Getting Started with Single Sign-On

Warning: Single Sign‑On for Pivotal Cloud Foundry v1.5 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic outlines the steps for installing and configuring the Single Sign-On service.

Install and Set Up SSO for Applications

  1. Install Single Sign-On via Ops Manager.

  2. Create a service plan. The Single Sign-On service is a multi-tenant service, and a service plan corresponds to a tenant. This allows an enterprise to segregate users or environments using plans. Each service plan is accessible at a tenant-specific URL in the format https://AUTH-DOMAIN.login.SYSTEM-DOMAIN.

  3. Create a service instance. Single Sign-On service plans can provide single sign-on capabilities for applications in various spaces. A service instance lets you bind an application to a service plan.

  4. Configure an identity provider. In addition to the Internal User Store, you can configure external identity providers to provide single sign-on to applications.

  5. Configure your applications. Single Sign-On supports both Pivotal Cloud Foundry-hosted and externally hosted applications. Your applications must be able to request an OAuth or OpenID Connect token.

  6. Create resources for your applications. If your registered applications need to make external API calls, you can assign the API endpoints as resources permitted for the application. This will whitelist the endpoints for use by the application or client.
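Step 2 makes each plan a separate tenant at its own URL, so an application bound to one plan should reject tokens issued under another. The following is an added example, not code from the Single Sign-On product or its documentation. It assumes the token's signature has already been verified by your OAuth/OpenID Connect library and that the issuer claim is a URL on the tenant host; the function names and sample values are hypothetical.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens. No dots, so AUTH-DOMAIN cannot
# smuggle in extra host components.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def tenant_url(auth_domain: str, system_domain: str) -> str:
    """Build https://AUTH-DOMAIN.login.SYSTEM-DOMAIN for one service plan."""
    auth_domain = auth_domain.lower()
    system_domain = system_domain.lower().strip(".")
    if not _LABEL.fullmatch(auth_domain):
        raise ValueError(f"AUTH-DOMAIN must be a single DNS label: {auth_domain!r}")
    labels = system_domain.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"invalid SYSTEM-DOMAIN: {system_domain!r}")
    return f"https://{auth_domain}.login.{system_domain}"


def issuer_belongs_to_plan(issuer: str, auth_domain: str, system_domain: str) -> bool:
    """True only if the issuer URL is served from this plan's tenant host."""
    expected = urlsplit(tenant_url(auth_domain, system_domain))
    try:
        got = urlsplit(issuer)
        port = got.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    return (
        got.scheme == "https"
        and got.username is None and got.password is None
        and port in (None, 443)
        and got.hostname == expected.hostname  # exact match, not a suffix test
    )


if __name__ == "__main__":
    # Constructed sample values: plans "dev" and "prod" on sys.example.com.
    for iss in (
        "https://dev.login.sys.example.com/oauth/token",
        "https://prod.login.sys.example.com/oauth/token",
        "https://dev.login.sys.example.com.evil.test/oauth/token",
    ):
        print(iss, issuer_belongs_to_plan(iss, "dev", "sys.example.com"))
```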

SSO User Roles

A user’s role determines which parts of an SSO configuration they can manage. SSO uses the existing user roles PCF Administrator and Space Developer, as well as an SSO-specific Plan Administrator role. This chart shows the management permissions for each role.

Management access by role   PCF Administrator   Plan Administrator   Space Developer
Service plans               X                   -                    -
Service instances           X                   X                    X
Identity providers          X                   X                    -

Using SSO for Pivotal Cloud Foundry Components

In addition to applications, SSO supports single sign-on for components of Pivotal Cloud Foundry, including Ops Manager and Apps Manager. This allows users already managed in an external identity provider to sign in to Pivotal services. Refer to the following pages for instructions on configuring SSO to enable users in an external identity store to access PCF components: