
login job from cf/213

Handles authentication in Cloud Foundry and delegates all other identity management tasks to the UAA. Also provides OAuth2 endpoints issuing tokens to client apps for Cloud Foundry (the tokens come from the UAA and no data are stored locally).

Github source: 4ac0c237 or master branch

Properties

domain

The domain name for this CloudFoundry deploy

env

http_proxy

The http_proxy across the VMs

https_proxy

The https_proxy across the VMs

no_proxy

The no_proxy setting across the VMs

login

analytics

code

Analytics code

domain

Analytics domain

asset_base_url

Base URL for static assets; allows custom styling of the login server. Use '/resources/pivotal' for Pivotal style.

brand

The brand to use for the password reset emails; available values are oss and pivotal

Default
oss

catalina_opts

entity_id

Deprecated: Use login.saml.entityid

invitations_enabled

Allows users to send invitations to email addresses outside the system and invite them to create an account. Disabled by default.

ldap

localPasswordCompare

Deprecated: Use UAA configuration.

Default
"true"
passwordAttributeName

Deprecated: Use UAA configuration.

Default
userPassword
passwordEncoder

Deprecated: Use UAA configuration.

Default
org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator
profile_type

Deprecated: Use UAA configuration.

searchBase

Deprecated: Use UAA configuration.

Default
""
searchFilter

Deprecated: Use UAA configuration.

Default
cn={0}
sslCertificate

Deprecated: Use UAA configuration.

sslCertificateAlias

Deprecated: Use UAA configuration.

url

Deprecated: Use UAA configuration.

userDN

Deprecated: Use UAA configuration.

userDNPattern

Deprecated: Use UAA configuration.

userPassword

Deprecated: Use UAA configuration.

A hash of home/passwd/signup URLs (see the commented examples in the job spec)

home

URL for primary console/dashboard for users

Default
https://console.run.pivotal.io
network

URL for Pivotal Network

Default
https://network.gopivotal.com/login
passwd

URL for requesting password reset

Default
https://console.run.pivotal.io/password_resets/new
signup

URL for requesting to signup/register for an account

Default
https://console.run.pivotal.io/register
signup-network

URL for requesting to signup/register for an account at Pivotal Network

Default
https://network.gopivotal.com/registrations/new

messages

A nested or flat hash of messages that the login server uses to display UI messages. This will be flattened into a java.util.Properties file: each property key is the path of nested keys concatenated with dots, for example scope.tokens.read=message. Both examples below produce the same four properties.

Nested example:

    messages:
      scope:
        tokens:
          read: View details of your approvals you have granted to this and other applications
          write: Cancel the approvals like this one that you have granted to this and other applications
        cloud_controller:
          read: View details of your applications and services
          write: Push applications to your account and create and bind services

Flat example:

    messages:
      scope.tokens.read: View details of your approvals you have granted to this and other applications
      scope.tokens.write: Cancel the approvals like this one that you have granted to this and other applications
      scope.cloud_controller.read: View details of your applications and services
      scope.cloud_controller.write: Push applications to your account and create and bind services
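The flattening described above, as an added Ruby example (this is not the job's own messages.properties.erb template). It parses both the nested and the flat form of the example from the property description, flattens them to dot-delimited keys, and renders java.util.Properties lines; the key escaping follows the Properties file format, and the YAML strings are copied from the examples above.

```ruby
require 'yaml'

# Both examples from the property description above, embedded here as YAML strings.
NESTED_YAML = <<~YAML
  messages:
    scope:
      tokens:
        read: View details of your approvals you have granted to this and other applications
        write: Cancel the approvals like this one that you have granted to this and other applications
      cloud_controller:
        read: View details of your applications and services
        write: Push applications to your account and create and bind services
YAML

FLAT_YAML = <<~YAML
  messages:
    scope.tokens.read: View details of your approvals you have granted to this and other applications
    scope.tokens.write: Cancel the approvals like this one that you have granted to this and other applications
    scope.cloud_controller.read: View details of your applications and services
    scope.cloud_controller.write: Push applications to your account and create and bind services
YAML

# Flatten a nested hash into dot-delimited keys. A key that already contains dots
# (the flat form) is kept as-is, so nested and flat input yield identical output.
def flatten_messages(hash, prefix = nil, out = {})
  hash.each do |key, value|
    full_key = prefix ? "#{prefix}.#{key}" : key.to_s
    if value.is_a?(Hash)
      flatten_messages(value, full_key, out)
    else
      out[full_key] = value.to_s
    end
  end
  out
end

# java.util.Properties terminates a key at the first unescaped '=', ':' or
# whitespace, and treats a leading '#' or '!' as a comment marker, so those
# characters (and backslash) are escaped in keys; backslash is escaped in values.
def escape_properties_key(key)
  key.gsub(/[\\=: #!]/) { |c| "\\#{c}" }
end

def escape_properties_value(value)
  value.gsub('\\') { '\\\\' }
end

# Render the flattened hash as the contents of a .properties file, sorted so the
# output is stable regardless of which input form was used.
def to_properties(flat)
  flat.sort.map { |k, v| "#{escape_properties_key(k)}=#{escape_properties_value(v)}" }.join("\n") + "\n"
end

def messages_from_yaml(text)
  flatten_messages(YAML.safe_load(text).fetch('messages'))
end

if __FILE__ == $PROGRAM_NAME
  puts to_properties(messages_from_yaml(NESTED_YAML))
  puts(messages_from_yaml(NESTED_YAML) == messages_from_yaml(FLAT_YAML) ? 'nested == flat' : 'MISMATCH')
end
```

Run it directly to print the four rendered properties; the final line confirms that the nested and flat forms flatten to the same hash.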

notifications

url

The URL for the notifications service (configure this to use the Notifications Service instead of an SMTP server)

port

Default
8080

protocol

The scheme (http or https) the login server should use to contact the UAA

Default
http

restricted_ips_regex

A pipe-delimited set of regular expressions matching the client IP addresses that can reach the listening HTTP port of the server. The default covers the RFC 1918 private ranges plus link-local and loopback addresses.

Default
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
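An added Ruby example (not code from the login server) showing how the default regex above behaves when applied to a client address. The page does not state whether the server matches the whole address or searches for a substring, so the example shows both, beside a CIDR membership check using Ruby's IPAddr, which is what the regex approximates. The sample addresses are constructed.

```ruby
require 'ipaddr'

# The default value of login.restricted_ips_regex, copied from the property description.
DEFAULT_RESTRICTED_IPS_REGEX =
  '10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|' \
  '127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|' \
  '172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}'

# The ranges the default regex is meant to express (RFC 1918, link-local, loopback).
PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8]
                 .map { |cidr| IPAddr.new(cidr) }.freeze

# Substring search, i.e. Java's Matcher#find: any alternative occurring anywhere
# in the string counts as a match, so "110.0.0.1" passes via its "10.0.0.1" tail.
def allowed_unanchored?(ip, regex = DEFAULT_RESTRICTED_IPS_REGEX)
  Regexp.new(regex).match?(ip)
end

# Whole-string match, i.e. Java's Matcher#matches / String#matches: the
# alternation is wrapped in a group and anchored at both ends. Note that
# \d{1,3} still accepts octets above 255.
def allowed_anchored?(ip, regex = DEFAULT_RESTRICTED_IPS_REGEX)
  Regexp.new("\\A(?:#{regex})\\z").match?(ip)
end

# Reference check: parse the address and test CIDR membership. Rejects anything
# that is not a well-formed IPv4 address (IPAddr raises on an octet of 999).
def allowed_cidr?(ip)
  addr = IPAddr.new(ip)
  addr.ipv4? && PRIVATE_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

def classify(ip)
  { unanchored: allowed_unanchored?(ip), anchored: allowed_anchored?(ip), cidr: allowed_cidr?(ip) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample addresses: an internal host, a public address that merely
  # contains a private-looking substring, an impossible octet, an address just
  # outside 172.16/12, and a public host.
  %w[10.0.0.1 110.0.0.1 10.999.1.1 172.32.0.1 8.8.8.8].each do |ip|
    printf("%-12s %s\n", ip, classify(ip).inspect)
  end
end
```

The two rows that differ between the columns are the ones to watch: an unanchored match lets a public address through on a substring, and even an anchored match accepts an octet that is not a valid IPv4 value. If you override the default, anchor each alternative and keep the set as tight as the CIDR list it stands in for.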

saml

assertion_consumer_index

Deprecated: Use login.saml.providers list objects

Default
1
entityid

The ID to represent this server

idpEntityAlias

Deprecated: Use login.saml.providers list objects

idpMetadataURL

Deprecated: Use login.saml.providers list objects

idp_metadata_file

Deprecated: Use login.saml.providers list objects

keystore_key

Key name of the SAML login server keystore.

Default
selfsigned
keystore_name

Name of the SAML login server keystore.

Default
samlKeystore.jks
keystore_password

Key password to the SAML login server keystore.

Default
password
metadataTrustCheck

Deprecated: Use login.saml.providers list objects

Default
true
nameidFormat

Deprecated: Use login.saml.providers list objects

Default
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
providers

A hash of SAML identity providers keyed by IDP alias; each entry holds key/value pairs for idpMetadata, nameID, assertionConsumerIndex, metadataTrustCheck, showSamlLoginLink, linkText and iconUrl

serviceProviderCertificate

Service provider certificate.

serviceProviderKey

Private key for the service provider certificate.

serviceProviderKeyPassword

Password to protect the service provider private key.

signMetaData

Whether to sign XML metadata

Default
true
signRequest

Whether to sign authentication requests

Default
true
socket

connectionManagerTimeout

Timeout in milliseconds for connection pooling for SAML metadata HTTP requests

soTimeout

Read timeout in milliseconds for SAML metadata HTTP requests

self_service_links_enabled

Enable account creation and password reset links in the login server. Enabled by default.

signups_enabled

Enable account creation and password reset links in the login server. Enabled by default. (DEPRECATED: Use login.self_service_links_enabled instead)

smtp

SMTP server configuration, for password reset emails etc.

host

SMTP server host address

Default
localhost
password

SMTP server password

port

SMTP server port

Default
2525
user

SMTP server username

spring_profiles

Deprecated: Use UAA configuration.

tiles

A list of links to other services to show on the landing page after logging in and/or signing up, depending on whether login-link and/or signup-link is specified.

uaa_base

Location of the UAA.

uaa_certificate

Certificate to import if the UAA is using self-signed certificates

nats

machines

IP of each NATS cluster member.

password

Password for NATS login

port

TCP port of NATS server

user

User name for NATS login

networks

apps

The Login network name

uaa

clients

login
secret

Login client secret - overrides uaa.login.client_secret

dump_requests

login

client_secret

Deprecated. Default login client secret if no login client is defined

require_https

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/login/ directory.

  • bin/install_crt (from install_crt.erb)
  • bin/login_cf-registrar_ctl (from cf-registrar_ctl)
  • bin/login_ctl (from login_ctl.erb)
  • config/cf-registrar/config.yml (from cf-registrar.config.yml.erb)
  • config/log4j.properties (from log4j.properties.erb)
  • config/login.yml (from login.yml.erb)
  • config/messages.properties (from messages.properties.erb)
  • config/tomcat/logging.properties (from tomcat.logging.properties)
  • config/tomcat/server.xml (from tomcat.server.xml.erb)
  • config/tomcat/web.xml (from web.xml.erb)
  • config/uaa.crt (from uaa.crt.erb)
  • config/varz.yml (from varz.yml.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.