Re: Cloudfoundry UAA / Questions
1. For users created in UAA database, are there any policies we could
apply regarding password expiry/strength of the password/lockout on
repeated retry failures etc..?
Currently there is a password score calculator. There is a feature being
implemented for a more clearly configurable password strength. Expect it to
be in the next release. Lockout is implemented, and will also be
configurable in the next release.
2. Is there any pluggable mechanism for user creation in UAA that we
could use to create them say in AD – instead of in UAA user database?
The UAA can integrate with LDAP (AD) or with SAML IDPs. When you use one
of these authentication mechanism, a shadow account will be created in the
UAA. These users will only be able to authenticate against their respective
3. Is there any work/pocs done on UAA integration with Shibboleth
Identity provider to have federated identity? I.e. Integration with
identity providers behind firewalls?
I believe Shibboleth is a SAML v2 provider, so it should be able to be
configured like any other provider.
4. Is UAA HA/DR capable if the underlying user database is replicated?
Basically does it boil down to underlying UAA database HA/DR and any
tenants identity provider’s HA/DR capability?
Yes, that is how we run our UAA in production. It's backed by a HA/DR
5. Other than notion of Zones/Multi-tenants are there any advantages of
using UAA over plain Spring Security OAuth2/Spring Cloud Security?
Yes, most of the work has already been done for you.
On Sat, May 30, 2015 at 11:58 AM, Reddy, Satyapal <satyapal.reddy(a)emc.com>
Looking into using UAA and have couple of questions: