Single Sign-On for PCF Documentation

Single Sign-On for PCF®

DocumentationVersion 1.4

Published: 11 March 2019

© 2019 Pivotal Software, Inc. All Rights Reserved.

23689

1013151722242835373839404243535562636471738082838789949697

101103107108112114120122123129131137138139143145152

Table of ContentsTable of ContentsSingle Sign-On OverviewRelease NotesInstallationGetting Started with Single Sign-OnUsing the System PlanManage Service PlansManage Service InstancesConfigure Identity ProvidersIdentity Provider DiscoveryManage UsersConfigure ApplicationsWeb AppNative Mobile AppSingle-Page Javascript AppService-to-Service AppManage ResourcesActive Directory Federation Services Integration Guide OverviewConfigure Active Directory Federation Services as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingAzure Active Directory SAML Integration Guide OverviewConfigure Azure Active Directory as a SAML Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingCA Single Sign-On Integration Guide OverviewConfigure CA Single Sign-On as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingGoogle Cloud Platform OIDC Integration Guide OverviewConfigure GCP as an OIDC Identity ProviderTestingTroubleshootingOkta Integration Guide OverviewConfigure Okta as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingPingFederate Integration Guide OverviewConfigure PingFederate as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshootingPingOne Cloud Integration Guide OverviewConfigure PingOne Cloud as an Identity ProviderConfigure a Single Sign-On Service ProviderTestingTroubleshooting

© Copyright Pivotal Software Inc, 2013-2018 2 1.2

SingleSign-OnOverview

ThistopicprovidesanoverviewoftheSingleSign-On serviceforPivotalCloudFoundry(PCF).

TheSingleSign-Onserviceisanall-in-onesolutionforsecuringaccesstoapplicationsandAPIsonPCF.TheSingleSign-Onserviceprovidessupportfornativeauthentication,federatedsinglesign-on,andauthorization.Operatorscanconfigurenativeauthenticationandfederatedsinglesign-on,forexampleSAML,toverifytheidentitiesofapplicationusers.Afterauthentication,theSingleSign-OnserviceusesOAuth2.0tosecureresourcesorAPIs.

SingleSign-OnTheSingleSign-Onserviceallowsuserstologinthroughasinglesign-onserviceandaccessotherapplicationsthatarehostedorprotectedbytheservice.Thisimprovessecurityandproductivitysinceusersdonothavetologintoindividualapplications.

Developersareresponsibleforselectingtheauthenticationmethodforapplicationusers.TheycanselectnativeauthenticationprovidedbytheUserAccountandAuthentication(UAA)orexternalidentityproviders.UAAisanopensourceidentityserverprojectundertheCloudFoundry(CF)foundationthatprovidesidentitybasedsecurityforapplicationsandAPIs.

SSOsupportsserviceprovider-initiatedauthenticationflowandsinglelogout.Itdoesnotsupportidentityprovider-initiatedauthenticationflow.AllSSOcommunicationtakesplaceoverSSL.

OAuth2.0AuthorizationAfterauthentication,theSingleSign-OnserviceusesOAuth2.0forauthorization.OAuth2.0isanauthorizationframeworkthatdelegatesaccesstoapplicationstoaccessresourcesonbehalfofaresourceowner.

DevelopersdefineresourcesrequiredbyanapplicationboundtoaSingleSign-On(SSO)serviceinstanceandadministratorsgrantresourcepermissions.SeetheConfigureApplicationstopicformoredetails.

ProductSnapshotThefollowingtableprovidesversionandversion-supportinformationaboutSingleSign-On forPCF:

Element Details

Version v1.4.6

Releasedate November9,2017

CompatibleOpsManagerversion(s) v1.11orlater

CompatibleElasticRuntimeversion(s) v1.11orlater

IaaSsupport AWS,GCP,OpenStack,andvSphere

UpgradingtotheLatestVersionConsiderthefollowingcompatibilityinformationbeforeupgradingSingleSign-OnforPCF.PivotalrecommendsupgradingPCFbeforeupgradingSSOtothesupportedversion.Forexample,whenupgradingfromPCFv1.10toPCFv1.11,upgradePCFsothatSSOv1.3isrunningonPCFv1.11,andthenupgradeSSOv1.3toSSOv1.4assoonaspossible.

ElasticRuntimeVersionSupportedUpgradesfromSSOVersions

From To

1.6.x 1.0.1–1.0.25 1.0.26

1.7.x1.0.1–1.0.26

1.1.41.1.0–1.1.3

1.1.0–1.1.4

Note:SingleSign-OnforPCFv1.4isnolongersupported.Thesupportperiodforv1.4hasexpired.Tostayup-to-datewiththelatestsoftwareandsecurityupdates,upgradetoasupportedversion.


https://network.pivotal.io/products/p-identity


1.8.x 1.2.0–1.2.3 1.2.4

1.9.x&1.10.x 1.2.0–1.2.4 1.3.6

1.11.x 1.3.0-1.3.6 1.4.x

1.12.x1.4.1-1.4.6

1.5.31.5.0-1.5.2

2.0.x 1.5.3 1.6.0

2.1.x 1.6.0 1.6.x

SingleSign-OnforPCFInstallation

GettingStartedwithSingleSign-On

UsingtheSystemPlan

ManageServicePlans

ManageServiceInstances

ConfigureIdentityProviders

IdentityProviderDiscovery

ManageUsers

ConfigureApplications

AuthorizationCodeGrantTypeImplicitGrantTypeClientCredentialsGrantTypeResourceOwnerPasswordCredentialsGrantType

ManageResources

ActiveDirectoryFederationServices(ADFS)IntegrationGuideActiveDirectoryFederationServicesIntegrationGuide

ConfigureActiveDirectoryFederationServicesasanIdentityProviderConfigureSSOServiceTestingTroubleshooting

AzureActiveDirectoryIntegrationGuideAzureActiveDirectorySAMLIntegrationGuide

ConfigureAzureActiveDirectoryasaSAMLIdentityProviderConfigureSSOServiceTestingTroubleshooting

Note:TheSingleSign-OnservicetileoperatesinlockstepwithElasticRuntime.TheSSOv1.1.xtilesarecompatiblewithPCFv1.7.x

TheSSOv1.2.xtilesarecompatiblewithPCFv1.8.xandlater



Note:SSOv1.4.1–v1.4.3arenotcompatiblewithPCFv1.12withoutusingtheworkaroundinthecorrespondingKnowledgeBase article.


https://discuss.pivotal.io/hc/en-us/articles/115012480807

CASingleSign-OnIntegrationGuideCASingleSign-OnIntegrationGuide

ConfigureCASingleSign-OnasanIdentityProviderConfigureSSOServiceTestingTroubleshooting

GoogleCloudPlatformOpenIDConnectIntegrationGuideGoogleCloudPlatformOpenIDConnectIntegrationGuide

ConfigureGCPasanOIDCIdentityProviderTestingTroubleshooting

OktaIntegrationGuideOktaIntegrationGuide

ConfigureOktaasanIdentityProviderConfigureSSOServiceTestingTroubleshooting

PingFederateIntegrationGuidePingFederateIntegrationGuide

ConfigurePingFederateasanIdentityProviderConfigureSSOServiceTestingTroubleshooting

PingOneCloudIntegrationGuidePingOneCloudIntegrationGuide

ConfigurePingOneasanIdentityProviderConfigureSSOServiceTestingTroubleshooting

AdditionalInformationReleaseNotes


ReleaseNotes

ViewReleaseNotesforAnotherVersionToviewthereleasenotesforanotherproductversion,selecttheversionfromthedrop-downlistatthetopofthispage.

v1.4.x

v1.4.6ReleaseDate:November9,2017

PCFupdatedstemcellto3445series.ThisisasecurityupgradetobumpUbuntustemcellsforUSN-3420-2:Linuxkernel(XenialHWE)vulnerabilities.

v1.4.5ReleaseDate:October24,2017

Thisreleaseaddressesanissuewithmanagingserviceinstanceswhenmorethan50SpaceDevelopersexistwithinaspace.

v1.4.4ReleaseDate:September27,2017

ThisreleaseaddressestheupgradeissuesfortheSingleSign-OnServicetilewhenlegalfooterlinksareconfigured.

ThisreleaseaddressesaJavaBuildpackissuethatcausesrequiredmemorytoincreaseto1GB.

v1.4.3ReleaseDate:August30,2017

ThisisasecurityupgradethatresolvesthefollowingCVEs:

CVE-2017-8040

CVE-2017-8041

CVE-2017-8044

Additionalinformationcanbefoundathttps://pivotal.io/security .

v1.4.2ReleaseDate:June21,2017

PCFupdatedstemcellto3363series.ThisisasecurityupgradetobumpUbuntustemcellsforUSN-3334-1:Linuxkernel(XenialHWE)vulnerabilities.

v1.4.1ReleaseDate:June15,2017

What’sNew

ApplicationbootstrappingisavailableforappdeveloperstoautomatesandquicklyonboardclientandresourceconfigurationstoSingleSign-On.See


https://pivotal.io/security/cve-2017-8040



https://pivotal.io/security

theSetUpPCFAppstoUseSSO topicformoreinformation.

AdminUserManagementinterfaceenablesplanadministratorstobrowseandmanageusersacrosstheiridentityprovidersthroughasimpleuserinterfaceasopposedtothroughtheUIstohelpimproveproductivity.SeetheManageUserstopicformoreinformation.

OpenIDConnectandLDAPidentityproviderinterfacesarenowavailable.Planadministratorscannowimprovetheirproductivitybyutilizingasimpleuserinterfacetoconfigureandmaintaintheiridentityproviders.SeetheConfigureIdentityProviderstopicformoreinformation.

Youcanallowcustomattributestobemadeavailablethroughthe/userinfoendpointforyourexternalidentityproviders.Thiscanstreamlineuserattributesforyourapplications.Yourapplicationmusthavethe user_attributes tokenoncecustomattributesmappingsand Persist Custom Attributes areconfiguredforyouridentityprovider.

Youcanconfigurerequiredusergroupsthroughbootstrapping.Requireusergroupsaregroupsthatusersmusthaveinordertoauthenticatetoyourapplicationandobtainanaccesstoken.


https://docs.pivotal.io/p-identity/1-4/configure-apps/#internal

InstallationThistopicexplainshowtoinstallSingleSign-On(SSO)forPivotalCloudFoundry.

PrerequisitesPivotalCloudFoundry(OpsManager andElasticRuntime )version1.11orlater.

SSLCertificates.

ApplicationSecurityGroups.

InstallSSOviaOpsManager1. FromPivotalNetwork ,selectaSingleSign-Ontileversionanddownloadtheproductreleasefile.

2. FromtheOpsManagerInstallationDashboard,selecttheImportaProductbuttontouploadtheproductfile.

3. Clicktheplussigniconnexttotheuploadedproducttoaddthisproducttoyourstagingarea.

4. ClickontheSingleSign-Ontiletoenteranyconfigurations.

5. ClickApplyChangestoinstalltheproduct.

UpdateSSLandLoadBalancerYoumustupdatetheSSLcertificateforthedomainslistedbelowforeachplanyoucreate.Dependingonyourinfrastructureandloadbalancer,youmustalsoupdateyourloadbalancerconfigurationforthefollowingdomains:

*.SYSTEM-DOMAIN

*.APPS-DOMAIN

*.login.SYSTEM-DOMAIN

*.uaa.SYSTEM-DOMAIN

ConfigureApplicationSecurityGroupsTheSingleSign-Onservicerequiresthefollowingnetworkconnections:

TCPconnectiontoloadbalancer(s)onport443

TCPandUDPconnectiontoDomainNameServersonport53

(Optional)TCPconnectiontoyourexternalidentityprovideronport80or443

ToenableaccesstotheSingleSign-Onservice,youmustensureyourApplicationSecurityGroupallowsaccesstotheloadbalancer(s)anddomainnameserversthatprovideaccesstoCloudControllerandUAA.Optionally,youcanconfigureaccesstoyourexternalidentityprovidertoreceiveSAMLmetadata.Formoredetailsonhowtosetupapplicationsecuritygroups,seetheApplicationSecurityGroups topic.

Note:TheSingleSign-Onservicetilerequiresanetworkwithonlyonesubnetuntilversion1.3.0.Startingwith1.3.1multiplesubnetsaresupported.

Note:TheSSOIdentityServiceBrokerisdeployedasaPCFapplicationfromaBOSHerrand,andhasnoassociatedBOSHVMsthatrequireselectingacorrespondingnetwork.Ifyouareforcedtoselectanetworkduringinstallation,selecttheDeploymentnetwork,alsoknownasthePASorERTnetwork.


https://network.pivotal.io/products/ops-manager

https://network.pivotal.io/products/elastic-runtime


http://docs.pivotal.io/pivotalcf/1-7/adminguide/app-sec-groups.html

GettingStartedwithSingleSign-OnThistopicoutlinesthestepsforinstallingandconfiguringtheSingleSign-On service.

InstallandSetUpSSOforApplications1. InstallSingleSign-OnviaOpsManager.

2. Createaserviceplan.TheSingleSign-Onserviceisamulti-tenantservice,andaserviceplancorrespondstoatenant.Thisallowsanenterprisetosegregateusersorenvironmentsusingplans.Eachserviceplanisaccessibleatatenant-specificURLintheformat https://AUTH-DOMAIN.login.SYSTEM-

DOMAIN .

3. Createaserviceinstance.SingleSign-Onserviceplanscanprovidesinglesign-oncapabilitiesforapplicationsinvariousspaces.Aserviceinstanceletsyoubindanapplicationtoaserviceplan.

4. Configureanidentityprovider.InadditiontotheInternalUserStore,youcanconfigureexternalidentityproviderstoprovidesinglesign-ontoapplications.

5. Configureyourapplications .SingleSign-OnsupportsbothPivotalCloudFoundry-hostedapplicationsaswellasexternallyhostedapplications.YourapplicationsmustbeabletorequestanOAuthorOpenIDConnecttoken.

6. Createresourcesforyourapplications.IfyourregisteredapplicationsneedtomakeexternalAPIcalls,youcanassigntheAPIendpointsasresourcespermittedfortheapplication.Thiswillwhitelisttheendpointsforusebytheapplicationorclient.

SSOUserRolesAuser’sroledetermineswhichpartsofanSSOconfigurationitcanmanage.SSOusestheexistinguserrolesPCFAdministratorandSpaceDeveloper,aswellasaSSO-specificPlanAdministratorrole.Thischartshowsthemanagementpermissionsforeachrole.

