Using the System Plan

Warning: Pivotal Single Sign-On v1.11 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic explains how to use the system plan for Pivotal Single Sign‑On. The system plan is the default plan meant for developer apps, not end-user apps.

Single Sign‑On comes with a default system plan that has the following features:

  • Read-only
  • Minimal configuration options
  • Not deletable
  • Allows developer-level access to system components like Pivotal Application Service and its APIs
  • Available only to Pivotal Platform administrators

Restricting the visibility of this system plan to a single, developer-apps only org secures system components, following the principle of least privilege.

Examples of developer apps include scripts or pipelines that push other apps and services. Any app that uses the Cloud Foundry API is a developer app.

System Plan Best Practice

Pivotal recommends configuring your orgs and Single Sign‑On plans as follows to prevent anyone from applying the system plan to end-user apps:

  1. Restrict all developer apps to a single org.

  2. Make the system plan visible only to the developer-apps org.

  3. Configure other orgs with Single Sign‑On service plans of their own.

Developers can then self-register their developers apps in the developer-apps org for use by other developers.

Administrators: Configure the System Plan for an Org

Pivotal Platform administrators follow the steps below to enable the system plan and provide access to app developers:

  1. Log into the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN using your User Account and Authentication (UAA) administrator credentials. In your PAS tile in Ops Manager, the Domain settings show your system domain, and the Credentials tab shows the UAA Admin Credentials.

  2. Navigate to the System Plan and enable the plan in the relevant org(s).

Enable System Plan for Org

Developers: Create a System Plan Instance for Your App

Follow the steps below to create and use the system service plan with your developer apps.

  1. Follow the steps to Create a Service Instance of Single Sign‑On.

  2. If you have a Pivotal Platform app, bind the application with the service instance you created. For more information, see Register a Pivotal Platform App.

  3. If your app is a pipeline or a script that runs external to Pivotal Platform but calls Pivotal Platform APIs, do the following:

    1. Follow the instructions to Register an Externally Hosted App Using the SSO Developer Dashboard and use the guidelines below:
      • Choose Native App for your application type.
      • In the app configuration, set a value for the Refresh token lifetime based on your use case for automated access.
    2. To give your your pipeline or script access to your resources without your presence, embed a refresh token instead of hardcoding your credentials:
      1. Run uaac token sso get.
      2. At the prompts, enter the Client ID and Secret from the Next Steps section of the SSO Developer Dashboard. Copy the login portal URL into a browser, and log in using your UAA Admin Credentials.
      3. Copy the Temporary Authentication Code from the browser into the UAAC to finish the authentication.
      4. Run uaac context.
      5. Copy the value of the refresh token and use that in your code to get a new token based on your client ID and secret using the standard OAuth refresh token flow as described in the UAA API documentation.

Developers: Revoke System Plan Access for an Externally Hosted App

To revoke system plan access from an externally hosted app that is registered with the system plan to access Pivotal Platform components, do one of the following:

  • Regenerate the App Secret
  • Delete the app