In the UAA pane, you configure the User Account and Authentication (UAA) server.
To configure the UAA pane:
Click UAA.
Under UAA database location, select one of these options:
Caution Protect whichever database you use in your deployment with a password.
(Optional) If you selected External database, complete these fields as follows.
rds_port
in the Terraform output.3306
.rds_username
from your Terraform output.tas_sql_username
from your Terraform output.rds_password
from your Terraform output.tas_sql_password
from your Terraform output.Important The CA certificate text box only works if your external database host name matches a name specified in the certificate. This is not true with GCP CloudSQL.
(Optional) Under JWT issuer URI, enter the URI that UAA uses as the issuer when generating tokens.
Under SAML service provider credentials, enter a certificate and private key to be used by UAA as a SAML service provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a certificate. The domain *.login.SYSTEM-DOMAIN
must be associated with the certificate, where SYSTEM-DOMAIN
is the System domain you configured in the Domains pane.
Important The Operations Manager Single Sign-On Service and Operations Manager Spring Cloud Services tiles require the *.login.SYSTEM-DOMAIN
.
Under SAML service provider credentials, enter a certificate and private key to be used by UAA as a SAML service provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a certificate. The domain *.login.SYSTEM-DOMAIN
must be associated with the certificate, where SYSTEM-DOMAIN
is the System domain you configured in the Domains pane.
Important The Operations Manager Single Sign-On Service and Operations Manager Spring Cloud Services tiles require the *.login.SYSTEM-DOMAIN
.
If the private key specified under SAML service provider credentials is password-protected, enter the password under Private key password.
(Optional) To override the default value, enter a custom SAML Entity ID in the SAML Entity ID override text box. By default, the SAML Entity ID is http://login.SYSTEM-DOMAIN
, where SYSTEM-DOMAIN
is the System domain you configured in the Domains pane.
For Signature algorithm, choose an algorithm from the drop-down menu to use for signed requests and assertions. The default value is SHA256.
(Optional) In the Apps Manager access token lifetime, Cloud Foundry CLI access token lifetime, and Cloud Foundry CLI refresh token lifetime text boxes, change the lifetimes of tokens granted for Apps Manager and cf CLI login access and refresh. Most deployments use the defaults.
(Optional) In the Global login session maximum timeout and Global login session idle timeout text boxes, change the maximum number of seconds before a global login times out. These text boxes apply to:
(Optional) Customize the text prompts used for the user name and password from the cf CLI and Apps Manager login pop-up by entering values for Username label and Password label.
(Optional) The Proxy IPs regular expression field text box contains a pipe-separated set of regular expressions that UAA considers to be reverse proxy IP addresses. UAA respects the x-forwarded-for
and x-forwarded-proto
headers coming from IP addresses that match these regular expressions. To configure UAA to respond properly to Gorouter or HAProxy requests coming from a public IP address, append a regular expression or regular expressions to match the public IP address.
(Optional) Deselect the Client basic auth compatibility mode check box to require URL encoding for UAA client basic authentication credentials. By default, the check box is selected and URL encoding is not required. This represents the default behavior of UAA before UAA v74.0.0. URL encoding is defined by RFC6749. For more information, see RFC6749. To require URL encoding for certain UAA clients without deactivating compatibility mode, use the X-CF-ENCODED-CREDENTIALS=true
HTTP header.
CautionIf you deselect the Client basic auth compatibility mode check box, URL encoding is required for all UAA client apps in your deployment. To avoid breaking changes, ensure that all client apps support URL encoding before you deselect the check box.
(Optional) If you are using Single Sign-On for VMware Tanzu Application Service and you want to honor the CORS policy for custom identity zones, deselect the Enforce system zone CORS policy across all identity zones check box. This check box is selected by default. If you use Single Sign-On, UAA creates custom identity zones. If you leave this check box selected, UAA ignores the CORS policy for custom identity zones and applies the system default identity zone CORS policy to all zones.
CautionIf you deselect the Enforce system zone CORS policy across all identity zones check box, apps that are integrated with Single Sign-On might experience downtime because the default CORS policy of the custom identity zones is more restrictive. To prevent downtime, you must explicitly set the CORS policy of the custom identity zones according to the needs of your apps. For more information, see the Managing Service Plan Configurations in the Single Sign-On documentation.
(Optional) To override the default UAA internal user password policies, see Configuring UAA Password Policy.
Click Save.