Configuring Okta as a SAML Identity Provider

Page last updated:

Warning: VMware Enterprise PKS v1.6 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic explains how to configure single sign-on (SSO) between Okta and VMware Enterprise PKS.


To configure Okta to designate Enterprise PKS as a service provider, you must have the following:

  • An Okta Single-Sign On admin account
  • An app with SAML 2.0 enabled in Okta

Configure SAML in Okta

To configure Okta as a SAML identity provider for Enterprise PKS, do the following:

  1. Log in to Okta as an admin.

  2. Navigate to your app and click Sign On.

  3. Under Settings, click Edit, and select SAML 2.0.

  4. Click the General tab.

  5. Under SAML Settings, click the Edit button followed by the Next button.

  6. Configure the fields as follows:

    Field Instructions
    Single sign on URL Enter https://PKS-API:8443/saml/SSO/alias/PKS-API:8443.
    For example:
    Use this for Recipient URL and Destination URL Ensure this checkbox is enabled.
    Audience URI (SP Entity ID) Enter PKS-API:8443.
    For example:
    Name ID format Select a name identifier format. By default, Enterprise PKS uses EmailAddress.
    Attribute Statements Enter any attribute statements that you want to map to users in the ID token.
    In Enterprise PKS you can define first name, last name, and email attributes.
    Group Attribute Statements Enter any group attribute statements that you want to map to users in the ID token. In Okta, these are groups that users belong to. You can use filters to define which groups are passed to Enterprise PKS.

    Note: Pivotal recommends using the default settings for the fields that are not referenced in the above table.

  7. Click the Next button followed by the Finish button.

  8. (Optional) If you want to enable multi-factor authentication (MFA), you can add a SSO policy rule to your app. To enable MFA, do the procedure in Add Sign On policies for applications in the Okta documentation.

  9. Click Identity Provider metadata to download the metadata, or copy and save the link address of the Identity Provider metadata.

  10. Use the Okta metadata you retrieved in the above step to configure SAML in the Enterprise PKS tile. See Connecting Enterprise PKS to a SAML Identity Provider.

Please send any feedback you have to