To configure TKG 2.0 cluster access for OIDC users, you configure the vSphere Namespace with role permissions for external identity provider users and groups.
Configure vSphere Namespace Permissions for External Identity Provider Users and Groups
A TKG 2.0 cluster on
Supervisor is provisioned in a
vSphere Namespace. After you register an external OIDC provider with
Supervisor, you configure the
vSphere Namespace with role permissions for external OIDC provider users and groups. This action creates the role bindings for the external OIDC provider on each TKG 2.0 cluster in that
vSphere Namespace . If the
vSphere Namespace already exists, the role bindings are updated.
Note: Once you have registered an external IDP on a
Supervisor, all TKG 2.0 clusters created on that
Supervisor will be configured automatically with the external IDP via the Pinniped components.
- Register an external identity provider with Supervisor.
- Create a vSphere Namespace for one or more TKG clusters, or select an existing vSphere Namespace.
See Create a vSphere Namespace for Hosting TKG Service Clusters.
- Configure users and roles for the vSphere Namespace.
Select the external OIDC provider as an identity source, and add users and assign roles.
- Select the vSphere Namespace.
- Select .
- Identity Source: Select the external identity provider registered with Supervisor.
The Provider Name you used to register the external IDP should appear in the drop-down menu. If it does not, check the configuration.
- User/Group Search: Type in the user or group name. The text input is a free-form string.
Users and groups from an external identity provider are not synchronized with vCenter Server and cannot be selected. You must type in the string value, usually an email address. There is no prefix, so you can type "[email protected]," for example.
- Role: Assign the user or group to a role by selecting the role, either Can View or Can Edit.
Note: The Owner role is not available for use with an external identity provider.
- Complete the configuration of the vSphere Namespace.