This topic tells you how to update the configuration of identity providers by using the User Account and Authentication Command Line Interface (UAAC).

For instructions on configuring identity providers, see Configuring Identity Providers.

Create a UAA Identity Zone Admin Client

To use the UAAC with your Single Sign‑On for VMware Tanzu Application Service service plan, you need an identity zone admin client. To create the identity zone admin client, you must create a UAA admin client that corresponds to your Single Sign‑On service plan.

Create an admin client

To create a UAA admin client:

1. Follow the procedure in Create an admin client.

2. Using the preceding instructions, give the admin client the idps.read, idps.write and, clients.admin scopes.

3. Record the App ID and App Secret. You need these for the procedure below.

Create a UAA identity zone admin client

To create a UAA identity zone admin client:

1. Install the UAAC as follows:

   gem install cf-uaac
   

   For information about the UAAC, see the UAAC Github Repository.

2. Use the UAAC to target your service plan:

   uaac target MY-AUTH-DOMAIN.login.example.com
   

   Where MY-AUTH-DOMAIN is the Auth Domain you entered when you created the Service Plan.

3. Run the following command to authenticate and obtain an access token for the admin client for your service plan. UAAC stores the token in ~/.uaac.yml.

   uaac token client get MY-APP-ID -s MY-APP-SECRET
   

   Where:

   • MY-APP-ID is your admin app ID.
   • MY-APP-SECRET is your app secret.

   Use the App ID and App Secret provided when you created the admin client in the preceding procedure.

4. Run the following command to display your client context and verify that you have idps.read, idps.write, and clients.admin under the scope section.

   uaac context
   

   For example:

   $ uaac context
   [1]*[ExampleAppID]
     client_id: ExampleAppID
       access_token: aBcdEfg0hIJKlm123.e
       token_type: bearer
       expires_in: 43200
       scope: uaa.resource idps.read idps.write clients.admin
       jti: 91b3-abcd1233
   

5. Run this command to create an identity zone admin client.
   

   uaac client add ZONE-ADMIN-CLIENT-ID --authorized_grant_types client_credentials --authorities uaa.admin
   

   Where ZONE-ADMIN-CLIENT-ID is an ID you want to use to identify this zone admin client.

   When prompted for a New client secret, provide a client secret for this identity zone admin client. Ensure that you use a secure value for your client secret.

   For example:

   $ uaac client add ExampleZoneAdminClientID --authorized\_grant\_types client\_credentials --authorities uaa.admin
   New client secret:  *****
   Verify new client secret:  *****
   

   Record the values you provide for ZONE-ADMIN-CLIENT-ID and New client secret.

   You can delete the original admin client created through the SSO Operator Dashboard after you create the identity zone client.

6. Run this command to authenticate and obtain an access token for the identity zone admin client for your service plan.

   uaac token client get ZONE-ADMIN-CLIENT-ID
   

   Where ZONE-ADMIN-CLIENT-ID is zone admin client ID you provided earlier in the procedure.

   When prompted for a Client secret, use the client secret you provided earlier.

   For example:

   $ uaac token client get ExampleZoneAdminClientID
   Client secret:  *****
   

7. Use the following command to display your client context and verify that you have uaa.admin under the scope section.

   uaac context
   

   For example:

   $ uaac context
   [1]*[ExampleZoneAdminClientID]
     client_id: ExampleZoneAdminClientID
       access_token: asdioqwuelk12312.e21e
       token_type: bearer
       expires_in: 43200
       scope: uaa.admin
       jti: 123908dkl1-23298
   

   You can now do operator level API configurations for the Single Sign‑On service plan. You do not have permissions for any other Single Sign‑On service plan.

Update UAA Identity Provider Configurations with the API

This section shows how to use the UAAC to update UAA identity provider configurations, using a PUT command.

This flow is for advanced users only. You must always run the PUT command with the latest data by doing a GET before the PUT command. You must also provide all configuration values, otherwise, data can be lost.

For general information about UAAC, see the CF UAA API documentation page.

To make UAA identity provider API calls, do the following:

1. Create an identity zone admin client following Create a UAA Identity Zone Admin Client above.

2. To retrieve your identity provider ID, run the following command:

   uaac curl -k /identity-providers > ID-TEXT.txt
   

   Where:

   • YOUR-IDENTITY-PROVIDER-ID is your identity provider ID.
   • ID-TEXT.txt is the name of your text file.

   The command above outputs a JSON blob similar to the example below.

