Okta Classic Engine · Integrations · Answered · 2024-05-09T13:19:26Z · 2021-03-12T13:18:12Z · 2021-08-16T15:35:43Z

1almx (1almx) asked a question.

LDAPS with VMware vCenter (VMware on AWS)

Hello.

My company is using OKTA. We have our base of users.

We would like to integrate this with the VMware vCenter component to use those users to log in to this VMware component.

We wanted to use the LDAPS functionality for this.

I received from my internal support some LDAP parameters to connect this OKTA service to the public (whitelisted only for the OKTA service) vCenter, but we have problems with the connections.

Should that kind of connectivity work, or has it been tested by OKTA?


  • RossA.60666 (Customer)

    I will add my two cents here, FWIW. We are facing the same issue - we want to point vCenter to the Okta interface. The identity source has been set up and we can enumerate users from Okta; however, we cannot actually log in to the vCenter web GUI. I can even see in the logs that the request is coming to Okta and being allowed by the new authentication/sign-on policy, but it fails on the vCenter side.

    As I have found with a couple of others on the internet, the issue seems to be that the full Okta username is not being sent to Okta. vCenter appears to evaluate the login request and then send only the non-domain-qualified username (e.g. samaccountname) to Okta. When the FQDN is used on the vCenter side, vCenter does not send the request to Okta; however, if I use xxx.okta.com\username, the request DOES get sent to Okta.

    The main issue may be the fact that the Okta domain does not match the actual user domain suffix; in other words, xxx.okta.com does not match user@domain.com. So, when logging into vCenter you either need to identify the Identity Source and then use the simple user name (i.e. xxx.okta.com\username), which does not work because Okta will not match the username, OR put in the FQDN for the user (i.e. username@domain.com), which also does not work because then the request doesn't get sent to Okta at all, since the Okta domain doesn't match the user's domain. It would be ideal if we could enter xxx.okta.com\username@domain.com into vCenter, but that format is not supported.

    Any other thoughts? Ultimately, we want this functionality in order to use Okta MFA for vCenter, which I think is something most Okta users will need in the future.
  • MicahH.17333 (Customer)

    After a support case with both Okta and VMware I finally got this working. The problem was that vCenter doesn't understand LDAP usernames where the username is an email (has an @ sign in it).

    I went into the Okta Profile Editor and modified the Okta Username (`login`) and removed the Format Restriction that required it to be an email. (Beware, this could break any other integration you might have with Okta.) After that, users could go to the vCenter web UI and enter "<okta-username>@<vcenter-ldap-integration-domain-field>" or "<vcenter-ldap-integration-domain-field>/<okta-username>".
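The two replies above describe a routing rule (vCenter forwards the bare username only when the domain part of the login matches the identity source) and a matching rule (Okta's LDAP interface compares that bare name against the user's `login` attribute, which by default must be an email). The following Python script is an added illustration of that interaction; it is not code from the thread, from Okta or from VMware. The split/route behaviour is a model inferred from the posts, and the identity source `acme.okta.com`, the user `jdoe` and the domain `acme.example` are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentitySource:
    """A vCenter LDAP identity source: the domain it is registered under plus
    any alias it also answers for (constructed for this example)."""
    domain: str
    aliases: tuple = ()

    def answers_for(self, name: str) -> bool:
        return name.lower() in {n.lower() for n in (self.domain, *self.aliases)}


def split_login(login: str):
    """Split a vCenter login string into (domain, username).

    Forms taken from the thread: 'DOMAIN\\user', 'DOMAIN/user' and 'user@DOMAIN'.
    A string that mixes both ('DOMAIN\\user@other') is rejected, since the
    thread reports that vCenter does not support that format.
    """
    for sep in ("\\", "/"):
        if sep in login:
            domain, user = login.split(sep, 1)
            if "@" in user:
                raise ValueError(f"mixed form not supported: {login!r}")
            return domain, user
    if "@" in login:
        user, domain = login.rsplit("@", 1)
        return domain, user
    return None, login


def diagnose(login: str, okta_source: IdentitySource, okta_logins: set) -> dict:
    """Trace one login attempt: is the request routed to the Okta identity
    source at all, what bare username is forwarded, and would Okta's LDAP
    interface find a user whose `login` attribute equals that name?

    Assumption (a model built from the posts, not vCenter's own logic): vCenter
    only forwards to an identity source whose domain/alias matches the domain
    part of the login, and it forwards the username part without the domain.
    """
    try:
        domain, user = split_login(login)
    except ValueError as err:
        return {"sent_to_okta": False, "forwarded": None, "accepted": False, "reason": str(err)}
    if domain is None or not okta_source.answers_for(domain):
        return {"sent_to_okta": False, "forwarded": None, "accepted": False,
                "reason": f"no identity source matches domain {domain!r}"}
    accepted = user.lower() in {name.lower() for name in okta_logins}
    reason = "Okta username matched" if accepted else f"no Okta user with login {user!r}"
    return {"sent_to_okta": True, "forwarded": user, "accepted": accepted, "reason": reason}


# Constructed sample data: one Okta identity source and one user, before and
# after the Okta Username format restriction is relaxed as in MicahH's fix.
OKTA_SOURCE = IdentitySource("acme.okta.com")
EMAIL_LOGINS = {"jdoe@acme.example"}   # default: Okta `login` must be an email
PLAIN_LOGINS = {"jdoe"}                # after removing the email format restriction

if __name__ == "__main__":
    cases = [
        (r"acme.okta.com\jdoe", EMAIL_LOGINS),               # RossA: reaches Okta, no match
        ("jdoe@acme.example", EMAIL_LOGINS),                 # RossA: never reaches Okta
        (r"acme.okta.com\jdoe@acme.example", EMAIL_LOGINS),  # unsupported mixed form
        ("jdoe@acme.okta.com", PLAIN_LOGINS),                # MicahH: works
        ("acme.okta.com/jdoe", PLAIN_LOGINS),                # MicahH: works
    ]
    for login, logins in cases:
        print(f"{login:40} -> {diagnose(login, OKTA_SOURCE, logins)}")
```

Running the script walks through the five login forms discussed in the thread and shows at which of the two stages each one fails; the only cases that reach Okta and match are the ones where the domain part equals the identity source name and the Okta `login` attribute is the bare username, which is exactly the combination MicahH's change makes possible.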
This question is closed.