forked from pivotal-cf/docs-pcf-install
_uaa.html.md.erb
1. Select **UAA**.
1. (Optional) Under **JWT Issuer URI**, enter the URI that UAA uses as the issuer when generating tokens.
<%= image_tag('ert_uaa_jwt_uri.png') %>
1. Under **SAML Service Provider Credentials**, enter a certificate and private key to be used by UAA as a SAML Service Provider for signing outgoing SAML authentication requests. You can provide an existing certificate and private key from your trusted Certificate Authority or generate a self-signed certificate. The following domain must be associated with the certificate: `*.login.YOUR-SYSTEM-DOMAIN`.
<p class="note"><strong>Note</strong>: The Pivotal Single Sign-On Service and Pivotal Spring Cloud Services tiles require the <code>*.login.YOUR-SYSTEM-DOMAIN</code>.</p>
1. If the private key specified under **Service Provider Credentials** is password-protected, enter the password under **SAML Service Provider Key Password**.
<%= image_tag("service-provider.png") %>
1. (Optional) To override the default value, enter a custom SAML Entity ID in the **SAML Entity ID Override** field. By default, the SAML Entity ID is `http://login.YOUR-SYSTEM-DOMAIN` where `YOUR-SYSTEM-DOMAIN` is set in the **Domains** > **System Domain** field.
1. For **Signature Algorithm**, choose an algorithm from the dropdown menu to use for signed requests and assertions. The default value is `SHA256`.
1. (Optional) In the **Apps Manager Access Token Lifetime**, **Apps Manager Refresh Token Lifetime**, **Cloud Foundry CLI Access Token Lifetime**, and **Cloud Foundry CLI Refresh Token Lifetime** fields, change the lifetimes of tokens granted for Apps Manager and Cloud Foundry Command Line Interface (cf CLI) login access and refresh. Most deployments use the defaults.
<%= image_tag("authsso-uaa-bottom.png") %>
1. (Optional) In the **Global Login Session Max Timeout** and **Global Login Session Idle Timeout** fields, change the maximum number of seconds before a global login times out. These fields apply to the following:
* **Default zone sessions**: Sessions in Apps Manager, PCF Metrics, and other web UIs that use the UAA default zones
* **Identity zone sessions**: Sessions in apps that use a UAA identity zone, such as a Single Sign-On service plan
1. (Optional) Customize the text prompts used for username and password from the cf CLI and Apps Manager login popup by entering values for **Customize Username Label (on login page)** and **Customize Password Label (on login page)**.
1. (Optional) The **Proxy IPs Regular Expression** field contains a pipe-delimited set of regular expressions that UAA considers to be reverse proxy IP addresses. UAA respects the `x-forwarded-for` and `x-forwarded-proto` headers coming from IP addresses that match these regular expressions. To configure UAA to respond properly to Gorouter or HAProxy requests coming from a public IP address, append a regular expression or regular expressions to match the public IP address.
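The trust decision behind the **Proxy IPs Regular Expression** field, as an added example (not code from this doc or from UAA): forwarded headers are honoured only when the TCP peer matches the configured regex, and a lint function shows what goes wrong when the regex is broad enough to match public addresses. The field value, the probe addresses (RFC 5737 documentation ranges) and the `fullmatch` semantics are assumptions made for the example, and the right-to-left walk of the `x-forwarded-for` chain is the example's own, stricter policy rather than a description of how UAA itself parses the header.

```python
import re
from ipaddress import ip_address

# Constructed value for the Proxy IPs Regular Expression field (assumption for this
# example, not UAA's shipped default): loopback plus 10.0.0.0/8, where Gorouter and
# HAProxy are assumed to live in this deployment.
PROXY_IPS_REGEX = r"127\.0\.0\.1|10\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# Public addresses from the RFC 5737 documentation ranges, used only as probes.
PUBLIC_PROBES = ("192.0.2.10", "198.51.100.7", "203.0.113.9")


def compile_proxy_regex(field_value):
    """Compile the whole pipe-delimited field as a single alternation."""
    return re.compile(field_value.strip())


def is_trusted_proxy(peer_ip, proxy_re):
    # fullmatch (assumed semantics) so that 10\.0\.0\.1 cannot match 110.0.0.1 or 10.0.0.12.
    return proxy_re.fullmatch(peer_ip) is not None


def overly_broad_patterns(field_value):
    """Return the public probe addresses the field value would treat as a proxy.
    Any hit means a host on the internet could connect directly and have its own
    x-forwarded-for / x-forwarded-proto honoured, which defeats the field's purpose."""
    proxy_re = compile_proxy_regex(field_value)
    return [ip for ip in PUBLIC_PROBES if is_trusted_proxy(ip, proxy_re)]


def resolve_client(peer_ip, headers, proxy_re, conn_scheme="http"):
    """Return (client_ip, scheme) for one request.

    Forwarded headers count only when the TCP peer is a trusted proxy. The
    x-forwarded-for chain is then walked from the right, skipping trusted
    proxies; the first address that is not a trusted proxy is the client, so a
    forged leftmost entry has no effect. Malformed chains fall back to the peer.
    """
    if not is_trusted_proxy(peer_ip, proxy_re):
        return peer_ip, conn_scheme

    proto = headers.get("x-forwarded-proto", "").strip().lower()
    scheme = proto if proto in ("http", "https") else conn_scheme

    chain = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            ip_address(hop)
        except ValueError:
            return peer_ip, scheme  # garbled chain: do not trust any of it
        if not is_trusted_proxy(hop, proxy_re):
            return hop, scheme
    # Every hop (or none) was a trusted proxy: report the leftmost hop, or the peer.
    return (chain[0] if chain else peer_ip), scheme


if __name__ == "__main__":
    proxy_re = compile_proxy_regex(PROXY_IPS_REGEX)
    # Request relayed by Gorouter on 10.0.0.5 for a client on 203.0.113.9.
    print(resolve_client("10.0.0.5", {"x-forwarded-for": "203.0.113.9",
                                      "x-forwarded-proto": "https"}, proxy_re))
    # Direct connection from the internet: its forwarded headers are ignored.
    print(resolve_client("198.51.100.7", {"x-forwarded-for": "127.0.0.1"}, proxy_re))
    print("broad patterns accept:", overly_broad_patterns(r".*"))
```

Before appending an expression for a public-facing Gorouter or HAProxy address, run the field value through `overly_broad_patterns` with your own proxies' addresses removed from the probe list: the expression should match exactly those proxies and nothing else, since every address it matches is allowed to set the client IP and scheme that UAA logs and acts on.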
1. You can configure UAA to use an internal MySQL database provided with PCF, or you can configure an external database provider. Follow the procedures in either the [Internal Database Configuration](#uaa-internal) or the [External Database Configuration](#uaa-external) section below.
<p class="note"><strong>Note</strong>: If you are performing an upgrade, do not modify your existing internal database configuration or you may lose data. You must migrate your existing data before changing the configuration. See <a href="upgrading-pcf.html">Upgrading Pivotal Cloud Foundry</a> for additional upgrade information, and contact <a href="https://support.pivotal.io">Pivotal Support</a> for help. </p>
### <a id='uaa-internal'></a> Internal Database Configuration
When you configure the UAA to use an internal MySQL database, it uses the type of database selected in the **Databases** pane, which can be one of two options. See [Migrate to TLS Communication](../opsguide/scaling-down-mysql.html#migrate) for details.
1. Select **Internal MySQL**.
![UAA DB Selection](ert_uaa_internal.png)
1. Click **Save**.
1. Ensure that you complete the [Configure Internal MySQL](#internal-db) step later in this topic to configure high availability for your internal MySQL databases.
### <a id='uaa-external'></a> External Database Configuration
1. From the **UAA** section in Pivotal Application Service (PAS), select **External**.
<%= image_tag('ert_uaa_external.png') %>
1. For **Hostname**, enter the hostname of the database server.
1. For **TCP Port**, enter the port of the database server.
1. For **User Account and Authentication database username**, specify a unique username that can access this specific database on the database server.
1. For **User Account and Authentication database password**, specify a password for the provided username.
1. Click **Save**.