Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Single Sign-On for PCF®
DocumentationVersion 1.4
Published: 11 March 2019
© 2019 Pivotal Software, Inc. All Rights Reserved.
23689
1013151722242835373839404243535562636471738082838789949697
101103107108112114120122123129131137138139143145152
Table of ContentsTable of ContentsSingle Sign-On OverviewRelease NotesInstallationGetting Started with Single Sign-OnUsing the System PlanManage Service PlansManage Service InstancesConfigure Identity ProvidersIdentity Provider DiscoveryManage UsersConfigure ApplicationsWeb AppNative Mobile AppSingle-Page Javascript AppService-to-Service AppManage ResourcesActive Directory Federation Services Integration Guide OverviewConfigure Active Directory Federation Services as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingAzure Active Directory SAML Integration Guide OverviewConfigure Azure Active Directory as a SAML Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingCA Single Sign-On Integration Guide OverviewConfigure CA Single Sign-On as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingGoogle Cloud Platform OIDC Integration Guide OverviewConfigure GCP as an OIDC Identity ProviderTestingTroubleshootingOkta Integration Guide OverviewConfigure Okta as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingPingFederate Integration Guide OverviewConfigure PingFederate as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingPingOne Cloud Integration Guide OverviewConfigure PingOne Cloud as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshooting
© Copyright Pivotal Software Inc, 2013-2018 2 1.2
SingleSign-OnOverview
ThistopicprovidesanoverviewoftheSingleSign-On serviceforPivotalCloudFoundry(PCF).
TheSingleSign-Onserviceisanall-in-onesolutionforsecuringaccesstoapplicationsandAPIsonPCF.TheSingleSign-Onserviceprovidessupportfornativeauthentication,federatedsinglesign-on,andauthorization.Operatorscanconfigurenativeauthenticationandfederatedsinglesign-on,forexampleSAML,toverifytheidentitiesofapplicationusers.Afterauthentication,theSingleSign-OnserviceusesOAuth2.0tosecureresourcesorAPIs.
SingleSign-OnTheSingleSign-Onserviceallowsuserstologinthroughasinglesign-onserviceandaccessotherapplicationsthatarehostedorprotectedbytheservice.Thisimprovessecurityandproductivitysinceusersdonothavetologintoindividualapplications.
Developersareresponsibleforselectingtheauthenticationmethodforapplicationusers.TheycanselectnativeauthenticationprovidedbytheUserAccountandAuthentication(UAA)orexternalidentityproviders.UAAisanopensourceidentityserverprojectundertheCloudFoundry(CF)foundationthatprovidesidentitybasedsecurityforapplicationsandAPIs.
SSOsupportsserviceprovider-initiatedauthenticationflowandsinglelogout.Itdoesnotsupportidentityprovider-initiatedauthenticationflow.AllSSOcommunicationtakesplaceoverSSL.
OAuth2.0AuthorizationAfterauthentication,theSingleSign-OnserviceusesOAuth2.0forauthorization.OAuth2.0isanauthorizationframeworkthatdelegatesaccesstoapplicationstoaccessresourcesonbehalfofaresourceowner.
DevelopersdefineresourcesrequiredbyanapplicationboundtoaSingleSign-On(SSO)serviceinstanceandadministratorsgrantresourcepermissions.SeetheConfigureApplicationstopicformoredetails.
ProductSnapshotThefollowingtableprovidesversionandversion-supportinformationaboutSingleSign-On forPCF:
Element Details
Version v1.4.6
Releasedate November9,2017
CompatibleOpsManagerversion(s) v1.11orlater
CompatibleElasticRuntimeversion(s) v1.11orlater
IaaSsupport AWS,GCP,OpenStack,andvSphere
UpgradingtotheLatestVersionConsiderthefollowingcompatibilityinformationbeforeupgradingSingleSign-OnforPCF.PivotalrecommendsupgradingPCFbeforeupgradingSSOtothesupportedversion.Forexample,whenupgradingfromPCFv1.10toPCFv1.11,upgradePCFsothatSSOv1.3isrunningonPCFv1.11,andthenupgradeSSOv1.3toSSOv1.4assoonaspossible.
ElasticRuntimeVersionSupportedUpgradesfromSSOVersions
From To
1.6.x 1.0.1–1.0.25 1.0.26
1.7.x1.0.1–1.0.26
1.1.41.1.0–1.1.3
1.1.0–1.1.4
Note:SingleSign-OnforPCFv1.4isnolongersupported.Thesupportperiodforv1.4hasexpired.Tostayup-to-datewiththelatestsoftwareandsecurityupdates,upgradetoasupportedversion.
© Copyright Pivotal Software Inc, 2013-2018 3 1.2
1.8.x 1.2.0–1.2.3 1.2.4
1.9.x&1.10.x 1.2.0–1.2.4 1.3.6
1.11.x 1.3.0-1.3.6 1.4.x
1.12.x1.4.1-1.4.6
1.5.31.5.0-1.5.2
2.0.x 1.5.3 1.6.0
2.1.x 1.6.0 1.6.x
SingleSign-OnforPCFInstallation
GettingStartedwithSingleSign-On
UsingtheSystemPlan
ManageServicePlans
ManageServiceInstances
ConfigureIdentityProviders
IdentityProviderDiscovery
ManageUsers
ConfigureApplications
AuthorizationCodeGrantTypeImplicitGrantTypeClientCredentialsGrantTypeResourceOwnerPasswordCredentialsGrantType
ManageResources
ActiveDirectoryFederationServices(ADFS)IntegrationGuideActiveDirectoryFederationServicesIntegrationGuide
ConfigureActiveDirectoryFederationServicesasanIdentityProviderConfigureSSOServiceTestingTroubleshooting
AzureActiveDirectoryIntegrationGuideAzureActiveDirectorySAMLIntegrationGuide
ConfigureAzureActiveDirectoryasaSAMLIdentityProviderConfigureSSOServiceTestingTroubleshooting
Note:TheSingleSign-OnservicetileoperatesinlockstepwithElasticRuntime.TheSSOv1.1.xtilesarecompatiblewithPCFv1.7.x
TheSSOv1.2.xtilesarecompatiblewithPCFv1.8.xandlater
TheSSOv1.3.xtilesarecompatiblewithPCFv1.9.xandlater
TheSSOv1.4.xtilesarecompatiblewithPCFv1.11.xandlater
Note:SSOv1.4.1–v1.4.3arenotcompatiblewithPCFv1.12withoutusingtheworkaroundinthecorrespondingKnowledgeBase article.
© Copyright Pivotal Software Inc, 2013-2018 4 1.2
CASingleSign-OnIntegrationGuideCASingleSign-OnIntegrationGuide
ConfigureCASingleSign-OnasanIdentityProviderConfigureSSOServiceTestingTroubleshooting
GoogleCloudPlatformOpenIDConnectIntegrationGuideGoogleCloudPlatformOpenIDConnectIntegrationGuide
ConfigureGCPasanOIDCIdentityProviderTestingTroubleshooting
OktaIntegrationGuideOktaIntegrationGuide
ConfigureOktaasanIdentityProviderConfigureSSOServiceTestingTroubleshooting
PingFederateIntegrationGuidePingFederateIntegrationGuide
ConfigurePingFederateasanIdentityProviderConfigureSSOServiceTestingTroubleshooting
PingOneCloudIntegrationGuidePingOneCloudIntegrationGuide
ConfigurePingOneasanIdentityProviderConfigureSSOServiceTestingTroubleshooting
AdditionalInformationReleaseNotes
© Copyright Pivotal Software Inc, 2013-2018 5 1.2
ReleaseNotes
ViewReleaseNotesforAnotherVersionToviewthereleasenotesforanotherproductversion,selecttheversionfromthedrop-downlistatthetopofthispage.
v1.4.x
v1.4.6ReleaseDate:November9,2017
PCFupdatedstemcellto3445series.ThisisasecurityupgradetobumpUbuntustemcellsforUSN-3420-2:Linuxkernel(XenialHWE)vulnerabilities.
v1.4.5ReleaseDate:October24,2017
Thisreleaseaddressesanissuewithmanagingserviceinstanceswhenmorethan50SpaceDevelopersexistwithinaspace.
v1.4.4ReleaseDate:September27,2017
ThisreleaseaddressestheupgradeissuesfortheSingleSign-OnServicetilewhenlegalfooterlinksareconfigured.
ThisreleaseaddressesaJavaBuildpackissuethatcausesrequiredmemorytoincreaseto1GB.
v1.4.3ReleaseDate:August30,2017
ThisisasecurityupgradethatresolvesthefollowingCVEs:
CVE-2017-8040
CVE-2017-8041
CVE-2017-8044
Additionalinformationcanbefoundathttps://pivotal.io/security .
v1.4.2ReleaseDate:June21,2017
PCFupdatedstemcellto3363series.ThisisasecurityupgradetobumpUbuntustemcellsforUSN-3334-1:Linuxkernel(XenialHWE)vulnerabilities.
v1.4.1ReleaseDate:June15,2017
What’sNew
ApplicationbootstrappingisavailableforappdeveloperstoautomatesandquicklyonboardclientandresourceconfigurationstoSingleSign-On.See
© Copyright Pivotal Software Inc, 2013-2018 6 1.2
theSetUpPCFAppstoUseSSO topicformoreinformation.
AdminUserManagementinterfaceenablesplanadministratorstobrowseandmanageusersacrosstheiridentityprovidersthroughasimpleuserinterfaceasopposedtothroughtheUIstohelpimproveproductivity.SeetheManageUserstopicformoreinformation.
OpenIDConnectandLDAPidentityproviderinterfacesarenowavailable.Planadministratorscannowimprovetheirproductivitybyutilizingasimpleuserinterfacetoconfigureandmaintaintheiridentityproviders.SeetheConfigureIdentityProviderstopicformoreinformation.
Youcanallowcustomattributestobemadeavailablethroughthe/userinfoendpointforyourexternalidentityproviders.Thiscanstreamlineuserattributesforyourapplications.Yourapplicationmusthavethe user_attributes tokenoncecustomattributesmappingsand Persist Custom Attributes areconfiguredforyouridentityprovider.
Youcanconfigurerequiredusergroupsthroughbootstrapping.Requireusergroupsaregroupsthatusersmusthaveinordertoauthenticatetoyourapplicationandobtainanaccesstoken.
© Copyright Pivotal Software Inc, 2013-2018 7 1.2
InstallationThistopicexplainshowtoinstallSingleSign-On(SSO)forPivotalCloudFoundry.
PrerequisitesPivotalCloudFoundry(OpsManager andElasticRuntime )version1.11orlater.
SSLCertificates.
ApplicationSecurityGroups.
InstallSSOviaOpsManager1. FromPivotalNetwork ,selectaSingleSign-Ontileversionanddownloadtheproductreleasefile.
2. FromtheOpsManagerInstallationDashboard,selecttheImportaProductbuttontouploadtheproductfile.
3. Clicktheplussigniconnexttotheuploadedproducttoaddthisproducttoyourstagingarea.
4. ClickontheSingleSign-Ontiletoenteranyconfigurations.
5. ClickApplyChangestoinstalltheproduct.
UpdateSSLandLoadBalancerYoumustupdatetheSSLcertificateforthedomainslistedbelowforeachplanyoucreate.Dependingonyourinfrastructureandloadbalancer,youmustalsoupdateyourloadbalancerconfigurationforthefollowingdomains:
*.SYSTEM-DOMAIN
*.APPS-DOMAIN
*.login.SYSTEM-DOMAIN
*.uaa.SYSTEM-DOMAIN
ConfigureApplicationSecurityGroupsTheSingleSign-Onservicerequiresthefollowingnetworkconnections:
TCPconnectiontoloadbalancer(s)onport443
TCPandUDPconnectiontoDomainNameServersonport53
(Optional)TCPconnectiontoyourexternalidentityprovideronport80or443
ToenableaccesstotheSingleSign-Onservice,youmustensureyourApplicationSecurityGroupallowsaccesstotheloadbalancer(s)anddomainnameserversthatprovideaccesstoCloudControllerandUAA.Optionally,youcanconfigureaccesstoyourexternalidentityprovidertoreceiveSAMLmetadata.Formoredetailsonhowtosetupapplicationsecuritygroups,seetheApplicationSecurityGroups topic.
Note:TheSingleSign-Onservicetilerequiresanetworkwithonlyonesubnetuntilversion1.3.0.Startingwith1.3.1multiplesubnetsaresupported.
Note:TheSSOIdentityServiceBrokerisdeployedasaPCFapplicationfromaBOSHerrand,andhasnoassociatedBOSHVMsthatrequireselectingacorrespondingnetwork.Ifyouareforcedtoselectanetworkduringinstallation,selecttheDeploymentnetwork,alsoknownasthePASorERTnetwork.
© Copyright Pivotal Software Inc, 2013-2018 8 1.2
GettingStartedwithSingleSign-OnThistopicoutlinesthestepsforinstallingandconfiguringtheSingleSign-On service.
InstallandSetUpSSOforApplications1. InstallSingleSign-OnviaOpsManager.
2. Createaserviceplan.TheSingleSign-Onserviceisamulti-tenantservice,andaserviceplancorrespondstoatenant.Thisallowsanenterprisetosegregateusersorenvironmentsusingplans.Eachserviceplanisaccessibleatatenant-specificURLintheformat https://AUTH-DOMAIN.login.SYSTEM-
DOMAIN .
3. Createaserviceinstance.SingleSign-Onserviceplanscanprovidesinglesign-oncapabilitiesforapplicationsinvariousspaces.Aserviceinstanceletsyoubindanapplicationtoaserviceplan.
4. Configureanidentityprovider.InadditiontotheInternalUserStore,youcanconfigureexternalidentityproviderstoprovidesinglesign-ontoapplications.
5. Configureyourapplications .SingleSign-OnsupportsbothPivotalCloudFoundry-hostedapplicationsaswellasexternallyhostedapplications.YourapplicationsmustbeabletorequestanOAuthorOpenIDConnecttoken.
6. Createresourcesforyourapplications.IfyourregisteredapplicationsneedtomakeexternalAPIcalls,youcanassigntheAPIendpointsasresourcespermittedfortheapplication.Thiswillwhitelisttheendpointsforusebytheapplicationorclient.
SSOUserRolesAuser’sroledetermineswhichpartsofanSSOconfigurationitcanmanage.SSOusestheexistinguserrolesPCFAdministratorandSpaceDeveloper,aswellasaSSO-specificPlanAdministratorrole.Thischartshowsthemanagementpermissionsforeachrole.
Managementaccessbyrole PCFAdministrator PlanAdministrator SpaceDeveloper
Serviceplans X
Serviceinstances X X X
Identityproviders X X
Applications X X X
Resources X X X
UsingSSOforPivotalCloudFoundryComponentsInadditiontoapplications,SSOsupportssinglesign-onforcomponentsofPivotalCloudFoundry,includingOpsManagerandAppsManager.ThisallowsusersalreadymanagedinanexternalidentityprovidertosignintoPivotalservices.RefertothefollowingpagesforinstructionsonconfiguringSSOtoenableusersinanexternalidentitystoretoaccessPCFcomponents:
OpsManager,onAmazonWebServices ,vSphere ,orOpenStack
AppsManager
© Copyright Pivotal Software Inc, 2013-2018 9 1.2
UsingtheSystemPlanThistopicexplainshowtousethesystemplanfortheSingleSign-On(SSO)serviceforPivotalCloudFoundry(PCF).Thesystemplanisthedefaultplanmeantfordeveloperapps,notend-userapps.
SSOforPCFcomeswithadefault system planthathasthefollowingfeatures:
Read-only
Minimalconfigurationoptions
Notdeletable
Allowsdeveloper-levelaccesstosystemcomponentslikeElasticRuntimeanditsAPIs
AvailableonlytoPCFadministrators
Restrictingthevisibilityofthissystemplantoasingle,developer-appsonlyorgsecuressystemcomponents,followingtheprincipleofleastprivilege.
Examplesofdeveloperappsincludescriptsorpipelinesthatpushotherappsandservices.AnyappthatusestheCloudFoundryAPIisadeveloperapp.
SystemPlanBestPracticePivotalrecommendsconfiguringyourorgsandSSOplansasfollowstopreventanyonefromapplyingthesystemplantoend-userapps:
1. Restrictalldeveloperappstoasingleorg.
2. Makethesystemplanvisibleonlytothedeveloper-appsorg.
3. ConfigureotherorgswithSSOserviceplansoftheirown.
Developerscanthenself-registertheirdevelopersappsinthedeveloper-appsorgforusebyotherdevelopers.
Administrators:ConfiguretheSystemPlanforanOrgPCFadministratorsfollowthestepsbelowtoenablethesystemplanandprovideaccesstoappdevelopers:
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.InyourElasticRuntimetileinOpsManager,theDomainsettingsshowyoursystemdomain,andtheCredentialstabshowstheUAAAdminCredentials.
2. NavigatetotheSystemPlanandenabletheplanintherelevantorg(s).
© Copyright Pivotal Software Inc, 2013-2018 10 1.2
Developers:CreateaSystemPlanInstanceforyourAppFollowthestepsbelowtocreateandusethe system serviceplanwithyourdeveloperapps.
1. FollowthestepstoCreateaServiceInstanceofSSO.
© Copyright Pivotal Software Inc, 2013-2018 11 1.2
2. IfyourapprunsonPCF,bindtheapplicationwiththeserviceinstanceyoucreated.SeetheBindanApplicationHostedonPCF topicformoreinformation.
3. IfyourappisapipelineorascriptthatrunsexternaltoPCFbutcallsPCFAPIs,dothefollowing:
a. FollowtheinstructionstoRegisteranExternalApplication andusetheguidelinesbelow:
ChooseNativeAppforyourapplicationtype.Intheappconfiguration,setavaluefortheRefreshtokenlifetimebasedonyourusecaseforautomatedaccess.
b. Togiveyouryourpipelineorscriptaccesstoyourresourceswithoutyourpresence,embedarefreshtokeninsteadofhardcodingyourcredentials:
i. Run uaac token sso get .ii. Attheprompts,entertheClientIDandSecretfromtheNextStepssectionoftheSSOdashboard.CopytheauthenticationURLfromthe
commandoutput.iii. PastetheauthenticationURLintoabrowser,andloginusingyourUAAAdminCredentials.iv. CopytheTemporaryAuthenticationCodefromthebrowserintotheUAACtofinishtheauthentication.v. Run uaac context .vi. Copythevalueoftherefreshtokenandusethatinyourcodetogetanewtokenbasedonyourclientidandsecretusingthestandard
OAuthrefreshtokenflowasdescribedintheUAAAPIdocumentation .
