An official website of the United States government US flag signifying that this is a United States federal government website

Federated identity

Federated identity

Federated identity in cloud.gov is supported via SAML 2.0. UAA acts as a SAML service provider (SP) to authenticate with trusted identity providers (IdP).

Approval from the Program Manager is required before adding a new trusted identity provider.

Adding a new Identity Provider

Provide the IdP with our SP metadata. This is a machine-readable document describing our SAML endpoints and configuration.

In return, the IdP needs to provide their metadata (either as an XML file or a URL), a list of domains the IdP is responsible for authenticating, and a logo that will be displayed on our login page.

Using the information provided by the IdP, add a new entry under login.providers in the Cloud Foundry secrets using this template:

example.com:
  assertionConsumerIndex: 0
  metadataTrustCheck: true
  showSamlLoginLink: true
  addShadowUserOnLogin: true
  idpMetadata: 'URL to IdP metadata or or contents of metadata XML file'
  linkText: 'name of the IdP'
  iconUrl: 'URL to the image or an image embedded as a data URI'
  emailDomain:
    - example.com

After Concourse deploys the updated secrets, the new IdP will be displayed and available for use on the login page.