This topic tells you how to set up the Plan-to-Plan OpenID Connect (OIDC) integration between two Single Sign‑On for VMware Tanzu Application Service service plans, one acting as an identity provider (identity provider plan or IDP) and one acting as a relying party (relying party plan or RP).
A Plan-to-Plan OIDC integration enables users from the identity provider plan to authenticate into the relying party plan through OIDC.
To set up this integration:
You must meet the following prerequisites to set up Plan-to-Plan OIDC integration:
If you have not completed these prerequisites, see Create or Edit Service Plans.
Follow the instructions below to set up relying party configurations in the identity provider plan.
Navigate to Apps Manager.
Select the space.
Click into the Service tab.
Click the service you want to modify.
Click New App.
Type a name in the App Name field.
Choose Web App from the list of app types.
Type a temporary URL in the Auth Redirect URIs field. You replace this URL after configuring an identity provider on the relying party plan.
In the Scopes field, type
openid. Optionally, select
openid from the list of Auto-Approved Scopes. By adding
openid as an automatically approved scope, you prevent users from being prompted to authorize a login from the identity provider.
Click Register App. When the app is created successfully, you are prompted to download your app credentials.
Click Download App Credentials to save the credentials for your app.
Caution This is the last time you can download your app credentials. VMware recommends that you download the credentials and store them securely.
To set up the OIDC Identity Provider Configuration in the relying party plan, follow the steps below.
IDP-DOMAIN is the domain setting you enter when you add the IDP service plan you are integrating.
openid is selected as a scope.
After you create an app, follow the steps below to finish configuration.
RELYING-PARTY-DOMAIN is the domain setting you enter during Relying Party configuration.
ORIGIN-KEY is based on the IDP name you set in the SSO Operator Dashboard.