This topic tells you how to set up the Plan-to-Plan OpenID Connect (OIDC) integration between two Single Sign‑On for VMware Tanzu Application Service service plans, one acting as an identity provider (identity provider plan or IDP) and one acting as a relying party (relying party plan or RP).

Overview

A Plan-to-Plan OIDC integration enables users from the identity provider plan to authenticate into the relying party plan through OIDC.

To set up this integration:

• Overview
• Prerequisites
• Set Up Relying Party Configurations in the Identity Provider Plan
• Set Up the OIDC Identity Provider Configuration in the Relying Party Plan
• Finish Configuration

Prerequisites

You must meet the following prerequisites to set up Plan-to-Plan OIDC integration:

• Your IDP must be visible to your org.
• You must add the IDP as a service instance in a space so you can access the app developer dashboard.

If you have not completed these prerequisites, see Create or Edit Service Plans.

Set Up Relying Party Configurations in the Identity Provider Plan

Follow the instructions below to set up relying party configurations in the identity provider plan.

1. Navigate to Apps Manager.

2. Select the space.

3. Click into the Service tab.

4. Click the service you want to modify.

5. Click Manage.

   

6. Click New App.

7. Type a name in the App Name field.

8. Choose Web App from the list of app types.

9. Type a temporary URL in the Auth Redirect URIs field. You replace this URL after configuring an identity provider on the relying party plan.

10. In the Scopes field, type openid. Optionally, select openid from the list of Auto-Approved Scopes. By adding openid as an automatically approved scope, you prevent users from being prompted to authorize a login from the identity provider.

11. Click Register App. When the app is created successfully, you are prompted to download your app credentials.

    

12. Click Download App Credentials to save the credentials for your app.

    This is the last time you can download your app credentials. VMware recommends that you download the credentials and store them securely.

Set Up the OIDC Identity Provider Configuration in the Relying Party Plan

To set up the OIDC Identity Provider Configuration in the relying party plan, follow the steps below.

1. Follow steps 1–6 in Add an OIDC Provider.
2. If you use a self-signed certificate where the IDP is located, select the Skip SSL Validation checkbox. If you do not use a self-signed certificate, you can leave this box unchecked.
3. Select the Enable Discovery checkbox and type in the Discovery Endpoint URL.
   
   This URL is https://IDP-DOMAIN/.well-known/openid-configuration, where IDP-DOMAIN is the domain setting you enter when you add the IDP service plan you are integrating.
4. Fill in the Relying Party OAuth Client ID with the App Client ID from the previous section.
5. Fill in the Relying Party OAuth Client Secret with the App Secret from the previous section.
6. Confirm that openid is selected as a scope.

Finish Configuration

After you create an app, follow the steps below to finish configuration.

1. Return to the page for the app you created.
2. Click Edit Config. The app configuration screen appears.
   
3. Add an Auth Redirect URL. The URL should read https://RELYING-PARTY-DOMAIN/login/callback/ORIGIN-KEY
   
   Where:
   • RELYING-PARTY-DOMAIN is the domain setting you enter during Relying Party configuration.
   • ORIGIN-KEY is based on the IDP name you set in the SSO Operator Dashboard.
4. Click Save Config.