Single Sign-On v1.1

Single Sign-On Overview

This topic provides an overview of the Single Sign-On service for Pivotal Cloud Foundry (PCF).

The Single Sign-On service is an all-in-one solution for securing access to applications and APIs on PCF. The Single Sign-On service provides support for native authentication, federated single sign-on, and authorization. Operators can configure native authentication and federated single sign-on, for example SAML, to verify the identities of application users. After authentication, the Single Sign-On service uses OAuth 2.0 to secure resources or APIs.

Single Sign-On

The Single Sign-On service allows users to log in through a single sign-on service and access other applications that are hosted or protected by the service. This improves security and productivity since users do not have to log in to individual applications.

Developers are responsible for selecting the authentication method for application users. They can select native authentication provided by the UAA or an external identity provider.

OAuth 2.0 Concepts

After authentication, the Single Sign-On service uses OAuth 2.0 for authorization of applications and resources. The following describes the roles in an OAuth 2.0 scenario:

  • Resource Owner: A person or system capable of granting access to a protected resource.
  • Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Applications access the server through APIs.
  • Applications: A client that makes protected resource requests on behalf of, and with the authorization of, the resource owner.
  • Authorization Server: The Single Sign-On server that issues access tokens to client applications after successfully authenticating the resource owner.

OAuth 2.0 Example Flow

The flow below shows an example of an authenticated user who is attempting to access a to-do list application. This application is backed by a resource server and both are secured by the UAA authorization server.

[Figure: OAuth authorization code flow]

  1. Authorization Request: The first time the user accesses the application, the application requests authorization to access the user’s to-do items.
  2. User Authorizes Application: The application requests access to the user’s to-do items. The user clicks Yes to authorize the application to access their items.
  3. Authorization Code Grant: After the user authorizes the to-do list app, the authorization server sends an authorization code.
  4. Access Token Request: The application receives the authorization code and requests an access token from the authorization server. This gives the application access to the user’s to-do items.
  5. Issue Access Token: The authorization server validates the authorization code and issues an access token.
  6. Resource Request with Access Token: The to-do list application requests the resource from the resource server through the API and presents the access token.
  7. Return Resource: If the access token is valid, the resource server returns the to-do items that the user authorized the application to receive.

The resource server runs in PCF under a given space and organization. Developers set the permissions for the resource server API endpoints. To do this, they create resources that correspond to API endpoints secured by the Single Sign-On service. Applications can then access these resources on behalf of users.
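The following is an added example, not code from the Pivotal documentation or the UAA project: an in-process simulation of steps 1 through 7 above, with the authorization server, the to-do list client, and the resource server each modelled as a small Python class. It also shows the point made in the previous paragraph, that each resource server endpoint is mapped to a scope (resource) that the access token must carry. The client id, secret, redirect URI, scope names, code and token lifetimes and the to-do items are all constructed for the example; real UAA issues signed JWTs, whereas this example uses opaque tokens checked by introspection.

```python
"""Added example: OAuth 2.0 authorization code flow, simulated in-process.
All identifiers, lifetimes and sample data are constructed for the example."""
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME = 60      # seconds an authorization code stays valid (assumed)
TOKEN_LIFETIME = 3600   # seconds an access token stays valid (assumed)


@dataclass
class ClientRegistration:
    client_id: str
    client_secret: str
    redirect_uri: str
    allowed_scopes: set


@dataclass
class AuthorizationServer:
    """The UAA role: authenticates the user, issues codes and tokens."""
    clients: dict = field(default_factory=dict)
    codes: dict = field(default_factory=dict)    # code  -> metadata
    tokens: dict = field(default_factory=dict)   # token -> metadata

    def register_client(self, reg):
        self.clients[reg.client_id] = reg

    def authorize(self, client_id, redirect_uri, scope, user, approved, now=None):
        """Steps 1-3: after login and consent, issue a code bound to this
        client, redirect URI, user and scope, with a short lifetime."""
        now = now or time.time()
        reg = self.clients.get(client_id)
        if reg is None or reg.redirect_uri != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approved:
            raise PermissionError("access_denied")
        if not set(scope.split()) <= reg.allowed_scopes:
            raise ValueError("invalid_scope")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "expires": now + CODE_LIFETIME}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Steps 4-5: exchange the code for a token. The code is single-use and
        must come back from the same client with the same redirect URI."""
        now = now or time.time()
        reg = self.clients.get(client_id)
        if reg is None or not secrets.compare_digest(reg.client_secret, client_secret):
            raise PermissionError("invalid_client")
        meta = self.codes.pop(code, None)          # pop: a replayed code fails
        if meta is None or meta["expires"] < now:
            raise PermissionError("invalid_grant")
        if meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": meta["user"], "scope": meta["scope"],
                              "expires": now + TOKEN_LIFETIME}
        return {"access_token": token, "token_type": "bearer",
                "expires_in": TOKEN_LIFETIME, "scope": meta["scope"]}

    def introspect(self, token, now=None):
        """Token check used by the resource server (opaque tokens assumed)."""
        now = now or time.time()
        meta = self.tokens.get(token)
        if meta is None or meta["expires"] < now:
            return {"active": False}
        return {"active": True, **meta}


@dataclass
class ResourceServer:
    """Hosts the to-do items; each endpoint requires a named scope."""
    auth_server: AuthorizationServer
    items: dict                                   # user -> list of to-do items
    endpoint_scopes = {"GET /todos": "todo.read", "POST /todos": "todo.write"}

    def handle(self, endpoint, authorization_header, now=None):
        """Steps 6-7: validate the bearer token, then enforce the scope."""
        required = self.endpoint_scopes[endpoint]
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, "missing bearer token"
        info = self.auth_server.introspect(token, now)
        if not info["active"]:
            return 401, "invalid or expired token"
        if required not in info["scope"].split():
            return 403, "insufficient_scope"
        return 200, self.items.get(info["user"], [])


CALLBACK = "https://todo.example/callback"   # constructed redirect URI


def setup():
    uaa = AuthorizationServer()
    uaa.register_client(ClientRegistration("todo-app", "s3cret", CALLBACK,
                                           {"todo.read", "todo.write"}))
    return uaa, ResourceServer(uaa, {"alice": ["buy milk", "file report"]})


def run_flow(now=1000.0):
    """Steps 1-7 end to end; returns the resource server's (status, body)."""
    uaa, rs = setup()
    code = uaa.authorize("todo-app", CALLBACK, "todo.read", "alice", True, now=now)
    tok = uaa.token("todo-app", "s3cret", code, CALLBACK, now=now)
    return rs.handle("GET /todos", f"Bearer {tok['access_token']}", now=now)


def check_rejections(now=1000.0):
    """Failure modes: replayed code, expired token, token lacking the scope."""
    uaa, rs = setup()
    code = uaa.authorize("todo-app", CALLBACK, "todo.read", "alice", True, now=now)
    tok = uaa.token("todo-app", "s3cret", code, CALLBACK, now=now)
    results = {}
    try:
        uaa.token("todo-app", "s3cret", code, CALLBACK, now=now)
        results["replayed_code"] = "accepted"
    except PermissionError as exc:
        results["replayed_code"] = str(exc)
    hdr = f"Bearer {tok['access_token']}"
    results["expired_token"] = rs.handle("GET /todos", hdr, now=now + TOKEN_LIFETIME + 1)[0]
    results["wrong_scope"] = rs.handle("POST /todos", hdr, now=now)[0]
    return results


if __name__ == "__main__":
    print(run_flow())
    print(check_rejections())
```

The checks in `token` and `handle` are the ones that matter for the flow's security properties: the code is consumed on first use and bound to the client and redirect URI it was issued for, the token carries an expiry, and the resource server maps each endpoint to a scope and refuses a token that does not carry it, which is the resource-to-endpoint mapping the paragraph above describes.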

Product Snapshot

Current Single Sign-On for Pivotal Cloud Foundry Details

  • Version: 1.1.1
  • Release Date: 2016-05-05
  • Software component versions: Single Sign-On 1.1.1 Installer based on Elastic Runtime 1.7 or later
  • Compatible Ops Manager Version(s): 1.7 or later
  • Compatible Elastic Runtime Version(s): 1.7 or later
  • vSphere support? Yes
  • AWS support? Yes
  • OpenStack support? Yes

Upgrading to the Latest Version

Consider the following compatibility information before upgrading Single Sign-On for Pivotal Cloud Foundry®.

Elastic Runtime Version | Supported Upgrades from SSO Versions
                        | From          | To
1.6.x                   | 1.0.1-1.0.15  | 1.0.16
1.7.x                   | 1.0.1-1.0.16  | 1.1.1

Note: The Single Sign-On service tile operates in lockstep with Pivotal Elastic Runtime.
  • The SSO v1.0.x tiles are compatible with PCF v1.6.x
  • The SSO v1.1.x tiles are compatible with PCF v1.7.x
If you are a customer upgrading from PCF 1.6 to PCF 1.7 and you are using SSO v1.0.x, you must update to an SSO v1.1.x service tile before proceeding with the upgrade.
