Re: UAA, SAML, and LDAP questions

Filip Hanik

The problem with SAML is that we never see the username. We only receive
the username in form of an email address from the SAML IDP. This would not
correspond to the username you would log in to LDAP with.

The use case you describe would indicate that we want two different
authentication sources to represent the same authentication source.
I believe the correct solution here is to implement the SAML ECP profile.
At that point you'd have an option to go LDAP or SAML rather than trying to
mix both.
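To make the shadow-account point above concrete, here is an added example (my own code, not UAA's and not from anyone on this thread). It reads a constructed sample in the shape of a UAA SCIM `/Users` response and reports every email address that has both an `ldap`-origin and a `saml`-origin user, i.e. the two user objects Aaron asked about. The response shape (`resources`, `userName`, `origin`, `emails[].value`), the sample values and the assumption that the same person shows up with the same email in both origins are assumptions for the example; in a real deployment the JSON would come from `GET /Users` on the UAA with a token that carries `scim.read`.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a UAA SCIM /Users response. Every id,
# name and address here is made up for the example.
SAMPLE_SCIM_RESPONSE = json.dumps({
    "resources": [
        {"id": "u-1", "userName": "ahuber", "origin": "ldap",
         "emails": [{"value": "aaron.huber@example.com"}]},
        # Same person arriving via SAML: the IDP hands UAA the email as the
        # username, so a second shadow account with origin "saml" is created.
        {"id": "u-2", "userName": "aaron.huber@example.com", "origin": "saml",
         "emails": [{"value": "Aaron.Huber@example.com"}]},
        {"id": "u-3", "userName": "myoungstrom", "origin": "ldap",
         "emails": [{"value": "mike.youngstrom@example.com"}]},
        {"id": "u-4", "userName": "admin", "origin": "uaa",
         "emails": [{"value": "admin@example.com"}]},
    ],
    "totalResults": 4,
})


def parse_users(scim_json):
    """Flatten the SCIM resources into (id, userName, origin, emails) records.

    Emails are lower-cased so that case differences between what LDAP and the
    SAML IDP emit do not hide a duplicate.
    """
    data = json.loads(scim_json)
    users = []
    for r in data.get("resources", []):
        emails = [e["value"].lower() for e in r.get("emails", []) if "value" in e]
        users.append({
            "id": r["id"],
            "userName": r["userName"],
            "origin": r.get("origin", "uaa"),  # UAA-local users have origin "uaa"
            "emails": emails,
        })
    return users


def account_keys(users):
    """UAA identifies a user by (userName, origin), not by email alone.

    Two records with the same email but different origins are therefore two
    distinct accounts, each with its own org/space/app memberships.
    """
    return {(u["userName"], u["origin"]) for u in users}


def find_shadow_duplicates(users, origins=("ldap", "saml")):
    """Return {email: {origin: user_id}} for every email that has a user in
    each of the given origins. This is the list an admin would reconcile
    before deciding to drop one login path."""
    by_email = defaultdict(list)
    for u in users:
        for e in u["emails"]:
            by_email[e].append(u)

    duplicates = {}
    for email, members in by_email.items():
        by_origin = {}
        for m in members:
            by_origin.setdefault(m["origin"], m["id"])
        if all(o in by_origin for o in origins):
            duplicates[email] = {o: by_origin[o] for o in origins}
    return duplicates


if __name__ == "__main__":
    users = parse_users(SAMPLE_SCIM_RESPONSE)
    print("distinct accounts:", len(account_keys(users)))
    for email, ids in find_shadow_duplicates(users).items():
        print(f"{email}: {ids}")
```

Running it prints four distinct accounts (the email-only match between u-1 and u-2 does not collapse them) and lists aaron.huber@example.com as the one address backed by both an `ldap` and a `saml` shadow account.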


On Wed, May 13, 2015 at 3:30 PM, Mike Youngstrom <youngm(a)> wrote:

Possibly, though I think regular user authentication would still be a
concern for our users since security forces a rather short TTL for our
access tokens. I'll have to take a look and try a few things. We may
decide to just use LDAP and forget about the SSO integration for now.


On Wed, May 13, 2015 at 3:03 PM, Sree Tummidi <stummidi(a)> wrote:

Hi Aaron,
You could potentially use the access token (similar to a personal access
token used for GitHub API ) to achieve the CLI automation. The access token
can either be retrieved via an authentication to the CLI itself or via UAAC.
Regular users would still continue to use the -sso option.

Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry

On Wed, May 13, 2015 at 1:56 PM, Huber, Aaron M <aaron.m.huber(a)>

That’s the main concern we have as well – we currently need LDAP for
the CLI since SAML doesn’t work in that case, but we’d like SAML for
web-based interactions (SSO in a portal, etc.). But at present it seems
like that’s not possible without the user having to deal with effectively
two separate accounts.


*From:* Mike Youngstrom [mailto:youngm(a)]
*Sent:* Wednesday, May 13, 2015 1:34 PM
*To:* Filip Hanik
*Cc:* Huber, Aaron M; CF Developers Mailing List
*Subject:* Re: [cf-dev] UAA, SAML, and LDAP questions

Well, that's a bummer. Is there any way around that? Our SAML is
backed by the same LDAP so they are the same user. We can provide a unique
ID to correlate SAML with LDAP users.


On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <fhanik(a)> wrote:

yes, it would result in two different shadow accounts, differentiated
by the value of the user's origin field

On Wed, May 13, 2015 at 2:08 PM, aaron_huber <aaron.m.huber(a)>

Would the same user logging in via SAML and LDAP result in two different
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?

