Concourse  PCF

Authenticating Concourse team members with PCF UAA

Concourse can be integrated with a Cloud Foundry UAA server to authenticate and authorize members of a specific team based on CF Organization/Space membership.

The authorization of the users for a Concourse team is validated against the user membership of a specific space in Cloud Foundry.

Such integration requires two steps:

1. Create a client-id and a client-secret on the UAA server side

Concourse needs to have a UAA client-id and client-secret to be able to request UAA to authenticate and authorize team user logins.

From a machine that can connect to PCF UAA (e.g. the PCF Ops Manager VM) and that has the UAAC CLI installed, create a client ID/secret. For example:

## --skip-ssl-validation is only acceptable in a lab; omit it once the UAA certificate is trusted
uaac target uaa.<pcf-system-domain> --skip-ssl-validation

## get the admin client secret from Ops Manager > Elastic Runtime > Credentials > UAA - Admin Client Credentials
uaac token client get admin

## --scope needs a value: cloud_controller.read lets Concourse read CF space membership
uaac client add concourse \
  --name concourse \
  --scope cloud_controller.read \
  --authorized_grant_types "authorization_code,refresh_token" \
  --access_token_validity 3600 \
  --refresh_token_validity 3600 \
  --secret <your-client-secret-goes-here> \
  --redirect_uri https://<your-concourse-domain>/auth/uaa/callback

2. Configure a Concourse team that delegates authentication to UAA

From a machine that can reach Concourse with the fly CLI, configure the Concourse team with UAA authentication:

fly -t <your-target> set-team -n <team-name> \
  --uaa-auth-client-id concourse \
  --uaa-auth-client-secret <your-client-secret-goes-here> \
  --uaa-auth-auth-url https://login.<pcf-system-domain>/oauth/authorize \
  --uaa-auth-token-url https://login.<pcf-system-domain>/oauth/token \
  --uaa-auth-cf-url https://api.<pcf-system-domain> \
  --uaa-auth-cf-space <space-guid> \
  --uaa-auth-cf-ca-cert <file-with-root-CA.crt>

## <space-guid>: obtain it with:  cf space <space-name> --guid
## <file-with-root-CA.crt>: get the trusted certs from the PCF Ops Manager Director tile > Settings tab > Security > Trusted Certificates field
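The following pre-flight check is an added helper, not part of Concourse, PCF, or the original commands above: a small POSIX shell script that validates the values fed to the uaac and fly commands (HTTPS callback on the Concourse host, a space GUID rather than a space name, a readable PEM CA file, a real client secret) before anything is registered with UAA. The function names and check rules are the editor's own assumptions.

```shell
#!/bin/sh
# Added helper (not Concourse/UAA code): sanity-checks the inputs of
# `uaac client add` and `fly set-team` so a typo does not end up as a
# misconfigured OAuth client or team. All function names are assumptions.

# is_guid VALUE -> 0 if VALUE looks like the GUID printed by `cf space <name> --guid`
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# is_pem_cert FILE -> 0 if FILE is readable and holds at least one PEM certificate
is_pem_cert() {
  [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# redirect_matches CONCOURSE_DOMAIN REDIRECT_URI -> 0 only if the URI registered
# with UAA is exactly the HTTPS callback on the Concourse host (no http, no other host)
redirect_matches() {
  [ "$2" = "https://$1/auth/uaa/callback" ]
}

# secret_is_set SECRET -> 0 unless the value is empty or still a <placeholder>
secret_is_set() {
  case "$1" in
    ''|\<*\>) return 1 ;;
    *)        return 0 ;;
  esac
}

# validate_uaa_auth_config DOMAIN REDIRECT_URI SPACE_GUID CA_CERT_FILE SECRET
# Prints one line per failed check; the return value is the number of failures.
# Usage: validate_uaa_auth_config ci.example.com https://ci.example.com/auth/uaa/callback "$GUID" root-ca.crt "$SECRET"
validate_uaa_auth_config() {
  fails=0
  redirect_matches "$1" "$2" || { echo "redirect_uri must be https://$1/auth/uaa/callback"; fails=$((fails + 1)); }
  is_guid "$3"               || { echo "space must be a GUID (cf space <name> --guid), not a name"; fails=$((fails + 1)); }
  is_pem_cert "$4"           || { echo "CA cert file '$4' is missing or not PEM"; fails=$((fails + 1)); }
  secret_is_set "$5"         || { echo "client secret is empty or still a placeholder"; fails=$((fails + 1)); }
  return "$fails"
}
```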

After the team is created, open the Concourse UI and try to log in to the new team. You should be redirected to the UAA login page (e.g. the PCF login) and then sent back to the Concourse UI once authenticated.