Configuring Plan-to-Plan OIDC Integration

Warning: Pivotal Single Sign-On v1.11 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to set up the Plan-to-Plan OpenID Connect (OIDC) integration between two Pivotal Single Sign‑On service plans, one acting as an identity provider (“identity provider plan” or IDP) and one acting as a relying party (“relying party plan” or RP).


A Plan-to-Plan OIDC integration enables users from the identity provider plan to authenticate into the relying party plan through OIDC.

To set up this integration:

  1. Meet the prerequisites
  2. Set up relying party configurations in the identity provider plan
  3. Set up the OIDC Identity Provider Configuration in the Relying Party Plan
  4. Finish the configuration


You must meet the following prerequisites to set up Plan-to-Plan OIDC integration:

  • Your IDP must be visible to your org.
  • You must add the IDP as a service instance in a space so you can access the app developer dashboard.

If you have not completed these prerequisites, see Create or Edit Service Plans.

Set Up Relying Party Configurations in the Identity Provider Plan

Follow the instructions below to set up relying party configurations in the identity provider plan.

  1. Navigate to Apps Manager.
  2. Select the space.
  3. Click into the Service tab.
  4. Click the service you want to modify.
  5. Click Manage.
  6. Click New App.
  7. Type a name in the App Name field.
  8. Choose Web App from the list of app types.
  9. Type a temporary URL in the Auth Redirect URIs field. You replace this URL after configuring an identity provider on the relying party plan.
  10. In the Scopes field, type openid.
    Optionally, select openid from the list of Auto-Approved Scopes. By adding openid as an automatically approved scope, you prevent users from being prompted to authorize a login from the identity provider.
  11. Click Register App. When the app is created successfully, you are prompted to download your app credentials.
  12. Click Download App Credentials to save the credentials for your app.

    Warning: This is the last time you can download your app credentials. Pivotal recommends that you download the credentials and store them securely.

Set Up the OIDC Identity Provider Configuration in the Relying Party Plan

To set up the OIDC Identity Provider Configuration in the relying party plan, follow the steps below.

  1. Follow steps 1–6 in Add an OIDC Provider.
  2. If you use a self-signed certificate for Pivotal Platform where the IDP is located, select the Skip SSL Validation checkbox. If you do not use a self-signed certificate, you can leave this box unchecked.
  3. Select the Enable Discovery checkbox and type in the Discovery Endpoint URL.

    This URL is https://IDP-DOMAIN/.well-known/openid-configuration, where IDP-DOMAIN is the domain setting you enter when you add the IDP service plan you are integrating.
  4. Fill in the Relying Party OAuth Client ID with the App Client ID from the previous section.
  5. Fill in the Relying Party OAuth Client Secret with the App Secret from the previous section.
  6. Confirm that openid is selected as a scope by clicking All Selected.

Finish Configuration

After you create an app, follow the steps below to finish configuration.

  1. Return to the page for the app you created.
  2. Click Edit Config. The app configuration screen appears.
  3. Add an Auth Redirect URL. The URL should read https://RELYING-PARTY-DOMAIN/login/callback/ORIGIN-KEY

    • RELYING-PARTY-DOMAIN is the domain setting you enter during Relying Party configuration.
    • ORIGIN-KEY is based on the IDP name you set in the SSO Operator Dashboard.
  4. Click Save Config.