This topic tells you how to integrate Single Sign‑On for VMware Tanzu Application Service with Java and non-Java apps.
Integrate Single Sign‑On with an App
Because Single Sign‑On is based on the OAuth protocol, any app that uses Single Sign‑On must be OAuth-aware.
Java Apps
If you are using Java, use the java-cfenv-boot-pivotal-sso library. For sample Spring Boot apps that show how to use the Single Sign‑On service libraries to configure an app for OAuth, see the spring-boot-2.3 branch of the Single Sign‑On Service Sample Applications repository in GitHub.
These examples use Spring Boot v2.3 and are only provided to get you started. VMware recommends that you use a supported version of Spring Boot.
After binding the app to a Single Sign‑On service instance, you must restart the app for the new Single Sign‑On configuration to take effect.
Non-Java Apps
To configure non-Java apps for OAuth, supply the following properties as environment variables to your app after you bind the app to a Single Sign‑On service instance. You can view this information on the Next Steps page of the SSO Developer Dashboard.
- App ID, also known as OAuth Client ID
- App Secret, also known as OAuth Client Secret
- OAuth Authorization URL, the endpoint for client authorization
- OAuth Token URL, the endpoint for token retrieval
To validate the token, you must verify the following:
- The token is a properly signed JSON Web Token with an appropriate public key. The key can be downloaded from the Token Verification Key endpoint specified on the Next Steps page.
- The value of `aud` in the token matches your App ID.
- The value of `iss` uses the following pattern: https://AUTH-DOMAIN.uaa.YOUR-SYSTEM-DOMAIN/oauth/token, where AUTH-DOMAIN is the Auth Domain you entered in Create or Edit Service Plans.
- The expiry time of the token, `exp`, has not passed.
Login Hints
When you make an authorization code, password, or implicit grant request, you can provide a login hint so that the end user is automatically redirected to the appropriate identity provider.
An encoded JSON string whose origin_key is set to the origin key of an identity provider can be passed as the login_hint query parameter. For information about login hints, see the Authorization Code Grant in the UAA API documentation.