a9s SSO Proxy
The a9s SSO Proxy component sits in front of the a9s Service Dashboard and performs single sign-on against a UAA when you access the dashboard via a browser.
It also verifies the authorization of the user accessing the dashboard by asking Cloud Foundry for the user's permission to access the Service Instance. The user must have the permission 'manage' for the Cloud Foundry API endpoint GET /v2/service_instances/:guid/permissions; see the documentation "Retrieving permissions on a Service Instance".
The a9s SSO Proxy verifies the token expiration time and tries to refresh the token if a refresh token exists.
When Application Developers use the a9s Service Dashboard API via Cloud Foundry's bearer token, there is no refresh token in place and they will receive HTTP status 401 (Unauthorized).
BOSH Properties
uaa_checkup_interval
The a9s SSO Proxy has an interval during which the UAA is not polled and requests are considered verified on the basis of the authorization of the initial request for the instance. The default value for this interval is 10 seconds.
This means that if you set this interval to 10 minutes, then after verifying the first request for an instance via the UAA, the SSO Proxy treats subsequent calls for that user and instance as valid for the next 10 minutes.
You can change the value for this interval by setting the BOSH property uaa_checkup_interval. The unit is seconds and the value should be an integer bigger than 0.
To set the uaa_checkup_interval to 10 minutes, the manifest would look as follows:
...
- name: service-dashboard
  jobs:
  - name: sso-proxy
    properties:
      sso-proxy:
        uaa_checkup_interval: 600
  ...
...
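The interval behaviour described above can be modelled to see what a larger uaa_checkup_interval means when a permission is revoked. This is an added example, not a9s code: PermissionCache, check_manage and the sample users and instances are hypothetical, and it assumes that only successful checks are remembered.

```python
import time


class PermissionCache:
    """Remembers a successful 'manage' check per (user, instance) for `interval` seconds."""

    def __init__(self, check_manage, interval=10, clock=time.monotonic):
        # Same constraint the page gives for uaa_checkup_interval: integer > 0.
        if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
            raise ValueError("interval must be an integer bigger than 0")
        self._check = check_manage   # hypothetical callable(user, instance) -> bool
        self._interval = interval
        self._clock = clock
        self._verified_at = {}       # (user, instance) -> time of last upstream check
        self.upstream_calls = 0

    def allowed(self, user, instance):
        key = (user, instance)
        now = self._clock()
        last = self._verified_at.get(key)
        if last is not None and now - last < self._interval:
            return True              # inside the interval: upstream is not polled
        self.upstream_calls += 1
        if self._check(user, instance):
            self._verified_at[key] = now
            return True
        self._verified_at.pop(key, None)   # assumption: denials are never cached
        return False


def revocation_window_demo(interval):
    """Returns (decisions, upstream_calls) for a constructed timeline."""
    grants = {("alice", "instance-1")}     # constructed sample data
    now = [0]
    cache = PermissionCache(lambda u, i: (u, i) in grants, interval, clock=lambda: now[0])
    decisions = [cache.allowed("alice", "instance-1")]       # t=0: polled, granted
    grants.clear()                                           # permission revoked
    now[0] = interval - 1
    decisions.append(cache.allowed("alice", "instance-1"))   # still allowed from cache
    decisions.append(cache.allowed("alice", "instance-2"))   # other instance: polled, denied
    now[0] = interval
    decisions.append(cache.allowed("alice", "instance-1"))   # interval over: re-polled, denied
    return decisions, cache.upstream_calls
```

With an interval of 600, a user whose 'manage' permission is removed just after a verified request keeps dashboard access for up to 10 minutes, so the value is a trade-off between upstream load and how quickly revocation takes effect.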