Developers:RevokeSystemPlanAccessforanExternalAppTorevokesystemplanaccessfromanappthatisexternaltoPCFandisregisteredwiththesystemplantoaccessPCFcomponents,dooneofthefollowing:
RegeneratetheAppSecret
Deletetheapp
© Copyright Pivotal Software Inc, 2013-2018 12 1.2
ManageServicePlansThistopicdescribeshowPivotalCloudFoundry(PCF)AdministratorsmanageSingleSign-Onserviceplans.
SingleSign-Onisamulti-tenantservice,whichenablesadeploymenttohostmultipletenantsasserviceplans.Eachserviceplancanhaveitsownadministrators,applicationsandusers.Thisletsenterprisessegregateaccessbyusingseparateplans.Forexample,thefollowingtenantsmightrequireseparateplans:
Businessunitsandgeographicallocations
Employees,consumers,andpartners
Development,staging,andproductioninstances
AdministratorscancreatenewSingleSign-OnserviceplansatanytimefromtheSSOdashboard.
CreateorEditServicePlansYoucanusetheSSOdashboardtocreateandconfigureserviceplansatanytime.
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClickNewPlanontheSSOdashboardtocreateanewSingleSign-Onserviceplan.
Note:Youmustcreateatleastoneplanforanyservicebeforeyourapplicationscanuseit.
© Copyright Pivotal Software Inc, 2013-2018 13 1.2
3. EnteraPlanName.
4. EnteraDescriptiontoappearasaplanfeatureintheServicesMarketplace.
5. EnteranAuthDomaintobetheURLwhereusersauthenticatetoaccessapplicationscoveredbytheserviceplan.
6. EnteranInstanceNametoappearontheloginpageandinotheruser-facingcontent,suchasemailcommunications.
7. AddPlanAdministrators.Theseuserscanviewtheplanandmanageidentityproviders.
8. UnderOrgVisibility,selectwhichorganizationsinyourPivotalCloudFoundrydeploymentshouldhaveaccesstoyourSingleSign-Onserviceplan.Ifyoudonotselectanyorganizations,theplanwillnotbeavailableforuseanditwillnotbedisplayedintheServicesMarketplace.
9. ClickCreatePlan.YournewplanappearsintheServicesMarketplaceintheorganizationsyouhaveselected.UsersinthoseorganizationsviewtheplaneitherinAppsManagerorthroughtheCFCLIbyentering cf marketplace inaterminalwindow.
DeleteServicePlans1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin
yourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. Selectthenameoftheplanyouwanttodelete,andclickEditPlaninthedrop-downmenu.
3. SelectDeleteatthebottomofthepage.
4. Inthepopupthatappears,clickDeletePlantoconfirmthatyouwanttodeletetheplan.
ConfigureaTokenPolicyAccesstokenscarryinformationaboutusersandclientstoserversthatmanageresources.Serversuseaccesstokenstodeterminewhethertheclientisauthorizedornot.Accesstokenstypicallyhaveashort-livedexpirationtime.Refreshtokenscarryinformationnecessarytoretrieveanewaccesstokenafteranexistingaccesstokenexpires.Refreshtokenstypicallyhavealongerexpirationtimethanaccesstokens.
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. Selectthenameoftheplanyouwanttoconfigureatokenpolicyfor,andclickConfigureinthedrop-downmenu.
3. EnterthenumberofsecondsforAccessTokenExpirationorselectUseSystemDefault.
4. EnterthenumberofsecondsforRefreshTokenExpirationorselectUseSystemDefault.
5. ClickSave.
Note:Thisactioncannotbeundone.DeletingaSingleSign-OnserviceplanremovesfromtheSSOdatabasealloftheconfigurations,identityproviders,users,applicationconfigurationsandresourcesassociatedwiththeplan.Italsodeletestheassociatedserviceinstancesandservicebindings.Youmustrebindanyapplicationsboundtothedeletedserviceinstancestonewserviceinstances.
Note:TheSingleSign-Onserviceallowsadministratorstooverridethedefaultexpiryofaccesstokens(12hours)andrefreshtokens(30days)byzone.
© Copyright Pivotal Software Inc, 2013-2018 14 1.2
ManageServiceInstancesThistopicdescribeshowSpaceDeveloperscreateaninstanceofaSingleSign-Onserviceplanintheirspaceandbindittoanapplication.
CreateServiceInstances1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN asaSpaceDeveloper.
2. Navigatetotheorganizationthattheserviceplanisenabledfor.
3. SelectMarketplaceandselecttheSingleSign-Onserviceyouwanttocreateaninstanceof.
4. ChooseyourserviceplanandclickSelectthisplan.
5. IntheConfigureInstancebox,enteranInstanceName.
1. FromtheAddtoSpacedrop-downmenu,chooseaspacefortheinstance.Thisspacehostsyourapplication.Thedefaultis development .
2. FromtheBindtoAppdrop-downmenu,chooseanapplicationtobindtheserviceinstanceto.Thisoptiondefaultsto [do not bind] .Ifyoudonotbindtheinstancetoanapp,youcanbinditatalatertime.
3. ClickAddtocreatetheserviceinstance.
DeleteServiceInstances1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN asaSpaceDeveloper.
2. Navigatetotheorganizationandspacethatcontaintheserviceinstanceyouwanttodelete.
3. UnderServicesinthespacepage,findyourserviceinstanceandclickDelete.
4. ClickDeleteonthepop-uptoconfirmthatyouwanttodeletetheserviceinstanceandservicebindings.
Note:Thisactioncannotbeundone.DeletingaSingleSign-Onserviceinstancedeletestheconfigurationsontheserviceinstance,aswellasthe
© Copyright Pivotal Software Inc, 2013-2018 15 1.2
associatedservicebindings.Youmustbindanyapplicationsboundtothedeletedserviceinstancetoanewserviceinstance.
© Copyright Pivotal Software Inc, 2013-2018 16 1.2
ConfigureIdentityProvidersThistopicdescribeshowPivotalCloudFoundry(PCF)administratorsconfigureaSingleSign-On(SSO)serviceplantomanageuseraccesstoPCFapps,foruserswithaccountsintheinternaluserstoreorwithexternalidentityproviders.
ConfigureInternalUserStore1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.
FindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickInternalUserStoreandselectEditProviderfromthedrop-downmenu.
4. (Optional)UnderAuthenticationPolicyselectoneofthefollowing:
DisableInternalAuthentication:Thisoptionpreventsauthenticationagainsttheinternaluserstore.Youmusthaveatleastoneexternalidentityproviderconfigured.
DisableUserManagement:Thisoptionpreventsallusers,includingadministrators,fromperformingactionsoninternalusers.
5. UnderPasswordPolicySettings,selectUseRecommendedSettings,UseDefaultSettings,orentercustomsettingsinthefieldsbelow.
6. ClickSaveIdentityProvider.
AddInternalUsersFromtheCommandLineYoucanusetheInternalUsersadminpanetosendinvitationstousers,sothattheycanaddthemselvestotheinternaluserstore.Butyoucannotusetheadminpanetoaddusersdirectly.
Tocreatenewinternaluseraccountsdirectly,supplyingtheuser’sname,emailaddressandotherinfo,usetheUAACommandLineInterface(UAAC)asfollows:
1. IfyoudonotalreadyhavetheUAACinstalled,run gem install cf-uaac inaterminalwindow.
2. Createanadminclient thatcanmanageusersintheServicePlan.Includethefollowingscopesfortheclient:
clients.admin
scim.read
scim.write
3. RecordtheAppIDandAppSecret.TheseareusedasyourclientIDandclientsecret.
4. TargettheauthdomainofyourSSOserviceplan.ThisistheURLyouprovidedwhencreatingaServicePlanintheSSOdashboard.
$ uaac target https://YOUR-AUTH-DOMAIN.login.YOUR-SYSTEM-DOMAIN
5. FetchtheAppIDtokenfortheadminclientcreatedabove.
$ uaac token client get ADMIN-CLIENT-IDClient secret:
6. Whenpromptedwith Client secret ,entertheAppSecretadminclientsecretrecordedabove.
7. Addnewusersbyprovidingtheuser’semailaddress,username,andpassword.
Note:TheloginpagedoesnotincludetheEmailandPasswordfieldsifyouselectthisoption.
Note:TheloginpagedoesnotincludeCreateAccountandResetPasswordlinksifyouselectthisoption.
© Copyright Pivotal Software Inc, 2013-2018 17 1.2
$ uaac user add --emails [email protected] name: YOUR-USERPassword: ****Verify password: ****user account successfully added
8. (Optional)Youcanalsocreategroupsandadduserstothem.
$ uaac group addGroup name: YOUR-GROUPmetaversion: 0created: 2016-02-19T23:17:17.000Zlastmodified: 2016-02-19T23:17:17.000Zschemas: urn:scim:schemas:core:1.0id: 8725b5fd-8da2-4cfc-89b1-c57048f089c2displayname: YOUR-GROUP
Toaddamembertoyournewgroup,usethefollowingcommand.
$ uaac member add YOUR-GROUP YOUR-USER
DefinePasswordPolicyfortheInternalUserStoreAdministratorscandefinethepasswordpolicyforSSOusersintheinternaluserstore.Thepasswordpolicyenforcesrulesthatrestrictthekindsofpasswordsuserscancreate.
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickInternalUserStoreandselectEditProviderfromthedrop-downmenu.
4. ConfigurethefollowingunderthePasswordComplexitysection:
MinLength:Specifytheminimumpasswordlength.Uppercase:Specifytheminimumnumberofuppercasecharactersrequiredinapassword.Lowercase:Specifytheminimumnumberoflowercasecharactersrequiredinapassword.SpecialCharacters:Specifytheminimumnumberofspecialcharactersrequiredinapassword.Numerals:Specifytheminimumnumberofnumericcharactersrequiredinapassword.
5. ConfigurethefollowingundertheLockoutPolicysection:
FailuresAllowed:Specifythenumberoffailedloginattemptsallowedperhourbeforeauserislockedout.LockoutPeriod:Specifythenumberofsecondsauserislockedoutforafterexcessivefailedloginattempts.PasswordExpires:Specifythenumberofmonthspasswordsarevalidforbeforeusersneedstoenteranewpassword.
6. ClickSaveIdentityProvider.
ConfigureServiceProviderSAMLSettingsForeachplan,theSingleSign-OnserviceallowsyoutoconfigureSAMLsettingswhenSAMLisusedforexchangingauthenticationandauthorizationdatabetweentheidentityproviderandtheserviceprovider.TheSSOserviceprovidestheabilitytosignauthenticationrequestsandrequiresignedassertionsfromtheexternalidentityprovider.
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickConfigureSAMLServiceProvider.
4. Configurethefollowingsettings:
© Copyright Pivotal Software Inc, 2013-2018 18 1.2
Performsignedauthenticationrequests:Theserviceprovidersignsrequestssenttotheexternalidentityprovider.Requiresignedassertions:Theserviceproviderrequiresthatresponsesfromtheexternalidentityprovideraresigned.
5. ClickSavetosavetheconfigurations.
6. ClickDownloadMetadata.
AddanExternalIdentityProviderSeethefollowingsetsofinstructionsforhowtoconfiguretheSSOservicetouseexternalidentityprovidersthatsupportSAML2.0,OpenIDConnect(OIDC),andLDAP.
AddaSAMLProvider1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin
yourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickNewIdentityProvider.
4. EnteranIdentityProviderName.
5. Select SAML 2.0 astheIdentityProviderType.
6. EnteraDescription.ThisisdisplayedtoSpaceDeveloperswhentheyselectanidentityproviderfortheirapp.
7. Entertheexternalidentityprovidermetadatainoneofthefollowingways:
Option1:ProvidetheIdentityProviderMetadataURLandclickFetchMetadata.Option2:ClickUploadIdentityProviderMetadatatouploadXMLmetadatathatyoudownloadedfromyourexternalidentityprovider.
8. ConfigureanyUserAttributestopropagatefromtheidentityprovidertotheserviceprovider.Theseattributescanincludeemailaddresses,firstorlastnames,orexternalgroups.TheyaresenttoappsviaOpenIDtokens,alongwithanyotherstoreduserinformationissuedbytheSingleSign-Onservice.
SelectaUserSchemeAttributefromthedrop-downmenu.EnteraSAMLAttributeNamewiththecorrespondingattributefromtheincomingSAMLassertion.
9. ConfigureanyCustomAttributestopropagatefromtheidentityprovidertotheserviceprovider.TheseattributesaresenttoappsviaOpenIDtokensissuedbytheSingleSign-Onservice.
EnteraCustomAttributeName.EnteraSAMLAttributeNamewiththecorrespondingattributefromtheincomingSAMLassertion.
10. (Optional)CheckPersistCustomAttributesifyouwanttoexposecustomuserattributesthroughthe /userinfo endpoint.Yourappmustalsohavethe user_attributes scopeassignedinorderforthecustomattributestoappear.
11. ClickCreateIdentityProvidertosavetheidentityprovider.
AddanOIDCProvider1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin
yourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
Note:IfyouchoosetouploadtheIdentityProviderMetadataasanXMLfile,youwillbeunabletousetheFetchMetadataoptiontoupdateyourIdentityProvidermetadatalater.IfmetadatachangesontheIdentityProviderside,youwillhavetomanuallyre-uploadthemasanupdatedXMLfile.
Note:ToconfiguretheserviceproviderSAMLsettings,suchasthesigningofauthenticationrequestsandincomingassertions,clickonConfigureSAMLServiceProviderontheIdentityProviderspage.
© Copyright Pivotal Software Inc, 2013-2018 19 1.2
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickNewIdentityProvider.
4. EnteranIdentityProviderName.
5. EnteraDescription.ThisisdisplayedtoSpaceDeveloperswhentheyselectanidentityproviderfortheirapp.
6. Select OpenID Connect astheIdentityProviderType.
7. EntertheexternalOpenIDConnect(OIDC)identityprovidermetadatainoneofthefollowingways:
Option1:SelecttheEnableDiscoverycheckbox,providetheDiscoveryEndpointURL,RelyingPartyOAuthClientID,andRelyingPartyOAuthClientSecretandclickFetchScopes.Option2:CleartheEnableDiscoverycheckboxandprovidetheAuthorizationEndpointURL,TokenEndpointURL,TokenKey(URL),RelyingPartyOAuthClientID,andRelyingPartyOAuthClientSecret.
8. SelecttheapplicableScopesfortheOIDCidentityprovider.
9. ConfigureanyUserAttributestopropagatefromtheidentityprovidertotheserviceprovider.Theseattributescanincludeemailaddresses,firstorlastnames,orexternalgroups.TheyaresenttoappsviaOpenIDtokens,alongwithanyotherstoreduserinformationissuedbytheSingleSign-Onservice.
SelectaUserSchemeAttributefromthedrop-downmenu.EnteranIDTokenAttributeNamewiththecorrespondingattributefromtheincomingOIDCIDtoken.
10. ConfigureanyCustomAttributestopropagatefromtheidentityprovidertotheserviceprovider.TheseattributesaresenttoappsviaOpenIDtokensissuedbytheSingleSign-Onservice.
EnteraCustomAttributeName.EnteranIDTokenAttributeNamewiththecorrespondingattributefromtheincomingOIDCIDtoken.
11. (Optional)CheckPersistCustomAttributesifyouwanttoexposecustomuserattributesthroughthe /userinfo endpoint.Yourappmustalsohavethe user_attributes scopeassignedinorderforthecustomattributestoappear.
12. ClickCreateIdentityProvidertosavetheidentityprovider.
AddanLDAPIdentityProviderWhenintegratingwithanexternalidentityproviderforLDAP,authenticationbecomeschained.Anauthenticationattemptwithauser’scredentialsisfirstattemptedagainsttheinternaluserstorebeforetheexternalLDAPidentityprovider.Toavoidusernamecollision,donotbootstraporcreateusersintheUAAdirectly.YoumayonlyhaveoneLDAPexternalidentityproviderperserviceplan.
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickNewIdentityProvider.
4. EnteranIdentityProviderName.
5. EnteraDescription.ThisisdisplayedtoSpaceDeveloperswhentheyselectanidentityproviderfortheirapp.
6. Select LDAP astheIdentityProviderType.YoumayonlyhaveoneLDAPproviderperServicePlan.
7. EntertheexternalLDAPidentityproviderconfigurations:
a. EntertheHostnameandPort.b. SelecttheapplicableSecurityprotocol.c. SelecttheapplicableReferral.d. EntertheUserDNandBindPasswordforyourLDAPserviceaccount.e. UndertheUserssection,entertheSearchBase.f. UndertheUserssection,youmayalsoenterinSearchFilter(Optional).g. UndertheUserssection,youmayselectJustinTimeProvisioning.Ifthisoptionisenabled,userswillbecreatedatlogintime.Ifthisoptionis
notenabled,usersmustbecreatedpriortobeingabletologin.h. UndertheGroupssection,youmayenterinentertheSearchBase(optional)andSearchFilter(optional)inordertoassociateLDAPgroups
withyouruser.Ifyouwishtousethe memberOf attributeonuserobjects,youcanenterinthevalue memberOf astheSearchBaseinsteadof
© Copyright Pivotal Software Inc, 2013-2018 20 1.2
anLDAPpathforagroupOU,andtheSearchFiltervaluewillbeignored.
8. ConfigureanyUserAttributestopropagatefromtheidentityprovidertotheserviceprovider.Theseattributescanincludeemailaddresses,firstorlastnames,orexternalgroups.TheyaresenttoappsviaOpenIDtokens,alongwithanyotherstoreduserinformationissuedbytheSingleSign-Onservice.
SelectaUserSchemeAttributefromthedrop-downmenu.EnteranLDAPAttributeNamewiththecorrespondingattributefromLDAP.
