Configuring Okta as a SAML Identity Provider

Note: As of v1.8, Enterprise PKS has been renamed to VMware Tanzu Kubernetes Grid Integrated Edition. Some screenshots in this documentation do not yet reflect the change.

This topic explains how to configure single sign-on (SSO) between Okta and VMware Tanzu Kubernetes Grid Integrated Edition.

Prerequisites

To configure Okta to designate Tanzu Kubernetes Grid Integrated Edition as a service provider, you must have the following:

  • An Okta Single-Sign On admin account
  • An app with SAML 2.0 enabled in Okta

Configure SAML in Okta

To configure Okta as a SAML identity provider for Tanzu Kubernetes Grid Integrated Edition, do the following:

  1. Log in to Okta as an admin.

  2. Navigate to your app and click Sign On.

  3. Under Settings, click Edit, and select SAML 2.0.

  4. Click the General tab.

  5. Under SAML Settings, click the Edit button followed by the Next button.

  6. Configure the fields as follows:

      • Single sign on URL: Enter https://TKGI-API:8443/saml/SSO/alias/TKGI-API:8443.
        For example: https://api.tkgi.example.com:8443/saml/SSO/alias/api.tkgi.example.com:8443
      • Use this for Recipient URL and Destination URL: Ensure this checkbox is enabled.
      • Audience URI (SP Entity ID): Enter TKGI-API:8443.
        For example: api.tkgi.example.com:8443
      • Name ID format: Select a name identifier format. By default, Tanzu Kubernetes Grid Integrated Edition uses EmailAddress.
      • Attribute Statements: Enter any attribute statements that you want to map to users in the ID token.
        In Tanzu Kubernetes Grid Integrated Edition you can define first name, last name, and email attributes.
      • Group Attribute Statements: Enter any group attribute statements that you want to map to users in the ID token. In Okta, these are the groups that users belong to. You can use filters to define which groups are passed to Tanzu Kubernetes Grid Integrated Edition.

    Note: VMware recommends using the default settings for the fields that are not listed above.

  7. Click the Next button followed by the Finish button.

  8. (Optional) If you want to enable multi-factor authentication (MFA), you can add an SSO policy rule to your app. To enable MFA, follow the procedure in Add Sign On policies for applications in the Okta documentation.

  9. Click Identity Provider metadata to download the metadata, or copy and save the link address of the Identity Provider metadata.

  10. Use the Okta metadata you retrieved in the above step to configure SAML in the Tanzu Kubernetes Grid Integrated Edition tile. See Connecting Tanzu Kubernetes Grid Integrated Edition to a SAML Identity Provider.


Please send any feedback you have to pks-feedback@pivotal.io.