Cloud Foundry UAA: Onwards and Upwards into the Cloud

August 18, 2014 Filip Hanik


I will open the floor to all crazy ideas that jump to people’s minds.

Mayor Joe Quimby

We’re back…

After two quarters of intense development by the identity management team, we are coming up for air to announce some exciting progress on new features and integration points. We are entering a period of innovation, and improving identity management is part of making Cloud Foundry the platform of choice.

In Cloud Foundry, identity management is provided by the User Account and Authentication server (UAA). The UAA authenticates users and issues OAuth2 access tokens, which let back-end services and applications act with delegated, scoped authorization.

In recent months we have added a number of noteworthy features, including:

  • Multi tenant user support
  • SAML Integration with Okta, VMware vCenter SSO and OpenAM
  • LDAP Integration
  • Wildcard scopes
  • User management
  • Paid down technical debt

Within the UAA and its UI front end, the login-server, users can originate from multiple sources and still coexist. Our first step towards multi-tenancy is to house users that originated from LDAP and SAML authentication sources alongside users managed directly by the UAA. Prefer to authenticate users through LDAP or SAML, but still need to add individual users directly to the UAA? You no longer have to choose: all three can be combined in a single installation. SAML integration has been improved and verified against both Okta and VMware's vCenter SSO module.

Directory integration has evolved from authentication only to two kinds of group integration. A Cloud Foundry system that uses LDAP as its authentication provider can either take a user's OAuth2 token scopes directly from the LDAP groups the user is a member of, or map LDAP groups to one or more scopes that are managed by the UAA. This lets an organization express Cloud Foundry permissions through group memberships in its employee directory.
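The two group profiles differ in a way that matters for access control: when group names become scope names, anyone who can create a group under the searched subtree can mint a scope such as cloud_controller.admin, so that subtree must be writable only by directory administrators and the search base must not be wider than necessary. With an explicit mapping, an LDAP group that is not in the map grants nothing. The model below is an added example, not UAA code: the directory contents, the search base and the mapping table are constructed for it, and the profile names groups-as-scopes and groups-map-to-scopes plus the search base and depth settings follow the UAA LDAP documentation as I recall it (check them against the version you run). It also shows nested (transitive) group membership resolved with a depth bound and a guard against membership cycles.

```python
"""Added example: a model of the two LDAP group profiles above (not UAA code).

Group membership is resolved transitively through nested groups, bounded by a
search depth and protected against cycles, then turned into scopes either
directly (group name == scope name) or through an explicit mapping table.
All directory data below is constructed for the example.
"""
from __future__ import annotations

# Constructed directory: group DN -> DNs listed in its "member" attribute.
LDAP_GROUPS: dict[str, list[str]] = {
    "cn=developers,ou=scopes,dc=example,dc=com": [
        "cn=alice,ou=users,dc=example,dc=com",
        "cn=platform-ops,ou=scopes,dc=example,dc=com",   # nested group
    ],
    "cn=platform-ops,ou=scopes,dc=example,dc=com": [
        "cn=bob,ou=users,dc=example,dc=com",
        "cn=developers,ou=scopes,dc=example,dc=com",     # forms a cycle with developers
    ],
    "cn=cloud_controller.admin,ou=scopes,dc=example,dc=com": [
        "cn=bob,ou=users,dc=example,dc=com",
    ],
    # Same group name, but outside the search base: must contribute nothing.
    "cn=cloud_controller.admin,ou=legacy,dc=example,dc=com": [
        "cn=mallory,ou=users,dc=example,dc=com",
    ],
}

SEARCH_BASE = "ou=scopes,dc=example,dc=com"   # assumed setting: ldap.groups.searchBase

# Assumed mapping table for groups-map-to-scopes: LDAP group DN -> UAA scopes.
EXTERNAL_GROUP_MAP: dict[str, set[str]] = {
    "cn=developers,ou=scopes,dc=example,dc=com": {"cloud_controller.read", "cloud_controller.write"},
    "cn=platform-ops,ou=scopes,dc=example,dc=com": {"scim.read"},
}


def resolve_groups(user_dn: str, search_base: str, max_depth: int) -> set[str]:
    """Every group under search_base containing user_dn, directly or via nesting."""
    found: set[str] = set()
    frontier = {user_dn}                         # DNs whose containing groups we look up next
    for _ in range(max_depth):                   # each pass is one level of nesting
        next_frontier: set[str] = set()
        for group_dn, members in LDAP_GROUPS.items():
            if not group_dn.endswith("," + search_base) or group_dn in found:
                continue                         # outside the base, or already visited (cycle guard)
            if any(m in frontier for m in members):
                found.add(group_dn)
                next_frontier.add(group_dn)
        if not next_frontier:
            break
        frontier = next_frontier
    return found


def group_cn(dn: str) -> str:
    """'cn=developers,ou=...' -> 'developers'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def user_scopes(user_dn: str, profile: str, search_base: str = SEARCH_BASE,
                max_depth: int = 10) -> set[str]:
    """Scopes a user receives under the given group profile."""
    groups = resolve_groups(user_dn, search_base, max_depth)
    if profile == "groups-as-scopes":
        return {group_cn(g) for g in groups}     # the group's name is the scope
    if profile == "groups-map-to-scopes":
        scopes: set[str] = set()
        for g in groups:
            scopes |= EXTERNAL_GROUP_MAP.get(g, set())   # unmapped groups grant nothing
        return scopes
    raise ValueError(f"unknown profile {profile!r}")
```

Running it for bob shows the difference: under groups-as-scopes he receives cloud_controller.admin because a group of that name exists under the search base, while under groups-map-to-scopes that group is unmapped and he receives only the mapped scopes; mallory, whose cloud_controller.admin group lives outside the search base, receives nothing under either profile.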

Wildcard support has been added to client scopes. A wildcard entry lets a client be registered for a whole family of related scopes with a single pattern, which opens the door to more fine-grained permissions and effective access control.
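A wildcard widens what a client may ask for, so the question a practitioner will have is exactly what a pattern matches and whether it can ever hand out a scope the user does not hold. The model below is an added example, not UAA code: it treats a '*' as exactly one dot-separated segment, an assumption modelled on later UAA releases that you should check against the version you run, and the client registration and user scopes are constructed for the example. Granted scopes are the requested ones that both match a client pattern and are held by the user.

```python
"""Added example: wildcard client scopes (a model, not UAA code).

A '*' in a client's scope entry is treated as exactly one dot-separated
segment; that rule is an assumption modelled on later UAA releases, check it
against the version you run.  Scopes actually granted to a token are the
requested scopes that match a client scope pattern and that the user holds.
"""
from __future__ import annotations
import re


def wildcard_to_regex(scope_pattern: str):
    # Escape everything ('.' becomes literal), then let each '*' match one
    # segment that contains no dot.
    escaped = re.escape(scope_pattern).replace(r"\*", r"[^.]+")
    return re.compile("^" + escaped + "$")


def scope_allowed(requested: str, client_scopes) -> bool:
    """Does any client scope entry (literal or wildcard) cover the requested scope?"""
    return any(wildcard_to_regex(p).match(requested) for p in client_scopes)


def grant_scopes(requested, client_scopes, user_scopes) -> list[str]:
    """A wildcard widens what the client may *ask* for; it never grants a scope
    the user does not already hold."""
    return sorted(s for s in requested
                  if scope_allowed(s, client_scopes) and s in user_scopes)


def wildcard_entries(client_scopes) -> list[str]:
    """Entries worth auditing in a client registration: every pattern containing '*'."""
    return [p for p in client_scopes if "*" in p]


# Constructed client registration and user for the example.
CLIENT_SCOPES = ["openid", "cloud_controller.*", "zones.*.admin"]
USER_SCOPES = {"openid", "cloud_controller.read", "scim.read"}
```

With these inputs, cloud_controller.read and cloud_controller.admin match the client pattern, cloud_controller (no segment) and cloud_controller.read.all (two segments) do not, and a token request for openid, cloud_controller.read, cloud_controller.admin and scim.read yields only openid and cloud_controller.read: admin is not held by the user, and scim.read is not covered by the client. Listing wildcard_entries across registered clients is a quick audit of which clients can request entire scope families.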

The UI has gained flexible, pluggable branding, and more and more UI is appearing around user management. The days of user management being limited to a command line tool are numbered.

Finally, the development team has worked hard on paying down technical debt. Code coverage is now over 80%, and different configuration permutations are run through CI with each commit. The build system has moved to Gradle, eliminating yet another software requirement on a developer's machine and leaving a Java Development Kit as the only requirement.

…and we’re open!

We’ve started receiving more contributions and feedback, and we’d like to encourage administrators, operators and users to keep telling us about the features your organization needs. The floor is open to all ideas, crazy or not.

For a more in-depth technical write up on LDAP integration make sure you read “UAA LDAP Integration”.
