a9s SSO Proxy
The a9s SSO Proxy component sits in front of the a9s Service Dashboard and performs single sign-on against a UAA when you access the dashboard via a browser.
It also verifies the authorization of the user accessing the dashboard by asking Cloud Foundry for the user's permission to access the service instance. The user must have the 'manage' permission as reported by the Cloud Foundry API endpoint GET /v2/service_instances/:guid/permissions; see the documentation on Retrieving permissions on a Service Instance.
The a9s SSO Proxy verifies the token expiration time and tries to refresh the token if a refresh token exists.
When application developers use the a9s Service Dashboard API with Cloud Foundry's bearer token, there is no refresh token in place, so once the token expires they will receive HTTP status 401 (Unauthorized).
BOSH Properties
token_expiration_time
The a9s SSO Proxy expires the access token more aggressively than the UAA component itself does. The default value is 600 seconds.
This means that if you have a token that is valid for 120 minutes, the a9s SSO Proxy will no longer accept this token after 10 minutes and will try to refresh it if a refresh token is present.
You can change this more aggressive expiration handling of the a9s SSO Proxy by setting the BOSH property token_expiration_time. The unit is seconds and the value must be an integer greater than 0.
To set the token_expiration_time to 120 minutes (7200 seconds), the manifest would look like this:
...
- name: service-dashboard
  jobs:
  - name: sso-proxy
    properties:
      sso-proxy:
        token_expiration_time: 7200
...
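The expiry and refresh behaviour described above, written out as an added Python model (illustrative code, not the a9s SSO Proxy's own implementation): the proxy treats a token as expired at the earlier of the UAA expiry and the time it obtained the token plus token_expiration_time, then refreshes if a refresh token exists and otherwise answers 401. The ProxySession structure and the assumption that the permissions endpoint returns a body of the form {"manage": <bool>} are this example's own.

```python
"""Model of the a9s SSO Proxy token-expiry decision (added illustration)."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_TOKEN_EXPIRATION_TIME = 600  # default of the BOSH property, in seconds


@dataclass
class ProxySession:
    """What the proxy knows about one session (hypothetical structure)."""
    obtained_at: int              # unix time at which the proxy received the token
    uaa_expires_at: int           # expiry UAA itself assigned to the access token
    refresh_token: Optional[str]  # None when a CF bearer token is used directly


def effective_expiry(session: ProxySession,
                     token_expiration_time: int = DEFAULT_TOKEN_EXPIRATION_TIME) -> int:
    """The proxy expires the token at whichever comes first: the UAA expiry or
    obtained_at + token_expiration_time (the more aggressive proxy limit)."""
    if token_expiration_time <= 0:
        raise ValueError("token_expiration_time must be an integer greater than 0")
    return min(session.uaa_expires_at, session.obtained_at + token_expiration_time)


def decide(session: ProxySession, now: int,
           token_expiration_time: int = DEFAULT_TOKEN_EXPIRATION_TIME) -> str:
    """Return 'allow', 'refresh' or '401' for a request arriving at time `now`."""
    if now < effective_expiry(session, token_expiration_time):
        return "allow"
    if session.refresh_token:
        return "refresh"  # proxy attempts a refresh-token grant against UAA
    return "401"          # no refresh token: Unauthorized, as for API clients


def has_manage_permission(permissions_response: dict) -> bool:
    """Evaluate the body of GET /v2/service_instances/:guid/permissions.
    Assumes the body is {"manage": <bool>}; the proxy requires manage == true."""
    return permissions_response.get("manage") is True


if __name__ == "__main__":
    # Constructed sample: UAA issued a token valid for 120 minutes at t=0.
    browser = ProxySession(obtained_at=0, uaa_expires_at=7200, refresh_token="rt-sample")
    api_client = ProxySession(obtained_at=0, uaa_expires_at=7200, refresh_token=None)
    print(decide(browser, now=601))                              # refresh
    print(decide(api_client, now=601))                           # 401
    print(decide(browser, now=601, token_expiration_time=7200))  # allow
    print(has_manage_permission({"manage": True}))               # True
```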