This topic tells you how to set up the Plan-to-Plan OpenID Connect (OIDC) integration between two Single Sign‑On for VMware Tanzu Application Service service plans, one acting as an identity provider (identity provider plan or IDP) and one acting as a relying party (relying party plan or RP).


A Plan-to-Plan OIDC integration enables users from the identity provider plan to authenticate into the relying party plan through OIDC.

To set up this integration:

  1. Meet the prerequisites
  2. Set up relying party configurations in the identity provider plan
  3. Set up the OIDC Identity Provider Configuration in the Relying Party Plan
  4. Finish the configuration


You must meet the following prerequisites to set up Plan-to-Plan OIDC integration:

  • Your IDP must be visible to your org.
  • You must add the IDP as a service instance in a space so you can access the app developer dashboard.

If you have not completed these prerequisites, see Create or Edit Service Plans.

Set Up Relying Party Configurations in the Identity Provider Plan

Follow the instructions below to set up relying party configurations in the identity provider plan.

  1. Navigate to Apps Manager.

  2. Select the space.

  3. Click into the Service tab.

  4. Click the service you want to modify.

  5. Click Manage.

    The Single Sign-On service in Apps Manager.
There is a row of tabs across the top of the pane labeled Overview, Plan, and Settings. To the right of the tabs are links for
Docs, Support, and Manage. The Manage link is highlighted.

  6. Click New App.

  7. Type a name in the App Name field.

  8. Choose Web App from the list of app types.

  9. Type a temporary URL in the Auth Redirect URIs field. You replace this URL after configuring an identity provider on the relying party plan.

  10. In the Scopes field, type openid. Optionally, select openid from the list of Auto-Approved Scopes. By adding openid as an automatically approved scope, you prevent users from being prompted to authorize a login from the identity provider.

  11. Click Register App. When the app is created successfully, you are prompted to download your app credentials.

    The Download App Credentials dialog box,
which has fields that contain the App ID and the obscured App Secret.
Below the app secret field is the Show App Secret button.
Text below these fields reads this is the last time these App Credentials will be available for download.'
At the bottom of the box is the Download App Credentials button.

  12. Click Download App Credentials to save the credentials for your app.

    Caution This is the last time you can download your app credentials. VMware recommends that you download the credentials and store them securely.

Set Up the OIDC Identity Provider Configuration in the Relying Party Plan

To set up the OIDC Identity Provider Configuration in the relying party plan, follow the steps below.

  1. Follow steps 1–6 in Add an OIDC Provider.
  2. If you use a self-signed certificate where the IDP is located, select the Skip SSL Validation checkbox. If you do not use a self-signed certificate, you can leave this box unchecked.
  3. Select the Enable Discovery checkbox and type in the Discovery Endpoint URL.

    This URL is https://IDP-DOMAIN/.well-known/openid-configuration, where IDP-DOMAIN is the domain setting you enter when you add the IDP service plan you are integrating.
  4. Fill in the Relying Party OAuth Client ID with the App Client ID from the previous section.
  5. Fill in the Relying Party OAuth Client Secret with the App Secret from the previous section.
  6. Confirm that openid is selected as a scope.

Finish Configuration

After you create an app, follow the steps below to finish configuration.

  1. Return to the page for the app you created.
  2. Click Edit Config. The app configuration screen appears.
    The page for an example app in Apps Manager.
  The Edit Config button is at the top of the page and is highlighted. Below that are fields containing
  the App ID and App Secret.
  3. Add an Auth Redirect URL. The URL should read https://RELYING-PARTY-DOMAIN/login/callback/ORIGIN-KEY

    • RELYING-PARTY-DOMAIN is the domain setting you enter during Relying Party configuration.
    • ORIGIN-KEY is based on the IDP name you set in the SSO Operator Dashboard.
  4. Click Save Config.
check-circle-line exclamation-circle-line close-line
Scroll to top icon