Configuring Azure Active Directory as a SAML Identity Provider

Note: As of v1.8, Enterprise PKS has been renamed to VMware Tanzu Kubernetes Grid Integrated Edition. Some screenshots in this documentation do not yet reflect the change.


This topic explains how to configure single sign-on (SSO) between Azure Active Directory (Azure AD) and VMware Tanzu Kubernetes Grid Integrated Edition.

Prerequisites

To configure Azure AD to designate Tanzu Kubernetes Grid Integrated Edition as a service provider, you must have an Azure AD Global Administrator account.

Configure SAML in Azure AD

To configure Azure AD as a SAML identity provider for Tanzu Kubernetes Grid Integrated Edition, do the following:

  1. Log in to Azure AD as a Global Administrator.

  2. Navigate to Azure Active Directory.

  3. Under Create, click Enterprise application.

    [Screenshot: Enterprise application button]

  4. Under Add your own app, select Non-gallery application. Enter a Name and click Add.

  5. Navigate to Azure Active Directory > Enterprise applications.

    [Screenshot: Enterprise applications tab]

  6. Click your app and then click Single sign-on.

    [Screenshot: Single sign-on tab]

  7. Under Select a single sign-on method, select SAML.

    [Screenshot: Single sign-on pane]

  8. Under Set up Single Sign-On with SAML, click the pencil icon for Basic SAML Configuration.

    [Screenshot: Basic SAML Configuration button]

  9. Configure the following fields:

    Field                   Instructions
    Identifier (Entity ID)  Enter TKGI-API:8443.
                            For example: api.tkgi.example.com:8443
    Reply URL               Enter https://TKGI-API:8443/saml/SSO/alias/TKGI-API:8443.
                            For example: https://api.tkgi.example.com:8443/saml/SSO/alias/api.tkgi.example.com:8443
    Sign on URL             Enter https://TKGI-API:8443/saml/SSO/alias/TKGI-API:8443.
                            For example: https://api.tkgi.example.com:8443/saml/SSO/alias/api.tkgi.example.com:8443

    Note: VMware recommends that you use the default settings for the fields that are not referenced in the above table.

  10. Click the pencil icon for User Attributes & Claims.

    [Screenshot: Basic SAML Configuration button]

  11. Configure your user attributes and claims by following the procedures in How to: Customize claims issued in the SAML token for enterprise applications in the Microsoft Azure documentation. By default, Tanzu Kubernetes Grid Integrated Edition uses the EmailAddress name identifier format.

  12. Configure your group attributes and claims by following the procedures in the Configure group claims for SAML applications using SSO configuration section of Configure group claims for applications with Azure Active Directory (Public Preview) in the Microsoft Azure documentation.

  13. Under SAML Signing Certificate, copy and save the link address for App Federation Metadata Url or download Federation Metadata XML. You use the Azure AD metadata to configure SAML in the Tanzu Kubernetes Grid Integrated Edition tile. For more information, see Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider.

    [Screenshot: SAML Signing Certificate pane]
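Before the metadata goes into the tile, it is worth confirming offline that it carries what the service provider will trust. The following is an added example, not part of the VMware documentation: it derives the step 9 values from the TKGI API hostname and inspects a constructed, trimmed copy of Azure AD federation metadata (the tenant ID and certificate are placeholders) for the IdP entity ID, signing certificate and SSO endpoints.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, trimmed to the elements checked below; tenant ID and certificate are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def tkgi_saml_settings(api_host: str, port: int = 8443) -> dict:
    """Values for step 9: the TKGI API host:port is the SP entity ID and the alias in both URLs."""
    sp_id = f"{api_host}:{port}"
    sso_url = f"https://{sp_id}/saml/SSO/alias/{sp_id}"
    return {"entity_id": sp_id, "reply_url": sso_url, "sign_on_url": sso_url}


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract what the SP relies on from IdP metadata and list anything that would break trust."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    # Only KeyDescriptors marked use="signing" (or with no use attribute) validate SAML responses.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    endpoints = {svc.get("Binding", "").rsplit(":", 1)[-1]: svc.get("Location", "")
                 for svc in idp.findall("md:SingleSignOnService", NS)}
    problems = []
    if not root.get("entityID", "").startswith("https://"):
        problems.append("entityID missing or not https")
    if not certs:
        problems.append("no signing certificate: responses cannot be verified")
    if not (set(endpoints) & {"HTTP-Redirect", "HTTP-POST"}):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    problems += [f"{b} endpoint is not https" for b, loc in endpoints.items()
                 if not loc.startswith("https://")]
    return {"entity_id": root.get("entityID"), "signing_certs": len(certs),
            "sso_endpoints": endpoints, "problems": problems}
```

Run `inspect_idp_metadata` on the downloaded Federation Metadata XML; an empty `problems` list and at least one signing certificate is what you want to see before continuing in the tile.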