9. ConfigureanyCustomAttributestopropagatefromtheidentityprovidertotheserviceprovider.TheseattributesaresenttoappsviaOpenIDtokensissuedbytheSingleSign-Onservice.
EnteraCustomAttributeName.EnteranLDAPAttributeNamewiththecorrespondingattributefromLDAP.
10. (Optional)CheckPersistCustomAttributesifyouwanttoexposecustomuserattributesthroughthe /userinfo endpoint.Yourappmustalsohavethe user_attributes scopeassignedinorderforthecustomattributestoappear.
11. ClickCreateIdentityProvidertosavetheidentityprovider.
DeleteanExternalIdentityProvider1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin
yourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. Clickonthenameofyourexternalidentityprovider.
4. ClickDeleteatthebottomofthepage.
5. Inthepopupthatappears,clickDeleteIdentityProvidertoconfirmthatyouwanttodeletetheidentityprovider,alongwithallofitsconfigurations.
ConfigureGroupWhitelistforanExternalIdentityProviderAnadministratorcanincludegroupsfromanexternalidentityproviderinaGroupWhitelist.ThelistofgroupsinthewhitelistpropagatesintheIDtokenwhenauserauthenticatesthroughanexternalidentityprovider.AnappcanthenretrievefromtheIDtokenthelistofexternalgroupsthattheuserbelongsto.Anadministratorcanusethesegroupstoassignpermissionsbygroupratherthanindividualusers.
Formoredetailsonhowtocreateresourcepermissionmappings,seeCreateorEditResourcePermissions.
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickonthenameofyourexternalidentityproviderandselectGroupWhitelistfromthedrop-downmenu.
4. Addagroupnamefromyourexternalidentityprovider.
5. ClickSaveGroupWhitelist.
Note:Deletinganexternalidentityproviderdeletesallofitsconfigurations.Userswillnolongerbeabletoauthenticateusingtheexternalidentityprovider.Thisactioncannotbeundone.
Note:ForanapptoretrieveaGroupWhitelistcontainingexternalgroups,theappmustrequestthe roles scope,andtheGroupWhitelistmustlisttheexternalgroup.
© Copyright Pivotal Software Inc, 2013-2018 21 1.2
IdentityProviderDiscoveryThistopicdescribesIdentityProvider(IdP)DiscoveryandhowtoconfigureitforyourPivotalCloudFoundry(PCF)appsthatusetheSingleSign-On(SSO)service.
WhatitDoesIfuserswithdifferentemaildomainsaccessthesamePCFapp,youcanconfigureSSOtoauthenticatethemthroughdifferentidentityproviders.
Inthissituation,IdPDiscoverystreamlinestheloginexperiencebyautomaticallyredirectingtheusertotheirownIdPandshieldingthemfromseeingtheIdPsofotherappusers.
Whenauserlogsintoanapp,anaccountchooserautofillstheiremailaddressfromanypreviouslogin,orpresentsachoiceiftheyhaveloggedinfrommorethanoneaccount.Userscanaddorremoveaccountsfromtheaccountchooser.
ExampleAsanexample,consideranappusedbyacompany @company.com anditscompetingsuppliers @supplier-1.com and @supplier-2.com .WithIdPDiscovery,usersfromallthreecompaniescanloginfromthesamepage,anddonothavetoseeorchoosefromalistofloginoptionsthatcoversallthedomains.IdPDiscoveryascertainseachuser’sIdPfromtheiremaildomain.
EnableIdPDiscoveryIdPDiscoveryisassociatedwithaserviceplan,andconfiguredfortheappsboundtoinstancesofthatplan.ToenableIdPDiscoveryforaserviceplanandtheappsthatuseit,youmustbeaPCFAdministratororaPlanAdministrator.
1. EnableIdPDiscoveryfortheSSOServicePlaninstancethatyourappisboundto:
a. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
b. ClicktheplannameandselectConfigureundertheplanmenu.c. SelectthecheckboxundertheIdentityProviderDiscoverysectionandclickSave.
© Copyright Pivotal Software Inc, 2013-2018 22 1.2
2. ClicktheplannameandselectManageIdentityProvidersundertheplanmenu.
3. EntertheEmaildomainsyouwanttoincludeasacomma-separatedlistundertheconfigurationpagefortheidentityproviderplan.
4. InAppsManager,navigatetoyourspace,opentheServicetab,andselectyourserviceinstance.
5. ClicktheManagelinkundertheservicename,andedittheappconfigurationbyselectingtherequiredIdentityProviders.
© Copyright Pivotal Software Inc, 2013-2018 23 1.2
ManageUsersThistopicdescribeshowaPivotalCloudFoundry(PCF)PlanAdministratorusestheSingleSign-On(SSO)servicetomanageuseraccesstoPCFapps,foruserswithaccountsintheinternaluserstoreorwithexternalidentityproviders.
ManageUsersinanInternalUserStoreTheSSOservicehasanInternalUsersadminpanethatletsyoumanageuseraccountsinPCF’sinternaluserstore:inviteanddeleteusers,requestuserstoresettheirpasswords,andupdateuserattributesandpermissions.
ToopentheInternalUserspane:
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.FindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickInternalUserStoreandselectInternalUsersfromthedrop-downmenu.Thisbringsyoutotheadminscreen.
FromtheInternalUserspane,youcan:
InviteusersbyclickingInviteUser,enteringtheiremailaddress,andclickingSendInvite.
SearchexistingusersbyenteringavalueintothesearchbarandclickingSearch.Enteringablankvaluereturnsallusersintheserviceplan’sinternaluserstore.
© Copyright Pivotal Software Inc, 2013-2018 24 1.2
ResendaninvitetoanunverifieduserbyselectingthecheckboxnexttotheirusernameandclickingResendInvite.
AskaverifiedusertoresettheirpasswordbyselectingthecheckboxnexttotheirusernameandclickingResetPassword.
DeleteauserbyselectingthecheckboxnexttotheirusernameandclickingDeleteUser.
Viewinformationaboutauserbyclickingtheirusername.
UpdateauserprofileincludingtheirEmail,FirstName,LastName,andPhoneNumberbyenteringtheupdatedvaluesandclickingSaveUser.
ViewuserpermissionsbyclickingthePermissionstab.
UpdateuserpermissionsbyselectingthecorrespondingpermissionsandclickingSaveUser.
ManageUsersfromanExternalIdentityProviderForeachexternalidentityproviderthattheSSOserviceconnectsto,ausersadminpane(example:OktaSSOUsers)letsyoubrowse,delete,andupdatePCFpermissionsforuseraccountsfromexternalidentityproviders.
Toopentheexternalidentityproviderusersadminpane:
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClicktheexternalidentityprovideryouwanttomanageandselecttheUserschoicefortheproviderfromthedrop-downmenu.Thisbringsyoutotheusersadminpane.
Fromtheexternalidentityproviderusersadminpane,youcan:
SearchexistingusersbyenteringavalueintothesearchbarandclickingSearch.Enteringablankvaluereturnsallusersintheserviceplan’sinternal
© Copyright Pivotal Software Inc, 2013-2018 25 1.2
userstore.
DeleteauserbyselectingthecheckboxnexttotheirusernameandclickingDeleteUser.
Viewinformationaboutauserbyclickingtheirusername.
ViewuserpermissionsbyclickingthePermissionstab.
UpdateuserpermissionsbyselectingthecorrespondingpermissionsandclickingSaveUser.
ManageUserswiththeUAACLI(UAAC)YoumayalsousetheUAACLI(UAAC)tomanageusersfortheSSOservice.Youcanusethisapproachtoprogramaticallycreatenewinternalusersorassigngroups(scopes)toanyuser(whetherinternalorexternal).Theseoperationsrequireadministrativeaccessthroughanadminclientthatmustbeconfiguredbyanadministratorfortheserviceplan.
Note:ClientsandGroupsforSSOshouldbecreateddirectlythroughtheSSOUIorthroughapplicationmanifestbootstrapping.DonotcreatethesethroughUAAC,asadditionalmetadataisrequiredfortheirusagebySSO.
© Copyright Pivotal Software Inc, 2013-2018 26 1.2
1. InstalltheUAACLI, uaac .
$ gem install cf-uaac
2. Usethe uaac target AUTH-DOMAIN commandtotargetyourserviceplan.AuthDomainsettingyouenteredwhenyoucreatedtheserviceplan.
$ uaac target my-auth-domain.login.example.com
3. RecordtheAppIDandAppSecretfromyouradminclientcreatedusingthestepshere .Youwillneedtogiveyouradminclient scim.read toreaduserinformation.Youcangiveyouradminclienteither scim.write tocreateusersandmodifygroup(scope)membershipsor scim.create toonlycreateusers.
4. Run uaac token client get ADMIN-APP-ID -s ADMIN-APP-SECRET toauthenticateandobtainanaccesstokenfortheadminclientforyourserviceplan.Replace ADMIN-APP-ID withyourAppIDand ADMIN-APP-SECRET withyourAppSecret.UAACstoresthetokenin ~/.uaac.yml .
$ uaac token client get MyAdminAppId -s MyAdminAppSecret
5. Usethe uaac contexts commandtodisplaytheusersandapplicationsauthorizedbyyourserviceplan,andthepermissionsgrantedtoeachuserandapplication.Checkthatyouhavethesufficient scim.write or scim.create permissionsunderthe scope section.
$ uaac contexts
[1]*[admin] client_id: MyAdminAppId access_token: aBcdEfg0hIJKlm123.e token_type: bearer expires_in: 43200 scope: scim.read scim.write jti: 91b3-abcd1233
6. Runthefollowingcommandtocreateanewinternaluser: uaac user add NEW-USERNAME -p NEW-PASSWORD --emails NEW-EMAIL Replace NEW-USERNAME , NEW-PASSWORD ,and NEW-EMAIL withappropriateinformation.
$ uaac user add Adam -p newSecretPassword --emails [email protected]
7. Run uaac member add GROUP USERNAME toaddanygrouptoanyuser(internalorexternal).Replace GROUP and USERNAME withappropriateinformation.
$ uaac member add my-app.my-scope Adam
8. Run uaac member delete GROUP USERNAME todeleteanygroupfromtoanyuser(internalorexternal).Replace GROUP and USERNAME withappropriateinformation.
$ uaac member delete my-app.my-scope Adam
© Copyright Pivotal Software Inc, 2013-2018 27 1.2
ConfigureApplicationsThistopicexplainshowPivotalCloudFoundry(PCF)developersconfiguretheirappstousetheSingleSign-On(SSO)service,writeSSOintegrationintotheirapps,andusetheSSOAdminClienttomanageconnectionsbetweenSSOidentityproviders,apps,usersandotherresources.
DetermineYourSSOApplicationTypeBeforeyoubindorregisteranapp,youmustdetermineitsSSOapplicationtypeandthecorrespondingOAuthgranttype.
Ifyourappauthenticatesendusers,itsapplicationtypeisWebApp,NativeMobileApp,orSingle-PageJavaScriptApp.Iftheappdoesnotauthenticateendusers,butratheraccessesotherservicesorAPIsonitsownbehalf,thenitstypeisService-to-ServiceApp.
Seethetablebelowtodetermineyourapp’sSSOApplicationTypeandOAuthGrantType:
ApplicationType SSOApplicationType OAuthGrantType
Web WebApp authorization code
NativeMobile,Desktop,orCommandLine NativeMobileApp password (theresourceowner’spassword)
Single-PageJavaScript Single-PageJavaScriptApp implicit
Service-to-Service Service-to-ServiceApp client_credentials
SetUpPCFAppstoUseSSOToconfigureSSOforanapprunninginternallyonPCF,youfirstneedtodeterminetheSSOapplicationtypeoftheappthatwillusetheSSOservice.
ThenyouconfigureyourSSOservicefortheappusingenvironmentvariablesandbindtheapptoanSSOserviceinstance.Thesestepsaredescribedbelow.
ConfigureSSOPropertiesTheSSOservicereadsitsconfigurationpropertiesfromenvironmentvariablesthataresetintheappsthatuseit.ToenableaPCF-hostedapptobindtoanSSOserviceinstance,youmustsetthefollowingenvironmentvariables:
GRANT_TYPE —thetypeofOAuthauthenticationassociatedwiththeSSOApplicationTypeinthetableabove.
SSO_IDENTITY_PROVIDERS —theinternalorexternalidentityprovider(s)fortheapptouse.
YoucansetadditionalenvironmentvariablestofurtherconfigurehowanappusesSSO,asdescribedbelow.Mostoftheseenvironmentvariablesareprefixedwith SSO_ .
TherearetwowaystosettheSSOconfigurationpropertiesforanapp:
Settheenvironmentvariablesmanuallyafteryoudeploytheapp,inAppsManagerorwiththeCloudFoundryCommand-LineInterface(cfCLI).
Includetheconfigsettingsintheapplicationmanifest,sothatPCFbootstrapsthemautomaticallywhenitdeploystheapp.
ManuallyConfigureAppsforSSOForappsalreadydeployedtoPCF,youcansettheir GRANT_TYPE , SSO_IDENTITY_PROVIDERS ,andotherSSOconfigurationenvironmentvariableswiththe cf set-env command,orinAppsManagerasfollows:
Note:TheNativeMobileAppapplicationtypeisintendedonlyforhighly-trustedappssuchascompany-ownedandmanagedapps.
Note:Theseconfigurationsareonlyappliedwhenbindingtotheserviceinstance.A cf push oftheappdoesnotupdatetheconfigurations.Toupdatetheseconfigurations,manuallyupdatethemusingtheSSOdashboardorunbindandrebindtheserviceinstance.IntheSSOsampleapplications ,themanifestbindstheapptoaserviceinstanceontheinitialpushusingthemanifestvalue
services: - sample-instance
.
© Copyright Pivotal Software Inc, 2013-2018 28 1.2
1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN .
2. Navigatetoyourapp.
3. ClicktheEnvVariablestab.
4. ClickAddanEnvVariable.
5. ForVariableNameenterthenameoftheSSOconfigurationpropertythatyouaresetting,suchas GRANT_TYPE .
6. ForValue,enterthepropertyvalue.Forexample,tosetthe GRANT_TYPE propertyforaSingle-PageJavaScriptApp,enter implicit ,whichistheOAuthGrantTypelistedforyourSSOapplicationtypeabove.
7. Bindandrestageyourapp.
BootstrapSSOConfigurationInSSOv1.4.0andlater,youcanincludeSSOconfigurationpropertiesinyourapplicationmanifest,toautomaticallybootstrapthevalueswhenyoubindorrebindtheapptoanSSOserviceinstance.
ThevaluesfromthemanifestautomaticallysavetotheenvironmentvariablesthatconfigureyourappforSSO.BootstrappingSSOconfigurationvaluesfromthemanifesteliminatestheneedtosetenvironmentvariablesafteryoudeployyourapp.
Thissnippetbelowshowshowtoinclude GRANT_TYPE SSO_IDENTITY_PROVIDERS inyourmanifest.
---applications: - name: APPLICATION NAME env: GRANT_TYPE: password SSO_IDENTITY_PROVIDERS: uaa, sample-identity-provider
The GRANT_TYPE propertydefaultsto authorization_code ,forWebAppapplicationtype. SSO_IDENTITY_PROVIDERS defaultsto uaa ,forthePCFinternaluserstore.
Ifyouspecifyyourownscopesandauthorities,considerincludingthefollowingvaluesinyour SSO_SCOPES or SSO_AUTHORITIES propertylist.Thesevaluesarenotaddedyouruser-providedlistbydefault:
openid —forappswith authorization code , password ,and implicit granttype
uaa.resource —forappswith client_credentials granttype
ThetablebelowlistsallSSOpropertiesthatyoucansetinyourapplicationmanifesttobootstrapthevaluesintoyourapp’sSSOclientconfiguration.
AfteranappdeployswithbootstrappedSSOconfigurationvalues,itisreadytobindtoanSSOserviceinstance.
SSOConfigurationPropertiesThetablebelowprovidesdescriptionsanddefaultvaluesforenvironmentvariablesthatappsusetoconfigureSSO.SeetheSSOsampleapplications
fordetails,andthe manifest.yml filesinthesamerepoforexamplesofbootstrappingthesevalues.
PropertyName Description Default
name Nameoftheapp(N/A-RequiredValue)
GRANT_TYPE
AllowedgranttypefortheappthroughtheSSOservice.OnlyonegranttypeperappissupportedbySSO. authorization_code
Note:Theseconfigurationsareonlyappliedwhenbindingtotheserviceinstance.A cf push oftheappdoesnotupdatetheconfigurations.Toupdatetheseconfigurations,manuallyupdatethemusingtheSSOdashboardorunbindandrebindtheserviceinstance.IntheSSOsampleapplications ,themanifestbindstheapptoaserviceinstanceontheinitialpushusingthemanifestvalue
services: - sample-instance
.
© Copyright Pivotal Software Inc, 2013-2018 29 1.2
SSO_IDENTITY_PROVIDERS
AllowedidentityprovidersfortheappthroughtheSSOserviceplan.Thisisacomma-separatedlistofidentityprovideroriginkeys.Theoriginkeysarederivedfromtheidentityprovidernameusingthefollowingrules:
Uppercaselettersareconvertedtolowercaseletters.
Spacesareconvertedtohyphens.
Periodsareconvertedtohyphens.
Forexample,ifyouridentityprovidernameis example.com Provider ,thecorrespondingoriginkeyisexample-com-provider .
uaa
SSO_REDIRECT_URIS
Comma-separatedwhitelistofredirectionURIsallowedfortheapp.Eachvaluemuststartwith http:// orhttps:// .
(Alwaysincludestheapproute)
SSO_SCOPES
Comma-separatedlistofscopesthatbelongtotheappandareregisteredasclientscopeswiththeSSOservice.Thisvalueisignoredforclientcredentialgranttypeapps.
openid
SSO_AUTO_APPROVED_SCOPES
Comma-separatedlistofscopesthattheappisautomaticallyauthorizedwhenactingonbehalfofusersthroughSSOservice.
(Defaultstoexistingscopes/authorities)
SSO_AUTHORITIES
Comma-separatedlistofauthoritiesthatbelongtotheappandareregisteredasclientauthoritieswiththeSSOservice.Privilegedidentityzone/planadministratorscopes,suchas scim.read , idps.write cannotbebootstrappedandmustbeassignedbyzone/planadministrators.Thisvalueisignoredforanygranttypeotherthanclientcredentials.
uaa.resource
SSO_REQUIRED_USER_GROUPS
Comma-separatedlistofgroupsausermusthaveinordertoauthenticatesuccessfullyfortheapp. (Novalue)
SSO_ACCESS_TOKEN_LIFETIME
LifetimeinsecondsfortheaccesstokenissuedtotheappbytheSSOservice. 43200
SSO_REFRESH_TOKEN_LIFETIME
LifetimeinsecondsfortherefreshtokenissuedtotheappbytheSSOservice.2592000(notusedforclientcredentials)
SSO_RESOURCES
Resourcesthattheappwilluseasscopes/authoritiesfortheSSOservicetobecreatedduringbootstrappingiftheydonotalreadyexist.Theinputformatcanbereferencedintheprovidedsamplemanifest.Notethatcurrentlyallpermissionswithinthesametoplevelpermission,suchas todo.read and todo.write ,mustbespecifiedinthesameapplicationmanifest.Currentlyyoucannotspecifyadditionalpermissionsinthesametoplevelpermission,suchas todo.admin ,inadditionalapplicationmanifests.
(Novalue)
SSO_ICON
AppiconthatwillbedisplayednexttotheappnameonthePivotalAccountdashboardifshowonhomepageisenabled.Donotexceed64kb.
(Novalue)
SSO_LAUNCH_URL
ApplaunchURLthatwillbeusedfortheapponthePivotalAccountdashboardifshowonhomepageisenabled. (Applicationroute)
SSO_SHOW_ON_HOME_PAGE
Ifsettotrue,theappwillappearonthePivotalAccountdashboardwiththecorrespondingiconandlaunchURL. True
PropertyName Description Default
Additionalinformationandmanifestexamplesareavailableontheidentitysampleapps .
RemoveSSOConfigurationProperties
YoucanremoveSSOconfigurationpropertiesforanapp,oranyenvironmentvariablessetthrough cf set-env ,AppsManager,orbootstrappingasfollows:
1. Run cf unset-env APP_NAME PROPERTY_NAME .
2. Rebindtheapp.
BindaPCFApp
© Copyright Pivotal Software Inc, 2013-2018 30 1.2
AfteraPCFappisconfiguredforSSO,youcanbindittoanSSOserviceinstanceasfollows:
1. LogintoAppsManagerasaSpaceDeveloper.
2. Selectthespacewhereyourappruns.
3. UnderApplications,clickthenameofyourapp.
4. ClicktheServicestab.
5. ClickBindaService.
6. BindyourapptoaservicetocreateanassociatedOAuthClient.
a. SelectanexistingSSOserviceinstancefromthedrop-downmenuandclickBind.b. Createanewserviceinstance:
i. ClickoraddfromMarketplace.ii. SelecttheSingleSign-OnserviceunderServicesMarketplace.iii. SelectaServicePlan,thenclickSelectthisplan.iv. EnteranInstanceName,selectaspace,selectanapp,thenclickAdd.
7. ClickManageundertheSSOserviceinstancetolaunchtheSSOdashboard.
8. Clickyourapp.
9. SpecifyavalueintheAppLaunchURLfieldthatyouwanttosetastheaddressofyourapp.
10. Uploadanappiconforyourapp.
11. ClickShowonhomepagetodisplaytheappontheUAAorPivotalAccounthomepage.
12. SelectoneormoreIdentityProvidersforyourapp.InternalUserStoreisthedefault.
13. IfyourApplicationTypeis Web App or Single-Page JavaScript App ,enterawhitelistofAuthRedirectURIsbeneathRedirectURIs.TheredirectqueryparameterspecifiedontheOAuthrequestmustmatchtheURIsspecifiedinthislist.Otherwise,SSOrejectstherequest.
14. FortheScopesfield,specifythepermissionsthattheappcanrequestontheuser’sbehalf.Thisfielddefaultsto openid forWeb,NativeMobile,andSingle-PageJavaScriptApps.Thisfielddefaultsto uaa.resource forService-to-ServiceApps.Ifthisappispurelyforauthenticationpurposes,thenthe
openid scopeissufficient.IftheappmakesAPIcallsonbehalfoftheenduser,specifyboththescopesenforcedbytheAPIandthescopestoberequestedbytheapp.
Scope Description
openid ProvidesaccesstomakeOpenIDConnectrequests
user_attributes Providesaccesstocustomattributesfromanexternalidentityprovider
roles Providesaccesstoexternalgroupsfromanidentityprovider
uaa.resource Providesaccesstothecheck_tokenendpointforservice-to-serviceflows
1. ForAuto-ApprovedScopes,selectanyscopesthattheSSOserviceautomaticallyapproveswhentheappmakesarequestonbehalfofauser.Selectonlyscopespertainingtoappsownedandmanagedbyyourcompany.DonotselectscopesthatpertaintoappsexternaltoPCF.
2. ClickSaveConfig.TheNextStepspageappears,describingtheendpointsrequiredforappintegration.Formoreinformation,seeIntegrateSSOwithAppsbelow.
Note:Ifyouwouldlikeapptodisplayonthehomepage,youmustenteranAppLaunchURLoruploadanappicon.
Note:WhenbindingaPCFapp,aSpaceDevelopercanchoosefrominternalandexternalidentityproviders.IftheSpaceDeveloperselectsmultipleidentityproviders,usersmustselectwhichprovidertousewhentheysignin.Thisoptionisavailableforallapplicationtypesexcept Service-to-Service App .
Note:UnderScopes,youcanselectresourcesdefinedinanyspaceiftheapplicationtypeisa WebApp
, Native MobileApp
,or
Single-Page JavaScriptApp
.Iftheapplicationtypeisa Service-to-ServiceApp
,youcanonlyselectresourcesdefinedwithinthespace.
© Copyright Pivotal Software Inc, 2013-2018 31 1.2
ManageAppConfigurationsviaSSODashboardTheSSOdashboardallowsapplicationdeveloperstoviewtheappconfigurationsandresourcesavailablewithintheirspace.Toaccessthedashboard,firstyoumustcreateaserviceinstanceforyourSpace.ThenyoucanfollowthestepsbelowtomanageyourapplicationconfigurationsviatheSSOdashboard.
1. LogintoAppsManagerasaSpaceDeveloper.
2. Selectthespacewhereyourserviceinstanceislocated.
3. UnderServices,clickManagenexttotheSSOserviceinstance.ThislaunchestheSSOdashboard.
RegisteranExternalApp1. DeterminethetypeoftheappthatwillusetheSSOservice.
2. LogintoAppsManagerasaSpaceDeveloper.
3. Selectthespacewhereyourserviceinstanceislocated.
4. UnderServices,clickManagenexttotheSSOserviceinstance.ThislaunchestheSSOdashboard.
5. ClickNewApp.
6. EnteranAppName.
7. ChooseanapptypeunderSelectanApplicationType.
8. EnteranAppLaunchURLthatspecifiestheaddressofyourapp.
9. Uploadanappiconforyourapp.
10. ClickShowonhomepagetodisplaytheappontheUAAorPivotalAccounthomepage.
11. SelectoneormoreIdentityProvidersforyourapp.InternalUserStoreisthedefault.
12. IfyourApplicationTypeis Web App or Single-Page JavaScript App ,enterawhitelistofAuthRedirectURIsbeneathRedirectURIs.TheredirectqueryparameterspecifiedontheOAuthrequestmustmatchtheURIsspecifiedinthislist.Otherwise,SSOrejectstherequest.
13. FortheScopesfield,specifythepermissionsthattheappcanrequestontheuser’sbehalf.Thisfielddefaultsto openid forWeb,NativeMobile,andSingle-PageJavaScriptApps.Thisfielddefaultsto uaa.resource forService-to-ServiceApps.Ifthisappispurelyforauthenticationpurposes,thenthe
openid scopeissufficient.IftheappmakesAPIcallsonbehalfoftheenduser,youmustspecifyboththescopesenforcedbytheAPIandthescopestoberequestedbytheapp.
Scope Description
openid ProvidesaccesstomakeOpenIDConnectrequests
user_attributes Providesaccesstocustomattributesfromanexternalidentityprovider
roles Providesaccesstoexternalgroupsfromanidentityprovider
uaa.resource Providesaccesstocheck_tokenendpointforservice-to-serviceflows
Note:Todisplaytheapponthehomepage,youmustenteranAppLaunchURLorUploadanappicon.
Note:Whenregisteringanexternally-hostedapp,aSpaceDevelopercanchoosefrominternalandexternalidentityproviders.IftheSpaceDeveloperselectsmultipleidentityproviders,usersmustselectwhichprovidertousewhentheysignin.Thisoptionisavailableforallapplicationtypesexcept Service-to-Service App .
Note:Addthe user_attributes scopetotheclientscopestoreturnuserattributesfromtheIDtoken.
Note:UnderScopes,youcanselectresourcesdefinedinanyspaceiftheapplicationtypeisa Web App , Native Mobile App ,or Single-Page
JavaScript App .Iftheapplicationtypeisa Service-to-Service App ,youcanonlyselectresourcesdefinedwithinthespace.
© Copyright Pivotal Software Inc, 2013-2018 32 1.2
14. ForAuto-ApprovedScopes,selectanyscopesthattheSSOserviceautomaticallyapproveswhentheappmakesarequestonbehalfofauser.Selectonlyscopespertainingtoappsownedandmanagedbyyourcompany.DonotselectscopesthatpertaintoappsexternaltoPCF.
15. ClickCreateApp.TheNextStepspageappears,describingtheendpointsrequiredforappintegration.Formoreinformation,seeIntegrateSSOwithApplicationsbelow.
IntegrateSSOwithanAppBecauseSSOserviceisbasedontheOAuthprotocol,anyappthatusesSSOmustbeOAuth-aware.
JavaAppsIfyouareusingJava,seeSingleSign-OnServiceSampleApplications .ThesearesampleappscreatedusingSpringBoot forallfourapplicationtypes.TheseappsusetheSSOServiceConnector,whichauto-configurestheappforOAuth.AfterbindingtheapptoanSSOserviceinstance,youmustrestarttheappforthenewSSOconfigurationtotakeeffect.
Non-JavaAppsToconfigurenon-JavaappsforOAuth,supplythefollowingpropertiesasenvironmentvariablestoyourappaftertheSSOservicebind.YoucanviewthisinformationontheNextStepspageoftheSSOdashboard.
AppID,alsoknownasOAuthClientID
AppSecret,alsoknownasOAuthClientSecret
OAuthAuthorizationURL,theendpointforclientauthorization
OAuthTokenURL,theendpointfortokenretrieval
Tovalidatethetoken,youmustverifythefollowing:
1. ThetokenisaproperlysignedJSONWebTokenwithanappropriatepublickey.ThekeycanbedownloadedfromtheTokenVerificationKeyendpointspecifiedontheNextStepspage.
2. Thevalueof aud inthetokenmatchesyourAppID.
3. Thevalueof iss matches https://AUTH-DOMAIN.uaa.YOUR-SYSTEM-DOMAIN/oauth/token .
4. Theexpirytimeofthetoken, exp ,hasnotpassed.
CreateAdminClientYoucancreateanadminclienttoperformadministrativefunctions,suchasmanageidentityproviders,apps,users,groups,andresourcesinaspecificzonewhereyoucreatetheclient.
Youmustbeatleastaplanadministratortoperformthesesteps.
Createanadminclientasfollows:
1. LogintoAppsManager.
2. Selectthespacewhereyourserviceinstanceislocated.Thisspecifiesthezoneyoumanageasanadminclient.
3. UnderServices,clicktheSingleSign-Onservice.
4. ClickManagenexttoyourSSOserviceinstancetolaunchtheSSOdashboard.
5. ClickNewApp.
6. EnteranAppName.
7. UnderSelectanApplicationType,selectService-to-ServiceApp.
© Copyright Pivotal Software Inc, 2013-2018 33 1.2
8. ClickSelectScopesandchoosewhatactionstheadminclientcanperformfromthefollowingAdminPermissions:
Scope Description
clients.admin Providessuperuseraccesstocreate,modify,anddeleteclients
clients.read Providesaccesstoreadinformationaboutclients
clients.write Providesaccesstocreateandmodifyclients
scim.create Providesaccesstocreateusers
scim.read Providesaccesstoreadinformationaboutusersandgroupmemberships
scim.write Providesaccesstocreate,modify,anddeleteusersandgroupmemberships
idps.read Providesaccesstoreadinformationaboutidentityproviders
idps.write Providesaccesstocreate,modify,anddeleteidentityproviders
9. ClickCreateApp.
DeleteAppthatUsesSSODeleteaPCFapporanexternalappthatusesSSOasfollows:
DeleteaPCFAppTodeleteanapphostedonPCF:
1. LogintoAppsManagerasaSpaceDeveloper.
2. Selectthespacewhereyourappislocated.
3. UnderApplications,clickthenameofyourapp.
4. OntheApplicationpage,clickDeleteApp.
5. Onthepopup,clickDeletetoconfirmthatyouwanttodeletetheappanditsconfigurationsfromAppsManagerandtheservicedashboard.
DeleteanExternalAppTodeleteanexternalappthatusesSSO:
1. LogintoAppsManagerasaSpaceDeveloper.
2. Selectthespacewhereyourserviceinstanceislocated.
3. UnderServices,clickManagenexttoyourSSOserviceinstancetolaunchtheSSOdashboard.
4. Clickyourapp.
5. ClickDeleteatthebottomofthepage.
6. Onthepopup,clickDeleteApptoconfirmthatyouwanttodeletetheappanditsconfigurations.
Note:DeletinganexternallyhostedappinPCFremovestheappanditsconfigurationsfromtheSSOdashboard.However,itstillexistsonyourhostedplatform.
© Copyright Pivotal Software Inc, 2013-2018 34 1.2
WebAppThistopicdescribestheOAuth2.0AuthorizationCodegranttypesupportedbyPivotalSingleSign-On(SSO).Theauthorizationcodegranttypeisthemostcommonlyusedgranttype.Thisgranttypeisforserver-sideapplications.
OAuth2.0RolesResourceOwner:Apersonorsystemcapableofgrantingaccesstoaprotectedresource.
Application:Aclientthatmakesprotectedrequestsusingtheauthorizationoftheresourceowner.
AuthorizationServer:TheSingleSign-Onserverthatissuesaccesstokenstoclientapplicationsaftersuccessfullyauthenticatingtheresourceowner.
ResourceServer:Theserverthathostsprotectedresourcesandacceptsandrespondstoprotectedresourcerequestsusingaccesstokens.ApplicationsaccesstheserverthroughAPIs.
AuthorizationCodeFlow
1. AccessApplication:Theuseraccessestheapplicationandtriggersauthenticationandauthorization.
2. AuthenticationandRequestAuthorization:Theapplicationpromptstheuserfortheirusernameandpassword.Thefirsttimetheusergoesthroughthisflowfortheapplication,theuserseesanapprovalpage.Onthispage,theusercanchoosepermissionstoauthorizetheapplicationtoaccessresourcesontheirbehalf.
3. AuthenticationandGrantAuthorization:Theauthorizationserverreceivestheauthenticationandauthorizationgrant.
4. SendAuthenticationCode:Aftertheuserauthorizestheapplication,theauthorizationserversendsanauthorizationcodetotheapplication.
5. RequestCodeExchangeforToken:Theapplicationreceivestheauthorizationcodeandrequestsanaccesstokenfromtheauthorizationserver.Thisgivestheapplicationaccesstotheapprovedpermissions.
6. IssueAccessToken:Theauthorizationservervalidatestheauthorizationcodeandissuesanaccesstoken.
7. RequestResourcew/AccessToken:Theapplicationattemptstoaccesstheresourcefromtheresourceserverbypresentingtheaccesstoken.
8. ReturnResource:Iftheaccesstokenisvalid,theresourceserverreturnstheresourcesthattheuserauthorizedtheapplicationtoreceive.
TheresourceserverrunsinPCFunderagivenspaceandorganization.DeveloperssetthepermissionsfortheresourceserverAPIendpoints.Todothis,theycreateresourcesthatcorrespondtoAPIendpointssecuredbytheSingleSign-Onservice.Applicationscanthenaccesstheseresourcesonbehalfofusers.
© Copyright Pivotal Software Inc, 2013-2018 35 1.2
© Copyright Pivotal Software Inc, 2013-2018 36 1.2
NativeMobileAppForNativeMobileandDesktopapplications,PivotalSingleSign-On(SSO)supportstheResourceOwnerPasswordOAuth2.0granttype.Thispasswordgranttypeisforhighlytrustedapplicationswhereresourceownerssharetheircredentialsdirectlywiththeapplication.
OAuth2.0RolesThefollowingrolesareavailableinanOAuth2.0scenario:
ResourceOwner:Apersonorsystemcapableofgrantingaccesstoaprotectedresource.
Application:Aclientthatmakesprotectedrequestsusingtheauthorizationoftheresourceowner.
AuthorizationServer:TheSingleSign-Onserverthatissuesaccesstokenstoclientapplicationsaftersuccessfullyauthenticatingtheresourceowner.
ResourceServer:Theserverthathostsprotectedresourcesandacceptsandrespondstoprotectedresourcerequestsusingaccesstokens.ApplicationsaccesstheserverthroughAPIs.
NativeMobileAppFlowThefollowingdiagramshowstheauthenticationflowusedbymobileapps.Inthisscenario,theapplicationisbackedbyaresourceserverandbotharesecuredbytheUAAauthorizationserver.
1. Authenticatew/UsernameandPassword:Theuserauthenticateswiththeapplicationusingtheirusernameandpassword.
2. SendUsername/Password:Theapplicationsendstheusernameandpasswordtotheauthorizationserverforvalidation.
3. IssueAccessToken:Theauthorizationservervalidatestheusernameandpasswordandissuesanaccesstoken.
4. RequestResourcew/AccessToken:Theapplicationattemptstoaccesstheresourcefromtheresourceserverbypresentingtheaccesstoken.
