
my-oauth-provider: addShadowUserOnLogin: true attributeMappings: external_groups: - <attribute holding roles or group memberships in the OAuth if an ID Token is present or the access token has claims> - <other attribute holding roles or group memberships in the OAuth if an ID Token is present or the access token has claims> family_name: <Attribute holding family name in the OAuth if an ID Token is present or the access token has claims> given_name: <Attribute holding given name in the OAuth if an ID Token is present or the access token has claims> user: attribute: name-of-attribute-in-uaa-id-token: name-of-attribute-in-provider-token name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-provider-token user_name: <Attribute holding username in the OAuth if an ID Token is present or the access token has claims> authUrl: <URL to the authorize endpoint of the provider> issuer: <optional - if the issuer URL is different than tokenUrl URL> linkText: My Oauth Provider override: false relyingPartyId: <OAuth Client ID> relyingPartySecret: <OAuth Client secret> scopes: - openid - <other scope> showLinkText: true skipSslValidation: false storeCustomAttributes: true tokenKey: <Token verification key> tokenKeyUrl: <URL for token verification. Will be used if tokenKey is not specified.> tokenUrl: <URL to the token endpoint of the provider> type: oauth2.0 my-oidc-provider: addShadowUserOnLogin: true attributeMappings: external_groups: - <attribute holding roles or group memberships in the OIDC id_token> - <other attribute holding roles or group memberships in the OIDC id_token> family_name: <Attribute holding family name in the OIDC ID Token> given_name: <Attribute holding given name in the OIDC ID Token> user: attribute: name-of-attribute-in-uaa-id-token: name-of-attribute-in-provider-token name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-provider-token user_name: <Attribute holding username in the OIDC ID Token> discoveryUrl: |+ <URL for OpenID Connect Identity Provider discovery, example: https://accounts.google.com/.well-known/openid-configuration> Using this automatic discovery and you can omit several attributes like issuer, auth endpoint, token endpoint, userinfo endpoint, token key url linkText: My Oauth Provider passwordGrantEnabled: false prompts: - name: username text: Email type: text - name: password text: Password type: password - name: passcode text: Temporary Authentication Code (Get on at /passcode) type: password relyingPartyId: <OIDC Client ID> relyingPartySecret: <OIDC Client secret> scopes: - openid - <other scope> showLinkText: true skipSslValidation: false storeCustomAttributes: true type: oidc1.0
prompt
¶
password
¶
text
¶The text used to prompt for a password during login
- Default
Password
username
¶
text
¶The text used to prompt for a username during login
- Default
protocol
¶Scheme to use for HTTP communication (http/https)
- Default
https
saml
¶
activeKeyId
¶The active key to be used for signing messages and the key to be used to encrypt messages. See login.saml.keys
disableInResponseToCheck
¶Disable InResponseToField SAML validation on the default zone. For non default zone, this flag is part of the zone configuration. Please see: https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
- Default
false
entity_base_url
¶The URL for which SAML identity providers will post assertions to. If set it overrides the default. This URL should NOT have the schema (http:// or https:// prefix in it) instead just the hostname. The schema is derived by #{login.protocol} property. The default value is
p("uaa.url").sub("://uaa.", "://login.")
, typically login.example.com The UAA will display this link in the cf –sso call if there is a SAML provider enabled.
entityid
¶This is used as the SAML Service Provider Entity ID. Each zone has a unique entity ID. Zones other than the default zone will derive their entity ID from this setting by prefexing it with the subdomain.
keys
¶A map of keys where each map key is the name of the key. The login.saml.activeKeyId must match one of the keys in the map. To rotate keys, simply add keys. To activate a key, add it as the login.saml.activeKeyId
- Example
