How to create a UAA client used for concourse pipelines in Operations Manager when SAML Authentication is enabled


Article ID: 293528


Products

Operations Manager

Cause

All existing custom UAA clients are deleted when Operations Manager is switched from internal authentication to SAML authentication. This procedure helps operators recreate custom clients with the required scopes. For more information on which scopes to choose, see https://docs.pivotal.io/pivotalcf/2-2/opsguide/config-rbac.html#about

Resolution

  • Obtain an opsman client token using a SAML user who is a member of the SAML group mapped to the Operations Manager Administrator role. This SAML group was configured on the page https://opsmgr.pivotal.io/saml_identity_provider/new.
    • Just press Enter when prompted for "Client secret:"; no secret is required. Open the passcode URL shown in the prompt in a browser as that SAML user to obtain the one-time passcode.
      • ~:> uaac token sso get
        Client ID:  opsman
        Client secret:
        Passcode (from https://opsmgr.pivotal.io/uaa/passcode):
  • Create a new client with the following attributes, which are needed to manage Operations Manager from a Concourse pipeline. With the client_credentials grant, the scope of the token UAA issues is derived from the client's authorities, so opsman.admin must be present as an authority as well as a scope.
    • Scope: opsman.admin
    • Authorized Grant Types: client_credentials
    • Authorities: opsman.admin
      • uaac client add --name new-client --scope opsman.admin --authorized_grant_types client_credentials --authorities opsman.admin
    • uaac prompts for the new client's secret. Record the client ID and secret: they are the credentials the pipeline will authenticate with, so keep them in the pipeline's credential store rather than in the pipeline definition.
  • You can test the new client by authenticating with it and calling the Operations Manager API.
    • Login with the new client
      • ~:> uaac token client get
          Client ID:  new-client
          Client secret:  ********
    • Get the new access token (the access_token field) from "uaac context" and set it in the environment variable $TOKEN
      • export TOKEN="xxxx"
    • Submit a GET request to /api/v0/deployed/products, which only reads state. (Optional) Alternatively, execute Apply Changes as in the example below; note that POST /api/v0/installations starts a full installation run, so only do this when a deploy is acceptable. For a complete API reference, navigate to the docs endpoint of your existing Operations Manager at https://opsmgr.pivotal.io/docs
      • curl -vvv -H "Authorization: Bearer $TOKEN" -k https://opsmgr.pivotal.io/api/v0/installations -X POST
    • The -k flag disables TLS certificate verification. For anything beyond a one-off manual test, pass the Operations Manager CA certificate with --cacert instead.
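The procedure above ends with a token copied by hand out of "uaac context". A Concourse task cannot do that, so the following added example (not code from this article, from Operations Manager, or from pcf-pipelines) obtains the token for the new client directly from UAA with the OAuth2 client_credentials grant, confirms that the token's scope claim really contains opsman.admin before it is used, and then makes the read-only GET /api/v0/deployed/products call over a verified TLS connection instead of curl -k. The environment variable names OPSMAN_URL, CLIENT_ID, CLIENT_SECRET and OPSMAN_CA_CERT are assumptions for the example, as is network access to Ops Manager when main() runs; the sample token at the bottom is constructed here so the inspection helpers can be exercised offline.

```python
"""Added example: client_credentials token fetch and scope check for an
Ops Manager pipeline client. Assumes (not from the article) the environment
variables OPSMAN_URL, CLIENT_ID, CLIENT_SECRET and OPSMAN_CA_CERT."""
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Inverse of b64url_decode; used only to build the offline sample token."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Fine for inspecting a token you just received from UAA over TLS; never
    use it to make an authorisation decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(b64url_decode(parts[1]))


def has_scope(token: str, required: str = "opsman.admin") -> bool:
    """True if the token's scope claim contains `required`. For a
    client_credentials grant UAA fills this claim from the client's
    authorities, which is why the article sets scope AND authorities."""
    return required in jwt_claims(token).get("scope", [])


def tls_context(ca_cert: Optional[str]) -> ssl.SSLContext:
    """Verify Ops Manager's certificate against a pinned CA bundle rather
    than switching verification off (curl -k) as the quick test above does."""
    return ssl.create_default_context(cafile=ca_cert)


def fetch_client_token(opsman_url: str, client_id: str, client_secret: str,
                       ctx: ssl.SSLContext) -> str:
    """OAuth2 client_credentials grant against the Ops Manager UAA; this is
    what `uaac token client get` performs for you."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        f"{opsman_url}/uaa/oauth/token",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        method="POST",
    )
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["access_token"]


def deployed_products(opsman_url: str, token: str, ctx: ssl.SSLContext) -> list:
    """Read-only API call: a safe smoke test that does not trigger a deploy."""
    req = urllib.request.Request(f"{opsman_url}/api/v0/deployed/products")
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed, unsigned sample token (the signature segment is a placeholder)
# so the inspection helpers can be exercised offline; a real UAA token is RS256.
SAMPLE_TOKEN = ".".join([
    b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
    b64url_encode(json.dumps({"client_id": "new-client",
                              "grant_type": "client_credentials",
                              "scope": ["opsman.admin"]}).encode()),
    "placeholder-signature",
])


def main() -> None:
    opsman_url = os.environ["OPSMAN_URL"].rstrip("/")
    ctx = tls_context(os.environ.get("OPSMAN_CA_CERT"))
    token = fetch_client_token(opsman_url, os.environ["CLIENT_ID"],
                               os.environ["CLIENT_SECRET"], ctx)
    if not has_scope(token):
        raise SystemExit("token lacks opsman.admin; check the client's authorities")
    for product in deployed_products(opsman_url, token, ctx):
        print(product["type"], product["guid"])


if __name__ == "__main__":
    main()
```

Run it inside the pipeline task with the four variables supplied from the pipeline's credential store. If has_scope() fails right after `uaac client add`, the client was created with the wrong authorities, which is exactly the mistake that otherwise surfaces later as a 403 from the Ops Manager API.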


Additional Information

  • https://github.com/pivotal-cf/pcf-pipelines/blob/ae434bea5b4e3fa2b70051aa70c885dc2fa12218/upgrade-ops-manager/README.md#saml-for-authn-on-ops-manager
  • https://docs.pivotal.io/pivotalcf/2-0/opsguide/config-rbac.html#about