Users cannot log in to VCFA using Okta OIDC integration
Article ID: 411198
Updated On:
Products
Issue/Introduction
After configuring Okta as an OpenID Connect (OIDC) Identity Provider for VMware Cloud Foundation - Automation (VCFA), users are unable to log in. The authentication process fails, and users are returned to the login screen.
Environment
VCF Automation
Okta as an OIDC Identity Provider
Cause
This issue occurs when the OIDC provider configuration in VCFA does not include the $groups$ scope. The $groups$ scope is required to request the user's group membership information from Okta during the login process. Without this scope, VCFA cannot receive the necessary claims to map the user to an authorized role, causing the login to fail.
Resolution
Resolution
To resolve this issue, you must add the groups scope to your OIDC provider configuration within the VCF Automation (VCFA) portal. There are two paths to access this setting:
Path A: From the Organization Portal
- Log into the affected VCF Automation Organization Portal.
- Navigate to Administer > Connections > Identity Providers.
- Select the OIDC tab.
- Click EDIT for your existing Okta OIDC provider configuration.
- Click Next until you reach the Scopes section.
- In the Scopes field, add
groupsto the list. Scopes are space-delimited (e.g.,openid email profile groups). - In the Claims Mapping section, verify that the Groups claim is mapped to the corresponding attribute from Okta (typically
groups). - Click Save to apply the changes.
Path B: From the Provider Management Portal
- Log into the VCF Automation Provider Portal.
- Navigate to Organizations and select the affected organization.
- Click Launch Organization Portal.
- From this point, follow steps 2 through 8 from Path A above to edit the OIDC provider and add the
groupsscope.
After saving the updated configuration, users belonging to the appropriate Okta groups should be able to log in to VCF Automation successfully.
Feedback
