Dave Rager

Reputation: 8160

Crossing identity zones in Cloudfoundry UAA

We are using UAA's multitenant functionality for our customers. As such, each is given their own identity zone. We'd also like to have an admin identity zone separate from the default UAA identity zone. However, it seems only a user in the default UAA identity zone is able to switch identity zones.

From the IdentityZoneSwitchingFilter:

if (IdentityZoneHolder.isUaa() && oAuth2Authentication != null && !oAuth2Authentication.getOAuth2Request().getScope().isEmpty()) {
    SecurityContextHolder.getContext().setAuthentication(oAuth2Authentication);
} else {
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not authorized to switch to IdentityZone with id "+identityZoneId);
    return;
}

Obviously IdentityZoneHolder.isUaa() will be false for anything but the UAA identity zone.

In the past we made significant modifications to UAA to support our functionality, including installing our own IdentityZoneSwitchingFilter. We've recently upgraded to 3.3.0 and are trying to pull out all of our code to have a clean separation between our stuff and UAA.

We'd prefer to leave UAA unmodified; however, it looks like we will still need to configure our own IdentityZoneSwitchingFilter. Is this correct? Is there another way to accomplish this without modifying UAA?

Upvotes: 1

Views: 811
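The gate quoted above can be read as a small authorization decision: the caller must already be in the default UAA zone and must present a token with a non-empty scope, otherwise the request is answered with 403. The following Java class is an added illustration written for this page, not UAA's own code and not the asker's filter. It models that decision as a standalone function and extends it with one assumed convention that is not stated in the question: that admin rights on a zone are expressed as a per-zone scope of the form "zones.<zone-id>.admin". The zone id "uaa" for the default zone and the header name are likewise assumptions.

```java
import java.util.Set;

/**
 * Hypothetical, simplified model of the zone-switching gate discussed in the
 * question. Illustration only; this is not UAA's IdentityZoneSwitchingFilter.
 *
 * Assumptions (not taken from the question):
 *  - the default UAA zone has the id "uaa";
 *  - the caller names the target zone in an X-Identity-Zone-Id request header
 *    (the header lookup itself is left to the caller of evaluate());
 *  - admin rights on a zone are carried as the scope "zones.<zone-id>.admin".
 */
public final class ZoneSwitchGate {

    /** Assumed id of the default UAA identity zone. */
    static final String UAA_ZONE_ID = "uaa";

    /** Outcome of a switch request: proceed, or answer 403 as the filter does. */
    public enum Decision { ALLOW, FORBIDDEN }

    /**
     * Decide whether a caller authenticated in currentZoneId, holding the given
     * token scopes, may act inside targetZoneId.
     *
     * @param currentZoneId zone the request was authenticated in
     * @param scopes        scopes granted to the caller's OAuth2 token (may be null
     *                      when there is no OAuth2 authentication at all)
     * @param targetZoneId  zone named by the caller, e.g. from X-Identity-Zone-Id
     */
    public static Decision evaluate(String currentZoneId, Set<String> scopes, String targetZoneId) {
        // Counterpart of IdentityZoneHolder.isUaa(): switching is only honoured
        // from the default zone. This is what keeps tenant zones isolated from
        // each other: a token issued inside tenant A's zone can never be used to
        // reach tenant B's zone, whatever scopes it carries.
        if (!UAA_ZONE_ID.equals(currentZoneId)) {
            return Decision.FORBIDDEN;
        }
        // Counterpart of oAuth2Authentication != null && !scope.isEmpty()
        if (scopes == null || scopes.isEmpty()) {
            return Decision.FORBIDDEN;
        }
        // Assumed convention: an explicit admin scope for the target zone.
        String required = "zones." + targetZoneId + ".admin";
        return scopes.contains(required) ? Decision.ALLOW : Decision.FORBIDDEN;
    }

    public static void main(String[] args) {
        // Constructed sample: a token issued in the default zone that administers tenant-a.
        Set<String> tenantAdmin = Set.of("zones.tenant-a.admin");

        // caller in the default zone, scope matches the target zone
        System.out.println("uaa -> tenant-a: " + evaluate("uaa", tenantAdmin, "tenant-a"));
        // caller in the default zone, but no scope for the requested zone
        System.out.println("uaa -> tenant-b: " + evaluate("uaa", tenantAdmin, "tenant-b"));
        // caller authenticated in a separate admin zone rather than the default zone
        System.out.println("admin-zone -> tenant-a: " + evaluate("admin-zone", tenantAdmin, "tenant-a"));
        // caller in the default zone with an empty scope set
        System.out.println("uaa (no scopes) -> tenant-a: " + evaluate("uaa", Set.of(), "tenant-a"));
    }
}
```

The third case is the situation the question describes: a user in a non-default "admin" zone is refused regardless of scopes, because the first check is on the zone the request was authenticated in, not on what the token grants. Any replacement filter that relaxes that check should keep an equivalent isolation property, otherwise a compromised token in one tenant zone becomes a path into every other zone.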

Answers (1)

Sree Tummidi

Reputation: 386

UAA only supports zone switching from the default identity zone as this is treated as the zone from which other identity zones are administered.

Could you elaborate further on why you don't want to use the default zone for this purpose?

Upvotes: 1
