Getting Started with Single Sign-On
This topic outlines the steps for accessing and configuring the Single Sign-On service.
Request a service plan to access the Single Sign-On service. The Single Sign-On service is available to users of Pivotal Web Services (PWS) with Enterprise support. The Single Sign-On service is a multi-tenant service, and a service plan corresponds to a tenant. This allows an enterprise to segregate users or environments using plans. Each service plan is accessible at a tenant-specific URL in the format
https://AUTH-DOMAIN.login.run.pivotal.io. You must request access to a service plan to access the Single Sign-On service from the services marketplace.
Edit a service plan. You can use the SSO dashboard to configure service plans at any time.
Create a service instance. Single Sign-On service plans can provide single sign-on capabilities for applications in various spaces. A service instance lets you bind an application to a service plan.
Configure an identity provider. In addition to the Internal User Store, you can configure external identity providers to provide single sign-on to applications. External identity providers must support SAML 2.0.
Configure your applications. Single Sign-On supports both Pivotal Cloud Foundry-hosted applications as well as externally hosted applications. Your applications must be able to request an OAuth or OpenID Connect token.
Create resources for your applications. If your registered applications need to make external API calls, you can assign the API endpoints as resources permitted for the application. This will whitelist the endpoints for use by the application or client.
A user’s role determines which parts of an SSO configuration it can manage. SSO uses the existing user roles Pivotal Administrator and Space Developer, as well as a SSO-specific Plan Administrator role. This chart shows the management permissions for each role.
|Management access by role||Pivotal Administrator||Plan Administrator||Space Developer|