5. ReturnResource:Iftheaccesstokenisvalid,theresourceserverreturnstheresourcesthattheuserauthorizedtheapplicationtoreceive.
TheresourceserverrunsinPCFunderagivenspaceandorganization.DeveloperssetthepermissionsfortheresourceserverAPIendpoints.Todothis,theycreateresourcesthatcorrespondtoAPIendpointssecuredbytheSingleSign-Onservice.Applicationscanthenaccesstheseresourcesonbehalfofusers.
© Copyright Pivotal Software Inc, 2013-2018 37 1.2
Single-PageJavascriptAppThistopicdescribestheOAuth2.0implicitgranttypesupportedbyPivotalSingleSign-On(SSO).Theimplicitgranttypeisforapplicationswithaclientsecretthatisnotguaranteedtobeconfidential.
OAuth2.0RolesResourceOwner:Apersonorsystemcapableofgrantingaccesstoaprotectedresource.
Application:Aclientthatmakesprotectedrequestsusingtheauthorizationoftheresourceowner.
AuthorizationServer:TheSingleSign-Onserverthatissuesaccesstokenstoclientapplicationsaftersuccessfullyauthenticatingtheresourceowner.
ResourceServer:Theserverthathostsprotectedresourcesandacceptsandrespondstoprotectedresourcerequestsusingaccesstokens.ApplicationsaccesstheserverthroughAPIs.
ImplicitFlow
1. AccessApplication:Theuseraccessestheapplicationandtriggersauthenticationandauthorization.
2. AuthenticationandRequestAuthorization:Theapplicationpromptstheuserfortheirusernameandpassword.Thefirsttimetheusergoesthroughthisflowfortheapplication,theuserseesanapprovalpage.Onthispage,theusercanchoosepermissionstoauthorizetheapplicationtoaccessresourcesontheirbehalf.
3. AuthenticationandGrantAuthorization:Theauthorizationserverreceivestheauthenticationandauthorizationgrant.
4. IssueAccessToken:TheauthorizationservervalidatestheauthorizationcodeandreturnsanaccesstokenwiththeredirectURL.
5. RequestResourcew/AccessTokenin:TheapplicationattemptstoaccesstheresourcefromtheresourceserverbypresentingtheaccesstokenintheURL.
6. ReturnResource:Iftheaccesstokenisvalid,theresourceserverreturnstheresourcesthattheuserauthorizedtheapplicationtoreceive.
TheresourceserverrunsinPCFunderagivenspaceandorganization.DeveloperssetthepermissionsfortheresourceserverAPIendpoints.Todothis,theycreateresourcesthatcorrespondtoAPIendpointssecuredbytheSingleSign-Onservice.Applicationscanthenaccesstheseresourcesonbehalfofusers.
© Copyright Pivotal Software Inc, 2013-2018 38 1.2
Service-to-ServiceAppForService-to-Serviceapplications,PivotalSingleSign-On(SSO)supportstheClientCredentialsOAuth2.0granttype.Theclientcredentialsgranttypeisforapplicationsthatcanrequestanaccesstokenandaccessresourcesonitsown.ThisisoftenthecasewhenthereareservicesthatcallAPIswithoutusers.
OAuth2.0ActorsApplication:Aclientthatmakesprotectedrequestsusingtheauthorizationoftheresourceowner.
AuthorizationServer:TheSingleSign-Onserverthatissuesaccesstokenstoclientapplicationsaftersuccessfullyauthenticatingtheresourceowner.
ResourceServer:Theserverthathostsprotectedresourcesandacceptsandrespondstoprotectedresourcerequestsusingaccesstokens.ApplicationsaccesstheserverthroughAPIs.
ClientCredentialsFlow
1. Authenticatew/ClientIDandSecret:TheapplicationauthenticateswiththeauthorizationserverusingitsclientIDandclientsecret.
2. IssueAccessToken:TheauthorizationservervalidatestheclientIDandclientsecretandissuesanaccesstoken.
3. RequestResourcew/AccessToken:Theapplicationattemptstoaccesstheresourcefromtheresourceserverbypresentingtheaccesstoken.
4. ReturnResource:Iftheaccesstokenisvalid,theresourceserverreturnstheresourcestotheapplication.
TheresourceserverrunsinPCFunderagivenspaceandorganization.DeveloperssetthepermissionsfortheresourceserverAPIendpoints.Todothis,theycreateresourcesthatcorrespondtoAPIendpointssecuredbytheSingleSign-Onservice.Administratorscancreateadminclientstoperformautomatedmanagementactionswithoutauser.SeeCreateAdminClient.
© Copyright Pivotal Software Inc, 2013-2018 39 1.2
ManageResourcesThistopicdescribeshowaSpaceDeveloperdefinesresourcesrequiredbyanappboundtoaSingleSign-On(SSO)serviceinstanceandhowanadministratorgrantsresourcepermissions.
Inthistopic,resourcesaretheAPIendpointsthatusersandappsneedtoretrieveinformationfromaresourceserver.Afteranadministratorcreatesresources,theyassigntheresourcestousersandapps.Userscanthengrantappsaccesstotheresources,forexampletoqueryAPIendpointsontheirbehalf.
Becausedevelopersknowwhatendpointsexistfortheirapps,theyareresponsibleforcreatingresources.
CreateorEditResourcesIfanapprequiresaccesstospecificresourcessuchasAPIendpoints,permissionsforthoseresourcesmustbeeitherbootstrappedfromtheapplicationmanifestordefinedbytheSpaceDeveloperintheSSOdashboard.
Tobootstrapresourcesfromthemanifest,followtheinstructionsintheSSOSampleApplicationsrepo .
TocreateresourcesintheSSODashboard:
1. LogintoAppsManagerasaSpaceDeveloper.
2. Selectthespacewhereyourserviceinstanceislocated.
3. UnderServices,clickManagenexttoyourSSOserviceinstancetolaunchtheSSOdashboard.
4. ClicktheResourcestab.
5. ClickNewResource.
6. EnteraResourceName.
7. CreatePermissionsthattheOAuthclientforyourappneedstoaccessfromtheresourceserver.
a. EnteroneormoreAttributesorActionsforeachpermission.b. EnteraDescriptionforeachpermission.
8. ClickSaveResource.Theadministratormustcreateresourcepermissionssothatuserscanaccesstheresource.Formoreinformation,seeCreateorEditResourcePermissionsbelow.
DeleteResources1. LogintoAppsManagerasaSpaceDeveloper.
2. ClicktheManagelinkundertheSSOserviceinstancetolaunchtheservicedashboard.
3. ClicktheResourcestab.
4. Clicktheresourcetodelete.
5. ClickDeleteatthebottomofthepage.
6. Onthepopup,clickDeleteResourcetodeletetheresource.
Note:SpaceDeveloperscreateresourceswithinaspace.SpaceDevelopersonlyseetheresourcescreatedinthespacestheyhaveaccesstoandcanonlyassignthosetotheappsinthosespaces.
Note:Deletingaresourceremovesitfromthepermissionmappingsandfromtheapp.Youmustreconfiguretheupdatedpermissionsinbothareas.
© Copyright Pivotal Software Inc, 2013-2018 40 1.2
CreateorEditResourcePermissionsAfteraSpaceDeveloperdefinesresourcesrequiredbyanapp,anadministratormustgrantaccesstothoseresources.SSOallowsadministratorstomapgroupsofusersfromtheidentityprovidertotheresourcepermissionsdefinedbytheSpaceDeveloper.
Onceresourcepermissionsmappingsareconfigured,whenauserauthenticatesandobtainsatoken,theuser’sgroupmembershipswillautomaticallybemappedintoscopesthataredirectlyincludedinthetoken.
1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickthenameoftheexternalidentityprovideryouwanttodefinepermissionsforandselectResourcePermissionsfromthedrop-downmenu.
4. ClickNewPermissionsMapping.
5. EnteraGroupName.
6. ClickSelectPermissionstochoosethepermissionsthatusersinthegroupshouldhaveaccessto.
7. ClickSavePermissionsMapping.
DeleteResourcePermissions1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.
YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickonthenameoftheexternalidentityprovideryouwanttodefinepermissionsforandselectResourcePermissionsfromthedrop-downmenu.
4. Clickthegroupnameoftheresourcepermissionyouwanttodelete.
5. ClickDeleteatthebottomofthepage.
6. Onthepopup,clickDeletePermissionsMappingtodeletetheresource.
AboutSpaceProtectionforResourcesOAuth2.0providestheconceptofascopeinordertolimittheamountofaccessthatisgrantedtoanaccesstoken.Ascopeistheintersectionofauser’sgroupsandaclient’sscopes.
Forausertogainaccesstoaresource,theymustmeetthefollowingconditions,whichcanonlybesetupbyplanadministrators:
Theusermustbeassignedtheresourceasagroup.Forinformationonhowtodothis,seeManageUsers.
Theusermustaccessanappthathastheresourceassignedasascope.
Appdeveloperscanassignscopestoanyappthatisnotaservice-to-serviceapp.But,onlyplanadministratorscanassignscopestousers.
Whenassigningaresourceasascopeforaservice-to-serviceapp,appdeveloperscanonlyassignresourcestheyhavecreatedwithintheirownspace.Onlyanplanadministratorcanassignascopefromanotherspacetoaservice-to-serviceapp.
Note:GroupswithunsupportedcharactersinPermissionMappingsarenoteditable.
Note:GroupswithunsupportedcharactersinPermissionMappingsarenoteditable.
© Copyright Pivotal Software Inc, 2013-2018 41 1.2
ActiveDirectoryFederationServicesIntegrationGuideOverviewActiveDirectoryFederationServices(ADFS)isastandards-basedservicethatsecurelysharesidentityinformationbetweenapplications.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenADFSastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).
SSOsupportsserviceprovider-initiatedauthenticationflowandsinglelogout.Itdoesnotsupportidentityprovider-initiatedauthenticationflow.AllSSOcommunicationtakesplaceoverSSL.
PrerequisitesTointegrateADFSwithPivotalCloudFoundry(PCF),youneedthefollowing:
Pivotal
PCF,version1.7.0orlater
SingleSign-On,version1.1.0orlater
ActiveDirectoryFederationServices
ActiveDirectoryFederationServicessubscription
AuserwithAdministrativeprivileges
ActiveDirectoryFederationServicesIntegrationGuide
ConfiguringADFSwithSSOCompletebothstepsbelowtointegrateyourdeploymentwithADFSandSSO.
1. ConfigureActiveDirectoryFederationServicesasanIdentityProvider
2. ConfigureaSingleSign-OnServiceProvider
TestingandTroubleshootingTesting
Troubleshooting
Note:ToconfigureSAML,youmusthavetheSingleSign-OnservicebrokerinstalledonyourPCFdeployment.Youneedtocreateaplan,grantanyplanadministrators,andspecifyanyorganizationsthisplanshouldbetheauthenticationauthorityfor.Forhelpconfiguringplans,seetheManageServicePlanstopic.
© Copyright Pivotal Software Inc, 2013-2018 42 1.2
ConfigureActiveDirectoryFederationServicesasanIdentityProviderThistopicdescribeshowtosetupActiveDirectoryFederationServices(ADFS)asyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andADFS.
SetUpSAMLinPCF1. LogintotheSingleSign-On(SSO)dashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickConfigureSAMLServiceProvider.
4. (Optional)SelectPerformsignedauthenticationrequeststoenforceSSOprivatekeysignatureandidentityprovidervalidation.
5. (Optional)SelectRequiresignedassertionstovalidatetheoriginofsignedresponses.
6. ClickDownloadMetadatatodownloadtheserviceprovidermetadata.
7. ClickSave.
SetUpSAMLinActiveDirectoryFederationServices1. OpentheADFSManagementconsole.
2. ClickAddRelyingPartyTrust…intheActionspane.
3. OntheWelcomestep,clickStart.
© Copyright Pivotal Software Inc, 2013-2018 43 1.2
4. SelectImportdataabouttherelyingpartyfromafile,enterthepathtothedownloadedserviceprovidermetadata,andclickNext.
5. EnteranameforDisplaynameandclickNext.
© Copyright Pivotal Software Inc, 2013-2018 44 1.2
6. Leavethedefaultmulti-factorauthenticationselectionandclickNext.
7. SelectPermitalluserstoaccessthisrelyingpartyandclickNext.
© Copyright Pivotal Software Inc, 2013-2018 45 1.2
8. ReviewyoursettingsandclickNext.
9. ClickClosetofinishthewizard.
10. Theclaimruleeditorshouldopenbydefault.Ifitdoesnot,selectyourRelyingPartyTrustandclickEditClaimRules…intheActionspane.
11. Createtwoclaimrulesbyfollowingthesesteps:
a. ClickAddRule.b. SelectSendLDAPAttributesasClaimsforClaimruletemplateandclickNext.
c. EnteraClaimrulename.d. SelectActiveDirectoryforAttributestore.e. SelectE-Mail-AddressesforLDAPAttributeandselectE-mailAddressforOutgoingClaimType.
© Copyright Pivotal Software Inc, 2013-2018 46 1.2
f. ClickFinish.
g. ClickAddRule.h. SelectTransformanIncomingClaimforClaimruletemplateandclickNext.
i. EnteraClaimrulename.j. SelectE-MailAddressforIncomingclaimtype.k. SelectNameIDforOutgoingclaimtypel. SelectEmailforOutgoingnameIDformat.
m. ClickFinish.
© Copyright Pivotal Software Inc, 2013-2018 47 1.2
12. Double-clickonthenewRelyingPartyTrusttoopentheproperties.
13. SelecttheEncryptiontabandclickRemovetoremovetheencryptioncertificate.
14. SelecttheAdvancedtabandselecttheSHAalgorithmfortheSecurehashalgorithmthatmatchestheSHAAlgorithmconfiguredforPCFElasticRuntime .
© Copyright Pivotal Software Inc, 2013-2018 48 1.2
15. (Optional)Ifyouareusingaself-signedcertificate,disableCRLchecksbyfollowingthesesteps:
a. OpenWindowsPowershellasanAdministrator.b. Executethefollowingcommand:
> set-ADFSRelyingPartyTrust -TargetName "< Relying Party Trust >" -SigningCertificateRevocationCheck None
16. (Optional)Ifyouareusingaself-signedcertificate,addittotheADFStruststore.ObtaintheOpsManagercertificatefromhttps://OPS_MANAGER_IP/api/v0/security/root_ca_certificate andaddthisCAcertificatetotheADFStruststore,soADFScantrustthe“ServiceProviderKey
Certificate”certificatesignedbyOpsManagerROOTCA.
17. (Optional)TospecifyanyapplicationorgroupattributesthatyouwanttomaptousersintheIDtoken,clickEditClaimRules…andconfigureSendLDAPAttributesasClaims.Formoreinformation,seethenextsection.
SettingUpGroupsinSAMLfromADFS1. Right-clickyourRelyingPartyTrustandselectEditClaimRules….
2. SelectAddRule.
3. SelectSendGroupMembershipasaClaimandclickNext.
Note:PriortoPCFv1.10,steps13and14arerequiredasallPCFcomponents(includingSSOtile)havecertificatesaresignedbyaninternalCA.InPCFv1.10+,customerscanuploadtheirownCAcertificatetoPCF.
© Copyright Pivotal Software Inc, 2013-2018 49 1.2
4. EntertheClaimrulename.
5. ClickBrowsetoselectyourUser’sgroup.
6. SelectGroupasyourOutgoingclaimtype.
7. SetyourOutgoingclaimvaluetomatchyourgroup’sname.
8. ClickFinish.
9. TosavetheseconfigurationsandusethedefaultSAMLassertionof http://schemas.xmlsoap.org/claims/Group ,clickOK.Ifyouwanttopasstheclaimsassertionasacustomvalue “groups” intheSAMLassertion,continuetotheprocedurebelow.
CreateCustomValue“groups”
© Copyright Pivotal Software Inc, 2013-2018 50 1.2
1. SelectyournewlycreatedruleandclickEditRule.
2. ClickViewRuleLanguage.
3. CopythetextintheClaimrulelanguagefieldtoanotepadorotherlocation.Youneedthistextforthenextsteps.
4. ExittheEditRulemenu.SelecttheruleyoujustaddedandclickRemoveRule.
5. ClickAddRule.
6. SelectSendClaimsUsingaCustomRule.
7. Pasteinthetextyoupreviouslycopiedinstep3fromtheremovedrule.Editthe Type sothatitonlysays “groups” .
© Copyright Pivotal Software Inc, 2013-2018 51 1.2
8. ClickOKtofinishmakingyourchangesandsavethechangesyoumade.
© Copyright Pivotal Software Inc, 2013-2018 52 1.2
ConfigureaSingleSign-OnServiceProviderThistopicdescribeshowtoaddanexternalidentityprovidertoyourPivotalSingleSign-On(SSO)serviceplan.
DownloadIdentityProviderMetadata1. DownloadthemetadatafromyourActiveDirectoryFederationServicesserveratthefollowingURL:
https://YOUR-ADFS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml
SettingupSAML1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickNewIdentityProvidertocreateanewidentityprovider.
4. Tocreateanewidentityprovider,performthefollowingsteps:
a. EnteranidentityprovidernameinIdentityProviderName.
© Copyright Pivotal Software Inc, 2013-2018 53 1.2
b. (Optional)EnteradescriptioninIdentityProviderDescription.c. ClickSAMLFileMetadata(optional),thenclickUploadIdentityProviderMetadatatouploadyourmetadataXML.d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.
5. ClickCreateIdentityProvider.
6. ClickResourcePermissions.
7. ClickNewPermissionsMappingandperformthefollowingsteps:
a. EnteraGroupName.b. ForSelectPermissions,selectthepermissionstogranttothemembersofthegroupfromtheexternalidentityprovider.
8. Navigatetotheidentityproviderlist.
9. ClickGroupWhitelistandenterthegroupnamesfromtheexternalidentityproviderthatshouldbepropagatedintheIDtoken.
CreateAttributeMappingsforSAMLGroupsUnderUserAttributes,maptheUserSchemaAttributeof “external_groups” totheAttributeNamevalueof “groups” .IfyoudidnotperformthestepstocustomizetheSAMLassertionvalue,use “http://schemas.xmlsoap.org/claims/Group” astheAttributeNameinstead.
