Enabling Identity Provider Discovery
This topic describes Identity Provider (IdP) Discovery and how to configure it for your Pivotal Platform apps that use Pivotal Single Sign‑On.
If users with different email domains access the same Pivotal Platform app, you can configure Single Sign‑On to authenticate them through different identity providers.
In this situation, IdP Discovery streamlines the login experience by automatically redirecting the user to their own IdP and shielding them from seeing the IdPs of other app users.
When a user logs in to an app, an account chooser autofills their email address from any previous login, or presents a choice if they have logged in from more than one account. Users can add or remove accounts from the account chooser.
As an example, consider an app where some users log in with
@example.com username and some with
With IdP Discovery, users with both email domains can log in from the same login page
and do not have to see or choose from a list of login options that covers all the domains.
IdP Discovery ascertains each user’s IdP from their email domain.
IdP Discovery is associated with a service plan, and configured for the apps bound to instances of that plan. To enable IdP Discovery for a service plan and the apps that use it, you must be a Administrator or a Plan Administrator.
- Enable IdP Discovery for the Single Sign‑On service instance that your app is bound to:
Log into the Pivotal Platform at
https://p-identity.SYSTEM-DOMAINusing your User Account and Authentication (UAA) administrator credentials. You can find these credentials in your Pivotal Application Service tile in Ops Manager under the Credentials tab.
- Click the plan name and select Configure under the plan menu.
- Select the checkbox under the Identity Provider Discovery section and click Save.
Click the plan name and select Manage Identity Providers under the plan menu.
Enter the Email domains you want to include as a comma-separated list under the configuration page for the identity provider plan.
In Apps Manager, navigate to your space, open the Service tab, and select your service instance.
Click the Manage link under the service name, and edit the app configuration by selecting the required Identity Providers.
After these steps, the login page prompts for the username first:
If the user enters their
@example.com username, they are redirected to the Okta login page: