Proposal: UAA SAML Integration & Mapping CF Roles to external groups


Sree Tummidi

Hi all,

The UAA team has come up with a proposal for handling claims (User Attributes
& Group Memberships) from SAML Identity Providers. These claims can be
further mapped to CF roles in order to derive CF role memberships from
external group memberships.

The Proposal is split into two parts.


- Part 1 deals with the general UAA & SAML Integration for handling SAML
claims. This involves exposing them in the OpenID Connect ID Token and allowing
the mapping of claims to OAuth Scopes for coarse-grained authorization. The
proposal can be found here
<https://docs.google.com/a/pivotal.io/document/d/107sv7YqxdoDWi2vX5Z8WHm1JaqwHZOL_wa-esn2U5cE/edit?usp=sharing>
.
- Part 2 deals with leveraging the claims received in the ID Token to
derive CF role memberships. The proposal can be found here
<https://docs.google.com/a/pivotal.io/document/d/1UBtwEma5pkivNHD1QfTXOpPZAWCBE8Az9OVoT7oO0G4/edit?usp=sharing>
.
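To make the two parts of the proposal concrete, here is an added, self-contained illustration (not UAA's own code, and not taken from either proposal document): an ID token is verified first (signature with a pinned algorithm, issuer, audience, expiry) and only then are the external groups it carries mapped to CF roles through an explicit allow-list, so that groups nobody configured a mapping for confer nothing. The signing key, issuer URL, audience, the `groups` claim name and the group-to-role table are all assumptions constructed for the example; the token itself is built inline with HS256 purely so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real deployment would use the issuer's published
# signing key and its own client id rather than these placeholders.
DEMO_KEY = b"demo-secret-not-for-production"
EXPECTED_ISSUER = "https://uaa.example.test"   # assumed issuer URL
EXPECTED_AUDIENCE = "cf"                       # assumed OAuth client id
GROUP_CLAIM = "groups"                         # assumed claim carrying external groups

# Assumed allow-list: external (SAML/LDAP-style) group -> (scope, target, CF role).
# Keys are stored lower-cased so comparison below is case-insensitive.
ROLE_MAPPING = {
    "cn=platform-admins,ou=groups,dc=example,dc=test": [("org", "acme", "OrgManager")],
    "cn=acme-dev,ou=groups,dc=example,dc=test": [("space", "acme/dev", "SpaceDeveloper")],
    "cn=acme-audit,ou=groups,dc=example,dc=test": [("org", "acme", "OrgAuditor")],
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256-signed JWT as constructed input for the example (not a real UAA token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Verify algorithm, signature, issuer, audience and expiry; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm instead of trusting whatever the token header says.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    current = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= current:
        raise ValueError("token expired")
    return claims


def derive_cf_roles(claims: dict) -> set:
    """Map the token's external groups to CF roles; unmapped groups yield nothing."""
    groups = claims.get(GROUP_CLAIM, [])
    if isinstance(groups, str):
        groups = [groups]
    roles = set()
    for group in groups:
        for scope, target, role in ROLE_MAPPING.get(group.strip().lower(), []):
            roles.add((scope, target, role))
    return roles


if __name__ == "__main__":
    token = make_demo_id_token({
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
        "exp": int(time.time()) + 300,
        "groups": ["cn=acme-dev,ou=groups,dc=example,dc=test",
                   "cn=marketing,ou=groups,dc=example,dc=test"],  # second group is unmapped
    })
    print(sorted(derive_cf_roles(verify_id_token(token))))
```

Only the group with a configured mapping produces a role; the unmapped group is silently ignored rather than granted anything. Running the verification step before the mapping step is what keeps a tampered or expired token from contributing any group memberships at all.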


We are looking forward to your valuable feedback and suggestions on these
topics.
Happy reviewing!!


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry