Rayson

Reputation: 1

UAA How to create identity zone admin

We are using UAA's multitenancy functionality for our customers. As such, we are required to create an identity zone for each customer to manage each customer's information separately.

However, based on the documentation, I'm unable to find how I could create an identity zone admin with the scope zone.<zoneid>.admin and obtain this admin's token.

Name                        Description
Authorization               Access token with scim.write or uaa.admin scope required
X-Identity-Zone-Id          May include this header to administer another zone if using zones.<zoneId>.admin or uaa.admin scope against the default UAA zone.
X-Identity-Zone-Subdomain   If using a zones.<zoneId>.admin scope/token, indicates what Identity Zone this request goes to by supplying a subdomain.

Create User API Reference Link

Is there any guideline or guidance that we could reference?

Thank you

Upvotes: 0

Views: 629

Answers (1)

Daniel Mikusa

Reputation: 15051

Here are the steps:

Target and get a token as the admin client

uaac target http://localhost:8080/uaa
uaac token client get admin -s adminsecret

Update your admin client

This is to make sure it has the correct scopes; you'd only need to do this once.

uaac client update admin --authorities "uaa.admin,clients.read,clients.write,clients.secret,scim.read,scim.write,clients.admin,zones.write"

Then get a new token, which will have the scopes just added.

uaac token client get admin -s adminsecret

Create the zone and add the admin client to the zone:

uaac -t curl -X POST -H "Content-Type:application/json" -H "Accept:application/json" --data '{ "id":"testzone1", "subdomain":"testzone1", "name":"The Twiglet Zone[testzone1]", "version":0, "description":"Like the Twilight Zone but tastier[testzone1]."}' /identity-zones
uaac -t curl -H "X-Identity-Zone-Id:testzone1" -X POST -H "Content-Type:application/json" -H "Accept:application/json" --data '{ "client_id" : "admin", "client_secret" : "adminsecret", "scope" : ["uaa.none"], "resource_ids" : ["none"], "authorities" : ["uaa.admin","clients.read","clients.write","clients.secret","scim.read","scim.write","clients.admin"], "authorized_grant_types" : ["client_credentials"]}' /oauth/clients

Target the zone & get a token as the admin client in that zone:

uaac target http://testzone1.localhost:8080/uaa
uaac token client get admin -s adminsecret
uaac token decode

Reference: https://github.com/cloudfoundry/uaa/blob/develop/docs/UAA-APIs.rst#sequential-example-of-creating-a-zone-and-creating-an-admin-client-in-that-zone

Upvotes: 0
