Configuring Plan-to-Plan OIDC Integration
This topic describes how to set up the Plan-to-Plan OpenID Connect (OIDC) integration between two Single Sign-On service plans, one acting as an identity provider (“identity provider plan” or IDP) and one acting as a relying party (“relying party plan” or RP).
Doing this allows users from the identity provider plan to authenticate into the relying party plan through OIDC.
- Your IDP must be visible to your Org.
- You must add the IDP as a service instance in a Space so you can access the app developer dashboard.
If you haven’t completed these prerequisites, see Create or Edit Service Plans.
- Navigate to Apps Manager.
- Select the Space.
- Click into the Service tab.
- Click to select the service you wish to modify.
- Click Manage.
- Click New App. The New App page appears.
- Type a name in the App Name field.
- Choose Web App from the list of Application Types.
- Type a temporary URL in the Auth Redirect URIs field. You’ll replace this URL when you have configured an identity provider on the relying party plan.
- In the Scopes field, type
openidfrom the list of Auto-Approved Scopes. By adding
openidas an automatically approved scope, you will keep users from being prompted to authorize a login from the identity provider.
- Click Register App. If the app is created successfully, you will be prompted to download your app credentials.
- Click Download App Credentials to save the credentials for your application.
Important: This is the last time you will be able to download your app credentials. Pivotal strongly recommends that you download the credentials and store them securely.
- Navigate to
- Log into the SSO Operator Dashboard using the credentials associated with your UAA administrator account. You can find these credentials in your Pivotal Application Service tile in Ops Manager. For more information, see Logging in to Apps Manager.
- Click the Relying Party plan name and choose Manage Identity Providers from the dropdown.
- Click New Identity Provider. The New Identity Provider screen appears.
- Enter an Identity Provider Name. This string, in lowercase with dashes replacing spaces, will become your Origin Key. For example, “My Test Provider” will become “my-test-provider.”
- Enter a Description. This description will be visible to Space developers when they select an IDP for their application.
- Select OpenID Connect as the Identity Provider type. The OpenID Connect Settings appear.
- If you’re using a self-signed certificate for PCF where the IDP is located, select the Skip SSL Validation checkbox. If you’re not using a self-signed certificate, you can leave this box unchecked.
- Select the Enable Discovery checkbox and type in the Discovery Endpoint URL.
This URL will be
IDP_AUTH_DOMAINis the Auth Domain setting you entered when you created the IDP service plan you are integrating with.
- Fill in the Relying Party OAuth Client ID with the App Client ID from the previous section.
- Fill in the Relying Party OAuth Client Secret with the App Secret from the previous section.
- Confirm that
openidis selected as a Scope by clicking All Selected.
Once you’ve created an app, you can return to the App page to finish configuration.
- Return to the app you created.
- Click Edit Config. The app configuration screen appears.
- Add a Auth Redirect URL. The URL should read
https://RP_AUTH_DOMAIN/login/callback/ORIGIN_KEY, where the
RP_AUTH_DOMAINis the Auth Domain setting you entered during RP configuration and the
ORIGIN_KEYis based on the IDP name you set in the SSO Operator Dashboard.
- Click Save Config.