Managementaccessbyrole PCFAdministrator PlanAdministrator SpaceDeveloper

Serviceplans X

Serviceinstances X X X

Identityproviders X X

Applications X X X

Resources X X X

UsingSSOforPivotalCloudFoundryComponentsInadditiontoapplications,SSOsupportssinglesign-onforcomponentsofPivotalCloudFoundry,includingOpsManagerandAppsManager.ThisallowsusersalreadymanagedinanexternalidentityprovidertosignintoPivotalservices.RefertothefollowingpagesforinstructionsonconfiguringSSOtoenableusersinanexternalidentitystoretoaccessPCFcomponents:

OpsManager,onAmazonWebServices ,vSphere ,orOpenStack

AppsManager



https://docs.pivotal.io/p-identity/1-4/configure-apps/

http://docs.pivotal.io/pivotalcf/customizing/cloudform-om-config.html#idp

http://docs.pivotal.io/pivotalcf/customizing/vsphere-config.html#idp

http://docs.pivotal.io/pivotalcf/customizing/openstack-om-config.html#idp

http://docs.pivotal.io/pivotalcf/opsguide/auth-sso.html

UsingtheSystemPlanThistopicexplainshowtousethesystemplanfortheSingleSign-On(SSO)serviceforPivotalCloudFoundry(PCF).Thesystemplanisthedefaultplanmeantfordeveloperapps,notend-userapps.

SSOforPCFcomeswithadefault system planthathasthefollowingfeatures:

Read-only

Minimalconfigurationoptions

Notdeletable

Allowsdeveloper-levelaccesstosystemcomponentslikeElasticRuntimeanditsAPIs

AvailableonlytoPCFadministrators

Restrictingthevisibilityofthissystemplantoasingle,developer-appsonlyorgsecuressystemcomponents,followingtheprincipleofleastprivilege.

Examplesofdeveloperappsincludescriptsorpipelinesthatpushotherappsandservices.AnyappthatusestheCloudFoundryAPIisadeveloperapp.

SystemPlanBestPracticePivotalrecommendsconfiguringyourorgsandSSOplansasfollowstopreventanyonefromapplyingthesystemplantoend-userapps:

1. Restrictalldeveloperappstoasingleorg.

2. Makethesystemplanvisibleonlytothedeveloper-appsorg.

3. ConfigureotherorgswithSSOserviceplansoftheirown.

Developerscanthenself-registertheirdevelopersappsinthedeveloper-appsorgforusebyotherdevelopers.

Administrators:ConfiguretheSystemPlanforanOrgPCFadministratorsfollowthestepsbelowtoenablethesystemplanandprovideaccesstoappdevelopers:

1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.InyourElasticRuntimetileinOpsManager,theDomainsettingsshowyoursystemdomain,andtheCredentialstabshowstheUAAAdminCredentials.

2. NavigatetotheSystemPlanandenabletheplanintherelevantorg(s).


Developers:CreateaSystemPlanInstanceforyourAppFollowthestepsbelowtocreateandusethe system serviceplanwithyourdeveloperapps.

1. FollowthestepstoCreateaServiceInstanceofSSO.


2. IfyourapprunsonPCF,bindtheapplicationwiththeserviceinstanceyoucreated.SeetheBindanApplicationHostedonPCF topicformoreinformation.

3. IfyourappisapipelineorascriptthatrunsexternaltoPCFbutcallsPCFAPIs,dothefollowing:

a. FollowtheinstructionstoRegisteranExternalApplication andusetheguidelinesbelow:

ChooseNativeAppforyourapplicationtype.Intheappconfiguration,setavaluefortheRefreshtokenlifetimebasedonyourusecaseforautomatedaccess.

b. Togiveyouryourpipelineorscriptaccesstoyourresourceswithoutyourpresence,embedarefreshtokeninsteadofhardcodingyourcredentials:

i. Run uaac token sso get .ii. Attheprompts,entertheClientIDandSecretfromtheNextStepssectionoftheSSOdashboard.CopytheauthenticationURLfromthe

commandoutput.iii. PastetheauthenticationURLintoabrowser,andloginusingyourUAAAdminCredentials.iv. CopytheTemporaryAuthenticationCodefromthebrowserintotheUAACtofinishtheauthentication.v. Run uaac context .vi. Copythevalueoftherefreshtokenandusethatinyourcodetogetanewtokenbasedonyourclientidandsecretusingthestandard

OAuthrefreshtokenflowasdescribedintheUAAAPIdocumentation .

Developers:RevokeSystemPlanAccessforanExternalAppTorevokesystemplanaccessfromanappthatisexternaltoPCFandisregisteredwiththesystemplantoaccessPCFcomponents,dooneofthefollowing:

RegeneratetheAppSecret

Deletetheapp


https://docs.pivotal.io/p-identity/1-4/configure-apps/#bind

https://docs.pivotal.io/p-identity/1-4/configure-apps/#register

http://docs.cloudfoundry.org/api/uaa/#refresh-token

ManageServicePlansThistopicdescribeshowPivotalCloudFoundry(PCF)AdministratorsmanageSingleSign-Onserviceplans.

SingleSign-Onisamulti-tenantservice,whichenablesadeploymenttohostmultipletenantsasserviceplans.Eachserviceplancanhaveitsownadministrators,applicationsandusers.Thisletsenterprisessegregateaccessbyusingseparateplans.Forexample,thefollowingtenantsmightrequireseparateplans:

Businessunitsandgeographicallocations

Employees,consumers,andpartners

Development,staging,andproductioninstances

AdministratorscancreatenewSingleSign-OnserviceplansatanytimefromtheSSOdashboard.

CreateorEditServicePlansYoucanusetheSSOdashboardtocreateandconfigureserviceplansatanytime.

1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.

2. ClickNewPlanontheSSOdashboardtocreateanewSingleSign-Onserviceplan.

Note:Youmustcreateatleastoneplanforanyservicebeforeyourapplicationscanuseit.


3. EnteraPlanName.

4. EnteraDescriptiontoappearasaplanfeatureintheServicesMarketplace.

5. EnteranAuthDomaintobetheURLwhereusersauthenticatetoaccessapplicationscoveredbytheserviceplan.

6. EnteranInstanceNametoappearontheloginpageandinotheruser-facingcontent,suchasemailcommunications.

7. AddPlanAdministrators.Theseuserscanviewtheplanandmanageidentityproviders.

8. UnderOrgVisibility,selectwhichorganizationsinyourPivotalCloudFoundrydeploymentshouldhaveaccesstoyourSingleSign-Onserviceplan.Ifyoudonotselectanyorganizations,theplanwillnotbeavailableforuseanditwillnotbedisplayedintheServicesMarketplace.

9. ClickCreatePlan.YournewplanappearsintheServicesMarketplaceintheorganizationsyouhaveselected.UsersinthoseorganizationsviewtheplaneitherinAppsManagerorthroughtheCFCLIbyentering cf marketplace inaterminalwindow.

DeleteServicePlans1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin

yourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.

2. Selectthenameoftheplanyouwanttodelete,andclickEditPlaninthedrop-downmenu.

3. SelectDeleteatthebottomofthepage.

4. Inthepopupthatappears,clickDeletePlantoconfirmthatyouwanttodeletetheplan.

ConfigureaTokenPolicyAccesstokenscarryinformationaboutusersandclientstoserversthatmanageresources.Serversuseaccesstokenstodeterminewhethertheclientisauthorizedornot.Accesstokenstypicallyhaveashort-livedexpirationtime.Refreshtokenscarryinformationnecessarytoretrieveanewaccesstokenafteranexistingaccesstokenexpires.Refreshtokenstypicallyhavealongerexpirationtimethanaccesstokens.

1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.

2. Selectthenameoftheplanyouwanttoconfigureatokenpolicyfor,andclickConfigureinthedrop-downmenu.

3. EnterthenumberofsecondsforAccessTokenExpirationorselectUseSystemDefault.

4. EnterthenumberofsecondsforRefreshTokenExpirationorselectUseSystemDefault.

5. ClickSave.

Note:Thisactioncannotbeundone.DeletingaSingleSign-OnserviceplanremovesfromtheSSOdatabasealloftheconfigurations,identityproviders,users,applicationconfigurationsandresourcesassociatedwiththeplan.Italsodeletestheassociatedserviceinstancesandservicebindings.Youmustrebindanyapplicationsboundtothedeletedserviceinstancestonewserviceinstances.

Note:TheSingleSign-Onserviceallowsadministratorstooverridethedefaultexpiryofaccesstokens(12hours)andrefreshtokens(30days)byzone.


ManageServiceInstancesThistopicdescribeshowSpaceDeveloperscreateaninstanceofaSingleSign-Onserviceplanintheirspaceandbindittoanapplication.

CreateServiceInstances1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN asaSpaceDeveloper.

2. Navigatetotheorganizationthattheserviceplanisenabledfor.

3. SelectMarketplaceandselecttheSingleSign-Onserviceyouwanttocreateaninstanceof.

4. ChooseyourserviceplanandclickSelectthisplan.

5. IntheConfigureInstancebox,enteranInstanceName.

1. FromtheAddtoSpacedrop-downmenu,chooseaspacefortheinstance.Thisspacehostsyourapplication.Thedefaultis development .

2. FromtheBindtoAppdrop-downmenu,chooseanapplicationtobindtheserviceinstanceto.Thisoptiondefaultsto [do not bind] .Ifyoudonotbindtheinstancetoanapp,youcanbinditatalatertime.

3. ClickAddtocreatetheserviceinstance.

DeleteServiceInstances1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN asaSpaceDeveloper.

2. Navigatetotheorganizationandspacethatcontaintheserviceinstanceyouwanttodelete.

3. UnderServicesinthespacepage,findyourserviceinstanceandclickDelete.

4. ClickDeleteonthepop-uptoconfirmthatyouwanttodeletetheserviceinstanceandservicebindings.

Note:Thisactioncannotbeundone.DeletingaSingleSign-Onserviceinstancedeletestheconfigurationsontheserviceinstance,aswellasthe


associatedservicebindings.Youmustbindanyapplicationsboundtothedeletedserviceinstancetoanewserviceinstance.


ConfigureIdentityProvidersThistopicdescribeshowPivotalCloudFoundry(PCF)administratorsconfigureaSingleSign-On(SSO)serviceplantomanageuseraccesstoPCFapps,foruserswithaccountsintheinternaluserstoreorwithexternalidentityproviders.

ConfigureInternalUserStore1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.

FindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.

2. ClicktheplannameandselectManageIdentityProvidersfromthedrop-downmenu.

3. ClickInternalUserStoreandselectEditProviderfromthedrop-downmenu.

4. (Optional)UnderAuthenticationPolicyselectoneofthefollowing:

DisableInternalAuthentication:Thisoptionpreventsauthenticationagainsttheinternaluserstore.Youmusthaveatleastoneexternalidentityproviderconfigured.

DisableUserManagement:Thisoptionpreventsallusers,includingadministrators,fromperformingactionsoninternalusers.

5. UnderPasswordPolicySettings,selectUseRecommendedSettings,UseDefaultSettings,orentercustomsettingsinthefieldsbelow.

6. ClickSaveIdentityProvider.

AddInternalUsersFromtheCommandLineYoucanusetheInternalUsersadminpanetosendinvitationstousers,sothattheycanaddthemselvestotheinternaluserstore.Butyoucannotusetheadminpanetoaddusersdirectly.

Tocreatenewinternaluseraccountsdirectly,supplyingtheuser’sname,emailaddressandotherinfo,usetheUAACommandLineInterface(UAAC)asfollows:

1. IfyoudonotalreadyhavetheUAACinstalled,run gem install cf-uaac inaterminalwindow.

2. Createanadminclient thatcanmanageusersintheServicePlan.Includethefollowingscopesfortheclient:

clients.admin

scim.read

scim.write

3. RecordtheAppIDandAppSecret.TheseareusedasyourclientIDandclientsecret.

4. TargettheauthdomainofyourSSOserviceplan.ThisistheURLyouprovidedwhencreatingaServicePlanintheSSOdashboard.

$ uaac target https://YOUR-AUTH-DOMAIN.login.YOUR-SYSTEM-DOMAIN

5. FetchtheAppIDtokenfortheadminclientcreatedabove.

$ uaac token client get ADMIN-CLIENT-IDClient secret:

6. Whenpromptedwith Client secret ,entertheAppSecretadminclientsecretrecordedabove.

7. Addnewusersbyprovidingtheuser’semailaddress,username,andpassword.

Note:TheloginpagedoesnotincludetheEmailandPasswordfieldsifyouselectthisoption.

Note:TheloginpagedoesnotincludeCreateAccountandResetPasswordlinksifyouselectthisoption.


https://docs.pivotal.io/p-identity/1-4/configure-apps/#admin

$ uaac user add --emails [email protected] name: YOUR-USERPassword: ****Verify password: ****user account successfully added

8. (Optional)Youcanalsocreategroupsandadduserstothem.

$ uaac group addGroup name: YOUR-GROUPmetaversion: 0created: 2016-02-19T23:17:17.000Zlastmodified: 2016-02-19T23:17:17.000Zschemas: urn:scim:schemas:core:1.0id: 8725b5fd-8da2-4cfc-89b1-c57048f089c2displayname: YOUR-GROUP

Toaddamembertoyournewgroup,usethefollowingcommand.

$ uaac member add YOUR-GROUP YOUR-USER

DefinePasswordPolicyfortheInternalUserStoreAdministratorscandefinethepasswordpolicyforSSOusersintheinternaluserstore.Thepasswordpolicyenforcesrulesthatrestrictthekindsofpasswordsuserscancreate.



3. ClickInternalUserStoreandselectEditProviderfromthedrop-downmenu.

4. ConfigurethefollowingunderthePasswordComplexitysection:

MinLength:Specifytheminimumpasswordlength.Uppercase:Specifytheminimumnumberofuppercasecharactersrequiredinapassword.Lowercase:Specifytheminimumnumberoflowercasecharactersrequiredinapassword.SpecialCharacters:Specifytheminimumnumberofspecialcharactersrequiredinapassword.Numerals:Specifytheminimumnumberofnumericcharactersrequiredinapassword.

5. ConfigurethefollowingundertheLockoutPolicysection:

FailuresAllowed:Specifythenumberoffailedloginattemptsallowedperhourbeforeauserislockedout.LockoutPeriod:Specifythenumberofsecondsauserislockedoutforafterexcessivefailedloginattempts.PasswordExpires:Specifythenumberofmonthspasswordsarevalidforbeforeusersneedstoenteranewpassword.

6. ClickSaveIdentityProvider.

ConfigureServiceProviderSAMLSettingsForeachplan,theSingleSign-OnserviceallowsyoutoconfigureSAMLsettingswhenSAMLisusedforexchangingauthenticationandauthorizationdatabetweentheidentityproviderandtheserviceprovider.TheSSOserviceprovidestheabilitytosignauthenticationrequestsandrequiresignedassertionsfromtheexternalidentityprovider.



3. ClickConfigureSAMLServiceProvider.

4. Configurethefollowingsettings:


Performsignedauthenticationrequests:Theserviceprovidersignsrequestssenttotheexternalidentityprovider.Requiresignedassertions:Theserviceproviderrequiresthatresponsesfromtheexternalidentityprovideraresigned.

5. ClickSavetosavetheconfigurations.

6. ClickDownloadMetadata.

AddanExternalIdentityProviderSeethefollowingsetsofinstructionsforhowtoconfiguretheSSOservicetouseexternalidentityprovidersthatsupportSAML2.0,OpenIDConnect(OIDC),andLDAP.

