Note - Effective Feb 2023, VMware Cloud Services is the default authentication tool for all new VMware Tanzu CloudHealth platform users. Using the VMware Cloud Services console, you can manage your entire VMware Cloud services portfolio across hybrid and native public clouds, and it provides you with easy access to the Tanzu CloudHealth platform and other VMware Cloud Services products.
Depending on whether you are a new Tanzu CloudHealth user or a new VMware Cloud Services user, there can be differences in the onboarding workflows.
You will receive an invitation email for both workflows with an onboarding link.
Prerequisite
Procedure
Log in to the VMware Cloud Services platform.
If you are a new user of VMware products, clicking the onboarding link provided in the invitation mail redirects you to the VMware Cloud Services login page. Create a VMware Cloud Services account. The first user who creates an Organization gets the Organization Owner role in the VMware Cloud Services platform. See Create VMware Cloud Services Account.
If you already have a VMware account, then log in using your VMware account credentials.
Once the Organization is created, new users invited to join the Organization receive the role that the Organization Administrator or Organization Owner granted them. It is recommended to grant new users the Organization Member role, which limits their access to the Organization, unless they need higher privileges within the Organization.
Select a VMware Cloud Services Organization.
Select an existing Organization or create a new Organization in which you want to onboard the Tanzu CloudHealth service.
Each Organization comes with an Organization ID. If an existing Organization was associated with the Tanzu CloudHealth platform service in the past and the service is added to that Organization again, Tanzu CloudHealth automatically reactivates your old Tanzu CloudHealth account and links it to the VMware Cloud Services Organization ID.
Note that, per the data retention policy, Tanzu CloudHealth retains customer data for 13 months. If the Organization ID is not available in the Tanzu CloudHealth database, Tanzu CloudHealth creates a new account for you and automatically links it to the VMware Cloud Services Organization ID.
a. Click Add Service to Another Org.
b. Click Create Organization.
c. Create your Organization Profile by providing an Organization Name and Address.
d. Select Terms of Service and click Continue.
e. Accept or decline the Data Disclosure to Partners approval, and click Continue.
You will be redirected to the Tanzu CloudHealth platform.
Prerequisite
If you have an SSO federation setup, new Tanzu CloudHealth users from your company first need to log in to the VMware Cloud Services platform to access the Tanzu CloudHealth services. Once authenticated, they can access the Tanzu CloudHealth platform directly and get into their assigned Tanzu CloudHealth account.
Further, an Organization Administrator or Organization Owner can change user roles in the VMware Cloud Services platform, and the Tanzu CloudHealth administrator can change Tanzu CloudHealth roles in the Tanzu CloudHealth platform if required.
If you are a new user and do not have a VMware Cloud Services account, you need to create one to use Tanzu CloudHealth services. As part of the onboarding process, you will receive an onboarding link at your email address. Click the onboarding link and complete the following steps.
After creating a VMware Cloud Services account, the first user who creates an Organization gets an Organization owner role in the VMware Cloud Services platform.
Pre-requisite
As an Organization owner, you can invite users to your Organization in the VMware Cloud Services platform and grant them access to the Tanzu CloudHealth services platform.
To add new users to the Organization:
1. In the Tanzu CloudHealth platform, click the profile name at the top-right corner, and select View Organization. You will be redirected to the Organization page in the VMware Cloud Services platform.
2. From the left menu, click Identity & Access Management > Active Users.
Organization Roles
The following Organization roles are available in the VMware Cloud Services platform.
Mandatory Roles | Additional Roles |
---|---|
Organization Administrator | Access Log Auditor |
Organization Member | Billing Read-Only |
Organization Owner | Developer |
Project Administrator | |
Software Installer | |
Support User | |
To know more about the VMware Cloud Services Organization and roles, see Before you start with VMware Cloud services.
Service Roles
To assign a Service Role, you first need to select a service and then the service-related role.
For the Tanzu CloudHealth service, you can assign either the Tanzu CloudHealth Administrator role or the Role Managed by Tanzu CloudHealth. With Role Managed by Tanzu CloudHealth, the user assumes the Tanzu CloudHealth role assigned by the Tanzu CloudHealth administrator in the Tanzu CloudHealth platform.
To know more about the roles in the Tanzu CloudHealth platform, see What are Tanzu CloudHealth Roles.
Invite Redemption
New users should accept the invitation using the invite link and create a VMware Cloud Services account or log in to the VMware Cloud Services platform using their active VMware account credentials.
After the user has successfully logged in to the VMware Cloud Services platform,
After redeeming the invitation, the user name will be added to the Tanzu CloudHealth platform.
See how to add users to a user group in the Tanzu CloudHealth platform.
As an Organization owner, you need to link your Organization to your identity provider to grant federated access to all users from your domain.
Pre-requisite
Procedure
Log in to the VMware Cloud Services platform as an Organization owner.
Step 1 – Link the domain name with your Organization
Step 2 – Configure a domain policy
Provide the following information:
Click Save. The domain policy appears in the Grant default roles section.
The domain policy becomes effective immediately after you save the policy, and any user with the saved domain name can log in to the VMware Cloud Services platform using their credentials.
By default, all users from the configured domain are assigned the Organization Member role. The Organization Owner can edit the role later if required.
Select the policy name in the Grant default roles section to edit the domain policy details and click Edit.
Using the VMware Cloud Services console, you can manage your entire VMware Cloud services portfolio across hybrid and native public clouds, and it provides you with easy access to the Tanzu CloudHealth platform and other VMware Cloud Services products.
In the VMware Cloud Services platform, click your profile name at the top right corner. In this pane, you can see your Organization ID and can change your Organization and User Settings.
Organization Settings
View Organization – Click to view the settings of your current Organization. You will be redirected to the VMware Cloud Services > Organization > Details page.
User Settings
To view all the VMware Cloud services you have access to, click the 9-dot menu at the top right corner. Click the service name to switch to a different service.
If you are using FlexOrgs to manage your organizations, follow this procedure to enable SAML SSO. To enable SAML SSO for classic organizations, see Enable SAML SSO for Classic Organizations.
VMware Tanzu CloudHealth allows single sign-on (SSO) as an alternative to username-password-based authentication. If you have in-house identity management or use a different identity provider (IDP), you can authenticate your users using the Security Assertion Markup Language (SAML) protocol.
SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, particularly between an IDP such as Okta, Ping, Azure AD, or ADFS and a service provider such as Auth0 or Tanzu CloudHealth.
An IDP is software that is built around managing user access. When configured, an IDP sends SAML data to the Tanzu CloudHealth platform. This data is called an assertion, and it must contain the attributes email, name, and roles. The attributes in the assertion allow you to authenticate users in the Tanzu CloudHealth platform. You can authenticate multiple domains with Tanzu CloudHealth through the same IDP.
Tanzu CloudHealth does not support mixed-mode authentication. After you configure SAML SSO through an IDP in the Tanzu CloudHealth platform, you can only invite users through that IDP. You will no longer be able to send user invitations through the Tanzu CloudHealth platform.
In FlexOrgs, you can dynamically map users to user groups based on SSO attributes. You specify the attributes in your Identity Provider (IDP).
This capability allows you to centrally manage users in your IDP. When you change their attributes, users are mapped to different user groups with new permissions.
If you do not want to map users to user groups dynamically, you can invite users manually.
Before you attach attributes for mapping users in your IDP, specify the key-value pair that the user group should look for in the IDP assertion.
Perform these steps in the IDP of your choice that supports SAML SSO.
Provide the single sign-on URL, also called an SSO callback, where your domain is company.com: https://cloudhealthtech.auth0.com/login/callback?connection=company-com
Provide the audience URI, where your domain is company.com: urn:auth0:cloudhealthtech:company-com
Enter each domain in the company.com format. Make sure to enter a space after the domain name.
Go to your domain provider, and add the DNS token as a TXT record to the domain, prefixing cloudhealth= to it. When your SSO configuration uses more than one domain, ensure that the TXT record is present for all the domains before validating, because once a domain is validated, only users from the Claimed Domains will be able to sign in via SSO.
You can configure the session length for your users in the Tanzu CloudHealth platform. The default session length is Until the browser closes. However, it is recommended that you specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.
Explains how to enable SAML SSO through your IDP. This is an alternative to username-password-based authentication.
If you are not using FlexOrgs to manage your organizations, follow this procedure to enable SAML SSO. To enable SAML SSO for FlexOrgs, see Enable SAML SSO for FlexOrgs.
Tanzu CloudHealth allows single sign-on (SSO) as an alternative to username-password-based authentication. If you have in-house identity management or use a different identity provider (IDP), you can authenticate your users using the Security Assertion Markup Language (SAML) protocol.
SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, particularly between an IDP such as Okta, Ping, Azure AD, or ADFS and a service provider such as Auth0 or Tanzu CloudHealth.
An IDP is software that is built around managing user access. When configured, an IDP sends SAML data to the Tanzu CloudHealth platform. This data is called an assertion, and it must contain the attributes email, name, and roles. The attributes in the assertion allow you to authenticate users in the Tanzu CloudHealth platform. You can authenticate multiple domains with Tanzu CloudHealth through the same IDP.
Tanzu CloudHealth does not support mixed-mode authentication. After you configure SAML SSO through an IDP in the Tanzu CloudHealth platform, you can only invite users through that IDP. You will no longer be able to send user invitations through the Tanzu CloudHealth platform.
Perform the following steps in the IDP of your choice that supports SAML SSO.
Before you begin, review the users that are listed in your IDP. After configuring SSO, all users in the IDP will have access to Tanzu CloudHealth.
Provide the single sign-on URL, also called an SSO callback, where your domain is company.com: https://cloudhealthtech.auth0.com/login/callback?connection=company-com
Provide the audience URI, where your domain is company.com: urn:auth0:cloudhealthtech:company-com
Roles in the Tanzu CloudHealth platform manage the level of access and visibility that users have after they are authenticated.
Configure your IDP to include a roles attribute with each assertion sent to the Tanzu CloudHealth platform. When a user logs in, Tanzu CloudHealth looks for the roles attribute in the assertion.
Tanzu CloudHealth does not recognize any attribute name other than roles. If you name the attribute Roles or role, Tanzu CloudHealth rejects those user logins.
Assign one of these default roles as a string. Attribute values are case-sensitive.
Roles Attribute Value | Tanzu CloudHealth Role |
---|---|
cloudhealth-administrator | Administrator |
cloudhealth-power | Power user |
cloudhealth-standard | Standard user |
You can locate the attribute value of a specific custom role in the Tanzu CloudHealth Platform.
Note: Newly-created tenants cannot view the attributes of a role created earlier than the tenant.
Only supported if you are already using Tanzu CloudHealth organizations. Contact Tanzu CloudHealth to enable this capability.
Organizations allow you to manage the visibility of data to users of the Tanzu CloudHealth platform. Using organizations, you can grant multiple stakeholders access to the Tanzu CloudHealth platform without providing them access to data you do not want them to see. For example, you might want to ensure that the Marketing Department can only see the cloud infrastructure that it is using.
You can configure your IDP to include an organization attribute with each assertion to the Tanzu CloudHealth platform. Configure this attribute for all users. When a user logs in, Tanzu CloudHealth looks for the organization attribute in the assertion:
- If the attribute is found, Tanzu CloudHealth assigns the user to the specified organization.
- If the attribute is not found, Tanzu CloudHealth rejects the login.
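The rules above (the attribute must be spelled exactly roles, values are case-sensitive, and the organization attribute is mandatory once configured) are the usual cause of rejected SSO logins, and they are easy to check before you cut over. The following Python is an added example, not Tanzu CloudHealth or Auth0 code: it reads the AttributeStatement of an assertion you captured from your IdP's preview or test tool and lists each documented rule it would fail. The sample assertions are constructed and unsigned; the function names, the known_roles parameter and the require_organization switch (which models the organization attribute being configured with User-Organization Association disabled) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names the documentation says every assertion must carry, in exactly this spelling.
REQUIRED_ATTRIBUTES = ("email", "name", "roles")

# Default role values from the documentation. Custom roles (cloudhealth-<IDP name>)
# can be added through the known_roles parameter.
DEFAULT_ROLES = frozenset({"cloudhealth-administrator", "cloudhealth-power", "cloudhealth-standard"})


def attributes_from_assertion(xml_text):
    """Return {attribute name: [values]} from the AttributeStatement of a SAML 2.0 assertion.

    Meant for an assertion captured from your own IdP's preview or test tool, not for
    untrusted input: signature and Conditions checks are deliberately out of scope.
    """
    root = ET.fromstring(xml_text)
    attributes = {}
    for attribute in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attribute.findall("saml:AttributeValue", SAML_NS)]
        attributes[attribute.get("Name")] = values
    return attributes


def check_assertion(xml_text, known_roles=DEFAULT_ROLES, require_organization=False):
    """List the reasons the documented rules would reject this assertion (empty list = looks fine).

    require_organization models the case where the organization attribute is configured
    and the User-Organization Association setting is disabled (assumption of this example).
    """
    attributes = attributes_from_assertion(xml_text)
    problems = []

    for name in REQUIRED_ATTRIBUTES:
        if name in attributes:
            continue
        # Point out the common mistake of a differently cased name such as "Roles".
        near_miss = [n for n in attributes if n.lower() == name]
        hint = f" (found {near_miss[0]!r}; attribute names are case-sensitive)" if near_miss else ""
        problems.append(f"missing attribute {name!r}{hint}")

    for value in attributes.get("roles", []):
        if value not in known_roles:
            problems.append(f"unknown role value {value!r} (values are case-sensitive)")

    if require_organization and "organization" not in attributes:
        problems.append("missing attribute 'organization'; the login would be rejected")

    return problems


def _assertion(attribute_elements):
    """Wrap Attribute elements in a constructed, unsigned sample assertion."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        "<saml:AttributeStatement>" + "".join(attribute_elements) + "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def _attr(name, value):
    return f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'


# Constructed samples, not output from any real IdP.
_IDENTITY = [_attr("email", "alice@company.com"), _attr("name", "Alice Example")]
GOOD_ASSERTION = _assertion(_IDENTITY + [_attr("roles", "cloudhealth-standard")])
MISCASED_NAME_ASSERTION = _assertion(_IDENTITY + [_attr("Roles", "cloudhealth-standard")])
MISCASED_VALUE_ASSERTION = _assertion(_IDENTITY + [_attr("roles", "cloudhealth-Power")])

if __name__ == "__main__":
    samples = (("good", GOOD_ASSERTION),
               ("mis-cased name", MISCASED_NAME_ASSERTION),
               ("mis-cased value", MISCASED_VALUE_ASSERTION))
    for label, text in samples:
        print(f"{label}: {check_assertion(text) or 'ok'}")
```

Run it against an assertion from your IdP's SAML preview before you validate the domain: once SSO is active, a rejected assertion locks that user out, since mixed-mode authentication is not supported.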
The value of the organization attribute is the organization ID, which is derived from the lowercased form of the organization name. Any spaces in the organization name are replaced with hyphens. Mixed case portions in the organization name are separated by underscores.
The following examples show how organization IDs are generated in the Tanzu CloudHealth platform:
Organization Name in Tanzu CloudHealth | Organization ID |
---|---|
Finance | chtorg-finance |
Sales and Marketing | chtorg-sales-and-marketing |
EngDept | chtorg-eng_dept |
You can locate the attribute value of a specific organization in the Tanzu CloudHealth Platform.
Some IDPs require the organization ID to begin with the prefix chtorg-. Contact support for more information regarding your IDP requirements.
Get the following SAML credentials from your IdP:
- X.509 Certificate
- SAML 2.0 Endpoint
In the Tanzu CloudHealth Platform, from the left menu, select Setup > Admin > SSO Configuration.
From the SSO Provider dropdown, select SAML and provide the following information:
Enter each domain in the company.com format. Make sure to enter a space after the domain name.
Click Update SSO Configuration. Tanzu CloudHealth generates a DNS token for each domain you provided during SAML SSO configuration. The domains are placed under Pending status.
Go to your domain provider, and add the DNS token as a TXT record to the domain, prefixing cloudhealth= to it.
You can configure the session length for your users in the Tanzu CloudHealth platform. The default session length is Until the browser closes. However, it is recommended that you specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.
Provide an AD FS Token Signing Certificate in Base-64 PEM Format and AD FS SSO Sign-In Endpoint to Tanzu CloudHealth.
In order to start authenticating via Active Directory Federation Services (AD FS), provide an AD FS Token Signing Certificate in Base-64 PEM Format and AD FS SSO Sign-In Endpoint to Tanzu CloudHealth.
Tanzu CloudHealth will generate an SSO endpoint and contact you to activate and test the connection.
Tanzu CloudHealth does not support mixed-mode authentication. Once you configure SAML SSO through an IdP in the Tanzu CloudHealth Platform, you can only invite users through that IdP. You will no longer be able to send user invitations through the Tanzu CloudHealth Platform.
The AD FS SSO Sign-In Endpoint, for example https://<yourdomainname>.com/adfs/ls.
Reach out to the Tanzu CloudHealth Support team (mailto:[email protected]) to create a ticket and provide the following information:
After receiving your ticket, Tanzu CloudHealth Support will provide you an activated metadata URL that contains information for completing the setup.
For example, for a customer called smidgetswidgets.com, sample endpoint data is formatted as follows:
- Connection Name - smidgetswidgets-com
- Callback URL - https://cloudhealthtech.auth0.com/login/callback?connection=smidgetswidgets-com
- Audience URI - urn:auth0:cloudhealthtech:smidgetswidgets-com
- Metadata - https://cloudhealthtech.auth0.com/samlp/metadata?connection=smidgetswidgets-com
Complete the Add Relying Party Trust wizard as follows:
Claim rules pass information from AD to Tanzu CloudHealth. Complete the Edit Claim Rules wizard as follows:
Add claim rules with the outgoing claim types email and name. Fields are case sensitive. Do not select the prepopulated E-mail Address option.
Add roles claim rules. These rules pass Tanzu CloudHealth roles for the users. Ensure that there exist three security groups in AD, one for each user type: Admin, Power, and Standard. Create a rule for the cht-admin group, then select the group. Ensure that your outgoing claim type is roles (all lowercase). Repeat for cloudhealth-power and cloudhealth-standard.
Result: SSO is active in your account. Users are controlled completely outside of Tanzu CloudHealth via AD security groups.
Configure Tanzu CloudHealth to authenticate your users via Azure Active Directory.
As an alternative to username-password-based authentication, Tanzu CloudHealth allows single sign-on (SSO). You can authenticate your users via Azure Active Directory.
There are two procedures depending on whether you are using FlexOrgs to manage your organizations:
Tanzu CloudHealth does not support mixed-mode authentication. Once you configure Azure AD SSO in the Tanzu CloudHealth Platform, you can only invite users through that IdP. You will no longer be able to send user invitations through the Tanzu CloudHealth Platform.
You are assigned a Global Administrator role in the Active Directory that you want to use for authenticating your users.
In FlexOrgs, you can dynamically map users to user groups based on SSO attributes. You specify the attributes in your Identity Provider (IDP).
This capability allows you to centrally manage users in your IDP. When you change their attributes, users are mapped to different user groups with new permissions.
If you do not want to map users to user groups dynamically, you can invite users manually.
Before you attach attributes for mapping users in your IDP, specify the key-value pair that the user group should look for in the IDP assertion.
You can configure the session length for your users in the Tanzu CloudHealth Platform. The default session length is Until the browser closes. However, the best practice is to specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.
By default, Tanzu CloudHealth provides three roles for Active Directory SSO:
To review the privileges assigned to each role, go to Setup > Admin > Roles in the Tanzu CloudHealth Platform and click the View icon for each role.
If your organization has users whose role does not match any of the default roles, create a custom role as follows:
Result: Tanzu CloudHealth generates an IDP Name for the role.
The IDP Name varies depending on the string you enter in the Name field for the Role. For example:
Role Name | IDP Name |
---|---|
Finance | cloudhealth-finance |
Sales and Marketing | cloudhealth-sales-and-marketing |
EngDept | cloudhealth-eng_dept |
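The IDP Names in the table above and the organization IDs in the SAML organization section earlier (chtorg-finance, chtorg-sales-and-marketing, chtorg-eng_dept) are derived from display names by the same three rules, with different prefixes. The following Python is an added example, not Tanzu CloudHealth code: it implements the rules exactly as documented, plus a reverse lookup that tells you which configured name an IdP value would (or would not) match, which is the usual question when a login is rejected for a mismatched value. How the platform treats digits, punctuation or surrounding whitespace is not documented, so the handling of those here is an assumption, as are the function names; the value shown in the platform under Setup > Admin > Roles or Organizations is authoritative.

```python
import re


def slugify(name):
    """Turn a display name into the slug used inside Tanzu CloudHealth IDs.

    Documented rules: lowercase the name, replace spaces with hyphens, and separate
    mixed-case portions of a word with an underscore (EngDept -> eng_dept). Behaviour for
    digits, punctuation and surrounding whitespace is not documented; what follows is an
    assumption of this example, and the value shown in the platform wins.
    """
    # Underscore at every lower-to-upper boundary inside a word: EngDept -> Eng_Dept
    separated = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", name.strip())
    # Lowercase, then collapse each run of whitespace into a single hyphen
    return re.sub(r"\s+", "-", separated.lower())


def organization_id(organization_name):
    """Value the IdP must send in the organization attribute for this organization."""
    return "chtorg-" + slugify(organization_name)


def idp_role_name(role_name):
    """IDP Name of a custom role, i.e. the value the IdP must send in the roles attribute."""
    return "cloudhealth-" + slugify(role_name)


def name_for_value(value, names, derive):
    """Reverse lookup for troubleshooting: which configured name does an IdP value map to?

    Returns None when nothing matches exactly; the comparison is case-sensitive, as on the platform.
    """
    for name in names:
        if derive(name) == value:
            return name
    return None


if __name__ == "__main__":
    for display_name in ("Finance", "Sales and Marketing", "EngDept"):
        print(f"{display_name!r:24} -> {organization_id(display_name)}  /  {idp_role_name(display_name)}")
    # A value the IdP sends with the wrong case matches nothing, so the login would be rejected
    print(name_for_value("chtorg-EngDept", ["Finance", "EngDept"], organization_id))
```

Feed name_for_value the value you see in the IdP's assertion preview and the list of organization or role names configured in Tanzu CloudHealth; a None result means the IdP is sending a value the platform will not match.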
You can configure the session length for your users in the Tanzu CloudHealth Platform. The default session length is Until the browser closes. However, the best practice is to specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.
Configure Tanzu CloudHealth to allow your Google Apps users to log in using their Google Apps account
If your company uses Google Apps, you can configure Tanzu CloudHealth to allow your Google Apps users to log in using their Google Apps account. Tanzu CloudHealth connects to Google Apps via the OAuth protocol. For more information, refer to Using OAuth 2.0 to Access Google APIs.
Tanzu CloudHealth does not support mixed-mode authentication. Once you configure SSO through Google Apps in the Tanzu CloudHealth Platform, you can only invite users through that IdP. You will no longer be able to send user invitations through the Tanzu CloudHealth Platform.
Enable Admin API access for your domain and create Google Groups for each Tanzu CloudHealth role.
Navigate to the Groups page. Add a group for each of the default Tanzu CloudHealth roles (Administrator, Power User, Standard).
The group names are case-sensitive and must match those listed here.
cloudhealth-administrator
cloudhealth-power
cloudhealth-standard
Once these groups have been created, you can dynamically add and remove users from Tanzu CloudHealth roles by adding or removing them from these groups. A user should only be a member of one Tanzu CloudHealth group. Users that do not belong to a group cannot access the Tanzu CloudHealth Platform. Group membership changes take up to 24 hours to propagate through Google Apps.
Within Tanzu CloudHealth, custom roles can be defined. Each custom role within Tanzu CloudHealth is assigned an IDP name. The IDP Name is used when creating groups that map to roles in your identity provider. For more information on custom roles, see Creating Custom Role. Name the Google Group for each custom role in the cloudhealth-<IDP NAME> format.
From the SSO Provider dropdown, select Google Apps and provide the following information: enter each domain in the company.com format. Click Update SSO Configuration. Click the link in the message to grant Tanzu CloudHealth access to your company directory.
You can configure the session length for your users in the Tanzu CloudHealth Platform. The default session length is Until the browser closes. However, the best practice is to specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.
Configure Okta SSO to authenticate users into the Tanzu CloudHealth Platform
Tanzu CloudHealth does not support mixed-mode authentication. After you configure SAML SSO through an identity provider (IDP) in the Tanzu CloudHealth platform, you can only invite users through that IDP. You will no longer be able to send user invitations through the Tanzu CloudHealth platform.
Use the information in this section to configure the SAML app you created. For more details about items in the configure SAML settings menu, visit the Okta help.
Replace the variable <domain-com> in these examples with the connection name that you are using. For example, if the domain name was mydomain.com, the corresponding connection name would be mydomain-com.
Single sign-on URL: https://cloudhealthtech.auth0.com/login/callback?connection=<domain-com>
Audience URI: urn:auth0:cloudhealthtech:<domain-com>
Attribute statements:
Name | Name format | Value |
---|---|---|
name | Unspecified | user.firstName + " " + user.lastName |
email | Unspecified | user.email |
Group attribute statement:
Name | Name format | Filter |
---|---|---|
roles | Unspecified | Starts With cloudhealth- |
Configure groups that will pass your Tanzu CloudHealth roles via SSO. For instructions on how to create groups, see the Okta help.
Create three Okta groups to map to the default Tanzu CloudHealth roles using exactly the name and spelling below:
cloudhealth-standard
cloudhealth-power
cloudhealth-administrator
Also create Okta groups for any additional custom roles you have configured in Tanzu CloudHealth. To add custom roles, add cloudhealth- before the IDP role name. You can find the IDP name for a custom role by going to https://apps.cloudhealthtech.com/roles. For example, for an IDP name tech-support, the corresponding group name in Okta is cloudhealth-tech-support.
Get the following SAML credentials from your IDP.
Enter each domain in the company.com format.
Go to your domain provider, and add the DNS token as a TXT record to the domain. Tanzu CloudHealth uses the TXT record to validate the domain. This process can take up to 72 hours. Validated tokens appear in the Claimed Domains section.
After the domain is validated, all users who are listed in the IDP will have access to the Tanzu CloudHealth Platform. Users cannot sign into the Tanzu CloudHealth Platform using their existing credentials.
You can configure the session length for your users in the Tanzu CloudHealth Platform. The default session length is Until the browser closes. However, the best practice is to specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.
Configure OneLogin single sign-on to authenticate users into the Tanzu CloudHealth Platform
Tanzu CloudHealth does not support mixed-mode authentication. After you configure SAML SSO through an IdP in the Tanzu CloudHealth Platform, you can only invite users through that IdP. You will no longer be able to send user invitations through the Tanzu CloudHealth Platform.
Create a Tanzu CloudHealth application in OneLogin by creating a SAML Test Connector (IdP w/attr) app in OneLogin. For help setting up the SAML test connector, see the OneLogin documentation.
Next, configure the application you just made using the following settings:
Replace the variable <domain-com> in these examples with the connection name that you are using. For example, if the domain name were company.com, the corresponding connection name would be company-com.
- Audience URI - urn:auth0:cloudhealthtech:<domain-com>
- Metadata - https://cloudhealthtech.auth0.com/samlp/metadata?connection=<domain-com>
- Callback URL - https://cloudhealthtech.auth0.com/login/callback?connection=<domain-com>
Add two additional parameters by clicking Add Parameter.
Field name: roles
Flags: Enable Include in SAML assertion
Click Save. Open the new field from the list of parameters.
For Value, select User Roles and click Save.
Field name: name
Flags: Enable Include in SAML assertion
Click Save. Then reopen it from the list of parameters.
Ensure you have the following parameters:
SAML Test Connector (IdP w/attr) Field | Value |
---|---|
E-mail (attribute) | |
Email (SAML NameID) | |
First Name (Attribute) | First Name |
Last Name (Attribute) | Last Name |
Member of (Groups) (Attribute) | MemberOf |
PersonImmutableID | - No default - |
roles | User Roles |
Get the following SAML credentials from your IdP:
Configure the OneLogin roles that will pass your Tanzu CloudHealth roles via SSO.
Create three new roles (case-sensitive):
cloudhealth-standard
cloudhealth-power
cloudhealth-administrator
Add the recently created Tanzu CloudHealth OneLogin App to each role.
OneLogin groups for custom Tanzu CloudHealth roles also begin with cloudhealth-, with the IdP name of the custom role entered after the hyphen. The IdP name for the custom role can be found by viewing the role in Tanzu CloudHealth at https://apps.cloudhealthtech.com/roles.
From the SSO Provider dropdown, select SAML and provide the following information: enter each domain in the company.com format.
Click Update SSO Configuration. Tanzu CloudHealth generates a DNS token for each domain you provided during SAML SSO configuration. The domains are placed under Pending status.
Go to your domain provider, and add the DNS token as a TXT token to the domain. Tanzu CloudHealth uses the TXT token to validate the domain. This process can take up to 72 hours. Validated tokens appear in the Claimed Domains section.
After the domain is validated, all users who are listed in the IDP will have access to the Tanzu CloudHealth Platform. Users cannot sign into the Tanzu CloudHealth Platform using their existing credentials.
You can configure the session length for your users in the Tanzu CloudHealth Platform. The default session length is Until the browser closes. However, the best practice is to specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.
This section lists common SSO errors, and how to resolve them.
The user should verify from their identity provider that they are passing a value that matches the IdP name of a configured role.
For example, the pre-configured Administrator role requires a role value in the user's assertion that matches the Administrator role's IdP name, cloudhealth-administrator.
The way a role is passed differs based on the identity provider:
- Okta: groups whose names begin with cloudhealth- are passed as roles in the user's assertion when signing in through SSO. Confirm the user's group membership in Okta, and ensure that they belong to the correct cloudhealth- group.
- User group mapping: the key/value pair is set by the user. To confirm that the user is passing the correct value, from Tanzu CloudHealth, go to Setup > Admin > User Groups and open the user group the user should be assigned to. Check that the SSO key/value section under the Details tab matches the expected value.
For example, UserGroup A has the following SSO key and SSO value pair in Tanzu CloudHealth: Department - Finance. Within the IdP, open the user’s account and confirm that the value found under the Department field matches the value in the Details tab for the user group.
Users can also be manually assigned to user groups or automatically assigned through SSO. You can manually assign a user when the correct values are not being passed from the IdP.
To manually assign a user, go to Setup > Admin > User Groups in Tanzu CloudHealth and open the user group the user should be assigned to. From the Members tab, select Add members. The next time the user signs in, they are assigned to the user group, given a role document, and access to Flex Orgs as defined in the user group’s Assignment tab.
Error Message: Your user has not been assigned an organization
If you get the error Your user has not been assigned an organization, it may be due to a mismatched value between the identity provider and Tanzu CloudHealth.
Cause: The User-Organization Association setting has not been configured under Setup > Admin > Single Sign On.
Resolution: When the User-Organization Association setting is disabled, the identity provider is expected to pass a value in the Organization attribute that matches the IdP name of an Organization found in Tanzu CloudHealth under Setup > Admin > Organizations. Ensure that the values match on both the IdP and Tanzu CloudHealth. If the attribute has not been configured, enable this setting so new users are added to the Default Organization. You can then add and remove users as needed.
User Cannot Sign In
If your user previously used the same email address with a different tenant in Tanzu CloudHealth, they may be unable to sign in.
Cause: User records within Tanzu CloudHealth remain even after removing a user from an SSO configuration or tenant.
Resolution: Contact Tanzu CloudHealth Support to confirm that a duplicate user record exists, and archive the duplicate so the user can access the new tenant.