After installing or upgrading to vSphere 8.0 Update 1 or later, you can configure vCenter Server Identity Provider Federation for Okta as an external identity provider.

vCenter Server supports only one configured external identity provider (one source), and the vsphere.local identity source (local source). You cannot use multiple external identity providers. vCenter Server Identity Provider Federation uses OpenID Connect (OIDC) for user login to vCenter Server.

You can configure privileges using Okta groups and users through global or object permissions in vCenter Server. See the vSphere Security documentation for details about adding permissions.

Prerequisites

Okta requirements:

  • You are using Okta and have a dedicated domain space, for example, https://your-company.okta.com.
  • To perform OIDC logins and manage user and group permissions, you must create the following Okta applications.
    • An Okta native application with OpenID Connect as the sign-on method. The native application must include the grant types of authorization code, refresh token, and resource owner password.
    • A System for Cross-domain Identity Management (SCIM) 2.0 application with an OAuth 2.0 Bearer Token to perform user and group synchronization between the Okta server and the vCenter Server.

    See the VMware knowledge base article at https://kb.vmware.com/s/article/90835.

  • You have identified the Okta users and groups that you want to share with vCenter Server. This sharing is a SCIM operation (not an OIDC operation).

Okta connectivity requirements:

  • vCenter Server must be able to connect to the Okta discovery endpoint, and the authorization, token, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
  • Okta must also be able to connect with vCenter Server to send user and group data for the SCIM provisioning.
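Before running the wizard's prechecks, it is worth confirming that the discovery document vCenter Server will consume actually advertises what the requirements above ask for. The following Python script is an added example, not part of the original page or of VMware's product; it validates a discovery document against the issuer you expect, the endpoints vCenter Server must reach, the authorization code flow, and the three grant types the native application must enable. The tenant name example.okta.com and the embedded sample document are constructed for the example.

```python
"""Sanity-check Okta OpenID discovery metadata before pointing vCenter Server at it."""
import json
import urllib.request
from urllib.parse import urlparse

# Endpoints vCenter Server must be able to reach (see the connectivity requirements).
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
# Grant types the Okta native application must have enabled.
REQUIRED_GRANT_TYPES = {"authorization_code", "refresh_token", "password"}


def discovery_url(okta_domain: str) -> str:
    """Build the OpenID Address for the Okta authorization server named 'default'."""
    return f"https://{okta_domain}/oauth2/default/.well-known/openid-configuration"


def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return a list of problems found in a discovery document (an empty list means OK)."""
    problems = []
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")
    issuer_host = urlparse(issuer).hostname
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        parsed = urlparse(url)
        # Tokens and keys must only ever travel over TLS.
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        # An endpoint on a different host than the issuer deserves a second look.
        if parsed.hostname != issuer_host:
            problems.append(f"{key} host {parsed.hostname} differs from issuer host {issuer_host}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    missing = REQUIRED_GRANT_TYPES - set(doc.get("grant_types_supported", []))
    if missing:
        problems.append(f"grant types not advertised: {sorted(missing)}")
    return problems


def fetch_discovery(okta_domain: str, timeout: float = 10.0) -> dict:
    """Fetch the live discovery document from Okta (needs network access to the tenant)."""
    with urllib.request.urlopen(discovery_url(okta_domain), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample: a cut-down discovery document for a hypothetical tenant.
SAMPLE_DOMAIN = "example.okta.com"
SAMPLE_ISSUER = f"https://{SAMPLE_DOMAIN}/oauth2/default"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": f"{SAMPLE_ISSUER}/v1/authorize",
    "token_endpoint": f"{SAMPLE_ISSUER}/v1/token",
    "jwks_uri": f"{SAMPLE_ISSUER}/v1/keys",
    "response_types_supported": ["code", "id_token", "token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password"],
}

if __name__ == "__main__":
    # Replace SAMPLE_DOC with fetch_discovery("your-company.okta.com") to check a real tenant.
    issues = check_discovery(SAMPLE_DOC, SAMPLE_ISSUER)
    print("OK" if not issues else "\n".join(issues))
```

Two caveats: grant_types_supported describes what the authorization server can issue, not what your particular Okta application has enabled, so the grant-type check complements rather than replaces verifying the application settings in Okta; and the host comparison is deliberately strict, so if your tenant uses a custom domain that splits endpoints across hosts, treat that finding as something to confirm rather than an error.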

vCenter Server requirements:

  • vSphere 8.0 Update 1 or later
  • On the vCenter Server where you want to create the Okta identity source, verify that the VMware Identity Services are activated.
    Note: When you install or upgrade to vSphere 8.0 Update 1 or later, VMware Identity Services are activated by default. You can use the vCenter Server Management Interface to confirm the status of the VMware Identity Services. See Stop and Start the VMware Identity Services.

vSphere privileges requirements:

  • You must have the VcIdentityProviders.Manage privilege to create, update, or delete a vCenter Server Identity Provider that is required for federated authentication. To limit a user to view the Identity Provider configuration information only, assign the VcIdentityProviders.Read privilege.

Enhanced Linked Mode requirements:

  • You can configure vCenter Server Identity Provider Federation for Okta in an Enhanced Linked Mode configuration. When you configure Okta in an Enhanced Linked Mode configuration, you configure the Okta identity provider to use VMware Identity Services on a single vCenter Server system. For example, if your Enhanced Linked Mode configuration consists of two vCenter Server systems, only one vCenter Server and its instance of VMware Identity Services is used to communicate with the Okta server. If this vCenter Server system becomes unavailable, you can configure VMware Identity Services on another vCenter Server in the ELM configuration to interact with your Okta server. For more information, see Activation Process for External Identity Providers in Enhanced Linked Mode Configurations.
  • When configuring Okta as an external identity provider, all the vCenter Server systems in an Enhanced Linked Mode configuration must run at least vSphere 8.0 Update 1.

Networking requirements:

  • If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Okta server, then use the appropriate publicly accessible URL as the Base Uri.

Procedure

  1. Create an OpenID Connect application in Okta and assign groups and users to the OpenID Connect application.
    To create the OpenID Connect application and assign groups and users, see the VMware knowledge base article at https://kb.vmware.com/s/article/90835. Follow the steps in the section titled "Create the OpenID Connect Application." After you create the Okta OpenID Connect application, copy the following information from the Okta OpenID Connect application to a file for use when configuring the vCenter Server identity provider in the next step.
    • Client Identifier
    • Client secret (shown as Shared secret in the vSphere Client)
    • Active Directory domain information, or Okta domain information if you are not running Active Directory
  2. To create the identity provider on vCenter Server:
    1. Use the vSphere Client to log in as an administrator to vCenter Server.
    2. Navigate to Home > Administration > Single Sign On > Configuration.
    3. Click Change Provider and select Okta.
      The Configure Main Identity Provider wizard opens.
    4. In the Prerequisites panel, review the Okta and the vCenter Server requirements.
    5. Click Run Prechecks.
      If the precheck finds errors, click View Details and take steps to resolve the errors as indicated.
    6. When the Precheck passes, click the confirmation checkbox then click Next.
    7. In the Directory Information panel, enter the following information.
      • Directory Name: Name of the local directory to create on vCenter Server that stores the users and groups pushed from Okta. For example, vcenter-okta-directory.
      • Domain Name(s): Enter the Okta domain names that contain the Okta users and groups you want to synchronize with vCenter Server.

        After you enter your Okta domain name, click the Plus icon (+) to add it. If you enter multiple domain names, specify the default domain.

    8. Click Next.
    9. In the OpenID Connect panel, enter the following information.
      • Redirect URI: Filled in automatically. You give the Redirect URI to your Okta administrator for use in creating the OpenID Connect application.
      • Identity Provider Name: Filled in automatically as Okta.
      • Client Identifier: Obtained when you created the OpenID Connect application in Okta in step 1. (Okta refers to Client Identifier as the Client ID.)
      • Shared Secret: Obtained when you created the OpenID Connect application in Okta in step 1. (Okta refers to Shared Secret as the Client Secret.)
      • OpenID Address: Takes the form https://Okta domain space/oauth2/default/.well-known/openid-configuration.

        For example, if your Okta domain space is example.okta.com, then the OpenID Address is: https://example.okta.com/oauth2/default/.well-known/openid-configuration

        See https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration for more information.

    10. Click Next.
    11. Review the information and click Finish.
      vCenter Server creates the Okta identity provider and displays the configuration information.
    12. If necessary, scroll down and click the Copy icon for the Redirect URI and save it to a file.
      You use the Redirect URI in the Okta OpenID Connect application.
    13. Click the Copy icon for the Tenant URL and save it to a file.
      Note: If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Okta server. After creating the network tunnel, use the appropriate publicly accessible URL as the Base Uri.
    14. Under User Provisioning, click Generate to create the secret token, select the token lifespan from the drop-down, then click Copy to Clipboard. Save the token to a secure location.
      You use the Tenant URL and the token in the Okta SCIM 2.0 application. The Okta SCIM 2.0 application presents the token as an OAuth 2.0 bearer token to synchronize the Okta users and groups into VMware Identity Services, so anyone holding the token can push users and groups to vCenter Server; handle it like a password and choose the shortest lifespan that fits your provisioning schedule. This information is necessary to push Okta users and groups from Okta to vCenter Server.
  3. Return to the VMware knowledge base article at https://kb.vmware.com/s/article/90835 to update the Okta Redirect URI.
    Follow the steps in the section titled "Update the Okta Redirect URI."
  4. To create the SCIM 2.0 application, remain in the VMware knowledge base article at https://kb.vmware.com/s/article/90835.
    Follow the steps in the section titled "Create the SCIM 2.0 Application and Push Users and Groups to vCenter Server."
    When done creating the SCIM 2.0 application as described in the knowledge base article, continue with the next step.
  5. Configure vCenter Server for Okta Authorization.
    You can either assign Okta users to a vCenter Server group or assign inventory-level and global permissions to Okta users. The minimum permission required for logging in is Read-Only.
    To assign Okta users to a group, see Add Members to a vCenter Single Sign-On Group. To assign inventory-level and global permissions to Okta users, see the topic about managing permissions for vCenter Server components in the vSphere Security documentation.
  6. Verify logging in to vCenter Server with an Okta user.