Warning: Single Sign‑On for Pivotal Cloud Foundry v1.5 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic explains how to install Single Sign-On (SSO) for Pivotal Cloud Foundry.

Breaking Change: Before you upgrade the Pivotal Application Service tile to PCF v2.0, you must first upgrade the SSO tile to v1.5.3 and configure the AppsManager errand in OpsManager. To properly prepare for upgrading to PCF v2.0 with the SSO tile, see the SSO upgrade knowledge base article.


Install SSO via Ops Manager

  1. From Pivotal Network, select a Single Sign-On tile version and download the product release file.

  2. From the Ops Manager Installation Dashboard, select the Import a Product button to upload the product file.

  3. Click the plus sign icon next to the uploaded product to add this product to your staging area.

  4. Click on the Single Sign-On tile to enter any configurations.

    Note: The Single Sign-On service tile requires a network with only one subnet until version 1.3.0. Starting with 1.3.1 multiple subnets are supported.

    Note: The SSO Identity Service Broker is deployed as a PCF application from a BOSH errand, and has no associated BOSH VMs that require selecting a corresponding network. If you are forced to select a network during installation, select the Deployment network, also known as the PAS or ERT network.

  5. Click Apply Changes to install the product.

Update SSL and Load Balancer

You must update the SSL certificate for the domains listed below for each plan you create. Depending on your infrastructure and load balancer, you must also update your load balancer configuration for the following domains:



  • *.login.SYSTEM-DOMAIN


Configure Application Security Groups

The Single Sign-On service requires the following network connections:

  • TCP connection to load balancer(s) on port 443
  • TCP and UDP connection to Domain Name Servers on port 53
  • (Optional) TCP connection to your external identity provider on port 80 or 443

To enable access to the Single Sign-On service, you must ensure your Application Security Group allows access to the load balancer(s) and domain name servers that provide access to Cloud Controller and UAA. Optionally, you can configure access to your external identity provider to receive SAML metadata. For more details on how to set up application security groups, see the Application Security Groups topic.