This topic tells you the steps for installing and configuring Single Sign‑On for VMware Tanzu Application Service.
Install and Set Up Single Sign‑On for Apps
Install Single Sign‑On using Tanzu Operations Manager.
Create a Service Plan. Single Sign‑On is a multi-tenant service and a service plan corresponds to a tenant. This enables an enterprise to separate users or environments using plans. Each service plan is accessible at a tenant-specific URL in the format
. -
Create a Service Instance. Single Sign‑On plans can provide single sign-on capabilities for applications in various spaces. A service instance lets you bind an application to a service plan.
Configure an Identity Provider. In addition to the Internal User Store, you can configure External Identity Providers to provide single sign-on to applications.
Configure Your Applications. Single Sign‑On supports VMware Tanzu Application Service for VMs apps as well as externally hosted apps. Your applications must be able to request an OAuth or OpenID Connect token.
Create Resources for Your Applications. If your registered applications need to make external API calls, you can assign the API endpoints as resources permitted for the application. This adds the endpoints to an allowlist for use by the application or client.
Single Sign‑On User Roles
User roles determine the parts of a Single Sign‑On configuration that a user can view or manage. Single Sign‑On uses the following user roles:
- Tanzu Operations Manager Administrators, who can manage service plans, service instances, identity providers (IdPs), apps, and resources. This is a Tanzu Operations Manager user role.
- Plan Administrators, who can manage service instances, IdPs, apps, and resources. This is a user role that is specific to Single Sign‑On.
- Space Developers, who can manage service instances, apps, and resources. This is an Tanzu Operations Manager user role.
- Space Auditors, who can view service instances, apps, and resources. They cannot edit any configurations. This is an Tanzu Operations Manager user role.
The following table shows the permissions for each role:
Access by role | Tanzu Operations Manager Administrator | Plan Administrator | Space Developer | Space Auditor |
Service plans | M | |||
Service instances | M | M | M | V |
Identity providers | M | M | ||
Applications | M | M | M | V |
Resources | M | M | M | V |
Legend: M = Manage, V = View |
Using Single Sign‑On Components
In addition to apps, Single Sign‑On supports single sign-on for components of VMware Tanzu Application Service for VMs, including Tanzu Operations Manager and Apps Manager. This enables users already managed in an external IdP to sign into VMware Tanzu services.
Refer to the following pages for instructions on configuring Single Sign‑On to enable users in an external identity store to access VMware Tanzu Application Service for VMs components:
Tanzu Operations Manager, on Amazon Web Services (AWS), vSphere, or OpenStack
Content feedback and comments