--- name: uaa encryption: active_key_label: key1 encryption_keys: - label: key1 passphrase: my-passphrase database: url: jdbc:postgresql://10.244.0.30:5524/uaadb?sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory username: uaaadmin password: "admin" maxactive: 100 maxidle: 10 minidle: 0 removeabandoned: false logabandoned: true abandonedtimeout: 300 testwhileidle: false spring_profiles: postgresql logging: config: /var/vcap/jobs/uaa/config/log4j2.properties jwt: token: queryString: enabled: true revocable: false policy: accessTokenValiditySeconds: 43200 refreshTokenValiditySeconds: 2592000 global: accessTokenValiditySeconds: 43200 refreshTokenValiditySeconds: 2592000 signing-key: | -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDHFr+KICms+tuT1OXJwhCUmR2dKVy7psa8xzElSyzqx7oJyfJ1 JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMXqHxf+ZH9BL1gk9Y6kCnbM5R6 0gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBugspULZVNRxq7veq/fzwIDAQAB AoGBAJ8dRTQFhIllbHx4GLbpTQsWXJ6w4hZvskJKCLM/o8R4n+0W45pQ1xEiYKdA Z/DRcnjltylRImBD8XuLL8iYOQSZXNMb1h3g5/UGbUXLmCgQLOUUlnYt34QOQm+0 KvUqfMSFBbKMsYBAoQmNdTHBaz3dZa8ON9hh/f5TT8u0OWNRAkEA5opzsIXv+52J duc1VGyX3SwlxiE2dStW8wZqGiuLH142n6MKnkLU4ctNLiclw6BZePXFZYIK+AkE xQ+k16je5QJBAN0TIKMPWIbbHVr5rkdUqOyezlFFWYOwnMmw/BKa1d3zp54VP/P8 +5aQ2d4sMoKEOfdWH7UqMe3FszfYFvSu5KMCQFMYeFaaEEP7Jn8rGzfQ5HQd44ek lQJqmq6CE2BXbY/i34FuvPcKU70HEEygY6Y9d8J3o6zQ0K9SYNu+pcXt4lkCQA3h jJQQe5uEGJTExqed7jllQ0khFJzLMx0K6tj0NeeIzAaGCQz13oo2sCdeGRHO4aDh HH6Qlq/6UOV5wP8+GAcCQFgRCcB+hrje8hfEEefHcFpyKH+5g1Eu1k0mLrxK2zd+ 4SlotYRHgPCEubokb2S1zfZDWIXW3HmggnGgM949TlY= -----END RSA PRIVATE KEY----- verification-key: | -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHFr+KICms+tuT1OXJwhCUmR2d KVy7psa8xzElSyzqx7oJyfJ1JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMX qHxf+ZH9BL1gk9Y6kCnbM5R60gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBug spULZVNRxq7veq/fzwIDAQAB -----END PUBLIC KEY----- refresh: restrict_grant: false unique: false rotate: false format: jwt authentication: enableUriEncodingCompatibilityMode: false policy: lockoutAfterFailures: 5 countFailuresWithinSeconds: 1200 lockoutPeriodSeconds: 300 global: lockoutAfterFailures: 5 countFailuresWithinSeconds: 3600 lockoutPeriodSeconds: 300 password: policy: minLength: 0 maxLength: 255 requireUpperCaseCharacter: 0 requireLowerCaseCharacter: 0 requireDigit: 0 requireSpecialCharacter: 0 expirePasswordInMonths: 0 global: minLength: 0 maxLength: 255 requireUpperCaseCharacter: 0 requireLowerCaseCharacter: 0 requireDigit: 0 requireSpecialCharacter: 0 expirePasswordInMonths: 0 disableInternalAuth: false disableInternalUserManagement: false issuer: uri: https://uaa.bosh-lite.com oauth: authorize: ssl: true clients: cc-service-dashboards: id: cc-service-dashboards authorities: clients.read,clients.write,clients.admin authorized-grant-types: client_credentials scope: openid,cloud_controller_service_permissions.read secret: cc-broker-secret cc_routing: id: cc_routing authorities: routing.router_groups.read authorized-grant-types: client_credentials secret: cc-routing-secret cf: id: cf secret: '' access-token-validity: 600 authorities: uaa.none authorized-grant-types: password,refresh_token override: true refresh-token-validity: 2592000 scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write,doppler.firehose,uaa.user,routing.router_groups.read cloud_controller_username_lookup: id: cloud_controller_username_lookup authorities: scim.userids authorized-grant-types: client_credentials secret: cloud-controller-username-lookup-secret doppler: id: doppler authorities: uaa.resource override: true secret: doppler-secret authorized-grant-types: client_credentials gorouter: id: gorouter authorities: routing.routes.read authorized-grant-types: client_credentials secret: gorouter-secret notifications: id: notifications authorities: cloud_controller.admin,scim.read authorized-grant-types: client_credentials secret: notification-secret ssh-proxy: id: ssh-proxy authorized-grant-types: authorization_code autoapprove: true override: true redirect-uri: http://ssh-proxy-redirect-domain.com/login scope: openid,cloud_controller.read,cloud_controller.write,cloud_controller.admin secret: ssh-proxy-secret tcp_emitter: id: tcp_emitter authorities: routing.routes.write,routing.routes.read,routing.router_groups.read authorized-grant-types: client_credentials secret: tcp-emitter-secret tcp_router: id: tcp_router authorities: routing.routes.read,routing.router_groups.read authorized-grant-types: client_credentials secret: tcp-router-secret admin: authorized-grant-types: client_credentials authorities: clients.read,clients.write,clients.secret,uaa.admin,scim.read,scim.write,password.write id: admin secret: "admin-secret" implicit_ok: id: implicit_ok scope: openid authorized-grant-types: implicit secret: null redirect-uri: "http://some.redirect.com/callback" many_redirects: id: many_redirects scope: uaa.user authorized-grant-types: authorization_code secret: secret redirect-uri: http://localhost,http://localhost:8080,http://localhost:8080/uaa,http://valid.com,http://sub.valid.com,http://valid.com/with/path,https://subsub.sub.valid.com/**,https://valid.com/path/*/path,http://sub.valid.com/*/with/path**,http*://sub.valid.com/*/with/path**,http*://*.valid.com/*/with/path**,http://*.valid.com/*/with/path**,https://*.valid.com/*/with/path**,https://*.*.valid.com/*/with/path**,http://sub*.valid.com/*/with/path**,http://*.domain.com,http://username:password@some.server.com,http://username:password@some.server.com/path user: authorities: - openid - scim.me - cloud_controller.read - cloud_controller.write - cloud_controller_service_permissions.read - password.write - uaa.user - approvals.me - oauth.approvals - notification_preferences.read - notification_preferences.write - profile - roles - user_attributes - uaa.offline_token scim: userids_enabled: true user: override: true users: - admin|admin|admin|||scim.write,scim.read,openid,cloud_controller.admin,clients.read,clients.write,doppler.firehose,routing.router_groups.read|uaa zones: internal: hostnames: - uaa.service.cf.internal require_https: true https_port: 8443 uaa: url: https://uaa.bosh-lite.com limitedFunctionality: statusFile: /var/vcap/data/uaa/bbr_limited_mode.lock whitelist: endpoints: - /oauth/authorize/** - /oauth/token/** - /check_token/** methods: - GET - HEAD shutdown: sleep: 5000 oauth: redirect_uri: allow_unsafe_matching: true links: global: passwd: /forgot_password signup: /create_account homeRedirect: '/' homeRedirect: '/' passwd: https://login.bosh-lite.com/forgot_password signup: https://login.bosh-lite.com/create_account smtp: host: localhost password: port: 2525 user: from_address: auth: false starttls: false sslprotocols: TLSv1.2 assetBaseUrl: /resources/oss logout: redirect: url: /login parameter: disable: false login: mfa: enabled: true providerName: myExampleProvider url: https://login.bosh-lite.com selfServiceLinksEnabled: true defaultIdentityProvider: uaa idpDiscoveryEnabled: false accountChooserEnabled: false entityBaseURL: https://login.bosh-lite.com entityID: login.bosh-lite.com prompt: username: text: Email password: text: Password serviceProviderKey: | -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5 L39WqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vA fpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQAB AoGAVOj2Yvuigi6wJD99AO2fgF64sYCm/BKkX3dFEw0vxTPIh58kiRP554Xt5ges 7ZCqL9QpqrChUikO4kJ+nB8Uq2AvaZHbpCEUmbip06IlgdA440o0r0CPo1mgNxGu lhiWRN43Lruzfh9qKPhleg2dvyFGQxy5Gk6KW/t8IS4x4r0CQQD/dceBA+Ndj3Xp ubHfxqNz4GTOxndc/AXAowPGpge2zpgIc7f50t8OHhG6XhsfJ0wyQEEvodDhZPYX kKBnXNHzAkEAyCA76vAwuxqAd3MObhiebniAU3SnPf2u4fdL1EOm92dyFs1JxyyL gu/DsjPjx6tRtn4YAalxCzmAMXFSb1qHfwJBAM3qx3z0gGKbUEWtPHcP7BNsrnWK vw6By7VC8bk/ffpaP2yYspS66Le9fzbFwoDzMVVUO/dELVZyBnhqSRHoXQcCQQCe A2WL8S5o7Vn19rC0GVgu3ZJlUrwiZEVLQdlrticFPXaFrn3Md82ICww3jmURaKHS N+l4lnMda79eSp3OMmq9AkA0p79BvYsLshUJJnvbk76pCjR28PK4dV1gSDUEqQMB qy45ptdwJLqLJCeNoR0JUcDNIRhOCuOPND7pcMtX6hI/ -----END RSA PRIVATE KEY----- serviceProviderKeyPassword: password serviceProviderCertificate: | -----BEGIN CERTIFICATE----- MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO MAwGA1UECBMFYXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEO MAwGA1UECxMFYXJ1YmExDjAMBgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5h cnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2MjdaFw0xNjExMTkyMjI2MjdaMHwx CzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAM BgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAb BgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39W qS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOw znoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQABo4Ha MIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1syGDCBpwYDVR0jBIGfMIGc gBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3MQ4wDAYD VQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYD VQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJh QGFydWJhLmFyggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ 0HOZbbHClXmGUjGs+GS+xC1FO/am2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxC KdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3oePe84k8jm3A7EvH5wi5hvCkK RpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0= -----END CERTIFICATE----- saml: signMetaData: true signRequest: true wantAssertionSigned: true disableInResponseToCheck: false signatureAlgorithm: SHA256 socket: connectionManagerTimeout: 10000 soTimeout: 10000 providers: okta-signed-or-encrypted: idpMetadata: | MIICmTCCAgKgAwIBAgIGAUPATqmEMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB1Bpdm90YWwxHDAaBgkqhkiG9w0BCQEWDWlu Zm9Ab2t0YS5jb20wHhcNMTQwMTIzMTgxMjM3WhcNNDQwMTIzMTgxMzM3WjCBjzELMAkGA1UEBhMC VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoM BE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdQaXZvdGFsMRwwGgYJKoZIhvcN AQkBFg1pbmZvQG9rdGEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeil67/TLOiTZU WWgW2XEGgFZ94bVO90v5J1XmcHMwL8v5Z/8qjdZLpGdwI7Ph0CyXMMNklpaR/Ljb8fsls3amdT5O Bw92Zo8ulcpjw2wuezTwL0eC0wY/GQDAZiXL59npE6U+fH1lbJIq92hx0HJSru/0O1q3+A/+jjZL 3tL/SwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAI5BoWZoH6Mz9vhypZPOJCEKa/K+biZQsA4Zqsuk vvphhSERhqk/Nv76Vkl8uvJwwHbQrR9KJx4L3PRkGCG24rix71jEuXVGZUsDNM3CUKnARx4MEab6 GFHNkZ6DmoT/PFagngecHu+EwmuDtaG0rEkFrARwe+d8Ru0BN558abFburn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressurn:oasis:names:tc:SAML:1.1:nameid-format:unspecified nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress assertionConsumerIndex: 0 metadataTrustCheck: true showSamlLoginLink: true linkText: 'Okta Preview Signed' okta-local: idpMetadata: https://pivotal.oktapreview.com/app/k36wkjw6EAEJVZXFFDAU/sso/saml/metadata nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress assertionConsumerIndex: 0 metadataTrustCheck: true showSamlLoginLink: true linkText: 'Okta Preview 1' iconUrl: 'http://link.to/icon.jpg' addShadowUserOnLogin: true externalGroupsWhitelist: - admin - user emailDomain: - example.com attributeMappings: given_name: firstName family_name: surname providerDescription: 'Human readable description of this provider' authorize: url: https://uaa.bosh-lite.com/oauth/authorize servlet: session-store: memory idle-timeout: 1800 session-cookie: max-age: -1 rest: template: timeout: 10000 maxTotal: 20 maxPerRoute: 5 maxKeepAlive: 0 cors: enforceSystemZonePolicyInAllZones: true