Installing Pivotal Single Sign-On

This topic explains how to install Pivotal Single Sign‑On.

Prerequisites

To install Pivotal Single Sign‑On, you must have:

  • Ops Manager

  • SSL certificates

  • Application Security Groups

Install Pivotal Single Sign‑On using Ops Manager

Note: If you are upgrading to this version of Pivotal Single Sign‑On, you must update the definitions of any BOSH Add-ons you are using to include the Xenial stemcell. See Update Add-ons to Run with Xenial Stemcell below.

  1. From Pivotal Network, select a Pivotal Single Sign‑On tile version and download the product release file.

  2. From the Ops Manager Installation Dashboard, select the Import a Product button to upload the product file.

  3. Click the + icon next to the uploaded product to add this product to your staging area.

  4. Click on the Pivotal Single Sign‑On tile to enter any configurations.

    Note: The Pivotal Single Sign‑On Identity Service Broker is deployed as an app from a BOSH errand, and has no associated BOSH VMs that require selecting a corresponding network. If you are forced to select a network during installation, select the Deployment network, also known as the network.

  5. In the Ops Manager Dashboard, do the following to complete the installation:

    1. If you are using Ops Manager v2.3 or later, click Review Pending Changes. For more information about this Ops Manager page, see Reviewing Pending Product Changes.

    2. Click Apply Changes.

Update Stemcell

If required, do the following to update the stemcell for Pivotal Single Sign‑On:

  1. Download the stemcell from Pivotal Network.
  2. In the Ops Manager, click Stemcell Library.
  3. Click Import Stemcell, and then select the stemcell you downloaded from Pivotal Network.

    (Screenshot: Stemcell Library)

  4. Click Save.

Update SSL and Load Balancer

You must update the SSL certificate for the domains listed below for each plan you create. Depending on your infrastructure and load balancer, you must also update your load balancer configuration for the following domains:

  • *.SYSTEM-DOMAIN

  • *.APPS-DOMAIN

  • *.login.SYSTEM-DOMAIN

  • *.uaa.SYSTEM-DOMAIN

Configure Application Security Groups

Pivotal Single Sign‑On requires the following network connections:

  • TCP connection to load balancer(s) on port 443
  • TCP and UDP connection to Domain Name Servers on port 53
  • (Optional) TCP connection to your external identity provider on port 80 or 443

To enable access to Pivotal Single Sign‑On, you must ensure that your Application Security Group allows access to the load balancer(s) and domain name servers that provide access to Cloud Controller and UAA. Optionally, you can also allow access to your external identity provider so that SAML metadata can be retrieved. For information about how to set up application security groups, see Application Security Groups.
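As an added example (not part of the Pivotal documentation), the following shell script generates an ASG definition covering exactly the three connections listed above and binds it with the cf CLI. The load balancer CIDR, DNS server addresses and identity provider address are constructed placeholders that you replace with your own; the ASG name sso-broker and the org/space arguments are assumptions.

```shell
#!/bin/sh
# Added example: build and apply an ASG for Pivotal Single Sign-On.
# Constructed placeholder values; replace with your own infrastructure.
LB_CIDR="${LB_CIDR:-10.0.16.0/24}"               # subnet of your load balancer(s)
DNS_SERVERS="${DNS_SERVERS:-10.0.0.2 10.0.0.3}"  # Domain Name Servers
IDP_ADDR="${IDP_ADDR:-}"                         # optional: external IdP IP or CIDR

# Emit the ASG rules as JSON. Each rule names one destination and one port set,
# so the group opens nothing beyond the SSO traffic the page requires.
sso_asg_json() {
  printf '[\n'
  printf '  {"protocol": "tcp", "destination": "%s", "ports": "443", "description": "SSO -> load balancer (Cloud Controller, UAA)"}' "$LB_CIDR"
  for dns in $DNS_SERVERS; do
    printf ',\n  {"protocol": "tcp", "destination": "%s", "ports": "53", "description": "SSO -> DNS (TCP)"}' "$dns"
    printf ',\n  {"protocol": "udp", "destination": "%s", "ports": "53", "description": "SSO -> DNS (UDP)"}' "$dns"
  done
  if [ -n "$IDP_ADDR" ]; then
    printf ',\n  {"protocol": "tcp", "destination": "%s", "ports": "80,443", "description": "SSO -> external IdP (SAML metadata)"}' "$IDP_ADDR"
  fi
  printf '\n]\n'
}

# Number of rules produced (one JSON object per rule); a quick sanity check
# before the definition is handed to the platform.
sso_asg_rule_count() {
  sso_asg_json | grep -c '"protocol"'
}

# Write the definition and bind it to the org and space that host the SSO
# service broker. Requires the cf CLI and an admin login; not run by default.
# Positional ORG SPACE is cf CLI v6 syntax; v7 takes ORG --space SPACE.
apply_sso_asg() {
  org="$1"; space="$2"
  sso_asg_json > sso-asg.json
  cf create-security-group sso-broker sso-asg.json
  cf bind-security-group sso-broker "$org" "$space"
}
```

Run `apply_sso_asg ORG SPACE` after reviewing the generated sso-asg.json; leave IDP_ADDR empty if you do not fetch SAML metadata from an external identity provider.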

Update Add-ons to Run with Xenial Stemcell

Pivotal Single Sign‑On v1.7.1 and later requires a Xenial stemcell. If you are using any of the following BOSH Add-ons with your deployment, you must update the add-on definition to include the Xenial stemcell before you deploy Pivotal Single Sign‑On v1.7.1: