Using Okta as the identity provider for the management domain vCenter Server allows for identity federation across VCF BOM components.
- Create an OpenID Connect application for VMware Cloud Foundation in Okta.
- Configure Okta as the Identity Provider in the SDDC Manager UI.
- Update the Okta OpenID Connect application with the Redirect URI from SDDC Manager.
- Create a SCIM 2.0 Application for VMware Cloud Foundation.
- Assign Permissions for Okta Users and Groups in SDDC Manager, vCenter Server, and NSX Manager.
Prerequisites
Create an OpenID Connect application for VMware Cloud Foundation in Okta
Before you can use Okta as the identity provider in VMware Cloud Foundation, you need to create an OpenID Connect application in Okta and assign users and groups to the OpenID Connect application.
Procedure
Configure Okta as the Identity Provider in the SDDC Manager UI
You can configure VMware Cloud Foundation to use Okta as an external identity provider, instead of using vCenter Single Sign-On. In this configuration, the external identity provider interacts with the identity source on behalf of vCenter Server.
You can only add one external identity provider to VMware Cloud Foundation. Changing the identity provider from vCenter Single Sign-On to Okta removes any users and groups that you added to VMware Cloud Foundation from AD over LDAP or OpenLDAP identity sources. Users and groups from the system domain (for example, vsphere.local) are not impacted.
Prerequisites
- You are customer of Okta and have a dedicated domain space. For example: https://your-company.okta.com.
- To perform OIDC logins and manage user and group permissions, you must create the following Okta applications.
- An Okta native application with OpenID Connect as the sign-on method. The native application must include the grant types of authorization code, refresh token, and resource owner password.
- A System for Cross-domain Identity Management (SCIM) 2.0 application with an OAuth 2.0 Bearer Token to perform user and group synchronization between the Okta server and the vCenter Server.
Okta connectivity requirements:
- vCenter Server must be able to connect to the Okta discovery endpoint, and the authorization, token, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
- Okta must also be able to connect with vCenter Server to send user and group data for the SCIM provisioning.
- If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Okta server, then use the appropriate publicly accessible URL as the SCIM 2.0 Base Uri.
- vSphere 8.0 Update 2 or later.
- NSX 4.1.2 or later.
Procedure
Update the Okta OpenID Connect application with the Redirect URI from SDDC Manager
After you create the Okta identity provider configuration in the SDDC Manager UI, update the Okta OpenID Connect application with the Redirect URI from SDDC Manager.
Prerequisites
- Log in to the SDDC Manager UI.
- In the navigation pane, click .
- Click Identity Provider.
- In the OpenID Connect section, copy and save the Redirect URI.
Procedure
- Log in to the Okta Admin Console.
- In the General Settings screen for the OpenID Connect application created, click Edit.
- In the Sign-in redirect URIs text box, paste the copied Redirect URI from SDDC Manager.
- Click Save.
Create a SCIM 2.0 Application for VMware Cloud Foundation
Creating a SCIM 2.0 application enables you to specify which Active Directory users and groups to push to vCenter Server.
Prerequisites
- Log in to the SDDC Manager UI.
- In the navigation pane, click .
- Click Identity Provider.
- In the User Provisioning section, click Generate and then copy and save the Secret Token and Tenant URL.
You will use this information in step 4 below.
Procedure
Assign Okta Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager
After you have succesfully configured Okta and synced its users and groups, you can add users and groups as administrators in SDDC Manager, vCenter Server , and NSX Manager. This enables admin users to sign in to one product UI (for example, SDDC Manager) and not be prompted for credentials again when signing in to another product UI (for example, NSX Manager).
Procedure
- Add Okta users/groups as administrators in SDDC Manager.
- In the SDDC Manager UI, click .
- Click Users and Groups and then click + User or Group.
- Select one or more users or group by clicking the check box next to the user or group.
You can either search for a user or group by name, or filter by user type or domain.Note: Okta users and groups appear in the domain(s) that you specified when you configured Okta as the identity provider in the SDDC Manager UI.
- Select the ADMIN role for each user and group.
- Scroll down to the bottom of the page and click Add.
- Add Okta users/groups as administrators in vCenter Server.
- Log in to the vSphere Client as a local administrator.
- Select Administration and click Global Permissions in the Access Control area.
- Click Add.
- From the Domain drop-down menu, select the domain for the user or group.
- Enter a name in the Search box.
The system searches user names and group names.
- Select a user or group.
- Select Administrator from the Role drop-down menu.
- Select the Propagate to children check box.
- Click OK.
- Verify logging in to SDDC Manager with an Okta user.
- Log out of the SDDC Manager UI.
- Click Sign in with Okta.
- Enter a username and password and click Sign In.
- Verify logging in to vCenter Server with an Okta user.
- Log out of the vSphere Client.
- Click Sign in with Okta.
- Add Okta users/groups as administrators in NSX Manager.
- Log in to NSX Manager.
- Navigate to
. - On the User Role Assignment tab, click Add Role for OpenID Connect User.
- Select vcenter-idp-federation from the drop-down menu and then enter text to search for and select an Okta user or group.
- Click Set in the Roles column.
- Click Add Role.
- Select Enterprise Admin from the drop-down menu and click Add.
- Click Apply.
- Click Save.
- Verify logging in to NSX Manager with an Okta user.
- Log out of NSX Manager.
- Click Sign in with vCenter-IPD-Federation.