Operator users with super user permission can set up and configure Single Sign On (SSO) in VeloCloud Orchestrator (VCO). To setup SSO authentication for Operator user, perform the steps on this procedure.

To configure single sign on for an Operator user:


  • Ensure the you have the Operator super user permission.
  • Before setting up the SSO authentication in VCO, make sure that you have set up roles, users, and OpenID connect (OIDC) application for VCO in your preferred identity provider’s website. For more information, see Configure an IDP for Single Sign On.
Note: SSO integration at the Operator management level of a VMware hosted VeloCloud Gateway is reserved for the VMware SD-WAN TechOPS operators. Partners with Operator level access of a hosted orchestrator do not have the option to integrate to an SSO service.


  1. Log in to the VCO application as Operator super user.
  2. Click Orchestrator Authentication.
    The Configure Authentication screen appears.
  3. From the Authentication Mode drop-down menu, select SSO.
  4. From the Identity Provider template drop-down menu, select your preferred Identity Provider (IDP) that you have configured for Single Sign On.
    Note: When you select VMwareCSP as your preferred IDP, ensure to provide your Organization ID in the following format: /csp/gateway/am/api/orgs/<full organization ID>.

    When you sign in to VMware CSP console, you can view the organization ID you are logged into by clicking on your username. A shortened version of the ID is displayed under the organization name. Click the ID to display the full organization ID.

    You can also manually configure your own IDPs by selecting Others from the Identity Provider template drop-down menu.
  5. In the OIDC well-known config URL text box, enter the OpenID Connect (OIDC) configuration URL for your IDP. For example, the URL format for Okta will be: https://{oauth-provider-url}/.well-known/openid-configuration
  6. The VCO application auto-populates endpoint details such as Issuer, Authorization Endpoint, Token Endpoint, and User Information Endpoint for your IDP.
  7. In the Client Id text box, enter the client identifier provided by your IDP.
  8. In the Client Secret text box, enter the client secret code provided by your IDP, that is used by the client to exchange an authorization code for a token.
  9. To determine user’s role in VCO, select one of the options:
    • Use Default Role – Uses the role set up in the VCO, by default. The supported roles are: Operator Superuser, Operator Standard Admin, Operator Support, and Operator Business.
    • Use Identity Provider Roles – Uses the roles set up in the IDP.
  10. On selecting the Use Identity Provider Roles option, in the Role Attribute text box, enter the name of the attribute set in the IDP to return roles.
  11. In the Role Map area, map the IDP-provided roles to each of the VCO roles, separated by using commas.
    Roles in VMware CSP will follow this format: external/<service definition uuid>/<service role name mentioned during service template creation>.
  12. Update the allowed redirect URLs in OIDC provider website with VCO URL (https://<vco>/login/ssologin/openidCallback).
  13. Click Save Changes to save the SSO configuration.
  14. Click Test Configuration to validate the specified OpenID Connect (OIDC) configuration.
    The user is navigated to the IDP website and allowed to enter the credentials. On IDP verification and successful redirect to VCO test call back, a successful validation message appears.


The SSO authentication setup is complete in VCO.

What to do next

Log in to VCO using Single Sign On