Plan-to-Plan OIDC Integration Guide

This topic describes how to set up the Pivotal Single Sign‑On to integrate a Single Sign‑On service plan as an OpenID Connect (OIDC) identity provider.

Service plans are represented in User Access and Administration (UAA) as identity zones. UAA provides the ability to integrate any two UAAs with one acting as the relying party and the other acting as the identity provider. This includes identity zones within the same multi-tenant UAA, as well as separate UAA instances, such as the Bosh UAA, Ops Manager UAA, or a standalone UAA (provided they are on a version that has OIDC implemented).

This topic explains how you can perform the integration from one Pivotal Single Sign‑On service plan to another using Pivotal Single Sign‑On.


To integrate Plan-to-Plan OIDC with Pivotal Single Sign‑On, you must have the following:

  • An active Pivotal Single Sign‑On service plan. This plan act as an identity provider.
  • A second active Pivotal Single Sign‑On service plan. This plan act as the relying party.
  • A user with admin privileges.

Note: To configure OIDC according to these steps, you must have the Pivotal Single Sign‑On service broker installed in your Pivotal Platform deployment. You need to create a plan, add any plan administrators, and specify any organizations for which this plan should be the authentication authority. For help configuring plans, see Managing Service Plans.

Integrating a Plan-to-Plan OIDC for Pivotal Single Sign‑On

Complete this process to set up Plan-to-Plan OIDC integration for the Pivotal Single Sign‑On service. For more information, see Configuring Plan-to-Plan OIDC Integrations.

Testing the OIDC Connection

After you have configured the Plan-to-Plan OIDC integration for Pivotal Single Sign‑On, you can test it to confirm it works. For more information, see Testing.


For information about common configuration problems and error states, see Troubleshooting.