Re: UAA, SAML, and LDAP questions

Sree Tummidi

Hi Aaron,
You could potentially use the access token (similar to a personal access
token used for the GitHub API) to achieve the CLI automation. The access token
can either be retrieved via an authentication to the CLI itself or via UAAC.
Regular users would still continue to use the -sso option.

Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry

On Wed, May 13, 2015 at 1:56 PM, Huber, Aaron M <aaron.m.huber(a)>

That’s the main concern we have as well – we currently need LDAP for the
CLI since SAML doesn’t work in that case, but we’d like SAML for web-based
interactions (SSO in a portal, etc.). But at present it seems like that’s
not possible without the user having to deal with effectively two separate


*From:* Mike Youngstrom [mailto:youngm(a)]
*Sent:* Wednesday, May 13, 2015 1:34 PM
*To:* Filip Hanik
*Cc:* Huber, Aaron M; CF Developers Mailing List
*Subject:* Re: [cf-dev] UAA, SAML, and LDAP questions

Well, that's a bummer. Is there any way around that? Our SAML is backed
by the same LDAP so they are the same user. We can provide a unique ID to
correlate SAML with LDAP users.


On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <fhanik(a)> wrote:

yes, it would result in two different shadow accounts, differentiated by
the value of the user's origin field

On Wed, May 13, 2015 at 2:08 PM, aaron_huber <aaron.m.huber(a)>

Would the same user logging in via SAML and LDAP result in two different
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?
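The situation Aaron asks about and Filip confirms, a user who logs in through LDAP and through SAML ending up with two UAA user records told apart only by the `origin` field, can be checked from the UAA SCIM `/Users` API. The script below is an added example, not code from this thread, from UAA or from Pivotal; it assumes the documented response shape of `GET /Users` (a JSON object with a `resources` list whose entries carry `id`, `userName` and `origin`) and the SCIM filter syntax `userName eq "..." and origin eq "..."` that UAA accepts. The response it parses is constructed inline so it runs offline; the user names, ids and the `saml-example` origin name are made up.

```python
"""Find UAA shadow accounts that exist under more than one origin.

Added example (not from the cf-dev thread or the UAA project). Assumes the
UAA SCIM /Users response shape and filter syntax described in the lead-in.
"""
import json
import re
from collections import defaultdict
from urllib.parse import quote

# Constructed sample of what GET /Users returns after the same person has
# authenticated once through LDAP and once through a SAML identity provider.
# Ids, names and the origin key "saml-example" are invented for this example.
SAMPLE_USERS_RESPONSE = json.dumps({
    "resources": [
        {"id": "id-ldap-0001", "userName": "ahuber", "origin": "ldap",
         "externalId": "cn=ahuber,ou=people,dc=example,dc=com"},
        {"id": "id-saml-0002", "userName": "ahuber", "origin": "saml-example",
         "externalId": "ahuber"},
        {"id": "id-ldap-0003", "userName": "myoungstrom", "origin": "ldap",
         "externalId": "cn=myoungstrom,ou=people,dc=example,dc=com"},
    ],
    "totalResults": 3,
})

# Conservative allow-list for values interpolated into a SCIM filter. This is
# a defensive choice for the example, not UAA's own grammar: it simply refuses
# quotes, backslashes and other characters that could alter the filter.
_SAFE_FILTER_VALUE = re.compile(r"^[A-Za-z0-9._@-]+$")


def _checked(value):
    if not _SAFE_FILTER_VALUE.match(value):
        raise ValueError(f"refusing to place {value!r} in a SCIM filter")
    return value


def scim_filter(user_name, origin=None):
    """Build the SCIM filter for /Users.

    Filtering on userName alone returns every shadow account for that name;
    adding the origin clause is what selects exactly one of them.
    """
    f = f'userName eq "{_checked(user_name)}"'
    if origin is not None:
        f += f' and origin eq "{_checked(origin)}"'
    return f


def users_query(user_name, origin=None):
    """Path and query string for the filtered /Users request."""
    return "/Users?filter=" + quote(scim_filter(user_name, origin), safe="")


def shadow_accounts(response_json):
    """Map userName -> {origin: id} for names present under more than one
    origin, i.e. the users who now own two separate sets of orgs/spaces."""
    by_name = defaultdict(dict)
    for user in json.loads(response_json)["resources"]:
        by_name[user["userName"]][user["origin"]] = user["id"]
    return {name: origins for name, origins in by_name.items()
            if len(origins) > 1}


if __name__ == "__main__":
    print(users_query("ahuber", "ldap"))
    for name, origins in shadow_accounts(SAMPLE_USERS_RESPONSE).items():
        print(f"{name}: {origins}")
```

Running it against a real deployment would mean issuing the printed query with an admin token that carries `scim.read`; the point of the report is that any org/space role granted to `id-ldap-0001` is invisible to the `id-saml-0002` record, so a migration from LDAP to SAML logins has to reassign roles per origin rather than per user name.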

