Re: Custom Login Server with UAA 2.0+

Sree Tummidi

Hi Matt,
This new wild card route pattern was introduced for multi-tenancy in UAA post merge.
Anything before login or uaa in the URL is now treated as a zone subdomain and the zone context is derived from it.

We will have to look into various approaches to solve this because even if you take over the login subdomain there is possibility for the code to misinterpret the url as a zone specific one.

Let me discuss this with the team and get back to you with possible solutions for the same.


Sent from my iPad

On May 27, 2015, at 9:58 PM, Matt Cholick <cholick(a)> wrote:

Prior to the consolidation of uaa and the login server in uaa release 2.0, we were running our own login server to handle auth to our platform. We simply reduced the instance of the bundled CF login server to 0 and put our own in place, which snagged the login subdomain. This worked just fine; our solution implemented all the needed endpoints to login.

We're now upgrading to a newer release with uaa 2.0+ and having difficulties. The uaa registrar hardcodes grabbing the login subdomains:
- login.<%= properties.domain %>
- '*.login.<%= properties.domain %>'


This prevents us from taking over login. We locally removed those list items and our custom login server does continue to work. We have some questions about the right approach going forward though.

Are uaa and the login server going to continue to merge: to the point where we can no longer take over the login subdomain? Will this strategy no longer be feasible? What's the right answer non ldap/saml environments, if the uaa project's roadmap makes this replacement impossible?

If our current solution will continue to work for the foreseeable future, would the uaa team be amenable to a pull-request making the uri values configurable, so we can continue to take over the login subdomain?

-Matt Cholick
cf-dev mailing list

Join { to automatically receive all group messages.