|+ activeKeyId: key1 keys: key1: key: | -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEArRkvkddLUoNyuvu0ktkcLL0CyGG8Drh9oPsaVOLVHJqB1Ebr oNMTPbY0HPjuD5WBDZTi3ftNLp1mPn9wFy6FhMTvIYeQmTskH8m/kyVReXG/zfWq a4+V6UW4nmUcvfF3YNrHvN5VPTWTJrc2KBzseWQ70OaBNfBi6z4XbdOF45dDfck2 oRnasinUv+rG+PUl7x8OjgdVyyen6qeCQ6xt8W9fHg//Nydlfwb3/L+syPoBujdu Hai7GoLUzm/zqOM9dhlR5mjuEJ3QUvnmGKrGDoeHFog0CMgLC+C0Z4ZANB6GbjlM bsQczsaYxHMqAMOnOe6xIXUrPOoc7rclwZeHMQIDAQABAoIBAAFB2ZKZmbZztfWd tmYKpaW9ibOi4hbJSEBPEpXjP+EBTkgYa8WzQsSD+kTrme8LCvDqT+uE076u7fsu OcYxVE7ujz4TGf3C7DQ+5uFOuBTFurroOeCmHlSfaQPdgCPxCQjvDdxVUREsvnDd i8smyqDnFXgi9HVL1awXu1vU2XgZshfl6wBOCNomVMCN8mVcBQ0KM88SUvoUwM7i sSdj1yQV16Za8+nVnMW41FMHegVRd3Y5EsXJfwGuXnZMIG87PavH1nUqn9NOFq9Y kb4SeOO47PaMxv7jMaXltVVokdGH8L/BY4we8tBL+wVeUJ94aYx/Q/LUAtRPbKPS ZSEi/7ECgYEA3dUg8DXzo59zl5a8kfz3aoLl8RqRYzuf8F396IuiVcqYlwlWOkZW javwviEOEdZhUZPxK1duXKTvYw7s6eDFwV+CklTZu4A8M3Os0D8bSL/pIKqcadt5 JClIRmOmmQpj9AYhSdBTdQtJGjVDaDXJBb7902pDm9I4jMFbjAKLZNsCgYEAx8J3 Y1c7GwHw6dxvTywrw3U6z1ILbx2olVLY6DIgZaMVT4EKTAv2Ke4xF4OZYG+lLRbt hhOHYzRMYC38MNl/9RXHBgUlQJXOQb9u644motl5dcMvzIIuWFCn5vXxR2C3McNy vPdzYS2M64xRGy+IENtPSCcUs9C99bEajRcuG+MCgYAONabEfFA8/OvEnA08NL4M fpIIHbGOb7VRClRHXxpo8G9RzXFOjk7hCFCFfUyPa/IT7awXIKSbHp2O9NfMK2+/ cUTF5tWDozU3/oLlXAV9ZX2jcApQ5ZQe8t4EVEHJr9azPOlI9yVBbBWkriDBPiDA U3mi3z2xb4fbzE726vrO3QKBgA6PfTZPgG5qiM3zFGX3+USpAd1kxJKX3dbskAT0 ymm+JmqCJGcApDPQOeHV5NMjsC2GM1AHkmHHyR1lnLFO2UXbDYPB0kJP6RXfx00C MozCP1k3Hf/RKWGkl2h9WtXyFchZz744Zz+ZG2F7+9l4cHmSEshWmOq2d3I2M5I/ M0wzAoGAa2oM4Q6n+FMHl9e8H+2O4Dgm7wAdhuZI1LhnLL6GLVC1JTmGrz/6G2TX iNFhc0lnDcVeZlwg4i7M7MH8UFdWj3ZEylsXjrjIspuAJg7a/6qmP9s2ITVffqYk 2slwG2SIQchM5/0uOiP9W0YIjYEe7hgHUmL9Rh8xFuo9y72GH8c= -----END RSA PRIVATE KEY----- passphrase: password certificate: | -----BEGIN CERTIFICATE----- MIID0DCCArgCCQDBRxU0ucjw6DANBgkqhkiG9w0BAQsFADCBqTELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMR8wHQYDVQQK ExZDbG91ZCBGb3VuZHJ5IElkZW50aXR5MQ4wDAYDVQQLEwVLZXkgMTEiMCAGA1UE AxMZbG9naW4uaWRlbnRpdHkuY2YtYXBwLmNvbTEgMB4GCSqGSIb3DQEJARYRZmhh bmlrQHBpdm90YWwuaW8wHhcNMTcwNDEwMTkxMTIyWhcNMTgwNDEwMTkxMTIyWjCB qTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp c2NvMR8wHQYDVQQKExZDbG91ZCBGb3VuZHJ5IElkZW50aXR5MQ4wDAYDVQQLEwVL ZXkgMTEiMCAGA1UEAxMZbG9naW4uaWRlbnRpdHkuY2YtYXBwLmNvbTEgMB4GCSqG SIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCtGS+R10tSg3K6+7SS2RwsvQLIYbwOuH2g+xpU4tUcmoHURuug 0xM9tjQc+O4PlYENlOLd+00unWY+f3AXLoWExO8hh5CZOyQfyb+TJVF5cb/N9apr j5XpRbieZRy98Xdg2se83lU9NZMmtzYoHOx5ZDvQ5oE18GLrPhdt04Xjl0N9yTah GdqyKdS/6sb49SXvHw6OB1XLJ6fqp4JDrG3xb18eD/83J2V/Bvf8v6zI+gG6N24d qLsagtTOb/Oo4z12GVHmaO4QndBS+eYYqsYOh4cWiDQIyAsL4LRnhkA0HoZuOUxu xBzOxpjEcyoAw6c57rEhdSs86hzutyXBl4cxAgMBAAEwDQYJKoZIhvcNAQELBQAD ggEBAB72QKF9Iri+UdCGAIok/qIeKw5AwZ0wtiONa+DF4B80/yAA1ObpuO3eeeka t0s4wtCRflE08zLrwqHlvKQAGKmJkfRLfEqfKStIUOTHQxE6wOaBtfW41M9ZF1hX NHpnkfmSQjaHVNTRbABiFH6eTq8J6CuO12PyDf7lW3EofvcTU3ulsDhuMAz02ypJ BgcOufnl+qP/m/BhVQsRD5mtJ56uJpHvri1VR2kj8N59V8f6KPO2m5Q6MulEhWml TsxyxUl03oyICDP1cbpYtDk2VddVNWipHHPH/mBVW41EBVv0VDV03LH3RfS9dXiK ynuP3shhqhFvaaiUTZP4l5yF/GQ= -----END CERTIFICATE----- key2: key: | -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAwt7buITRZhXX98apcgJbiHhrPkrgn5MCsCphRQ89oWPUHWjN j9Kz2m9LaKgq9DnNLl22U4e6/LUQToBCLxkIqwaobZKjIUjNAmNomqbNO7AD2+K7 RCiQ2qijWUwXGu+5+fSmF/MOermNKUDiQnRJSSSAPObAHOI980zTWVsApKpcFVaV vk/299L/0rk8I/mNvf63cdw4Nh3xn4Ct+oCnTaDg5OtpGz8sHlocOAti+LdrtNzH uBWq8q2sdhFQBRGe1MOeH8CAEHgKYwELTBCJEyLhykdRgxXJHSaL56+mb6HQvGO/ oyZHn+qHsCCjcdR1L/U4qt4m7HBimv0qbvApQwIDAQABAoIBAQCftmmcnHbG1WZR NChSQa5ldlRnFJVvE90jJ0jbgfdAHAKQLAI2Ozme8JJ8bz/tNKZ+tt2lLlxJm9iG jkYwNbNOAMHwNDuxHuqvZ2wnPEh+/+7Zu8VBwoGeRJLEsEFLmWjyfNnYTSPz37nb Mst+LbKW2OylfXW89oxRqQibdqNbULpcU4NBDkMjToH1Z4dUFx3X2R2AAwgDz4Ku HN4HoxbsbUCI5wLDJrTGrJgEntMSdsSdOY48YOMBnHqqfw7KoJ0sGjrPUy0vOGq2 CeP3uqbXX/mJpvJ+jg3Y2b1Zeu2I+vAnZrxlaZ+hYnZfoNqVjBZ/EEq/lmEovMvr erP8FYI5AoGBAOrlmMZYdhW0fRzfpx6WiBJUkFfmit4qs9nQRCouv+jHS5QL9aM9 c+iKeP6kWuxBUYaDBmf5J1OBW4omNd384NX5PCiL/Fs/lxgdMZqEhnhT4Dj4Q6m6 ZXUuY6hamoF5+z2mtkZzRyvD1LUAARKJw6ggUtcH28cYC3RkZ5P6SWHVAoGBANRg scI9pF2VUrmwpgIGhynLBEO26k8j/FyE3S7lPcUZdgPCUZB0/tGklSo183KT/KQY TgO2mqb8a8xKCz41DTnUPqJWZzBOFw5QaD2i9O6soXUAKqaUm3g40/gyWX1hUtHa K0Kw5z1Sf3MoCpW0Ozzn3znYbAoSvBRr53d0EVK3AoGAOD1ObbbCVwIGroIR1i3+ WD0s7g7Bkt2wf+bwWxUkV4xX2RNf9XyCItv8iiM5rbUZ2tXGE+DAfKrNCu+JGCQy hKiOsbqKaiJ4f4qF1NQECg0y8xDlyl5Zakv4ClffBD77W1Bt9cIl+SGC7O8aUqDv WnKawucbxLhKDcz4S6KyLR0CgYEAhuRrw24XqgEgLCVRK9QtoZP7P28838uBjNov Cow8caY8WSLhX5mQCGQ7AjaGTG5Gd4ugcadYD1wgs/8LqRVVMzfmGII8xGe1KThV HWEVpUssuf3DGU8meHPP3sNMJ+DbE8M42wE1vrNZlDEImBGD1qmIFVurM7K2l1n6 CNtF7X0CgYBuFf0A0cna8LnxOAPm8EPHgFq4TnDU7BJzzcO/nsORDcrh+dZyGJNS fUTMp4k+AQCm9UwJAiSf4VUwCbhXUZ3S+xB55vrH+Yc2OMtsIYhzr3OCkbgKBMDn nBVKSGAomYD2kCUmSbg7bUrFfGntmvOLqTHtVfrCyE5i8qS63RbHlA== -----END RSA PRIVATE KEY----- passphrase: password certificate: | -----BEGIN CERTIFICATE----- MIID0DCCArgCCQDqnPTUvA17+TANBgkqhkiG9w0BAQsFADCBqTELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMR8wHQYDVQQK ExZDbG91ZCBGb3VuZHJ5IElkZW50aXR5MQ4wDAYDVQQLEwVLZXkgMjEiMCAGA1UE AxMZbG9naW4uaWRlbnRpdHkuY2YtYXBwLmNvbTEgMB4GCSqGSIb3DQEJARYRZmhh bmlrQHBpdm90YWwuaW8wHhcNMTcwNDEwMTkxNTAyWhcNMTgwNDEwMTkxNTAyWjCB qTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp c2NvMR8wHQYDVQQKExZDbG91ZCBGb3VuZHJ5IElkZW50aXR5MQ4wDAYDVQQLEwVL ZXkgMjEiMCAGA1UEAxMZbG9naW4uaWRlbnRpdHkuY2YtYXBwLmNvbTEgMB4GCSqG SIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDC3tu4hNFmFdf3xqlyAluIeGs+SuCfkwKwKmFFDz2hY9QdaM2P 0rPab0toqCr0Oc0uXbZTh7r8tRBOgEIvGQirBqhtkqMhSM0CY2iaps07sAPb4rtE KJDaqKNZTBca77n59KYX8w56uY0pQOJCdElJJIA85sAc4j3zTNNZWwCkqlwVVpW+ T/b30v/SuTwj+Y29/rdx3Dg2HfGfgK36gKdNoODk62kbPyweWhw4C2L4t2u03Me4 Faryrax2EVAFEZ7Uw54fwIAQeApjAQtMEIkTIuHKR1GDFckdJovnr6ZvodC8Y7+j Jkef6oewIKNx1HUv9Tiq3ibscGKa/Spu8ClDAgMBAAEwDQYJKoZIhvcNAQELBQAD ggEBAKzeh/bRDEEP/WGsiYhCCfvESyt0QeKwUk+Hfl0/oP4m9pXNrnMRApyoi7FB owpmXIeqDqGigPai6pJ3xCO94P+Bz7WTk0+jScYm/hGpcIOeKh8FBfW0Fddu9Otn qVk0FdRSCTjUZKQlNOqVTjBeKOjHmTkgh96IR3EP2/hp8Ym4HLC+w265V7LnkqD2 SoMez7b2V4NmN7z9OxTALUbTzmFG77bBDExHvfbiFlkIptx8+IloJOCzUsPEg6Ur kueuR7IB1S4q6Ja7Gb9b9NYQDFt4hjb5mC9aPxaX+KK2JlZg4cTFVCdkIyp2/fHI iQpMzNWb7zZWlCfDL4dJZHYoNfg= -----END CERTIFICATE-----
providers
¶Contains a hash of SAML Identity Providers, the key is the IDP Alias, followed by key/value pairs. To learn more about how to setup a saml identity provider go to https://simplesamlphp.org If the provider has
override: false
set, the provider values will only be stored in the database if the provider doesn’t exist.
- Example
my-identity-provider: assertionConsumerIndex: 0 groupMappingMode: AS_SCOPES iconUrl: https://my.identityprovider.com/icon.png idpMetadata: http://my.identityprovider.com/saml2/idp/metadata.php linkText: Log in with My Saml Identity Provider metadataTrustCheck: false nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress override: false showSamlLoginLink: true signMetaData: false signRequest: false skipSslValidation: false storeCustomAttributes: true
serviceProviderCertificate
¶Deprecated. Use login.saml.keys. Service provider certificate.
- Example
|+ -----BEGIN CERTIFICATE----- MIIEJTCCA46gAwIBAgIJANIqfxWTfhpkMA0GCSqGSIb3DQEBBQUAMIG+MQswCQYD VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j aXNjbzEdMBsGA1UEChMUUGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Ns b3VkIEZvdW5kcnkgSWRlbnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2Yt YXBwLmNvbTEfMB0GCSqGSIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzAeFw0xNTA1 MTQxNzE5MTBaFw0yNTA1MTExNzE5MTBaMIG+MQswCQYDVQQGEwJVUzETMBEGA1UE CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEdMBsGA1UEChMU UGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Nsb3VkIEZvdW5kcnkgSWRl bnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2YtYXBwLmNvbTEfMB0GCSqG SIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEA30y2nX+kICXktl1yJhBzLGvtTuzJiLeOMWi++zdivifyRqX1dwJ5MgdO sBWdNrASwe4ZKONiyLFRDsk7lAYq3f975chxSsrRu1BLetBZfPEmwBH7FCTdYtWk lJbpz0vzQs/gSsMChT/UrN6zSJhPVHNizLxstedyxxVVts644U8CAwEAAaOCAScw ggEjMB0GA1UdDgQWBBSvWY/TyHysYGxKvII95wD/CzE1AzCB8wYDVR0jBIHrMIHo gBSvWY/TyHysYGxKvII95wD/CzE1A6GBxKSBwTCBvjELMAkGA1UEBhMCVVMxEzAR BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xHTAbBgNV BAoTFFBpdm90YWwgU29mdHdhcmUgSW5jMSQwIgYDVQQLExtDbG91ZCBGb3VuZHJ5 IElkZW50aXR5IFRlYW0xHDAaBgNVBAMTE2lkZW50aXR5LmNmLWFwcC5jb20xHzAd BgkqhkiG9w0BCQEWEG1hcmlzc2FAdGVzdC5vcmeCCQDSKn8Vk34aZDAMBgNVHRME BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAL5j1JCN5EoXMOOBSBUL8KeVZFQD3Nfy YkYKBatFEKdBFlAKLBdG+5KzE7sTYesn7EzBISHXFz3DhdK2tg+IF1DeSFVmFl2n iVxQ1sYjo4kCugHBsWo+MpFH9VBLFzsMlP3eIDuVKe8aPXFKYCGhctZEJdQTKlja lshe50nayKrT -----END CERTIFICATE----
serviceProviderKey
¶Deprecated. Use login.saml.keys. Private key for the service provider certificate.
- Example
|+ -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDfTLadf6QgJeS2XXImEHMsa+1O7MmIt44xaL77N2K+J/JGpfV3 AnkyB06wFZ02sBLB7hko42LIsVEOyTuUBird/3vlyHFKytG7UEt60Fl88SbAEfsU JN1i1aSUlunPS/NCz+BKwwKFP9Ss3rNImE9Uc2LMvGy153LHFVW2zrjhTwIDAQAB AoGBAJDh21LRcJITRBQ3CUs9PR1DYZPl+tUkE7RnPBMPWpf6ny3LnDp9dllJeHqz a3ACSgleDSEEeCGzOt6XHnrqjYCKa42Z+Opnjx/OOpjyX1NAaswRtnb039jwv4gb RlwT49Y17UAQpISOo7JFadCBoMG0ix8xr4ScY+zCSoG5v0BhAkEA8llNsiWBJF5r LWQ6uimfdU2y1IPlkcGAvjekYDkdkHiRie725Dn4qRiXyABeaqNm2bpnD620Okwr sf7LY+BMdwJBAOvgt/ZGwJrMOe/cHhbujtjBK/1CumJ4n2r5V1zPBFfLNXiKnpJ6 J/sRwmjgg4u3Anu1ENF3YsxYabflBnvOP+kCQCQ8VBCp6OhOMcpErT8+j/gTGQUL f5zOiPhoC2zTvWbnkCNGlqXDQTnPUop1+6gILI2rgFNozoTU9MeVaEXTuLsCQQDC AGuNpReYucwVGYet+LuITyjs/krp3qfPhhByhtndk4cBA5H0i4ACodKyC6Zl7Tmf oYaZoYWi6DzbQQUaIsKxAkEA2rXQjQFsfnSm+w/9067ChWg46p4lq5Na2NpcpFgH waZKhM1W0oB8MX78M+0fG3xGUtywTx0D4N7pr1Tk2GTgNw== -----END RSA PRIVATE KEY-----
serviceProviderKeyPassword
¶Deprecated. Use login.saml.keys. Passphrase for the service provider private key.
- Default
""- Example
""
signMetaData
¶Global property to sign Local/SP metadata
- Default
true
signRequest
¶Global property to sign Local/SP requests
- Default
true
signatureAlgorithm
¶Signature hashing algorithm for SAML. Can be SHA1, SHA256, or SHA512.
- Example
SHA256
socket
¶
connectionManagerTimeout
¶Timeout in milliseconds for connection pooling for SAML metadata HTTP requests
- Default
10000
soTimeout
¶Read timeout in milliseconds for SAML metadata HTTP requests
- Default
10000
wantAssertionSigned
¶Global property to request that external IDPs sign their SAML assertion before sending them to the UAA
- Default
true
self_service_links_enabled
¶Enable self-service account creation and password resets links.
- Default
true
smtp
¶SMTP server configuration, for password reset emails etc.
auth
¶If true, authenticate using AUTH command. https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html
- Default
false
from_address
¶SMTP from address
host
¶SMTP server host address
- Default
localhost
password
¶SMTP server password
port
¶SMTP server port
- Default
2525
sslprotocols
¶If set, specifies the SSL protocols that will be enabled for SSL connections. The property value is a whitespace separated list of tokens. https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html
- Default
TLSv1.2
starttls
¶If true, send STARTTLS command before login to server. https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html
- Default
false
user
¶SMTP server username
url
¶Set if you have an external login server. The UAA uses this link on by its email service to create links The UAA uses this as a base domain for internal hostnames so that subdomain can be detected This defaults to the uaa.url property, and if not set, to login.
release_level_backup
¶
DEPRECATED: Do not use this property. Use the corresponding property in bbr-uaadb.
uaa
¶
admin
¶
client_secret
¶Secret of the admin client - a client named admin with uaa.admin as an authority
authentication
¶
enable_uri_encoding_compatibility_mode
¶When enabled basic auth credentials will only be URI decoded when the
X-CF-ENCODED-CREDENTIALS
header is set totrue
- Default
false
policy
¶
countFailuresWithinSeconds
¶Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked
- Default
1200
global
¶countFailuresWithinSeconds
¶Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked
- Default
3600lockoutAfterFailures
¶Number of allowed failures before account is locked
- Default
5lockoutPeriodSeconds
¶Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded
- Default
300
lockoutAfterFailures
¶Number of allowed failures before account is locked
- Default
5
lockoutPeriodSeconds
¶Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded
- Default
300
ca_certs
¶Array of CA certificates to load into the UAA’s truststore
- Example
- |+ -----BEGIN CERTIFICATE----- MIIDAjCCAmugAwIBAgIJAJtrcBsKNfWDMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j aXNjbzEQMA4GA1UECgwHUGl2b3RhbDERMA8GA1UECwwISWRlbnRpdHkxFjAUBgNV BAMMDU1hcmlzc2EgS29hbGExIDAeBgkqhkiG9w0BCQEWEW1rb2FsYUBwaXZvdGFs LmlvMB4XDTE1MDczMDE5Mzk0NVoXDTI1MDcyOTE5Mzk0NVowgZkxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv MRAwDgYDVQQKDAdQaXZvdGFsMREwDwYDVQQLDAhJZGVudGl0eTEWMBQGA1UEAwwN TWFyaXNzYSBLb2FsYTEgMB4GCSqGSIb3DQEJARYRbWtvYWxhQHBpdm90YWwuaW8w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPVOIGvG8MFbkqi+ytdBHVbEGde4 jaCphmvGm89/4Ks0r+041VsS55XNYnHsxXTlh1FiB2KcbrDb33pgvuAIYpcAO2I0 gqGeRoS2hNsxzcFdkgSZn1umDAeoE4bCATrquN93KMcw/coY5jacUfb9P2CQztkS e2o+QWtIaWYAvI3bAgMBAAGjUDBOMB0GA1UdDgQWBBTkEjA4CEjevAGfnPBciyXC 3v4zMzAfBgNVHSMEGDAWgBTkEjA4CEjevAGfnPBciyXC3v4zMzAMBgNVHRMEBTAD AQH/MA0GCSqGSIb3DQEBCwUAA4GBAIEd8U32tkcvwG9qCOfe5raBENHM4ltTuhju zZWIM5Ik1bFf6+rA71HVDD1Z5fRozidhMOl6mrrGShfu6VUjtqzctJeSjaOPIJL+ wvrXXcAkCYZ9QKf0sqlUWcIRy90nqrD5sL/rHAjNjxQ3lqIOj7yWOgty4LUzFQNr FHiyd3T6 -----END CERTIFICATE-----
catalina_opts
¶The options used to configure Tomcat
- Default
-Xmx768m -XX:MaxMetaspaceSize=256m
client
¶
redirect_uri
¶
matching_mode
¶When set to
legacy
, allow unsafe matching of redirect URIs. For example, https://example.com would also match all subdomains and all paths of https://example.com. When set toexact
, will provide OAuth2 spec-compliant (RFC6749) exact redirect URI matching.
- Default
legacy
secret
¶
policy
¶The client secret policy for clients in the default zone.
- Example
uaa: client: secret: policy: maxLength: 255 minLength: 0 requireDigit: 0 requireLowerCaseCharacter: 0 requireSpecialCharacter: 0 requireUpperCaseCharacter: 0global
¶The global client secret policy for clients in a zone. If the zone doesn’t have a client secret policy, this one will be used.
- Example
uaa: client: secret: policy: global: maxLength: 255 minLength: 0 requireDigit: 0 requireLowerCaseCharacter: 0 requireSpecialCharacter: 0 requireUpperCaseCharacter: 0maxLength
¶Maximum number of characters required for secret to be considered valid (defaults to 255).
minLength
¶Minimum number of characters required for secret to be considered valid (defaults to 0).
requireDigit
¶Minimum number of digits required for secret to be considered valid (defaults to 0).
requireLowerCaseCharacter
¶Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
requireSpecialCharacter
¶Minimum number of special characters required for secret to be considered valid (defaults to 0).
requireUpperCaseCharacter
¶Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
maxLength
¶Maximum number of characters required for secret to be considered valid (defaults to 255).
minLength
¶Minimum number of characters required for secret to be considered valid (defaults to 0).
requireDigit
¶Minimum number of digits required for secret to be considered valid (defaults to 0).
requireLowerCaseCharacter
¶Minimum number of lowercase characters required for secret to be considered valid (defaults to 0).
requireSpecialCharacter
¶Minimum number of special characters required for secret to be considered valid (defaults to 0).
requireUpperCaseCharacter
¶Minimum number of uppercase characters required for secret to be considered valid (defaults to 0).
clients
¶List of OAuth2 clients that the UAA will be bootstrapped with. These will be created in the default (
uaa
) zone.
- Example
app: app-icon: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAD1BMVEWZttQvMDEoKisqKywAAAApvvoVAAAAGElEQVQYlWNgYUQBLAxMDCiAeXgLoHsfAD03AHOyfqy1AAAAAElFTkSuQmCC app-launch-url: http://myapppage.com authorities: test_resource.test_action authorized-grant-types: authorization_code,client_credentials,refresh_token autoapprove: - test_resource.test_action - test_resource.other_action id: app override: true redirect-uri: http://login.example.com scopes: - test_resource.test_action - test_resource.other_action secret: app-secret show-on-homepage: true login: app-icon: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAD1BMVEWZttQvMDEoKisqKywAAAApvvoVAAAAGElEQVQYlWNgYUQBLAxMDCiAeXgLoHsfAD03AHOyfqy1AAAAAElFTkSuQmCC app-launch-url: http://myloginpage.com authorities: test_resource.test_action authorized-grant-types: authorization_code,client_credentials,refresh_token autoapprove: true id: login override: true redirect-uri: http://login.example.com scope: test_resource.test_action secret: some-secret show-on-homepage: true
cors
¶
default
¶
allowed
¶credentials
¶whether to allow credentials to be sent over non-xhr cors requests
headers
¶whitelist for allowed headers for non-xhr cors requests
methods
¶whitelist for allowed methods for non-xhr cors requests
origin
¶whitelist for allowed origins for non-xhr cors requests
uris
¶whitelist for allowed uris for non-xhr cors requests
max_age
¶how long the results of a preflight request is cached
xhr
¶
allowed
¶credentials
¶whether to allow credentials to be sent over xhr cors requests
headers
¶whitelist for allowed headers for xhr cors requests
methods
¶whitelist for allowed methods for xhr cors requests
origin
¶whitelist for allowed origins for xhr cors requests
uris
¶whitelist for allowed uris for xhr cors requests
max_age
¶how long the results of a preflight request is cached
database
¶
abandoned_timeout
¶Timeout in seconds for the longest running queries. Take into DB migrations for this timeout as they may run during a long period of time.
- Default
300
additionalParameters
¶Addtional parameters that should be added to the url that is used to connect to the database. Boolean values need to be passed as String.
- Example
tcpKeepAlive: "true" usePipelineAuth: "false"
case_insensitive
¶Set to true if you don’t want to be using LOWER() SQL functions in search queries/filters, because you know that your DB is case insensitive. If this property is null, then it will be set to true if the UAA DB is MySQL and false otherwise, but even on MySQL you can override it by setting it explicitly to false
log_abandoned
¶Should connections that are forcibly closed be logged.
- Default
true
max_connections
¶The max number of open connections to the DB from a running UAA instance
- Default
100
max_idle_connections
¶The max number of open idle connections to the DB from a running UAA instance
- Default
10
min_idle_connections
¶The min number of open idle connections to the DB from a running UAA instance
- Default
0
remove_abandoned
¶True if connections that are left open longer then abandoned_timeout seconds during a session(time between borrow and return from pool) should be forcibly closed
- Default
false
test_while_idle
¶If true, connections will be validated by the idle connection evictor (if any). If the validation fails, the connection is destroyed and removed from the pool.
- Default
false
delete
¶Contains a map of actions, each with a list of IDs. Possible delete actions are ‘identityProviders’, ‘users’ and ‘clients’. Identity providers are identified by their alias These will be deleted in the default (
uaa
) zone. Unrecognized map keys will be ignored. If the ID exists both in the delete and create sections the delete section takes preceden
- Example
|+ clients: - client-to-be-deleted-1 - client-to-be-deleted-2 users: - user-to-be-deleted-1 - user-to-be-deleted-2 identityProviders: - octa - google
disableInternalAuth
¶Disables internal user authentication
- Default
false
disableInternalUserManagement
¶Disables UI and API for internal user management
- Default
false
issuer
¶The url to use as the issuer URI
jwt
¶
claims
¶
exclude
¶List of claims to exclude from the JWT-based OAuth2 tokens.
- Example
- authorities
policy
¶
accessTokenValiditySeconds
¶The access token validity for the default zone if nothing is configured on the client. Will override global validity policies for the default zone only.
- Default
43200
active_key_id
¶The ID of the JWT signing key to be used when signing tokens.
- Example
key-1
global
¶accessTokenValiditySeconds
¶The global access token validity for all zones if nothing is configured on the client
- Default
43200refreshTokenValiditySeconds
¶The global refresh token validity for all zones if nothing is configured on the client
- Default
2.592e+06
keys
¶Map of key IDs and signing keys, each defined with a property
signingKey
.
- Example
key-1: signingKey: |+ -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDfTLadf6QgJeS2XXImEHMsa+1O7MmIt44xaL77N2K+J/JGpfV3 AnkyB06wFZ02sBLB7hko42LIsVEOyTuUBird/3vlyHFKytG7UEt60Fl88SbAEfsU JN1i1aSUlunPS/NCz+BKwwKFP9Ss3rNImE9Uc2LMvGy153LHFVW2zrjhTwIDAQAB AoGBAJDh21LRcJITRBQ3CUs9PR1DYZPl+tUkE7RnPBMPWpf6ny3LnDp9dllJeHqz a3ACSgleDSEEeCGzOt6XHnrqjYCKa42Z+Opnjx/OOpjyX1NAaswRtnb039jwv4gb RlwT49Y17UAQpISOo7JFadCBoMG0ix8xr4ScY+zCSoG5v0BhAkEA8llNsiWBJF5r LWQ6uimfdU2y1IPlkcGAvjekYDkdkHiRie725Dn4qRiXyABeaqNm2bpnD620Okwr sf7LY+BMdwJBAOvgt/ZGwJrMOe/cHhbujtjBK/1CumJ4n2r5V1zPBFfLNXiKnpJ6 J/sRwmjgg4u3Anu1ENF3YsxYabflBnvOP+kCQCQ8VBCp6OhOMcpErT8+j/gTGQUL f5zOiPhoC2zTvWbnkCNGlqXDQTnPUop1+6gILI2rgFNozoTU9MeVaEXTuLsCQQDC AGuNpReYucwVGYet+LuITyjs/krp3qfPhhByhtndk4cBA5H0i4ACodKyC6Zl7Tmf oYaZoYWi6DzbQQUaIsKxAkEA2rXQjQFsfnSm+w/9067ChWg46p4lq5Na2NpcpFgH waZKhM1W0oB8MX78M+0fG3xGUtywTx0D4N7pr1Tk2GTgNw== -----END RSA PRIVATE KEY-----
refreshTokenValiditySeconds
¶The refresh token validity for the default zone if nothing is configured on the client. Will override global validity policies for the default zone only.
