Single Sign-On v1.3

Manage Service Plans

This topic describes how Pivotal Cloud Foundry (PCF) Administrators manage Single Sign-On service plans.

Single Sign-On is a multi-tenant service, which enables a deployment to host multiple tenants as service plans. Each service plan can have its own administrators, applications and users. This lets enterprises segregate access by using separate plans. For example, the following tenants might require separate plans:

  • Business units and geographical locations

  • Employees, consumers, and partners

  • Development, staging, and production instances

Administrators can create new Single Sign-On service plans at any time from the SSO dashboard.

Create or Edit Service Plans

You can use the SSO dashboard to create and configure service plans at any time.

Note: You must create at least one plan for any service before your applications can use it.

  1. Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your User Account and Authentication (UAA) administrator credentials. You can find these credentials in your Pivotal Elastic Runtime tile in Ops Manager under the Credentials tab.

  2. Click New Plan on the SSO dashboard to create a new Single Sign-On service plan.


  3. Enter a Plan Name.

  4. Enter a Description to appear as a plan feature in the Services Marketplace.

  5. Enter an Auth Domain to be the URL where users authenticate to access applications covered by the service plan.

  6. Enter an Instance Name to appear on the login page and in other user-facing content, such as email communications.

  7. Add Plan Administrators. These users can view the plan and manage identity providers.

  8. Under Org Visibility, select which organizations in your Pivotal Cloud Foundry deployment should have access to your Single Sign-On service plan. If you do not select any organizations, the plan will not be available for use and it will not be displayed in the Services Marketplace.

  9. Click Create Plan. Your new plan appears in the Services Marketplace in the organizations you have selected. Users in those organizations view the plan either in Apps Manager or through the CF CLI by entering cf marketplace in a terminal window.

Delete Service Plans

  1. Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your UAA administrator credentials. You can find these credentials in your Pivotal Elastic Runtime tile in Ops Manager under the Credentials tab.

  2. Select the name of the plan you want to delete, and click Edit Plan in the dropdown menu.

  3. Select Delete at the bottom of the page.

  4. In the popup that appears, click Delete Plan to confirm that you want to delete the plan.

Note: This action cannot be undone. Deleting a Single Sign-On service plan removes from the SSO database all of the configurations, identity providers, users, application configurations and resources associated with the plan. It also deletes the associated service instances and service bindings. You must rebind any applications bound to the deleted service instances to new service instances.

Configure a Token Policy

Access tokens carry information about users and clients to the servers that manage resources. Those resource servers use the access token to decide whether the client is authorized. Access tokens typically expire after a short time. Refresh tokens carry the information needed to obtain a new access token after an existing one expires, and typically have a longer expiration time than access tokens.

Note: The Single Sign-On service allows administrators to override the default expiry of access tokens (12 hours) and refresh tokens (30 days) by zone.

  1. Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your UAA administrator credentials. You can find these credentials in your Pivotal Elastic Runtime tile in Ops Manager under the Credentials tab.

  2. Select the name of the plan you would like to configure a token policy for, and click Manage Token Policy in the dropdown menu.

  3. Enter the number of seconds for Access Token Expiration or select Use System Default.

  4. Enter the number of seconds for Refresh Token Expiration or select Use System Default.

  5. Click Save.
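To make the effect of steps 3 and 4 concrete, the following is an added Python example, not part of this documentation or of the service's own code. It resolves a plan's effective expiry values, treating Use System Default as the 12-hour and 30-day defaults stated above, and compares the exp/iat lifetime of a constructed sample token against them. It assumes the tokens are JWTs carrying standard iat and exp claims; it only inspects lifetime and never verifies a signature, so it establishes no trust in the token.

```python
import base64
import json
from typing import Optional

# Defaults stated on this page: access tokens 12 hours, refresh tokens 30 days.
DEFAULT_ACCESS_TOKEN_SECONDS = 12 * 60 * 60
DEFAULT_REFRESH_TOKEN_SECONDS = 30 * 24 * 60 * 60


def effective_policy(access_seconds: Optional[int], refresh_seconds: Optional[int]) -> dict:
    """Resolve a plan's token policy; None models 'Use System Default' in the dashboard."""
    return {
        "access": DEFAULT_ACCESS_TOKEN_SECONDS if access_seconds is None else access_seconds,
        "refresh": DEFAULT_REFRESH_TOKEN_SECONDS if refresh_seconds is None else refresh_seconds,
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying its signature.
    Only lifetime claims are read here; nothing in this function makes the token trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def lifetime_exceeds_policy(token: str, kind: str, policy: dict) -> bool:
    """True if the token's exp - iat span is longer than the plan's policy for that kind
    ('access' or 'refresh'); a True result means the policy is not what you expected."""
    claims = jwt_claims(token)
    lifetime = int(claims["exp"]) - int(claims["iat"])
    return lifetime > policy[kind]


def constructed_token(iat: int, lifetime: int) -> str:
    """Build an unsigned sample token for this example (constructed, not issued by UAA)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"iat": iat, "exp": iat + lifetime}).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    sample = constructed_token(1_700_000_000, 43200)  # a 12-hour lifetime
    print("exceeds default:", lifetime_exceeds_policy(sample, "access", effective_policy(None, None)))
    print("exceeds 1h plan:", lifetime_exceeds_policy(sample, "access", effective_policy(3600, None)))
```

Run it against a token actually issued through a plan's Auth Domain to confirm the configured policy took effect; a token whose lifetime exceeds the plan's values points at a policy that was not saved or at a different zone.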
