Re: UAA, SAML, and LDAP questions

Aaron Huber

That’s the main concern we have as well – we currently need LDAP for the CLI since SAML doesn’t work in that case, but we’d like SAML for web-based interactions (SSO in a portal, etc.). But at present it seems like that’s not possible without the user having to deal with effectively two separate accounts.


From: Mike Youngstrom [mailto:youngm(a)]
Sent: Wednesday, May 13, 2015 1:34 PM
To: Filip Hanik
Cc: Huber, Aaron M; CF Developers Mailing List
Subject: Re: [cf-dev] UAA, SAML, and LDAP questions

Well, that's a bummer. Is there any way around that? Our SAML is backed by the same LDAP so they are the same user. We can provide a unique ID to correlate SAML with LDAP users.


On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <fhanik(a)<mailto:fhanik(a)>> wrote:
yes, it would result in two different shadow accounts, differentiated by the value of the user's origin field

On Wed, May 13, 2015 at 2:08 PM, aaron_huber <aaron.m.huber(a)<mailto:aaron.m.huber(a)>> wrote:
Would the same user logging in via SAML and LDAP result in two different UAA
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?


View this message in context:
Sent from the CF Dev mailing list archive at
cf-dev mailing list

cf-dev mailing list

Join { to automatically receive all group messages.