Managing Service Plans
This topic describes how Pivotal Cloud Foundry (PCF) Administrators manage Single Sign-On service plans.
Single Sign-On (SSO) is a multi-tenant service, which enables a deployment to host multiple tenants as service plans. Each service plan can have its own administrators, applications and users. This lets enterprises segregate access by using separate plans. For example, the following tenants might require separate plans:
Business units and geographical locations
Employees, consumers, and partners
Development, staging, and production instances
You may also want to configure an SSO Service Plan as an OpenID Connect (OIDC) identity provider. For more information, see Plan-to-Plan OIDC Integration Guide.
Administrators can create new SSO service plans at any time from the SSO dashboard. You can use the SSO dashboard to create and configure service plans at any time.
Note: You must create at least one plan for any service before your applications can use it.
Log into the SSO dashboard at
https://p-identity.YOUR-SYSTEM-DOMAINusing your User Account and Authentication (UAA) administrator credentials. You can find these credentials in the Pivotal Application Service (PAS) tile in Ops Manager in the Credentials tab.
Click New Plan on the SSO dashboard to create a new SSO service plan.
Enter a Plan Name.
Enter a Description to appear as a plan feature in the Services Marketplace.
Enter an Auth Domain to be the URL where users authenticate to access applications covered by the service plan.
Enter an Instance Name to appear on the login page and in other user-facing content, such as email communications.
Add Plan Administrators. These users can view the plan and manage identity providers.
Under Organizations, select specific organizations in your PCF deployment that can access your Single Sign-On service plan, or select Enable for all Orgs.
- If you select Enable for all Orgs the plan is available for use and displayed in the Services Marketplace for all developers in any organization.
This is only recommended for test plans to allow developers to experiment with the SSO service.
- If you do not select any organizations, the plan is not available for use and it is not displayed in the Services Marketplace.
- If you select Enable for all Orgs the plan is available for use and displayed in the Services Marketplace for all developers in any organization. This is only recommended for test plans to allow developers to experiment with the SSO service.
Click Create Plan. Your new plan appears in the Services Marketplace in the organizations you selected. Users in those organizations view the plan either in Apps Manager or through the CF CLI by entering
cf marketplacein a terminal window.
Note: This action cannot be undone. Deleting a Single Sign-On service plan removes from the SSO database all of the configurations, identity providers, users, application configurations and resources associated with the plan. It also deletes the associated service instances and service bindings. You must rebind any applications bound to the deleted service instances to new service instances.
Log in to the SSO dashboard at
https://p-identity.YOUR-SYSTEM-DOMAINusing your UAA administrator credentials. You can find these credentials in your Pivotal Elastic Runtime tile in Ops Manager under the Credentials tab.
Select the name of the plan you want to delete, and click Edit Plan in the drop-down menu.
Select Delete at the bottom of the page.
In the popup that appears, click Delete Plan to confirm that you want to delete the plan.
The Single Sign-On service allows administrators to override the default expiry of access tokens (12 hours) and refresh tokens (30 days) by zone.
- Access tokens carry information about users and clients to servers that manage resources. Servers use access tokens to determine whether the client is authorized or not. Access tokens typically have a short-lived expiration time.
- Refresh tokens carry information necessary to retrieve a new access token after an existing access token expires. Refresh tokens typically have a longer expiration time than access tokens.
To configure the token policy, do the following:
Log in to the SSO dashboard at
https://p-identity.YOUR-SYSTEM-DOMAINusing your UAA administrator credentials. You can find these credentials in your Pivotal Application Service (PAS) tile in Ops Manager in the Credentials tab.
Select the name of the plan you want to configure a token policy for, and click Configure from the drop-down menu.
Enter the number of seconds for Access Token Expiration or select Use System Default.
Enter the number of seconds for Refresh Token Expiration or select Use System Default.