Upgrade Application Single Sign-On

This topic tells you how to upgrade Application Single Sign-On (commonly called AppSSO).

The AppSSO package is upgraded as part of your TAP package installation.

For migrating your resources in between versions, see the Migration guides.

If you installed the AppSSO package on its own, and not as part of TAP, you can upgrade it individually by running:

tanzu package installed update PACKAGE-INSTALLATION-NAME -p sso.apps.tanzu.vmware.com -v 5.0 --values-file PATH-TO-YOUR-VALUES-YAML -n YOUR-INSTALL-NAMESPACE
Note

You can also upgrade Application Single Sign-On as part of upgrading Tanzu Application Platform as a whole. See Upgrade Tanzu Application Platform for more information.

Migration guides

v3.0.0 to v3.1.0

VMware recommends that you recreate your AuthServers after upgrading your Application Single Sign-On to v3.1.0 with the following changes:

  • Migrate field .spec.identityProviders[*].openid.claimMappings["roles"] to .spec.identityProviders[*].openid.roles.fromUpstream.claim.
  • Migrate field .spec.identityProviders[*].ldap.group.roleAttribute to .spec.identityProviders[*].ldap.roles.fromUpstream.attribute.
  • Migrate field .spec.identityProviders[*].ldap.group.search to .spec.identityProviders[*].ldap.roles.fromUpstream.search.
  • Migrate field .spec.identityProviders[*].saml.claimMappings["roles"] to .spec.identityProviders[*].saml.roles.fromUpstream.attribute.

(Optional) If you plan to run Spring Boot 3 based Workloads, you must perform the following migration tasks in your existing ClientRegistration resources:

  • Migrate .spec.clientAuthenticationMethod values.
  • Migrate the existing value post to client_secret_post or migrate the existing value basic to client_secret_basic.

v2.0.0 to v3.0.0

VMware recommends that you recreate your AuthServers after upgrading your Application Single Sign-On to v3.0.0 with the following changes:

  • Migrate the field .spec.tls.disabled to .spec.tls.deactivated.

v1.0.0 to v2.0.0

VMware recommends that you recreate your AuthServers after upgrading your Application Single Sign-On to v2.0.0 with the following changes:

  • Migrate from .spec.issuerURI to .spec.tls:

    1. Configure one of .spec.tls.{issuerRef, certificateRef, secretRef}. See Issuer URI & TLS for more information.
    2. (Optional) Disable TLS with .spec.tls.disabled.
    3. Remove .spec.issuerURI.
    4. Delete your AuthServer-specific Service and ingress resources.
    5. Apply your AuthServer. You can find its issuer URI in .status.issuerURI.
    6. Update the redirect URIs in your upstream identity providers.

    Application Single Sign-On templates your issuer URI and enables TLS. When using the newer .spec.tls, a custom Service and an ingress resource are no longer required.

    It is not recommended to continue using .spec.issuerURI in Application Single Sign-On v2.0.0. To use .spec.issuerURI in v2.0.0, you must provide a Service and an ingress resource as in v1.0.0.

  • If you use the internalUnsafe identity provider to migrate the existing users by replacing the bcrypt hash through the plaintext equivalent, you can still use the existing bcrypt passwords by prefixing them with {bcrypt}:

    ---
    apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
    kind: AuthServer
    metadata:
     # ...
    spec:
     identityProviders:
       - name: internal
         internalUnsafe:
           users:
             # v1.0
             - username: test-user-1
               password: $2a$10$201z9o/tHlocFsHFTo0plukh03ApBYe4dRiXcqeyRQH6CNNtS8jWK # bcrypt-encoded "password"
               # ...
             # v2.0
             - username: "test-user-1"
               password: "{bcrypt}$2a$10$201z9o/tHlocFsHFTo0plukh03ApBYe4dRiXcqeyRQH6CNNtS8jWK" # same bcrypt hash, with {bcrypt} prefix
             - username: "test-user-2"
               password: "password" # plaintext
     # ...
    
check-circle-line exclamation-circle-line close-line
Scroll to top icon