VMware SD-WAN Orchestrator Single Sign-On powered by Okta

In this article I would like to describe how to integrate Okta with the SD-WAN Orchestrator and use
Single Sign-On (SSO) with different user types.

VMware SD-WAN Orchestrator provides centralized, enterprise-wide installation, configuration, and real time monitoring, in addition to orchestrating the data flow through the cloud network.

Prerequisites

  • We need to have an Okta admin user.
  • And we need the Enterprise super user permission in the SD-WAN Orchestrator customer tenant.

Configure Okta for Single Sign On

Let us first create a new Application in Okta.

Select OIDC – OpenID Connect as the Sign-in method and Web Application as the Application type, then click Next to continue.

In the General Settings section enter a name for your application and also select Refresh Token for the Grant type.

In the Sign-in redirect URIs text box, enter the redirect URL that your SD-WAN Orchestrator application uses as the callback endpoint.
You can find this one in the Global Settings > Authentication menu in your SD-WAN Orchestrator.

Now we need to note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in SD-WAN Orchestrator.

Since we don’t want every user to get enterprise super admin rights, we will configure a Groups claim filter.
To set this up, click the Sign On tab and, under the OpenID Connect ID Token area, click Edit.

In this setup I am using a basic Groups claim filter; this can be adapted to the respective use cases and needs.
Please do not forget to select the right Issuer here, i.e. your Okta URL.

In the last step we now can assign groups to our SD-WAN Orchestrator Application.
On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or Assign to People.
In my example, I have already created two Okta groups.

How to configure Single Sign On for Operator User

In the next part we will now focus on the SD-WAN Orchestrator configuration.
We need to log in as Enterprise super user with our credentials and click on Global Settings in the drop-down menu.

In the Global Settings menu, click now on Enterprise Settings and set up a Domain name for your enterprise.
Important: Before enabling SSO authentication for the SD-WAN Orchestrator, this needs to be set up!

Within the User Management menu, click on the Authentication tab, then from the Authentication Mode drop-down menu, we need to select Single Sign-On and from the Identity Provider Template we select Okta.

In the OIDC well-known config URL text box, enter the OpenID Connect (OIDC) configuration URL for our Okta Tenant.
For example: https://{your-okta-url}/.well-known/openid-configuration

The nice thing here is that the SD-WAN Orchestrator application auto-populates endpoint details such as Issuer, Authorization Endpoint, Token Endpoint, and User Information Endpoint.

In the Client Id and Client Secret text boxes, enter the client identifier and secret provided by your Okta tenant.

To determine a user’s role in SD-WAN Orchestrator we will use the Use Identity Provider Roles option, so the role is derived from the groups we created in Okta.
Remember that we created the two groups superuser and readonly in our Okta tenant in the previous section.
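To show what the Orchestrator does with the two inputs above, the discovery document it auto-populates endpoints from and the groups claim it derives roles from, here is an added, self-contained Python example (not code from the article or from VMware or Okta). The discovery document and ID token claims are constructed samples, example.okta.com is a placeholder tenant, and the role labels in GROUP_TO_ROLE are assumed names; only the group names superuser and readonly come from the article.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an Okta discovery document, trimmed to the fields the
# Orchestrator auto-populates (served at https://{your-okta-url}/.well-known/openid-configuration).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://example.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
})
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Assumed group-to-role mapping: the group names are the two Okta groups from the
# article, the role labels are placeholders. Groups not listed here grant no access.
GROUP_TO_ROLE = {"superuser": "enterprise_superuser", "readonly": "enterprise_readonly"}
ROLE_RANK = {"enterprise_superuser": 2, "enterprise_readonly": 1}


def parse_discovery(doc: str, expected_issuer: str) -> dict:
    """Extract the endpoints from a discovery document, refusing anything that is
    not HTTPS on the issuer's own host (an off-tenant endpoint would send the login
    redirect or the code-for-token exchange to a host the tenant does not control)."""
    cfg = json.loads(doc)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    if cfg["issuer"] != expected_issuer:
        raise ValueError(f"issuer {cfg['issuer']!r} != {expected_issuer!r}")
    host = urlparse(expected_issuer).netloc
    for key in REQUIRED[1:]:
        url = urlparse(cfg[key])
        if url.scheme != "https" or url.netloc != host:
            raise ValueError(f"{key} points off-tenant: {cfg[key]}")
    return {k: cfg[k] for k in REQUIRED}


def role_from_id_token(claims: dict, expected_issuer: str, client_id: str) -> str:
    """Map the groups claim of an ID token to a role. The token's signature is assumed
    to have been verified against jwks_uri before the claims reach this function."""
    if claims.get("iss") != expected_issuer:
        raise ValueError("ID token issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("ID token not issued for this client")
    groups = claims.get("groups") or []
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]
    if not roles:
        raise PermissionError("no role-bearing Okta group in token")
    return max(roles, key=ROLE_RANK.__getitem__)  # highest-privilege matched group wins
```

A user whose token carries neither group is rejected outright, which is the effect the Groups claim filter in Okta and the group assignment on the application are meant to produce.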

In the last step we UPDATE and TEST our configuration via the button here.

You will be redirected to Okta and need to log in with your user.

If everything is configured properly, you should see the following successful SSO Configuration Test message.

Single Sign On Demo(s)

Now let’s have a look at how this looks in real life. In this short video we will see a login with a read-only user.

Read Only User Access

If our users are logging in with administrative rights, we can configure additional authentication factors based on Okta Authentication policies and their rules.
In this video we are leveraging Okta Verify as a second factor.

Super User Access

Within the SD-WAN Orchestrator we can now see which users have logged in.
