Configuring a Single Sign-On Service Provider

This topic describes how to add an external identity provider to your Pivotal Single Sign-On (SSO) service plan.

Download Identity Provider Metadata

  1. Download the metadata from your Active Directory Federation Services server at the following URL: https://YOUR-ADFS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml

Setting up SAML

  1. Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN as a Plan Administrator.

  2. Select your plan and click Manage Identity Providers on the drop-down menu.

    Adfs manage id providers

  3. Click New Identity Provider to create a new identity provider.

    New id provider

  4. To create a new identity provider, perform the following steps:

    1. Enter an identity provider name in Identity Provider Name.
    2. (Optional) Enter a description in Identity Provider Description.
    3. Click SAML File Metadata (optional), then click Upload Identity Provider Metadata to upload your metadata XML.
    4. (Optional) Under Advanced SAML Settings, click Attribute Mappings to enter the mappings.
  5. Click Create Identity Provider.

  6. Click Resource Permissions.

  7. Click New Permissions Mapping and perform the following steps:

    1. Enter a Group Name.
    2. For Select Permissions, select the permissions to grant to the members of the group from the external identity provider.
  8. Navigate to the identity provider list.

  9. Click Group Whitelist and enter the group names from the external identity provider that should be propagated in the ID token.

Create Attribute Mappings for SAML Groups

Under User Attributes, map the User Schema Attribute of “external_groups” to the Attribute Name value of “groups”. If you did not perform the steps to customize the SAML assertion value, use “” as the Attribute Name instead.

An attribute mapping with a customized SAML assertion value looks like this: Customized

An attribute mapping with a non-customized SAML assertion value looks like this: Non customized

Groups now show up from the SAML assertion as claims. You can pull these values from the user’s stored custom attributes using the roles scope on the ID token or through the userinfo endpoint, or map these to permissions using Resource Permissions mappings. For more information, see Create or Edit Resource Permissions.