This topic tells you how to upgrade Application Single Sign-On (commonly called AppSSO).
The AppSSO
package is upgraded as part of your TAP
package installation.
For migrating your resources in between versions, see the Migration guides.
If you installed the AppSSO
package on its own, and not as part of TAP
, you can upgrade it individually by running:
tanzu package installed update PACKAGE-INSTALLATION-NAME -p sso.apps.tanzu.vmware.com -v 5.0 --values-file PATH-TO-YOUR-VALUES-YAML -n YOUR-INSTALL-NAMESPACE
NoteYou can also upgrade Application Single Sign-On as part of upgrading Tanzu Application Platform as a whole. See Upgrade Tanzu Application Platform for more information.
VMware recommends that you recreate your AuthServers
after upgrading your Application Single Sign-On to v3.1.0
with the following changes:
.spec.identityProviders[*].openid.claimMappings["roles"]
to .spec.identityProviders[*].openid.roles.fromUpstream.claim
..spec.identityProviders[*].ldap.group.roleAttribute
to .spec.identityProviders[*].ldap.roles.fromUpstream.attribute
..spec.identityProviders[*].ldap.group.search
to .spec.identityProviders[*].ldap.roles.fromUpstream.search
..spec.identityProviders[*].saml.claimMappings["roles"]
to .spec.identityProviders[*].saml.roles.fromUpstream.attribute
.(Optional) If you plan to run Spring Boot 3 based Workload
s, you must perform the following migration tasks in your existing ClientRegistration
resources:
.spec.clientAuthenticationMethod
values.post
to client_secret_post
or migrate the existing value basic
to client_secret_basic
.VMware recommends that you recreate your AuthServers
after upgrading your Application Single Sign-On to v3.0.0
with the following changes:
.spec.tls.disabled
to .spec.tls.deactivated
.VMware recommends that you recreate your AuthServers
after upgrading your Application Single Sign-On to v2.0.0
with the following changes:
Migrate from .spec.issuerURI
to .spec.tls
:
.spec.tls.{issuerRef, certificateRef, secretRef}
. See Issuer URI & TLS for more information..spec.tls.disabled
..spec.issuerURI
.AuthServer
-specific Service
and ingress resources.AuthServer
. You can find its issuer URI in .status.issuerURI
.Application Single Sign-On templates your issuer URI and enables TLS. When using the newer .spec.tls
, a custom Service
and an ingress resource are no longer required.
It is not recommended to continue using .spec.issuerURI
in Application Single Sign-On v2.0.0
. To use .spec.issuerURI
in v2.0.0
, you must provide a Service
and an ingress resource as in v1.0.0
.
If you use the internalUnsafe
identity provider to migrate the existing users by replacing the bcrypt hash through the plaintext equivalent, you can still use the existing bcrypt passwords by prefixing them with {bcrypt}
:
---
apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
kind: AuthServer
metadata:
# ...
spec:
identityProviders:
- name: internal
internalUnsafe:
users:
# v1.0
- username: test-user-1
password: $2a$10$201z9o/tHlocFsHFTo0plukh03ApBYe4dRiXcqeyRQH6CNNtS8jWK # bcrypt-encoded "password"
# ...
# v2.0
- username: "test-user-1"
password: "{bcrypt}$2a$10$201z9o/tHlocFsHFTo0plukh03ApBYe4dRiXcqeyRQH6CNNtS8jWK" # same bcrypt hash, with {bcrypt} prefix
- username: "test-user-2"
password: "password" # plaintext
# ...