uaa job from cf/240
The UAA is the identity management service for Cloud Foundry. Its primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions.
Github source: cf65a6e9 or master branch
Properties
domain
Deprecated. Use uaa.url for setting the location of UAA.
env
http_proxy
The http_proxy across the VMs.
https_proxy
The https_proxy across the VMs.
no_proxy
Set no_proxy across the VMs.
- Example
localhost,127.0.0.0/8,127.0.1.1
login
analytics
code
Google Analytics code. If Google Analytics is desired, set both login.analytics.code and login.analytics.domain.
domain
Google Analytics domain. If Google Analytics is desired, set both login.analytics.code and login.analytics.domain.
asset_base_url
Base URL for static assets; allows custom styling of the login server. Use '/resources/pivotal' for Pivotal style.
- Default
/resources/oss
branding
company_name
This name is used on the UAA pages and in account management related communication from the UAA.
footer_legal_text
This text appears in the footer of all UAA pages.
footer_links
These links appear in the footer of all UAA pages. You may add multiple URLs for things like Support, Terms of Service, etc.
- Example
linkDisplayName: linkDisplayUrl
product_logo
A base64 encoded PNG image which will be used as the logo on all UAA pages such as Login, Sign Up, etc.
square_logo
A base64 encoded PNG image which will be used as the favicon for the UAA pages.
entity_id
Deprecated. Use login.saml.entityid.
home_redirect
URL for configuring a custom home page.
idpDiscoveryEnabled
IDP discovery should be set to true if you have configured more than one identity provider for the UAA. The discovery relies on an email domain being set for each additional provider.
- Default
false
ldap
localPasswordCompare
Deprecated. Use uaa.ldap.localPasswordCompare. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
- Default
"true"
passwordAttributeName
Deprecated. Use uaa.ldap.passwordAttributeName. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
- Default
userPassword
passwordEncoder
Deprecated. Use uaa.ldap.passwordEncoder. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
- Default
org.cloudfoundry.identity.uaa.login.ldap.DynamicPasswordComparator
profile_type
Deprecated. Use uaa.ldap.profile_type. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
searchBase
Deprecated. Use uaa.ldap.searchBase. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
- Default
""
searchFilter
Deprecated. Use uaa.ldap.searchFilter. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
- Default
cn={0}
sslCertificate
Deprecated. Use uaa.ldap.sslCertificate. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
sslCertificateAlias
Deprecated. Use uaa.ldap.sslCertificateAlias. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
url
Deprecated. Use uaa.ldap.url. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
userDN
Deprecated. Use uaa.ldap.userDN. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
userDNPattern
Deprecated. Use uaa.ldap.userDNPattern. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
userPassword
Deprecated. Use uaa.ldap.userPassword. The login.ldap prefix is kept for backwards compatibility, to enable LDAP from the login config.
links
A hash of home/passwd/signup URLs (see the commented examples below).
passwd
URL for requesting a password reset.
- Default
/forgot_password
signup
URL for requesting to sign up/register for an account.
- Default
/create_account
logout
redirect
parameter
disable
When set to false, the redirect parameter of /logout.do is honoured, which lets an operator expose an open redirect on the UAA (/logout.do?redirect=google.com). With the default of true, no open redirect is enabled.
- Default
true
whitelist
A list of URLs. When this list is non-null (including empty) and disable=false, logout redirects are allowed but limited to the whitelisted URLs. If the redirect parameter value is not whitelisted, the redirect goes to the default URL.
url
The Location of the redirect header following a logout of the UAA (/logout.do).
- Default
/login
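As an added illustration (not the UAA's own code) of how the three login.logout.redirect properties above combine, the following Python resolves a /logout.do redirect the way the descriptions specify; the exact-string whitelist comparison and the function names are assumptions.

```python
# Added example: models the login.logout.redirect.parameter.disable /
# .whitelist and login.logout.redirect.url semantics described on this page.
# Not the UAA's own implementation; whitelist entries are compared as exact
# strings here, which is an assumption about how the UAA matches them.

DEFAULT_LOGOUT_URL = "/login"  # page default for login.logout.redirect.url


def resolve_logout_redirect(requested, disable=True, whitelist=None,
                            default_url=DEFAULT_LOGOUT_URL):
    """Return the Location the UAA would send after /logout.do.

    requested   -- value of the ?redirect= parameter, or None if absent
    disable     -- login.logout.redirect.parameter.disable (page default true)
    whitelist   -- login.logout.redirect.parameter.whitelist; None means unset,
                   an empty list means "set, but allows nothing"
    default_url -- login.logout.redirect.url (page default /login)
    """
    # disable=true (the default): the parameter is ignored, no open redirect.
    if disable or requested is None:
        return default_url
    # A non-null whitelist (even an empty one) restricts the redirect to the
    # listed URLs; anything else falls back to the default URL.
    if whitelist is not None:
        return requested if requested in whitelist else default_url
    # disable=false with no whitelist: the page calls this an open redirect.
    return requested


def logout_redirect_exposure(parameter_cfg):
    """Classify a login.logout.redirect.parameter block for a config review.

    Returns 'closed' (parameter disabled), 'whitelisted' (restricted) or
    'open' (redirect parameter honoured with no whitelist at all).
    """
    if parameter_cfg.get("disable", True):
        return "closed"
    return "whitelisted" if parameter_cfg.get("whitelist") is not None else "open"
```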
messages
A nested or flat hash of messages that the login server uses to display UI messages. This will be flattened into a java.util.Properties file. The example below leads to four properties, where the key is the concatenated path delimited by dots, for example scope.tokens.read=message.
- Example
messages:
  scope:
    tokens:
      read: View details of your approvals you have granted to this and other applications
      write: Cancel the approvals like this one that you have granted to this and other applications
  scope.tokens.read: View details of your approvals you have granted to this and other applications
  scope.tokens.write: Cancel the approvals like this one that you have granted to this and other applications
notifications
url
The URL for the notifications service (configure to use the Notifications Service instead of an SMTP server).
oauth
providers
Contains a hash of OpenID Connect/OAuth identity providers. The key will be used as the origin key for that provider, followed by key/value pairs. Presence of userInfoUrl marks it as an OpenID provider instead of OAuth.
- Example
my-oauth-provider:
  addShadowUserOnLogin: true
  attributeMappings:
    external_groups:
      - <attribute holding roles or group memberships in the OIDC id_token>
      - <other attribute holding roles or group memberships in the OIDC id_token>
    family_name: <Attribute holding family name in the OIDC ID Token>
    given_name: <Attribute holding given name in the OIDC ID Token>
    user:
      attribute:
        name-of-attribute-in-uaa-id-token: name-of-attribute-in-provider-token
        name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-provider-token
    user_name: <Attribute holding username in the OIDC ID Token>
  authUrl: <URL to the authorize endpoint of the provider>
  linkText: My Oauth Provider
  relyingPartyId: <OIDC Client ID>
  relyingPartySecret: <OIDC Client secret>
  scopes:
    - openid
    - <other scope>
  showLinkText: true
  skipSslValidation: false
  tokenKey: <Token verification key>
  tokenKeyUrl: <URL for token verification. Will be used if tokenKey is not specified.>
  tokenUrl: <URL to the token endpoint of the provider>
  type: oidc1.0
prompt
password
text
The text used to prompt for a password during login.
- Default
Password
username
text
The text used to prompt for a username during login.
- Default
protocol
Scheme to use for HTTP communication (http/https).
- Default
https
saml
assertionConsumerIndex
Deprecated. Use login.saml.providers list objects.
- Default
1
entity_base_url
The URL to which SAML identity providers will post assertions. If set, it overrides the default. This URL should NOT include the scheme (the http:// or https:// prefix), just the hostname; the scheme is derived from the login.protocol property. The default value is #{uaa.url}.replaceFirst('uaa','login'), typically login.example.com. The UAA will display this link in the cf --sso call if there is a SAML provider enabled.
entityid
This is used as the SAML Service Provider Entity ID. Each zone has a unique entity ID. Zones other than the default zone derive their entity ID from this setting by prefixing it with the subdomain.
idpEntityAlias
Deprecated. Use login.saml.providers list objects.
idpMetadataURL
Deprecated. Use login.saml.providers list objects.
idp_metadata_file
Deprecated. Use login.saml.providers list objects.
metadataTrustCheck
Deprecated. Use login.saml.providers list objects.
- Default
true
nameidFormat
Deprecated. Use login.saml.providers list objects.
- Default
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
providers
Contains a hash of SAML identity providers. The key is the IDP alias, followed by key/value pairs. To learn more about how to set up a SAML identity provider, go to https://simplesamlphp.org
- Example
my-identity-provider:
  assertionConsumerIndex: 0
  groupMappingMode: AS_SCOPES
  iconUrl: https://my.identityprovider.com/icon.png
  idpMetadata: http://my.identityprovider.com/saml2/idp/metadata.php
  linkText: Log in with My Saml Identity Provider
  metadataTrustCheck: false
  nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  showSamlLoginLink: true
  signMetaData: false
  signRequest: false
serviceProviderCertificate
Service provider certificate, as a PEM block.
serviceProviderKey
Private key for the service provider certificate, as a PEM block.
serviceProviderKeyPassword
Password protecting the service provider private key.
- Example
""
signMetaData
Global property to sign local/SP metadata.
- Default
true
signRequest
Global property to sign local/SP requests.
- Default
true
socket
connectionManagerTimeout
Timeout in milliseconds for connection pooling for SAML metadata HTTP requests.
- Default
10000
soTimeout
Read timeout in milliseconds for SAML metadata HTTP requests.
- Default
10000
wantAssertionSigned
Global property to request that external IDPs sign their SAML assertions before sending them to the UAA.
- Default
false
self_service_links_enabled
Enable self-service account creation and password reset links.
signups_enabled
Deprecated. Use login.self_service_links_enabled. Instructs the UAA to enable the account creation flow. Enabled by default.
- Default
true
smtp
SMTP server configuration, for password reset emails etc.
from_address
SMTP from address.
host
SMTP server host address.
- Default
localhost
password
SMTP server password.
port
SMTP server port.
- Default
2525
user
SMTP server username.
tiles
A list of links to other services to show on the landing page after log in.
uaa_base
Deprecated. Use uaa.url for setting the location of UAA.
url
Set if you have an external login server. The UAA's email service uses this link when creating links, and the UAA uses it as the base domain for internal hostnames so that the subdomain can be detected. This defaults to the uaa.url property and, if that is not set, to login.
uaa
admin
client_secret
Secret of the admin client: a client named admin with uaa.admin as an authority.
authentication
policy
countFailuresWithinSeconds
Number of seconds within which lockoutAfterFailures failures must occur for the account to be locked.
- Default
1200
global
  countFailuresWithinSeconds
  Number of seconds within which lockoutAfterFailures failures must occur for the account to be locked.
  - Default
  3600
  lockoutAfterFailures
  Number of allowed failures before the account is locked.
  - Default
  5
  lockoutPeriodSeconds
  Number of seconds to lock out an account when lockoutAfterFailures is exceeded.
  - Default
  300
lockoutAfterFailures
Number of allowed failures before the account is locked.
- Default
5
lockoutPeriodSeconds
Number of seconds to lock out an account when lockoutAfterFailures is exceeded.
- Default
300
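To make the interplay of the three lockout properties above concrete, here is an added sliding-window model (not the UAA's own implementation) using the page's default-zone values; clearing the failure history once a lock is applied is an assumption.

```python
# Added example: a sliding-window account lockout following the
# uaa.authentication.policy properties on this page (lockoutAfterFailures,
# countFailuresWithinSeconds, lockoutPeriodSeconds). Illustration only, not
# the UAA's own code; resetting the failure history after a lockout is an
# assumption. Defaults are the default-zone values listed on this page.
from collections import deque


class LockoutPolicy:
    def __init__(self, lockout_after_failures=5,
                 count_failures_within_seconds=1200,
                 lockout_period_seconds=300):
        self.after = lockout_after_failures
        self.window = count_failures_within_seconds
        self.period = lockout_period_seconds
        self._failures = {}      # user -> deque of failure timestamps (seconds)
        self._locked_until = {}  # user -> second at which the lock expires

    def is_locked(self, user, now):
        """True while a lockout period for `user` is still running."""
        return self._locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Register a failed login at time `now`; return True if the account is now locked."""
        q = self._failures.setdefault(user, deque())
        q.append(now)
        # Only failures inside the countFailuresWithinSeconds window count.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.after:
            self._locked_until[user] = now + self.period
            q.clear()  # assumption: start a fresh window after locking
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure history for the user."""
        self._failures.pop(user, None)
```

With the global window of 3600 seconds the same spread of failures locks the account, whereas the default-zone window of 1200 seconds does not, which is the difference the two countFailuresWithinSeconds entries express.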
catalina_opts
The options used to configure Tomcat.
- Default
-Xmx768m -XX:MaxPermSize=256m
client
autoapprove
Deprecated.
- Default
- login
- support-signon
clients
List of OAuth2 clients that the UAA will be bootstrapped with.
- Example
login:
  app-icon: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAD1BMVEWZttQvMDEoKisqKywAAAApvvoVAAAAGElEQVQYlWNgYUQBLAxMDCiAeXgLoHsfAD03AHOyfqy1AAAAAElFTkSuQmCC
  app-launch-url: http://myloginpage.com
  authorities: test_resource.test_action
  authorized-grant-types: authorization_code,client_credentials,refresh_token
  autoapprove: true
  id: login
  override: true
  redirect-uri: http://login.example.com
  scope: test_resource.test_action
  secret: some-secret
  show-on-homepage: true
database
abandoned_timeout
Timeout in seconds for the longest running queries. Take DB migrations into account for this timeout, as they may run for a long period of time.
- Default
300
case_insensitive
Set to true if you don't want to use LOWER() SQL functions in search queries/filters, because you know that your DB is case insensitive. If this property is null, it will be set to true if the UAA DB is MySQL and false otherwise, but even on MySQL you can override it by setting it explicitly to false.
log_abandoned
Whether connections that are forcibly closed should be logged.
- Default
true
max_connections
The maximum number of open connections to the DB from a running UAA instance.
- Default
100
max_idle_connections
The maximum number of open idle connections to the DB from a running UAA instance.
- Default
10
remove_abandoned
True if connections that are left open longer than abandoned_timeout seconds during a session (the time between borrow and return from the pool) should be forcibly closed.
- Default
false
disableInternalAuth
Disables internal user authentication.
- Default
false
disableInternalUserManagement
Disables the UI and API for internal user management.
- Default
false
dump_requests
When set to true, dumps UAA requests to uaa.log.
- Default
false
issuer
The URL to use as the issuer URI.
jwt
claims
exclude
List of claims to exclude from the JWT-based OAuth2 tokens.
- Example
- authorities
policy
accessTokenValiditySeconds
The access token validity for the default zone if nothing is configured on the client. Will override global validity policies for the default zone only.
- Default
43200
active_key_id
The ID of the JWT signing key to be used when signing tokens.
- Example
key-1
global
  accessTokenValiditySeconds
  The global access token validity for all zones if nothing is configured on the client.
  - Default
  43200
  refreshTokenValiditySeconds
  The global refresh token validity for all zones if nothing is configured on the client.
  - Default
  2592000
keys
Map of key IDs and signing keys, each defined with a property signingKey.
- Example
key-1:
  signingKey: |+
    -----BEGIN RSA PRIVATE KEY-----
    (PEM key body omitted)
    -----END RSA PRIVATE KEY-----
refreshTokenValiditySeconds
The refresh token validity for the default zone if nothing is configured on the client. Will override global validity policies for the default zone only.
- Default
2592000
revocable
Set to true if you wish even JWT tokens to become individually revocable and stored in the UAA token storage. This setting applies to the default zone only.
- Default
false
signing_key
The key used to sign the JWT-based OAuth2 tokens.
verification_key
The key used to verify JWT-based OAuth2 tokens.
ldap
attributeMappings
Specifies how UAA user attributes map to LDAP attributes. given_name, family_name and phone_number are UAA user attributes; other attributes should be included using the prefix user.attribute.
- Example
family_name: sn
given_name: givenName
phone_number: telephoneNumber
user.attribute.name-of-attribute-in-uaa-id-token: name-of-attribute-in-ldap-record
user.attribute.name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-ldap-record
emailDomain
Sets the whitelist of email domains that the LDAP identity provider handles.
- Example
- whitelist-domain1.org
- whitelist-domain2.org
enabled
Set to true to enable LDAP.
- Default
false
externalGroupsWhitelist
Whitelist of external groups from LDAP that get added as roles in the ID token.
- Example
- admin
- user
groups
autoAdd
Set to true when profile_type=groups_as_scopes to auto-create scopes for a user. Ignored for other profiles.
- Default
"true"
groupRoleAttribute
Used with groups-as-scopes; defines the attribute that holds the scope name(s).
- Default
spring.security.ldap.dn
groupSearchFilter
Search query filter to find the groups a user belongs to or, for a nested search, the groups that a group belongs to.
- Default
member={0}
maxSearchDepth
The number of levels a nested group search should go. Set to 1 to disable nested groups (the default).
- Default
"1"
profile_type
What type of group integration should be used. Values are: 'no-groups', 'groups-as-scopes', 'groups-map-to-scopes'.
- Default
no-groups
searchBase
Search start point for a user group membership search.
- Default
""
searchSubtree
Boolean value; set to true to search below the search base.
- Default
"true"
localPasswordCompare
Used with search-and-compare only. Set to true if passwords are retrieved by the search and should be compared in the login server.
- Default
"true"
mailAttributeName
The name of the LDAP attribute that contains the user's email address.
- Default
mailSubstitute
Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication.
- Default
""
mailSubstituteOverridesLdap
Set to true if you wish to override an LDAP user's email address with a generated one.
- Default
false
passwordAttributeName
Used with search-and-compare only. The name of the password attribute in the LDAP directory.
- Default
userPassword
passwordEncoder
Used with search-and-compare only. The encoder used to encode the user password so that it matches the one in the LDAP directory.
- Default
org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator
profile_type
The file to be used for configuring the LDAP authentication. Options are: 'simple-bind', 'search-and-bind', 'search-and-compare'.
- Default
search-and-bind
referral
Configures the UAA LDAP referral behavior. The following values are possible:
- follow -> referrals are followed
- ignore -> referrals are ignored and the partial result is returned
- throw -> an error is thrown and the authentication is aborted
Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
- Default
follow
searchBase
Used with search-and-bind and search-and-compare. Defines the base where the search starts.
- Default
""
searchFilter
Used with search-and-bind and search-and-compare. The search filter used; takes one parameter, the user ID, defined as {0}.
- Default
cn={0}
ssl
skipverification
Set to true and the LDAPS connection will not validate the server certificate.
- Default
false
sslCertificate
Used with ldaps:// URLs. The certificate, if self-signed, to be trusted by this connection.
sslCertificateAlias
Used with ldaps:// URLs. The certificate alias, to be trusted by this connection and stored in the keystore.
url
The URL of the LDAP server; must start with ldap:// or ldaps://.
userDN
Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permission to search the LDAP tree for user information.
userDNPattern
Used with simple-bind only. A semicolon-separated list of DN patterns used to construct a DN directly from the user ID without performing a search.
userDNPatternDelimiter
The delimiter character between user DN patterns for simple-bind authentication.
- Default
;
userPassword
Used with search-and-bind and search-and-compare. Password for the LDAP ID that searches the LDAP tree for user information.
logging_level
Set the UAA logging level (e.g. TRACE, DEBUG, INFO).
- Default
DEBUG
logging_use_rfc3339
Sets the time format for log messages to yyyy-MM-dd'T'HH:mm:ss.SSSXXX instead of yyyy-MM-dd HH:mm:ss.SSS.
- Default
false
login
client_secret
Default login client secret, if no login client is defined.
newrelic
To enable New Relic monitoring, the sub-elements of this property will be placed in a configuration file called newrelic.yml in the job's config directory. The syntax must adhere to the documentation at https://docs.newrelic.com/docs/agents/java-agent/configuration/java-agent-configuration-config-file. The JVM option -javaagent:/path/to/newrelic.jar will be added to Apache Tomcat's startup script. Enabling the New Relic agent in the UAA is triggered by the property uaa.newrelic.common.license_key, which must be set.
password
policy
expirePasswordInMonths
Number of months after which the current password expires.
- Default
0
global
  expirePasswordInMonths
  Number of months after which the current password expires.
  - Default
  0
  maxLength
  Maximum number of characters a password may have to be considered valid.
  - Default
  255
  minLength
  Minimum number of characters required for a password to be considered valid.
  - Default
  0
  requireDigit
  Minimum number of digits required for a password to be considered valid.
  - Default
  0
  requireLowerCaseCharacter
  Minimum number of lowercase characters required for a password to be considered valid.
  - Default
  0
  requireSpecialCharacter
  Minimum number of special characters required for a password to be considered valid.
  - Default
  0
  requireUpperCaseCharacter
  Minimum number of uppercase characters required for a password to be considered valid.
  - Default
  0
maxLength
Maximum number of characters a password may have to be considered valid.
- Default
255
minLength
Minimum number of characters required for a password to be considered valid.
- Default
0
requireDigit
Minimum number of digits required for a password to be considered valid.
- Default
0
requireLowerCaseCharacter
Minimum number of lowercase characters required for a password to be considered valid.
- Default
0
requireSpecialCharacter
Minimum number of special characters required for a password to be considered valid.
- Default
0
requireUpperCaseCharacter
Minimum number of uppercase characters required for a password to be considered valid.
- Default
0
port
Port that the UAA will accept connections on.
- Default
8080
proxy
servers
Array of the router IPs acting as the first group of HTTP/TCP backends. These will be added to proxy_ips_regex as exact matches. When using spiff, these will be the router_z1 and router_z2 static IPs from cf-jobs.yml.
- Default
[]
proxy_ips_regex
A pipe-delimited set of regular expressions of IP addresses that are considered reverse proxies. When a request from one of these IP addresses comes in, the x-forwarded-for and x-forwarded-proto headers will be respected. If uaa.restricted_ips_regex is set, it will be appended to this list for backwards compatibility purposes. If spiff has been used and templates/cf-jobs.yml was included to generate the manifest, this list will automatically contain the router IP addresses.
- Default
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
require_https
Requires that the request came in on a secure connection. Expects the load balancer/proxy to set the proper headers (x-forwarded-for, x-forwarded-proto).
- Default
true
restricted_ips_regex
A pipe-delimited set of regular expressions of IP addresses that can reach the listening HTTP port of the server.
- Default
10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
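The following added Python (not the UAA's own code) shows how uaa.proxy_ips_regex, uaa.proxy.servers and uaa.require_https decide whether the X-Forwarded-* headers of a request are trusted, using the default regex from this page; full-match semantics for each alternative and taking only the first X-Forwarded-For entry are assumptions.

```python
# Added example: how the uaa.proxy_ips_regex / uaa.proxy.servers / require_https
# properties on this page decide whether X-Forwarded-* headers are trusted.
# Illustration only, not the UAA's own code. Assumptions: each alternative of
# the pipe-delimited regex must match the whole peer address (fullmatch), and
# only the first X-Forwarded-For entry is taken as the client address.
import re

# Default uaa.proxy_ips_regex from this page (RFC 1918, link-local, loopback).
DEFAULT_PROXY_IPS_REGEX = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}"
    r"|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"
)


def build_proxy_matcher(proxy_ips_regex=DEFAULT_PROXY_IPS_REGEX, proxy_servers=()):
    """Compile the regex list plus uaa.proxy.servers entries (added as exact matches)."""
    alternatives = [p for p in proxy_ips_regex.split("|") if p]
    alternatives += [re.escape(ip) for ip in proxy_servers]
    pattern = re.compile("|".join(f"(?:{p})" for p in alternatives))
    # fullmatch: an unanchored search would also accept "10.0.0.1.example".
    return lambda peer: pattern.fullmatch(peer) is not None


def effective_request(peer, headers, is_proxy, transport_scheme="http"):
    """Return (client_ip, scheme) the UAA should act on for one request.

    peer: TCP peer address; headers: dict keyed by lower-case header name;
    transport_scheme: scheme of the connection the UAA itself terminated.
    X-Forwarded-For / X-Forwarded-Proto are respected only when the peer
    matches proxy_ips_regex; from anyone else they are ignored as forgeable.
    """
    if not is_proxy(peer):
        return peer, transport_scheme
    xff = headers.get("x-forwarded-for", "")
    client = xff.split(",")[0].strip() if xff.strip() else peer
    scheme = headers.get("x-forwarded-proto", transport_scheme)
    return client, scheme


def accepts(peer, headers, is_proxy, require_https=True):
    """Apply uaa.require_https (page default true) to the effective scheme."""
    _, scheme = effective_request(peer, headers, is_proxy)
    return scheme == "https" or not require_https
```

A client outside the regex that sets x-forwarded-proto: https itself is still treated as plain HTTP, which is why require_https only works when the proxies in front of the UAA are the ones in proxy_ips_regex.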
scim
external_groups
External group mappings, formatted either as an OpenStruct or as a list of pipe-separated specifications. The list format is deprecated. As an OpenStruct, the mapping additionally specifies an origin to which the mapping is applied:
origin1:
  external_group1:
    - internal_group1
    - internal_group2
    - internal_group3
  external_group2:
    - internal_group2
    - internal_group4
origin2:
  external_group3:
    - internal_group3
    - internal_group4
    - internal_group5
As a list, each entry consists of the following (the origin defaults to ldap in this case):
- internal_group_name|space_delimited_external_groups another_group another_group_etc
groups
Contains a hash of group names and their descriptions. These groups will be added to the UAA database for the default zone but not associated with any user. Example:
uaa:
  scim:
    groups:
      my-test-group: 'My test group description'
      another-group: 'Another group description'
Deprecated format (still supported, but may be removed in the future): a comma-separated list of groups that should be added to the UAA DB, but not assigned to a user by default.
user
override
If true, override users defined in uaa.scim.users that are found in the database.
- Default
true
userids_enabled
Enables the /ids/Users endpoint, which allows consumers to translate user IDs to names.
- Default
true
users
A list of users to be bootstrapped with authorities. Each entry supports one of the following formats:
Short pipe: username|password|comma,separated,groups
Long pipe: username|password|email|firstName|lastName|comma,separated,groups|origin
Short OpenStruct:
- name: username
  password: password
  groups:
    - group1
    - group2
Long OpenStruct:
- name: username
  password: password
  groups:
    - group1
    - group2
  firstName: first name
  lastName: lastName
  email: email
  origin: origin-value (most commonly uaa)
- Example
- marissa|koala|[email protected]|Marissa|Bloggs
servlet
session-cookie
Optional configuration of the UAA session cookie. Defaults are the following key/value pairs:
secure: <(boolean) this value if set, otherwise require_https>
http-only: <(boolean) default true; sets the HttpOnly flag on the cookie>
max-age: <(int) lifetime in seconds of the cookie; default 30 minutes>
name: <(String) name of the cookie; default JSESSIONID>
comment: <(String) optional comment in the cookie>
path: <(String) path for the cookie; default />
domain: <(String) domain for the cookie; default is the incoming request domain>
ssl
port
If this property is set, Tomcat will listen on this port and expect HTTPS traffic. If null, Tomcat will not listen on this port.
- Default
8443
protocol_header
The header to look for to determine whether SSL termination was performed by a front end load balancer.
- Default
x-forwarded-proto
sslCertificate
The server's SSL certificate, as a PEM block. The default is a self-signed certificate and should always be replaced for production deployments.
- Default
""
sslPrivateKey
The server's SSL private key, as a PEM block. Only passphrase-less keys are supported.
- Default
""
url
The base URL of the UAA.
user
authorities
Contains a list of the default authorities/scopes assigned to a user.
- Default
- openid
- scim.me
- cloud_controller.read
- cloud_controller.write
- cloud_controller_service_permissions.read
- password.write
- uaa.user
- approvals.me
- oauth.approvals
- notification_preferences.read
- notification_preferences.write
- profile
- roles
- user_attributes
zones
internal
hostnames
A list of hostnames that are routed to the UAA, specifically the default zone in the UAA. The UAA will reject any Host header that it doesn't recognize. By default the UAA recognizes:
- the hostname from the property uaa.url
- the hostname from the property login.url
- localhost (in order to accept health checks)
Any hostnames added as a list are additive to the default hostnames allowed.
- Example
- hostname1
- hostname2.localhost
- hostname3.example.com
uaadb
address
The UAA database IP address.
databases
The list of databases used in the UAA database, including tag/name.
db_scheme
Database scheme for the UAA DB.
port
The UAA database port.
roles
The list of database roles used in the UAA database, including tag/name/password.
Templates
Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/uaa/ directory.
bin/dns_health_check (from dns_health_check.erb)
bin/health_check (from health_check)
bin/install_crt (from install_crt)
bin/install_uaa_crt (from install_uaa_crt)
bin/post-start (from post-start)
bin/pre-start (from pre-start)
bin/uaa_ctl (from uaa_ctl.erb)
config/ldap.crt (from ldap.crt.erb)
config/log4j.properties (from log4j.properties.erb)
config/login.yml (from login.yml.erb)
config/messages.properties (from messages.properties.erb)
config/newrelic.yml (from newrelic.yml.erb)
config/tomcat/logging.properties (from tomcat.logging.properties)
config/tomcat/server.xml (from tomcat.server.xml.erb)
config/uaa.crt (from uaa.crt.erb)
config/uaa.yml (from uaa.yml.erb)
config/varz.log4j.properties (from varz.log4j.properties)
config/varz.yml (from varz.yml)
Packages
Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.