By default, Stratos authenticates against a UAA using username and password, both for logging into Stratos and for connecting Cloud Foundry endpoints.
UAA can support richer login mechanisms than username and password. To accommodate this, you can configure Stratos to use the UAA's Single Sign On UI for login.
This can be enabled by setting the config setting SSO_LOGIN to true.
Most importantly, you will need to ensure that the Client used when communicating with your UAA is configured to allow Stratos to use Single Sign On - i.e. that the Stratos SSO Login callback URI is registered with the UAA.
Adding the Stratos SSO Callback URI
You'll need the uaac CLI (the UAA command-line client) to configure your Client to accept the Stratos SSO Callback URI.
NOTE: The Stratos SSO Redirect URI that you'll need is:
where DOMAIN depends on your Stratos installation.
Target your UAA
Log in to your UAA with the
Next, check the configuration of your Client - for example, for the
You'll get the current configuration - there are two properties of interest: redirect_uri and authorized_grant_types.
Note: The following commands overwrite the existing value of the setting specified. To keep the existing values alongside the new one, include them in the new value as a comma-separated list.
The redirect_uri value should contain the Stratos redirect URI. If not, update the Client with:
The authorized_grant_types value should contain authorization_code. If not, update the Client with:
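The steps above, as an added example that is my own script and not Stratos or UAA project code. It reads the client's current configuration, merges in the Stratos redirect URI and the authorization_code grant so that existing values are not lost (the overwrite behaviour the note above warns about), and prints the uaac client update commands that are still needed; it only executes them when asked to. It also covers the autoapprove setting discussed under troubleshooting below. Assumptions not stated on the page: uaac client get prints one "attribute: value" line per attribute with multi-valued attributes separated by spaces, and the redirect URI is the one for your installation, passed in by you. Register the exact callback URI rather than a broad pattern: a client whose redirect_uri accepts arbitrary hosts will deliver authorization codes to a site you do not control.

```python
"""Added example (my own script, not Stratos or UAA project code): plan the
'uaac client update' calls needed so the client keeps its existing redirect_uri
and authorized_grant_types values while gaining the Stratos ones, since each
'uaac client update' replaces the attribute wholesale.
Assumptions not on the page: 'uaac client get' prints one "attribute: value"
line per attribute with multi-valued attributes separated by spaces; the
Stratos redirect URI is taken from your installation and passed in."""
import shutil
import subprocess
import sys

# Constructed sample of 'uaac client get cf' output (not captured from a real UAA).
SAMPLE_CLIENT_GET = """\
  client_id: cf
  authorized_grant_types: password refresh_token
  redirect_uri: https://existing.example.com/callback
  autoapprove: true
"""


def parse_client_get(output: str) -> dict:
    """Map each 'attribute: v1 v2 ...' line to {attribute: [v1, v2, ...]}."""
    attrs = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key and " " not in key:
            attrs[key] = value.split()
    return attrs


def merged(existing: list, required: list) -> list:
    """Existing values in their original order plus any required values not present."""
    return list(existing) + [v for v in required if v not in existing]


def plan_updates(client: str, client_get_output: str, redirect_uri: str,
                 autoapprove: str = None) -> list:
    """Return argv lists for the uaac updates still needed (empty if none).

    redirect_uri and authorized_grant_types are merged with the current values;
    autoapprove, if given, is set verbatim ("true" or a comma-separated list),
    which is what the troubleshooting section describes."""
    attrs = parse_client_get(client_get_output)
    plan = []
    for attr, required in (("redirect_uri", [redirect_uri]),
                           ("authorized_grant_types", ["authorization_code"])):
        current = attrs.get(attr, [])
        wanted = merged(current, required)
        if wanted != current:
            plan.append(["uaac", "client", "update", client,
                         f"--{attr}", ",".join(wanted)])
    if autoapprove is not None and ",".join(attrs.get("autoapprove", [])) != autoapprove:
        plan.append(["uaac", "client", "update", client, "--autoapprove", autoapprove])
    return plan


def run_plan(plan: list, apply: bool = False) -> int:
    """Print each planned command; execute it only when apply=True. Returns the count run."""
    ran = 0
    for argv in plan:
        print(" ".join(argv))
        if apply:
            subprocess.run(argv, check=True)
            ran += 1
    return ran


if __name__ == "__main__":
    # Usage: python plan_uaac.py <client> <stratos redirect uri> [--apply]
    # after targeting your UAA and obtaining an admin token with uaac as described above.
    client, uri = sys.argv[1], sys.argv[2]
    if shutil.which("uaac"):
        output = subprocess.run(["uaac", "client", "get", client],
                                check=True, capture_output=True, text=True).stdout
    else:
        output = SAMPLE_CLIENT_GET  # offline demo on the constructed sample
    run_plan(plan_updates(client, output, uri), apply="--apply" in sys.argv)
```

Run it once without --apply and read the printed commands before applying them: on the constructed sample it proposes a redirect_uri containing both the existing and the Stratos URI, and an authorized_grant_types value of password,refresh_token,authorization_code, and proposes nothing for a client that already has both.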
Adding a Stratos SSO State Whitelist
When SSO has been configured, Stratos's login request will contain a URL, the SSO state, that tells SSO where to return the user after login. When using a browser this is populated automatically. To prevent this return URL from being hijacked (for example by a crafted login link that sends the user somewhere else once authenticated) or the login endpoint being called directly with an arbitrary return URL, an SSO state whitelist can be provided via the environment variable SSO_WHITELIST. This is a comma-separated list. For example...
When set, any request to log in with a state that is not in the whitelist will be denied.
For the SSO state to match an entry from the whitelist, the scheme, hostname, port and path must match exactly. A wildcard * can be provided for the path to match anything.
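The matching rules above, as an added example that is my own code and not the Stratos implementation. Where the page is silent I have made these assumptions: the port is compared literally (no normalisation of default ports, so https://host and https://host:443 do not match), an empty path is treated as "/", hostnames compare case-insensitively, and the path wildcard is written as /* in a whitelist entry. Because the comparison is on the parsed hostname, a state such as https://stratos.example.com@evil.example.com/ is compared as evil.example.com and denied.

```python
"""Added example (my own code, not the Stratos implementation): an SSO state
check applying the SSO_WHITELIST rules described on the page.
Assumptions not stated on the page: port compared literally (no default-port
normalisation), empty path treated as "/", hostnames compared
case-insensitively, path wildcard written as "/*"."""
from urllib.parse import urlsplit


def parse_whitelist(value: str) -> list:
    """Split the SSO_WHITELIST environment value into its non-empty entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def _components(url: str):
    """(scheme, hostname, port, path) for an absolute URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None  # relative or host-less URLs can never match
    return (parts.scheme.lower(), parts.hostname.lower(), port, parts.path or "/")


def state_allowed(state: str, whitelist: list) -> bool:
    """True if the state URL matches an entry: scheme, hostname and port exactly,
    and the path exactly unless the entry's path is the wildcard '/*'."""
    candidate = _components(state)
    if candidate is None:
        return False
    for entry in whitelist:
        allowed = _components(entry)
        if allowed is None:
            continue  # a malformed whitelist entry never matches anything
        if candidate[:3] != allowed[:3]:
            continue  # scheme, hostname or port differ
        if allowed[3] == "/*" or allowed[3] == candidate[3]:
            return True
    return False


def check_sso_login(state: str, sso_whitelist: str) -> str:
    """Decision for one login request: 'allow' or 'deny'.
    The page only describes denial when SSO_WHITELIST is set, so an empty
    value applies no restriction."""
    if not sso_whitelist.strip():
        return "allow"
    return "allow" if state_allowed(state, parse_whitelist(sso_whitelist)) else "deny"


if __name__ == "__main__":
    # Constructed whitelist and states for demonstration, not taken from a real deployment.
    wl = "https://stratos.example.com/*,https://other.example.com:8443/app"
    for state in ("https://stratos.example.com/any/path?x=1",
                  "http://stratos.example.com/",
                  "https://stratos.example.com:8443/",
                  "https://other.example.com:8443/app/",
                  "https://stratos.example.com@evil.example.com/"):
        print(check_sso_login(state, wl), state)
```

Of the five constructed states only the first is allowed: the others fail on scheme, on port, on a trailing slash in the path, and on the real hostname hidden behind userinfo respectively.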
User has selected the incorrect application authorities when logging in to Stratos via SSO for the first time.
- The user can update their permissions and other account settings via https://login.< uaa address >/profile
Administrator wants to remove the application authorities selection users see when logging in to Stratos via SSO for the first time
- This is carried out at the Admin's discretion
- Use the uaac CLI to update the 'autoapprove' property of the client used by Stratos to either true (auto-approve all authorities) or a comma-separated list of the authorities to remove from the selection, for example: uaac client update <console client> --autoapprove true
User sees the error message 'No scopes were granted' when trying to log in to Stratos via SSO
- User may not have selected any of the application authorities when logging in to Stratos via SSO for the first time
- Either of the resolutions above can be applied: the user updates their approvals via the UAA profile page, or the administrator sets 'autoapprove' on the client used by Stratos