This topic tells you about concepts important to getting started with Application Single Sign-On (commonly called AppSSO).
Use this topic to learn how to:
After completing these steps, you can proceed with securing a Workload.
You must install AppSSO on your Tanzu Application Platform cluster. For more information, see Install AppSSO.
At the core of AppSSO is the concept of an Authorization Server, outlined by the AuthServer custom resource. Service Operators create those resources to provision running Authorization Servers, which are OpenID Connect Providers. They issue ID Tokens to Client applications, which contain identity information about the end user such as email, first name, last name and so on.
When a Client application uses an AuthServer to authenticate an End-User, the typical steps are:
id_token
ID Tokens are JSON Web Tokens containing standard Claims about the identity of the user (e.g. name, email, etc) and about the token itself (e.g. “expires at”, “audience”, etc.). Here is an example of an id_token
as issued by an Authorization Server:
{
"iss": "https://appsso.example.com",
"sub": "213435498y",
"aud": "my-client",
"nonce": "fkg0-90_mg",
"exp": 1656929172,
"iat": 1656928872,
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"email": "[email protected]",
"roles": [
"developer",
"org-user"
]
}
roles
claim can only be part of an id_token
when user roles are mapped and ‘roles’ scope is requested. For more information about mapping for OpenID Connect, LDAP and SAML, see:
ID Tokens are signed by the AuthServer
, using Token Signature Keys. Client applications may verify their validity using the AuthServer’s public keys.