Set Up an OIDC Service Provider in SSO

This topic describes how to add an OpenID Connect (OIDC) external identity provider to your Pivotal Single Sign-On (SSO) service plan, using Azure Active Directory (Azure AD) as an example.

Follow the steps below to set up an OIDC provider for the SSO service.

  1. Log into the SSO dashboard at https://p-identity.run.pivotal.io using your administrator credentials.

  2. Click the plan name and select Manage Identity Providers from the drop-down menu.

  3. Click New Identity Provider.

  4. Enter an Identity Provider Name. This value, converted to all lowercase with dashes replacing spaces, becomes your Origin Key. For example, Example Azure Origin becomes example-azure-origin. The Origin Key is part of the redirect URI you registered for your OAuth client in Azure; if the redirect URI you registered does not use this value, go back and edit it in Azure before continuing.

  5. Enter a Description. Space developers see this description when they select an identity provider for their app.

  6. Under Identity Provider type, select OpenID Connect.

    (Screenshot: New Identity Provider form for the Azure OIDC provider)

  7. Clear the Enable Discovery checkbox and enter the following values from the OpenID Connect metadata endpoint you constructed at the end of the previous section. All of these values must be copied exactly as the metadata endpoint returns them: SSO uses the Issuer to validate the iss claim of each ID token and the Token Key to fetch the signing keys it verifies the token signature against, so a mistyped value (including a missing trailing slash on the issuer) causes every login to fail.

    • For Authorization Endpoint URL, enter the authorization_endpoint value from the metadata endpoint.
    • For Token Endpoint URL, enter the token_endpoint value from the metadata endpoint.
    • For Token Key, enter the jwks_uri value from the metadata endpoint.
    • For Issuer, enter the issuer value from the metadata endpoint.
    • For User Info Endpoint URL, enter the userinfo_endpoint value from the metadata endpoint.
    • For Response Type, select id_token.
    • For Relying Party OAuth Client ID, enter the Application ID value recorded in the previous section.
    • For Relying Party OAuth Client Secret, enter the Client Secret value recorded in the previous section.

    (Screenshot: Azure OIDC endpoint and relying-party settings)

  8. Select openid as a scope. You can select additional scopes.

    (Screenshot: Azure OIDC scope selection)

  9. Under Advanced Settings > User Attributes, map user_name to unique_name. SSO uses the mapped user_name attribute to identify the authenticated user, so the claim you map it to (unique_name, in the Azure AD tokens used here) must be present in the ID token or user info response for every user who will log in.

  10. (Optional) Configure additional attribute mappings.

  11. Click Create Identity Provider to save your settings.

  12. (Optional) Enable identity provider discovery for the service plan.
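Before pasting values from the metadata endpoint into the form in step 7, it is worth checking them programmatically. The following is an added example (not code from the SSO product or from Azure) that maps an OIDC discovery document onto the form fields named above, derives the Origin Key from an Identity Provider Name as in step 4, and flags the mistakes that most often break the login flow. The metadata document embedded here is a constructed sample with an all-zero placeholder tenant ID in the shape Azure AD returns; the callback path used to build the expected redirect URI is an assumption about the SSO service and should be checked against your own plan's configuration.

```python
"""Check an OIDC discovery document before entering it into the SSO dashboard.

Added example for this page; not part of Pivotal SSO or Azure AD. It parses a
constructed discovery document (the shape returned by a
/.well-known/openid-configuration endpoint) and performs the sanity checks a
practitioner would want before copying values into the form.
"""
import json
from urllib.parse import urlparse

# Constructed sample in the shape of an Azure AD discovery document.
# The tenant ID is a placeholder; real values come from your own metadata endpoint.
_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = json.dumps({
    "issuer": f"https://sts.windows.net/{_TENANT}/",
    "authorization_endpoint": f"https://login.microsoftonline.com/{_TENANT}/oauth2/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{_TENANT}/oauth2/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "userinfo_endpoint": f"https://login.microsoftonline.com/{_TENANT}/openid/userinfo",
    "response_types_supported": ["code", "id_token", "code id_token", "token id_token", "token"],
    "scopes_supported": ["openid"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Discovery document key -> label of the field on the New Identity Provider form.
FIELD_MAP = {
    "authorization_endpoint": "Authorization Endpoint URL",
    "token_endpoint": "Token Endpoint URL",
    "jwks_uri": "Token Key",
    "issuer": "Issuer",
    "userinfo_endpoint": "User Info Endpoint URL",
}


def origin_key(display_name: str) -> str:
    """Derive the Origin Key the dashboard generates from an Identity Provider Name."""
    return "-".join(display_name.lower().split())


def expected_redirect_uri(auth_domain: str, display_name: str) -> str:
    """Redirect URI to register in Azure for this provider.

    Assumption: the SSO callback path is /login/callback/<origin key> on the
    plan's auth domain. Verify this against your own plan before relying on it.
    """
    return f"https://{auth_domain}/login/callback/{origin_key(display_name)}"


def sso_fields(metadata_json: str) -> dict:
    """Return {form label: value} for the manual (discovery disabled) settings."""
    meta = json.loads(metadata_json)
    missing = [k for k in FIELD_MAP if k not in meta]
    if missing:
        raise ValueError(f"discovery document lacks required keys: {missing}")
    return {label: meta[key] for key, label in FIELD_MAP.items()}


def check_metadata(metadata_json: str, response_type: str = "id_token") -> list:
    """Return a list of problems; an empty list means the values are safe to copy."""
    meta = json.loads(metadata_json)
    problems = []
    # Every endpoint SSO will contact, and the issuer it compares against the
    # iss claim, must be https: a plaintext token or JWKS fetch is interceptable.
    for key in FIELD_MAP:
        url = meta.get(key, "")
        if urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url!r}")
    if response_type not in meta.get("response_types_supported", []):
        problems.append(f"provider does not advertise response_type {response_type!r}")
    if "openid" not in meta.get("scopes_supported", []):
        problems.append("provider does not advertise the openid scope")
    if "none" in meta.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned ID tokens (alg none)")
    return problems


if __name__ == "__main__":
    for label, value in sso_fields(SAMPLE_METADATA).items():
        print(f"{label}: {value}")
    print("Redirect URI:", expected_redirect_uri("login.example.com", "Example Azure Origin"))
    print("Problems:", check_metadata(SAMPLE_METADATA) or "none")
```

Run it against the JSON your own metadata endpoint returns (replace SAMPLE_METADATA with the fetched body); any problem it reports should be resolved at the provider before you fill in the form, since SSO will reject or fail to verify tokens rather than work around a bad issuer or key URL.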
