This topic explains how to monitor Single Sign‑On for VMware Tanzu Application Service service plans and apps.
Single Sign‑On uses the User Account and Authentication (UAA) service to log security events through Loggregator. UAA security events can be filtered to destinations through a syslog drain. To configure logs to monitor Single Sign‑On plan events, app events, and UAA client events, you need to obtain the ID for the corresponding plan or app.
To obtain the identity zone ID for Single Sign‑On plans, do one of the procedures in Monitor Single Sign‑On Plan Events below.
To obtain the client ID for an app or UAA client, do the procedure in Monitor App Events below.
For information about configuring logging in VMware Tanzu Application Service for VMs, see Configuring Logging in VMware Tanzu Application Service for VMs.
For information about UAA security events, see UAA Logging.
All Single Sign‑On service plans are given a unique identity zone ID. You can monitor all events for a plan by filtering UAA-generated logs using the plan’s identity zone ID.
You can obtain a list of plans and their corresponding identity zone IDs by doing one of the following:
Before you can use the Single Sign‑On API to monitor plan events, you must:
To use the Single Sign‑On API to obtain plan identity zone IDs, run the following command:
curl -X GET "https://sso-api.SYSTEM-DOMAIN/v1/plans" \
  -H "Authorization: Bearer YOUR-TOKEN"
YOUR-TOKEN is the access token you obtained in Create a UAA Identity Zone Admin Client.
For more information, see Single Sign‑On Service Plan Automation API in the Single Sign‑On API documentation.
To use the SSO Operator Dashboard to obtain plan identity zone IDs:
Record the identity zone ID for your plan from the SSO Operator Dashboard URL. The URL looks similar to the one below.
IDENTITY-ZONE-ID is your plan’s identity zone ID.
All apps that use Single Sign‑On have a unique client ID. You can monitor app and UAA client events using the client ID.
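The following added example (not part of the product documentation) shows one way to filter drained UAA audit lines by a plan's identity zone ID and by an app's client ID, then count authentication failures per client. It assumes the `Audit: EventType ('data'): principal=..., origin=[...], identityZoneId=[...]` line layout; the sample lines, zone IDs, and client IDs are constructed.

```python
import re
from collections import Counter

# Assumed layout of a UAA audit line (verify against your own syslog drain output):
#   ... Audit: EventType ('data'): principal=P, origin=[k=v, ...], identityZoneId=[ZONE]
AUDIT_RE = re.compile(
    r"Audit: (?P<event>\w+) \('(?P<data>.*)'\): "
    r"principal=(?P<principal>[^,]*), origin=\[(?P<origin>.*?)\], "
    r"identityZoneId=\[(?P<zone>[^\]]*)\]"
)
CLIENT_RE = re.compile(r"\bclient(?:Id)?=([^,\]\s]+)")

# Constructed sample lines; zone-aaaa, zone-bbbb and the client IDs are placeholders.
P = "[2024-01-01 10:00:00.000] uaa - 100 [http-nio-8080-exec-1] .... INFO --- Audit: "
SAMPLE = [
    P + "ClientAuthenticationSuccess ('Client authentication success'): principal=app-client-1, origin=[remoteAddress=192.0.2.10, clientId=app-client-1], identityZoneId=[zone-aaaa]",
    P + "ClientAuthenticationFailure ('Bad credentials'): principal=app-client-1, origin=[remoteAddress=192.0.2.66, clientId=app-client-1], identityZoneId=[zone-aaaa]",
    P + "UserAuthenticationFailure ('alice'): principal=alice, origin=[remoteAddress=192.0.2.66, clientId=app-client-2], identityZoneId=[zone-bbbb]",
    P + "TokenIssuedEvent ('[\"openid\"]'): principal=user-guid-1, origin=[client=app-client-1, user=alice], identityZoneId=[zone-aaaa]",
    # Not an audit event: a plain substring match on the zone ID would wrongly keep it.
    "[2024-01-01 10:00:04.000] uaa - 100 [http-nio-8080-exec-1] .... DEBUG --- Resolved identity zone zone-aaaa",
]

def parse_audit(line):
    """Return a dict for a UAA audit line, or None for any other log line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    c = CLIENT_RE.search(rec["origin"])
    rec["client_id"] = c.group(1) if c else None
    return rec

def select(lines, zone_id=None, client_id=None):
    """Keep audit events that match the plan's zone ID and/or the app's client ID."""
    recs = [r for r in map(parse_audit, lines) if r]
    return [r for r in recs
            if zone_id in (None, r["zone"]) and client_id in (None, r["client_id"])]

def failures_by_client(records):
    """Count events whose type ends in 'Failure', grouped by client ID."""
    return Counter(r["client_id"] for r in records if r["event"].endswith("Failure"))

if __name__ == "__main__":
    plan_events = select(SAMPLE, zone_id="zone-aaaa")
    print(len(plan_events), dict(failures_by_client(plan_events)))
```

Matching on the bracketed `identityZoneId` field rather than on the bare ID keeps unrelated lines that merely mention the zone out of the result.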
To find your app’s client ID: