Configure Okta as the Identity Provider in the SDDC Manager UI

You can configure
to use Okta as an external identity provider, instead of using vCenter Single Sign-On. In this configuration, the external identity provider interacts with the identity source on behalf of vCenter Server.
Okta requirements:
  • You are a customer of Okta and have a dedicated domain space, for example https://your-company.okta.com.
  • To perform OIDC logins and manage user and group permissions, you must create the following Okta applications.
    • An Okta native application with OpenID Connect as the sign-on method. The native application must include the grant types of authorization code, refresh token, and resource owner password.
    • A System for Cross-domain Identity Management (SCIM) 2.0 application with an OAuth 2.0 Bearer Token to perform user and group synchronization between the Okta server and the vCenter Server.
Okta connectivity requirements:
  • vCenter Server must be able to connect to the Okta discovery endpoint, and the authorization, token, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
  • Okta must also be able to connect with vCenter Server to send user and group data for the SCIM provisioning.
Networking requirements:
  • If your network is not publicly available, you must create a network tunnel between your vCenter Server system and your Okta server, then use the appropriate publicly accessible URL as the SCIM 2.0 Base Uri.
vSphere and NSX requirements:
  • vSphere 8.0 Update 2 or later.
  • NSX 4.1.2 or later.
If you added vCenter group memberships for any remote AD/LDAP users or groups, vCenter Server attempts to prepare these memberships so that they are compatible with the new identity provider configuration. This preparation process happens automatically at service startup, but it must complete before you can continue with the Okta configuration. Click Run Prechecks to check the status of this process before proceeding.
You can only add one external identity provider to
. Changing the identity provider from vCenter Single Sign-On to Okta removes any users and groups that you added to
from AD over LDAP or OpenLDAP identity sources. Users and groups from the system domain (for example,
vsphere.local
) are not impacted.
This procedure configures Okta as the identity provider for the management domain
. The VMware Identity Services information endpoint is replicated to all other vCenter Server nodes that are part of the management domain
enhanced linked mode (ELM) group. This means that when a user logs into and is authorized by the management domain
, the user is also authorized on any VI workload domain
that is part of the same ELM group. If the user logs in to a VI workload domain
first, the same holds true.
The Okta configuration information and user/group information is not replicated between
nodes in enhanced linked mode. Do not use the
to configure Okta as the identity provider for any VI workload domain
that is part of the ELM group.
  1. Log in to the
    as a user with the ADMIN role
  2. In the navigation pane, click Administration > Single Sign On.
  3. Click Identity Provider.
  4. Click Change Identity Provider and select OKTA.
     External Providers menu, showing Okta.
  5. Click Next.
  6. In the Prerequisites panel, review and confirm the prerequisites.
  7. Click Run Prechecks to ensure that the system is ready to change identity providers.
     If the precheck finds errors, click View Details and take steps to resolve the errors as indicated.
  8. In the Directory Info panel, enter the following information.
     Directory information section of the Connect Identity Provider wizard.
    • Directory Name: Name of the local directory to create on vCenter Server that stores the users and groups pushed from Okta. For example, vcenter-okta-directory.
    • Domain Name(s): Enter the Okta domain names that contain the Okta users and groups you want to synchronize with vCenter Server.
      After you enter your Okta domain name, click the Plus icon (+) to add it. If you enter multiple domain names, specify the default domain.
  9. Click Next.
  10. In the User Provisioning panel, select the duration of the token lifespan and click Next.
    The Okta SCIM 2.0 application uses the token to synchronize the Okta users and groups.
  11. In the OpenID Connect Configuration panel, enter the following information.
     OpenID Connect Configuration section of the Connect Identity Provider wizard.
    • Redirect URIs: Filled in automatically. You give the redirect URI to your Okta administrator for use in creating the OpenID Connect application.
    • Identity Provider Name: Filled in automatically as Okta.
    • Client Identifier: Obtained when you created the OpenID Connect application in Okta. (Okta refers to Client Identifier as the Client ID.)
    • Shared Secret: Obtained when you created the OpenID Connect application in Okta. (Okta refers to Shared Secret as the Client Secret.)
    • OpenID Address: Takes the form https://<Okta domain space>/oauth2/default/.well-known/openid-configuration. For example, if your Okta domain space is example.okta.com, then the OpenID Address is https://example.okta.com/oauth2/default/.well-known/openid-configuration.
  12. Click Next.
  13. Review the information and click Finish.
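As an added example (not part of the VMware documentation or any VMware tool), the following Python script builds the OpenID Address in the form that step 11 describes and checks a discovery document for the endpoints that the connectivity requirements say vCenter Server must reach, plus the grant types the Okta native application must allow. The embedded discovery document is constructed sample data; `fetch_discovery` is an assumed helper for running the same check live from the vCenter Server network path.

```python
import json
import re
import urllib.request
from urllib.parse import urlparse

# Endpoints advertised in the discovery metadata that vCenter Server must reach.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_GRANTS = ("authorization_code", "refresh_token", "password")  # native app grant types
_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")  # bare host such as example.okta.com


def build_openid_address(okta_domain: str) -> str:
    """Return the OpenID Address for the default Okta authorization server."""
    domain = okta_domain.strip().lower().removeprefix("https://").rstrip("/")
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"not a bare Okta domain space: {okta_domain!r}")
    return f"https://{domain}/oauth2/default/.well-known/openid-configuration"


def check_discovery(doc: dict, okta_domain: str) -> list[str]:
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = []
    if urlparse(doc.get("issuer", "")).hostname != okta_domain.lower():
        problems.append("issuer host does not match the Okta domain space")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":  # every advertised endpoint must be TLS
            problems.append(f"{key} is not https: {url}")
    advertised = set(doc.get("grant_types_supported", []))
    problems.extend(f"grant type not advertised: {g}" for g in REQUIRED_GRANTS if g not in advertised)
    return problems


def fetch_discovery(okta_domain: str, timeout: float = 10.0) -> dict:
    """Live fetch (assumption: run it from the vCenter Server network path)."""
    with urllib.request.urlopen(build_openid_address(okta_domain), timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample discovery document, trimmed to the fields checked above.
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
    "grant_types_supported": ["authorization_code", "refresh_token", "password"],
}
```

Run `check_discovery(fetch_discovery("your-company.okta.com"), "your-company.okta.com")` from the vCenter Server side before the wizard's Run Prechecks step; a non-empty list points at the endpoint or grant type to fix first.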