
xppvn (xppvn) asked a question.
Hi all,
I am currently facing challenges with integrating my vCenter, which is not publicly accessible, with Okta. This limitation has prompted me to explore alternative solutions that do not require exposing my vCenter to the public.
One potential solution I have considered is the Okta Provisioning Agent (https://help.okta.com/en-us/content/topics/provisioning/opp/opp-main.htm?cshid=ext_OPP_configure). I have reviewed the deployment documentation available at Okta Provisioning Agent Documentation. However, I am unclear on whether this solution can facilitate integration with vCenter, or perhaps the documentation did not explicitly address this scenario.
Should the Okta on-premises agent prove unsuitable for this purpose, I am keen to understand any alternative solutions that may exist. My objective is to achieve a seamless integration without compromising the private accessibility of my vCenter.
I would greatly appreciate your guidance on how to proceed under these circumstances, particularly regarding the use of the Okta Provisioning Agent with vCenter or any other recommended solutions.
Thank you for your attention to this matter. I look forward to your advice.
Best regards,
Piotr

The provisioning agent is just for setting up your own SCIM server. This would not help you with authentication services.
The bottom line is that Okta needs to be able to communicate with the app in order to fulfill authentication requests. Okta provides a list of their IPs here, which would be the solution to your problem. You wouldn't need to open your vCenter up completely to the internet, but could just whitelist the Okta IPs.
The only other solution I could think of if you didn't want Okta traffic going directly to your vCenter is to set up a jump-host where you can route your traffic. But I don't have the answer to how exactly that would be done.
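The allowlisting step the answer above describes, as an added example that is not part of the thread and not Okta's or VMware's own tooling: the script below takes Okta's published IP-range feed, builds the set of source networks, generates inbound firewall rules that admit only those networks on the port vCenter listens on, and checks which addresses seen at the perimeter fall outside the set. The feed contents are a constructed sample in the shape of the JSON Okta publishes (assumption: the real feed at https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json has one object per cell, each carrying an "ip_ranges" list); the port 443 and the iptables chain name are assumptions to adapt to the actual deployment.

```python
"""Build an inbound allowlist for Okta-initiated traffic (SCIM pushes) from the
Okta IP-range feed, and audit observed source addresses against it.

Added example, not code from the thread. The feed text below is a constructed
sample; in practice fetch the published JSON on a schedule, because the ranges
change over time and a stale allowlist silently breaks provisioning.
"""
import ipaddress
import json

# Constructed sample mirroring the feed layout (assumption: {cell: {"ip_ranges": [...]}}).
SAMPLE_FEED = json.dumps({
    "us_cell_1": {"ip_ranges": ["198.51.100.0/24", "203.0.113.0/24"]},
    "emea_cell_1": {"ip_ranges": ["192.0.2.0/25"]},
})


def parse_okta_ranges(feed_text):
    """Return the feed's CIDR blocks as a sorted list of ip_network objects.

    strict=True rejects host bits set in a prefix, so a malformed entry fails
    loudly instead of quietly widening the allowlist.
    """
    data = json.loads(feed_text)
    nets = set()
    for cell in data.values():
        for cidr in cell.get("ip_ranges", []):
            nets.add(ipaddress.ip_network(cidr, strict=True))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def is_okta_source(ip, nets):
    """True if the address lies inside any published Okta range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def iptables_rules(nets, dport=443, chain="INPUT"):
    """Emit an ACCEPT rule per Okta IPv4 range followed by a default DROP.

    The DROP last is what keeps vCenter off the open internet: only the
    enumerated Okta networks may reach the SCIM endpoint on this port.
    """
    rules = [
        f"iptables -A {chain} -p tcp --dport {dport} -s {net} -j ACCEPT"
        for net in nets
        if net.version == 4
    ]
    rules.append(f"iptables -A {chain} -p tcp --dport {dport} -j DROP")
    return rules


def unexpected_sources(observed_ips, nets):
    """Return observed addresses that are not Okta, e.g. from a perimeter log,
    to confirm that nothing but Okta is reaching the provisioning endpoint."""
    return [ip for ip in observed_ips if not is_okta_source(ip, nets)]


if __name__ == "__main__":
    nets = parse_okta_ranges(SAMPLE_FEED)
    for rule in iptables_rules(nets):
        print(rule)
    # Constructed sample of source addresses seen at the perimeter.
    seen = ["203.0.113.7", "192.0.2.200", "8.8.8.8"]
    print("non-Okta sources:", unexpected_sources(seen, nets))
```

Note that 192.0.2.200 falls outside 192.0.2.0/25 and is therefore reported as unexpected; prefix boundaries are exactly where hand-written allowlists tend to go wrong, which is why the rules are generated from the parsed networks rather than typed in.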
Hey Nick,
vCenter can reach Okta SCIM; however, Okta cannot find my vCenter back, and whitelisting IPs won't resolve the issue.