Configure Plan-to-Plan OIDC Integration
This topic describes how to set up the Plan-to-Plan OpenID Connect (OIDC) integration between two Single Sign-On service plans, one acting as an identity provider (“identity provider plan” or IDP) and one acting as a relying party (“relying party plan” or RP).
Doing this allows users from the identity provider plan to authenticate into the relying party plan through OIDC.
- Your IDP must be visible to your Org.
- You must add the IDP as a service instance in a Space so you can access the app developer dashboard.
If you haven’t completed these prerequisites, see Create or Edit Service Plans.
- Navigate to Apps Manager.
- Select the Space.
- Click into the Service tab.
- Click to select the service you wish to modify.
- Click Manage.
- Click New App. The New App page appears.
- Type a name in the App Name field.
- Choose Web App from the list of Application Types.
- Type a temporary URL in the Auth Redirect URIs field. You’ll replace this URL when you have configured an identity provider on the relying party plan.
- In the Scopes field, type openid from the list of Auto-Approved Scopes. By adding openid as an automatically approved scope, you will keep users from being prompted to authorize a login from the identity provider.
- Click Create App. If the app is created successfully, you will be prompted to download your app credentials.
- Click Download App Credentials to save the credentials for your application.
Important: This is the last time you will be able to download your app credentials. Pivotal strongly recommends that you download the credentials and store them securely.
- Navigate to
- Log into the SSO dashboard using your administrator credentials.
- Click the Relying Party plan name and choose Manage Identity Providers from the dropdown.
- Click New Identity Provider. The New Identity Provider screen appears.
- Enter an Identity Provider Name. This string, in lowercase with dashes replacing spaces, will become your Origin Key. For example, “My Test Provider” will become “my-test-provider.”
- Enter a Description. This description will be visible to Space developers when they select an IDP for their application.
- Select OpenID Connect as the Identity Provider type. The OpenID Connect Settings appear.
- If the IDP uses a self-signed certificate, select the Skip SSL Validation checkbox. If it does not use a self-signed certificate, leave this box unchecked.
- Select the Enable Discovery checkbox and type in the Discovery Endpoint URL.
This URL will be
IDP_AUTH_DOMAIN is the Auth Domain setting you entered when you created the IDP service plan you are integrating with.
- Fill in the Relying Party OAuth Client ID with the App Client ID from the previous section.
- Fill in the Relying Party OAuth Client Secret with the App Secret from the previous section.
- Confirm that openid is selected as a Scope by clicking All Selected.
Once you’ve created an app, you can return to the App page to finish configuration.
- Return to the app you created.
- Click Edit Config. The app configuration screen appears.
- Add an Auth Redirect URL. The URL should read https://RP_AUTH_DOMAIN/login/callback/ORIGIN_KEY, where RP_AUTH_DOMAIN is the Auth Domain setting you entered during RP configuration and ORIGIN_KEY is based on the IDP name you set in the SSO dashboard.
- Click Save Config.
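The following check is an added example, not part of the original documentation or of the Single Sign-On product. It derives the Origin Key and the expected Auth Redirect URL as described above, then audits the redirect URIs registered on the IDP-plan app so that a leftover temporary URL, a plain-http entry, or a wrong Origin Key is caught before users log in. The function names, the finding labels, and the sample hosts are hypothetical, and the Origin Key rule is assumed to be exactly "lowercase, spaces replaced by dashes"; confirm the key against the value shown in the SSO dashboard.

```python
from urllib.parse import urlsplit


def origin_key(idp_name):
    """Origin Key as the page describes it: lowercase, spaces become dashes."""
    return idp_name.lower().replace(" ", "-")


def expected_callback(rp_auth_domain, idp_name):
    """Build https://RP_AUTH_DOMAIN/login/callback/ORIGIN_KEY."""
    return f"https://{rp_auth_domain}/login/callback/{origin_key(idp_name)}"


def audit_redirect_uris(registered, rp_auth_domain, idp_name):
    """Return (uri, finding) pairs for the app's Auth Redirect URIs."""
    want = expected_callback(rp_auth_domain, idp_name)
    findings = []
    for uri in registered:
        parts = urlsplit(uri)
        if uri == want:
            findings.append((uri, "ok"))
        elif parts.scheme != "https":
            findings.append((uri, "not https"))
        elif parts.hostname != rp_auth_domain.lower():
            # Typical cause: the temporary URL from app creation was never replaced.
            findings.append((uri, "wrong host"))
        else:
            # Right host, but the path is not /login/callback/ORIGIN_KEY.
            findings.append((uri, "wrong path"))
    if want not in registered:
        findings.append((want, "missing"))
    return findings


# Constructed sample values; replace with your own plan settings.
SAMPLE_RP_AUTH_DOMAIN = "rp-plan.login.example.com"
SAMPLE_IDP_NAME = "My Test Provider"
SAMPLE_REGISTERED = [
    "https://temporary.example.com/callback",
    "http://rp-plan.login.example.com/login/callback/my-test-provider",
    "https://rp-plan.login.example.com/login/callback/My-Test-Provider",
]

if __name__ == "__main__":
    for uri, finding in audit_redirect_uris(
        SAMPLE_REGISTERED, SAMPLE_RP_AUTH_DOMAIN, SAMPLE_IDP_NAME
    ):
        print(f"{finding:10} {uri}")
```

Any entry other than the single expected callback should be removed from the Auth Redirect URIs field, since each registered URI is a location the IDP plan will send authorization responses to.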