Configuring a Single Sign-On Service Provider
Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.
This topic describes how to add an external identity provider to your Single Sign‑On for VMware Tanzu service plan.
Set up SAML
Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN as a Plan Administrator.
Select your plan and click Manage Identity Providers on the drop-down menu.
Click New Identity Provider to create a new identity provider.
To create a new identity provider, do the following:
- Enter an Identity Provider Name.
- (Optional) Enter an Identity Provider Description.
- Enter the App Federation Metadata Url you obtained from step 7 in Set up SAML in Azure Active Directory (AD) and click Fetch Metadata.
- (Optional) Enter mappings under Advanced SAML Settings > Attribute Mappings.
Click Create Identity Provider.
Configure Group Permissions
Note: Azure AD passes the Object ID of the groups recorded in step 5 of Set up Claims Mapping to the Single Sign‑On plan.
Add groups to be propagated from the external identity provider to the ID token by following these steps:
- Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN as a Plan Administrator.
- Select your plan and click Manage Identity Providers on the drop-down menu.
- Click Group Whitelist next to your identity provider.
- Enter the group names.
- Click Save Group Whitelist.
Map the groups to resources defined in Single Sign‑On by following these steps:
- Log in at https://p-identity.SYSTEM-DOMAIN as a Plan Administrator.
- Select your plan and click Manage Identity Providers on the drop-down menu.
- Click Resource Permissions.
- Click New Permissions Mapping and perform the following steps:
  - Enter a Group Name.
  - For Select Permissions, select the permissions that members of the group from the external identity provider should have.
  - Click Save Permissions Mapping.