This topic describes how to connect VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)
to a SAML identity provider (IdP).

Overview

User Account and Authentication (UAA), the identity management service for Tanzu Kubernetes Grid Integrated Edition, can authenticate users either through its internal user account store or external authentication mechanisms such as an LDAP server or a SAML IdP.

To connect Tanzu Kubernetes Grid Integrated Edition to a SAML IdP:

  1. Configure your SAML IdP. For more information, see Configure a SAML IdP below.
  2. Integrate the UAA server with your SAML IdP so that UAA delegates authentication to it. For more information, see Integrate UAA with the SAML IdP below.

Configure a SAML IdP

You must configure a SAML IdP to designate Tanzu Kubernetes Grid Integrated Edition as a service provider (SP) before configuring the SAML IdP in the Tanzu Kubernetes Grid Integrated Edition tile.

See the table below for information about industry-standard SAML IdPs and how to integrate them with Tanzu Kubernetes Grid Integrated Edition:


Solution Name             Integration Guide
Okta Single Sign-On       Configuring Okta as a SAML Identity Provider
Azure Active Directory    Configuring Azure Active Directory as a SAML Identity Provider

Integrate UAA with the SAML IdP

To integrate UAA with your SAML IdP:

  1. In the Tanzu Kubernetes Grid Integrated Edition tile, click UAA.
  2. Under Configure your UAA user account store with either internal or external authentication mechanisms, select SAML Identity Provider.

    [Screenshot: SAML Fields 1]

  3. For Provider Name, enter a unique name you create for the IdP. This name can include only alphanumeric characters, +, _, and -. You must not change this name after deployment because all external users use it to link to the provider.

  4. For Display Name, enter a display name for your provider. This display name appears as a link on your Ops Manager login page, which you can access at https://TKGI-API:8443/login.

    [Screenshot: SAML provider display name]

  5. To directly authenticate users with the configured external identity provider, enable Default Identity Provider.

  6. To automatically bypass displaying the scope approval screen when logging in to the TKGI CLI, enable Enable tkgi cli automatic approval.

  7. To automatically bypass displaying the scope approval screen for the tkgi get-credentials cli command, enable Enable cluster client tkgi cli automatic approval.

  8. Retrieve the metadata from your IdP. You recorded your IdP metadata when you configured your IdP to designate Tanzu Kubernetes Grid Integrated Edition as an SP. See Configure a SAML IdP above.

  9. Enter your IdP metadata into either the Provider Metadata or the Provider Metadata URL fields:

    • If your IdP exposes a metadata URL, enter it in Provider Metadata URL.
    • If your IdP does not expose a metadata URL, paste the XML you retrieved into Provider Metadata.

    Note: VMware recommends that you use Provider Metadata URL rather than Provider Metadata because the metadata can change. Configure only one of these two fields. If you configure both, Provider Metadata URL takes precedence.

  10. For Name ID Format, select the name identifier format for your SAML IdP. This translates to username in Tanzu Kubernetes Grid Integrated Edition. The default is Email Address.

    [Screenshot: SAML Fields 2]

  11. For First Name Attribute and Last Name Attribute, enter the attribute names in your SAML database that correspond to the first and last names in each user record. These fields are case sensitive.

  12. For Email Attribute, enter the attribute name in your SAML assertion that corresponds to the email address in each user record, for example, EmailID. This field is case sensitive.

  13. For External Groups Attribute, enter the attribute name in your SAML database for your user groups. This field is case sensitive. To map the groups from the SAML assertion to admin roles in TKGI, see Grant Tanzu Kubernetes Grid Integrated Edition Access to an External SAML Group in Managing Tanzu Kubernetes Grid Integrated Edition Users with UAA.

  14. By default, all SAML authentication requests from Tanzu Kubernetes Grid Integrated Edition are signed. To change this, deactivate Sign Authentication Requests and configure your IdP to verify SAML authentication requests.

  15. To validate the signature for the incoming SAML assertions, enable Required Signed Assertions and configure your IdP to send signed SAML assertions.

  16. For Signature Algorithm, choose an algorithm from the dropdown to use for signed requests and assertions. The default value is SHA256.

  17. Click Save.

Complete Your Tile Configuration

Next Steps

For information about creating Tanzu Kubernetes Grid Integrated Edition roles and managing Kubernetes cluster access, see:
