When Tanzu Application Service -> Authentication and SSO is configured to use an external SAML provider with two-factor authentication (2FA) enabled, users usually need to obtain an SSO code and provide it at login. This KB discusses options for achieving seamless interaction in a continuous integration and continuous delivery/deployment (CI/CD) model.
Tanzu Application Service configured to use SAML with 2FA
Here are 2 options to try:
Option 1:
cf login -a <api> -u <username> -p <password> --sso-passcode <sso-code>
Once you obtain an SSO code from your SAML provider, you can supply it to cf login with the --sso-passcode argument. This option can be challenging because it still requires extra work/code to get the SSO code and pass it on as an argument. Another challenge is timing: the SSO code is valid only for a short period of time and can expire quickly.
Option 2:
cf auth <CLIENT_ID> <CLIENT_SECRET> --client-credentials
This is a better option for machine-to-machine communication.
1. To get a client to use here, have your administrator create a client in UAA with the client credentials grant type. Log in to uaac using the admin account; for more info please see here
2. Then create a new client
uaac client add --name <new-client-name> --scope <scope> --authorized_grant_types client_credentials
3. Log in with an admin account
cf login -a <api> -u <username> -p <password>
4. Allow the client to access the org with the --client flag
cf set-org-role <new-client-name> <org> <role> --client
5. Allow the client to access the space with the --client flag
cf set-space-role <new-client-name> <org> <space> <role> --client
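
Added example, not part of the original KB: a CI helper that logs in with the client created in Option 2. The function name cf_ci_login and the variables CF_API, CF_CLIENT_ID, CF_CLIENT_SECRET, CF_ORG and CF_SPACE are assumptions; it hands the credentials to cf auth through the CF_USERNAME and CF_PASSWORD environment variables listed in the cf auth help text, so the secret stays out of the command's argument list.

```shell
#!/bin/sh
# Added example: non-interactive cf login for a CI job using a UAA client
# with the client_credentials grant (Option 2).
# Assumed inputs, to be populated from the CI secret store:
#   CF_API, CF_CLIENT_ID, CF_CLIENT_SECRET, CF_ORG, CF_SPACE

cf_ci_login() {
    # Fail closed: refuse to run if any required value is missing or empty.
    # eval is applied only to this fixed list of variable names.
    for _cfl_name in CF_API CF_CLIENT_ID CF_CLIENT_SECRET CF_ORG CF_SPACE; do
        eval "_cfl_val=\${$_cfl_name:-}"
        if [ -z "$_cfl_val" ]; then
            echo "cf_ci_login: $_cfl_name is not set" >&2
            return 2
        fi
    done

    # Point the CLI at the foundation's API endpoint.
    cf api "$CF_API" || return 1

    # Pass the client ID and secret in the environment of this one command
    # instead of as positional arguments, so the secret is not visible in
    # the process argument list.
    CF_USERNAME="$CF_CLIENT_ID" CF_PASSWORD="$CF_CLIENT_SECRET" \
        cf auth --client-credentials || return 1

    # Target the org and space where the client was granted roles.
    cf target -o "$CF_ORG" -s "$CF_SPACE" || return 1
}
```

Call cf_ci_login at the start of the pipeline step, then run cf push or other commands; any non-zero return should fail the job.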