LATEST VERSION: 1.6 - CHANGELOG
Single Sign-On v1.6

Managing Service Plans

This topic describes how Pivotal Cloud Foundry (PCF) Administrators manage Single Sign-On service plans.

Single Sign-On (SSO) is a multi-tenant service, which enables a deployment to host multiple tenants as service plans. Each service plan can have its own administrators, applications and users. This lets enterprises segregate access by using separate plans. For example, the following tenants might require separate plans:

  • Business units and geographical locations

  • Employees, consumers, and partners

  • Development, staging, and production instances

You may also want to configure an SSO Service Plan as an OpenID Connect (OIDC) identity provider. For more information, see Plan-to-Plan OIDC Integration Guide.

Create or Edit Service Plans

Administrators can create new SSO service plans at any time from the SSO dashboard. You can use the SSO dashboard to create and configure service plans at any time.

Note: You must create at least one plan for any service before your applications can use it.

  1. Log into the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your User Account and Authentication (UAA) administrator credentials. You can find these credentials in the Pivotal Application Service (PAS) tile in Ops Manager in the Credentials tab.

  2. Click New Plan on the SSO dashboard to create a new SSO service plan.

    Managing create plan

  3. Enter a Plan Name.

  4. Enter a Description to appear as a plan feature in the Services Marketplace.

  5. Enter an Auth Domain to be the URL where users authenticate to access applications covered by the service plan.

  6. Enter an Instance Name to appear on the login page and in other user-facing content, such as email communications.

  7. Add Plan Administrators. These users can view the plan and manage identity providers.

  8. Under Organizations, select specific organizations in your PCF deployment that can access your Single Sign-On service plan, or select Enable for all Orgs.

    • If you select Enable for all Orgs the plan is available for use and displayed in the Services Marketplace for all developers in any organization. This is only recommended for test plans to allow developers to experiment with the SSO service.

    • If you do not select any organizations, the plan is not available for use and it is not displayed in the Services Marketplace.
  9. Click Create Plan. Your new plan appears in the Services Marketplace in the organizations you selected. Users in those organizations view the plan either in Apps Manager or through the CF CLI by entering cf marketplace in a terminal window.

Delete Service Plans

Note: This action cannot be undone. Deleting a Single Sign-On service plan removes from the SSO database all of the configurations, identity providers, users, application configurations and resources associated with the plan. It also deletes the associated service instances and service bindings. You must rebind any applications bound to the deleted service instances to new service instances.

  1. Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your UAA administrator credentials. You can find these credentials in your Pivotal Elastic Runtime tile in Ops Manager under the Credentials tab.

  2. Select the name of the plan you want to delete, and click Edit Plan in the drop-down menu.

  3. Select Delete at the bottom of the page.

  4. In the popup that appears, click Delete Plan to confirm that you want to delete the plan.

Configure a Token Policy

The Single Sign-On service allows administrators to override the default expiry of access tokens (12 hours) and refresh tokens (30 days) by zone.

  • Access tokens carry information about users and clients to servers that manage resources. Servers use access tokens to determine whether the client is authorized or not. Access tokens typically have a short-lived expiration time.
  • Refresh tokens carry information necessary to retrieve a new access token after an existing access token expires. Refresh tokens typically have a longer expiration time than access tokens.

To configure the token policy, do the following:

  1. Log in to the SSO dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your UAA administrator credentials. You can find these credentials in your Pivotal Application Service (PAS) tile in Ops Manager in the Credentials tab.

  2. Select the name of the plan you want to configure a token policy for, and click Configure from the drop-down menu.

  3. Enter the number of seconds for Access Token Expiration or select Use System Default.

  4. Enter the number of seconds for Refresh Token Expiration or select Use System Default.

  5. Click Save.

Create a pull request or raise an issue on the source for this page in GitHub