Getting Started with Pivotal Single Sign-On

This topic outlines the steps for installing and configuring Pivotal Single Sign‑On.

Install and Set Up Pivotal Single Sign‑On for Apps

  1. Install Pivotal Single Sign‑On using Ops Manager.

  2. Create a service plan. Pivotal Single Sign‑On is a multi-tenant service and a service plan corresponds to a tenant. This enables an enterprise to segregate users or environments using plans. Each service plan is accessible at a tenant-specific URL in the format https://AUTH-DOMAIN.login.SYSTEM-DOMAIN.

  3. Create a service instance. Pivotal Single Sign‑On plans can provide single sign-on capabilities for applications in various spaces. A service instance lets you bind an application to a service plan.

  4. Configure an identity provider. In addition to the Internal User Store, you can configure external identity providers to provide single sign-on to applications.

  5. Configure your applications. Pivotal Single Sign‑On supports Pivotal Platform apps as well as externally hosted apps. Your applications must be able to request an OAuth or OpenID Connect token.

  6. Create resources for your applications. If your registered applications need to make external API calls, you can assign the API endpoints as resources permitted for the application. This adds the endpoints to an allow list for use by the application or client.
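The following is an added example, not code from Pivotal or this page, that ties steps 2, 5 and 6 together from the application side: it builds the tenant-specific URL, prepares an OAuth 2.0 client-credentials token request, and checks a returned token's audience against the resource an application has been permitted to call. It assumes the tenant issues tokens at `/oauth/token` and that tokens are JWTs carrying `aud` and `exp` claims (standard for UAA-based servers, but not stated on this page); the client id, secret, domains and sample token are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed, not from the page: token endpoint path of the tenant.
TOKEN_PATH = "/oauth/token"


def tenant_base_url(auth_domain: str, system_domain: str) -> str:
    """Build the tenant-specific URL from step 2: https://AUTH-DOMAIN.login.SYSTEM-DOMAIN"""
    for label, value in (("AUTH-DOMAIN", auth_domain), ("SYSTEM-DOMAIN", system_domain)):
        if not value or any(ch in value for ch in "/ ?#@"):
            raise ValueError(f"{label} must be a bare host name, got {value!r}")
    return f"https://{auth_domain}.login.{system_domain}"


def client_credentials_request(base_url: str, client_id: str, client_secret: str):
    """Return (url, headers, body) for an OAuth 2.0 client-credentials grant.

    The client secret goes in the HTTP Basic Authorization header; it must never
    appear in the URL or the form body, where it would land in access logs.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return base_url + TOKEN_PATH, headers, urlencode({"grant_type": "client_credentials"})


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    This is for inspection only. A resource server must verify the signature
    against the tenant's published signing keys before trusting any claim.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def token_permits(claims: dict, resource_id: str, now: int) -> bool:
    """Step 6 check from the resource's side: the token must name this resource
    in its audience and must not be expired (exp is a Unix timestamp)."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if resource_id not in aud:
        return False
    exp = claims.get("exp")
    return exp is not None and now < exp


def _constructed_token(claims: dict) -> str:
    """Assemble an UNSIGNED sample token (constructed here, not issued by any
    tenant) so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


# Constructed sample claims: the app "orders-app" was granted "inventory-api" as a resource.
SAMPLE_CLAIMS = {
    "client_id": "orders-app",
    "aud": ["orders-app", "inventory-api"],
    "scope": ["inventory.read"],
    "exp": 1700003600,
}
SAMPLE_TOKEN = _constructed_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    base = tenant_base_url("orders", "sys.example.com")
    url, headers, body = client_credentials_request(base, "orders-app", "s3cret")
    print(url, body)
    claims = token_claims(SAMPLE_TOKEN)
    print("inventory-api allowed:", token_permits(claims, "inventory-api", now=1700000000))
    print("billing-api allowed:", token_permits(claims, "billing-api", now=1700000000))
```

`client_credentials_request` only prepares the request; sending it with any HTTP client and passing the `access_token` field of the JSON response to `token_claims` is the remaining step. The audience check is deliberately strict: a resource that was never added to the application's allow list in step 6 will not appear in `aud`, and the call should be refused.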

Pivotal Single Sign‑On User Roles

A user’s role determines which parts of a Pivotal Single Sign‑On configuration that user can manage. Pivotal Single Sign‑On uses the existing user roles Pivotal Platform Administrator and Space Developer, as well as a Plan Administrator role that is specific to Pivotal Single Sign‑On.

This chart shows the management permissions for each role.

Management access by role   Pivotal Platform Administrator   Plan Administrator   Space Developer
Service plans               X
Service instances           X                                X                    X
Identity providers          X                                X
Applications                X                                X                    X
Resources                   X                                X                    X

Using Pivotal Single Sign‑On Components

In addition to apps, Pivotal Single Sign‑On supports single sign-on for components of Pivotal Platform, including Ops Manager and Apps Manager. This enables users already managed in an external identity provider to sign into Pivotal services.

Refer to the following pages for instructions on configuring Pivotal Single Sign‑On to enable users in an external identity store to access Pivotal Platform components: