When fetching user name from Okta OIDC in NSX manager, user name has appended domain name twice

Article ID: 378298

Products

VMware NSX

Issue/Introduction

  • VMware NSX 4.0.x and 4.1.x
  • Okta OIDC is used for user authentication
  • While fetching a User/User Group name from the NSX Manager UI (System -> System -> User Management -> User Role Assignment -> select ADD PRINCIPAL IDENTITY), the user appears in the format username@domain@domain

Environment

 VMware NSX 4.x 

Cause

Under some circumstances, Okta can be configured to return the entire AD UserPrincipalName (e.g. username@example.com) in the userName property returned in SCIM search results, and WorkspaceOne Broker returns these as well in its SCIM search results.

NSX unconditionally appends the domain to the userName, so this causes usernames like username@example.com@example.com to end up in role binding configurations on NSX.
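
The sketch below is an added example, not NSX or Okta code: it reproduces the unconditional append described above, shows one possible conditional form, and audits a list of role-binding names for the doubled-domain pattern. All function names, the binding layout and the sample values are assumptions constructed for illustration.

```python
# Added example: hypothetical helpers and constructed data, not NSX code.

def naive_principal(scim_user_name: str, domain: str) -> str:
    """Behaviour the article describes: the domain is always appended."""
    return f"{scim_user_name}@{domain}"


def normalized_principal(scim_user_name: str, domain: str) -> str:
    """Append the domain only if userName is not already a UPN in that domain."""
    local, sep, suffix = scim_user_name.rpartition("@")
    if sep and local and suffix.lower() == domain.lower():
        return scim_user_name  # already username@domain, leave untouched
    return f"{scim_user_name}@{domain}"


def has_doubled_domain(principal: str) -> bool:
    """True for username@domain@domain (domain compared case-insensitively)."""
    parts = principal.split("@")
    return (len(parts) >= 3 and parts[-1] != ""
            and parts[-1].lower() == parts[-2].lower())


def audit_role_bindings(bindings):
    """Return (stored_name, suggested_name, role) for each affected binding."""
    findings = []
    for binding in bindings:
        name = binding["name"]
        if has_doubled_domain(name):
            # Drop only the trailing duplicate; keep the rest as stored.
            findings.append((name, name.rsplit("@", 1)[0], binding["role"]))
    return findings


# Constructed sample of role-binding entries (layout is an assumption).
SAMPLE_BINDINGS = [
    {"name": "alice@example.com@example.com", "role": "example_admin"},
    {"name": "bob@example.com", "role": "example_auditor"},
    {"name": "netops@Example.com@example.com", "role": "example_operator"},
]

if __name__ == "__main__":
    for stored, suggested, role in audit_role_bindings(SAMPLE_BINDINGS):
        print(f"{role}: {stored!r} should be {suggested!r}")
```

Reviewing the flagged entries matters because a role bound to username@domain@domain does not match the principal name the identity provider actually issues.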

Resolution

This issue is resolved in VMware NSX 4.2.0 and higher.