   {
     "type" : "uaa",
     "config" : "null",
     "id" : "4be9d903-b6ce-4a57-9c56-94e731b58628",
     "originKey" : "uaa",
     "name" : "uaa",
     "version" : 3,
     "created" : 946684800000,
     "last_modified" : 1538589026045,
     "active" : true,
     "identityZoneId" : "uaa"
   }
   

   Your identity provider ID is the value of id. In most cases, this command returns one identity provider. If there are several, you can identify your identity provider by the name.

3. Run the following command, directing the output to a text file:

   uaac curl -k /identity-providers/YOUR-IDENTITY-PROVIDER-ID > JSON-BLOB.txt
   

   Where:

   • YOUR-IDENTITY-PROVIDER-ID is the identity provider ID retrieved in the above step.
   • JSON-BLOB.txt is the name of your text file.

4. The command above outputs a JSON blob similar to the example below. Confirm that the ID in this output matches YOUR-IDENTITY-PROVIDER-ID.

   {
     "type": "uaa",
     "config": "{"emailDomain\":null,
     \"additionalConfiguration\":null,
     \"providerDescription\":null,
     \"passwordPolicy\":null,
     \"lockoutPolicy\":null,
     \"disableInternalUserManagement\":false}",
     "id": "b38dfbbc-f187-4eeb-a3f3-21a3c72c6975",
     "originKey": "uaa",
     "name": "uaa",
     "version": 0,
     "created": 1530220213000,
     "last_modified": 1530220213000,
     "active": true,
     "identityZoneId": "uaa"
   }
   

5. In your JSON-BLOB.txt, update the configurations in the JSON blob as needed, and then save the file.

   You must provide all config values, otherwise, data can be lost when doing an API update as a PUT command.

6. Submit a UAAC curl request to apply your updated configurations to the identity provider, as shown below.

   You must always run this command with the latest data by doing a GET before the following PUT command.

   uaac curl -k /identity-providers/YOUR-IDENTITY-PROVIDER-ID -X PUT
   \-H 'Content-Type: application/json' -d "$(cat file.txt)"
   

   Where YOUR-IDENTITY-PROVIDER-ID is the identity provider ID retrieved in the above step.

   A minimal example command would look similar to the following:

   $ uaac curl -k /identity-providers/b38dfbbc-f187-4eeb-a3f3-21a3c72c6975\
      -X PUT \
      -H 'Content-Type: application/json' \
      -d '{
          "type": "uaa",
          "config": {
              "emailDomain": null,
              "providerDescription": null,
              "passwordPolicy": null,
              "lockoutPolicy": {
                  "lockoutPeriodSeconds": 8,
                  "lockoutAfterFailures": 8,
                  "countFailuresWithin": 8
              },
              "disableInternalUserManagement": false
          },
          "originKey": "uaa",
          "name": "uaa",
          "version": 0,
          "active": true
          }'
   

   For a full list of UAA API update parameters, see the Identity Providers Update Documentation.

Enable Client Auth for OpenID Connect (OIDC)

Some OIDC providers only support client secrets via POST instead of through basic authentication.

Microsoft Entra ID integrations using the response type of code only work with clientAuthInBody.

To enable client authentication via POST, do the following:

1. Follow the steps 1-4 in Update UAA Identity Provider Configurations with the API above.

2. In step 5, add the following line to the config section in the JSON blob:

   "clientAuthInBody": true
   

3. Complete the procedure by following step 6.

For more information about client authentication, see OAuth/OIDC in the UAA API documentation.

Enable Password Grant for OpenID Connect (OIDC)

You can enable OIDC password grant to permit native apps to forward credentials to an enterprise identity provider for authentication.

To enable OIDC password grant, do the following:

1. Follow the steps 1-4 in Update UAA Identity Provider Configurations with the API above.

2. In step 5, add the following line to the config section in the JSON blob:

   "passwordGrantEnabled": true
   

3. Complete the procedure by following step 6.

For more information about OIDC password grant, see OAuth/OIDC in the UAA API documentation.

Skip SSL Validation for SAML

For cases where the SAML provider is configured using a valid SAML URL and a self-signed certificate, you might need to skip SSL validation.

This section assumes you have created the SAML identity provider, most likely by providing the SAML metadata directly. For more information, see Add a SAML Provider.

To enable skipping SSL validation, do the following:

1. Follow the steps 1-4 in Update UAA Identity Provider Configurations with the API above.

2. In step 5, add the following line to the config section in the JSON blob:

   "skipSslValidation": true
   

3. Complete the procedure by following step 6.

For more information about skipping SSL validation, see SAML in the UAA API documentation.

To test your identity provider configurations, you can deploy the Single Sign‑On for VMware Tanzu Application Service Sample Applications to validate the effects of the instructions given in this guide.