Single Sign-On Overview

Warning: Single Sign-On for Pivotal Cloud Foundry v1.5 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic provides an overview of the Single Sign-On service for Pivotal Cloud Foundry (PCF).

The Single Sign-On service is an all-in-one solution for securing access to applications and APIs on PCF. The Single Sign-On service provides support for native authentication, federated single sign-on, and authorization. Operators can configure native authentication and federated single sign-on, for example SAML, to verify the identities of application users. After authentication, the Single Sign-On service uses OAuth 2.0 to secure resources or APIs.

Single Sign-On

The Single Sign-On service allows users to log in through a single sign-on service and access other applications that are hosted or protected by the service. This improves security and productivity since users do not have to log in to individual applications.

Developers are responsible for selecting the authentication method for application users. They can select native authentication provided by the User Account and Authentication (UAA) server or external identity providers. UAA is an open source identity server project under the Cloud Foundry (CF) Foundation that provides identity-based security for applications and APIs.

SSO supports the service-provider-initiated authentication flow and single logout. It does not support the identity-provider-initiated authentication flow. All SSO communication takes place over SSL.

OAuth 2.0 Authorization

After authentication, the Single Sign-On service uses OAuth 2.0 for authorization. OAuth 2.0 is an authorization framework in which a resource owner delegates limited access to an application, so that the application can access resources on the owner's behalf.

Developers define resources required by an application bound to a Single Sign-On (SSO) service instance and administrators grant resource permissions. See the Configure Applications topic for more details.
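The following is an added illustration of the authorization side described above, written for this page and not taken from the Single Sign-On product or UAA. It models a resource server that receives a bearer access token, verifies it, and then enforces the permissions an administrator granted to each resource. The resource names, endpoint names and scope names are assumed for the example, and the token is HS256-signed with a constructed shared secret so that the example runs with only the Python standard library; tokens issued by a real authorization server are normally verified with the server's public key instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example only (assumption). Production
# tokens are verified with the authorization server's public key, not a secret
# shared with every resource server.
EXAMPLE_SIGNING_KEY = b"example-shared-secret-do-not-reuse"

# Hypothetical resource permissions granted by an administrator, keyed by the
# API endpoint that exposes the resource (assumed names, not from the page).
RESOURCE_REQUIRED_SCOPES = {
    "GET /orders": {"orders.read"},
    "POST /orders": {"orders.read", "orders.write"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = EXAMPLE_SIGNING_KEY) -> str:
    """Issue an HS256 JWT; stands in for the authorization server's token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, expected_aud: str, now=None,
                 key: bytes = EXAMPLE_SIGNING_KEY) -> dict:
    """Check signature, algorithm, expiry and audience; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm: never accept alg=none or a downgraded algorithm.
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud", [])
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this resource")
    return claims


def authorize(token: str, endpoint: str, resource_id: str = "orders", now=None) -> bool:
    """Return True only if the verified token carries every scope the endpoint requires."""
    try:
        claims = verify_token(token, expected_aud=resource_id, now=now)
    except ValueError:
        return False
    required = RESOURCE_REQUIRED_SCOPES.get(endpoint)
    if required is None:
        return False  # unknown resource: fail closed rather than open
    granted = set(claims.get("scope", []))
    return required <= granted


if __name__ == "__main__":
    token = mint_token({"aud": ["orders"], "scope": ["orders.read"], "exp": time.time() + 600})
    print("GET /orders allowed:", authorize(token, "GET /orders"))
    print("POST /orders allowed:", authorize(token, "POST /orders"))
```

The order of checks matters: the signature is verified before any claim is trusted, the audience check stops a token minted for one resource from being replayed against another, and an endpoint with no granted permissions is denied rather than treated as public.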

Product Snapshot

The following table provides version and version-support information about Single Sign-On for PCF:

Element                                      Details
Version                                      v1.5.3
Release date                                 December 11, 2017
Compatible Ops Manager version(s)            v1.12 or v2.0
Compatible Elastic Runtime version           v1.12
Compatible Pivotal Application Service version   v2.0
IaaS support                                 AWS, GCP, OpenStack, and vSphere

Upgrading to the Latest Version

Consider the following compatibility information before upgrading Single Sign-On for PCF. Pivotal recommends upgrading PCF before upgrading SSO to the supported version. For example, when upgrading from PCF v1.10 to PCF v1.11, upgrade PCF so that SSO v1.3 is running on PCF v1.11, and then upgrade SSO v1.3 to SSO v1.4 as soon as possible.

Breaking Change: Before you upgrade the Pivotal Application Service (PAS) tile to PCF v2.0, you must first upgrade the SSO tile to v1.5.3 and configure the Apps Manager errand in Ops Manager. To properly prepare for upgrading to PCF v2.0 with the SSO tile, see the SSO upgrade knowledge base article.

Elastic Runtime* or PAS version    Supported upgrades from SSO versions
                                   From              To
1.6.x                              1.0.1–1.0.25      1.0.26
1.7.x                              1.0.1–1.0.26      1.1.4
1.8.x                              1.1.0–1.1.4       1.2.4
1.9.x and 1.10.x                   1.2.0–1.2.4       1.3.6
1.11.x                             1.3.0–1.3.6       1.4.6
1.12.x                             1.4.1–1.4.6       1.5.3
2.0.x                              1.5.3             1.5.x
2.1.x                              1.6.0             1.6.x

* As of PCF v2.0, Elastic Runtime is renamed Pivotal Application Service (PAS).

Note: The Single Sign-On service tile operates in lockstep with Elastic Runtime.
  • The SSO v1.1.x tiles are compatible with PCF v1.7.x
  • The SSO v1.2.x tiles are compatible with PCF v1.8.x and later
  • The SSO v1.3.x tiles are compatible with PCF v1.9.x and later
  • The SSO v1.4.x tiles are compatible with PCF v1.11.x and later
  • The SSO v1.5.x tiles are compatible with PCF v1.12.x, and v1.5.3+ are also compatible with v2.0.x and v2.1.x
