User Account and Authentication (UAA) Server
This topic tells you about the User Account and Authentication (UAA) Server, the identity management service for Cloud Foundry.
The primary role of UAA is as an OAuth2 provider that issues tokens for client apps to use when they act on behalf of Cloud Foundry users. In collaboration with the login server, UAA can authenticate users with their Cloud Foundry credentials, and can act as a single sign-on (SSO) service using those or other credentials.
UAA has endpoints for managing user accounts, registering OAuth2 clients, and various other management functions.
Different runtimes and services use separate UAA instances. Cloud Foundry has two UAA instances by default: one for the BOSH Director, used to bootstrap the rest of the Cloud Foundry deployment, and one for the Cloud Foundry deployment itself, used as a shared resource by all apps that require user authentication. This is the minimum number of UAA instances a Cloud Foundry deployment must have. Other runtimes and services also have their own UAA instances. These instances are independent of each other: each has its own user store and its own token-signing keys, so a token issued by one is not accepted by another. Logging in to one runtime or service does not log you in to any other runtime or service that authenticates using UAA; you must log in to each separately.
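The token flow described above, as an added example that is not part of this page or of the UAA project's own code: a Python model of one UAA instance issuing an access token to an OAuth2 client acting for a user, and a resource server that accepts tokens only from the single UAA instance it trusts. It signs with HS256 using the standard library so it runs offline; a real UAA hands out tokens from /oauth/token and publishes its verification key at /token_key, and that lookup is replaced here by a shared secret. Every issuer URL, client ID, scope and key in the block is a constructed value.

```python
"""Offline model of a UAA-issued access token and a resource server's checks.
Added example, not UAA project code. HS256 with a shared secret stands in for
UAA's published signing key; issuers, clients, scopes and keys are constructed."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


class UaaInstance:
    """Stand-in for one UAA deployment: an issuer URL plus its own signing key."""

    def __init__(self, issuer, signing_key):
        self.issuer = issuer
        self.signing_key = signing_key

    def issue_token(self, client_id, user_name, scopes, ttl=43200, now=None):
        """Mint an access token carrying the claim names UAA tokens use."""
        now = int(time.time()) if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {
            "iss": self.issuer,      # which UAA instance minted the token
            "sub": user_name,        # constructed; real UAA puts the user GUID here
            "user_name": user_name,
            "client_id": client_id,  # the OAuth2 client acting on the user's behalf
            "cid": client_id,
            "scope": list(scopes),
            "iat": now,
            "exp": now + ttl,
        }
        signing_input = _b64url(_json_bytes(header)) + "." + _b64url(_json_bytes(claims))
        sig = hmac.new(self.signing_key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + _b64url(sig)


class ResourceServer:
    """An app that trusts exactly one UAA instance and requires one scope."""

    def __init__(self, trusted_issuer, verification_key, required_scope):
        self.trusted_issuer = trusted_issuer
        self.verification_key = verification_key
        self.required_scope = required_scope

    def check(self, token, now=None):
        """Return (accepted, reason); each rejection names the failing check."""
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        try:
            header = json.loads(_b64url_decode(parts[0]))
            claims = json.loads(_b64url_decode(parts[1]))
            signature = _b64url_decode(parts[2])
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        if header.get("alg") != "HS256":               # pin the alg; never accept "none"
            return False, "unexpected alg"
        if claims.get("iss") != self.trusted_issuer:   # token from some other UAA instance
            return False, "wrong issuer"
        expected = hmac.new(self.verification_key,
                            (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return False, "expired"
        if self.required_scope not in claims.get("scope", []):
            return False, "missing scope"
        return True, "ok"


def demo(now=1_700_000_000):
    """Exercise the checks with tokens from two separate (constructed) UAA instances."""
    cf_uaa = UaaInstance("https://uaa.cf.example.test/oauth/token", b"cf-uaa-key")
    bosh_uaa = UaaInstance("https://10.0.0.6:8443/oauth/token", b"bosh-uaa-key")
    app = ResourceServer(cf_uaa.issuer, cf_uaa.signing_key, "cloud_controller.read")

    good = cf_uaa.issue_token("cf", "alice", ["openid", "cloud_controller.read"], now=now)
    foreign = bosh_uaa.issue_token("bosh_cli", "alice", ["bosh.admin"], now=now)
    narrow = cf_uaa.issue_token("cf", "alice", ["openid"], now=now)
    # Forgery: correct issuer string but a key the trusted UAA never used.
    forged = UaaInstance(cf_uaa.issuer, b"attacker-key").issue_token(
        "cf", "alice", ["cloud_controller.read"], now=now)
    # Tampering: widen the scope claim of a valid token without re-signing it.
    h, p, s = good.split(".")
    widened = json.loads(_b64url_decode(p))
    widened["scope"].append("cloud_controller.admin")
    tampered = h + "." + _b64url(_json_bytes(widened)) + "." + s

    return {
        "good": app.check(good, now=now),
        "foreign": app.check(foreign, now=now),
        "forged": app.check(forged, now=now),
        "tampered": app.check(tampered, now=now),
        "narrow": app.check(narrow, now=now),
        "expired": app.check(good, now=now + 43200),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The order of checks is deliberate: the issuer claim is read before signature verification so a server that trusts several UAA instances could select the matching key, but nothing in the claims is acted on until the signature check passes, and the alg header is pinned so a token claiming alg none or a different algorithm is rejected before any key is consulted.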
You can deploy UAA locally or to Cloud Foundry. See also Deploy UAA.
UAA architecture
The following diagram illustrates the architecture of UAA:
The following table describes the protocols UAA can use:
Protocol | Purpose | Profiles |
---|---|---|
OAuth 2.0 | Authorizes apps and APIs | Authorization Server, Relying Party |
OpenID Connect 1.0 | Federates to external identity providers (IDPs) and acts as an IDP for SSO | Identity Provider, Relying Party |
SAML 2.0 | Federates to external IDPs | Service Provider |
LDAP | Authenticates users in external user store | LDAP Client |
SCIM 1.0 | Manages users and groups | Identity Provisioning |
Client-side tools and libraries
The following table describes the client-side tools and libraries available for working with UAA:
Name | Language |
---|---|
UAAC | Ruby |
CF-UAA-LIB | Ruby |
Spring Security OAuth | Java |
CF Java Client | Java |
UAA Javascript SDK (Singular) | JS |