Manage Service Plans

This topic describes how Plan Administrators edit Single Sign-On service plans.

Single Sign-On is a multi-tenant service, which enables a deployment to host multiple tenants as service plans. Each service plan can have its own administrators, applications and users. This lets enterprises segregate access by using separate plans. For example, the following tenants might require separate plans:

  • Business units and geographical locations

  • Employees, consumers, and partners

  • Development, staging, and production instances

You may also want to configure an SSO Service Plan as an OpenID Connect (OIDC) identity provider. For more information, see Plan-to-Plan OIDC Integration Guide.

Edit Service Plans

You can use the SSO dashboard to configure service plans at any time.

Note: You must first request and gain access to at least one service plan for your organization.

  1. Log in to the SSO dashboard at using your administrator credentials.

  2. Click YOUR-PLAN > Edit Plan on the SSO dashboard to edit a Single Sign-On service plan.

  3. Edit the Plan Name.

  4. Enter a Description to appear as a plan feature in the Services Marketplace.

  5. Enter an Instance Name to appear on the login page and in other user-facing content, such as email communications.

  6. Add Plan Administrators. These users can view the plan and manage identity providers.

  7. Under Org Visibility, select which organizations in your Pivotal Cloud Foundry deployment should have access to your Single Sign-On service plan. If you do not select any organizations, the plan will not be available for use and it will not be displayed in the Services Marketplace.

  8. Click Create Plan. Your new plan appears in the Services Marketplace in the organizations you have selected. Users in those organizations can view the plan either in Apps Manager or through the CF CLI by entering cf marketplace in a terminal window.

Delete Service Plans

  1. Log in to the SSO dashboard at using your administrator credentials.

  2. Select the name of the plan you want to delete, and click Edit Plan in the drop-down menu.

  3. Select Delete at the bottom of the page.

  4. In the popup that appears, click Delete Plan to confirm that you want to delete the plan.

Note: This action cannot be undone. Deleting a Single Sign-On service plan removes from the SSO database all of the configurations, identity providers, users, application configurations and resources associated with the plan. It also deletes the associated service instances and service bindings. You must rebind any applications bound to the deleted service instances to new service instances.

Configure a Token Policy

Access tokens carry information about users and clients to servers that manage resources. Servers use access tokens to determine whether the client is authorized. Access tokens typically have a short expiration time. Refresh tokens carry the information necessary to retrieve a new access token after an existing access token expires. Refresh tokens typically have a longer expiration time than access tokens.

Note: The Single Sign-On service allows administrators to override the default expiry of access tokens (12 hours) and refresh tokens (30 days) by zone.

  1. Log in to the SSO dashboard at using your administrator credentials.

  2. Select the name of the plan you want to configure a token policy for, and click Configure in the drop-down menu.

  3. Enter the number of seconds for Access Token Expiration or select Use System Default.

  4. Enter the number of seconds for Refresh Token Expiration or select Use System Default.

  5. Click Save.
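
A check you can run after saving a token policy, added here as an example and not part of the original documentation or the Single Sign-On product: it reads the iat and exp claims of an issued access token and compares the resulting lifetime with the value entered for Access Token Expiration. It assumes the access token is a JWT carrying both claims; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Defaults stated on this page, converted to the seconds the dashboard expects.
DEFAULT_ACCESS_TOKEN_SECONDS = 12 * 60 * 60        # 12 hours
DEFAULT_REFRESH_TOKEN_SECONDS = 30 * 24 * 60 * 60  # 30 days


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Inspection only: never use this to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_lifetime_seconds(token):
    """Lifetime the issuer granted: exp minus iat, both in epoch seconds."""
    claims = jwt_claims(token)
    for name in ("iat", "exp"):
        if not isinstance(claims.get(name), int):
            raise ValueError("token has no integer '%s' claim" % name)
    return claims["exp"] - claims["iat"]


def matches_policy(token, expected_seconds, tolerance=0):
    """True if the token's lifetime equals the configured expiration."""
    return abs(token_lifetime_seconds(token) - expected_seconds) <= tolerance


def make_sample_token(iat, lifetime):
    # Constructed, unsigned sample standing in for a token issued by the plan.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"iat": iat, "exp": iat + lifetime}
    return ".".join([enc({"alg": "none"}), enc(payload), "constructed"])
```

A token that still shows the system default lifetime after an override was saved was issued under the old policy or by a different plan.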