Setting up SSO with Okta in VCF5.1

2023-11

0. Pre-Req

Okta requirements

vCenter Server and Other Requirements

1. Configuring SCIM 2.0 Application in Okta

1.1 Create the SCIM 2.0 Test App (OAuth Bearer Token) Application

Untitled

Browse the app catalog for SCIM 2.0 Test App (OAuth Bearer Token), and click Add Integration.

Untitled

Use the following settings when creating the SCIM 2.0 application:
- Enter an appropriate name for the SCIM 2.0 application
- In the General settings · Required page, leave Automatically log in when user lands on login page checked.
- In the Sign-on Options page:
  - For Sign-on methods, leave SAML 2.0 checked.
  - For Credential Details:
    - Application username format: Select AD SAM Account name.
    <aside> 💡 Please note that, as of now, the supported format for Application username is solely the AD SAM account name.
    
    </aside>
    - Update application username on: Leave Create and update selected.
    - Password reveal: Leave Allow users to securely see their password selected.

Untitled

<aside> 💡 Please note that we can only continue the following configuration in Section 1.2 and 1.3 until we have completed all configurations in section 3.

</aside>

1.2 SCIM 2.0 API Integration

Assign users and groups to the SCIM 2.0 application to push from your Active Directory to vCenter Server:
1. In the Okta SCIM 2.0 application, under Provisioning, click Configure API integration.
2. Check the Enable API integration checkbox.
3. Enter the SCIM 2.0 Base Url and OAuth Bearer Token.
  
  SDDC Manager calls the SCIM 2.0 Base Url the "Tenant URL," and the OAuth Bearer Token the "Secret Token."

Because my vCenter is an internal system, I uses an Internet accessible HAProxy as reverse proxy to forward the SCIM user provisioning requests from Okta to vCenter. The HAProxy’s domain name is haproxy01.davidwzhang.cloud so I have changed the original base URL to the following.

<https://haproxy01.davidwzhang.cloud/usergroup/t/CUSTOMER/scim/v2>