Okta has been registered as an external identity provider for the Supervisor, and permissions have been granted on a vSphere Namespace by adding an AD group (as configured in Okta) through Workload Management in the vCenter UI.
After running 'tanzu login' and then 'tanzu cluster list --namespace <namespace>', the following error is observed.
Tanzu login command as below (note that --insecure-skip-tls-verify disables certificate verification of the Supervisor endpoint and should only be used while troubleshooting):
tanzu login --endpoint https://##.###.###.### --insecure-skip-tls-verify --name <context-name>
Then list the clusters in the namespace:
tanzu cluster list --namespace <namespace>
When the permission on the namespace is granted to the group (rather than to the individual user), the following error is displayed:
Error: unable to retrieve combined cluster info: unable to get list of clusters: failed to list *v1beta1.ClusterList: clusters.cluster.x-k8s.io is forbidden: User "[email protected]" cannot list resource "clusters" in API group "cluster.x-k8s.io" in the namespace "<namespace>"
Cause Identification
vCenter - 8U3g build-24853646
ESXi - VMware ESXi 8U3g build-24859861
VKS Version VKS 3.3.3-embedded
Supervisor - v1.30.10+vmware.1-fips
The group was not being returned by Okta because 'groups' had not been added to the Additional Scopes of the identity provider (vCenter UI, Supervisor > Configure > Identity Providers). Without that scope the ID token carries no groups claim, so the Supervisor has nothing to map to the namespace permission. The required setting is:
Additional Scopes : groups, email
The wcpauthproxy logs showed the following:
2026-04-02T##:##:##.##########Z stderr F 2026/04/02 ##:##:## Request header is modified with X-Remote-User <[email protected]> and X-Remote-Group  for URL /version?timeout=32s from 127.0.0.1:51672
2026-04-02T##:##:##.##########Z stderr F 2026/04/02 ##:##:## Request header is modified with X-Remote-User <[email protected]> and X-Remote-Group  for URL /apis/cluster.x-k8s.io/v1beta1 from <localhost>:#####
Note - 'X-Remote-Group  for URL' has two spaces between 'X-Remote-Group' and 'for': the group value forwarded to the API server is empty, which shows that no group was received from Okta.
This was confirmed by inspecting the Pinniped CLI cache in ~/.config/pinniped/ on Linux/macOS (credentials.yaml and sessions.yaml; the equivalent path is under AppData on Windows). The customer's sessions.yaml held the cached ID token claims, and the groups claim was empty:
id:
  claims:
    at_hash: ...
    aud:
    - pinniped-cli
    auth_time: ##########
    azp: pinniped-cli
    exp: ...
    groups: []
    iat: ##########
    iss: https://##.###.###.###/wcp/pinniped
    jti: ...
    nonce: ...
    rat: ...
    sub: https://...
    username: <[email protected]>
  expiryTimestamp: "2026-03-23T##:##:##Z"
Note - groups: is an empty list ([]); no group claim was cached from the Okta ID token.
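The two artefacts above (the wcpauthproxy log lines with an empty X-Remote-Group and the cached session with groups: []) can be checked mechanically. The script below is an added example and is not part of the KB article or of any VMware tooling. It parses constructed wcpauthproxy lines modelled on the excerpt above, reads the groups claim out of a sessions.yaml with a small line-based reader (no PyYAML needed), and reports findings. The populated log form 'X-Remote-Group <g1,g2> for URL' is an assumption about what the proxy prints when a group claim is present; the empty form is the one shown in the article. All sample data, hostnames and group names are constructed.

```python
"""Added example: detect a missing group claim from wcpauthproxy logs and the
Pinniped session cache. Not VMware code; sample data below is constructed."""
import re

# One "Request header is modified" line per proxied request. When no group was
# received, the text between 'X-Remote-Group' and 'for URL' is empty and the two
# separating spaces run together (the tell-tale noted in the article).
LOG_RE = re.compile(
    r"X-Remote-User <(?P<user>[^>]*)> and X-Remote-Group\s+(?P<groups>.*?)\s+for URL (?P<url>\S+)"
)


def parse_wcpauthproxy(log_text: str) -> list:
    """Return one dict per matching line: user, groups (list, may be empty), url."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # Assumed populated form: '<group1,group2>'; strip the brackets and split.
        raw = m.group("groups").strip().strip("<>")
        groups = [g.strip() for g in raw.split(",") if g.strip()]
        records.append({"user": m.group("user"), "groups": groups, "url": m.group("url")})
    return records


def session_groups(session_yaml: str) -> list:
    """Return the list under the 'groups:' claim of a Pinniped sessions.yaml.

    Handles the flow form ('groups: []' / 'groups: [a, b]') and the block form
    ('groups:' followed by '- item' lines). Minimal reader, not a YAML parser.
    """
    lines = session_yaml.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)groups:\s*(.*)$", line)
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest.startswith("["):
            return [g.strip().strip("\"'") for g in rest.strip("[]").split(",") if g.strip()]
        groups = []
        for nxt in lines[i + 1:]:  # block list items sit at the key's indent or deeper
            item = re.match(r"^(\s*)-\s*(.+)$", nxt)
            if not item or len(item.group(1)) < indent:
                break
            groups.append(item.group(2).strip().strip("\"'"))
        return groups
    raise ValueError("no 'groups' claim found in session data")


def diagnose(log_text: str, session_yaml: str) -> list:
    """Run both checks; an empty list means the group claim is flowing end to end."""
    findings = []
    for r in parse_wcpauthproxy(log_text):
        if not r["groups"]:
            findings.append(f"wcpauthproxy forwarded an empty X-Remote-Group for {r['user']} on {r['url']}")
    if not session_groups(session_yaml):
        findings.append("cached ID token has groups: [] (is 'groups' in the IdP's Additional Scopes?)")
    return findings


# Constructed samples modelled on the article's excerpts (placeholder times/IPs).
BAD_LOG = (
    "2026-04-02T10:00:00.000000000Z stderr F 2026/04/02 10:00:00 Request header is modified with "
    "X-Remote-User <[email protected]> and X-Remote-Group  for URL /version?timeout=32s from 127.0.0.1:51672\n"
    "2026-04-02T10:00:00.000000000Z stderr F 2026/04/02 10:00:00 Request header is modified with "
    "X-Remote-User <[email protected]> and X-Remote-Group  for URL /apis/cluster.x-k8s.io/v1beta1 from 127.0.0.1:51673\n"
)
GOOD_LOG = (
    "2026-04-02T10:05:00.000000000Z stderr F 2026/04/02 10:05:00 Request header is modified with "
    "X-Remote-User <[email protected]> and X-Remote-Group <vks-admins,platform-team> for URL /apis/cluster.x-k8s.io/v1beta1 from 127.0.0.1:51680\n"
)
BAD_SESSION = """sessions:
- tokens:
    id:
      claims:
        aud:
        - pinniped-cli
        groups: []
        iss: https://supervisor.example.internal/wcp/pinniped
        username: [email protected]
      expiryTimestamp: "2026-03-23T12:00:00Z"
"""
GOOD_SESSION = BAD_SESSION.replace("groups: []", "groups:\n        - vks-admins\n        - platform-team")

if __name__ == "__main__":
    for finding in diagnose(BAD_LOG, BAD_SESSION):
        print(finding)
```

To use it against a real system, feed it the wcpauthproxy container log and the contents of ~/.config/pinniped/sessions.yaml after a fresh 'tanzu login'. Once the groups claim is present, the namespace permission can be confirmed from the same session with 'kubectl auth can-i list clusters.cluster.x-k8s.io -n <namespace>'.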
Review each of the following documents to confirm the configuration matches them:
Configure an External Identity Provider for VKS Clusters
Register an External Identity Provider with Supervisor
Configure vSphere Namespace Permissions for External Identity Provider Users and Groups
For group-based permissions to work, Additional Scopes must include groups.
Additional Settings
Additional Scopes must include 'groups' (alongside 'email'). Without that scope Okta does not include a groups claim in the ID token, the Supervisor's auth proxy forwards an empty X-Remote-Group, and the RBAC bindings created for groups added under Workload Management in vCenter never match the request, so the user is denied even though the group has permissions on the namespace. After adding the scope, run 'tanzu login' again so that a new ID token is issued: the session cached in sessions.yaml keeps the old token with groups: [] until it is replaced. If groups is still empty after a fresh login, confirm that the Okta application itself is configured to include a groups claim in the ID token.