We did a NAT (with a security policy). I didn't want to expose the vCenter to the entire web, so I only allowed traffic from Okta's US pool of IPs.
Palo Alto has some really useful hosted dynamic lists that I used to target just Okta's US pool:
Original Message:
Sent: May 20, 2024 03:09 PM
From: anothervsphereu
Subject: Okta as IDP failing
Glad I could help. Out of curiosity, how did you expose your vCenter to Okta? We tried doing a NAT and that didn't work. Ultimately, we used Azure Application Proxy.
Original Message:
Sent: May 20, 2024 01:42 PM
From: Max Schmitt
Subject: Okta as IDP failing
THANK YOU! That new URL got me over the hump and I was able to get the integration working after a bit more troubleshooting (had to get a trusted certificate on the vCenter and expose it to Okta's servers as well).
I've got the user/group provisioning working in my environment as well. I had to strip out special characters from the display name field, but those were the only errors I was seeing during SCIM push.
Thanks again for the tip. I'm off and running now. Appreciate it!
Original Message:
Sent: May 20, 2024 08:25 AM
From: anothervsphereu
Subject: Okta as IDP failing
Yes, we figured it out. Our issue was the following:
The VMware documentation says the OpenID Address should be this: https://example.okta.com/oauth2/default/.well-known/openid-configuration
In our case, it needed to be this: https://example.okta.com/.well-known/openid-configuration
We had to open a case with Okta support to figure that out. Once we had that, the configuration completed successfully. We are still having some goofy issues with the SCIM app and how it provisions users; still working through those.
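The two discovery URLs above point at different Okta authorization servers, and each one publishes a different `issuer` value in its discovery document. A quick way to see which one you actually have before typing it into vCenter is to fetch the document and check it against the URL. The script below is an added example written for this thread, not code from VMware or Okta: it derives the issuer a discovery URL implies (everything before `/.well-known/openid-configuration`), verifies that the document's `issuer` and endpoints agree with it, and flags a mismatch. The two sample documents are constructed stand-ins so the checks run offline; `fetch_discovery` is the only part that touches the network and will also surface a certificate-trust failure (the other symptom in this thread) as an exception rather than a silent pass.

```python
"""Sanity-check an OpenID Connect discovery URL before handing it to vCenter.

Added example for the thread above; the sample documents are constructed
stand-ins for what an Okta org server and a custom authorization server
publish, not captured output.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# The two URLs from the thread (example.okta.com is the documentation placeholder).
ORG_DISCOVERY_URL = "https://example.okta.com" + WELL_KNOWN
DEFAULT_DISCOVERY_URL = "https://example.okta.com/oauth2/default" + WELL_KNOWN

# Constructed discovery documents, trimmed to the fields the checks below use.
ORG_DOCUMENT = {
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}
DEFAULT_DOCUMENT = {
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}


def expected_issuer(discovery_url: str) -> str:
    """Issuer implied by a discovery URL: the URL minus the well-known suffix."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError(f"not a discovery URL: {discovery_url}")
    return discovery_url[: -len(WELL_KNOWN)]


def check_discovery(discovery_url: str, document: dict) -> list:
    """Return a list of problems; an empty list means the document fits the URL."""
    problems = []
    url = urlparse(discovery_url)
    if url.scheme != "https":
        problems.append("discovery URL must use https")

    for key in REQUIRED_KEYS:
        if key not in document:
            problems.append(f"missing required field: {key}")

    # OpenID Discovery requires the published issuer to match the URL it was fetched from.
    issuer = document.get("issuer")
    if issuer and issuer != expected_issuer(discovery_url):
        problems.append(
            f"issuer mismatch: document says {issuer!r}, "
            f"URL implies {expected_issuer(discovery_url)!r}"
        )

    # Endpoints should stay on the same host and under the issuer prefix.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = document.get(key)
        if endpoint and urlparse(endpoint).netloc != url.netloc:
            problems.append(f"{key} points at a different host: {endpoint}")
        if endpoint and issuer and not endpoint.startswith(issuer + "/"):
            problems.append(f"{key} is outside the issuer prefix: {endpoint}")

    # A relying party that validates ID tokens with RS256 needs the server to offer it.
    algs = document.get("id_token_signing_alg_values_supported", [])
    if algs and "RS256" not in algs:
        problems.append("server does not advertise RS256 for ID token signing")
    return problems


def fetch_discovery(discovery_url: str) -> dict:
    """Fetch a live document with default certificate verification (not run offline)."""
    context = ssl.create_default_context()  # fails loudly if the chain is untrusted
    with urllib.request.urlopen(discovery_url, context=context, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Each document checked against its own URL, then cross-checked to show the mismatch.
    for url, doc in ((ORG_DISCOVERY_URL, ORG_DOCUMENT), (DEFAULT_DISCOVERY_URL, DEFAULT_DOCUMENT)):
        print(url, "->", check_discovery(url, doc) or "OK")
    print(DEFAULT_DISCOVERY_URL, "with org document ->", check_discovery(DEFAULT_DISCOVERY_URL, ORG_DOCUMENT))
```

Run it as-is to see the offline checks; to test a real tenant, replace the constructed document with `fetch_discovery(url)` and keep the URL you pass to `check_discovery` identical to the one you intend to paste into vCenter, so that any issuer disagreement shows up here instead of as an opaque "Could not create indirect identity provider" error.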
Original Message:
Sent: May 19, 2024 02:07 PM
From: mschmitt-nasuni
Subject: Okta as IDP failing
Were you able to figure this out? I'm in the same situation with the same error.
I think it's because the vCenter doesn't trust the certificate that the Okta endpoint is using, but I can't import the DigiCert Root CA to get it to trust the Okta endpoint.
Original Message:
Sent: Apr 02, 2024 07:29 PM
From: anothervsphereu
Subject: Okta as IDP failing
Has anyone successfully configured Okta as an IDP in vCenter 8u2? After walking through the documentation, it fails with the following error:
Could not create indirect identity provider: Failed to create identity provider with IDP name Okta for tenant customer
We have deleted everything on the Okta side 3 times and recreated it... it fails consistently with that error.
Does anyone know where the logs for this are stored on the VCSA?