AddaSAMLProvider1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin



3. ClickNewIdentityProvider.

4. EnteranIdentityProviderName.

5. Select SAML 2.0 astheIdentityProviderType.

6. EnteraDescription.ThisisdisplayedtoSpaceDeveloperswhentheyselectanidentityproviderfortheirapp.

7. Entertheexternalidentityprovidermetadatainoneofthefollowingways:

Option1:ProvidetheIdentityProviderMetadataURLandclickFetchMetadata.Option2:ClickUploadIdentityProviderMetadatatouploadXMLmetadatathatyoudownloadedfromyourexternalidentityprovider.

8. ConfigureanyUserAttributestopropagatefromtheidentityprovidertotheserviceprovider.Theseattributescanincludeemailaddresses,firstorlastnames,orexternalgroups.TheyaresenttoappsviaOpenIDtokens,alongwithanyotherstoreduserinformationissuedbytheSingleSign-Onservice.

SelectaUserSchemeAttributefromthedrop-downmenu.EnteraSAMLAttributeNamewiththecorrespondingattributefromtheincomingSAMLassertion.

9. ConfigureanyCustomAttributestopropagatefromtheidentityprovidertotheserviceprovider.TheseattributesaresenttoappsviaOpenIDtokensissuedbytheSingleSign-Onservice.

EnteraCustomAttributeName.EnteraSAMLAttributeNamewiththecorrespondingattributefromtheincomingSAMLassertion.

10. (Optional)CheckPersistCustomAttributesifyouwanttoexposecustomuserattributesthroughthe /userinfo endpoint.Yourappmustalsohavethe user_attributes scopeassignedinorderforthecustomattributestoappear.

11. ClickCreateIdentityProvidertosavetheidentityprovider.

AddanOIDCProvider1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin


Note:IfyouchoosetouploadtheIdentityProviderMetadataasanXMLfile,youwillbeunabletousetheFetchMetadataoptiontoupdateyourIdentityProvidermetadatalater.IfmetadatachangesontheIdentityProviderside,youwillhavetomanuallyre-uploadthemasanupdatedXMLfile.

Note:ToconfiguretheserviceproviderSAMLsettings,suchasthesigningofauthenticationrequestsandincomingassertions,clickonConfigureSAMLServiceProviderontheIdentityProviderspage.






6. Select OpenID Connect astheIdentityProviderType.

7. EntertheexternalOpenIDConnect(OIDC)identityprovidermetadatainoneofthefollowingways:

Option1:SelecttheEnableDiscoverycheckbox,providetheDiscoveryEndpointURL,RelyingPartyOAuthClientID,andRelyingPartyOAuthClientSecretandclickFetchScopes.Option2:CleartheEnableDiscoverycheckboxandprovidetheAuthorizationEndpointURL,TokenEndpointURL,TokenKey(URL),RelyingPartyOAuthClientID,andRelyingPartyOAuthClientSecret.

8. SelecttheapplicableScopesfortheOIDCidentityprovider.


SelectaUserSchemeAttributefromthedrop-downmenu.EnteranIDTokenAttributeNamewiththecorrespondingattributefromtheincomingOIDCIDtoken.


EnteraCustomAttributeName.EnteranIDTokenAttributeNamewiththecorrespondingattributefromtheincomingOIDCIDtoken.



AddanLDAPIdentityProviderWhenintegratingwithanexternalidentityproviderforLDAP,authenticationbecomeschained.Anauthenticationattemptwithauser’scredentialsisfirstattemptedagainsttheinternaluserstorebeforetheexternalLDAPidentityprovider.Toavoidusernamecollision,donotbootstraporcreateusersintheUAAdirectly.YoumayonlyhaveoneLDAPexternalidentityproviderperserviceplan.






6. Select LDAP astheIdentityProviderType.YoumayonlyhaveoneLDAPproviderperServicePlan.

7. EntertheexternalLDAPidentityproviderconfigurations:

a. EntertheHostnameandPort.b. SelecttheapplicableSecurityprotocol.c. SelecttheapplicableReferral.d. EntertheUserDNandBindPasswordforyourLDAPserviceaccount.e. UndertheUserssection,entertheSearchBase.f. UndertheUserssection,youmayalsoenterinSearchFilter(Optional).g. UndertheUserssection,youmayselectJustinTimeProvisioning.Ifthisoptionisenabled,userswillbecreatedatlogintime.Ifthisoptionis

notenabled,usersmustbecreatedpriortobeingabletologin.h. UndertheGroupssection,youmayenterinentertheSearchBase(optional)andSearchFilter(optional)inordertoassociateLDAPgroups

withyouruser.Ifyouwishtousethe memberOf attributeonuserobjects,youcanenterinthevalue memberOf astheSearchBaseinsteadof


anLDAPpathforagroupOU,andtheSearchFiltervaluewillbeignored.


SelectaUserSchemeAttributefromthedrop-downmenu.EnteranLDAPAttributeNamewiththecorrespondingattributefromLDAP.


EnteraCustomAttributeName.EnteranLDAPAttributeNamewiththecorrespondingattributefromLDAP.



DeleteanExternalIdentityProvider1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin



3. Clickonthenameofyourexternalidentityprovider.

4. ClickDeleteatthebottomofthepage.

5. Inthepopupthatappears,clickDeleteIdentityProvidertoconfirmthatyouwanttodeletetheidentityprovider,alongwithallofitsconfigurations.

ConfigureGroupWhitelistforanExternalIdentityProviderAnadministratorcanincludegroupsfromanexternalidentityproviderinaGroupWhitelist.ThelistofgroupsinthewhitelistpropagatesintheIDtokenwhenauserauthenticatesthroughanexternalidentityprovider.AnappcanthenretrievefromtheIDtokenthelistofexternalgroupsthattheuserbelongsto.Anadministratorcanusethesegroupstoassignpermissionsbygroupratherthanindividualusers.

Formoredetailsonhowtocreateresourcepermissionmappings,seeCreateorEditResourcePermissions.



3. ClickonthenameofyourexternalidentityproviderandselectGroupWhitelistfromthedrop-downmenu.

4. Addagroupnamefromyourexternalidentityprovider.

5. ClickSaveGroupWhitelist.

Note:Deletinganexternalidentityproviderdeletesallofitsconfigurations.Userswillnolongerbeabletoauthenticateusingtheexternalidentityprovider.Thisactioncannotbeundone.

Note:ForanapptoretrieveaGroupWhitelistcontainingexternalgroups,theappmustrequestthe roles scope,andtheGroupWhitelistmustlisttheexternalgroup.


IdentityProviderDiscoveryThistopicdescribesIdentityProvider(IdP)DiscoveryandhowtoconfigureitforyourPivotalCloudFoundry(PCF)appsthatusetheSingleSign-On(SSO)service.

WhatitDoesIfuserswithdifferentemaildomainsaccessthesamePCFapp,youcanconfigureSSOtoauthenticatethemthroughdifferentidentityproviders.

Inthissituation,IdPDiscoverystreamlinestheloginexperiencebyautomaticallyredirectingtheusertotheirownIdPandshieldingthemfromseeingtheIdPsofotherappusers.

Whenauserlogsintoanapp,anaccountchooserautofillstheiremailaddressfromanypreviouslogin,orpresentsachoiceiftheyhaveloggedinfrommorethanoneaccount.Userscanaddorremoveaccountsfromtheaccountchooser.

ExampleAsanexample,consideranappusedbyacompany @company.com anditscompetingsuppliers @supplier-1.com and @supplier-2.com .WithIdPDiscovery,usersfromallthreecompaniescanloginfromthesamepage,anddonothavetoseeorchoosefromalistofloginoptionsthatcoversallthedomains.IdPDiscoveryascertainseachuser’sIdPfromtheiremaildomain.

EnableIdPDiscoveryIdPDiscoveryisassociatedwithaserviceplan,andconfiguredfortheappsboundtoinstancesofthatplan.ToenableIdPDiscoveryforaserviceplanandtheappsthatuseit,youmustbeaPCFAdministratororaPlanAdministrator.

1. EnableIdPDiscoveryfortheSSOServicePlaninstancethatyourappisboundto:

a. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.

b. ClicktheplannameandselectConfigureundertheplanmenu.c. SelectthecheckboxundertheIdentityProviderDiscoverysectionandclickSave.


2. ClicktheplannameandselectManageIdentityProvidersundertheplanmenu.

3. EntertheEmaildomainsyouwanttoincludeasacomma-separatedlistundertheconfigurationpagefortheidentityproviderplan.

4. InAppsManager,navigatetoyourspace,opentheServicetab,andselectyourserviceinstance.

5. ClicktheManagelinkundertheservicename,andedittheappconfigurationbyselectingtherequiredIdentityProviders.


ManageUsersThistopicdescribeshowaPivotalCloudFoundry(PCF)PlanAdministratorusestheSingleSign-On(SSO)servicetomanageuseraccesstoPCFapps,foruserswithaccountsintheinternaluserstoreorwithexternalidentityproviders.

ManageUsersinanInternalUserStoreTheSSOservicehasanInternalUsersadminpanethatletsyoumanageuseraccountsinPCF’sinternaluserstore:inviteanddeleteusers,requestuserstoresettheirpasswords,andupdateuserattributesandpermissions.

ToopentheInternalUserspane:

1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.FindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.


3. ClickInternalUserStoreandselectInternalUsersfromthedrop-downmenu.Thisbringsyoutotheadminscreen.

FromtheInternalUserspane,youcan:

InviteusersbyclickingInviteUser,enteringtheiremailaddress,andclickingSendInvite.

SearchexistingusersbyenteringavalueintothesearchbarandclickingSearch.Enteringablankvaluereturnsallusersintheserviceplan’sinternaluserstore.


ResendaninvitetoanunverifieduserbyselectingthecheckboxnexttotheirusernameandclickingResendInvite.

AskaverifiedusertoresettheirpasswordbyselectingthecheckboxnexttotheirusernameandclickingResetPassword.

DeleteauserbyselectingthecheckboxnexttotheirusernameandclickingDeleteUser.

Viewinformationaboutauserbyclickingtheirusername.

UpdateauserprofileincludingtheirEmail,FirstName,LastName,andPhoneNumberbyenteringtheupdatedvaluesandclickingSaveUser.

ViewuserpermissionsbyclickingthePermissionstab.

UpdateuserpermissionsbyselectingthecorrespondingpermissionsandclickingSaveUser.

ManageUsersfromanExternalIdentityProviderForeachexternalidentityproviderthattheSSOserviceconnectsto,ausersadminpane(example:OktaSSOUsers)letsyoubrowse,delete,andupdatePCFpermissionsforuseraccountsfromexternalidentityproviders.

Toopentheexternalidentityproviderusersadminpane:



3. ClicktheexternalidentityprovideryouwanttomanageandselecttheUserschoicefortheproviderfromthedrop-downmenu.Thisbringsyoutotheusersadminpane.

Fromtheexternalidentityproviderusersadminpane,youcan:

SearchexistingusersbyenteringavalueintothesearchbarandclickingSearch.Enteringablankvaluereturnsallusersintheserviceplan’sinternal


userstore.

DeleteauserbyselectingthecheckboxnexttotheirusernameandclickingDeleteUser.

Viewinformationaboutauserbyclickingtheirusername.

ViewuserpermissionsbyclickingthePermissionstab.

UpdateuserpermissionsbyselectingthecorrespondingpermissionsandclickingSaveUser.

ManageUserswiththeUAACLI(UAAC)YoumayalsousetheUAACLI(UAAC)tomanageusersfortheSSOservice.Youcanusethisapproachtoprogramaticallycreatenewinternalusersorassigngroups(scopes)toanyuser(whetherinternalorexternal).Theseoperationsrequireadministrativeaccessthroughanadminclientthatmustbeconfiguredbyanadministratorfortheserviceplan.

Note:ClientsandGroupsforSSOshouldbecreateddirectlythroughtheSSOUIorthroughapplicationmanifestbootstrapping.DonotcreatethesethroughUAAC,asadditionalmetadataisrequiredfortheirusagebySSO.


1. InstalltheUAACLI, uaac .

$ gem install cf-uaac

2. Usethe uaac target AUTH-DOMAIN commandtotargetyourserviceplan.AuthDomainsettingyouenteredwhenyoucreatedtheserviceplan.

$ uaac target my-auth-domain.login.example.com

3. RecordtheAppIDandAppSecretfromyouradminclientcreatedusingthestepshere .Youwillneedtogiveyouradminclient scim.read toreaduserinformation.Youcangiveyouradminclienteither scim.write tocreateusersandmodifygroup(scope)membershipsor scim.create toonlycreateusers.

4. Run uaac token client get ADMIN-APP-ID -s ADMIN-APP-SECRET toauthenticateandobtainanaccesstokenfortheadminclientforyourserviceplan.Replace ADMIN-APP-ID withyourAppIDand ADMIN-APP-SECRET withyourAppSecret.UAACstoresthetokenin ~/.uaac.yml .

$ uaac token client get MyAdminAppId -s MyAdminAppSecret

5. Usethe uaac contexts commandtodisplaytheusersandapplicationsauthorizedbyyourserviceplan,andthepermissionsgrantedtoeachuserandapplication.Checkthatyouhavethesufficient scim.write or scim.create permissionsunderthe scope section.

$ uaac contexts

[1]*[admin] client_id: MyAdminAppId access_token: aBcdEfg0hIJKlm123.e token_type: bearer expires_in: 43200 scope: scim.read scim.write jti: 91b3-abcd1233

6. Runthefollowingcommandtocreateanewinternaluser: uaac user add NEW-USERNAME -p NEW-PASSWORD --emails NEW-EMAIL Replace NEW-USERNAME , NEW-PASSWORD ,and NEW-EMAIL withappropriateinformation.

$ uaac user add Adam -p newSecretPassword --emails [email protected]

7. Run uaac member add GROUP USERNAME toaddanygrouptoanyuser(internalorexternal).Replace GROUP and USERNAME withappropriateinformation.

$ uaac member add my-app.my-scope Adam

8. Run uaac member delete GROUP USERNAME todeleteanygroupfromtoanyuser(internalorexternal).Replace GROUP and USERNAME withappropriateinformation.

$ uaac member delete my-app.my-scope Adam


https://docs.pivotal.io/p-identity/1-4/configure-apps/#admin

ConfigureApplicationsThistopicexplainshowPivotalCloudFoundry(PCF)developersconfiguretheirappstousetheSingleSign-On(SSO)service,writeSSOintegrationintotheirapps,andusetheSSOAdminClienttomanageconnectionsbetweenSSOidentityproviders,apps,usersandotherresources.

DetermineYourSSOApplicationTypeBeforeyoubindorregisteranapp,youmustdetermineitsSSOapplicationtypeandthecorrespondingOAuthgranttype.

Ifyourappauthenticatesendusers,itsapplicationtypeisWebApp,NativeMobileApp,orSingle-PageJavaScriptApp.Iftheappdoesnotauthenticateendusers,butratheraccessesotherservicesorAPIsonitsownbehalf,thenitstypeisService-to-ServiceApp.

Seethetablebelowtodetermineyourapp’sSSOApplicationTypeandOAuthGrantType:

ApplicationType SSOApplicationType OAuthGrantType

Web WebApp authorization code

NativeMobile,Desktop,orCommandLine NativeMobileApp password (theresourceowner’spassword)

Single-PageJavaScript Single-PageJavaScriptApp implicit

Service-to-Service Service-to-ServiceApp client_credentials

SetUpPCFAppstoUseSSOToconfigureSSOforanapprunninginternallyonPCF,youfirstneedtodeterminetheSSOapplicationtypeoftheappthatwillusetheSSOservice.

ThenyouconfigureyourSSOservicefortheappusingenvironmentvariablesandbindtheapptoanSSOserviceinstance.Thesestepsaredescribedbelow.

ConfigureSSOPropertiesTheSSOservicereadsitsconfigurationpropertiesfromenvironmentvariablesthataresetintheappsthatuseit.ToenableaPCF-hostedapptobindtoanSSOserviceinstance,youmustsetthefollowingenvironmentvariables:

GRANT_TYPE —thetypeofOAuthauthenticationassociatedwiththeSSOApplicationTypeinthetableabove.

SSO_IDENTITY_PROVIDERS —theinternalorexternalidentityprovider(s)fortheapptouse.

YoucansetadditionalenvironmentvariablestofurtherconfigurehowanappusesSSO,asdescribedbelow.Mostoftheseenvironmentvariablesareprefixedwith SSO_ .

TherearetwowaystosettheSSOconfigurationpropertiesforanapp:

Settheenvironmentvariablesmanuallyafteryoudeploytheapp,inAppsManagerorwiththeCloudFoundryCommand-LineInterface(cfCLI).

Includetheconfigsettingsintheapplicationmanifest,sothatPCFbootstrapsthemautomaticallywhenitdeploystheapp.

ManuallyConfigureAppsforSSOForappsalreadydeployedtoPCF,youcansettheir GRANT_TYPE , SSO_IDENTITY_PROVIDERS ,andotherSSOconfigurationenvironmentvariableswiththe cf set-env command,orinAppsManagerasfollows:

Note:TheNativeMobileAppapplicationtypeisintendedonlyforhighly-trustedappssuchascompany-ownedandmanagedapps.

Note:Theseconfigurationsareonlyappliedwhenbindingtotheserviceinstance.A cf push oftheappdoesnotupdatetheconfigurations.Toupdatetheseconfigurations,manuallyupdatethemusingtheSSOdashboardorunbindandrebindtheserviceinstance.IntheSSOsampleapplications ,themanifestbindstheapptoaserviceinstanceontheinitialpushusingthemanifestvalue

services: - sample-instance

.


https://github.com/pivotal-cf/identity-sample-apps

http://cli.cloudfoundry.org/en-US/cf/set-env.html

1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN .

2. Navigatetoyourapp.

3. ClicktheEnvVariablestab.

4. ClickAddanEnvVariable.

5. ForVariableNameenterthenameoftheSSOconfigurationpropertythatyouaresetting,suchas GRANT_TYPE .

6. ForValue,enterthepropertyvalue.Forexample,tosetthe GRANT_TYPE propertyforaSingle-PageJavaScriptApp,enter implicit ,whichistheOAuthGrantTypelistedforyourSSOapplicationtypeabove.

7. Bindandrestageyourapp.

BootstrapSSOConfigurationInSSOv1.4.0andlater,youcanincludeSSOconfigurationpropertiesinyourapplicationmanifest,toautomaticallybootstrapthevalueswhenyoubindorrebindtheapptoanSSOserviceinstance.

ThevaluesfromthemanifestautomaticallysavetotheenvironmentvariablesthatconfigureyourappforSSO.BootstrappingSSOconfigurationvaluesfromthemanifesteliminatestheneedtosetenvironmentvariablesafteryoudeployyourapp.

Thissnippetbelowshowshowtoinclude GRANT_TYPE SSO_IDENTITY_PROVIDERS inyourmanifest.

---applications: - name: APPLICATION NAME env: GRANT_TYPE: password SSO_IDENTITY_PROVIDERS: uaa, sample-identity-provider

The GRANT_TYPE propertydefaultsto authorization_code ,forWebAppapplicationtype. SSO_IDENTITY_PROVIDERS defaultsto uaa ,forthePCFinternaluserstore.

Ifyouspecifyyourownscopesandauthorities,considerincludingthefollowingvaluesinyour SSO_SCOPES or SSO_AUTHORITIES propertylist.Thesevaluesarenotaddedyouruser-providedlistbydefault:

openid —forappswith authorization code , password ,and implicit granttype

uaa.resource —forappswith client_credentials granttype

ThetablebelowlistsallSSOpropertiesthatyoucansetinyourapplicationmanifesttobootstrapthevaluesintoyourapp’sSSOclientconfiguration.

AfteranappdeployswithbootstrappedSSOconfigurationvalues,itisreadytobindtoanSSOserviceinstance.

SSOConfigurationPropertiesThetablebelowprovidesdescriptionsanddefaultvaluesforenvironmentvariablesthatappsusetoconfigureSSO.SeetheSSOsampleapplications

fordetails,andthe manifest.yml filesinthesamerepoforexamplesofbootstrappingthesevalues.

PropertyName Description Default

name Nameoftheapp(N/A-RequiredValue)

GRANT_TYPE

AllowedgranttypefortheappthroughtheSSOservice.OnlyonegranttypeperappissupportedbySSO. authorization_code

Note:Theseconfigurationsareonlyappliedwhenbindingtotheserviceinstance.A cf push oftheappdoesnotupdatetheconfigurations.Toupdatetheseconfigurations,manuallyupdatethemusingtheSSOdashboardorunbindandrebindtheserviceinstance.IntheSSOsampleapplications ,themanifestbindstheapptoaserviceinstanceontheinitialpushusingthemanifestvalue

services: - sample-instance

.




SSO_IDENTITY_PROVIDERS

AllowedidentityprovidersfortheappthroughtheSSOserviceplan.Thisisacomma-separatedlistofidentityprovideroriginkeys.Theoriginkeysarederivedfromtheidentityprovidernameusingthefollowingrules:

Uppercaselettersareconvertedtolowercaseletters.

Spacesareconvertedtohyphens.

Periodsareconvertedtohyphens.

Forexample,ifyouridentityprovidernameis example.com Provider ,thecorrespondingoriginkeyisexample-com-provider .

uaa

SSO_REDIRECT_URIS

Comma-separatedwhitelistofredirectionURIsallowedfortheapp.Eachvaluemuststartwith http:// orhttps:// .

(Alwaysincludestheapproute)

SSO_SCOPES

Comma-separatedlistofscopesthatbelongtotheappandareregisteredasclientscopeswiththeSSOservice.Thisvalueisignoredforclientcredentialgranttypeapps.

openid

SSO_AUTO_APPROVED_SCOPES

Comma-separatedlistofscopesthattheappisautomaticallyauthorizedwhenactingonbehalfofusersthroughSSOservice.

(Defaultstoexistingscopes/authorities)

SSO_AUTHORITIES

Comma-separatedlistofauthoritiesthatbelongtotheappandareregisteredasclientauthoritieswiththeSSOservice.Privilegedidentityzone/planadministratorscopes,suchas scim.read , idps.write cannotbebootstrappedandmustbeassignedbyzone/planadministrators.Thisvalueisignoredforanygranttypeotherthanclientcredentials.

uaa.resource

SSO_REQUIRED_USER_GROUPS

Comma-separatedlistofgroupsausermusthaveinordertoauthenticatesuccessfullyfortheapp. (Novalue)

SSO_ACCESS_TOKEN_LIFETIME

LifetimeinsecondsfortheaccesstokenissuedtotheappbytheSSOservice. 43200

SSO_REFRESH_TOKEN_LIFETIME

LifetimeinsecondsfortherefreshtokenissuedtotheappbytheSSOservice.2592000(notusedforclientcredentials)

SSO_RESOURCES

Resourcesthattheappwilluseasscopes/authoritiesfortheSSOservicetobecreatedduringbootstrappingiftheydonotalreadyexist.Theinputformatcanbereferencedintheprovidedsamplemanifest.Notethatcurrentlyallpermissionswithinthesametoplevelpermission,suchas todo.read and todo.write ,mustbespecifiedinthesameapplicationmanifest.Currentlyyoucannotspecifyadditionalpermissionsinthesametoplevelpermission,suchas todo.admin ,inadditionalapplicationmanifests.

(Novalue)

SSO_ICON

AppiconthatwillbedisplayednexttotheappnameonthePivotalAccountdashboardifshowonhomepageisenabled.Donotexceed64kb.

(Novalue)

SSO_LAUNCH_URL

ApplaunchURLthatwillbeusedfortheapponthePivotalAccountdashboardifshowonhomepageisenabled. (Applicationroute)

SSO_SHOW_ON_HOME_PAGE

Ifsettotrue,theappwillappearonthePivotalAccountdashboardwiththecorrespondingiconandlaunchURL. True

PropertyName Description Default

Additionalinformationandmanifestexamplesareavailableontheidentitysampleapps .

RemoveSSOConfigurationProperties

YoucanremoveSSOconfigurationpropertiesforanapp,oranyenvironmentvariablessetthrough cf set-env ,AppsManager,orbootstrappingasfollows:

1. Run cf unset-env APP_NAME PROPERTY_NAME .

2. Rebindtheapp.

BindaPCFApp



AfteraPCFappisconfiguredforSSO,youcanbindittoanSSOserviceinstanceasfollows:

1. LogintoAppsManagerasaSpaceDeveloper.

2. Selectthespacewhereyourappruns.

3. UnderApplications,clickthenameofyourapp.

4. ClicktheServicestab.

5. ClickBindaService.

6. BindyourapptoaservicetocreateanassociatedOAuthClient.

a. SelectanexistingSSOserviceinstancefromthedrop-downmenuandclickBind.b. Createanewserviceinstance:

i. ClickoraddfromMarketplace.ii. SelecttheSingleSign-OnserviceunderServicesMarketplace.iii. SelectaServicePlan,thenclickSelectthisplan.iv. EnteranInstanceName,selectaspace,selectanapp,thenclickAdd.

7. ClickManageundertheSSOserviceinstancetolaunchtheSSOdashboard.

8. Clickyourapp.

9. SpecifyavalueintheAppLaunchURLfieldthatyouwanttosetastheaddressofyourapp.

10. Uploadanappiconforyourapp.

11. ClickShowonhomepagetodisplaytheappontheUAAorPivotalAccounthomepage.

12. SelectoneormoreIdentityProvidersforyourapp.InternalUserStoreisthedefault.

13. IfyourApplicationTypeis Web App or Single-Page JavaScript App ,enterawhitelistofAuthRedirectURIsbeneathRedirectURIs.TheredirectqueryparameterspecifiedontheOAuthrequestmustmatchtheURIsspecifiedinthislist.Otherwise,SSOrejectstherequest.

14. FortheScopesfield,specifythepermissionsthattheappcanrequestontheuser’sbehalf.Thisfielddefaultsto openid forWeb,NativeMobile,andSingle-PageJavaScriptApps.Thisfielddefaultsto uaa.resource forService-to-ServiceApps.Ifthisappispurelyforauthenticationpurposes,thenthe

openid scopeissufficient.IftheappmakesAPIcallsonbehalfoftheenduser,specifyboththescopesenforcedbytheAPIandthescopestoberequestedbytheapp.

Scope Description

openid ProvidesaccesstomakeOpenIDConnectrequests

user_attributes Providesaccesstocustomattributesfromanexternalidentityprovider

roles Providesaccesstoexternalgroupsfromanidentityprovider

uaa.resource Providesaccesstothecheck_tokenendpointforservice-to-serviceflows

1. ForAuto-ApprovedScopes,selectanyscopesthattheSSOserviceautomaticallyapproveswhentheappmakesarequestonbehalfofauser.Selectonlyscopespertainingtoappsownedandmanagedbyyourcompany.DonotselectscopesthatpertaintoappsexternaltoPCF.

2. ClickSaveConfig.TheNextStepspageappears,describingtheendpointsrequiredforappintegration.Formoreinformation,seeIntegrateSSOwithAppsbelow.

Note:Ifyouwouldlikeapptodisplayonthehomepage,youmustenteranAppLaunchURLoruploadanappicon.

Note:WhenbindingaPCFapp,aSpaceDevelopercanchoosefrominternalandexternalidentityproviders.IftheSpaceDeveloperselectsmultipleidentityproviders,usersmustselectwhichprovidertousewhentheysignin.Thisoptionisavailableforallapplicationtypesexcept Service-to-Service App .

Note:UnderScopes,youcanselectresourcesdefinedinanyspaceiftheapplicationtypeisa WebApp

, Native MobileApp

,or

Single-Page JavaScriptApp

.Iftheapplicationtypeisa Service-to-ServiceApp

,youcanonlyselectresourcesdefinedwithinthespace.


ManageAppConfigurationsviaSSODashboardTheSSOdashboardallowsapplicationdeveloperstoviewtheappconfigurationsandresourcesavailablewithintheirspace.Toaccessthedashboard,firstyoumustcreateaserviceinstanceforyourSpace.ThenyoucanfollowthestepsbelowtomanageyourapplicationconfigurationsviatheSSOdashboard.


2. Selectthespacewhereyourserviceinstanceislocated.

3. UnderServices,clickManagenexttotheSSOserviceinstance.ThislaunchestheSSOdashboard.

RegisteranExternalApp1. DeterminethetypeoftheappthatwillusetheSSOservice.



4. UnderServices,clickManagenexttotheSSOserviceinstance.ThislaunchestheSSOdashboard.

5. ClickNewApp.

6. EnteranAppName.

7. ChooseanapptypeunderSelectanApplicationType.

8. EnteranAppLaunchURLthatspecifiestheaddressofyourapp.

9. Uploadanappiconforyourapp.

10. ClickShowonhomepagetodisplaytheappontheUAAorPivotalAccounthomepage.

11. SelectoneormoreIdentityProvidersforyourapp.InternalUserStoreisthedefault.

12. IfyourApplicationTypeis Web App or Single-Page JavaScript App ,enterawhitelistofAuthRedirectURIsbeneathRedirectURIs.TheredirectqueryparameterspecifiedontheOAuthrequestmustmatchtheURIsspecifiedinthislist.Otherwise,SSOrejectstherequest.

13. FortheScopesfield,specifythepermissionsthattheappcanrequestontheuser’sbehalf.Thisfielddefaultsto openid forWeb,NativeMobile,andSingle-PageJavaScriptApps.Thisfielddefaultsto uaa.resource forService-to-ServiceApps.Ifthisappispurelyforauthenticationpurposes,thenthe

openid scopeissufficient.IftheappmakesAPIcallsonbehalfoftheenduser,youmustspecifyboththescopesenforcedbytheAPIandthescopestoberequestedbytheapp.

