This topic tells you how to add an external identity provider to your Single Sign‑On for VMware Tanzu Application Service service plan.

Set up SAML

  1. Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN as a Plan Administrator.

  2. Select your plan and click Manage Identity Providers on the drop-down menu.

    The Plans pane. In the drop-down menu for the plan Azure PCF SSO, the option Manage Identity Providers is highlighted.

  3. Click New Identity Provider to create a new identity provider.

    The New Identity Provider Pane.

  4. To create a new identity provider, do the following:

    1. Enter an Identity Provider Name.
    2. (Optional) Enter an Identity Provider Description.
    3. Enter the App Federation Metadata Url you obtained from step 7 in Set up SAML in Microsoft Entra ID and click Fetch Metadata.
    4. (Optional) Enter mappings under Advanced SAML Settings > Attribute Mappings.
  5. Click Create Identity Provider.

Configure Group Permissions

Microsoft Entra ID passes the Object ID of the groups recorded in step 5 of Set up Claims Mapping to the Single Sign‑On plan.

  1. Add groups to be propagated from the external identity provider to the ID token by following these steps:

    1. Log in to the SSO Operator Dashboard at https://p-identity.SYSTEM-DOMAIN as a Plan Administrator.
    2. Select your plan and click Manage Identity Providers on the drop-down menu.
    3. Click Group Whitelist next to your identity provider.
    4. Enter the group names.
    5. Click Save Group Whitelist.
  2. Map the groups to resources defined in Single Sign‑On by following these steps:

    1. Log in at https://p-identity.SYSTEM-DOMAIN as a Plan Administrator.
    2. Select your plan and click Manage Identity Providers on the drop-down menu.
    3. Click Resource Permissions.
    4. Click New Permissions Mapping and perform the following steps:
      1. Enter a Group Name.
      2. For Select Permissions, select the permissions that the members of the group from the external identity provider should have access to.
      3. Click Save Permissions Mapping.
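
To check a group configuration before relying on it, the following Python sketch models the two steps above: it reads the group Object IDs from a SAML attribute statement, filters them through the group allowlist, and resolves the mapped permissions. It is an added example, not part of Single Sign‑On or its documentation. The exact-match allowlist behavior, the sample GUIDs, the `platform-admins` entry, and the `todo.*` permission names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute name Microsoft Entra ID uses for the groups claim in SAML assertions.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: attribute statement of an assertion; the GUIDs are made up.
SAMPLE_ASSERTION = f"""\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="{GROUPS_CLAIM}">
   <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
   <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def asserted_groups(assertion_xml):
    """Return the group Object IDs carried in the assertion's groups claim.
    Reads attributes only; it does not validate the assertion's signature."""
    root = ET.fromstring(assertion_xml)
    return [(value.text or "").strip()
            for attr in root.iterfind(".//saml:Attribute", NS)
            if attr.get("Name") == GROUPS_CLAIM
            for value in attr.iterfind("saml:AttributeValue", NS)]

def effective_permissions(groups, allowlist, permission_map):
    """Assumed model: exact-match allowlist, then group-to-permission mapping."""
    propagated = [g for g in groups if g in allowlist]
    return {
        "propagated": propagated,
        "dropped": [g for g in groups if g not in allowlist],
        "unmapped": [g for g in propagated if g not in permission_map],
        "never_matched": sorted(set(allowlist) - set(groups)),
        "permissions": sorted({p for g in propagated
                               for p in permission_map.get(g, ())}),
    }

if __name__ == "__main__":
    # Hypothetical plan configuration: one Object ID and one display name.
    allowlist = ["11111111-1111-1111-1111-111111111111", "platform-admins"]
    mapping = {"11111111-1111-1111-1111-111111111111": ["todo.read", "todo.write"]}
    result = effective_permissions(asserted_groups(SAMPLE_ASSERTION), allowlist, mapping)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the sample run, `never_matched` lists the display name `platform-admins`: because Microsoft Entra ID passes Object IDs, an allowlist entry written as a display name never equals an asserted group under this model.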