AnattributemappingwithacustomizedSAMLassertionvaluelookslikethis:
Anattributemappingwithanon-customizedSAMLassertionvaluelookslikethis:
GroupsnowshowupfromtheSAMLassertionasclaims.Youcanpullthesevaluesfromtheuser’sstoredcustomattributesusingthe roles scopeontheIDtokenorthroughtheuserinfoendpoint,ormapthesetopermissionsusingResourcePermissionsmappings.Formoreinformation,seetheCreateorEditResourcePermissionssectionofManageResources .
© Copyright Pivotal Software Inc, 2013-2018 54 1.2
TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandActiveDirectoryFederationServices(ADFS).Anadministratorcantestbothserviceproviderandidentityproviderconnections.
TestYourServiceProviderConnection1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN andnavigatetotheorganizationandspacewhereyourapplicationislocated.
2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplication.ClickontheserviceinstanceandclickManage.
3. UndertheAppstab,clickyourapplication.
© Copyright Pivotal Software Inc, 2013-2018 55 1.2
4. UnderIdentityProviders,selecttheADFSidentityprovider.
5. ReturntoAppsManagerandclickontheURLbelowyourapplicationtoberedirectedtotheidentityprovidertoauthenticate.
© Copyright Pivotal Software Inc, 2013-2018 56 1.2
6. Clickthelink.
7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignin.
8. Theapplicationasksforauthorizationtothenecessaryscopes.ClickAuthorize.
© Copyright Pivotal Software Inc, 2013-2018 57 1.2
9. TheaccesstokenandIDtokendisplays.
© Copyright Pivotal Software Inc, 2013-2018 58 1.2
TestYourIdentityProviderConnection
1. SignintoADFS.
Note:SSOdoesnotsupportidentityprovider-initiatedflowintoapplications,butitdoesredirecttheusertotheUserAccountandAuthentication(UAA)pagetoselectapplicationsassignedtotheuser.
© Copyright Pivotal Software Inc, 2013-2018 59 1.2
2. Navigatetoyourapplicationandclickit.
3. Youareredirectedtothepagethatlistsapplicationsyouhaveaccessto.
TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofADFSaswell.
1. Signintothesampleapplication.InformationabouttheaccessandIDtokendisplays,aswellasthe“Whatdoyouwanttodo?”section.
2. Under“Whatdoyouwanttodo?”,clickLogout.
3. YouareloggedoutandredirectedtotheADFSloginpage.
© Copyright Pivotal Software Inc, 2013-2018 60 1.2
© Copyright Pivotal Software Inc, 2013-2018 61 1.2
TroubleshootingThistopicdescribeshowtoresolveerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenActiveDirectoryFederationServicesandPivotalSingleSign-On(SSO).
EventViewer1. NavigatetoAdministrativeTools.
2. LaunchEventViewer.
3. Examineanyerrorsanditsdetailstodiagnoseproblems.
© Copyright Pivotal Software Inc, 2013-2018 62 1.2
AzureActiveDirectorySAMLIntegrationGuideOverviewThisdocumentationintroduceshowtosetupAzureActiveDirectory(AzureAD)withSecurityAssertionMarkupLanguage(SAML)astheidentityproviderfortheSingleSign-OnservicerunningonPivotalCloudFoundry(PCF).
AzureActiveDirectory(AzureAD)isMicrosoft’smulti-tenantcloudbaseddirectoryandidentitymanagementservice.
ForhowtosetupAzureADwithOpenIDConnect(OIDC),seeAzureActiveDirectoryOIDCIntegrationGuide .
PrerequisitesTointegrateAzureADwithPivotalCloudFoundry®(PCF),youneed:
Pivotal
PCF,version1.7.0orlater.
SingleSign-On,version1.1.0orlater.
AzureActiveDirectory
AzureActiveDirectorysubscription.
Auserwithadminprivileges.
AzureADIntegrationGuide
ConfiguringAzureADwithSSOCompletebothstepsbelowtointegrateyourdeploymentwithAzureADandSSO.
1. ConfigureAzureADasaSAMLIdentityProvider
2. ConfigureaSingleSign-OnServiceProvider
TestingandTroubleshootingTesting
Troubleshooting
Note:ToconfigureSAML,youmusthavetheSingleSign-OnservicebrokerinstalledonyourPCFdeployment.Youneedtocreateaplan,grantanyplanadministrators,andspecifyanyorganizationsthisplanshouldbetheauthenticationauthorityfor.Forhelpconfiguringplans,seetheManageServicePlanstopic.
© Copyright Pivotal Software Inc, 2013-2018 63 1.2
ConfigureAzureActiveDirectoryasaSAMLIdentityProviderThistopicdescribeshowtosetupAzureActiveDirectory(AD)asyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry®(PCF)andAzureAD.
SetupSAMLinPCF1. LogintotheSingleSign-On(SSO)dashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickConfigureSAMLServiceProvider.
4. (Optional)SelectPerformsignedauthenticationrequeststoenforceSSOprivatekeysignatureandidentityprovidervalidation.
5. (Optional)SelectRequiresignedassertionstovalidatetheoriginofsignedresponses.
6. ClickDownloadMetadatatodownloadtheserviceprovidermetadata.
7. ClickSave.
SetupSAMLinAzureActiveDirectory1. SignintoAzureADat https://manage.windowsazure.com asanadministrator.
2. NavigatetotheapplicationsdashboardbyclickingonyourdirectoryandtheApplicationstab.
3. ClicktheAddbuttontoaddanewapplication.
© Copyright Pivotal Software Inc, 2013-2018 64 1.2
4. SelectAddanapplicationmyorganizationisdeveloping.
5. EntertheNameandTypefortheapplication.
© Copyright Pivotal Software Inc, 2013-2018 65 1.2
6. EntertheSign-OnURLandAppIDURIfortheapplication.
7. Clicktheapplicationandconfigurethefollowingproperties:
© Copyright Pivotal Software Inc, 2013-2018 66 1.2
a. EntertheapplicationName.b. Enterthe AssertionConsumerService Location URL fromyourdownloadedserviceprovidermetadataintoSign-OnURL.Forexample,
https://AUTH-DOMAIN/saml/SSO/alias/AUTH-DOMAIN .c. ConfiguretheapplicationLogo,ApplicationisMulti-TenantandUserAssignmentRequiredtoAccessAppproperties.d. Enteryour Auth Domain URL intoAppIDURI.e. Enterthe AssertionConsumerService Location URL fromyourdownloadedserviceprovidermetadataintoReplyURL.
© Copyright Pivotal Software Inc, 2013-2018 67 1.2
8. ClicktheSavebutton.
© Copyright Pivotal Software Inc, 2013-2018 68 1.2
9. ClickViewEndpointsanddownloadtheFederationMetadataDocument.
SetupClaimsMapping1. Toenableuserattributemappings,granttheapplicationthefollowingpermissionstoWindowsAzureActiveDirectory:
a. Readdirectorydata.b. Readallgroups.c. Readallusers’fullprofilesorReadallusers’basicprofiles.
© Copyright Pivotal Software Inc, 2013-2018 69 1.2
2. Topassgroupmembershipclaimstotheapplication,performthefollowingsteps:
a. ClickManageManifest.b. ClickDownloadManifestfollowedbyDownloadmanifest.c. Locate groupMembershipClaims andsetthevaluetoeither:
SecurityGroup -Groupsclaimwillcontainidentifiersofallsecuritygroupsofwhichtheuserisamember.All -Groupsclaimwillcontaintheidentifiersofallsecuritygroupsanddistributionlistsofwhichtheuserisamember.
d. ClickManageManifest.e. ClickUploadManifestandselectthemodifiedmanifest.
© Copyright Pivotal Software Inc, 2013-2018 70 1.2
ConfigureaSingleSign-OnServiceProviderThistopicdescribeshowtoaddanexternalidentityprovidertoyourPivotalSingleSign-On(SSO)serviceplan.
SettingupSAML1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickNewIdentityProvidertocreateanewidentityprovider.
4. Tocreateanewidentityprovider,performthefollowingsteps:
a. EnteranidentityprovidernameintoIdentityProviderName.b. (Optional)EnteradescriptionintoIdentityProviderDescription.c. ClickSAMLFileMetadata(optional)follwedbyclickingtheUploadIdentityProviderMetadatabuttontouploadyourmetadataXML.
Note:TheSingleSign-OndoesnotsupportDOSfileformatimports.Convertthefileinoneofthefollowingways:
Option1:Execute dos2unix onthemetadatafile.
© Copyright Pivotal Software Inc, 2013-2018 71 1.2
d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.
5. ClickCreateIdentityProvider.
ConfigureGroupPermissions1. AddgroupstobepropagatedfromtheexternalidentityprovidertotheIDtokenbyfollowingthesesteps:
a. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.b. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.c. ClickGroupWhitelistnexttoyouridentityprovider.d. Enterthegroupnames.e. ClickSaveGroupWhitelist.
2. MapthegroupstoresourcesdefinedintheSSOservicebyfollowingthesesteps:
a. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.b. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.c. ClickResourcePermissions.d. ClickNewPermissionsMappingandperformthefollowingsteps:
i. EnteraGroupName.ii. ForSelectPermissions,selectthepermissionsthatthemembersofthegroupfromtheexternalidentityprovidershouldhaveaccessto.iii. ClickSavePermissionsMapping.
Option2:CreateaUnixfile,thencopyandpastethecontentsfromthedownloadedmetadatafiletothenewlycreatedfile.
© Copyright Pivotal Software Inc, 2013-2018 72 1.2
TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandAzureActiveDirectory.Anadministratorcantestbothserviceproviderandidentityproviderconnections.
TestYourServiceProviderConnection1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN andnavigatetotheorganizationandspacewhereyourapplicationislocated.
2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplication.ClickontheserviceinstanceandclickManage.
3. UndertheAppstab,clickyourapplication.
© Copyright Pivotal Software Inc, 2013-2018 73 1.2
4. UnderIdentityProviders,selecttheAzureADidentityprovider.
5. ReturntoAppsManagerandclickontheURLbelowyourapplicationtoberedirectedtotheidentityprovidertoauthenticate.
© Copyright Pivotal Software Inc, 2013-2018 74 1.2
6. Clickthelink.
7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignIn.
8. Theapplicationasksforauthorizationtothenecessaryscopes.ClickAuthorize.
© Copyright Pivotal Software Inc, 2013-2018 75 1.2
9. TheaccesstokenandIDtokendisplays.
© Copyright Pivotal Software Inc, 2013-2018 76 1.2
TestYourIdentityProviderConnection
1. SignintoAzureAD.
Note:SSOdoesnotsupportidentityprovider-initiatedflowintoapplications,butitdoesredirecttheusertotheUserAccountandAuthentication(UAA)pagetoselectapplicationsassignedtotheuser.
© Copyright Pivotal Software Inc, 2013-2018 77 1.2
2. Navigatetoyourapplicationandclickit.
3. Youareredirectedtothepagethatlistsapplicationsyouhaveaccessto.
TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofAzureADaswell.
1. Signintothesampleapplication.InformationabouttheaccessandIDtokendisplays,aswellasthe“Whatdoyouwanttodo?”section.
2. Under“Whatdoyouwanttodo?”,clickLogout.
3. YouareloggedoutandredirectedtotheAzureADloginpage.
© Copyright Pivotal Software Inc, 2013-2018 78 1.2
© Copyright Pivotal Software Inc, 2013-2018 79 1.2
TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenAzureActiveDirectoryandPivotalSingleSign-On(SSO).
AppIDNotFound
Symptom:
Explanations:TheAppIDURIismisconfiguredonAzureAD.
ReplyURLDoesNotMatch
Symptom:
Explanation:TheReplyURLismisconfiguredonAzureAD.
MissingNameID
© Copyright Pivotal Software Inc, 2013-2018 80 1.2
Symptom:
Explanation:Theidentityprovidermetadatahasthe RoleDescriptor elementsorismissingconfigurationsforNameID.SeeConfigureIdentityProviderMetadata.
© Copyright Pivotal Software Inc, 2013-2018 81 1.2
CASingleSign-OnIntegrationGuideOverviewCASingleSign-On(formallyknownasCASiteMinder)isaWebAccessManagementsystemthatsupportsadvancedauthentication,risk-basedsecuritypolicies,andfederatedidentities.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenCASingleSign-OnastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).
SSOsupportsserviceprovider-initiatedauthenticationflowandsinglelogout.Itdoesnotsupportidentityprovider-initiatedauthenticationflow.AllSSOcommunicationtakesplaceoverSSL.
PrerequisitesTointegrateCASingleSign-OnwithPivotalCloudFoundry(PCF),youneedthefollowing:
Pivotal
PCF,version1.7.0orlater
SingleSign-On,version1.1.0orlater
CASingleSign-On
CASingleSign-On12.52
ASignedCertificatebyaCertificateAuthority
CASingleSign-OnIntegrationGuide
ConfiguringCASingleSign-OnwithSSOCompletebothstepsbelowtointegrateyourdeploymentwithCASingleSign-OnandSSO.
1. ConfigureCASingleSign-OnasanIdentityProvider
2. ConfigureaSingleSign-OnServiceProvider
TestingandTroubleshootingTesting
Troubleshooting
Note:ToconfigureSAML,youmusthavetheSingleSign-OnservicebrokerinstalledonyourPCFdeployment.Youneedtocreateaplan,grantanyplanadministrators,andspecifyanyorganizationsthisplanshouldbetheauthenticationauthorityfor.Forhelpconfiguringplans,seetheManageServicePlanstopic..
© Copyright Pivotal Software Inc, 2013-2018 82 1.2
ConfigureCASingleSign-OnasanIdentityProviderThistopicdescribeshowtosetupCASingleSign-OnasyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andCASingleSign-On.
SetupSAMLinPCF1. LogintotheSingleSign-On(SSO)dashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickConfigureSAMLServiceProvider.
4. (Optional)SelectPerformsignedauthenticationrequeststoenforceSSOprivatekeysignatureandidentityprovidervalidation.
5. (Optional)SelectRequiresignedassertionstovalidatetheoriginofsignedresponses.
6. ClickDownloadMetadatatodownloadtheserviceprovidermetadata.
7. ClickSave.
SetupSAMLinCASingleSign-On1. SigninasaCASingleSign-Onadministrator.
2. ClicktheFederationtab.
3. ClickontheEntitieslink.
4. ClicktheCreateEntitybuttonandperformthefollowingsteps:
a. SelectLocalforEntityLocation.b. SelectSAML2IDPforNewEntityType.
© Copyright Pivotal Software Inc, 2013-2018 83 1.2
c. ClicktheNextbutton.
5. IntheEntitiessection,performthefollowingsteps:
a. EnteranEntityID.b. EnteranEntityName.c. EnteraDescription.d. Enterthefully-qualifieddomainnameforyourCASingleSign-OnastheBaseURL.e. SelectorimportaSigningPrivateKeyAlias.f. SelectaNameIDformat.g. ClicktheNextbutton.
6. ConfirmtheEntityDetailsandclicktheFinishbutton.
7. ClicktheFederationtab.
8. ClickontheEntitieslink.
9. ClicktheImportMetadatabuttonandperformthefollowingsteps:
a. ClickBrowseandselectthedownloadedmetadataforMetadatafile.b. SelectRemoteEntityforImportAs.c. SelectCreateNewforOperation.d. ClicktheNextbutton.
10. IntheSelectEntityDefinedinMetadataFilesection,performthefollowingsteps:
a. EnteranEntityName.b. ClicktheNextbutton.
11. IntheSelectKeyEntriestoImportsection,performthefollowingsteps:
a. EnteranAlias.b. ClicktheNextbutton.
12. ConfirmtheEntityDetailsandclicktheFinishbutton.
13. ClickontheFederationtab.
14. ClickCreatePartnershipandselectSAML2IDP->SP.
15. IntheConfigurePartnershipsection,performthefollowingsteps:
© Copyright Pivotal Software Inc, 2013-2018 84 1.2
a. EnteraPartnershipName.b. EnteraDescription.c. SelectapreviouslycreatedlocalentityforLocalIDP.d. SelectapreviouslycreatedremoteentityforRemoteSP.e. EnteraSkewTime.f. AddanyUserDirectories.g. ClicktheNextbutton.
16. ConfigureFederationUsersbyaddingtheusersyouwanttoincludeinthepartnershipandclickNext.
17. IntheAssertionConfigurationsection,performthefollowingsteps:
a. SelectaNameIDFormat.b. SelectUserAttributeastheNameIDType.c. Enter mail astheValue.d. (Optional)UnderAssertionAttributes,specifyanyapplicationorgroupattributesthatyouwanttomaptousersintheIDtoken.
e. ClicktheNextbutton.
18. IntheSSOandSLOsection,performthefollowingsteps:
a. EntertheAuthenticationURL.b. SelectHTTP-PostforSSOBinding.c. SelectBothIDPandSPinitiatedforTransactionsAllowed.d. ClicktheNextbutton.
Note:Thevalueforsendingauser’sgroupsisFMATTR:SM_USERGROUPS.
© Copyright Pivotal Software Inc, 2013-2018 85 1.2
19. IntheSignatureandEncryptionsection,performthefollowingsteps:
a. SelectyourkeyaliasforSigningPrivateKeyAlias.b. SelectyourcertificatealiasforVerificationCertificateAlias.c. ClicktheNextbutton.
20. ConfirmthePartnershipDetailsandclicktheFinishbutton.
21. ClicktheActionbuttonandclickActivate.
22. ClicktheActionbuttonandclickExportMetadata.
© Copyright Pivotal Software Inc, 2013-2018 86 1.2
ConfigureaSingleSign-OnServiceProviderThistopicdescribeshowtoaddanexternalidentityprovidertoyourPivotalSingleSign-On(SSO)serviceplan.
SettingupSAML1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickNewIdentityProvidertocreateanewidentityprovider.
4. Tocreateanewidentityprovider,performthefollowingsteps:
a. EnteranidentityprovidernameinIdentityProviderName.b. (Optional)EnteradescriptioninIdentityProviderDescription.c. ClickSAMLFileMetadata(optional)followedbyclickingtheUploadIdentityProviderMetadatabuttontouploadyourmetadataXML.d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.
5. ClickCreateIdentityProvider.
6. ClickResourcePermissions.
© Copyright Pivotal Software Inc, 2013-2018 87 1.2
7. ClickNewPermissionsMappingandperformthefollowingsteps:
a. EnteraGroupName.b. ForSelectPermissions,selectthepermissionsthatthemembersofthegroupfromtheexternalidentityprovidershouldhaveaccessto.
8. Navigatetotheidentityproviderlist.
9. ClickGroupWhitelistandenterthegroupnamesfromtheexternalidentityproviderthatshouldbepropagatedintheIDtoken.
© Copyright Pivotal Software Inc, 2013-2018 88 1.2
TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandCASingleSign-On.Anadministratorcantestbothserviceproviderandidentityproviderconnections.
TestYourServiceProviderConnection1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN andnavigatetotheorganizationandspacewhereyourapplicationislocated.
2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplication.SelecttheserviceinstanceandclickManage.
3. UndertheAppstab,clickyourapplication.
© Copyright Pivotal Software Inc, 2013-2018 89 1.2
4. UnderIdentityProviders,selecttheCASingleSign-Onidentityprovider.
5. ReturntoAppsManagerandclickontheURLbelowyourapplicationtoberedirectedtotheidentityprovidertoauthenticate.
© Copyright Pivotal Software Inc, 2013-2018 90 1.2
6. Clickthelink.
7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignOn.
8. Theapplicationasksforauthorizationtothenecessaryscopes.ClickAuthorize.
9. TheaccesstokenandIDtokendisplays.
© Copyright Pivotal Software Inc, 2013-2018 91 1.2
TestYourIdentityProviderConnection
1. SignintoCASingleSign-On.
Note:SSOdoesnotsupportidentityprovider-initiatedflowintoapplications,butitdoesredirecttheusertotheUserAccountandAuthentication(UAA)pagetoselectapplicationsassignedtotheuser.
© Copyright Pivotal Software Inc, 2013-2018 92 1.2
2. Navigatetoyourapplicationandclickit.
3. Youareredirectedtothepagethatlistsapplicationsyouhaveaccessto.
TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofCASingleSign-Onaswell.
1. Signintothesampleapplication.InformationabouttheaccessandIDtokendisplays,aswellasthe“Whatdoyouwanttodo?”section.
2. Under“Whatdoyouwanttodo?”,clickLogout.
3. YouareloggedoutandredirectedtotheCASingleSign-Onloginpage.
© Copyright Pivotal Software Inc, 2013-2018 93 1.2
TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenPingOneCloudandPivotalSingleSign-On(SSO).
CASingleSign-OnPartnershipisInactive
Symptom:
Explanations:TheCASingleSign-OnisinactiveinCASingleSign-On.
ServiceProviderEntityIDMisconfigured
Symptom:
Explanation:TheserviceproviderEntityIDismisconfiguredinCASingleSign-On.
IncomingSAMLmessageisinvalid
Symptom:
Explanation:TheidentityproviderEntityIDismisconfiguredinCASingleSign-OnorinPCFSingleSign-On.
TheNameIDFormatwasmisconfiguredinCASingleSign-On
AssertionConsumerServiceURLMisconfigured
Symptom:
© Copyright Pivotal Software Inc, 2013-2018 94 1.2
Explanation:TheserviceproviderAssertionConsumerService(ACS)ismisconfiguredinCASingleSign-On.
AudienceFieldMisconfigured
Symptom:
Explanation:TheserviceproviderAudienceFieldismisconfiguredinCASingleSign-On.
ExpiredCertificate
Symptom:
Explanation:ThecertificatehasexpiredinCASingleSign-On.
IdentityProviderSSOURLMisconfigured
Symptom:
Explanation:TheidentityproviderSSOURLismisconfiguredinPCFSingleSign-On.
© Copyright Pivotal Software Inc, 2013-2018 95 1.2
GoogleCloudPlatformOIDCIntegrationGuideOverviewThisdocumentationdescribeshowtosetupthePivotalCloudFoundry(PCF)SingleSign-OnservicetouseGoogleCloudPlatform(GCP)asanOpenIDConnect(OIDC)identityprovider.
GCPletsyoubuildandhostapplicationsandwebsites,storedata,andanalyzedataonGoogle’sscalableinfrastructure.
PrerequisitesTointegrateGoogleCloudPlatformasasinglesign-onidentityproviderforPCFapps,youneed:
Pivotal
PCFv1.11.0orlaterSSOv1.4.1orlaterinstalledonyourPCFdeploymentAnSSOserviceplanconfiguredwithplanadministratorswhomanageitandorgstouseit.Forhelpconfiguringplans,seeManageServicePlans.
GoogleCloudPlatform
AnactiveGoogleCloudprojectAGCPuseraccountwithprojecteditororhigherprivileges
IntegrateGoogleCloudPlatformOIDCforSSOCompletethestepbelowtosetupGCPasanOIDCidentityproviderfortheSSOservice.
1. ConfigureGCPasanOIDCIdentityProvider
TestandTroubleshootTesting
Troubleshooting
© Copyright Pivotal Software Inc, 2013-2018 96 1.2
ConfigureGCPasanOIDCIdentityProviderThistopicdescribeshowtosetupGoogleCloudPlatform(GCP)asanidentityproviderforaSingleSign-On(SSO)serviceplanbyconfiguringOpenIDConnect(OIDC)integrationinbothPivotalCloudFoundry(PCF)andGCP.
GenerateGCPClientCredentials1. LogintoyourGoogleCloudPlatformconsole.
2. UndertheCredentialstab,clickCreatecredentials>OAuthclientID.
3. Intheconfigurationpanethatappears,selectWebapplicationunderApplicationtypeandenteranyName.UnderRestrictions,leaveAuthorizedJavaScriptOriginsblankandforAuthorizedredirectURIsenteraredirectURIoftheform https://AUTH_DOMAIN/login/callback/ORIGIN_KEY ,where:
AUTH_DOMAIN isthefullURLgeneratedbasedontheAuthDomainsettingyouenteredwhenyoucreatedtheserviceplanthatyouareintegratingwithGCP.ORIGIN_KEY isbasedontheIdentityProviderNameyousetintheSSOdashboardinSetUpOIDCIdentityProviderinSSObelow.Thisvalue
shouldhavenospacesoruppercaseletters.Youmightneedtochangethisvaluelater.
© Copyright Pivotal Software Inc, 2013-2018 97 1.2
4. ClickCreateandrecordtheclientIDandclientsecretgenerated.YouwillenterthesevaluesasyourRelyingPartyOAuthClientIDandRelyingPartyOAuthClientSecretintheSSOdashboardinSetUpOIDCIdentityProviderinSSObelow.
SetUpOIDCIdentityProviderinSSO1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin
yourElasticRuntimetileinOpsManagerundertheCredentialstab.
© Copyright Pivotal Software Inc, 2013-2018 98 1.2
2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.
3. ClickNewIdentityProvider.
4. EnteranIdentityProviderName.ThisvalueinalllowercasewithdashesreplacingspacesbecomesyourOriginKey.Forexample, Example Google
Origin becomes example-google-origin .IfyoudidnotenterthisforyourOAuthClient’sauthorizedredirectURIs,gobackandeditthevalueinGoogleCloudPlatform.
5. EnteraDescription.Spacedevelopersseethisdescriptionwhentheyselectanidentityproviderfortheirapp.
6. SelectOpenIDConnectastheIdentityProvidertype.
7. MakesuretheEnableDiscoverycheckboxisselected,toenableOIDCdiscovery.
8. ForDiscoveryEndpointURL,enter https://accounts.google.com/.well-known/openid-configuration .
9. ClickFetchScopes.
10. EnteryourRelyingPartyOAuthClientIDandRelyingPartyOAuthClientSecretfromtheGenerateGCPClientCredentialsabove.
11. Makesurethat openid and email areselectedasscopes.Youcanselectadditionalscopesifyouwant.
© Copyright Pivotal Software Inc, 2013-2018 99 1.2
12. UnderAdvancedSettings>UserAttributes,map user_name to email .ThisenablesSSOtoidentifytheauthenticateduser.
13. (Optional)Configureadditionalattributemappings.
14. ClickCreateIdentityProvidertosaveyoursettings.
15. (Optional)Enableidentityproviderdiscoveryfortheserviceplan.
© Copyright Pivotal Software Inc, 2013-2018 100 1.2
TestingThistopicdescribeshowaPivotalCloudFoundry(PCF)administratorcantesttheOpenIDConnect(OIDC)connectionbetweentheSingleSign-On(SSO)serviceandGoogleCloudPlatform.
TestYourSingleSign-OnConnection1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN andnavigatetotheorgandspacewhereyourappislocated.
2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapp.
3. SelecttheserviceinstanceandclickManage.
4. UndertheAppstab,selectyourapp.
5. UnderIdentityProviders,selecttheGCPidentityprovider.Removeanyotheridentityproviders.
© Copyright Pivotal Software Inc, 2013-2018 101 1.2
6. ReturntoAppsManagerandclicktheURLlistedbelowyourapptoaccessyourapplication.
7. Navigatetoyourlogin.Youwillberedirectedtotheidentityprovidertoauthenticate.
8. Ontheidentityprovidersign-inpage,enteryourcredentialsandsignin.
9. Iftheapppromptsforauthorizationtothenecessaryscopes,clickAuthorize.
Ifyouarenowloggedintoyourapp,yourGCPOIDCtoSSOconnectionworks.
© Copyright Pivotal Software Inc, 2013-2018 102 1.2
TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenGoogleCloudPlatform(GCP)OpenIDConnect(OIDC)andPivotalSingleSign-On(SSO).
NoLinkforOIDC
Symptom:
Explanation:IncorrectorunavailablediscoveryURL.Nolinkwillappearontheloginpage.
NoOAuthClientFound
Symptom:
© Copyright Pivotal Software Inc, 2013-2018 103 1.2
Explanation:IncorrectOAuthClientIDconfigured.
Unauthorized
Symptom:
Explanation:IncorrectOAuthclientsecretconfigured.
RedirectURIMismatch
© Copyright Pivotal Software Inc, 2013-2018 104 1.2
Symptom:
Explanation:IncorrectauthorizationredirectURIonOAuthClient.
EmptyUsername
Symptom:
Explanation:user_name attributewasnotmappedto email .
Unabletomapclaimtoausername
© Copyright Pivotal Software Inc, 2013-2018 105 1.2
Symptom:
Explanation:Thescopefor“email”wasnotconfigured.Selectthe“email”scopeinyouridentityproviderconfigurations.
© Copyright Pivotal Software Inc, 2013-2018 106 1.2
OktaIntegrationGuideOverviewOktaisanenterpriseidentitymanagementandsinglesign-onservicethatintegrateswithapplicationsinthecloud,on-premises,oronamobiledevice.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenOktaastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).
SSOsupportsserviceprovider-initiatedauthenticationflowandsinglelogout.Itdoesnotsupportidentityprovider-initiatedauthenticationflow.AllSSOcommunicationtakesplaceoverSSL.
PrerequisitesTointegrateOktawithPivotalCloudFoundry(PCF),youneed:
Pivotal
PCF,version1.7.0orlater.
SingleSign-On,version1.1.0orlater.
Okta
Okta,version2016.07orlater.
AuserwithApplicationAdminprivileges.
OktaIntegrationGuide
ConfiguringOktawithSSOCompletebothstepsbelowtointegrateyourdeploymentwithOktaandSSO.
1. ConfigureOktaasanIdentityProvider
2. ConfigureaSingleSign-OnServiceProvider
TestingandTroubleshootingTesting
Troubleshooting
Note:ToconfigureSAML,youmusthavetheSingleSign-OnservicebrokerinstalledonyourPCFdeployment.Youneedtocreateaplan,grantanyplanadministrators,andspecifyanyorganizationsthisplanshouldbetheauthenticationauthorityfor.Forhelpconfiguringplans,seetheManageServicePlanstopic.
© Copyright Pivotal Software Inc, 2013-2018 107 1.2
ConfigureOktaasanIdentityProviderThistopicdescribeshowtosetupOktaasyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andOkta.
SetupSAMLinPCF1. LogintotheSingleSign-On(SSO)dashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickConfigureSAMLServiceProvider.
4. (Optional)SelectPerformsignedauthenticationrequeststoenforceSSOprivatekeysignatureandidentityprovidervalidation.
5. (Optional)SelectRequiresignedassertionstovalidatetheoriginofsignedresponses.
6. ClickDownloadMetadatatodownloadtheserviceprovidermetadata.
7. ClickSave.
8. Openthedownloadedserviceprovidermetadatafile.Youwillrefertothisfileinthenextstep,whenyoufillintheSAMLsettingsinOkta.
SetUpSAMLinOkta1. SigninasanOktaadministrator.
2. NavigatetoyourappandclicktheSignOntab.
3. UnderSettings,clickEdit,andselectSAML2.0.
© Copyright Pivotal Software Inc, 2013-2018 108 1.2
4. ClicktheGeneraltab.
5. UnderSAMLSettings,clicktheEditbuttonfollowedbytheNextbutton.
© Copyright Pivotal Software Inc, 2013-2018 109 1.2
6. IntheSAMLSettingssection:
a. Enterthe AssertionConsumerService Location URL fromyourdownloadedserviceprovidermetadataintoSinglesignonURL.Forexample, https://AUTH-DOMAIN/saml/SSO/alias/AUTH-DOMAIN .
b. EnteryourAuthDomainURLintoAudienceURI(SPEntityID).YoucanviewtheAuthDomainforaplanbyloggingintotheSSOdashboard,clickingthenameofyourplan,andselectingEditPlan.Forexample, https://AUTH-DOMAIN.login.SYSTEM-DOMAIN .ThisvalueisalsoavailableinthedownloadedserviceprovidermetadataastheentityID.
c. SelectaNameIDformat.d. SelectanApplicationusername.
7. (Optional)Toconfiguresinglelogout:
a. ClickShowAdvancedSettings.b. ForEnableSingleLogout,selectAllowapplicationtoinitiatesinglelogout.c. Enterthe SingleLogoutService Location URL fromyourdownloadedserviceprovidermetadataintoSingleLogoutURL.
© Copyright Pivotal Software Inc, 2013-2018 110 1.2
d. Enteryour Auth Domain URL intoSPIssuer.e. ClickUploadSignatureCertificatetouploadthesignaturecertificatefromyourdownloadedserviceprovidermetadata.Youwillneedtocopy
the X509Certificate informationfromthedownloadedserviceprovidermetadata,andreformatitintoavalidcertificatefiletoupload.
8. (Optional)UnderAttributeStatements(Optional),specifyanyattributestatementsthatyouwanttomaptousersintheIDtoken.
9. (Optional)UnderGroupAttributeStatements(Optional),specifyanygroupattributestatementsthatyouwanttomaptousersintheIDtoken.ThisisagroupthatusersbelongtowithinOkta.
10. ClicktheNextbuttonfollowedbytheFinishbutton.
11. ClickIdentityProvidermetadatatodownloadthemetadata,orcopyandsavethelinkaddressoftheIdentityProvidermetadata.YouwillneedthisOktametadataforthenextstep,ConfigureaSingleSign-OnServiceProvider.
© Copyright Pivotal Software Inc, 2013-2018 111 1.2
ConfigureaSingleSign-OnServiceProviderThistopicdescribeshowtoaddanexternalidentityprovidertoyourPivotalSingleSign-On(SSO)serviceplan.
SettingupSAML1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickNewIdentityProvidertocreateanewidentityprovider.
4. Tocreateanewidentityprovider,performthefollowingsteps:
a. EnteranidentityprovidernameintoIdentityProviderName.b. (Optional)EnteradescriptionintoIdentityProviderDescription.c. SpecifyIdentityProviderMetadatafromStep11oftheConfigureOktaasanIdentityProvidertopic.
i. Option1:EnteryourInputIdentityProviderMetadataURLandFetchMetadatatofetchyouridentityprovidermetadatafromanendpoint.
ii. Option2:ClickSAMLFileMetadata(optional)touploadyourmetadataXMLmanually.
d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.
5. ClickCreateIdentityProvider.
© Copyright Pivotal Software Inc, 2013-2018 112 1.2
6. ClickResourcePermissions.
7. ClickNewPermissionsMappingandperformthefollowingsteps:
a. EnteraGroupName.b. ForSelectPermissions,selectthepermissionsthatthemembersofthegroupfromtheexternalidentityprovidershouldhaveaccessto.
8. Navigatetotheidentityproviderlist.
9. ClickGroupWhitelistandenterthegroupnamesfromtheexternalidentityproviderthatshouldbepropagatedintheIDtoken.
© Copyright Pivotal Software Inc, 2013-2018 113 1.2
TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandOktaservices.Anadministratorcantestbothserviceproviderandidentityproviderconnections.
TestYourServiceProviderConnection1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN andnavigatetotheorganizationandspacewhereyourapplicationislocated.
2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplicationandclickManage.
3. UndertheAppstab,clickyourapplication.
© Copyright Pivotal Software Inc, 2013-2018 114 1.2
4. UnderIdentityProviders,selecttheOktaidentityprovider.
5. ReturntoAppsManagerandclickontheURLbelowyourapplicationtoberedirectedtotheidentityprovidertoauthenticate.
6. Clickthelink.
© Copyright Pivotal Software Inc, 2013-2018 115 1.2
7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignIn.
8. Theapplicationasksforauthorizationtothenecessaryscopes.ClickAuthorize.
9. TheaccesstokenandIDtokendisplays.
© Copyright Pivotal Software Inc, 2013-2018 116 1.2
TestYourIdentityProviderConnection
1. SignintoOkta.
Note:SSOdoesnotsupportidentityprovider-initiatedflowintoapplications,butitdoesredirecttheusertotheUserAccountandAuthentication(UAA)pagetoselectapplicationsassignedtotheuser.
© Copyright Pivotal Software Inc, 2013-2018 117 1.2
2. Navigatetotheapplicationtileandclickit.
3. Youareredirectedtothepagethatlistsapplicationsyouhaveaccessto.
TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofOktaaswell.
1. Signintothesampleapplication.InformationabouttheaccessandIDtokendisplays,aswellasthe“Whatdoyouwanttodo?”section.
2. Under“Whatdoyouwanttodo?”,clickLogout.
3. YouareloggedoutandredirectedtotheOktaloginpage.
© Copyright Pivotal Software Inc, 2013-2018 118 1.2
© Copyright Pivotal Software Inc, 2013-2018 119 1.2
TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenOktaandPivotalSingleSign-On(SSO).
PageNotFound
Symptom:
Explanations:TheOktainstanceisinactive.
TheRecipientURLismisconfiguredinOkta.
TheidentityproviderSSOURLismisconfiguredintheSSOplansettings.
NoValidAssertion
Symptom:
© Copyright Pivotal Software Inc, 2013-2018 120 1.2
Explanations:TheserviceproviderEntityIDismisconfiguredinOkta.
TheDestinationURLismisconfiguredinOkta.
WebpageNotAvailable
Symptom:
Explanation:TheSSOURLismisconfiguredinOkta.
MetadataNotFound
Symptom:
Explanation:TheidentityproviderEntityIDismisconfiguredintheSSOplansettings.
© Copyright Pivotal Software Inc, 2013-2018 121 1.2
PingFederateIntegrationGuideOverviewPingFederateisafederationserverthatprovidesidentitymanagement,singlesign-on,andAPIsecurityfortheenterprise.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenPingFederateastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).
SSOsupportsserviceprovider-initiatedauthenticationflowandsinglelogout.Itdoesnotsupportidentityprovider-initiatedauthenticationflow.AllSSOcommunicationtakesplaceoverSSL.
PrerequisitesTointegratePingFederatewithPivotalCloudFoundry(PCF),youneed:
Pivotal
PCF,version1.7.0orlater.
SingleSign-On,version1.1.0orlater.
Ping
PingFederate
AuserwithAdministratorprivileges.
PingFederateIntegrationGuide
ConfiguringPingFederatewithSSOCompletebothstepsbelowtointegrateyourdeploymentwithPingFederateandSSO.
1. ConfigurePingFederateasanIdentityProvider
2. ConfigureaSingleSign-OnServiceProvider
TestingandTroubleshootingTesting
Troubleshooting
Note:ToconfigureSAML,youmusthavetheSingleSign-OnservicebrokerinstalledonyourPCFdeployment.Youneedtocreateaplan,grantanyplanadministrators,andspecifyanyorganizationsthisplanshouldbetheauthenticationauthorityfor.Forhelpconfiguringplans,seetheManageServicePlanstopic.
© Copyright Pivotal Software Inc, 2013-2018 122 1.2
ConfigurePingFederateasanIdentityProviderThistopicdescribeshowtosetupPingFederateasyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andPingFederate.
SetupSAMLinPCF1. LogintotheSingleSign-On(SSO)dashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandchooseManageIdentityProvidersfromthedrop-downmenu.
3. ClickConfigureSAMLServiceProvider.
4. (Optional)SelectPerformsignedauthenticationrequeststoenforceSSOprivatekeysignatureandidentityprovidervalidation.
5. (Optional)SelectRequiresignedassertionstovalidatetheoriginofsignedresponses.
6. ClickDownloadMetadatatodownloadtheserviceprovidermetadata.
7. ClickSave.
SetupSAMLinPingFederate
ConfiguretheConnection1. SigninasaPingFederateadministrator.
2. NavigatetoyouridentityproviderconfigurationsbyclickingontheIDPConfigurationtab.
3. UnderSPConnections,clicktheCreateNewbutton.
© Copyright Pivotal Software Inc, 2013-2018 123 1.2
4. SelecttheBrowserSSOProfilesconnectiontemplateontheConnectionTypetabandclickNext.
5. SelectBrowserSSOontheConnectionOptionstabandclickNext.
6. SelectFileasthemethodforimportingmetadataandclickChoosefiletochoosetheSSOmetadataontheImportMetadatatab.ClickNext.
7. ReviewtheinformationontheMetadataSummarytabandclickNext.
8. EnsurethatthePartner’sEntityID,ConnectionName,andBaseURLfieldspre-populatebasedonthemetadata.ClickNext.
© Copyright Pivotal Software Inc, 2013-2018 124 1.2
ConfigureBrowserSSO1. ClickConfigureBrowserSSOontheBrowserSSOtab.
2. SelecttheIdP-InitiatedSSOandSP-InitiatedSSOoptionsontheSAMLProfilestabandclickNext.
3. EnteryourdesiredassertionvaliditytimefromontheAssertionLifetimetabandclickNext.
4. (Optional)SelectIdP-InitiatedSLOandSP-InitiatedSLOoptionsifyouwishtoenforceSingleLogout.
AssertionCreation1. ClickConfigureAssertionCreationontheAssertionCreationtab.
2. ChoosetheStandardoptionontheIdentityMappingtabandclickNext.
3. SelectaSubjectNameFormatfortheSAML_SUBJECTontheAttributeContracttabandclickNext.
4. ClickMapNewAdapterInstanceontheAuthenticationSourceMappingtab.
5. SelectanAdapterInstanceandclickNext.Theadaptermustincludetheuser’semailaddress.
© Copyright Pivotal Software Inc, 2013-2018 125 1.2
6. SelecttheUseonlytheadaptercontractvaluesintheSAMLassertionoptionontheMappingMethodtabandclickNext.
7. SelectyouradapterinstanceastheSourceandtheemailastheValueontheAttributeContractFullfillmenttabandclickNext.
8. (Optional)SelectanyauthorizationconditionsyouwouldlikeontheIssuanceCriteriatabandclickNext.
9. ClickDoneontheSummarytab.
10. ClickNextontheAuthenticationSourceMappingtab.
11. ClickDoneontheSummarytab.
© Copyright Pivotal Software Inc, 2013-2018 126 1.2
12. ClickNextontheAssertionCreationtab.
ProtocolSettings1. ClickConfigureProtocolSettingsontheProtocolSettingstab.
2. SelectPOSTforBindingandspecifythesinglesign-onendpointurlintheEndpointURLfieldontheAssertionConsumerServiceURLtab.ClickNext
3. SelectPOSTontheAllowableSAMLBindingstabandclickNext.
4. SelectyourdesiredsignaturepoliciesforassertionsontheSignaturePolicytabandclickNext.
5. SelectyourdesiredencryptionpolicyforassertionsontheEncryptionPolicytabandclickNext.
6. ClickDoneontheProtocolSettingsSummarytab.
7. ClickDoneontheBrowserSSOSummarytab.
ConfigureCredentials1. ClickConfigureCredentialsontheCredentialstab.
2. SelecttheSigningCertificatetousewiththeSingleSign-OnserviceandselectIncludethecertificateinthesignatureelement.ClickNext.
© Copyright Pivotal Software Inc, 2013-2018 127 1.2
3. ClickDoneontheSummarytab.
4. ClickNextontheCredentialstab.
5. SelectActivefortheConnectionStatusontheActivation&SummarytabandclickSave.
6. ClickManageAllunderSPConnections.
7. ClickExportMetadataforthedesiredserviceproviderconnection.
8. ChooseaSigningCertificateontheMetadataSigningtabandclickNext.
9. ClickExportontheExport&SummarytabandclickDone.
© Copyright Pivotal Software Inc, 2013-2018 128 1.2
ConfigureaSingleSign-OnServiceProviderThistopicdescribeshowtoaddanexternalidentityprovidertoyourPivotalSingleSign-On(SSO)serviceplan.
SettingupSAML1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandchooseManageIdentityProvidersfromthedrop-downmenu.
3. ClickNewIdentityProvider.
4. Tocreateanewidentityprovider,performthefollowingsteps:
a. EnteranidentityprovidernameintoIdentityProviderName.b. (Optional)EnteradescriptionintoIdentityProviderDescription.c. ClickSAMLFileMetadata(optional),thenclicktheUploadIdentityProviderMetadatabuttontouploadyourmetadataXML.d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.
5. ClickCreateIdentityProvider.
6. ClickResourcePermissions.
© Copyright Pivotal Software Inc, 2013-2018 129 1.2
7. ClickNewPermissionsMappingandperformthefollowingsteps:
a. EnteraGroupName.b. ForSelectPermissions,selectthepermissionsthatthemembersofthegroupfromtheexternalidentityprovidershouldhaveaccessto.
8. Navigatetotheidentityproviderlist.
9. ClickGroupWhitelistandenterthegroupnamesfromtheexternalidentityprovidertopropagateintheIDtokenwhenauserauthenticates.
© Copyright Pivotal Software Inc, 2013-2018 130 1.2
TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandPingFederate.Anadministratorcantestbothserviceproviderandidentityproviderconnections.
TestYourServiceProviderConnection1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN andnavigatetotheorganizationandspacewhereyourapplicationislocated.
2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplication.ClicktheserviceinstanceandthenclickManage.
3. UndertheAppstab,clickyourapplication.
© Copyright Pivotal Software Inc, 2013-2018 131 1.2
4. UnderIdentityProviders,selectthePingFederateidentityprovider.a
5. ReturntoAppsManagerandclicktheURLbelowyourapplicationtoauthenticatewiththeidentityprovider.
© Copyright Pivotal Software Inc, 2013-2018 132 1.2
6. ClickthelinktoLoginviaAuthCodeGrantType.
7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignOn.
8. Theapplicationasksforauthorizationtothenecessaryscopes.ClickAuthorize.
9. ViewtheaccesstokenandIDtoken.
© Copyright Pivotal Software Inc, 2013-2018 133 1.2
TestYourIdentityProviderConnection
1. SignintoPingFederate.
Note:SSOdoesnotsupportidentityprovider-initiatedflowintoapplications,butitdoesredirecttheusertotheUserAccountandAuthentication(UAA)pagetoselectapplicationsassignedtotheuser.
© Copyright Pivotal Software Inc, 2013-2018 134 1.2
2. Navigatetoyourapplicationandclickit.
3. Viewthelistofapplicationsyouhaveaccessto.
TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofPingFederateaswell.
1. Signintothesampleapplication.InformationabouttheaccessandIDtokendisplays,aswellasthe“Whatdoyouwanttodo?”section.
2. UnderWhatdoyouwanttodo?,clickLogout.
3. EnsurethatyouareloggedoutandredirectedtothePingFederateloginpage.
© Copyright Pivotal Software Inc, 2013-2018 135 1.2
© Copyright Pivotal Software Inc, 2013-2018 136 1.2
TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenPingFederateandPivotalSingleSign-On(SSO).
Error
Symptom:
Explanations:ConnectionStatusisdisabledonPingFederate.
TheserviceproviderEntityIDismisconfiguredonPingFederate.
TheidentityproviderSingleSign-OnURLismisconfiguredintheSSOplansettings.
MetadataNotFound
Symptom:
Explanation:TheidentityproviderEntityIDismisconfiguredintheSSOplansettings.
© Copyright Pivotal Software Inc, 2013-2018 137 1.2
PingOneCloudIntegrationGuideOverviewPingOneCloudisanidentity-as-a-servicesolutionthatdeliverssecuresinglesign-ontoSaaS,legacyandwebapplications.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenPingOneCloudastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).
SSOsupportsserviceprovider-initiatedauthenticationflowandsinglelogout.Itdoesnotsupportidentityprovider-initiatedauthenticationflow.AllSSOcommunicationtakesplaceoverSSL.
PrerequisitesTointegratePingOneCloudwithPivotalCloudFoundry(PCF),youneed:
Pivotal
PCF,version1.7.0orlater.
SingleSign-On,version1.1.0orlater.
PingOneCloud
PingOneCloud
AuserwithApplicationAdminprivileges.
PingOneCloudIntegrationGuide
ConfiguringPingOneCloudwithSSOCompletebothstepsbelowtointegrateyourdeploymentwithPingOneCloudandSSO.
1. ConfigurePingOneCloudasanIdentityProvider
2. ConfigureaSingleSign-OnServiceProvider
TestingandTroubleshootingTesting
Troubleshooting
Note:ToconfigureSAML,youmusthavetheSingleSign-OnservicebrokerinstalledonyourPCFdeployment.Youneedtocreateaplan,grantanyplanadministrators,andspecifyanyorganizationsthisplanshouldbetheauthenticationauthorityfor.Forhelpconfiguringplans,seetheManageServicePlanstopic..
© Copyright Pivotal Software Inc, 2013-2018 138 1.2
ConfigurePingOneCloudasanIdentityProviderThistopicdescribeshowtosetupPingOneCloudasyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andPingOneCloud.
SetupSAMLinPCF1. LogintotheSingleSign-On(SSO)dashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickConfigureSAMLServiceProvider.
4. (Optional)SelectPerformsignedauthenticationrequeststoenforceSSOprivatekeysignatureandidentityprovidervalidation.
5. (Optional)SelectRequiresignedassertionstovalidatetheoriginofsignedresponses.
6. ClickDownloadMetadatatodownloadtheserviceprovidermetadata.
7. ClickSave.
SetupSAMLinPingOneCloud1. SigninasaPingOneCloudadministrator.
2. NavigatetoyourapplicationbyclickingontheApplicationstab.
3. ClicktheAddApplicationbuttonandchooseNewSAMLApplication.
© Copyright Pivotal Software Inc, 2013-2018 139 1.2
4. EntertheApplicationName,ApplicationDescription,CategoryandanyGraphics.
5. ClicktheContinuetoNextStepbuttontoconfigureSAML.
© Copyright Pivotal Software Inc, 2013-2018 140 1.2
6. IntheApplicationConfigurationsection,performthefollowingsteps:
a. SelectIhavetheSAMLconfiguration.b. ForSAMLMetadata,clickDownloadtodownloadtheidentityprovidermetadata.c. ForProtocalVersion,selectSAMLv2.0.d. ForUploadMetadata,clickSelectFileandselecttheserviceprovidermetadata.e. ClicktheContinuetoNextStepbutton.
7. (Optional)UnderSSOAttributeMapping,specifyanyapplicationorgroupattributesthatyouwanttomaptousersintheIDtoken.
© Copyright Pivotal Software Inc, 2013-2018 141 1.2
8. ClicktheSave&PublishbuttonfollowedbytheFinishbutton.
© Copyright Pivotal Software Inc, 2013-2018 142 1.2
ConfigureaSingleSign-OnServiceProviderThistopicdescribeshowtoaddanexternalidentityprovidertoyourPivotalSingleSign-On(SSO)serviceplan.
SettingupSAML1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.
2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.
3. ClickNewIdentityProvidertocreateanewidentityprovider.
4. Tocreateanewidentityprovider,performthefollowingsteps:
a. EnteranidentityprovidernameintoIdentityProviderName.b. (Optional)EnteradescriptionintoIdentityProviderDescription.c. ClickSAMLFileMetadata(optional)follwedbyclickingtheUploadIdentityProviderMetadatabuttontouploadyourmetadataXML.d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.
5. ClickCreateIdentityProvider.
6. ClickResourcePermissions.
© Copyright Pivotal Software Inc, 2013-2018 143 1.2
7. ClickNewPermissionsMappingandperformthefollowingsteps:
a. EnteraGroupName.b. ForSelectPermissions,selectthepermissionsthatthemembersofthegroupfromtheexternalidentityprovidershouldhaveaccessto.
8. Navigatetotheidentityproviderlist.
9. ClickGroupWhitelistandenterthegroupnamesfromtheexternalidentityproviderthatshouldbepropagatedintheIDtoken.
© Copyright Pivotal Software Inc, 2013-2018 144 1.2
TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandPingOneCloud.Anadministratorcantestbothserviceproviderandidentityproviderconnections.
TestYourServiceProviderConnection1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN andnavigatetotheorganizationandspacewhereyourapplicationislocated.
2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplication.ClickontheserviceinstanceandclickManage.
3. UndertheAppstab,clickyourapplication.
© Copyright Pivotal Software Inc, 2013-2018 145 1.2
4. UnderIdentityProviders,selectthePingOneidentityprovider.
5. ReturntoAppsManagerandclickontheURLbelowyourapplicationtoberedirectedtotheidentityprovidertoauthenticate.
© Copyright Pivotal Software Inc, 2013-2018 146 1.2
6. Clickthelink.
7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignOn.
8. Theapplicationasksforauthorizationtothenecessaryscopes.ClickAuthorize.
© Copyright Pivotal Software Inc, 2013-2018 147 1.2
9. TheaccesstokenandIDtokendisplays.
© Copyright Pivotal Software Inc, 2013-2018 148 1.2
TestYourIdentityProviderConnection
1. SignintoPingOne.
Note:SSOdoesnotsupportidentityprovider-initiatedflowintoapplications,butitdoesredirecttheusertotheUserAccountandAuthentication(UAA)pagetoselectapplicationsassignedtotheuser.
© Copyright Pivotal Software Inc, 2013-2018 149 1.2
2. Navigatetoyourapplicationandclickit.
3. Youareredirectedtothepagethatlistsapplicationsyouhaveaccessto.
TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofPingOneaswell.
1. Signintothesampleapplication.InformationabouttheaccessandIDtokendisplays,aswellasthe“Whatdoyouwanttodo?”section.
2. Under“Whatdoyouwanttodo?”,clickLogout.
3. YouareloggedoutandredirectedtothePingOneloginpage.
© Copyright Pivotal Software Inc, 2013-2018 150 1.2
© Copyright Pivotal Software Inc, 2013-2018 151 1.2
TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenPingOneCloudandPivotalSingleSign-On(SSO).
Error
Symptom:
Explanations:SingleSign-OnisdisabledonPingOne.
TheserviceproviderEntityIDismisconfiguredonPingOne.
TheidentityproviderSingleSign-OnURLismisconfiguredintheSSOplansettings.
Somethingwentamiss
Symptom:
Explanation:TheserviceproviderAssertionConsumerService(ACS)ismisconfiguredonPingOne.
© Copyright Pivotal Software Inc, 2013-2018 152 1.2
MetadataNotFound
Symptom:
Explanation:TheidentityproviderEntityIDismisconfiguredintheSSOplansettings.
MissingNameID
Symptom:
Explanation:TheidentityprovidermetadataismissingconfigurationsforNameID.SeeConfigureIdentityProviderMetadata.
© Copyright Pivotal Software Inc, 2013-2018 153 1.2