Connecting Enterprise PKS to a SAML Identity Provider
Page last updated:
Warning: VMware Enterprise PKS v1.6 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This topic describes how to connect VMware Enterprise PKS to a SAML identity provider (IdP).
User Account and Authentication (UAA), the identity management service for Enterprise PKS, can authenticate users either through its internal user account store or external authentication mechanisms such as an LDAP server or a SAML IdP.
To enable an internal user account store for UAA, you select Internal UAA in the Enterprise PKS tile > UAA.
If you want to connect Enterprise PKS to a SAML IdP, you must integrate the UAA server with your SAML IdP by following the instructions in Integrate UAA with a SAML IdP below. This enables UAA to delegate authentication to your SAML IdP.
Before you configure a SAML IdP in the Enterprise PKS tile, you must configure your IdP to designate Enterprise PKS as a service provider (SP).
See the table below for information about industry-standard SAML IdPs and how to integrate them with Enterprise PKS:
|Solution Name||Integration Guide|
|Okta Single Sign-On||Configuring Okta as a SAML Identity Provider|
|Azure Active Directory||Configuring Azure Active Directory as a SAML Identity Provider|
To integrate UAA with a SAML IdP:
In Enterprise PKS > UAA, under Configure your UAA user account store with either internal or external authentication mechanisms, select SAML Identity Provider.
For Provider Name, enter a unique name you create for the IdP. This name can include only alphanumeric characters, +, _, and -. You must not change this name after deployment because all external users use it to link to the provider.
For Display Name, enter a display name for your provider. This display name appears as a link on your Pivotal login page, which you can access at
Retrieve the metadata from your IdP. You recorded your IdP metadata when you configured your IdP to designate Enterprise PKS as a SP. See Prerequisites above.
Enter your IdP metadata into either the Provider Metadata or the Provider Metadata URL fields:
- If your IdP exposes a metadata URL, enter it in Provider Metadata URL.
- If your IdP does not expose a metadata URL, paste the XML you retrieved into Provider Metadata.
Note: Pivotal recommends that you use the Provider Metadata URL rather than Provider Metadata because the metadata can change. You need to select only one of the above configurations. If you configure both, your IdP defaults to the (OR) Provider Metadata URL.
For Name ID Format, select the name identifier format for your SAML IdP. This translates to
usernamein Enterprise PKS. The default is
For First Name Attribute and Last Name Attribute, enter the attribute names in your SAML database that correspond to the first and last names in each user record. This field is case sensitive.
For Email Attribute, enter the attribute name in your SAML assertion that corresponds to the email address in each user record, for example,
EmailID. This field is case sensitive.
For External Groups Attribute, enter the attribute name in your SAML database for your user groups. This field is case sensitive. To map the groups from the SAML assertion to admin roles in PKS, see Grant Enterprise PKS Access to an External SAML Group in Managing Enterprise PKS Users with UAA.
By default, all SAML authentication requests from Enterprise PKS are signed. To change this, disable Sign Authentication Requests and configure your IdP to verify SAML authentication requests.
To validate the signature for the incoming SAML assertions, enable Required Signed Assertions and configure your IdP to send signed SAML assertions.
For Signature Algorithm, choose an algorithm from the dropdown to use for signed requests and assertions. The default value is
- If you do not need to configure any other settings in the Enterprise PKS tile, return to the Ops Manager Installation Dashboard and click Review Pending Changes > Apply Changes.
- If you need to configure any other settings in the Enterprise PKS tile, return to the Installing Enterprise PKS topic for your IaaS and follow the instructions for the pane you want to configure:
For information about creating Enterprise PKS roles and managing Kubernetes cluster access, see:
Please send any feedback you have to firstname.lastname@example.org.