Re: UAA : How to restrict that the user should use only the credentials of the client to whom it belongs to while login using password grant API?


Sree Tummidi
 

Hi Shilpa,

Users are associated with Identity Providers and not clients. Identity providers can be the UAA internal user store or a SAML/LDAP/OIDC provider.

There are two levels at which you can restrict users in clients.

1. You can use the required user groups feature on each client. If the user is not part of all the user groups listed, they cannot log in.
2. You can set allowed identity providers on a client. If the user is logging in via an allowed provider, they will be rejected.

Please refer to the UAA Client API docs on how to achieve setting the above.

Thanks,
Sree


On Jun 9, 2017, at 2:38 AM, shilpa kulkarni <shilpakulkarni91(a)gmail.com> wrote:

I am using the Cloud Foundry UAA server. I have created one particular identity zone. In that identity zone [subdomain], I created 3 different clients. Under one client I created some users. But when I try to test the user login API using the password grant, it allows the user to log in using other clients' credentials in the same zone.

For example: I created an identity zone called z1. In that z1 zone, I created 3 clients, say c1, c2 and c3. The client c1 created 3 users like user1, user2 and user3. These users should use the client credentials of client c1 only for login using the password grant. But if we give the credentials of clients c2 and c3 for user login using the password grant API, it still allows the user to log in.

How to restrict that the users user1, user2 and user3 should use only the credentials of the client c1 [to which they belong]?

How to restrict that the user should use only the credentials of the client to whom it belongs to?

Can anyone provide a solution for this?

Thanks

Regards

Shilpa K
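The two client-level restrictions named in the reply above, modelled as an added example that is not part of the original thread or UAA's own code. It assumes the UAA client fields `required_user_groups` and `allowedproviders`, assumes a user whose origin is missing from a non-empty `allowedproviders` list is rejected, and uses constructed clients, users and group names.

```python
# Added example: models the two client-level restrictions from the reply.
# Assumed field names: required_user_groups, allowedproviders (UAA client
# definition). All clients, users and groups below are constructed.

def password_grant_allowed(client, user):
    """Return (allowed, reason) for a user logging in through a client."""
    if "password" not in client.get("authorized_grant_types", []):
        return False, "client has no password grant"
    # Restriction 2 (assumption: an empty/absent list allows every provider).
    providers = client.get("allowedproviders")
    if providers and user["origin"] not in providers:
        return False, "origin %r not in allowedproviders" % user["origin"]
    # Restriction 1: the user must hold ALL required groups, not just one.
    missing = set(client.get("required_user_groups", [])) - set(user["groups"])
    if missing:
        return False, "missing required groups: %s" % sorted(missing)
    return True, "ok"

def unrestricted_password_clients(clients):
    """Audit helper: password-grant clients that set neither restriction."""
    return [c["client_id"] for c in clients
            if "password" in c.get("authorized_grant_types", [])
            and not c.get("required_user_groups")
            and not c.get("allowedproviders")]

# Constructed zone z1 from the question: only c1 carries restrictions.
CLIENTS = [
    {"client_id": "c1", "authorized_grant_types": ["password"],
     "required_user_groups": ["c1.users"], "allowedproviders": ["uaa"]},
    {"client_id": "c2", "authorized_grant_types": ["password"]},
    {"client_id": "c3", "authorized_grant_types": ["client_credentials"]},
]
USER1 = {"user_name": "user1", "origin": "uaa", "groups": ["c1.users"]}
OTHER = {"user_name": "user9", "origin": "ldap", "groups": ["c2.users"]}

if __name__ == "__main__":
    for client in CLIENTS:
        for user in (USER1, OTHER):
            print(client["client_id"], user["user_name"],
                  password_grant_allowed(client, user))
    # c2 is flagged: user1 can still log in through it until it is restricted.
    print("needs restriction:", unrestricted_password_clients(CLIENTS))
```

Because c2 sets neither field, user1 passes through it exactly as described in the question; giving c2 its own `required_user_groups` entry closes that path.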