Scope Description

openid ProvidesaccesstomakeOpenIDConnectrequests

user_attributes Providesaccesstocustomattributesfromanexternalidentityprovider

roles Providesaccesstoexternalgroupsfromanidentityprovider

uaa.resource Providesaccesstocheck_tokenendpointforservice-to-serviceflows

Note:Todisplaytheapponthehomepage,youmustenteranAppLaunchURLorUploadanappicon.

Note:Whenregisteringanexternally-hostedapp,aSpaceDevelopercanchoosefrominternalandexternalidentityproviders.IftheSpaceDeveloperselectsmultipleidentityproviders,usersmustselectwhichprovidertousewhentheysignin.Thisoptionisavailableforallapplicationtypesexcept Service-to-Service App .

Note:Addthe user_attributes scopetotheclientscopestoreturnuserattributesfromtheIDtoken.

Note:UnderScopes,youcanselectresourcesdefinedinanyspaceiftheapplicationtypeisa Web App , Native Mobile App ,or Single-Page

JavaScript App .Iftheapplicationtypeisa Service-to-Service App ,youcanonlyselectresourcesdefinedwithinthespace.


14. ForAuto-ApprovedScopes,selectanyscopesthattheSSOserviceautomaticallyapproveswhentheappmakesarequestonbehalfofauser.Selectonlyscopespertainingtoappsownedandmanagedbyyourcompany.DonotselectscopesthatpertaintoappsexternaltoPCF.

15. ClickCreateApp.TheNextStepspageappears,describingtheendpointsrequiredforappintegration.Formoreinformation,seeIntegrateSSOwithApplicationsbelow.

IntegrateSSOwithanAppBecauseSSOserviceisbasedontheOAuthprotocol,anyappthatusesSSOmustbeOAuth-aware.

JavaAppsIfyouareusingJava,seeSingleSign-OnServiceSampleApplications .ThesearesampleappscreatedusingSpringBoot forallfourapplicationtypes.TheseappsusetheSSOServiceConnector,whichauto-configurestheappforOAuth.AfterbindingtheapptoanSSOserviceinstance,youmustrestarttheappforthenewSSOconfigurationtotakeeffect.

Non-JavaAppsToconfigurenon-JavaappsforOAuth,supplythefollowingpropertiesasenvironmentvariablestoyourappaftertheSSOservicebind.YoucanviewthisinformationontheNextStepspageoftheSSOdashboard.

AppID,alsoknownasOAuthClientID

AppSecret,alsoknownasOAuthClientSecret

OAuthAuthorizationURL,theendpointforclientauthorization

OAuthTokenURL,theendpointfortokenretrieval

Tovalidatethetoken,youmustverifythefollowing:

1. ThetokenisaproperlysignedJSONWebTokenwithanappropriatepublickey.ThekeycanbedownloadedfromtheTokenVerificationKeyendpointspecifiedontheNextStepspage.

2. Thevalueof aud inthetokenmatchesyourAppID.

3. Thevalueof iss matches https://AUTH-DOMAIN.uaa.YOUR-SYSTEM-DOMAIN/oauth/token .

4. Theexpirytimeofthetoken, exp ,hasnotpassed.

CreateAdminClientYoucancreateanadminclienttoperformadministrativefunctions,suchasmanageidentityproviders,apps,users,groups,andresourcesinaspecificzonewhereyoucreatetheclient.

Youmustbeatleastaplanadministratortoperformthesesteps.

Createanadminclientasfollows:

1. LogintoAppsManager.

2. Selectthespacewhereyourserviceinstanceislocated.Thisspecifiesthezoneyoumanageasanadminclient.

3. UnderServices,clicktheSingleSign-Onservice.

4. ClickManagenexttoyourSSOserviceinstancetolaunchtheSSOdashboard.

5. ClickNewApp.

6. EnteranAppName.

7. UnderSelectanApplicationType,selectService-to-ServiceApp.



https://projects.spring.io/spring-boot/

8. ClickSelectScopesandchoosewhatactionstheadminclientcanperformfromthefollowingAdminPermissions:

Scope Description

clients.admin Providessuperuseraccesstocreate,modify,anddeleteclients

clients.read Providesaccesstoreadinformationaboutclients

clients.write Providesaccesstocreateandmodifyclients

scim.create Providesaccesstocreateusers

scim.read Providesaccesstoreadinformationaboutusersandgroupmemberships

scim.write Providesaccesstocreate,modify,anddeleteusersandgroupmemberships

idps.read Providesaccesstoreadinformationaboutidentityproviders

idps.write Providesaccesstocreate,modify,anddeleteidentityproviders

9. ClickCreateApp.

DeleteAppthatUsesSSODeleteaPCFapporanexternalappthatusesSSOasfollows:

DeleteaPCFAppTodeleteanapphostedonPCF:


2. Selectthespacewhereyourappislocated.

3. UnderApplications,clickthenameofyourapp.

4. OntheApplicationpage,clickDeleteApp.

5. Onthepopup,clickDeletetoconfirmthatyouwanttodeletetheappanditsconfigurationsfromAppsManagerandtheservicedashboard.

DeleteanExternalAppTodeleteanexternalappthatusesSSO:



3. UnderServices,clickManagenexttoyourSSOserviceinstancetolaunchtheSSOdashboard.

4. Clickyourapp.


6. Onthepopup,clickDeleteApptoconfirmthatyouwanttodeletetheappanditsconfigurations.

Note:DeletinganexternallyhostedappinPCFremovestheappanditsconfigurationsfromtheSSOdashboard.However,itstillexistsonyourhostedplatform.


WebAppThistopicdescribestheOAuth2.0AuthorizationCodegranttypesupportedbyPivotalSingleSign-On(SSO).Theauthorizationcodegranttypeisthemostcommonlyusedgranttype.Thisgranttypeisforserver-sideapplications.

OAuth2.0RolesResourceOwner:Apersonorsystemcapableofgrantingaccesstoaprotectedresource.

Application:Aclientthatmakesprotectedrequestsusingtheauthorizationoftheresourceowner.

AuthorizationServer:TheSingleSign-Onserverthatissuesaccesstokenstoclientapplicationsaftersuccessfullyauthenticatingtheresourceowner.

ResourceServer:Theserverthathostsprotectedresourcesandacceptsandrespondstoprotectedresourcerequestsusingaccesstokens.ApplicationsaccesstheserverthroughAPIs.

AuthorizationCodeFlow

1. AccessApplication:Theuseraccessestheapplicationandtriggersauthenticationandauthorization.

2. AuthenticationandRequestAuthorization:Theapplicationpromptstheuserfortheirusernameandpassword.Thefirsttimetheusergoesthroughthisflowfortheapplication,theuserseesanapprovalpage.Onthispage,theusercanchoosepermissionstoauthorizetheapplicationtoaccessresourcesontheirbehalf.

3. AuthenticationandGrantAuthorization:Theauthorizationserverreceivestheauthenticationandauthorizationgrant.

4. SendAuthenticationCode:Aftertheuserauthorizestheapplication,theauthorizationserversendsanauthorizationcodetotheapplication.

5. RequestCodeExchangeforToken:Theapplicationreceivestheauthorizationcodeandrequestsanaccesstokenfromtheauthorizationserver.Thisgivestheapplicationaccesstotheapprovedpermissions.

6. IssueAccessToken:Theauthorizationservervalidatestheauthorizationcodeandissuesanaccesstoken.

7. RequestResourcew/AccessToken:Theapplicationattemptstoaccesstheresourcefromtheresourceserverbypresentingtheaccesstoken.

8. ReturnResource:Iftheaccesstokenisvalid,theresourceserverreturnstheresourcesthattheuserauthorizedtheapplicationtoreceive.

TheresourceserverrunsinPCFunderagivenspaceandorganization.DeveloperssetthepermissionsfortheresourceserverAPIendpoints.Todothis,theycreateresourcesthatcorrespondtoAPIendpointssecuredbytheSingleSign-Onservice.Applicationscanthenaccesstheseresourcesonbehalfofusers.



NativeMobileAppForNativeMobileandDesktopapplications,PivotalSingleSign-On(SSO)supportstheResourceOwnerPasswordOAuth2.0granttype.Thispasswordgranttypeisforhighlytrustedapplicationswhereresourceownerssharetheircredentialsdirectlywiththeapplication.

OAuth2.0RolesThefollowingrolesareavailableinanOAuth2.0scenario:

ResourceOwner:Apersonorsystemcapableofgrantingaccesstoaprotectedresource.




NativeMobileAppFlowThefollowingdiagramshowstheauthenticationflowusedbymobileapps.Inthisscenario,theapplicationisbackedbyaresourceserverandbotharesecuredbytheUAAauthorizationserver.

1. Authenticatew/UsernameandPassword:Theuserauthenticateswiththeapplicationusingtheirusernameandpassword.

2. SendUsername/Password:Theapplicationsendstheusernameandpasswordtotheauthorizationserverforvalidation.

3. IssueAccessToken:Theauthorizationservervalidatestheusernameandpasswordandissuesanaccesstoken.





Single-PageJavascriptAppThistopicdescribestheOAuth2.0implicitgranttypesupportedbyPivotalSingleSign-On(SSO).Theimplicitgranttypeisforapplicationswithaclientsecretthatisnotguaranteedtobeconfidential.

OAuth2.0RolesResourceOwner:Apersonorsystemcapableofgrantingaccesstoaprotectedresource.




ImplicitFlow

1. AccessApplication:Theuseraccessestheapplicationandtriggersauthenticationandauthorization.

2. AuthenticationandRequestAuthorization:Theapplicationpromptstheuserfortheirusernameandpassword.Thefirsttimetheusergoesthroughthisflowfortheapplication,theuserseesanapprovalpage.Onthispage,theusercanchoosepermissionstoauthorizetheapplicationtoaccessresourcesontheirbehalf.

3. AuthenticationandGrantAuthorization:Theauthorizationserverreceivestheauthenticationandauthorizationgrant.

4. IssueAccessToken:TheauthorizationservervalidatestheauthorizationcodeandreturnsanaccesstokenwiththeredirectURL.

5. RequestResourcew/AccessTokenin:TheapplicationattemptstoaccesstheresourcefromtheresourceserverbypresentingtheaccesstokenintheURL.




Service-to-ServiceAppForService-to-Serviceapplications,PivotalSingleSign-On(SSO)supportstheClientCredentialsOAuth2.0granttype.Theclientcredentialsgranttypeisforapplicationsthatcanrequestanaccesstokenandaccessresourcesonitsown.ThisisoftenthecasewhenthereareservicesthatcallAPIswithoutusers.

OAuth2.0ActorsApplication:Aclientthatmakesprotectedrequestsusingtheauthorizationoftheresourceowner.



ClientCredentialsFlow

1. Authenticatew/ClientIDandSecret:TheapplicationauthenticateswiththeauthorizationserverusingitsclientIDandclientsecret.

2. IssueAccessToken:TheauthorizationservervalidatestheclientIDandclientsecretandissuesanaccesstoken.


4. ReturnResource:Iftheaccesstokenisvalid,theresourceserverreturnstheresourcestotheapplication.

TheresourceserverrunsinPCFunderagivenspaceandorganization.DeveloperssetthepermissionsfortheresourceserverAPIendpoints.Todothis,theycreateresourcesthatcorrespondtoAPIendpointssecuredbytheSingleSign-Onservice.Administratorscancreateadminclientstoperformautomatedmanagementactionswithoutauser.SeeCreateAdminClient.


ManageResourcesThistopicdescribeshowaSpaceDeveloperdefinesresourcesrequiredbyanappboundtoaSingleSign-On(SSO)serviceinstanceandhowanadministratorgrantsresourcepermissions.

Inthistopic,resourcesaretheAPIendpointsthatusersandappsneedtoretrieveinformationfromaresourceserver.Afteranadministratorcreatesresources,theyassigntheresourcestousersandapps.Userscanthengrantappsaccesstotheresources,forexampletoqueryAPIendpointsontheirbehalf.

Becausedevelopersknowwhatendpointsexistfortheirapps,theyareresponsibleforcreatingresources.

CreateorEditResourcesIfanapprequiresaccesstospecificresourcessuchasAPIendpoints,permissionsforthoseresourcesmustbeeitherbootstrappedfromtheapplicationmanifestordefinedbytheSpaceDeveloperintheSSOdashboard.

Tobootstrapresourcesfromthemanifest,followtheinstructionsintheSSOSampleApplicationsrepo .

TocreateresourcesintheSSODashboard:



3. UnderServices,clickManagenexttoyourSSOserviceinstancetolaunchtheSSOdashboard.

4. ClicktheResourcestab.

5. ClickNewResource.

6. EnteraResourceName.

7. CreatePermissionsthattheOAuthclientforyourappneedstoaccessfromtheresourceserver.

a. EnteroneormoreAttributesorActionsforeachpermission.b. EnteraDescriptionforeachpermission.

8. ClickSaveResource.Theadministratormustcreateresourcepermissionssothatuserscanaccesstheresource.Formoreinformation,seeCreateorEditResourcePermissionsbelow.

DeleteResources1. LogintoAppsManagerasaSpaceDeveloper.

2. ClicktheManagelinkundertheSSOserviceinstancetolaunchtheservicedashboard.

3. ClicktheResourcestab.

4. Clicktheresourcetodelete.


6. Onthepopup,clickDeleteResourcetodeletetheresource.

Note:SpaceDeveloperscreateresourceswithinaspace.SpaceDevelopersonlyseetheresourcescreatedinthespacestheyhaveaccesstoandcanonlyassignthosetotheappsinthosespaces.

Note:Deletingaresourceremovesitfromthepermissionmappingsandfromtheapp.Youmustreconfiguretheupdatedpermissionsinbothareas.



CreateorEditResourcePermissionsAfteraSpaceDeveloperdefinesresourcesrequiredbyanapp,anadministratormustgrantaccesstothoseresources.SSOallowsadministratorstomapgroupsofusersfromtheidentityprovidertotheresourcepermissionsdefinedbytheSpaceDeveloper.

Onceresourcepermissionsmappingsareconfigured,whenauserauthenticatesandobtainsatoken,theuser’sgroupmembershipswillautomaticallybemappedintoscopesthataredirectlyincludedinthetoken.



3. ClickthenameoftheexternalidentityprovideryouwanttodefinepermissionsforandselectResourcePermissionsfromthedrop-downmenu.

4. ClickNewPermissionsMapping.

5. EnteraGroupName.

6. ClickSelectPermissionstochoosethepermissionsthatusersinthegroupshouldhaveaccessto.

7. ClickSavePermissionsMapping.

DeleteResourcePermissions1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUserAccountandAuthentication(UAA)administratorcredentials.

YoucanfindthesecredentialsinyourPivotalElasticRuntimetileinOpsManagerundertheCredentialstab.


3. ClickonthenameoftheexternalidentityprovideryouwanttodefinepermissionsforandselectResourcePermissionsfromthedrop-downmenu.

4. Clickthegroupnameoftheresourcepermissionyouwanttodelete.


6. Onthepopup,clickDeletePermissionsMappingtodeletetheresource.

AboutSpaceProtectionforResourcesOAuth2.0providestheconceptofascopeinordertolimittheamountofaccessthatisgrantedtoanaccesstoken.Ascopeistheintersectionofauser’sgroupsandaclient’sscopes.

Forausertogainaccesstoaresource,theymustmeetthefollowingconditions,whichcanonlybesetupbyplanadministrators:

Theusermustbeassignedtheresourceasagroup.Forinformationonhowtodothis,seeManageUsers.

Theusermustaccessanappthathastheresourceassignedasascope.

Appdeveloperscanassignscopestoanyappthatisnotaservice-to-serviceapp.But,onlyplanadministratorscanassignscopestousers.

Whenassigningaresourceasascopeforaservice-to-serviceapp,appdeveloperscanonlyassignresourcestheyhavecreatedwithintheirownspace.Onlyanplanadministratorcanassignascopefromanotherspacetoaservice-to-serviceapp.

Note:GroupswithunsupportedcharactersinPermissionMappingsarenoteditable.

Note:GroupswithunsupportedcharactersinPermissionMappingsarenoteditable.


ActiveDirectoryFederationServicesIntegrationGuideOverviewActiveDirectoryFederationServices(ADFS)isastandards-basedservicethatsecurelysharesidentityinformationbetweenapplications.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenADFSastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).


PrerequisitesTointegrateADFSwithPivotalCloudFoundry(PCF),youneedthefollowing:

Pivotal

PCF,version1.7.0orlater

SingleSign-On,version1.1.0orlater

ActiveDirectoryFederationServices

ActiveDirectoryFederationServicessubscription

AuserwithAdministrativeprivileges

ActiveDirectoryFederationServicesIntegrationGuide

ConfiguringADFSwithSSOCompletebothstepsbelowtointegrateyourdeploymentwithADFSandSSO.

1. ConfigureActiveDirectoryFederationServicesasanIdentityProvider

2. ConfigureaSingleSign-OnServiceProvider

TestingandTroubleshootingTesting

Troubleshooting

Note:ToconfigureSAML,youmusthavetheSingleSign-OnservicebrokerinstalledonyourPCFdeployment.Youneedtocreateaplan,grantanyplanadministrators,andspecifyanyorganizationsthisplanshouldbetheauthenticationauthorityfor.Forhelpconfiguringplans,seetheManageServicePlanstopic.


ConfigureActiveDirectoryFederationServicesasanIdentityProviderThistopicdescribeshowtosetupActiveDirectoryFederationServices(ADFS)asyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andADFS.

SetUpSAMLinPCF1. LogintotheSingleSign-On(SSO)dashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.

2. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.


4. (Optional)SelectPerformsignedauthenticationrequeststoenforceSSOprivatekeysignatureandidentityprovidervalidation.

5. (Optional)SelectRequiresignedassertionstovalidatetheoriginofsignedresponses.

6. ClickDownloadMetadatatodownloadtheserviceprovidermetadata.

7. ClickSave.

SetUpSAMLinActiveDirectoryFederationServices1. OpentheADFSManagementconsole.

2. ClickAddRelyingPartyTrust…intheActionspane.

3. OntheWelcomestep,clickStart.


4. SelectImportdataabouttherelyingpartyfromafile,enterthepathtothedownloadedserviceprovidermetadata,andclickNext.

5. EnteranameforDisplaynameandclickNext.


6. Leavethedefaultmulti-factorauthenticationselectionandclickNext.

7. SelectPermitalluserstoaccessthisrelyingpartyandclickNext.


8. ReviewyoursettingsandclickNext.

9. ClickClosetofinishthewizard.

10. Theclaimruleeditorshouldopenbydefault.Ifitdoesnot,selectyourRelyingPartyTrustandclickEditClaimRules…intheActionspane.

11. Createtwoclaimrulesbyfollowingthesesteps:

a. ClickAddRule.b. SelectSendLDAPAttributesasClaimsforClaimruletemplateandclickNext.

c. EnteraClaimrulename.d. SelectActiveDirectoryforAttributestore.e. SelectE-Mail-AddressesforLDAPAttributeandselectE-mailAddressforOutgoingClaimType.


f. ClickFinish.

g. ClickAddRule.h. SelectTransformanIncomingClaimforClaimruletemplateandclickNext.

i. EnteraClaimrulename.j. SelectE-MailAddressforIncomingclaimtype.k. SelectNameIDforOutgoingclaimtypel. SelectEmailforOutgoingnameIDformat.

m. ClickFinish.


12. Double-clickonthenewRelyingPartyTrusttoopentheproperties.

13. SelecttheEncryptiontabandclickRemovetoremovetheencryptioncertificate.

14. SelecttheAdvancedtabandselecttheSHAalgorithmfortheSecurehashalgorithmthatmatchestheSHAAlgorithmconfiguredforPCFElasticRuntime .


http://docs.pivotal.io/pivotalcf/opsguide/auth-sso.html#configure-saml

15. (Optional)Ifyouareusingaself-signedcertificate,disableCRLchecksbyfollowingthesesteps:

a. OpenWindowsPowershellasanAdministrator.b. Executethefollowingcommand:

> set-ADFSRelyingPartyTrust -TargetName "< Relying Party Trust >" -SigningCertificateRevocationCheck None

16. (Optional)Ifyouareusingaself-signedcertificate,addittotheADFStruststore.ObtaintheOpsManagercertificatefromhttps://OPS_MANAGER_IP/api/v0/security/root_ca_certificate andaddthisCAcertificatetotheADFStruststore,soADFScantrustthe“ServiceProviderKey

Certificate”certificatesignedbyOpsManagerROOTCA.

17. (Optional)TospecifyanyapplicationorgroupattributesthatyouwanttomaptousersintheIDtoken,clickEditClaimRules…andconfigureSendLDAPAttributesasClaims.Formoreinformation,seethenextsection.

SettingUpGroupsinSAMLfromADFS1. Right-clickyourRelyingPartyTrustandselectEditClaimRules….

2. SelectAddRule.

3. SelectSendGroupMembershipasaClaimandclickNext.

Note:PriortoPCFv1.10,steps13and14arerequiredasallPCFcomponents(includingSSOtile)havecertificatesaresignedbyaninternalCA.InPCFv1.10+,customerscanuploadtheirownCAcertificatetoPCF.


4. EntertheClaimrulename.

5. ClickBrowsetoselectyourUser’sgroup.

6. SelectGroupasyourOutgoingclaimtype.

7. SetyourOutgoingclaimvaluetomatchyourgroup’sname.

8. ClickFinish.

9. TosavetheseconfigurationsandusethedefaultSAMLassertionof http://schemas.xmlsoap.org/claims/Group ,clickOK.Ifyouwanttopasstheclaimsassertionasacustomvalue “groups” intheSAMLassertion,continuetotheprocedurebelow.

CreateCustomValue“groups”


1. SelectyournewlycreatedruleandclickEditRule.

2. ClickViewRuleLanguage.

3. CopythetextintheClaimrulelanguagefieldtoanotepadorotherlocation.Youneedthistextforthenextsteps.

4. ExittheEditRulemenu.SelecttheruleyoujustaddedandclickRemoveRule.

5. ClickAddRule.

6. SelectSendClaimsUsingaCustomRule.

7. Pasteinthetextyoupreviouslycopiedinstep3fromtheremovedrule.Editthe Type sothatitonlysays “groups” .


8. ClickOKtofinishmakingyourchangesandsavethechangesyoumade.


ConfigureaSingleSign-OnServiceProviderThistopicdescribeshowtoaddanexternalidentityprovidertoyourPivotalSingleSign-On(SSO)serviceplan.

DownloadIdentityProviderMetadata1. DownloadthemetadatafromyourActiveDirectoryFederationServicesserveratthefollowingURL:

https://YOUR-ADFS-HOSTNAME/federationmetadata/2007-06/federationmetadata.xml

SettingupSAML1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.


3. ClickNewIdentityProvidertocreateanewidentityprovider.

4. Tocreateanewidentityprovider,performthefollowingsteps:

a. EnteranidentityprovidernameinIdentityProviderName.


b. (Optional)EnteradescriptioninIdentityProviderDescription.c. ClickSAMLFileMetadata(optional),thenclickUploadIdentityProviderMetadatatouploadyourmetadataXML.d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.

5. ClickCreateIdentityProvider.

6. ClickResourcePermissions.

7. ClickNewPermissionsMappingandperformthefollowingsteps:

a. EnteraGroupName.b. ForSelectPermissions,selectthepermissionstogranttothemembersofthegroupfromtheexternalidentityprovider.

8. Navigatetotheidentityproviderlist.

9. ClickGroupWhitelistandenterthegroupnamesfromtheexternalidentityproviderthatshouldbepropagatedintheIDtoken.

CreateAttributeMappingsforSAMLGroupsUnderUserAttributes,maptheUserSchemaAttributeof “external_groups” totheAttributeNamevalueof “groups” .IfyoudidnotperformthestepstocustomizetheSAMLassertionvalue,use “http://schemas.xmlsoap.org/claims/Group” astheAttributeNameinstead.

AnattributemappingwithacustomizedSAMLassertionvaluelookslikethis:

Anattributemappingwithanon-customizedSAMLassertionvaluelookslikethis:

GroupsnowshowupfromtheSAMLassertionasclaims.Youcanpullthesevaluesfromtheuser’sstoredcustomattributesusingthe roles scopeontheIDtokenorthroughtheuserinfoendpoint,ormapthesetopermissionsusingResourcePermissionsmappings.Formoreinformation,seetheCreateorEditResourcePermissionssectionofManageResources .


https://docs.pivotal.io/p-identity/1-5/manage-resources.html#create-resource-perm

TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandActiveDirectoryFederationServices(ADFS).Anadministratorcantestbothserviceproviderandidentityproviderconnections.

TestYourServiceProviderConnection1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN andnavigatetotheorganizationandspacewhereyourapplicationislocated.

2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplication.ClickontheserviceinstanceandclickManage.

3. UndertheAppstab,clickyourapplication.


4. UnderIdentityProviders,selecttheADFSidentityprovider.

5. ReturntoAppsManagerandclickontheURLbelowyourapplicationtoberedirectedtotheidentityprovidertoauthenticate.


6. Clickthelink.

7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignin.

8. Theapplicationasksforauthorizationtothenecessaryscopes.ClickAuthorize.


9. TheaccesstokenandIDtokendisplays.


TestYourIdentityProviderConnection

1. SignintoADFS.

Note:SSOdoesnotsupportidentityprovider-initiatedflowintoapplications,butitdoesredirecttheusertotheUserAccountandAuthentication(UAA)pagetoselectapplicationsassignedtotheuser.


2. Navigatetoyourapplicationandclickit.

3. Youareredirectedtothepagethatlistsapplicationsyouhaveaccessto.

TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofADFSaswell.

1. Signintothesampleapplication.InformationabouttheaccessandIDtokendisplays,aswellasthe“Whatdoyouwanttodo?”section.

2. Under“Whatdoyouwanttodo?”,clickLogout.

3. YouareloggedoutandredirectedtotheADFSloginpage.



TroubleshootingThistopicdescribeshowtoresolveerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenActiveDirectoryFederationServicesandPivotalSingleSign-On(SSO).

EventViewer1. NavigatetoAdministrativeTools.

2. LaunchEventViewer.

3. Examineanyerrorsanditsdetailstodiagnoseproblems.


AzureActiveDirectorySAMLIntegrationGuideOverviewThisdocumentationintroduceshowtosetupAzureActiveDirectory(AzureAD)withSecurityAssertionMarkupLanguage(SAML)astheidentityproviderfortheSingleSign-OnservicerunningonPivotalCloudFoundry(PCF).

AzureActiveDirectory(AzureAD)isMicrosoft’smulti-tenantcloudbaseddirectoryandidentitymanagementservice.

ForhowtosetupAzureADwithOpenIDConnect(OIDC),seeAzureActiveDirectoryOIDCIntegrationGuide .

PrerequisitesTointegrateAzureADwithPivotalCloudFoundry®(PCF),youneed:

Pivotal

PCF,version1.7.0orlater.

SingleSign-On,version1.1.0orlater.

AzureActiveDirectory

AzureActiveDirectorysubscription.

Auserwithadminprivileges.

AzureADIntegrationGuide

ConfiguringAzureADwithSSOCompletebothstepsbelowtointegrateyourdeploymentwithAzureADandSSO.

1. ConfigureAzureADasaSAMLIdentityProvider



Troubleshooting



https://docs.pivotal.io/p-identity/1-4/azure-oidc/

ConfigureAzureActiveDirectoryasaSAMLIdentityProviderThistopicdescribeshowtosetupAzureActiveDirectory(AD)asyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry®(PCF)andAzureAD.

SetupSAMLinPCF1. LogintotheSingleSign-On(SSO)dashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.






7. ClickSave.

SetupSAMLinAzureActiveDirectory1. SignintoAzureADat https://manage.windowsazure.com asanadministrator.

2. NavigatetotheapplicationsdashboardbyclickingonyourdirectoryandtheApplicationstab.

3. ClicktheAddbuttontoaddanewapplication.


4. SelectAddanapplicationmyorganizationisdeveloping.

5. EntertheNameandTypefortheapplication.


6. EntertheSign-OnURLandAppIDURIfortheapplication.

7. Clicktheapplicationandconfigurethefollowingproperties:


a. EntertheapplicationName.b. Enterthe AssertionConsumerService Location URL fromyourdownloadedserviceprovidermetadataintoSign-OnURL.Forexample,

https://AUTH-DOMAIN/saml/SSO/alias/AUTH-DOMAIN .c. ConfiguretheapplicationLogo,ApplicationisMulti-TenantandUserAssignmentRequiredtoAccessAppproperties.d. Enteryour Auth Domain URL intoAppIDURI.e. Enterthe AssertionConsumerService Location URL fromyourdownloadedserviceprovidermetadataintoReplyURL.


8. ClicktheSavebutton.


9. ClickViewEndpointsanddownloadtheFederationMetadataDocument.

SetupClaimsMapping1. Toenableuserattributemappings,granttheapplicationthefollowingpermissionstoWindowsAzureActiveDirectory:

a. Readdirectorydata.b. Readallgroups.c. Readallusers’fullprofilesorReadallusers’basicprofiles.


2. Topassgroupmembershipclaimstotheapplication,performthefollowingsteps:

a. ClickManageManifest.b. ClickDownloadManifestfollowedbyDownloadmanifest.c. Locate groupMembershipClaims andsetthevaluetoeither:

SecurityGroup -Groupsclaimwillcontainidentifiersofallsecuritygroupsofwhichtheuserisamember.All -Groupsclaimwillcontaintheidentifiersofallsecuritygroupsanddistributionlistsofwhichtheuserisamember.

d. ClickManageManifest.e. ClickUploadManifestandselectthemodifiedmanifest.







a. EnteranidentityprovidernameintoIdentityProviderName.b. (Optional)EnteradescriptionintoIdentityProviderDescription.c. ClickSAMLFileMetadata(optional)follwedbyclickingtheUploadIdentityProviderMetadatabuttontouploadyourmetadataXML.

