An official website of the United States government US flag signifying that this is a United States Federal Government website

Federated identity

Federated identity

This page is primarily for the cloud.gov team. It's public so that you can learn from it. For help using cloud.gov, see the user docs.

Federated identity in cloud.gov is supported via SAML 2.0. UAA acts as a SAML service provider (SP) to authenticate with trusted identity providers (IdP).

Approval from the Program Manager is required before adding a new trusted identity provider.

Adding a new Identity Provider

Provide the IdP with our SP metadata. This is a machine-readable document describing our SAML endpoints and configuration.

In return, the IdP needs to provide their metadata (either as an XML file or a URL), a list of domains the IdP is responsible for authenticating, and a logo that will be displayed on our login page.

Using the information provided by the IdP, add a new entry under login.providers in the Cloud Foundry secrets using this template:

example.com:
  assertionConsumerIndex: 0
  metadataTrustCheck: true
  showSamlLoginLink: true
  addShadowUserOnLogin: true
  idpMetadata: 'URL to IdP metadata or or contents of metadata XML file'
  linkText: 'name of the IdP'
  iconUrl: 'URL to the image or an image embedded as a data URI'
  emailDomain:
    - example.com

After Concourse deploys the updated secrets, the new IdP will be displayed and available for use on the login page.