Enabling Identity Provider Discovery

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes Identity Provider (IdP) Discovery and how to configure it for your VMware Tanzu Application Service for VMs (TAS for VMs) apps that use Single Sign‑On for VMware Tanzu.

What IdP Discovery Does

If users with different email domains access the same TAS for VMs app, you can configure Single Sign‑On to authenticate them through different identity providers.

In this situation, IdP Discovery streamlines the login experience by automatically redirecting the user to their own IdP and shielding them from seeing the IdPs of other app users.

When a user logs in to an app, an account chooser autofills their email address from any previous login, or presents a choice if they have logged in from more than one account. Users can add or remove accounts from the account chooser.

Example

As an example, consider an app where some users log in with @example.com username and some with @gmail.com username. With IdP Discovery, users with both email domains can log in from the same login page and do not have to see or choose from a list of login options that covers all the domains. IdP Discovery ascertains each user’s IdP from their email domain.

Enable IdP Discovery

IdP Discovery is associated with a service plan, and configured for the apps bound to instances of that plan. To enable IdP Discovery for a service plan and the apps that use it, you must be a Admin or a Plan Admin.

To enable IdP Discovery:

  1. Enable IdP Discovery for the Single Sign‑On service instance that your app is bound to:

    1. Log in at https://p-identity.SYSTEM-DOMAIN using your User Account and Authentication (UAA) admin credentials. You can find these credentials in your VMware Tanzu Application Service for VMs tile in Ops Manager under the Credentials tab.
    2. Click the plan name and then select the Configure tab.
    3. Select the checkbox under the Identity Provider Discovery section and click Save. Screenshot of Configure tab shows Enable IdP Discovery checkbox under Identity Provider Discovery heading
  above the Save button at the bottom.
  2. Click the plan name and then select the Identity Providers tab.

  3. Click on the name of an identity provider to be associated with an Email domain.

  4. Enter the Email domains you want to include as a comma-separated list under the configuration page for the identity provider plan, and click Save. Screenshot of Edit IdP tab shows Email Domains (Optional) field under Identity Provider Discovery heading.
The example text in the field is example.com

  5. In Apps Manager, navigate to your space, open the Service tab, and select your service instance.

  6. Click the Manage link under the service name, and edit the app configuration by selecting the required Identity Providers.

After these steps, the login page prompts for the username first:

Screenshot of the login page shows the cloud foundry logo, the text Identity Demo,
  the text Sign in to continue, a field for the username and a Next button.

If the user enters their @example.com username, they are redirected to the Okta login page:

Screenshot of the Okta Login Page shows username and password fields,
a remember me checkbox and a sign in button.