Configuring Okta as an Identity Provider

Note: Pivotal Platform is now part of VMware Tanzu. In v1.12 and later, Pivotal Single Sign‑On is named Single Sign‑On for VMware Tanzu.

This topic describes how to set up Okta as your identity provider by configuring SAML integration in both Single Sign‑On for VMware Tanzu and Okta.

Set up SAML in Single Sign‑On

  1. Log into the SSO Operator Dashboard at https://p-identity.YOUR-SYSTEM-DOMAIN using your User Account and Authentication (UAA) administrator credentials. In Ops Manager, the Domains settings of your VMware Tanzu Application Service for VMs tile show your system domain, and the Credentials tab shows the UAA Admin Credentials.

  2. Select your plan and click Manage Identity Providers on the drop-down menu.

  3. Click Configure SAML Service Provider.

  4. (Optional) Select Perform signed authentication requests so that Single Sign‑On signs the SAML authentication requests it sends with its own private key, which lets the identity provider validate that each request came from your service provider.

  5. (Optional) Select Require signed assertions so that Single Sign‑On accepts only responses whose assertions the identity provider has signed, which lets it validate the origin and integrity of each assertion.

  6. Click Download Metadata to download the service provider metadata.

  7. Click Save.

  8. Open the downloaded service provider metadata file. You will refer to this file in the next step, when you fill in the SAML settings in Okta.

Set Up SAML in Okta

  1. Sign in as an Okta administrator.

  2. Navigate to your app and click the Sign On tab.

  3. Under Settings, click Edit, and select SAML 2.0.

  4. Click the General tab.

  5. Under SAML Settings, click the Edit button followed by the Next button.

  6. In the SAML Settings section:

    1. Enter the AssertionConsumerService Location URL from your downloaded service provider metadata into Single sign on URL.
      For example, https://PORTAL-FQDN/saml/SSO/alias/PORTAL-FQDN, where PORTAL-FQDN is the fully qualified domain name (FQDN) of your login portal. The portal FQDN uses the format AUTH-DOMAIN.login.SYSTEM-DOMAIN. To view the portal FQDN for a plan, log into the SSO Operator Dashboard, click the name of your plan, and select Edit Plan.
    2. Enter the FQDN of your login portal into Audience URI (SP Entity ID). This is the entityID value in the downloaded service provider metadata.
    3. Select a Name ID format.
    4. Select an Application username.
  7. (Optional) To configure single logout:

    1. Click Show Advanced Settings.
    2. For Enable Single Logout, select Allow application to initiate single logout.
    3. Enter the SingleLogoutService Location URL from your downloaded service provider metadata into Single Logout URL.
    4. Enter your Auth Domain URL into SP Issuer.
    5. Click Upload Signature Certificate and upload the service provider's signing certificate. The downloaded service provider metadata carries it only as the bare base64 value of the X509Certificate element, so copy that value into a text file between a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line (PEM format) before uploading it.
  8. (Optional) Under Attribute Statements (Optional), specify any attribute statements that you want to map to users in the ID token.

  9. (Optional) Under Group Attribute Statements (Optional), specify any group attribute statements that you want to map to users in the ID token. These are the Okta groups the user belongs to.

  10. Click the Next button followed by the Finish button.

  11. Click Identity Provider metadata to download the metadata, or copy and save the link address of the Identity Provider metadata. You will need this Okta metadata for the next step, Configure a Single Sign‑On Service Provider.
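The Okta form fields in steps 6 and 7 are all filled from the service provider metadata downloaded in the previous section. The script below is an added example, not code from Single Sign‑On for VMware Tanzu or Okta: it parses that metadata, prints the Single sign on URL, Audience URI and Single Logout URL values, reformats the X509Certificate element into the PEM file that Upload Signature Certificate expects, and cross-checks that the AssertionConsumerService host matches the entityID (a mismatch usually means the wrong plan's metadata was downloaded). It also reports the SPSSODescriptor's AuthnRequestsSigned and WantAssertionsSigned attributes, which is where a standard SAML service provider advertises the two optional signing settings from the previous section (an assumption about how Single Sign‑On generates its metadata). The embedded metadata is constructed to mirror the downloaded file's layout; auth.login.example.com is a placeholder portal FQDN and the certificate bytes are placeholder data, not a real certificate.

```python
"""Hypothetical helper (added example, not Single Sign-On or Okta code):
read downloaded SP metadata and produce the values Okta's SAML Settings
form asks for, plus a PEM file for Upload Signature Certificate."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder: NOT a real DER certificate, it only stands in
# for the base64 blob that sits inside <ds:X509Certificate>.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate. " * 4
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")

# Constructed sample metadata mirroring the downloaded file's structure;
# auth.login.example.com is a placeholder portal FQDN.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="auth.login.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>{PLACEHOLDER_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.login.example.com/saml/SingleLogout/alias/auth.login.example.com"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://auth.login.example.com/saml/SSO/alias/auth.login.example.com"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the fields Okta's SAML Settings form asks for."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    # Prefer the default ACS endpoint; fall back to the first one listed.
    acs = sp.find("md:AssertionConsumerService[@isDefault='true']", NS)
    if acs is None:
        acs = sp.find("md:AssertionConsumerService", NS)
    slo = sp.find("md:SingleLogoutService", NS)
    # Prefer the signing key; a KeyDescriptor without 'use' covers both uses.
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if acs is None or cert is None or not cert.text:
        raise ValueError("metadata lacks an AssertionConsumerService or signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "signing_cert_b64": "".join(cert.text.split()),  # drop any line breaks
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def to_pem(cert_b64: str) -> str:
    """Wrap bare base64 in PEM armour, folded to 64 characters per line."""
    body = "".join(cert_b64.split())
    base64.b64decode(body, validate=True)  # binascii.Error (a ValueError) on garbage
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def acs_host_matches_entity_id(values: dict) -> bool:
    """The entity ID is the portal FQDN, so the ACS URL must be on that host."""
    return urlparse(values["acs_url"]).hostname == values["entity_id"]


def okta_form_values(values: dict) -> dict:
    """Map parsed metadata onto the Okta field names used in the steps above."""
    return {
        "Single sign on URL": values["acs_url"],
        "Audience URI (SP Entity ID)": values["entity_id"],
        "Single Logout URL": values["slo_url"],
    }


if __name__ == "__main__":
    v = parse_sp_metadata(SAMPLE_SP_METADATA)
    for field, value in okta_form_values(v).items():
        print(f"{field}: {value}")
    print(f"AuthnRequestsSigned={v['authn_requests_signed']} "
          f"WantAssertionsSigned={v['want_assertions_signed']}")
    if not acs_host_matches_entity_id(v):
        print("WARNING: ACS URL host differs from entityID; check which plan's metadata you downloaded")
    with open("sso-sp-signing.pem", "w") as f:   # the file to give Upload Signature Certificate
        f.write(to_pem(v["signing_cert_b64"]))
```

Run it against the real file by replacing SAMPLE_SP_METADATA with the contents of the downloaded metadata. The base64 is decoded before the PEM file is written so a copy-and-paste error surfaces here rather than as an opaque upload failure in Okta, and the body is folded at 64 characters because some PEM parsers reject a single long line.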