a9s SSO Proxy

The a9s SSO Proxy component sits in front of the a9s Service Dashboard and does single sign-on against an UAA when you access the dashboard via browser.

It also does verify the authorization of the user accessing the dashboard by asking Cloud Foundry for the user's permission to access the service instance. The user must have the permission 'manage' for the Cloud Foundry API endpoint GET /v2/service_instances/:guid/permissions, see the documentation Retrieving permissions on a Service Instance.

The a9s SSO Proxy does verify the token expiration time and tries to refresh the token if a refresh token exists.

When the application developers use the a9s Service Dashboard API via Cloud Foundry's bearer token, there is no refresh token in place and they will receive HTTP status 401 (Unauthorized).

BOSH Properties

token_expiration_time

The a9s SSO Proxy does expire the access token more aggressive than the actual UAA component. The default value is 600 seconds.

This means that if you have a token that is valid for 120 minutes, the a9s SSO Proxy will not allow this token anymore after 10 minutes and will try to refresh the token if a refresh token is present.

You can change the more aggressive a9s SSO Proxy expiration handling by setting the BOSH property token_expiration_time. The unit is seconds and the value should be an integer bigger than 0.

To set the token_expiration_time to 120 minutes, the manifest would look the following way:

...
- name: service-dashboard
  jobs:
  - name: sso-proxy
    properties:
      sso-proxy:
        token_expiration_time: 7200
        ...
...