To configure TKG 2.0 cluster access for OIDC users, you configure the vSphere Namespace with role permissions for external identity provider users and groups.

Configure vSphere Namespace Permissions for External Identity Provider Users and Groups

A TKG 2.0 cluster on Supervisor is provisioned in a vSphere Namespace. After you register an external OIDC provider with Supervisor, you configure the vSphere Namespace with role permissions for external OIDC provider users and groups. This action creates the role bindings for the external OIDC provider on each TKG 2.0 cluster in that vSphere Namespace. If the vSphere Namespace already exists, the role bindings are updated.
Note: Once you have registered an external IDP on a Supervisor, all TKG 2.0 clusters created on that Supervisor will be configured automatically with the external IDP via the Pinniped components.
  1. Register an external identity provider with Supervisor.

    See Register an External IDP with Supervisor.

  2. Create a vSphere Namespace for one or more TKG clusters, or select an existing vSphere Namespace.

    See Create a vSphere Namespace for Hosting TKG Service Clusters.

  3. Configure users and roles for the vSphere Namespace.
    Select the external OIDC provider as an identity source, and add users and assign roles.
    1. Select the vSphere Namespace.
    2. Select Permissions > Add Permissions.
    3. Identity Source: Select the external identity provider registered with Supervisor.

      The Provider Name you used to register the external IDP should appear in the drop-down menu. If it does not, check the configuration.

    4. User/Group Search: Type in the user or group name. The text input is a free-form string.

      Users and groups from an external identity provider are not synchronized with vCenter Server and cannot be selected from a list. You must type in the string value exactly as the identity provider presents it, usually an email address. There is no prefix, so you can type "[email protected]", for example.

    5. Role: Assign the user or group to a role by selecting the role, either Can View or Can Edit.
      Note: The Owner role is not available for use with an external identity provider.
  4. Complete the configuration of the vSphere Namespace.

    See Configure a vSphere Namespace for TKG Service Clusters.
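After the permissions are saved, a check worth running on a cluster in that vSphere Namespace is to confirm which external-IDP users and groups actually ended up bound, at what scope, and with which role, so that a typo in the free-form search field (or a stale binding on a pre-existing namespace) is caught rather than silently granting or withholding access. The script below is an added example, not VMware or Pinniped code. It consumes the JSON that `kubectl get rolebindings,clusterrolebindings -A -o json` returns and summarises bindings per subject; the embedded document is constructed, the subject and binding names are made up, and the assumption that "Can View" and "Can Edit" surface as the standard Kubernetes `view` and `edit` ClusterRoles is exactly that, an assumption to adjust to what your cluster shows.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of
# `kubectl get rolebindings,clusterrolebindings -A -o json`.
# Binding names, subjects and namespaces are made up for this example;
# mapping "Can View"/"Can Edit" to the ClusterRoles 'view'/'edit' is an assumption.
SAMPLE_BINDINGS = json.loads("""
{
  "kind": "List",
  "items": [
    {
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "oidc-editors"},
      "roleRef": {"kind": "ClusterRole", "name": "edit"},
      "subjects": [
        {"kind": "User", "name": "alice@example.com"},
        {"kind": "Group", "name": "platform-admins"}
      ]
    },
    {
      "kind": "RoleBinding",
      "metadata": {"name": "oidc-viewers", "namespace": "default"},
      "roleRef": {"kind": "ClusterRole", "name": "view"},
      "subjects": [{"kind": "User", "name": "bob@example.com"}]
    },
    {
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "system:basic-user"},
      "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
      "subjects": [{"kind": "Group", "name": "system:authenticated"}]
    },
    {
      "kind": "RoleBinding",
      "metadata": {"name": "ci-deployer", "namespace": "default"},
      "roleRef": {"kind": "Role", "name": "deployer"},
      "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]
    }
  ]
}
""")


def _scope(binding):
    """'cluster' for a ClusterRoleBinding, 'namespace/<ns>' for a RoleBinding."""
    if binding["kind"] == "ClusterRoleBinding":
        return "cluster"
    return "namespace/" + binding["metadata"]["namespace"]


def bindings_by_subject(doc):
    """Map 'Kind:name' -> sorted list of (role, scope) for User and Group subjects.

    ServiceAccount subjects are skipped: they are cluster-local identities,
    not users or groups coming from the external identity provider.
    """
    result = defaultdict(list)
    for binding in doc.get("items", []):
        role = binding["roleRef"]["name"]
        scope = _scope(binding)
        for subj in binding.get("subjects") or []:   # subjects may be absent
            if subj["kind"] not in ("User", "Group"):
                continue
            result[f"{subj['kind']}:{subj['name']}"].append((role, scope))
    return {k: sorted(v) for k, v in result.items()}


def unexpected_subjects(doc, allowed):
    """Bound User/Group subjects that are not on the reviewer's allow-list.

    Built-in 'system:' groups (e.g. system:authenticated) are ignored,
    since they are not identities issued by the external IDP.
    """
    found = bindings_by_subject(doc)
    return sorted(
        s for s in found
        if s not in allowed and not s.split(":", 1)[1].startswith("system:")
    )


if __name__ == "__main__":
    # Replace SAMPLE_BINDINGS with json.load(open("bindings.json")) for a real export.
    for subject, roles in sorted(bindings_by_subject(SAMPLE_BINDINGS).items()):
        print(subject, roles)
    expected = {"User:alice@example.com", "Group:platform-admins"}
    print("unexpected:", unexpected_subjects(SAMPLE_BINDINGS, expected))
```

The allow-list you pass to `unexpected_subjects` should be the exact strings typed into the User/Group Search field, because Pinniped passes the identity through without a prefix; a subject that appears in the output but not in the allow-list is either a spelling mismatch or a binding that someone created outside the vSphere Namespace workflow.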