Single Sign-On v1.7

Single Sign-On Overview

This topic provides an overview of the Single Sign-On service for Pivotal Cloud Foundry (PCF).

The Single Sign-On service is an all-in-one solution for securing access to applications and APIs on PCF. The Single Sign-On service provides support for native authentication, federated single sign-on, and authorization. Operators can configure native authentication and federated single sign-on, for example SAML, to verify the identities of application users. After authentication, the Single Sign-On service uses OAuth 2.0 to secure resources or APIs.

Single Sign-On

The Single Sign-On service allows users to log in through a single sign-on service and access other applications that are hosted or protected by the service. This improves security and productivity since users do not have to log in to individual applications.

Developers are responsible for selecting the authentication method for application users. They can select native authentication provided by the User Account and Authentication (UAA) or external identity providers. UAA is an open source identity server project under the Cloud Foundry (CF) foundation that provides identity-based security for applications and APIs.

SSO supports service provider-initiated authentication flow and single logout. It does not support identity provider-initiated authentication flow. All SSO communication takes place over SSL.

OAuth 2.0 Authorization

After authentication, the Single Sign-On service uses OAuth 2.0 for authorization. OAuth 2.0 is an authorization framework that delegates access, allowing applications to access resources on behalf of a resource owner.

Developers define resources required by an application bound to a Single Sign-On (SSO) service instance and administrators grant resource permissions. See the Configure Applications topic for more details.

Product Snapshot

The following table provides version and version-support information about Single Sign-On for PCF:

| Element | Details |
|---|---|
| Version | v1.7.2 |
| Release date | November 2, 2018 |
| Compatible Ops Manager version(s) | v2.1.15 or later, v2.2.2 or later, and v2.3.x |
| Compatible Pivotal Application Service (PAS) version(s) | v2.1.x, v2.2.x, and v2.3.x |
| IaaS support | AWS, GCP, OpenStack, Azure, and vSphere |

Support Matrix for SSO v1.4.x to v1.7.x

This table lists the supported versions of SSO on PCF.

| PCF | Recommended SSO Version | Minimum SSO Version |
|---|---|---|
| 2.3.x | 1.7.2 | 1.7.0 |
| 2.2.x | 1.7.2 | 1.7.0 |
| 2.1.x | 1.7.2 (OpsMan v2.1.15 or higher) | 1.6.0 |
| 2.0.x | 1.6.0 | 1.5.3* |
| 1.12.x | 1.5.3 | 1.5.0 |
| 1.11.x | 1.4.6 | 1.4.0 |

* If you are upgrading from PCF v1.12 to v2.0, see Upgrade SSO Service Tile Between PCF 1.12 and PCF 2.0 in the Pivotal Support knowledge base.

Upgrade Path to SSO v1.7

If you are using SSO v1.6.0 and PCF v2.1.0 and want to upgrade to the recommended version of SSO and PCF v2.2.x, do the following:

  1. Upgrade to SSO v1.7.0 on PCF v2.1.x.

  2. Upgrade PCF to v2.2.x.

    For instructions on upgrading PCF, see Upgrading Pivotal Cloud Foundry.

  3. Upgrade to the recommended version of SSO v1.7.

Integration Guides

Use these guides to help you plan and implement your integration with the Single Sign-On service for PCF.
