Using Okta as the identity provider for the management domain vCenter Server allows for identity federation across VCF BOM components.

Configuring identity federation with Okta involves performing tasks in the Okta Admin Console and the SDDC Manager UI. After the users and groups are synced, you can assign permissions in SDDC Manager, vCenter Server, and NSX Manager.
  1. Create an OpenID Connect application for VMware Cloud Foundation in Okta.
  2. Configure Okta as the Identity Provider in the SDDC Manager UI.
  3. Update the Okta OpenID Connect application with the Redirect URI from SDDC Manager.
  4. Create a SCIM 2.0 Application for VMware Cloud Foundation.
  5. Assign Permissions for Okta Users and Groups in SDDC Manager, vCenter Server, and NSX Manager.
Note: If you created isolated VI workload domains that use different SSO domains, you must use the vSphere Client to configure Okta as the identity provider for those SSO domains. When you configure Okta as the identity provider for an isolated workload domain in the vSphere Client, NSX Manager is automatically registered as a relying party. This means that once an Okta user with the necessary permissions has logged in to the isolated VI workload domain vCenter Server, they can directly access the VI workload domain's NSX Manager from the SDDC Manager UI without having to log in again.

Prerequisites

Integrate Active Directory (AD) with Okta. See Manage your Active Directory integration in the Okta documentation for more information.
Note: This is not required if you do not want to integrate with AD or have previously integrated AD and Okta.

Create an OpenID Connect application for VMware Cloud Foundation in Okta

Before you can use Okta as the identity provider in VMware Cloud Foundation, you need to create an OpenID Connect application in Okta and assign users and groups to the OpenID Connect application.

Procedure

  1. Log in to the Okta Admin console and follow the Okta documentation, Create OIDC app integrations, to create an OpenID Connect application.
    When creating the OpenID Connect application in the Create a new app integration wizard:
    • Select OIDC - OpenID Connect as the Sign-in method.
    • Select Native Application as the Application type.
    • Enter an appropriate name for the OpenID Connect application, for example, Okta-VCF-app.
    • In General Settings, leave Authorization Code checked, and check Refresh Token and Resource Owner Password.
    • For now, ignore Sign-in redirect URIs and Sign-out redirect URIs. (you will input these values later.)
    • When selecting how to control access, you can select Skip group assignment for now if you want.
  2. After the OpenID Connect application is created, generate the Client Secret.
    1. Select the General tab.
    2. In Client Credentials, click Edit and for Client Authentication check Client Secret.
    3. For Proof Key for Code Exchange (PKCE), uncheck Require PKCE as additional verification.
    4. Click Save.
      The Client Secret is generated.
    5. Copy both the Client ID and Client Secret and save them for use in creating the Okta identity provider in SDDC Manager.
      Note: SDDC Manager uses the terms Client Identifier and Shared Secret.
  3. Assign users and groups to the OpenID Connect application.
    1. Select the Assignments tab and select Assign to Groups from the Assign drop-down.
    2. Enter the group to search for in the Search field.
    3. Select the group and click Assign.
    4. Search for, select, and assign, other groups as needed.
    5. When done assigning groups, click Done.
      To view the users that have been assigned, click People under Filters on the Assignment page.
      Okta assigns the group(s).

Configure Okta as the Identity Provider in the SDDC Manager UI

You can configure VMware Cloud Foundation to use Okta as an external identity provider, instead of using vCenter Single Sign-On. In this configuration, the external identity provider interacts with the identity source on behalf of vCenter Server.

You can only add one external identity provider to VMware Cloud Foundation. Changing the identity provider from vCenter Single Sign-On to Okta removes any users and groups that you added to VMware Cloud Foundation from AD over LDAP or OpenLDAP identity sources. Users and groups from the system domain (for example, vsphere.local) are not impacted.

This procedure configures Okta as the identity provider for the management domain vCenter Server. The VMware Identity Services information endpoint is replicated to all other vCenter Server nodes that are part of the management domain vCenter Server enhanced linked mode (ELM) group. This means that when a user logs into and is authorized by the management domain vCenter Server, the user is also authorized on any VI workload domain vCenter Server that is part of the same ELM group. If the user logs in to a VI workload domain vCenter Server first, the same holds true.
Note: The Okta configuration information and user/group information is not replicated between vCenter Server nodes in enhanced linked mode. Do not use the vSphere Client to configure Okta as the identity provider for any VI workload domain vCenter Server that is part of the ELM group.

Prerequisites

Okta requirements:
  • You are customer of Okta and have a dedicated domain space. For example: https://your-company.okta.com.
  • To perform OIDC logins and manage user and group permissions, you must create the following Okta applications.
    • An Okta native application with OpenID Connect as the sign-on method. The native application must include the grant types of authorization code, refresh token, and resource owner password.
    • A System for Cross-domain Identity Management (SCIM) 2.0 application with an OAuth 2.0 Bearer Token to perform user and group synchronization between the Okta server and the vCenter Server.

Okta connectivity requirements:

  • vCenter Server must be able to connect to the Okta discovery endpoint, and the authorization, token, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
  • Okta must also be able to connect with vCenter Server to send user and group data for the SCIM provisioning.
Networking requirements:
  • If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Okta server, then use the appropriate publicly accessible URL as the SCIM 2.0 Base Uri.
vSphere and NSX requirements:
  • vSphere 8.0 Update 2 or later.
  • NSX 4.1.2 or later.
Note: If you added vCenter group memberships for any remote AD/LDAP users or groups, vCenter Server attempts to prepare these memberships so that the are compatible with the new identity provider configuration. This preparation process happens automatically at service startup, but it must complete in order to continue with Okta configuration. Click Run Prechecks to check the status of this process before proceeding.

Procedure

  1. Log in to the SDDC Manager UI as a user with the ADMIN role
  2. In the navigation pane, click Administration > Single Sign On.
  3. Click Identity Provider.
  4. Click Change Identity Provider and select OKTA.
    External Providers menu, showing Okta.
  5. Click Next.
  6. In the Prerequisites panel review and confirm the prerequisites.
  7. Click Run Prechecks to ensure that the system is ready to change identity providers.
    If the precheck finds errors, click View Details and take steps to resolve the errors as indicated.
  8. In the Directory Info panel, enter the following information.
    Directory information section of the Connect Identity Provider wizard.
    • Directory Name: Name of the local directory to create on vCenter Server that stores the users and groups pushed from Okta. For example, vcenter-okta-directory.
    • Domain Name(s): Enter the Okta domain names that contain the Okta users and groups you want to synchronize with vCenter Server.

      After you enter your Okta domain name, click the Plus icon (+) to add it. If you enter multiple domain names, specify the default domain.

  9. Click Next.
  10. In the User Provisioning panel, select the duration of the token lifespan and click Next.
    The Okta SCIM 2.0 application uses the token to synchronize the Okta users and groups.
  11. In the OpenID Connect Configuration panel, enter the following information.
    OpenID Connection Configuration section of the Connect Identity Provider wizard.
    • Redirect URIs: Filled in automatically. You give the redirect URI to your Okta administrator for use in creating the OpenID Connect application.
    • Identity Provider Name: Filled in automatically as Okta.
    • Client Identifier: Obtained when you created the OpenID Connect application in Okta. (Okta refers to Client Identifier as the Client ID.)
    • Shared Secret: Obtained when you created the OpenID Connect application in Okta. (Okta refers to Shared Secret as the Client Secret.)
    • OpenID Address: Takes the form https://Okta domain space/oauth2/default/.well-known/openid-configuration.

      For example, if your Okta domain space is example.okta.com, then the OpenID Address is: https://example.okta.com/oauth2/default/.well-known/openid-configuration.

      See https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration for more information.

  12. Click Next.
  13. Review the information and click Finish.

Update the Okta OpenID Connect application with the Redirect URI from SDDC Manager

After you create the Okta identity provider configuration in the SDDC Manager UI, update the Okta OpenID Connect application with the Redirect URI from SDDC Manager.

Prerequisites

Copy the Redirect URI from the SDDC Manager UI.
  1. Log in to the SDDC Manager UI.
  2. In the navigation pane, click Administration > Single Sign On.
  3. Click Identity Provider.
  4. In the OpenID Connect section, copy and save the Redirect URI.
    OpenID Connect section for an Okta identity provider, showing the redirect URI.

Procedure

  1. Log in to the Okta Admin Console.
  2. In the General Settings screen for the OpenID Connect application created, click Edit.
  3. In the Sign-in redirect URIs text box, paste the copied Redirect URI from SDDC Manager.
  4. Click Save.

Create a SCIM 2.0 Application for VMware Cloud Foundation

Creating a SCIM 2.0 application enables you to specify which Active Directory users and groups to push to vCenter Server.

Prerequisites

Copy the Tenant URL and Secret Token from the SDDC Manager UI.
  1. Log in to the SDDC Manager UI.
  2. In the navigation pane, click Administration > Single Sign On.
  3. Click Identity Provider.
  4. In the User Provisioning section, click Generate and then copy and save the Secret Token and Tenant URL.
    User Provisioning section for an Okta identity provider, showing the tenant URL and secret token.

You will use this information in step 4 below.

