Pivotal Knowledge Base

Follow

Disabling SAML Identity Provider When Switching Identity Providers for PCF 2.1

Environment

Pivotal Cloud Foundry (PCF) 2.1

Purpose

The User Account and Authentication (UAA) service for Pivotal Application Service (PAS) on PCF 2.1 exposes the ability for operators to manage identity providers via APIs, which changes how UAA manifest values for identity providers behave.

When switching from SAML to another identity provider (LDAP or internal user store), the SAML identity provider will no longer be disabled by default. Operators must now manually disable the previous SAML identity provider using the UAA APIs.

Procedure

1. Obtain the UAA Admin Client Credentials for the PAS tile from Operations Manager.

2. Login to your domain via uaac

uaac target https://login.your-domain-here.com

uaac token client get admin

Enter client secret from Operations Manager.

3. Run the following commands to list the identity providers of the PAS tile using the list identity providers endpoint.

uaac curl -k /identity-providers?rawConfig=true 

Note: It is recommended to make a backup of these configurations by copying the full output to a text file in case you need to restore the SAML identity provider configurations at a later point.

4. Find the id and name fields of the SAML identity provider, which can be identified based on "type": "saml" and "active": "true"

You should see a larger response that contains the SAML provider similar to the below message. Look for the values shown below in bold. You need these values for the next step.

[

.... text here...

 {

   "type": "saml",

   "config": {

 
     .... text here…


   },

   "id": "783fe03f-4d9c-414d-b3ba-a66613d60ec3",

   "originKey": "saml-origin-name",

   "name": "SAML Identity Provider Name",

   "version": 1,

   "created": 1517282050000,

   "last_modified": 1517282241000,

   "active": true,

   "identityZoneId": "uaa"

 },


.... text here...
 

]

5. Use the Identity Provider Update API endpoint with the corresponding identity provider `id` to disable the SAML identity provider with `"active": false`. The `name` field is also required. Below is an example of the command:

uaac curl -k /identity-providers/783fe03f-4d9c-414d-b3ba-a66613d60ec3  -X PUT -H 'Content-Type: application/json' -d '{

   "name": "SAML Identity Provider Name",

   "active" : false

}'

You should see a response similar to the below message. Check that the field active is set to false.

 
200 OK

… text here ..

RESPONSE BODY:

{

 "type": "unknown",

 "config": "null",

 "id": "783fe03f-4d9c-414d-b3ba-a66613d60ec3",

 "originKey": "saml-origin-name",

 "name": "SAML Identity Provider Name",

 "version": 1,

 "created": 1517282050000,

 "last_modified": 1517612074000,

 "active": false,

 "identityZoneId": "uaa"

}

Comments

Powered by Zendesk