This topic describes how to set up Single Sign‑On for VMware Tanzu Application Service to integrate a Single Sign‑On service plan as an OpenID Connect (OIDC) identity provider.

Service plans are represented in User Access and Administration (UAA) as identity zones. UAA can integrate any two UAAs, with one acting as the relying party and the other acting as the identity provider. This includes identity zones within the same multi-tenant UAA, as well as separate UAA instances, such as the BOSH UAA, Ops Manager UAA, or a standalone UAA (provided they are on a version that has OIDC implemented).

This topic explains how you can perform the integration from one Single Sign‑On service plan to another using Single Sign‑On.


To integrate Plan-to-Plan OIDC with Single Sign‑On, you must have the following:

  • An active Single Sign‑On service plan. This plan acts as the identity provider.
  • A second active Single Sign‑On service plan. This plan acts as the relying party.
  • A user with admin privileges.

Note: To configure OIDC according to these steps, you must have the Single Sign‑On service broker installed in your deployment. You need to create a plan, add any plan administrators, and specify any organizations for which this plan should be the authentication authority. For help configuring plans, see Managing Service Plans.

Integrating a Plan-to-Plan OIDC for Single Sign‑On

Complete this process to set up Plan-to-Plan OIDC integration for the Single Sign‑On service. For more information, see Configuring Plan-to-Plan OIDC Integrations.

Testing the OIDC Connection

After you have configured the Plan-to-Plan OIDC integration for Single Sign‑On, you can test it to confirm it works. For more information, see Testing.


For information about common configuration problems and error states, see Troubleshooting.