- Default
2.592e+06
queryString
¶
enabled
¶If set to true, the /oauth/token and /check_token endpoints accept GET and query string parameters
- Default
true
refresh
¶
format
¶The format for the refresh token. Allowed values are
jwt
,opaque
- Default
jwt
restrict_grant
¶Disallows refresh-token grant for any client for which the user has not approved the
uaa.offline_token
scope
- Default
false
unique
¶Revokes existing refresh tokens for client-user combination when creating a new refresh token. Note: only applies if
uaa.jwt.revocable
is true.
- Default
false
revocable
¶Set to true if you wish that even JWT tokens become individually revocable and stored in the UAA token storage. This setting applies to the default zone only.
- Default
false
signing_key
¶Deprecated. Use uaa.jwt.policy.keys. The key used to sign the JWT-based OAuth2 tokens.
verification_key
¶Deprecated. The key used to verify JWT-based OAuth2 tokens. If you are specifying your signing key(s) under uaa.jwt.policy.keys, the verification key does not need to be specified.
ldap
¶
add_shadow_user_on_login
¶If set to false, only users pre-populated in the UAA user database will be allowed to authenticate via LDAP. If set to true, any user from LDAP will be allowed to authenticate and an internal user will be created if one does not yet exist.
- Default
true
attributeMappings
¶Specifies how UAA user attributes map to LDAP attributes. given_name, family_name, and phone_number are UAA user attributes, while other attributes should be included using the prefix
user.attribute
- Example
family_name: sn given_name: givenName phone_number: telephoneNumber user.attribute.name-of-attribute-in-uaa-id-token: name-of-attribute-in-ldap-record user.attribute.name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-ldap-record
emailDomain
¶Sets the whitelist of emails domains that the LDAP identity provider handles
- Example
- whitelist-domain1.org - whitelist-domain2.org
enabled
¶Set to true to enable LDAP
- Default
false
externalGroupsWhitelist
¶Whitelist of external groups from LDAP that get added as roles in the ID Token
- Example
- admin - user
groups
¶
groupRoleAttribute
¶Used with groups-as-scopes, defines the attribute that holds the scope name(s).
- Default
spring.security.ldap.dn
groupSearchFilter
¶Search query filter to find the groups a user belongs to, or for a nested search, groups that a group belongs to
- Default
member={0}
maxSearchDepth
¶Set to number of levels a nested group search should go. Set to 1 to disable nested groups (default)
- Default
"1"
profile_type
¶What type of group integration should be used. Values are: ‘no-groups’, ‘groups-as-scopes’, ‘groups-map-to-scopes’
- Default
no-groups
searchBase
¶Search start point for a user group membership search, and sequential nested searches.. You can set this value to ‘memberOf’ when using Active Directory and skip group search but use the calculated memberOf field on the user records. No nested search will be performed.
- Default
""
searchSubtree
¶Boolean value, set to true to search below the search base
- Default
"true"
localPasswordCompare
¶Used with search-and-compare only. Set to true if passwords are retrieved by the search, and should be compared in the login server.
- Default
"true"
mailAttributeName
¶The name of the LDAP attribute that contains the users email address
- Default
mailSubstitute
¶Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication
- Default
""
mailSubstituteOverridesLdap
¶Set to true if you wish to override an LDAP user email address with a generated one
- Default
false
override
¶If the LDAP configuration has
override: false
set, the LDAP values will only be stored in the database if the LDAP has not been configured yet. If property is omitted, the default is override: true
passwordAttributeName
¶Used with search-and-compare only. The name of the password attribute in the LDAP directory
- Default
userPassword
passwordEncoder
¶Used with search-and-compare only. The encoder used to properly encode user password to match the one in the LDAP directory.
- Default
org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator
profile_type
¶The file to be used for configuring the LDAP authentication. Options are: ‘simple-bind’, ‘search-and-bind’, ‘search-and-compare’
- Default
search-and-bind
referral
¶Configures the UAA LDAP referral behavior. The following values are possible: - follow -> Referrals are followed - ignore -> Referrals are ignored and the partial result is returned - throw -> An error is thrown and the authentication is aborted Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
- Default
follow
searchBase
¶Used with search-and-bind and search-and-compare. Define a base where the search starts at.
- Default
""
searchFilter
¶Used with search-and-bind and search-and-compare. Search filter used. Takes one parameter, user ID defined as {0}
- Default
cn={0}
ssl
¶
skipverification
¶Set to true, and LDAPS connection will not validate the server certificate.
- Default
false
tls
¶If using StartTLS, what mode to enable. Default is none, not enabled. Possible values are none, simple
- Default
none
sslCertificate
¶Used with ldaps:// URLs. The certificate, if self signed, to be trusted by this connection.
storeCustomAttributes
¶Stores custom attribute mappings from the attributeMappings configuration in the database so that they can be retrieved using the /userinfo endpoint
- Default
true
url
¶The URL to the ldap server, must start with ldap:// or ldaps://. Allows multiple servers to be specified, space separated
- Example
ldap://localhost:389 ldaps://secure.host:636
userDN
¶Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permissions to perform a search of the LDAP tree for user information.
userDNPattern
¶Used with simple-bind only. A semi-colon separated lists of DN patterns to construct a DN direct from the user ID without performing a search.
userDNPatternDelimiter
¶The delimiter character in between user DN patterns for simple-bind authentication
- Default
;
userPassword
¶Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information.
limitedFunctionality
¶
statusFile
¶The UAA checks for the presence of this file. If this file exists, the UAA will continue to function but in limited mode. This means any authentication or token action will continue to work, but more API endpoints that change configuration will return 503 UNAVAILABLE. Normally, there is no need to change this value, unless you have other scripts that may rely on it
- Default
/var/vcap/data/uaa/bbr_limited_mode.lock
whitelist
¶
endpoints
¶Set the whitelisted API for UAA in degraded mode. Methods and Endpoints are unioned with each other: i.e. all methods are permitted for a whitelisted endpoint, and all endpoints are permitted for a whitelisted method
- Default
- /oauth/authorize/** - /oauth/token/** - /check_token/** - /login/** - /login.do - /logout/** - /logout.do - /saml/** - /autologin/** - /authenticate/** - /idp_discovery/**
methods
¶Set the whitelisted API for UAA in degraded mode. Methods and Endpoints are unioned with each other: i.e. all methods are permitted for a whitelisted endpoint, and all endpoints are permitted for a whitelisted method
- Default
- GET - HEAD - OPTIONS
localhost_http_port
¶The port on which UAA will accept HTTP traffic from the localhost machine only. Only used by monit to call the /healthz endpoint. Either use default or set to another value in range [1024-65535]. This port must not conflict with other ports configured on this VM, such as uaa.ssl.port.
- Default
8080
logging
¶
format
¶
timestamp
¶Format for timestamp in component logs. Valid values are ‘rfc3339’, ‘rfc3339-legacy’, and ‘deprecated’. ‘rfc3339’ sets the format to be {yyyy-MM-dd’T’HH:mm:ss.nnnnnn}{GMT+0}Z which is rfc3339 compliant but additionally has microsecond precision and is set to UTC timezone. ‘rfc3339-legacy’ sets the time format to be yyyy-MM-dd’T’HH:mm:ss.SSSXXX. ‘deprecated’ sets the time format to be yyyy-MM-dd HH:mm:ss.SSS.
- Default
rfc3339
logging_level
¶Set UAA logging level. (e.g. TRACE, DEBUG, INFO)
- Default
DEBUG
newrelic
¶To enable newrelic monitoring, the sub element of this property will be placed in a configuration file called newrelic.yml in the jobs config directory. The syntax that must adhere to documentation in https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file The JVM option -javaagent:/path/to/newrelic.jar will be added to Apache Tomcat’s startup script The enablement of the NewRelic agent in the UAA is triggered by the property uaa.newrelic.common.license_key The property uaa.newrelic.common.license_key must be set.
- Example
|+ uaa: newrelic: common: app_name: ((uaa_app_name)) license_key: ((uaa_license_key))
password
¶
policy
¶
expirePasswordInMonths
¶Number of months after which current password expires
- Default
0
global
¶expirePasswordInMonths
¶Number of months after which current password expires
- Default
0maxLength
¶Maximum number of characters required for password to be considered valid
- Default
255minLength
¶Minimum number of characters required for password to be considered valid
- Default
0requireDigit
¶Minimum number of digits required for password to be considered valid
- Default
0requireLowerCaseCharacter
¶Minimum number of lowercase characters required for password to be considered valid
- Default
0requireSpecialCharacter
¶Minimum number of special characters required for password to be considered valid
- Default
0requireUpperCaseCharacter
¶Minimum number of uppercase characters required for password to be considered valid
- Default
0
maxLength
¶Maximum number of characters required for password to be considered valid
- Default
255
minLength
¶Minimum number of characters required for password to be considered valid
- Default
0
requireDigit
¶Minimum number of digits required for password to be considered valid
- Default
0
requireLowerCaseCharacter
¶Minimum number of lowercase characters required for password to be considered valid
- Default
0
requireSpecialCharacter
¶Minimum number of special characters required for password to be considered valid
- Default
0
requireUpperCaseCharacter
¶Minimum number of uppercase characters required for password to be considered valid
- Default
0
proxy
¶
servers
¶Array of the router IPs acting as the first group of HTTP/TCP backends. These will be added to the proxy_ips_regex as exact matches.
- Default
[]
proxy_ips_regex
¶A pipe delimited set of regular expressions of IP addresses that are considered reverse proxies. When a request from these IP addresses come in, the x-forwarded-for and x-forwarded-proto headers will be respected.
- Default
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
rest
¶
template
¶
maxKeepAlive
¶Maximum time in ms that the connections of the RestTemplates are kept alive in the UAA
- Default
0- Example
0
maxPerRoute
¶Maximum number of connections to the same route that is used by the RestTemplates in the UAA
- Default
5- Example
5
maxTotal
¶Size of the connection pool used by the RestTemplates in the UAA
- Default
20- Example
20
timeout
¶Timeout for the RestTemplates used by the UAA in ms
- Default
10000- Example
10000
scim
¶
external_groups
¶External group mappings. Either formatted as an OpenStruct. As an OpenStruct, the mapping additionally specifies an origin to which the mapping is applied: origin1: external_group1: - internal_group1 - internal_group2 - internal_group3 external_group2: - internal_group2 - internal_group4 origin2: external_group3: - internal_group3 - internal_group4 - internal_group5
groups
¶Contains a hash of group names and their descriptions. These groups will be added to the UAA database for the default zone but not associated with any user. Example: uaa: scim: groups: my-test-group: ‘My test group description’ another-group: ‘Another group description’
user
¶
override
¶If true, override users defined in uaa.scim.users found in the database.
- Default
true
userids_enabled
¶Enables the endpoint
/ids/Users
that allows consumers to translate user ids to name
- Default
true
users
¶A list of users to be bootstrapped with authorities. These will be created in the default (
uaa
) zone. Each entry supports the following format: Short OpenStruct: - name: username password: password groups: - group1 - group2 Long OpenStruct: - name: username password: password groups: - group1 - group2 firstName: first name lastName: lastName email: email origin: origin-value - most commonly uaa
- Example
- email: [email protected] firstName: Marissa groups: - group_name lastName: Bloggs name: marissa origin: uaa password: koala
servlet
¶
idle-timeout
¶UAA session idle timeout in seconds.
- Default
1800
session-cookie
¶
max-age
¶Lifetime of the UAA session cookie in seconds. If -1, will use ‘Session’ lifetime.
- Default
-1
session-store
¶Select the backend where user sessions will be stored Valid options are: memory (use an in memory map structure), database (use the configured database as a session store)
- Default
memory
shutdown
¶
sleep
¶Used for draining connection during a graceful shutdown. When the UAA process receives a kill signal it will delay the shutdown for the configured number of milliseconds. During this period, the /healthz endpoint will return 503/stopping while all other endpoints continue to function.
- Default
5000
ssl
¶
port
¶The port on which UAA will accept HTTPS traffic. Either use default or set to another value in range [1024-65535]. This port must not conflict with other ports configured on this VM, such as uaa.localhost_http_port.
- Default
8443
port_header
¶The header to look for to determine the port where ssl termination was performed by a front end load balancer.
- Default
X-Forwarded-Port
protocol_header
¶The header to look for to determine if ssl termination was performed by a front end load balancer.
