Installing Single Sign-On for VMware Tanzu
Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.
This topic explains how to install Single Sign‑On for VMware Tanzu.
To install Single Sign‑On, you must have:
Application Security Groups (ASGs)
From VMware Tanzu Network, select a Single Sign‑On tile version and download the product release file.
From the Ops Manager Installation Dashboard, select the Import a Product button to upload the product file.
Click the + icon next to the uploaded product to add this product to your staging area.
Click on the Single Sign‑On tile to enter any configurations.
Note: The Single Sign‑On Identity Service Broker is deployed as an app from a BOSH errand, and has no associated BOSH VMs that require selecting a corresponding network. If you are forced to select a network during installation, select the Deployment network, also known as the VMware Tanzu Application Service for VMs network.
(Optional) Click Property Configurations to set which buildpack Single Sign‑On uses when it pushes its component apps. VMware recommends the default java_buildpack_offline buildpack. Because the component apps are Java-based, you must specify a Java-compatible buildpack.
In the Ops Manager Dashboard, do the following to complete the installation:
- If you are using Ops Manager v2.3 or later, click Review Pending Changes. For more information about this Ops Manager page, see Reviewing Pending Product Changes.
- Click Apply Changes.
If required, do the following to update the stemcell for Single Sign‑On:
- Download the stemcell from VMware Tanzu Network.
- In the Ops Manager, click Stemcell Library.
- Click Import Stemcell, and then select the stemcell you downloaded from VMware Tanzu Network.
- Click Save.
You must update the SSL certificate for the domains listed below for each plan you create. Depending on your infrastructure and load balancer, you must also update your load balancer configuration for the following domains:
Single Sign‑On requires the following network connections:
- TCP connection to load balancer(s) on port 443
- TCP and UDP connection to Domain Name Servers on port 53
- (Optional) TCP connection to your external identity provider on port 80 or 443
To enable access to Single Sign‑On, you must ensure your ASG allows access to the load balancers and domain name servers that provide access to Cloud Controller and UAA. Optionally, you can configure access to your external identity provider to receive SAML metadata. For how to set up ASGs, see Application Security Groups.
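The following added example (not part of the VMware documentation) generates an ASG rules file that opens only the connections listed above and refuses overly broad destinations. The function names, the /24 breadth limit, and the sample addresses (taken from the RFC 5737 documentation ranges) are assumptions; the output uses the JSON rules format accepted by cf create-security-group.

```python
import ipaddress
import json

MIN_PREFIX = 24  # assumption: refuse any destination broader than a /24


def _check_destination(dest):
    """Validate an IPv4 address or CIDR and reject overly broad ranges."""
    net = ipaddress.IPv4Network(dest, strict=False)
    if net.prefixlen < MIN_PREFIX:
        raise ValueError(f"destination {dest} is broader than /{MIN_PREFIX}")
    return dest


def _rule(protocol, dest, ports, description):
    """Build one ASG rule in the cf CLI rules-file format."""
    return {
        "protocol": protocol,
        "destination": _check_destination(dest),
        "ports": ports,
        "description": description,
    }


def build_sso_asg_rules(load_balancers, dns_servers, identity_providers=()):
    """Return ASG rules covering only the connections Single Sign-On requires."""
    rules = []
    for lb in load_balancers:
        rules.append(_rule("tcp", lb, "443", "SSO to load balancer"))
    for dns in dns_servers:
        # DNS needs both TCP and UDP on port 53.
        for proto in ("tcp", "udp"):
            rules.append(_rule(proto, dns, "53", "SSO to DNS"))
    for idp in identity_providers:
        # Optional: external identity provider on port 80 or 443.
        rules.append(_rule("tcp", idp, "80,443", "SSO to external IdP"))
    return rules


if __name__ == "__main__":
    # Constructed sample addresses; replace with your own infrastructure.
    rules = build_sso_asg_rules(
        load_balancers=["192.0.2.10"],
        dns_servers=["198.51.100.53"],
        identity_providers=["203.0.113.20"],
    )
    print(json.dumps(rules, indent=2))
```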