Okta vCenter OIDC SSO Configuration Error
Overview
An error occurs when setting up an OpenID Connect (OIDC) Single Sign-On (SSO) connection with vSphere vCenter due to a misconfigured OpenID configuration URL. To resolve this issue, configure the correct OpenID Metadata URL for the Okta organization in vSphere vCenter.
Could not create indirect identity provider: Failed to create identity provider with IDP name Okta
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- vSphere vCenter
- Single Sign-On (SSO)
- OpenID Connect (OIDC)
Cause
A misconfiguration of the well-known OpenID configuration URL value in the vSphere vCenter Identity Provider settings causes this error.
Solution
How is the vCenter OIDC SSO configuration error resolved?
For this specific OIDC SSO integration, the Service Provider requests the well-known OpenID configuration URL for Okta. Configure the correct well-known OpenID configuration URL for the selected authorization server by selecting one of the provided options.
- Using the Org Authorization Server:
  https://<okta_domain>/.well-known/openid-configuration
- Using a Custom Authorization Server:
  https://<okta_domain>/oauth2/<authorization_server_id>/.well-known/openid-configuration
What additional details are required to ensure a successful OIDC SSO connection to vSphere vCenter?
Ensure a successful OIDC SSO connection to vSphere vCenter by verifying the required application settings in Okta.
- Confirm that a Native OIDC application exists in Okta.
- Ensure that the Authorization Code, Refresh Token, and Resource Owner Password grant types are enabled for the OIDC Native application.
- Disable Proof Key for Code Exchange (PKCE).
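As an added example (not part of this article or of Okta's or VMware's own tooling), the following Python builds the metadata URL for both authorization server options above and checks a discovery document against it: the issuer must match the URL vCenter was given, the endpoints must live on the Okta host, and the grant types the Native application needs must be advertised. The Okta domain, authorization server ID and discovery document are constructed placeholders.

```python
"""Build the Okta well-known OpenID configuration URL that vSphere vCenter
requests and sanity-check a discovery document against it.  The sample
domain, authorization server ID and document below are constructed, not
fetched from a live Okta org."""
import json
from urllib.parse import urlparse

# Grant types the Native OIDC application must have enabled for vCenter.
REQUIRED_GRANT_TYPES = {"authorization_code", "refresh_token", "password"}
WELL_KNOWN = "/.well-known/openid-configuration"


def well_known_url(okta_domain, authorization_server_id=""):
    """Org Authorization Server when no ID is given, Custom Authorization Server otherwise."""
    if authorization_server_id:
        return f"https://{okta_domain}/oauth2/{authorization_server_id}{WELL_KNOWN}"
    return f"https://{okta_domain}{WELL_KNOWN}"


def check_discovery(metadata_url, discovery_json):
    """Return the list of problems found; empty means the document is consistent
    with the metadata URL and advertises every grant type vCenter relies on."""
    doc = json.loads(discovery_json)
    problems = []
    # The issuer is the metadata URL with the well-known suffix removed.
    expected_issuer = metadata_url[: -len(WELL_KNOWN)]
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    issuer_host = urlparse(expected_issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        parsed = urlparse(doc.get(key, ""))
        if parsed.scheme != "https" or parsed.netloc != issuer_host:
            problems.append(f"{key} missing or not on {issuer_host}: {doc.get(key)!r}")
    missing = REQUIRED_GRANT_TYPES - set(doc.get("grant_types_supported", []))
    if missing:
        problems.append(f"grant types not advertised: {sorted(missing)}")
    return problems


# Constructed sample: a custom authorization server on a placeholder Okta domain.
SAMPLE_URL = well_known_url("example.okta.com", "aus1example")
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com/oauth2/aus1example",
    "authorization_endpoint": "https://example.okta.com/oauth2/aus1example/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/aus1example/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/aus1example/v1/keys",
    "grant_types_supported": ["authorization_code", "refresh_token", "password"],
})

if __name__ == "__main__":
    print(SAMPLE_URL)
    print(check_discovery(SAMPLE_URL, SAMPLE_DISCOVERY) or "discovery document OK")
```

Pointing the Org Authorization Server URL at a document issued by a custom server (or the reverse) is reported as an issuer mismatch, which is the shape of misconfiguration behind the error above.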
