You can integrate Tanzu SSO with an external identity. When you test accessing your application and you noticed that the scopes returned is not what is expected you can use UAA endpoints to check on query scopes on specific users or client.

You can use the UAA endpoints to get scope details for troubleshooting SSO issues:

1. login using your uaac cli

uaac target uaa.UAA-DOMAIN --skip-ssl-validation
uaac token client get admin -s ADMIN-CLIENT-SECRET

2. Determine your subdomain

uaac curl -k "/identity-zones"

3. Use the following UAA endpoint to query User or Client Scopes

Scope details for users

• Listing all User details which include user ids and scope on specific subdomain

uaac curl -k "/Users" -H "X-Identity-Zone-Subdomain:<sub-domain>"

• Listing a User detail with specific user id within a subdomain

uaac curl -k "/Users/<user-id>" -H "X-Identity-Zone-Subdomain:<sub-domain>"

• Listing a User detail with specific username within a subdomain

uaac curl -H "X-Identity-Zone-Subdomain:<sub-domain>" "/Users?filter=username+eq+%22<username>%22"

Getting scope details for clients

• Listing all client details within a subdomain

uaac curl -k "/oauth/clients" -H "X-Identity-Zone-Subdomain:<sub-domain>"

• Listing a client details within a subdomain

uaac curl -k "/oauth/clients" -H "X-Identity-Zone-Subdomain:<sub-domain>"