Note:TheSingleSign-OndoesnotsupportDOSfileformatimports.Convertthefileinoneofthefollowingways:

Option1:Execute dos2unix onthemetadatafile.


d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.


ConfigureGroupPermissions1. AddgroupstobepropagatedfromtheexternalidentityprovidertotheIDtokenbyfollowingthesesteps:

a. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.b. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.c. ClickGroupWhitelistnexttoyouridentityprovider.d. Enterthegroupnames.e. ClickSaveGroupWhitelist.

2. MapthegroupstoresourcesdefinedintheSSOservicebyfollowingthesesteps:

a. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN asaPlanAdministrator.b. SelectyourplanandclickManageIdentityProvidersonthedrop-downmenu.c. ClickResourcePermissions.d. ClickNewPermissionsMappingandperformthefollowingsteps:

i. EnteraGroupName.ii. ForSelectPermissions,selectthepermissionsthatthemembersofthegroupfromtheexternalidentityprovidershouldhaveaccessto.iii. ClickSavePermissionsMapping.

Option2:CreateaUnixfile,thencopyandpastethecontentsfromthedownloadedmetadatafiletothenewlycreatedfile.


TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandAzureActiveDirectory.Anadministratorcantestbothserviceproviderandidentityproviderconnections.





4. UnderIdentityProviders,selecttheAzureADidentityprovider.



6. Clickthelink.

7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignIn.






1. SignintoAzureAD.





TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofAzureADaswell.



3. YouareloggedoutandredirectedtotheAzureADloginpage.



TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenAzureActiveDirectoryandPivotalSingleSign-On(SSO).

AppIDNotFound

Symptom:

Explanations:TheAppIDURIismisconfiguredonAzureAD.

ReplyURLDoesNotMatch

Symptom:

Explanation:TheReplyURLismisconfiguredonAzureAD.

MissingNameID


Symptom:

Explanation:Theidentityprovidermetadatahasthe RoleDescriptor elementsorismissingconfigurationsforNameID.SeeConfigureIdentityProviderMetadata.


CASingleSign-OnIntegrationGuideOverviewCASingleSign-On(formallyknownasCASiteMinder)isaWebAccessManagementsystemthatsupportsadvancedauthentication,risk-basedsecuritypolicies,andfederatedidentities.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenCASingleSign-OnastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).


PrerequisitesTointegrateCASingleSign-OnwithPivotalCloudFoundry(PCF),youneedthefollowing:

Pivotal

PCF,version1.7.0orlater

SingleSign-On,version1.1.0orlater

CASingleSign-On

CASingleSign-On12.52

ASignedCertificatebyaCertificateAuthority

CASingleSign-OnIntegrationGuide

ConfiguringCASingleSign-OnwithSSOCompletebothstepsbelowtointegrateyourdeploymentwithCASingleSign-OnandSSO.

1. ConfigureCASingleSign-OnasanIdentityProvider



Troubleshooting

Note:ToconfigureSAML,youmusthavetheSingleSign-OnservicebrokerinstalledonyourPCFdeployment.Youneedtocreateaplan,grantanyplanadministrators,andspecifyanyorganizationsthisplanshouldbetheauthenticationauthorityfor.Forhelpconfiguringplans,seetheManageServicePlanstopic..


ConfigureCASingleSign-OnasanIdentityProviderThistopicdescribeshowtosetupCASingleSign-OnasyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andCASingleSign-On.







7. ClickSave.

SetupSAMLinCASingleSign-On1. SigninasaCASingleSign-Onadministrator.

2. ClicktheFederationtab.

3. ClickontheEntitieslink.

4. ClicktheCreateEntitybuttonandperformthefollowingsteps:

a. SelectLocalforEntityLocation.b. SelectSAML2IDPforNewEntityType.


c. ClicktheNextbutton.

5. IntheEntitiessection,performthefollowingsteps:

a. EnteranEntityID.b. EnteranEntityName.c. EnteraDescription.d. Enterthefully-qualifieddomainnameforyourCASingleSign-OnastheBaseURL.e. SelectorimportaSigningPrivateKeyAlias.f. SelectaNameIDformat.g. ClicktheNextbutton.

6. ConfirmtheEntityDetailsandclicktheFinishbutton.

7. ClicktheFederationtab.

8. ClickontheEntitieslink.

9. ClicktheImportMetadatabuttonandperformthefollowingsteps:

a. ClickBrowseandselectthedownloadedmetadataforMetadatafile.b. SelectRemoteEntityforImportAs.c. SelectCreateNewforOperation.d. ClicktheNextbutton.

10. IntheSelectEntityDefinedinMetadataFilesection,performthefollowingsteps:

a. EnteranEntityName.b. ClicktheNextbutton.

11. IntheSelectKeyEntriestoImportsection,performthefollowingsteps:

a. EnteranAlias.b. ClicktheNextbutton.

12. ConfirmtheEntityDetailsandclicktheFinishbutton.

13. ClickontheFederationtab.

14. ClickCreatePartnershipandselectSAML2IDP->SP.

15. IntheConfigurePartnershipsection,performthefollowingsteps:


a. EnteraPartnershipName.b. EnteraDescription.c. SelectapreviouslycreatedlocalentityforLocalIDP.d. SelectapreviouslycreatedremoteentityforRemoteSP.e. EnteraSkewTime.f. AddanyUserDirectories.g. ClicktheNextbutton.

16. ConfigureFederationUsersbyaddingtheusersyouwanttoincludeinthepartnershipandclickNext.

17. IntheAssertionConfigurationsection,performthefollowingsteps:

a. SelectaNameIDFormat.b. SelectUserAttributeastheNameIDType.c. Enter mail astheValue.d. (Optional)UnderAssertionAttributes,specifyanyapplicationorgroupattributesthatyouwanttomaptousersintheIDtoken.

e. ClicktheNextbutton.

18. IntheSSOandSLOsection,performthefollowingsteps:

a. EntertheAuthenticationURL.b. SelectHTTP-PostforSSOBinding.c. SelectBothIDPandSPinitiatedforTransactionsAllowed.d. ClicktheNextbutton.

Note:Thevalueforsendingauser’sgroupsisFMATTR:SM_USERGROUPS.


19. IntheSignatureandEncryptionsection,performthefollowingsteps:

a. SelectyourkeyaliasforSigningPrivateKeyAlias.b. SelectyourcertificatealiasforVerificationCertificateAlias.c. ClicktheNextbutton.

20. ConfirmthePartnershipDetailsandclicktheFinishbutton.

21. ClicktheActionbuttonandclickActivate.

22. ClicktheActionbuttonandclickExportMetadata.







a. EnteranidentityprovidernameinIdentityProviderName.b. (Optional)EnteradescriptioninIdentityProviderDescription.c. ClickSAMLFileMetadata(optional)followedbyclickingtheUploadIdentityProviderMetadatabuttontouploadyourmetadataXML.d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.





a. EnteraGroupName.b. ForSelectPermissions,selectthepermissionsthatthemembersofthegroupfromtheexternalidentityprovidershouldhaveaccessto.




TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandCASingleSign-On.Anadministratorcantestbothserviceproviderandidentityproviderconnections.


2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplication.SelecttheserviceinstanceandclickManage.



4. UnderIdentityProviders,selecttheCASingleSign-Onidentityprovider.



6. Clickthelink.

7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignOn.





1. SignintoCASingleSign-On.





TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofCASingleSign-Onaswell.



3. YouareloggedoutandredirectedtotheCASingleSign-Onloginpage.


TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenPingOneCloudandPivotalSingleSign-On(SSO).

CASingleSign-OnPartnershipisInactive

Symptom:

Explanations:TheCASingleSign-OnisinactiveinCASingleSign-On.

ServiceProviderEntityIDMisconfigured

Symptom:

Explanation:TheserviceproviderEntityIDismisconfiguredinCASingleSign-On.

IncomingSAMLmessageisinvalid

Symptom:

Explanation:TheidentityproviderEntityIDismisconfiguredinCASingleSign-OnorinPCFSingleSign-On.

TheNameIDFormatwasmisconfiguredinCASingleSign-On

AssertionConsumerServiceURLMisconfigured

Symptom:


Explanation:TheserviceproviderAssertionConsumerService(ACS)ismisconfiguredinCASingleSign-On.

AudienceFieldMisconfigured

Symptom:

Explanation:TheserviceproviderAudienceFieldismisconfiguredinCASingleSign-On.

ExpiredCertificate

Symptom:

Explanation:ThecertificatehasexpiredinCASingleSign-On.

IdentityProviderSSOURLMisconfigured

Symptom:

Explanation:TheidentityproviderSSOURLismisconfiguredinPCFSingleSign-On.


GoogleCloudPlatformOIDCIntegrationGuideOverviewThisdocumentationdescribeshowtosetupthePivotalCloudFoundry(PCF)SingleSign-OnservicetouseGoogleCloudPlatform(GCP)asanOpenIDConnect(OIDC)identityprovider.

GCPletsyoubuildandhostapplicationsandwebsites,storedata,andanalyzedataonGoogle’sscalableinfrastructure.

PrerequisitesTointegrateGoogleCloudPlatformasasinglesign-onidentityproviderforPCFapps,youneed:

Pivotal

PCFv1.11.0orlaterSSOv1.4.1orlaterinstalledonyourPCFdeploymentAnSSOserviceplanconfiguredwithplanadministratorswhomanageitandorgstouseit.Forhelpconfiguringplans,seeManageServicePlans.

GoogleCloudPlatform

AnactiveGoogleCloudprojectAGCPuseraccountwithprojecteditororhigherprivileges

IntegrateGoogleCloudPlatformOIDCforSSOCompletethestepbelowtosetupGCPasanOIDCidentityproviderfortheSSOservice.

1. ConfigureGCPasanOIDCIdentityProvider

TestandTroubleshootTesting

Troubleshooting


ConfigureGCPasanOIDCIdentityProviderThistopicdescribeshowtosetupGoogleCloudPlatform(GCP)asanidentityproviderforaSingleSign-On(SSO)serviceplanbyconfiguringOpenIDConnect(OIDC)integrationinbothPivotalCloudFoundry(PCF)andGCP.

GenerateGCPClientCredentials1. LogintoyourGoogleCloudPlatformconsole.

2. UndertheCredentialstab,clickCreatecredentials>OAuthclientID.

3. Intheconfigurationpanethatappears,selectWebapplicationunderApplicationtypeandenteranyName.UnderRestrictions,leaveAuthorizedJavaScriptOriginsblankandforAuthorizedredirectURIsenteraredirectURIoftheform https://AUTH_DOMAIN/login/callback/ORIGIN_KEY ,where:

AUTH_DOMAIN isthefullURLgeneratedbasedontheAuthDomainsettingyouenteredwhenyoucreatedtheserviceplanthatyouareintegratingwithGCP.ORIGIN_KEY isbasedontheIdentityProviderNameyousetintheSSOdashboardinSetUpOIDCIdentityProviderinSSObelow.Thisvalue

shouldhavenospacesoruppercaseletters.Youmightneedtochangethisvaluelater.


4. ClickCreateandrecordtheclientIDandclientsecretgenerated.YouwillenterthesevaluesasyourRelyingPartyOAuthClientIDandRelyingPartyOAuthClientSecretintheSSOdashboardinSetUpOIDCIdentityProviderinSSObelow.

SetUpOIDCIdentityProviderinSSO1. LogintotheSSOdashboardat https://p-identity.YOUR-SYSTEM-DOMAIN usingyourUAAadministratorcredentials.Youcanfindthesecredentialsin

yourElasticRuntimetileinOpsManagerundertheCredentialstab.




4. EnteranIdentityProviderName.ThisvalueinalllowercasewithdashesreplacingspacesbecomesyourOriginKey.Forexample, Example Google

Origin becomes example-google-origin .IfyoudidnotenterthisforyourOAuthClient’sauthorizedredirectURIs,gobackandeditthevalueinGoogleCloudPlatform.

5. EnteraDescription.Spacedevelopersseethisdescriptionwhentheyselectanidentityproviderfortheirapp.

6. SelectOpenIDConnectastheIdentityProvidertype.

7. MakesuretheEnableDiscoverycheckboxisselected,toenableOIDCdiscovery.

8. ForDiscoveryEndpointURL,enter https://accounts.google.com/.well-known/openid-configuration .

9. ClickFetchScopes.

10. EnteryourRelyingPartyOAuthClientIDandRelyingPartyOAuthClientSecretfromtheGenerateGCPClientCredentialsabove.

11. Makesurethat openid and email areselectedasscopes.Youcanselectadditionalscopesifyouwant.


12. UnderAdvancedSettings>UserAttributes,map user_name to email .ThisenablesSSOtoidentifytheauthenticateduser.

13. (Optional)Configureadditionalattributemappings.

14. ClickCreateIdentityProvidertosaveyoursettings.

15. (Optional)Enableidentityproviderdiscoveryfortheserviceplan.


TestingThistopicdescribeshowaPivotalCloudFoundry(PCF)administratorcantesttheOpenIDConnect(OIDC)connectionbetweentheSingleSign-On(SSO)serviceandGoogleCloudPlatform.

TestYourSingleSign-OnConnection1. LogintoAppsManagerat https://apps.YOUR-SYSTEM-DOMAIN andnavigatetotheorgandspacewhereyourappislocated.

2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapp.

3. SelecttheserviceinstanceandclickManage.

4. UndertheAppstab,selectyourapp.

5. UnderIdentityProviders,selecttheGCPidentityprovider.Removeanyotheridentityproviders.


6. ReturntoAppsManagerandclicktheURLlistedbelowyourapptoaccessyourapplication.

7. Navigatetoyourlogin.Youwillberedirectedtotheidentityprovidertoauthenticate.

8. Ontheidentityprovidersign-inpage,enteryourcredentialsandsignin.

9. Iftheapppromptsforauthorizationtothenecessaryscopes,clickAuthorize.

Ifyouarenowloggedintoyourapp,yourGCPOIDCtoSSOconnectionworks.


TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenGoogleCloudPlatform(GCP)OpenIDConnect(OIDC)andPivotalSingleSign-On(SSO).

NoLinkforOIDC

Symptom:

Explanation:IncorrectorunavailablediscoveryURL.Nolinkwillappearontheloginpage.

NoOAuthClientFound

Symptom:


Explanation:IncorrectOAuthClientIDconfigured.

Unauthorized

Symptom:

Explanation:IncorrectOAuthclientsecretconfigured.

RedirectURIMismatch


Symptom:

Explanation:IncorrectauthorizationredirectURIonOAuthClient.

EmptyUsername

Symptom:

Explanation:user_name attributewasnotmappedto email .

Unabletomapclaimtoausername


Symptom:

Explanation:Thescopefor“email”wasnotconfigured.Selectthe“email”scopeinyouridentityproviderconfigurations.