- Default
x-forwarded-proto
sslCertificate
¶The server’s ssl certificate. The default is a self-signed certificate and should always be replaced for production deployments
- Default
""- Example
|+ -----BEGIN CERTIFICATE----- MIIDAjCCAmugAwIBAgIJAJtrcBsKNfWDMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j aXNjbzEQMA4GA1UECgwHUGl2b3RhbDERMA8GA1UECwwISWRlbnRpdHkxFjAUBgNV BAMMDU1hcmlzc2EgS29hbGExIDAeBgkqhkiG9w0BCQEWEW1rb2FsYUBwaXZvdGFs LmlvMB4XDTE1MDczMDE5Mzk0NVoXDTI1MDcyOTE5Mzk0NVowgZkxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv MRAwDgYDVQQKDAdQaXZvdGFsMREwDwYDVQQLDAhJZGVudGl0eTEWMBQGA1UEAwwN TWFyaXNzYSBLb2FsYTEgMB4GCSqGSIb3DQEJARYRbWtvYWxhQHBpdm90YWwuaW8w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPVOIGvG8MFbkqi+ytdBHVbEGde4 jaCphmvGm89/4Ks0r+041VsS55XNYnHsxXTlh1FiB2KcbrDb33pgvuAIYpcAO2I0 gqGeRoS2hNsxzcFdkgSZn1umDAeoE4bCATrquN93KMcw/coY5jacUfb9P2CQztkS e2o+QWtIaWYAvI3bAgMBAAGjUDBOMB0GA1UdDgQWBBTkEjA4CEjevAGfnPBciyXC 3v4zMzAfBgNVHSMEGDAWgBTkEjA4CEjevAGfnPBciyXC3v4zMzAMBgNVHRMEBTAD AQH/MA0GCSqGSIb3DQEBCwUAA4GBAIEd8U32tkcvwG9qCOfe5raBENHM4ltTuhju zZWIM5Ik1bFf6+rA71HVDD1Z5fRozidhMOl6mrrGShfu6VUjtqzctJeSjaOPIJL+ wvrXXcAkCYZ9QKf0sqlUWcIRy90nqrD5sL/rHAjNjxQ3lqIOj7yWOgty4LUzFQNr FHiyd3T6 -----END CERTIFICATE-----
sslPrivateKey
¶The server’s ssl private key. Only passphrase-less keys are supported
- Default
""- Example
|+ -----BEGIN RSA PRIVATE KEY----- MIICXwIBAAKBgQD1TiBrxvDBW5KovsrXQR1WxBnXuI2gqYZrxpvPf+CrNK/tONVb EueVzWJx7MV05YdRYgdinG6w2996YL7gCGKXADtiNIKhnkaEtoTbMc3BXZIEmZ9b pgwHqBOGwgE66rjfdyjHMP3KGOY2nFH2/T9gkM7ZEntqPkFrSGlmALyN2wIDAQAB AoGBAPBvfz+kYt5iz0EuoMqTPBqLY3kZn1fWUbbZmGatxJyKq9UsW5NE2FDwWomn tXJ6d0PBfdOd2LDpEgZ1RSF5lobXn2m2+YeEso7A7yMiBRW8CIrkUn8wVA0s42t+ osElfvj73G2ZjCqQm6BLCjtFYnalmZIzfOCB26xRWaf0MJ7hAkEA/XaqnosJfmRp kmvto81LEvjVVlSvpo+6rt66ykywEv9daHWZZBrrwVz3Iu4oXlwPuF8bcO8JMLRf OH98T1+1PQJBAPfCj0r3fRhmBZMWqf2/tbeQPvIQzqSXfYroFgnKIKxVCV8Bkm3q 1rP4c0XDHEWYIwvMWBTOmVSZqfSxtwIicPcCQQDCcRqK7damo5lpvmpb0s3ZDBN9 WxI1EOYB6NQbBaG9sTGTRUQbS5u4hv0ASvulB7L3md6PUJEYUAcMbKCMs7txAkEA 7C8pwHJba0XebJB/bqkxxpKYntPM2fScNi32zFBGg2HxNANgnq3vDNN8t/U+X02f oyCimvs0CgUOknhTmJJSkwJBAPaI298JxTnWncC3Zu7d5QYCJXjU403Aj4LdcVeI 6A15MzQdj5Hm82vlmpC4LzXofLjiN4E5ZLluzEw+1TjRE7c= -----END RSA PRIVATE KEY-----
url
¶The base url of the UAA
user
¶
authorities
¶Contains a list of the default authorities/scopes assigned to a user
- Default
- openid - scim.me - cloud_controller.read - cloud_controller.write - cloud_controller_service_permissions.read - password.write - uaa.user - approvals.me - oauth.approvals - notification_preferences.read - notification_preferences.write - profile - roles - user_attributes - uaa.offline_token
zones
¶
internal
¶
hostnames
¶A list of hostnames that are routed to the UAA, specifically the default zone in the UAA. The UAA will reject any Host headers that it doesn’t recognize. By default the UAA recognizes: The hostname from the property uaa.url The hostname from the property login.url localhost (in order to accept health checks) Any hostnames added as a list are additive to the default hostnames allowed.
- Example
- hostname1 - hostname2.localhost - hostname3.example.com
uaadb
¶
address
¶The UAA database IP address. If this property is not set, the UAA will look for a
database
link and use the first instance address it can find in the list
databases
¶The list of databases used in UAA database including tag/name. The UAA will always look for the
uaa
tag and use the database name from that tag
- Example
- name: uaa tag: uaa
db_scheme
¶Database scheme for UAA DB. Supported schemes: postgres, mysql
port
¶The UAA database Port
roles
¶The list of database Roles used in UAA database including tag/name/password The UAA will always look for the tag
admin
and use thename
andpassword
properties as the database credentials
- Example
- name: uaa password: database-password-for-user-uaa tag: admin
tls
¶Use TLS connection for UAA database. Valid options are: enabled (use TLS with full certificate validation), enabled_skip_hostname_validation (use TLS but skip validation of common and alt names in the host certificate), enabled_skip_all_validation (use TLS but do not validate anything about the host certificate), disabled (do not use TLS)
The database’s CA certificate required when TLS is enabled should be added to the uaa.ca_certs configuration field.
- Default
enabled
tls_protocols
¶If using TLS, this property can be used to narrow down the protocols used by the UAA database driver. This option only takes effect when using
mysql
asuaadb.db_scheme
. The default is null, the database driver will pick the protocol to use. The values can be comma separated. PostgreSQL defaults to TLSv1.2 through the JDBC driver.
- Example
TLSv1.2,TLSv1.1
Templates¶
Templates are rendered and placed onto corresponding
instances during the deployment process. This job's templates
will be placed into /var/vcap/jobs/uaa/
directory
(learn more).
bin/bbr/post-backup-unlock
(frombbr/post-backup-unlock.sh.erb
)bin/bbr/post-restore-unlock
(frombbr/post-restore-unlock.sh
)bin/bbr/pre-backup-lock
(frombbr/pre-backup-lock.sh.erb
)bin/bbr/pre-restore-lock
(frombbr/pre-restore-lock.sh.erb
)bin/configure_newrelic
(frombin/configure_newrelic.erb
)bin/configure_proxy
(frombin/configure_proxy.erb
)bin/dns/healthy
(frombin/dns/healthy.erb
)bin/health_check
(frombin/health_check.erb
)bin/post-start
(frombin/post-start
)bin/pre-start
(frombin/pre-start.erb
)bin/uaa
(frombin/uaa
)config/bpm.yml
(fromconfig/bpm.yml.erb
)config/ldap.crt
(fromconfig/ldap.crt.erb
)config/log4j2.properties
(fromconfig/log4j2.properties.erb
)config/messages.properties
(fromconfig/messages.properties.erb
)config/newrelic.yml
(fromconfig/newrelic.yml.erb
)config/tomcat/context.xml
(fromconfig/tomcat/tomcat.context.xml.erb
)config/tomcat/logging.properties
(fromconfig/tomcat/tomcat.logging.properties
)config/tomcat/server.xml
(fromconfig/tomcat/tomcat.server.xml.erb
)config/uaa.crt
(fromconfig/uaa.crt.erb
)config/uaa.yml
(fromconfig/uaa.yml.erb
)
Packages¶
Packages are compiled and placed onto corresponding
instances during the deployment process. Packages will be
placed into /var/vcap/packages/
directory.