How to Enable Okta for vCenter Server

Article ID: 322197

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

To establish a relying party trust between vCenter Server and Okta, the two sides need identifying information and a shared secret. You create an OpenID Connect application in Okta: it registers the vCenter Server redirect URI that Okta invokes at the end of the authorization code flow, and it issues the client identifier and client secret that vCenter Server uses to authenticate to Okta when it redeems authorization codes. To push the Active Directory users and groups from your Okta org into vCenter Server, where they can be granted permissions on vCenter Server objects, you also create a SCIM 2.0 application.


Environment

VMware vCenter Server 8.0.1

Resolution

This article walks through the following steps:

  1. Integrate your Active Directory with Okta.
  2. Create an OIDC application in Okta and assign groups and users to that application.
  3. Create a SCIM 2.0 application in Okta.
  4. Push Okta users and groups to vCenter Server.


Use this KB article in conjunction with Configure vCenter Server Identity Provider Federation for Okta.

Integrate your Active Directory with Okta

If Active Directory is already integrated with Okta, or if you want to use users and groups that exist only in Okta, skip this step and go to Create the OpenID Connect Application.

To integrate Active Directory with Okta, see the Okta documentation, Manage your Active Directory integration.

Create the OpenID Connect Application

Log in to the Okta Admin console and follow the Okta documentation, Create OIDC app integrations, to create an OpenID Connect application. When creating the OpenID Connect application in the Create a new app integration wizard:

  • Select OIDC - OpenID Connect as the Sign-in method.
  • Select Native Application as the Application type.
  • Enter an appropriate name for the OpenID Connect application, for example, Okta-vCenter-app.
  • In General Settings, leave Authorization Code checked, and check Refresh Token and Resource Owner Password. (Resource Owner Password is the OAuth 2.0 password grant, in which the client submits the user's password directly to Okta rather than redirecting the user's browser. This integration requires it, so enable it on this application only.)
  • For now, ignore Sign-in redirect URIs and Sign-out redirect URIs; you enter these values after creating the identity provider in vCenter Server.
  • When selecting how to control access, you can select Skip group assignment for now; groups are assigned in the next procedure.

After creating the OpenID Connect application:

  1. Select the General tab.
  2. In Client Credentials, click Edit, and for Client Authentication check Client Secret.
  3. For Proof Key for Code Exchange (PKCE), uncheck Require PKCE as additional verification. (vCenter Server is a confidential client that authenticates to Okta with the client secret configured in the previous step.)
  4. Click Save. Okta generates the Client Secret.
  5. Copy both the Client ID and Client Secret (the Copy to clipboard icon works for both) and save them for creating the Okta identity provider on the vCenter Server system. Treat the Client Secret as a credential: anyone holding it can redeem authorization codes issued to vCenter Server.

To assign groups and users to the OpenID Connect application:

  1. Select the Assignments tab and select Assign to Groups from the Assign drop-down.
  2. Enter the group to search for in the Search field.
  3. Select the group and click Assign.
  4. Search for, and select and assign, other groups as needed.
  5. When done assigning groups, click Done.

Okta assigns the groups. To view the users that have been assigned, click People under Filters on the Assignments tab.

Create the Okta Identity Provider in vCenter Server

To add the identity provider in vCenter Server for Okta, go to Configure vCenter Server Identity Provider Federation for Okta and start with Step 2.

When you are done adding the Okta identity provider in vCenter Server, return to this KB article and continue with Update the Okta Redirect URI.

Update the Okta Redirect URI

After you create the Okta identity provider configuration on vCenter Server, update the Okta OpenID Connect application with the Redirect URI that you copied from the Okta Identity Provider Configuration page in vCenter Server. Okta compares the redirect_uri in each authorization request against the registered Sign-in redirect URIs as an exact string match, so paste the value as copied rather than retyping it.

In the Okta Admin console:

  1. In the General Settings screen for the OpenID Connect application created, click Edit.
  2. In the Sign-in redirect URIs text box, paste the copied Redirect URI from vCenter Server.
  3. Click Save.
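The following added example (not part of this KB article, and not VMware's or Okta's code) models, in Python, the provider-side checks that correspond to the settings made in Create the OpenID Connect Application and Update the Okta Redirect URI: the grant types enabled on the app, client-secret authentication at the token endpoint, PKCE left optional, and the exact-match comparison of the redirect_uri in an authorization request against the registered Sign-in redirect URIs. It is a stand-in for the provider rather than Okta's implementation; the client ID, client secret, org URL and vCenter Server redirect URI are placeholders. It shows why a retyped URI that differs only by a trailing slash is rejected.

```python
# Added example, not code from the KB article, VMware or Okta. It models the
# provider-side checks behind the app settings above; all identifiers are placeholders.
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OKTA_ISSUER = "https://example.okta.com"  # placeholder org URL (org authorization server)

# Stand-in for the Okta app integration after the steps above: Authorization Code,
# Refresh Token and Resource Owner Password enabled, Client Secret authentication,
# "Require PKCE as additional verification" unchecked.
OKTA_APP = {
    "client_id": "0oa-placeholder-client-id",
    "client_secret": "placeholder-client-secret",
    "grant_types": {"authorization_code", "refresh_token", "password"},
    "require_pkce": False,
    "sign_in_redirect_uris": set(),  # filled in under "Update the Okta Redirect URI"
}

# Placeholder for the Redirect URI copied from the vCenter Server identity provider page.
VCENTER_REDIRECT_URI = "https://vcenter.example.com/ui/login/oauth2/authcode"


def register_redirect_uri(app, uri):
    """Equivalent of pasting the copied URI into Sign-in redirect URIs and saving."""
    app["sign_in_redirect_uris"].add(uri)


def build_authorization_url(issuer, client_id, redirect_uri):
    """Relying-party side: first leg of the authorization code flow.
    state ties the callback to this browser session; nonce is echoed in the ID token."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email groups",
        "state": state,
        "nonce": nonce,
    }
    return f"{issuer}/oauth2/v1/authorize?{urlencode(params)}", state, nonce


def check_authorization_request(app, url):
    """Provider side: returns None if the request is acceptable, else the reason."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("client_id") != app["client_id"]:
        return "unknown client_id"
    if q.get("response_type") != "code" or "authorization_code" not in app["grant_types"]:
        return "authorization code grant not enabled for this app"
    # Simple string comparison: scheme, host, port, path and a trailing slash all count.
    if q.get("redirect_uri") not in app["sign_in_redirect_uris"]:
        return "redirect_uri is not a registered Sign-in redirect URI"
    if app["require_pkce"] and "code_challenge" not in q:
        return "PKCE required but code_challenge is missing"
    if not q.get("state") or "openid" not in q.get("scope", "").split():
        return "missing state or openid scope"
    return None


def token_request_auth_header(client_id, client_secret):
    """client_secret_basic: how a confidential client such as vCenter Server authenticates
    to the token endpoint when Client Authentication is set to Client Secret."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


if __name__ == "__main__":
    url, state, nonce = build_authorization_url(OKTA_ISSUER, OKTA_APP["client_id"], VCENTER_REDIRECT_URI)
    print("before registering the redirect URI:", check_authorization_request(OKTA_APP, url))
    register_redirect_uri(OKTA_APP, VCENTER_REDIRECT_URI)
    print("after registering the redirect URI: ", check_authorization_request(OKTA_APP, url))
    retyped, _, _ = build_authorization_url(OKTA_ISSUER, OKTA_APP["client_id"], VCENTER_REDIRECT_URI + "/")
    print("retyped with trailing slash:       ", check_authorization_request(OKTA_APP, retyped))
    print("token request header:", token_request_auth_header(OKTA_APP["client_id"], OKTA_APP["client_secret"]))
```

Run it directly to see the same request rejected before the redirect URI is registered and accepted afterwards. The Authorization header printed last is what a client_secret_basic token request carries; whoever can read it can redeem authorization codes issued to vCenter Server, which is why the Client Secret belongs only in the vCenter Server identity provider configuration.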

Create the SCIM 2.0 Application and Push Users and Groups to vCenter Server

Creating a SCIM 2.0 application enables you to specify which Active Directory users and groups to push to vCenter Server.

To create the SCIM 2.0 application, log in to the Okta Admin console, browse the app catalog for SCIM 2.0 Test App (OAuth Bearer Token), and click Add Integration.

Note: The word "Test" is of Okta's choosing. The SCIM application you create using this "Test" template is of production quality.

  1. When creating the SCIM 2.0 application:
     a. Enter an appropriate name for the SCIM 2.0 application, such as vCenter Server SCIM 2.0 app.
     b. In the General settings · Required page, leave Automatically log in when user lands on login page checked.
     c. In the Sign-on Options page, for Sign-on methods, leave SAML 2.0 checked.
     d. For Credential Details:
        • Application username format: Select AD SAM Account name.
        • Update application username on: Leave Create and update selected.
        • Password reveal: Leave Allow users to securely see their password selected.
  2. To connect the SCIM 2.0 application to vCenter Server so that it can push users and groups from your Active Directory:

a. In the Okta SCIM 2.0 application, under Provisioning, click Configure API integration.
b. Check the Enable API integration checkbox.
c. Enter the SCIM 2.0 Base Url and OAuth Bearer Token. These are the values you copied earlier from the vCenter Server Identity Provider page: vCenter Server calls the SCIM 2.0 Base Url the "Tenant URL" and the OAuth Bearer Token the "Secret Token."

Note: Okta must be able to reach the Base Url. If vCenter Server is not reachable from the internet, create a network tunnel between the vCenter Server system and Okta, and enter the resulting publicly reachable URL as the Base Url. Expose only the SCIM endpoint, keep it on HTTPS, and restrict inbound access to Okta's published IP ranges where your edge allows it. The Secret Token is the only credential protecting that endpoint, so treat it like a service-account password.

d. Leave Import Groups selected.
e. To verify the SCIM credentials, click Test API Credentials.
f. Click Save.

  3. To provision users:

a. Select the Provisioning tab and select To App, then click Edit.
b. Check Create Users, Update User Attributes, and Deactivate Users.
c. Do not check Sync Password. Users authenticate at Okta through OpenID Connect, so vCenter Server does not need their passwords.
d. Click Save.

  4. To assign users and groups:

a. Select the Assignments tab and select Assign to Groups from the Assign drop-down.
b. Enter the group to search for in the Search field.
c. Select the group and click Assign.
d. If necessary, enter attribute information, then click Save and Go Back.
e. Search for, and select and assign, other groups as needed.
f. When done assigning groups, click Done.
g. Under Filters, select People and Groups to view the users and groups assigned.

  5. To push groups, select the Push Groups tab and select one of these options from the Push Groups pull-down:
     • Find groups by name: Locate groups by name.
     • Find groups by rule: Create a search rule that pushes matching groups to the app.

Unless you uncheck the Push group memberships immediately check box, the selected membership is pushed immediately and the Push Status shows Active. For more information, see Enable Group Push.

Authorize Okta Users

To authorize Okta users to log in to vCenter Server, return to Configure vCenter Server Identity Provider Federation for Okta, Step 5, and complete the Okta identity provider setup by assigning group membership. You can then assign permissions (inventory-level and global) to the Okta users and groups.