Integrating Single Sign‑On with Your App

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes how to integrate Single Sign‑On for VMware Tanzu with Java and non-Java apps.

Integrate Single Sign‑On with an App

Because Single Sign‑On is based on the OAuth protocol, any app that uses Single Sign‑On must be OAuth-aware.

Java Apps

If you are using Java, see the Single Sign‑On Service Sample Applications repository. These are sample Spring Boot apps that demonstrate how to use Single Sign‑On Service libraries to configure the app for OAuth.

For Spring Boot 1.5, use spring-cloud-sso-connector and see the spring-boot-1.5 branch of the Single Sign‑On Service Sample Applications repository for examples.

For Spring Boot 2.1, use java-cfenv-boot-pivotal-sso and see the spring-boot-2.1 branch of the Single Sign‑On Service Sample Applications repository for examples.

After binding the app to a Single Sign‑On service instance, you must restart the app for the new Single Sign‑On configuration to take effect.

Non-Java Apps

To configure non-Java apps for OAuth, supply the following properties as environment variables to your app after you bind the app to a Single Sign‑On service instance. You can view this information on the Next Steps page of the SSO Developer Dashboard.

  • App ID, also known as OAuth Client ID
  • App Secret, also known as OAuth Client Secret
  • OAuth Authorization URL, the endpoint for client authorization
  • OAuth Token URL, the endpoint for token retrieval

To validate the token, you must verify the following:

  1. The token is a properly signed JSON Web Token with an appropriate public key. The key can be downloaded from the Token Verification Key endpoint specified on the Next Steps page.

  2. The value of aud in the token matches your App ID.

  3. The value of iss uses the following pattern:

    https://AUTH-DOMAIN.uaa.YOUR-SYSTEM-DOMAIN/oauth/token

    Where AUTH-DOMAIN is the Auth Domain you entered in Create or Edit Service Plans.

  4. The expiry time of the token, exp, has not passed.

Login Hints

When you make an authorization code, password or implicit grant request, a login hint can be provided so that the end user is automatically redirected to the appropriate identity provider.

An encoded JSON string containing origin_key tied to the origin key of an identity provider can be provided as a login hint using login_hint in a query parameter. For information about login hints, see the Authorization Code Grant in the UAA API documentation.