Procedure

  1. Log in to the Okta Admin Console.
  2. Browse the app catalog for SCIM 2.0 Test App (OAuth Bearer Token), and click Add Integration.
    Note: The word "Test" is of Okta's choosing. The SCIM application you create using this "Test" template is of production quality.
  3. Use the following settings when creating the SCIM 2.0 application:
    • Enter an appropriate name for the SCIM 2.0 application, such as VCF SCIM 2.0 app.
    • In the General settings · Required page, leave Automatically log in when user lands on login page checked.
    • In the Sign-on Options page:
      • For Sign-on methods, leave SAML 2.0 checked.
      • For Credential Details:
        • Application username format: Select AD SAM Account name.
        • Update application username on: Leave Create and update selected.
        • Password reveal: Leave Allow users to securely see their password selected.
  4. Assign users and groups to the SCIM 2.0 application to push from your Active Directory to vCenter Server:
    1. In the Okta SCIM 2.0 application, under Provisioning, click Configure API integration.
    2. Check the Enable API integration checkbox.
    3. Enter the SCIM 2.0 Base Url and OAuth Bearer Token.
      SDDC Manager calls the SCIM 2.0 Base Url the "Tenant URL," and the OAuth Bearer Token the "Secret Token."
      Note: If you have a network tunnel between the vCenter Server system and the Okta server, then use the appropriate publicly accessible URL as the Base Url.
    4. Leave Import Groups selected.
    5. To verify the SCIM credentials, click Test API Credentials.
    6. Click Save.
  5. Provision users.
    1. Click the Provisioning tab and select To App, then click Edit.
    2. Check Create Users, Update User Attributes, and Deactivate Users.
    3. Do not check Sync Password.
    4. Click Save.
  6. Make assignments.
    1. Click the Assignments tab and select Assign to Groups from the Assign drop-down.
    2. Enter the group to search for in the Search field.
    3. Select the group and click Assign.
    4. If necessary, enter attribute information, then click Save and Go Back.
    5. Search for, and select and assign, other groups as needed.
    6. When done assigning groups, click Done.
    7. Under Filters, select People and Groups to view the users and groups assigned.
  7. Click the Push Groups tab and select an options from the Push Groups drop-down menu.
    • Find groups by name: Select this option to locate groups by name.
    • Find groups by rule: Select this option to create a search rule that pushes matching groups to the app.
    Note: Unless you uncheck the Push group memberships immediately check box, the selected membership is pushed immediately, and the Push Status shows Active. For more information, see Enable Group Push in the Okta documentation.

Assign Okta Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager

After you have succesfully configured Okta and synced its users and groups, you can add users and groups as administrators in SDDC Manager, vCenter Server , and NSX Manager. This enables admin users to sign in to one product UI (for example, SDDC Manager) and not be prompted for credentials again when signing in to another product UI (for example, NSX Manager).

Procedure

  1. Add Okta users/groups as administrators in SDDC Manager.
    1. In the SDDC Manager UI, click Administration > Single Sign On.
    2. Click Users and Groups and then click + User or Group.
      An image showing the add user or group button.
    3. Select one or more users or group by clicking the check box next to the user or group.
      You can either search for a user or group by name, or filter by user type or domain.
      Note: Okta users and groups appear in the domain(s) that you specified when you configured Okta as the identity provider in the SDDC Manager UI.
    4. Select the ADMIN role for each user and group.
      The Choose Role drop-down menu.
    5. Scroll down to the bottom of the page and click Add.
  2. Add Okta users/groups as administrators in vCenter Server.
    1. Log in to the vSphere Client as a local administrator.
    2. Select Administration and click Global Permissions in the Access Control area.
      The Global Permissions menu.
    3. Click Add.
    4. From the Domain drop-down menu, select the domain for the user or group.
    5. Enter a name in the Search box.
      The system searches user names and group names.
    6. Select a user or group.
    7. Select Administrator from the Role drop-down menu.
    8. Select the Propagate to children check box.
      The Add Permission dialog box.
    9. Click OK.
  3. Verify logging in to SDDC Manager with an Okta user.
    1. Log out of the SDDC Manager UI.
    2. Click Sign in with Okta.
      The Sign In With Okta button.
    3. Enter a username and password and click Sign In.
      The sign in screen for Okta.
  4. Verify logging in to vCenter Server with an Okta user.
    1. Log out of the vSphere Client.
    2. Click Sign in with Okta.
      The Sign In With Okta button.
  5. Add Okta users/groups as administrators in NSX Manager.
    1. Log in to NSX Manager.
    2. Navigate to System > User Management .
      The User Management menu.
    3. On the User Role Assignment tab, click Add Role for OpenID Connect User.
      User Role Assignment for User Management.
    4. Select vcenter-idp-federation from the drop-down menu and then enter text to search for and select an Okta user or group.
    5. Click Set in the Roles column.
    6. Click Add Role.
    7. Select Enterprise Admin from the drop-down menu and click Add.
      The Set Roles/Scope dialog box.
    8. Click Apply.
    9. Click Save.
  6. Verify logging in to NSX Manager with an Okta user.
    1. Log out of NSX Manager.
    2. Click Sign in with vCenter-IPD-Federation.
      The Sign In With vCenter-IDP-Federation button.