forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathexternal-user-management.html.md.erb
70 lines (46 loc) · 4.87 KB
/
external-user-management.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
---
title: Adding Existing SAML or LDAP Users to a Pivotal Cloud Foundry Deployment
owner: Identity
---
<strong><%= modified_date %></strong>
This topic describes the procedure for adding existing SAML or LDAP users to a [Pivotal Cloud Foundry](https://network.pivotal.io/products/pivotal-cf) (PCF) deployment enabled with SAML or LDAP.
<p class='note'><strong>Note</strong>: You must have admin access to the PCF Ops Manager Installation Dashboard for your deployment to complete the procedure described in this topic.
</p>
## <a id='add-users'></a>Step 1: Add SAML or LDAP Users ##
<p class='note'><strong>Note</strong>: Do not create new users in <%= vars.product_full %> using the Cloud Foundry Command Line Interface (cf CLI), by UAAC, or by using invitations in Apps Manager. Doing so creates a user identity in the internal user store, separate from the SAML or LDAP user identity. Instead, follow the procedure described below.</p>
Two ways exist to add existing SAML or LDAP users to your PCF deployment:
- In bulk, using the UAA Bulk Import Tool. See [the UAA Users Import README](https://github.com/pivotalservices/uaausersimport/blob/master/README.md) for instructions on installing and using the tool.
- Individually, through the cf CLI, as described below:
1. Each existing SAML or LDAP user must log in to Apps Manager or to the cf CLI using their SAML (by entering `cf login --sso`) or LDAP credentials. Users will not have access to any org or space until these are granted by an Org or Space Manager.
1. The PCF Admin must log in to the cf CLI and associate the user with the desired org and space roles. See [Org and App Space Roles](../adminguide/cli-user-management.html#orgs-spaces).
### <a id='enterprise'></a> <strong>(Advanced Option)</strong> Integrate with Enterprise Identity Management System ###
If your organization uses an Enterprise Identity Management System for centralized provisioning and deprovisioning of users, you can use the [Users API](http://apidocs.cloudfoundry.org/<%= vars.api_version %>/users/creating_a_user.html) and [Organizations API](http://apidocs.cloudfoundry.org/<%= vars.api_version %>/organizations/associate_user_with_the_organization.html) to write a connector to manage users and permissions in <%= vars.product_full %>.
## <a id='step-id'></a>Step 2: Create User ##
1. Run the command below to create the user in UAA. Replace 'EXAMPLE-USERNAME' with the username of the SAML or LDAP user you wish to add.
- For LDAP, set user `origin` to `ldap`.
<pre class='terminal'>
$ uaac curl -H "Content-Type: application/json" -k /Users -X POST -d '{"userName":"EXAMPLE-USERNAME", "emails":[{"value":"EXAMPLE-USERNAME<span>@</span>test.com"}], "origin":"ldap","externalId":"cn=EXAMPLE-USERNAME,ou=Users,dc=test,dc=com"}'
</pre>
- For SAML, set user `origin` to the SAML identity provider name [set in](../opsguide/auth-sso.html#configure-pcf-for-saml) the Elastic Runtime tile under **Authentication and Enterprise SSO**.
<pre class='terminal'>
$ uaac curl -H "Content-Type: application/json" -k /Users -X POST -d '{"userName":"EXAMPLE-USERNAME", "emails":[{"value":"EXAMPLE-USERNAME<span>@</span>test.com"}], "origin":"YOUR-SAML-PROVIDER","externalId":"EXAMPLE-USERNAME"}'
</pre>
1. Use the [Users API](http://apidocs.cloudfoundry.org/<%= vars.api_version %>/users/creating_a_user.html) to create a User record in the Cloud Controller Database with the existing user's SAML or LDAP GUID.
<pre class='terminal'>
$ curl "<span>https:</span>//api.YOUR-DOMAIN/v2/users" -d '{
"guid": "YOUR-USER-GUID"
}' -X POST \
-H "Authorization: bearer YOUR-BEARER-TOKEN" \
-H "Host: YOUR-HOST-URL" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Cookie: "
</pre>
## <a id='prov-user'></a>Step 3: Provide User Access to Orgs ##
Use the [Organizations API](http://apidocs.cloudfoundry.org/<%= vars.api_version %>/organizations/associate_user_with_the_organization.html) to associate the user with the appropriate orgs in your <%= vars.product_full %> deployment.
## <a id='user-role'></a>Step 4: Associate User with Space or Org Role ##
You can grant Space and Org roles to users using the following API calls:
- [Associate an Auditor with a Space](http://apidocs.cloudfoundry.org/<%= vars.api_version %>/spaces/associate_auditor_with_the_space.html)
- [Associate a Developer with a Space](http://apidocs.cloudfoundry.org/<%= vars.api_version %>/spaces/associate_developer_with_the_space.html)
- [Associate a Manager with a Space](http://apidocs.cloudfoundry.org/<%= vars.api_version %>/spaces/associate_manager_with_the_space.html)
- [Associate an Auditor with a Organization](http://apidocs.cloudfoundry.org/<%= vars.api_version %>/organizations/associate_auditor_with_the_organization.html)
- [Associate a Manager with a Organization](http://apidocs.cloudfoundry.org/<%= vars.api_version %>/organizations/associate_manager_with_the_organization.html)