Plan-to-Plan OIDC Integration Guide

Pivotal Web Services End of Availability Announced
For more information, see Frequently Asked Questions.

This topic describes how to set up the Pivotal Web Services (PWS) Single Sign-On (SSO) to integrate a SSO Service Plan as an OpenID Connect (OIDC) identity provider.

Service plans are represented in User Access and Administration (UAA) as identity zones. UAA provides the ability to integrate any two UAAs with one acting as the relying party and the other acting as the identity provider. This includes identity zones within the same multi-tenant UAA, as well as separate UAA instances, such as the Bosh UAA, Ops Manager UAA, or a standalone UAA (provided they are on a version that has OIDC implemented). This topic explains how you can perform the integration from one SSO service plan to another through the SSO service tile.


To integrate Plan-to-Plan OIDC with PWS, you need:

  • An active SSO Service Plan that will act as an identity provider
  • A second active SSO Service Plan that will act as the relying party
  • A user with Administrator privileges

Note: To configure OIDC, you must contact Pivotal to have Single Sign-On enabled for your PWS organizations through plan creation. You should be added as a plan administrator. For help configuring plans, see the Manage Service Plans topic.

Integrate a Plan-to-Plan OIDC for SSO

Complete this process to set up Plan-to-Plan OIDC integration for the SSO service. For more information, see Configure Plan-to-Plan OIDC Integrations.

Test the OIDC Connection

Once you’ve configured the Plan-to-Plan OIDC integration for SSO, you can test it to confirm it works. For more information, see Test OIDC Integrations.


For information about common configuration problems and error states, see Troubleshoot Plan-to-Plan OIDC Integrations.