OktaIntegrationGuideOverviewOktaisanenterpriseidentitymanagementandsinglesign-onservicethatintegrateswithapplicationsinthecloud,on-premises,oronamobiledevice.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenOktaastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).


PrerequisitesTointegrateOktawithPivotalCloudFoundry(PCF),youneed:

Pivotal



Okta

Okta,version2016.07orlater.

AuserwithApplicationAdminprivileges.

OktaIntegrationGuide

ConfiguringOktawithSSOCompletebothstepsbelowtointegrateyourdeploymentwithOktaandSSO.

1. ConfigureOktaasanIdentityProvider



Troubleshooting



ConfigureOktaasanIdentityProviderThistopicdescribeshowtosetupOktaasyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andOkta.







7. ClickSave.

8. Openthedownloadedserviceprovidermetadatafile.Youwillrefertothisfileinthenextstep,whenyoufillintheSAMLsettingsinOkta.

SetUpSAMLinOkta1. SigninasanOktaadministrator.

2. NavigatetoyourappandclicktheSignOntab.

3. UnderSettings,clickEdit,andselectSAML2.0.


4. ClicktheGeneraltab.

5. UnderSAMLSettings,clicktheEditbuttonfollowedbytheNextbutton.


6. IntheSAMLSettingssection:

a. Enterthe AssertionConsumerService Location URL fromyourdownloadedserviceprovidermetadataintoSinglesignonURL.Forexample, https://AUTH-DOMAIN/saml/SSO/alias/AUTH-DOMAIN .

b. EnteryourAuthDomainURLintoAudienceURI(SPEntityID).YoucanviewtheAuthDomainforaplanbyloggingintotheSSOdashboard,clickingthenameofyourplan,andselectingEditPlan.Forexample, https://AUTH-DOMAIN.login.SYSTEM-DOMAIN .ThisvalueisalsoavailableinthedownloadedserviceprovidermetadataastheentityID.

c. SelectaNameIDformat.d. SelectanApplicationusername.

7. (Optional)Toconfiguresinglelogout:

a. ClickShowAdvancedSettings.b. ForEnableSingleLogout,selectAllowapplicationtoinitiatesinglelogout.c. Enterthe SingleLogoutService Location URL fromyourdownloadedserviceprovidermetadataintoSingleLogoutURL.


d. Enteryour Auth Domain URL intoSPIssuer.e. ClickUploadSignatureCertificatetouploadthesignaturecertificatefromyourdownloadedserviceprovidermetadata.Youwillneedtocopy

the X509Certificate informationfromthedownloadedserviceprovidermetadata,andreformatitintoavalidcertificatefiletoupload.

8. (Optional)UnderAttributeStatements(Optional),specifyanyattributestatementsthatyouwanttomaptousersintheIDtoken.

9. (Optional)UnderGroupAttributeStatements(Optional),specifyanygroupattributestatementsthatyouwanttomaptousersintheIDtoken.ThisisagroupthatusersbelongtowithinOkta.

10. ClicktheNextbuttonfollowedbytheFinishbutton.

11. ClickIdentityProvidermetadatatodownloadthemetadata,orcopyandsavethelinkaddressoftheIdentityProvidermetadata.YouwillneedthisOktametadataforthenextstep,ConfigureaSingleSign-OnServiceProvider.







a. EnteranidentityprovidernameintoIdentityProviderName.b. (Optional)EnteradescriptionintoIdentityProviderDescription.c. SpecifyIdentityProviderMetadatafromStep11oftheConfigureOktaasanIdentityProvidertopic.

i. Option1:EnteryourInputIdentityProviderMetadataURLandFetchMetadatatofetchyouridentityprovidermetadatafromanendpoint.

ii. Option2:ClickSAMLFileMetadata(optional)touploadyourmetadataXMLmanually.

d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.









TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandOktaservices.Anadministratorcantestbothserviceproviderandidentityproviderconnections.


2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplicationandclickManage.



4. UnderIdentityProviders,selecttheOktaidentityprovider.


6. Clickthelink.


7. Ontheidentityprovidersign-inpage,enteryourcredentialsandclickSignIn.





1. SignintoOkta.



2. Navigatetotheapplicationtileandclickit.


TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofOktaaswell.



3. YouareloggedoutandredirectedtotheOktaloginpage.



TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenOktaandPivotalSingleSign-On(SSO).

PageNotFound

Symptom:

Explanations:TheOktainstanceisinactive.

TheRecipientURLismisconfiguredinOkta.

TheidentityproviderSSOURLismisconfiguredintheSSOplansettings.

NoValidAssertion

Symptom:


Explanations:TheserviceproviderEntityIDismisconfiguredinOkta.

TheDestinationURLismisconfiguredinOkta.

WebpageNotAvailable

Symptom:

Explanation:TheSSOURLismisconfiguredinOkta.

MetadataNotFound

Symptom:

Explanation:TheidentityproviderEntityIDismisconfiguredintheSSOplansettings.


PingFederateIntegrationGuideOverviewPingFederateisafederationserverthatprovidesidentitymanagement,singlesign-on,andAPIsecurityfortheenterprise.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenPingFederateastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).


PrerequisitesTointegratePingFederatewithPivotalCloudFoundry(PCF),youneed:

Pivotal



Ping

PingFederate

AuserwithAdministratorprivileges.

PingFederateIntegrationGuide

ConfiguringPingFederatewithSSOCompletebothstepsbelowtointegrateyourdeploymentwithPingFederateandSSO.

1. ConfigurePingFederateasanIdentityProvider



Troubleshooting



ConfigurePingFederateasanIdentityProviderThistopicdescribeshowtosetupPingFederateasyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andPingFederate.


2. SelectyourplanandchooseManageIdentityProvidersfromthedrop-downmenu.





7. ClickSave.

SetupSAMLinPingFederate

ConfiguretheConnection1. SigninasaPingFederateadministrator.

2. NavigatetoyouridentityproviderconfigurationsbyclickingontheIDPConfigurationtab.

3. UnderSPConnections,clicktheCreateNewbutton.


4. SelecttheBrowserSSOProfilesconnectiontemplateontheConnectionTypetabandclickNext.

5. SelectBrowserSSOontheConnectionOptionstabandclickNext.

6. SelectFileasthemethodforimportingmetadataandclickChoosefiletochoosetheSSOmetadataontheImportMetadatatab.ClickNext.

7. ReviewtheinformationontheMetadataSummarytabandclickNext.

8. EnsurethatthePartner’sEntityID,ConnectionName,andBaseURLfieldspre-populatebasedonthemetadata.ClickNext.


ConfigureBrowserSSO1. ClickConfigureBrowserSSOontheBrowserSSOtab.

2. SelecttheIdP-InitiatedSSOandSP-InitiatedSSOoptionsontheSAMLProfilestabandclickNext.

3. EnteryourdesiredassertionvaliditytimefromontheAssertionLifetimetabandclickNext.

4. (Optional)SelectIdP-InitiatedSLOandSP-InitiatedSLOoptionsifyouwishtoenforceSingleLogout.

AssertionCreation1. ClickConfigureAssertionCreationontheAssertionCreationtab.

2. ChoosetheStandardoptionontheIdentityMappingtabandclickNext.

3. SelectaSubjectNameFormatfortheSAML_SUBJECTontheAttributeContracttabandclickNext.

4. ClickMapNewAdapterInstanceontheAuthenticationSourceMappingtab.

5. SelectanAdapterInstanceandclickNext.Theadaptermustincludetheuser’semailaddress.


6. SelecttheUseonlytheadaptercontractvaluesintheSAMLassertionoptionontheMappingMethodtabandclickNext.

7. SelectyouradapterinstanceastheSourceandtheemailastheValueontheAttributeContractFullfillmenttabandclickNext.

8. (Optional)SelectanyauthorizationconditionsyouwouldlikeontheIssuanceCriteriatabandclickNext.

9. ClickDoneontheSummarytab.

10. ClickNextontheAuthenticationSourceMappingtab.



12. ClickNextontheAssertionCreationtab.

ProtocolSettings1. ClickConfigureProtocolSettingsontheProtocolSettingstab.

2. SelectPOSTforBindingandspecifythesinglesign-onendpointurlintheEndpointURLfieldontheAssertionConsumerServiceURLtab.ClickNext

3. SelectPOSTontheAllowableSAMLBindingstabandclickNext.

4. SelectyourdesiredsignaturepoliciesforassertionsontheSignaturePolicytabandclickNext.

5. SelectyourdesiredencryptionpolicyforassertionsontheEncryptionPolicytabandclickNext.

6. ClickDoneontheProtocolSettingsSummarytab.

7. ClickDoneontheBrowserSSOSummarytab.

ConfigureCredentials1. ClickConfigureCredentialsontheCredentialstab.

2. SelecttheSigningCertificatetousewiththeSingleSign-OnserviceandselectIncludethecertificateinthesignatureelement.ClickNext.



4. ClickNextontheCredentialstab.

5. SelectActivefortheConnectionStatusontheActivation&SummarytabandclickSave.

6. ClickManageAllunderSPConnections.

7. ClickExportMetadataforthedesiredserviceproviderconnection.

8. ChooseaSigningCertificateontheMetadataSigningtabandclickNext.

9. ClickExportontheExport&SummarytabandclickDone.




2. SelectyourplanandchooseManageIdentityProvidersfromthedrop-downmenu.



a. EnteranidentityprovidernameintoIdentityProviderName.b. (Optional)EnteradescriptionintoIdentityProviderDescription.c. ClickSAMLFileMetadata(optional),thenclicktheUploadIdentityProviderMetadatabuttontouploadyourmetadataXML.d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.







9. ClickGroupWhitelistandenterthegroupnamesfromtheexternalidentityprovidertopropagateintheIDtokenwhenauserauthenticates.


TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandPingFederate.Anadministratorcantestbothserviceproviderandidentityproviderconnections.


2. UnderServices,locatetheserviceinstanceoftheSingleSign-On(SSO)planboundtoyourapplication.ClicktheserviceinstanceandthenclickManage.



4. UnderIdentityProviders,selectthePingFederateidentityprovider.a

5. ReturntoAppsManagerandclicktheURLbelowyourapplicationtoauthenticatewiththeidentityprovider.


6. ClickthelinktoLoginviaAuthCodeGrantType.



9. ViewtheaccesstokenandIDtoken.



1. SignintoPingFederate.




3. Viewthelistofapplicationsyouhaveaccessto.

TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofPingFederateaswell.


2. UnderWhatdoyouwanttodo?,clickLogout.

3. EnsurethatyouareloggedoutandredirectedtothePingFederateloginpage.



TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenPingFederateandPivotalSingleSign-On(SSO).

Error

Symptom:

Explanations:ConnectionStatusisdisabledonPingFederate.

TheserviceproviderEntityIDismisconfiguredonPingFederate.

TheidentityproviderSingleSign-OnURLismisconfiguredintheSSOplansettings.

MetadataNotFound

Symptom:



PingOneCloudIntegrationGuideOverviewPingOneCloudisanidentity-as-a-servicesolutionthatdeliverssecuresinglesign-ontoSaaS,legacyandwebapplications.Thisdocumentationdescribeshowtoconfigureasinglesign-onpartnershipbetweenPingOneCloudastheIdentityProvider(IdP)andtheSingleSign-OnService(SSO)forPivotalCloudFoundryastheServiceProvider(SP).


PrerequisitesTointegratePingOneCloudwithPivotalCloudFoundry(PCF),youneed:

Pivotal



PingOneCloud

PingOneCloud

AuserwithApplicationAdminprivileges.

PingOneCloudIntegrationGuide

ConfiguringPingOneCloudwithSSOCompletebothstepsbelowtointegrateyourdeploymentwithPingOneCloudandSSO.

1. ConfigurePingOneCloudasanIdentityProvider



Troubleshooting

Note:ToconfigureSAML,youmusthavetheSingleSign-OnservicebrokerinstalledonyourPCFdeployment.Youneedtocreateaplan,grantanyplanadministrators,andspecifyanyorganizationsthisplanshouldbetheauthenticationauthorityfor.Forhelpconfiguringplans,seetheManageServicePlanstopic..


ConfigurePingOneCloudasanIdentityProviderThistopicdescribeshowtosetupPingOneCloudasyouridentityproviderbyconfiguringSAMLintegrationinbothPivotalCloudFoundry(PCF)andPingOneCloud.







7. ClickSave.

SetupSAMLinPingOneCloud1. SigninasaPingOneCloudadministrator.

2. NavigatetoyourapplicationbyclickingontheApplicationstab.

3. ClicktheAddApplicationbuttonandchooseNewSAMLApplication.


4. EntertheApplicationName,ApplicationDescription,CategoryandanyGraphics.

5. ClicktheContinuetoNextStepbuttontoconfigureSAML.


6. IntheApplicationConfigurationsection,performthefollowingsteps:

a. SelectIhavetheSAMLconfiguration.b. ForSAMLMetadata,clickDownloadtodownloadtheidentityprovidermetadata.c. ForProtocalVersion,selectSAMLv2.0.d. ForUploadMetadata,clickSelectFileandselecttheserviceprovidermetadata.e. ClicktheContinuetoNextStepbutton.

7. (Optional)UnderSSOAttributeMapping,specifyanyapplicationorgroupattributesthatyouwanttomaptousersintheIDtoken.


8. ClicktheSave&PublishbuttonfollowedbytheFinishbutton.







a. EnteranidentityprovidernameintoIdentityProviderName.b. (Optional)EnteradescriptionintoIdentityProviderDescription.c. ClickSAMLFileMetadata(optional)follwedbyclickingtheUploadIdentityProviderMetadatabuttontouploadyourmetadataXML.d. (Optional)UnderAdvancedSAMLSettings,clickAttributeMappingstoenterthemappings.









TestingThistopicdescribeshowanadministratorcantesttheconnectionbetweenSSOandPingOneCloud.Anadministratorcantestbothserviceproviderandidentityproviderconnections.





4. UnderIdentityProviders,selectthePingOneidentityprovider.



6. Clickthelink.







1. SignintoPingOne.





TestYourSingleSign-OffTestsinglesign-offtoensurethatwhenuserslogoutoftheapplication,theyareloggedoutofPingOneaswell.



3. YouareloggedoutandredirectedtothePingOneloginpage.



TroubleshootingThistopicdescribeshowtoresolvecommonerrorsthatarisewhenconfiguringasinglesign-onpartnershipbetweenPingOneCloudandPivotalSingleSign-On(SSO).

Error

Symptom:

Explanations:SingleSign-OnisdisabledonPingOne.

TheserviceproviderEntityIDismisconfiguredonPingOne.

TheidentityproviderSingleSign-OnURLismisconfiguredintheSSOplansettings.

Somethingwentamiss

Symptom:

Explanation:TheserviceproviderAssertionConsumerService(ACS)ismisconfiguredonPingOne.


MetadataNotFound

Symptom:


MissingNameID

Symptom:

Explanation:TheidentityprovidermetadataismissingconfigurationsforNameID.SeeConfigureIdentityProviderMetadata.


Documents

Single Sign-On for PCF Documentation