Managing Identity Providers
An Identity Provider (IdP) manages accounts for users who may need secure access to applications or services. A Service Provider (SP) is the server that receives a request from a user for access to a service or application. In a typical SAML flow, when a user requests a service from the SP, the SP first requests and obtains an identity assertion from the IdP. The IdP receives the request from the SP and generates an identity assertion based on the user account information. The SP then decides whether to perform the service based on the assertion provided by the IdP. UAA supports the SAML protocol for communicating with IdPs and SPs.
- If you administer user accounts locally in UAA using the UAA SCIM APIs or the UAA Dashboard, then UAA is your default identity provider. You do not need any additional identity provider configuration in UAA.
- If you provision your user accounts remotely on an external IdP such as Company SSO, you can configure UAA as an SP that redirects to the external IdP. For more information, see Configuring UAA as Service Provider for External Identity Provider.
- If you have applications that provide SP capability (for example, GitHub Enterprise or ServiceNow), you can configure UAA as an IdP. For more information, see Configuring UAA as an Identity Provider.
- It is possible to configure UAA as both SP and IdP. However, such a configuration is useful only as a test environment. To set up UAA as both SP and IdP, complete the steps for configuring UAA as both SP and IdP.
Configuring UAA as Service Provider for External Identity Provider
If you provision your user accounts remotely on an Identity Provider (IdP) such as Company SSO, you can configure UAA as a Service Provider (SP) that redirects to the external IdP.
Before You Begin
- Obtain your Identity Provider (IdP) metadata from your IdP administrator.
- Log in to Predix.io and go to the Console view.
About This Task
Complete the following procedure to configure UAA as an SP for an external IdP:
Procedure
Configuring UAA as a Service Provider Using Scripts
As an optional procedure, you can use UAAC and the configuration scripts instead of the UAA Dashboard to configure UAA as a service provider.
Before You Begin
- Download the following scripts from GitHub.
create-saml-idp.sh
create-client-for-idp.sh
About This Task
You can configure UAA as a Service Provider (SP) that redirects to an external Identity Provider (IdP) such as Company SSO.
You can use the UAA command-line interface (UAAC) to manage your UAA instance. For more information on installing the command-line interface, see https://github.com/cloudfoundry/cf-uaac.
Procedure
Results
To test your setup, use the following URL:
<uaa_instance_url>/oauth/authorize?client_id=<my_app>&response_type=code&redirect_uri=<redirect_uri>
where:
- client_id (<my_app>) is the name of the client provisioned in step 6.
- redirect_uri is the application URL, for example https://security-predix-seed.grc-apps.svc.ice.ge.com.
The request is redirected to your IdP login page, where you can enter the credentials for the user that you provisioned on your IdP. If login is successful, you are redirected back to redirect_uri.
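The following script is an added example (not part of the UAA documentation or its scripts) for exercising the test URL above: it builds the /oauth/authorize URL with a correctly encoded redirect_uri, checks that an unauthenticated request is answered with a redirect rather than an error, and recognises when the redirect target already carries the SAML AuthnRequest that SAML Tracer would display. Host names and the client name in it are constructed placeholders.

```shell
#!/bin/sh
# Constructed example; uaa.example.com, app.example.com and my_app are placeholders.

# Percent-encode a value so redirect_uri survives as one query parameter. UAA compares
# redirect_uri with the value registered on the client, so it must decode to exactly that URI.
urlencode() {
  local s out c
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"; s="${s#?}"
    case "$c" in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the test URL from the template in the Results section.
build_authorize_url() {
  local uaa client redirect
  uaa="$1"; client="$2"; redirect="$3"
  printf '%s/oauth/authorize?client_id=%s&response_type=code&redirect_uri=%s' \
    "${uaa%/}" "$(urlencode "$client")" "$(urlencode "$redirect")"
}

# Read response headers (as dumped by `curl -D -`) on stdin; print the Location target when
# the response is a redirect, fail otherwise (a 200 page or a 400 "invalid redirect_uri" is a misconfiguration).
redirect_target() {
  local headers status location
  headers=$(cat)
  status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p')
  location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | tr -d '\r' | head -n 1)
  case "$status" in
    302|303|307) [ -n "$location" ] && printf '%s\n' "$location" ;;
    *) return 1 ;;
  esac
}

# True when a redirect target is the IdP SSO endpoint carrying a SAML AuthnRequest.
is_saml_request() {
  case "$1" in *'?SAMLRequest='*|*'&SAMLRequest='*) return 0 ;; *) return 1 ;; esac
}

# Live run (needs network): ./check.sh --live <uaa_instance_url> <client_id> <redirect_uri>
if [ "${1:-}" = "--live" ]; then
  url=$(build_authorize_url "$2" "$3" "$4")
  target=$(curl -sS -o /dev/null -D - "$url" | redirect_target) || { echo "not a redirect: $url" >&2; exit 1; }
  echo "redirected to: $target"
fi
```

The first hop from /oauth/authorize is normally UAA's own login page; follow the chain (curl -L with -D -) until a target satisfies is_saml_request to confirm the external IdP is actually being invoked.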
You can use SAML Tracer for Firefox to validate the SAML flow.
Updating IdP Configuration
Before You Begin
- Download the following scripts from GitHub.
update-saml-idp.sh
About This Task
Procedure
Identifying IdP Using Email Domain
You can configure UAA to use the email domain to identify the identity provider if you have configured more than one external identity provider.
About This Task
Procedure
- In UAA Dashboard, select the Customization tab.
- In the Customization page, turn on the Enable IDP Discovery option.
- Click Save.
Configuring UAA as an Identity Provider
If you have applications that provide Service Provider (SP) capability (for example, GitHub Enterprise or ServiceNow), you can configure UAA as an Identity Provider (IdP).
Before You Begin
- Obtain your SP metadata from your administrator.
- Log in to Predix.io and go to the Console view.
About This Task
Complete the following procedure to configure UAA as a SAML IdP that integrates with other service providers.
Procedure
Configuring UAA as an Identity Provider Using Scripts
As an optional procedure, you can use the configuration scripts instead of the UAA Dashboard to configure UAA as an Identity Provider.
Before You Begin
- Download the following script from GitHub.
create-saml-sp.sh
About This Task
You can configure UAA as a SAML identity provider to integrate with other service providers.