Configure Plan-to-Plan OIDC Integration

Pivotal Web Services End of Availability Announced
For more information, see Frequently Asked Questions.

This topic describes how to set up the Plan-to-Plan OpenID Connect (OIDC) integration between two Single Sign-On service plans, one acting as an identity provider (“identity provider plan” or IDP) and one acting as a relying party (“relying party plan” or RP).

Doing this allows users from the identity provider plan to authenticate into the relying party plan through OIDC.

Set Up Relying Party Configurations in the Identity Provider Plan


  • Your IDP must be visible to your Org.
  • You must add the IDP as a service instance in a Space so you can access the app developer dashboard.

If you haven’t completed these prerequisites, see Create or Edit Service Plans.

  1. Navigate to Apps Manager.
  2. Select the Space.
  3. Click into the Service tab.
  4. Click to select the service you wish to modify.
  5. Click Manage.
  6. Click New App. The New App page appears.
  7. Type a name in the App Name field.
  8. Choose Web App from the list of Application Types.
  9. Type a temporary URL in the Auth Redirect URIs field. You’ll replace this URL when you have configured an identity provider on the relying party plan.
  10. In the Scopes field, type openid.
    Optionally, select openid from the list of Auto-Approved Scopes. By adding openid as an automatically approved scope, you will keep users from being prompted to authorize a login from the identity provider.
  11. Click Create App. If the app is created successfully, you will be prompted to download your app credentials.
  12. Click Download App Credentials to save the credentials for your application.

    Important: This is the last time you will be able to download your app credentials. Pivotal strongly recommends that you download the credentials and store them securely.

Set Up the OIDC Identity Provider Configuration in the Relying Party Plan

  1. Navigate to
  2. Log into the SSO dashboard using your administrator credentials.
  3. Click the Relying Party plan name and choose Manage Identity Providers from the dropdown.
  4. Click New Identity Provider. The New Identity Provider screen appears.
  5. Enter an Identity Provider Name. This string, in lowercase with dashes replacing spaces, will become your Origin Key. For example, “My Test Provider” will become “my-test-provider.”
  6. Enter a Description. This description will be visible to Space developers when they select an IDP for their application.
  7. Select OpenID Connect as the Identity Provider type. The OpenID Connect Settings appear.
  8. If you’re using a self-signed certificate where the IDP is located, select the Skip SSL Validation checkbox. If you’re not using a self-signed certificate, you can leave this box unchecked.
  9. Select the Enable Discovery checkbox and type in the Discovery Endpoint URL.
    This URL will be https://IDP_AUTH_DOMAIN/.well-known/openid-configuration, where IDP_AUTH_DOMAIN is the Auth Domain setting you entered when you created the IDP service plan you are integrating with.
  10. Fill in the Relying Party OAuth Client ID with the App Client ID from the previous section.
  11. Fill in the Relying Party OAuth Client Secret with the App Secret from the previous section.
  12. Confirm that openid is selected as a Scope by clicking All Selected.

Finalizing Configuration

Once you’ve created an app, you can return to the App page to finish configuration.

  1. Return to the app you created.
  2. Click Edit Config. The app configuration screen appears.
  3. Add a Auth Redirect URL. The URL should read https://RP_AUTH_DOMAIN/login/callback/ORIGIN_KEY, where the RP_AUTH_DOMAIN is the Auth Domain setting you entered during RP configuration and the ORIGIN_KEY is based on the IDP name you set in the SSO dashboard.
  4. Click Save Config.