Version: Develop

a9s SSO Proxy

The a9s SSO Proxy component sits in front of the a9s Service Dashboard and performs single sign-on against a UAA when you access the dashboard via a browser.

It also verifies that the user accessing the dashboard is authorized by asking Cloud Foundry for the user's permission to access the Service Instance. The user must have the 'manage' permission as reported by the Cloud Foundry API endpoint GET /v2/service_instances/:guid/permissions; see the documentation Retrieving permissions on a Service Instance.

The a9s SSO Proxy verifies the token expiration time and tries to refresh the token if a refresh token exists.

When Application Developers use the a9s Service Dashboard API with Cloud Foundry's bearer token, there is no refresh token in place, so an expired token cannot be refreshed and they will receive HTTP status 401 (Unauthorized).

BOSH Properties

uaa_checkup_interval

The a9s SSO Proxy has an interval during which the UAA is not polled and requests are considered verified on the basis of the authorization of the initial request by the instance. The default value for this interval is 10 seconds.

This means that if you set this interval to 10 minutes, then after verifying the first request of an instance via UAA, the SSO Proxy will treat subsequent calls for that user and instance as valid for the next 10 minutes.

You can change the value of this interval by setting the BOSH property uaa_checkup_interval. The unit is seconds and the value should be an integer greater than 0.

To set uaa_checkup_interval to 10 minutes, the manifest would look as follows:

...
- name: service-dashboard
  jobs:
  - name: sso-proxy
    properties:
      sso-proxy:
        uaa_checkup_interval: 600
...
...
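
The interval trades UAA load against how long a user whose verification would now fail is still accepted. The following model is an added example, not a9s SSO Proxy code: IntervalAuthCache, verify_upstream and revocation_delay are hypothetical names, and it assumes a fixed window that starts at the last successful upstream check for a user and instance.

```python
import time


class IntervalAuthCache:
    """Model of the described behaviour; hypothetical, not a9s SSO Proxy code."""

    def __init__(self, verify_upstream, interval_s, clock=time.monotonic):
        # The page requires an integer number of seconds greater than 0.
        if isinstance(interval_s, bool) or not isinstance(interval_s, int) or interval_s <= 0:
            raise ValueError("uaa_checkup_interval must be an integer greater than 0")
        self._verify = verify_upstream      # stand-in for the UAA check
        self._interval = interval_s
        self._clock = clock
        self._verified_at = {}              # (user, instance) -> time of last upstream check
        self.upstream_calls = 0

    def is_authorized(self, user, instance):
        key, now = (user, instance), self._clock()
        last = self._verified_at.get(key)
        if last is not None and now - last < self._interval:
            return True                     # inside the interval: upstream is not asked
        self.upstream_calls += 1
        if self._verify(user, instance):
            self._verified_at[key] = now
            return True
        self._verified_at.pop(key, None)
        return False


def revocation_delay(interval_s, revoke_at_s):
    """One request per second; returns (seconds still accepted after revocation, upstream calls)."""
    now = [0]
    granted = {("alice", "instance-1")}     # constructed sample data
    cache = IntervalAuthCache(lambda u, i: (u, i) in granted, interval_s, clock=lambda: now[0])
    while True:
        if now[0] == revoke_at_s:
            granted.clear()                 # upstream would now reject this user
        if not cache.is_authorized("alice", "instance-1"):
            return now[0] - revoke_at_s, cache.upstream_calls
        now[0] += 1


if __name__ == "__main__":
    for interval in (10, 600):              # default value vs. the 10-minute manifest above
        delay, calls = revocation_delay(interval, revoke_at_s=35)
        print(f"interval={interval}s: accepted {delay}s after revocation, {calls} upstream checks")
```

In this model the delay is always shorter than the configured interval, so the property value is the upper bound on how long a stale authorization keeps working.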