Error: "Unable to login because you do not have permission on any vCenter Server systems connected to this client" when logging in to the vCenter UI after configuring Okta as the Identity Provider in VCF 9.0.

Article ID: 432247

Updated On:

Products

VMware vCenter Server VCF Operations

Issue/Introduction

  • Logging into vCenter after configuring Okta as an Identity Provider (IdP) in VCF using SAML and Just-In-Time (JIT) provisioning fails with the following error message: "Unable to login because you do not have permission on any vCenter Server systems connected to this client".
  • The vCenter Server UI log confirms that the SAML token was retrieved successfully, yet the login was denied due to missing permissions.

    /var/log/vmware/vsphere-ui/vsphere_client_virgo.log

[YYYY-MM-DDThh:mm:ss] [INFO ] agw-token-acq101             70016673 ###### 200094 com.vmware.identity.token.impl.SamlTokenImpl                      SAML token for SubjectNameId [[email protected], format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[YYYY-MM-DDThh:mm:ss] [INFO ] agw-token-acq101             70016673 ###### 200094 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl           Successfully acquired token for user: {Name: user_name, Domain: domain.com}

[YYYY-MM-DDThh:mm:ss] [ERROR] linkedVcGroup-pool-27890     70016673 105279 200094 com.vmware.vise.util.concurrent.ExecutorUtil                      A task crashed: com.vmware.vise.vim.commons.vcservice.impl.LinkedVcGroupImpl$1@112788d1 java.util.concurrent.ExecutionException: (vim.fault.NoPermission) {
   faultCause = null,
   faultMessage = null,
   object = ManagedObjectReference: type = Folder, value = group-d1, serverGuid = ########-####-####-####-##########,
   privilegeId = System.View,
   missingPrivileges = (vim.fault.EntityPrivileges) [
      (vim.fault.EntityPrivileges) {
         dynamicType = null,
         dynamicProperty = null,
         entity = ManagedObjectReference: type = Folder, value = group-d1, serverGuid = ########-####-####-####-##########,
         privilegeIds = (STRING) [
            System.View
         ]
      }
   ]
}

Caused by: com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.

  • Login fails for users whose vCenter permissions are granted only through membership in the group.
  • Login works when the permission is assigned directly to the individual user account in vCenter, indicating that the group membership information is not being passed by Okta or is not being interpreted by vCenter SSO.

Environment

VMware Cloud Foundation 9.x

Cause

  • The Okta Identity Provider is not successfully passing the Group Claim in the SAML response. This is typically due to an incorrectly configured "Group Attribute Statement" in the Okta SAML application settings, where the filter (Regex) is incorrect.
  • VCF's vCenter SSO system relies on a specific SAML attribute (Group Claim) to identify the user's group memberships during the Just-In-Time (JIT) provisioning process. If this claim is absent or uses an attribute that is not recognized or populated by Okta, vCenter receives the user's token but does not receive the list of groups the user belongs to.
  • Without group membership data, vCenter cannot map the user to the pre-provisioned groups, resulting in the "No Permission" error.

Resolution

Engage Okta Support to review the following settings in the attribute statements of the Okta SAML application:

  • Group Attribute Statements: Ensure the "Name" field matches the "Group Attribute" configured in vCenter.
  • Filter Configuration: Set the filter to "Matches regex" and use a valid expression to ensure the relevant groups are included in the assertion.
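The added example below is not part of this article and is not VMware or Okta code. It turns the Cause and Resolution bullets into a small offline check: it builds a constructed, unsigned SAML 2.0 assertion, looks for the attribute whose Name matches the group attribute configured in vCenter, and reports whether that attribute is missing (Name mismatch) or present but empty (filter matches nothing), the two situations that leave vCenter with a token but no group list. It assumes the vCenter group attribute is named `groups`, and it models Okta's "Matches regex" filter as a full match of the pattern against each group name; both are assumptions of this example, not statements from the article.

```python
import re
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}
ET.register_namespace("saml2", SAML2_NS)


def build_assertion(group_attribute, groups, upn="user_name@domain.com"):
    """Build a constructed (unsigned) SAML 2.0 assertion with a UPN NameID and one
    attribute whose Name is group_attribute. Sample data only, not a real token."""
    assertion = ET.Element(f"{{{SAML2_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML2_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML2_NS}}}NameID",
                            Format="http://schemas.xmlsoap.org/claims/UPN")
    name_id.text = upn
    stmt = ET.SubElement(assertion, f"{{{SAML2_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML2_NS}}}Attribute", Name=group_attribute)
    for group in groups:
        ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue").text = group
    return ET.tostring(assertion, encoding="unicode")


def assertion_groups(assertion_xml, group_attribute):
    """Return the group values carried by the attribute named group_attribute:
    None when no such attribute exists, [] when it exists but carries no values."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == group_attribute:
            return [v.text for v in attr.findall("saml2:AttributeValue", NS) if v.text]
    return None


def diagnose(assertion_xml, vcenter_group_attribute):
    """Classify an assertion against the group attribute name configured in vCenter."""
    groups = assertion_groups(assertion_xml, vcenter_group_attribute)
    if groups is None:
        return ("missing: no attribute named %r in the assertion; "
                "check the Name of the Okta Group Attribute Statement" % vcenter_group_attribute)
    if not groups:
        return "empty: attribute present but carries no groups; check the Okta group filter regex"
    return "ok: " + ", ".join(groups)


def okta_regex_filter(okta_group_names, pattern):
    """Model of the 'Matches regex' group filter: keep only group names the pattern
    fully matches (anchored matching is an assumption of this model)."""
    regex = re.compile(pattern)
    return [g for g in okta_group_names if regex.fullmatch(g)]


if __name__ == "__main__":
    # Constructed Okta group names and a vCenter-side attribute name (assumed: "groups").
    okta_groups = ["vcenter-admins", "vcenter-readonly", "Everyone"]
    vcenter_attribute = "groups"

    # Working configuration: Name matches and the regex selects the vCenter groups.
    selected = okta_regex_filter(okta_groups, r"vcenter-.*")
    print(diagnose(build_assertion("groups", selected), vcenter_attribute))

    # Name mismatch: Okta emits "memberOf" while vCenter expects "groups".
    print(diagnose(build_assertion("memberOf", selected), vcenter_attribute))

    # Wrong regex: nothing matches, so the attribute is sent without any values.
    nothing = okta_regex_filter(okta_groups, r"vsphere-.*")
    print(diagnose(build_assertion("groups", nothing), vcenter_attribute))
```

To run this against a real login, base64-decode the `SAMLResponse` form parameter posted to vCenter and pass the `Assertion` element's XML to `diagnose` together with the group attribute name shown in the vCenter identity provider configuration; the three outcomes map directly onto the two configuration points the resolution asks Okta Support to review.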

Additional Information