Configuring Azure Active Directory as a SAML Identity Provider


Warning: VMware Enterprise PKS v1.6 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic explains how to configure single sign-on (SSO) between Azure Active Directory (Azure AD) and VMware Enterprise PKS.


To configure Azure AD to designate Enterprise PKS as a service provider, you must have an Azure AD Global Administrator account.

Configure SAML in Azure AD

To configure Azure AD as a SAML identity provider for Enterprise PKS, do the following:

  1. Log in to Azure AD as a Global Administrator.

  2. Navigate to Azure Active Directory.

  3. Under Create, click Enterprise application.

    (Image: Enterprise application button)

  4. Under Add your own app, select Non-gallery application. Enter a Name and click Add.

  5. Navigate to Azure Active Directory > Enterprise applications.

    (Image: Enterprise applications tab)

  6. Click your app and then click Single sign-on.

    (Image: Single sign-on tab)

  7. Under Select a single sign-on method, select SAML.

    (Image: Single sign-on pane)

  8. Under Set up Single Sign-On with SAML, click the pencil icon for Basic SAML Configuration.

    (Image: Basic SAML Configuration button)

  9. Configure the following fields:

    Field                    Instructions
    Identifier (Entity ID)   Enter PKS-API:8443.
                             For example:
    Reply URL                Enter https://PKS-API:8443/saml/SSO/alias/PKS-API:8443.
                             For example:
    Sign on URL              Enter https://PKS-API:8443/saml/SSO/alias/PKS-API:8443.
                             For example:

    Note: Pivotal recommends that you use the default settings for the fields that are not referenced in the above table.

  10. Click the pencil icon for User Attributes & Claims.

    (Image: Basic SAML Configuration button)

  11. Configure your user attributes and claims by doing the procedures in How to: Customize claims issued in the SAML token for enterprise applications in the Microsoft Azure documentation. By default, Enterprise PKS uses the EmailAddress name identifier format.

  12. Configure your group attributes and claims by doing the procedures in the Configure group claims for SAML applications using SSO configuration section of Configure group claims for applications with Azure Active Directory (Public Preview) in the Microsoft Azure documentation.

  13. Under SAML Signing Certificate, copy and save the link address for App Federation Metadata Url or download Federation Metadata XML. You use the Azure AD metadata to configure SAML in the Enterprise PKS tile. For more information, see Connecting Enterprise PKS to a SAML Identity Provider.

    (Image: SAML Signing Certificate pane)
