I have configured Workspace ONE Access using the method mentioned in the article, but I am getting an error while launching a session:

this horizon server expects to get your logon credentials from application or server not directly through client login screen

VMware Workspace ONE is an intelligence-driven digital workspace platform that enables you to simply and securely deliver and manage any app on any device, anywhere. The VMware Workspace ONE Access is part of the VMware Workspace ONE solution. Workspace ONE Access delivers multifactor authentication (MFA), conditional access, and single sign-on (SSO), and acts as an intermediary to other identity stores and providers to quickly and securely implement application and device strategies.





10- Select the port group for this appliance and click Next. As shown in the first image of this post, it is better to set up the appliance in the DMZ network and the connectors in the internal network to access the resources.

Until Horizon DaaS 9.1.2, only Identity Manager connector 19.03.0.1 could be used to access the Virtual Apps Collections. However, Identity Manager connector 19.03.0.1 has been out of general support since 2022-08-31. Workspace ONE Access connector 22.09 was released on September 27th (release notes). This version supports Virtual Apps Collections on Horizon DaaS 9.1.4 (released October 2022). Together, Horizon DaaS 9.1.4 and Workspace ONE Access connector 22.09 form a supported environment again.

Tanzu Kubernetes Grid Clusters on VMware vSphere and Workspace ONE Integration

Author: Pramita Gautam, Kalyaan Krushna Codadu

In this blog, we are covering how customers can leverage the integration between VMware Tanzu Kubernetes Grid clusters on vSphere and VMware Workspace ONE as an external identity provider.

Workspace ONE is designed to provide a management platform that allows IT administrators to centrally control end users' mobile devices, cloud-hosted virtual desktops, and applications from the cloud or from an on-premises deployment.

In this documentation, Workspace ONE is the identity provider, and VMware Tanzu is integrated with it as the pinniped supervisor.

Workspace ONE configuration

Requirements

Deploy and configure VMware Workspace ONE Access. If needed, refer to the documentation for more information on Workspace ONE Access.

Install and configure Workspace ONE Access connector on a Windows server joined to the domain (for integrating with Active Directory and making use of features such as Directory Sync, User Auth, Kerberos Auth, or Virtual App services).

- Click on the Access Connector installer file.
- Accept the EULA.
- Select all the components listed and click Next.
- Browse to the JSON file generated from Workspace ONE Access, and add the connector screen.
- Select the Custom Installation option.
- If the connection between the connector virtual machine (VM) and Workspace ONE Access goes through proxy servers, select the proxy box and provide the details. Otherwise, click Next with Enable Proxy unchecked.
- Configure syslog, if available.
- If using Citrix multi-site aggregation, provide the required configuration details.
- Provide the root certificate authority (CA) of the Workspace ONE Access appliance.
- Select the default ports and click Next.
- If you have a certificate for Kerberos Auth services, select the certificate. Otherwise, leave the box unchecked and click Next to use the self-signed certificate.
- Select any domain user/service account that is part of the domain being integrated with Workspace ONE Access using this connector instance.
- Click Install to complete the connector installation.
- Once the installation is complete, you should see the connector displayed in the Workspace ONE Access UI console.
- Once the connector is updated in the Workspace ONE Access UI, create the directory.

If needed, refer to this documentation for details on installing Workspace ONE Access Connector.

Perform the following configurations on Workspace ONE Access to create the OpenID Connect (OIDC) client used to integrate with the Tanzu Kubernetes Grid cluster on vSphere.

- Log in to the Workspace ONE Access admin console and navigate to Resources. Select Web Apps from the right-hand menu and click NEW.
- Specify a Name for the new web app and click NEXT.
- On the configuration screen:
  - Specify the Authentication type: OpenID Connect.
  - Specify the Target URL: this should be the NSX Load Balancer (LB) URL/IP for the pinniped supervisor service running in the Tanzu Kubernetes Grid cluster on vSphere.
    Syntax: https://[lb Ip address]/callback
    Note: If the Tanzu Kubernetes Grid cluster is not yet created, any IP address can be specified here and updated later, once the cluster is deployed and an LB IP is assigned to the pinniped service.
  - Redirect URL: list the same URL used for the Target URL.
  - Enter a Name for ClientID.
    Note: This ClientID will be used in the pinniped configuration in the Tanzu Kubernetes Grid cluster on vSphere.
  - The client secret can be created as specified below on any machine.
- Make sure the toggle buttons for Open in Workspace ONE Web and Show in User Portal are disabled. Click Next.
- Assign an access policy from the drop-down menu or select the default policy.
- Click Save, then Assign.
- Assign the newly created web app to the users/groups synced in Workspace ONE Access using the connector installed previously.
  Note: Make sure to select Deployment Type as Automatic when the web app is assigned to users.

Configure Remote App Access in the Workspace ONE Access console with the following steps.

- In the Workspace ONE Access console, navigate to Settings > Remote App Access, then click the newly created web app.
- On the screen that opens, click Edit next to Scope in the OAuth 2 Client section.
- Select the following scope option check boxes: Email, Profile, User, NAPPS, OpenID, Group.
- Click Save.
- Click Next to navigate to Client Configuration. On this screen, uncheck the box for Prompt users for access.
- Ensure the token type is set to Bearer and update/redirect the URL with the correct LB IP for the pinniped supervisor.
- Click Save.

Assign the web app to Users Synced.

- Click Accounts, then navigate to Users.
- Double-click on the username and select the Application tab.
- Click Assign and select the web app you created in the previous step.
- Ensure you have the Deployment Type set to Automatic. The same applies to User Groups.

Next, we'll need the root CA of Workspace ONE.

- Log in to the Workspace ONE Access virtual appliance management UI (https://:8443).
- Navigate to Install SSL Certificates.
- Under Server Certificate, select Auto Generate Certificate (self-signed). You should now see the location from which you can download the root CA.

For an alternate way to obtain the root CA for the VIDM appliance, follow the next steps. Otherwise, skip ahead to Tanzu Kubernetes Grid cluster configuration.

From any machine with OpenSSL installed, run the following command:

    openssl s_client -connect [Ip/fqdn of ws1 appliance]:443

Copy the root CA from the output of the above command and save it in a notepad file. You will need to convert this certificate to a base64-encoded format to use it for OIDC integration.

To convert to base64-encoded format:

    cat [name to root ca file] | base64 | tr -d '\n' > [output file name]

Tanzu Kubernetes Grid cluster configuration

For new management Tanzu Kubernetes Grid clusters, follow these steps:

If the management Tanzu Kubernetes Grid cluster is to be created using the cluster YAML file, then refer to this documentation.

Update the values related to OIDC in the YAML file as specified below:

    IDENTITY_MANAGEMENT_TYPE: oidc
    OIDC_IDENTITY_PROVIDER_CLIENT_ID:
    OIDC_IDENTITY_PROVIDER_CLIENT_SECRET:
    OIDC_IDENTITY_PROVIDER_GROUPS_CLAIM: group_names
    OIDC_IDENTITY_PROVIDER_ISSUER_URL: https:///SAAS/auth
    OIDC_IDENTITY_PROVIDER_SCOPES: openId,email,user,profile,group
    OIDC_IDENTITY_PROVIDER_USERNAME_CLAIM: email

Use "tanzu management-cluster create -f " to create the management cluster.

Use "tanzu cluster create -f " to create workload clusters.

If the management Tanzu Kubernetes Grid cluster is to be created using the Tanzu installer, then review this documentation. In the cluster creation wizard, under the Identity Management section, select OIDC and provide the required details as shared.

After creating the management Tanzu Kubernetes Grid cluster, follow the steps in the Enable and Configure Identity Management in an Existing Deployment section of this documentation to update the pinniped secret file, adding the CA of the Workspace ONE Access appliance for the key "upstream_oidc_tls_ca_data" under the pinniped section. To get the CA of Workspace ONE, refer to the Workspace ONE configuration section above.

For existing management Tanzu Kubernetes Grid clusters, the same secret file can be updated with the OIDC details. If needed, refer to the Enable and Configure Identity Management in an Existing Deployment section of this documentation.

Workload Tanzu Kubernetes Grid clusters

Any workload clusters that you create after you enable identity management in the management cluster are automatically configured to use the same identity management service. Before you create a workload cluster, remember to unset any variables (e.g., "_TKG_CLUSTER_FORCE_ROLE") you might have set while updating the management cluster with identity management.

How to test

Workspace ONE will have two domains named vmware.com (ActiveDirectory1) and tlglab.net (ActiveDirectory2). The following Linux VMs must be created for testing:

- Bootstrap: for creating Tanzu clusters, and where the kubeconfig file resides
- Jumpbox: a VM that will log a user into the Tanzu clusters

For the management Tanzu Kubernetes Grid cluster

- Log in to the bootstrap machine and create a clusterrolebinding for the user.

      kubectl create clusterrolebinding --clusterrole cluster-admin --user 

- Create the management kubeconfig file.

      tanzu management-cluster kubeconfig get --export-file 

- SCP this kubeconfig file to the Jumpbox.
- Log in to the Jumpbox machine and clear the contexts and current-context sections from .config/tanzu/config-ng.yaml.
- Clear the server and current sections from .config/tanzu/config.yaml. Also, delete everything under the .config/tanzu/pinniped directory.
- Clear the cache of the browser to be used.
- Log in to the management cluster from the Jumpbox machine.

      tanzu login --endpoint https://:6443 --name 

- Copy the link and paste it into the browser to get the authentication code.
- Try accessing the cluster according to the role-based access control (RBAC) created; it should be successful.

For the workload Tanzu Kubernetes Grid cluster

- Log in to the bootstrap machine and create a clusterrolebinding for the user.

      kubectl create clusterrolebinding --clusterrole cluster-admin --user 

- Create the workload kubeconfig file.

      tanzu cluster kubeconfig get --export-file 

- SCP this kubeconfig file to the Jumpbox.
- Log in to the Jumpbox machine and clear the contexts and current-context sections from .config/tanzu/config-ng.yaml.
- Clear the server and current sections from .config/tanzu/config.yaml. Also, delete everything under the .config/tanzu/pinniped directory.
- Clear the cache of the browser to be used.
- Log in to the management cluster from the Jumpbox machine.

      tanzu login --endpoint https://:6443 --name 

- Copy the link and paste it into the browser to get the authentication code.
- Change the context to a workload cluster.

      kubectl config use-context --kubeconfig=

  The context name can be retrieved from the workload kubeconfig file that was copied over with SCP.
- Try accessing the cluster according to the RBAC created; it should be successful.

Note: If you also have groups in Workspace ONE and you want to give access to a group, create the clusterrolebinding with the group email ID and follow the same steps.

Multiple ADs

In this documentation, we have completed an integration of Tanzu with Workspace ONE. However, we must point out that this is for the use of multiple ADs in Workspace ONE.

Therefore, we can say that we have tested not only the integration of Tanzu with Workspace ONE, but also the access to clusters by users present in multiple ADs in Workspace ONE.

LAB Details

Product specifications

VMware NSX-T: 3.2.1.2
Tanzu Kubernetes Grid on vSphere: 2.1.0
AVI Load Balancer: 21.1.4
VMware vCenter Server: 7.0 Update 3h
VMware ESXi: 7.0 Update 3g
Workspace ONE Access: 22.0.9.2
Tanzu Kubernetes Grid Clusters on VMware vSphere and Workspace ONE Integration

Wed, 10/11/2023 - 10:53

Author: Pramita Gautam, Kalyaan Krushna Codadu

In this blog, we are covering how customers can leverage the integration between VMware Tanzu Kubernetes Grid clusters on vSphere and VMware Workspace ONE as an external identity provider.

Workspace ONE is designed to provide a management platform that allows IT administrators to centrally control end users' mobile devices, cloud-hosted virtual desktops, and applications from the cloud or from an on-premises deployment.

In this documentation, Workspace ONE is the identity provider, and VMware Tanzu is integrated with it as the pinniped supervisor.

Workspace ONE configuration

Requirements

Deploy and configure VMware Workspace ONE Access. If needed, refer to the documentation for more information on Workspace ONE Access.

Install and configure Workspace ONE Access connector on a Windows server joined to the domain (for integrating with Active Directory and making use of features such as Directory Sync, User Auth, Kerberos Auth, or Virtual App services).

1. Click on the Access Connector installer file.
2. Accept the EULA.
3. Select all the components listed and click Next.
4. Browse to the JSON file generated from Workspace ONE Access, and add the connector screen.
5. Select the Custom Installation option.
6. If the connection between the connector virtual machine (VM) and Workspace ONE Access occurs via proxy servers, select the proxy box and provide the details. Otherwise, click Next, with Enable Proxy unchecked.
7. Configure syslog, if available.
8. If using Citrix multi-site aggregation, provide the required configuration details.
9. Provide the root certificate authority (CA) of the Workspace ONE Access appliance.
10. Select the default ports and click Next.
11. If you have a certificate for Kerberos Auth services, select the certificate. Otherwise, leave the box unchecked and click Next to use the self-signed certificate.
12. Select any domain user/service account that is part of the domain being integrated with Workspace ONE Access using this connector instance.
13. Click Install to complete the connector installation.
14. Once the installation is complete, you should see the connector displayed in the Workspace ONE Access UI console.
15. Once the connector is updated in the Workspace ONE Access UI, create the directory.

If needed, refer to this documentation for details on installing Workspace ONE Access Connector.

Perform the following configurations on Workspace ONE Access to create the OpenID Connect (OIDC) client used to integrate with the Tanzu Kubernetes Grid cluster on vSphere.

1. Log in to the Workspace ONE Access admin console and navigate to Resources. Select Web Apps from the right-hand menu and click NEW.
2. Specify a Name for the new web app and click NEXT.
3. From the configuration screen:
   - Specify the Authentication type – OpenID Connect
   - Specify the Target URL – This should be the NSX Load Balancer (LB) URL/IP for the pinniped supervisor service running in the Tanzu Kubernetes Grid cluster on vSphere.
     Syntax: https://[lb Ip address]/callback
     Note: If the Tanzu Kubernetes Grid cluster is not yet created, any IP address could be specified here and updated later, once the cluster is deployed and a LB IP is assigned to the pinniped service.
   - Redirect URL – List the same URL mentioned for the Target URL
   - Enter a Name for ClientID
     Note: This ClientID will be used in the pinniped configuration in the Tanzu Kubernetes Grid cluster on vSphere.
   - The client secret can be created as specified below on any machine.
4. Make sure the toggle buttons for Open in Workspace ONE Web and Show in User Portal are disabled. Click Next.
5. Assign an access policy from the drop-down menu or select the default policy.
6. Click Save, then Assign.
7. Assign the web app now created to the users/groups synced in Workspace ONE Access using the connector installed previously.
   Note: Make sure to select Deployment Type as Automatic when the web app is assigned to users.

Configure Remote App Access in the Workspace ONE Access console with the following steps.

1. In the Workspace ONE Access console, navigate to Settings > Remote App Access, then click the newly created web app.
2. On the screen that has opened, click Edit next to Scope in the OAuth 2 Client section.
3. Select the following scope option check boxes: Email, Profile, User, NAPPS, OpenID, Group.
4. Click Save.
5. Click Next to navigate to Client Configuration. On this screen, uncheck the box for Prompt users for access.
6. Ensure the token type is set to Bearer and update/redirect the URL with the correct LB IP for the pinniped supervisor.
7. Click Save.

Assign the web app to Users Synced.

1. Click Accounts, then navigate to Users.
2. Double-click on the username and select the Application tab.
3. Click Assign and select the web app you created in the previous step.
4. Ensure you have the Deployment Type set to Automatic. The same is applicable for User Groups.

Next, we'll need the root CA of Workspace ONE.

1. Log in to the Workspace ONE Access virtual appliance management UI (https://<ws1-access-fqdn>:8443).
2. Navigate to Install SSL Certificates.
3. Under Server Certificate, select Auto Generate Certificate (self-signed). You should now see the location from which you can download the root CA.

For an alternate way to obtain the root CA for the VIDM appliance, follow the next steps. Otherwise, skip ahead to Tanzu Kubernetes Grid cluster configuration.

From any machine with OpenSSL installed, run the following command:

    openssl s_client -connect [Ip/fqdn of ws1 appliance]:443

Copy the root CA from the output of the above command and save it in a notepad file.
You will need to convert this certificate to a base64-encoded format to use it for OIDC integration.

To convert to base64-encoded format:

    cat [name to root ca file] | base64 | tr -d '\n' > [output file name]

Tanzu Kubernetes Grid cluster configuration

For new management Tanzu Kubernetes Grid clusters, follow these steps:

If the management Tanzu Kubernetes Grid cluster is to be created using the cluster YAML file, then refer to this documentation.

Update the values related to OIDC in the YAML file as specified below:

    IDENTITY_MANAGEMENT_TYPE: oidc
    OIDC_IDENTITY_PROVIDER_CLIENT_ID: <client-id>
    OIDC_IDENTITY_PROVIDER_CLIENT_SECRET: <client-secret>
    OIDC_IDENTITY_PROVIDER_GROUPS_CLAIM: group_names
    OIDC_IDENTITY_PROVIDER_ISSUER_URL: https://<ws1-access-fqdn>/SAAS/auth
    OIDC_IDENTITY_PROVIDER_SCOPES: openId,email,user,profile,group
    OIDC_IDENTITY_PROVIDER_USERNAME_CLAIM: email

Use "tanzu management-cluster create -f <cluster-config-file>" to create the management cluster.

Use "tanzu cluster create -f <cluster-config-file>" to create workload clusters.

If the management Tanzu Kubernetes Grid cluster is to be created using the Tanzu installer, then review this documentation.

In the cluster creation wizard, under the Identity Management section, select OIDC and provide the required details as shared above.

After creating the management Tanzu Kubernetes Grid cluster, follow the steps in the Enable and Configure Identity Management in an Existing Deployment section of this documentation to update the pinniped secret file, adding the CA of the Workspace ONE Access appliance for the key "upstream_oidc_tls_ca_data" under the pinniped section.
To get the CA of Workspace ONE, refer to the Workspace ONE configuration section above.

For existing management Tanzu Kubernetes Grid clusters, the same secret file can be updated with the OIDC details.

If needed, refer to the Enable and Configure Identity Management in an Existing Deployment section of this documentation.

Workload Tanzu Kubernetes Grid clusters

Any workload clusters that you create when you enable identity management in the management cluster are automatically configured to use the same identity management service.
Before you create a workload cluster, remember to unset the variables (e.g., "_TKG_CLUSTER_FORCE_ROLE") you might have set while updating the management cluster with identity management.

How to test

Workspace ONE will have two domains named vmware.com (ActiveDirectory1) and tlglab.net (ActiveDirectory2).
The following Linux VMs must be created for testing:

- Bootstrap – For creating Tanzu clusters, and where the kubeconfig file resides
- Jumpbox – A VM that will log a user into the Tanzu clusters

For the management Tanzu Kubernetes Grid cluster

1. Log in to the bootstrap machine and create clusterrolebinding for the user.

       kubectl create clusterrolebinding <binding-name> --clusterrole cluster-admin --user <user>

2. Create the management kubeconfig file.

       tanzu management-cluster kubeconfig get --export-file <management-kubeconfig-file>

3. SCP this kubeconfig file to the Jumpbox.
4. Log in to the Jumpbox machine and clear the contexts and current-context sections from .config/tanzu/config-ng.yaml.
5. Clear the server and current sections from .config/tanzu/config.yaml. Also, delete everything under the .config/tanzu/pinniped directory.
6. Clear the cache from the browser to be used.
7. Log in to the management cluster from the Jumpbox machine.

       tanzu login --endpoint https://<management-cluster-endpoint>:6443 --name <name>

8. Copy the link and paste it into the browser to get the authentication code.
9. Try accessing the cluster as per the role-based access control (RBAC) created and it should be successful.

For the workload Tanzu Kubernetes Grid cluster

1. Log in to the bootstrap machine and create clusterrolebinding for the user.

       kubectl create clusterrolebinding <binding-name> --clusterrole cluster-admin --user <user>

2. Create the workload kubeconfig file.

       tanzu cluster kubeconfig get <workload-cluster-name> --export-file <workload-kubeconfig-file>

3. SCP this kubeconfig file to the Jumpbox.
4. Log in to the Jumpbox machine and clear the contexts and current-context sections from .config/tanzu/config-ng.yaml.
5. Clear the server and current sections from .config/tanzu/config.yaml. Also, delete everything under the .config/tanzu/pinniped directory.
6. Clear the cache from the browser to be used.
7. Log in to the management cluster from the Jumpbox machine.

       tanzu login --endpoint https://<management-cluster-endpoint>:6443 --name <name>

8. Copy the link and paste it into the browser to get the authentication code.
9. Change the context to a workload cluster.

       kubectl config use-context <context-name> --kubeconfig=<workload-kubeconfig-file>

   Context-name can be retrieved from the workload-kubeconfig file that was copied over with SCP.
10. Try accessing the cluster as per the RBAC created and it should be successful.

Note: If you also have the groups in Workspace ONE and you want to give access to that group, then create clusterrolebinding with the group email ID and follow the same steps.

Multiple ADs

In this documentation, we have completed an integration of Tanzu with Workspace ONE. However, we must point out that this is for the use of multiple ADs in Workspace ONE.

Therefore, we can say that we have tested not only the integration of Tanzu with Workspace ONE, but also the access of clusters by the users present in multiple ADs in Workspace ONE.

LAB Details

Product specifications

    VMware NSX-T                        3.2.1.2
    Tanzu Kubernetes Grid on vSphere    2.1.0
    AVI Load Balancer                   21.1.4
    VMware vCenter Server               7.0 Update 3h
    VMware ESXi                         7.0 Update 3g
    Workspace ONE Access                22.0.9.2
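The alternate root-CA steps above (openssl s_client, then base64) leave it to the reader to pick the right certificate out of the output; the script below is an added example, not part of the original post, that splits a saved chain, keeps only a certificate that is really self-signed, and encodes it for the upstream_oidc_tls_ca_data key. The function names are illustrative, the sample chain is constructed locally, and the chain is assumed to have been saved with `openssl s_client -showcerts`, because without that option s_client prints only the server certificate.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative
# and the sample chain is generated locally, so nothing touches the network.
set -eu

# Split saved `openssl s_client -showcerts` output (or any PEM bundle) into
# one file per certificate: <outdir>/cert-1.pem, cert-2.pem, ...
# Text between the PEM blocks (s_client prints plenty) is ignored.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# True only if subject and issuer match AND the certificate's signature
# verifies under its own key, i.e. it is a self-signed trust anchor.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print the path of the first self-signed certificate in <dir>. Returns
# non-zero when the server did not send its root, which is common.
find_root_ca() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        if is_self_signed "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Same encoding as the command in the post: base64 with newlines removed.
encode_ca() {
    base64 < "$1" | tr -d '\n'
}

# Constructed sample: a throwaway root CA and a leaf it signs, concatenated
# leaf-first the way a server presents its chain.
make_sample_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed WS1 Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ws1.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null
    { cat "$d/leaf.pem"; echo "--- not a certificate ---"; cat "$d/ca.pem"; } \
        > "$d/chain.pem"
}

demo() {
    work=$(mktemp -d)
    make_sample_chain "$work"
    split_pem_bundle "$work/chain.pem" "$work/split"
    if root=$(find_root_ca "$work/split"); then
        echo "root CA: $(openssl x509 -in "$root" -noout -subject)"
        echo "encoded length: $(encode_ca "$root" | wc -c)"
    else
        echo "no self-signed certificate in the chain; download the root CA from the appliance instead" >&2
    fi
    rm -rf "$work"
}

demo
```

If find_root_ca returns non-zero on a real capture, the appliance did not send its root, and the download location in the management UI described above is the source to use.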
\r\n","#format":"full_html","#langcode":"en"},"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":2},"field_tags":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":3},"field_url":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":4},"field_content":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":5},"field_cc_category":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":6},"field_cc_level":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":7},"field_cc_operating_system":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":8},"field_cc_phase":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":9},"field_cc_product":{"#theme":"field","#title":"Product","#label_display":"above","#view_mode":"full","#language":"en","#field_name":"field_cc_product","#field_type":"entity_reference","#field_translatable":false,"#entity_type":"node","#bundle":"article","#object":{"in_preview":null},"#items":{},"#formatter":"entity_reference_label","#is_multiple":true,"#third_party_settings":[],"0":{"#type":"link","#title":"Tanzu Kubernetes 
Grid","#url":{},"#options":{"entity_type":"taxonomy_term","entity":{},"language":{}},"#entity":{},"#cache":{"tags":["taxonomy_term:9148"],"contexts":["user.permissions"],"max-age":-1}},"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":10},"field_cc_solution":{"#theme":"field","#title":"Solution","#label_display":"above","#view_mode":"full","#language":"en","#field_name":"field_cc_solution","#field_type":"entity_reference","#field_translatable":false,"#entity_type":"node","#bundle":"article","#object":{"in_preview":null},"#items":{},"#formatter":"entity_reference_label","#is_multiple":true,"#third_party_settings":[],"0":{"#type":"link","#title":"Tanzu","#url":{},"#options":{"entity_type":"taxonomy_term","entity":{},"language":{}},"#entity":{},"#cache":{"tags":["taxonomy_term:9145"],"contexts":["user.permissions"],"max-age":-1}},"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":11},"field_cc_type":{"#theme":"field","#title":"Type","#label_display":"above","#view_mode":"full","#language":"en","#field_name":"field_cc_type","#field_type":"entity_reference","#field_translatable":false,"#entity_type":"node","#bundle":"article","#object":{"in_preview":null},"#items":{},"#formatter":"entity_reference_label","#is_multiple":true,"#third_party_settings":[],"0":{"#type":"link","#title":"Blog","#url":{},"#options":{"entity_type":"taxonomy_term","entity":{},"language":{}},"#entity":{},"#cache":{"tags":["taxonomy_term:641"],"contexts":["user.permissions"],"max-age":-1}},"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":12},"field_cc_use_case":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":13},"field_co_author":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":14},"field_cc_audience":{"#theme":"field","#title":"Audience","#label_display":"above","#view_mode":"full","#language":"en","#field_name":"field_cc_audience","#field_type":"entity_reference","#field_translatable":false,"#entity_type":"node","#bundle":"article","#object":{"in_preview
":null},"#items":{},"#formatter":"entity_reference_label","#is_multiple":false,"#third_party_settings":[],"0":{"#type":"link","#title":"Customer","#url":{},"#options":{"entity_type":"taxonomy_term","entity":{},"language":{}},"#entity":{},"#cache":{"tags":["taxonomy_term:2719"],"contexts":["user.permissions"],"max-age":-1}},"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":15},"field_cc_internal":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":16},"field_associated_content":{"#cache":{"contexts":[],"tags":[],"max-age":-1},"#weight":17},"links":{"#lazy_builder":["Drupal\\node\\NodeViewBuilder::renderLinks",["5913","full","en",false,null]],"#weight":18},"field_search_content":{"#theme":"field","#title":"Search Content","#label_display":"above","#view_mode":"full","#language":"en","#field_name":"field_search_content","#field_type":"text_with_summary","#field_translatable":true,"#entity_type":"node","#bundle":"article","#object":{"in_preview":null},"#items":{},"#formatter":"text_default","#is_multiple":false,"#third_party_settings":[],"0":{"#type":"processed_text","#text":"In this blog, we are covering how customers can leverage the integration between VMware Tanzu Kubernetes Grid clusters on vSphere and VMware Workspace ONE as an external identity provider. Tanzu Kubernetes Grid Clusters on VMware vSphere and Workspace ONE Integration Author: Pramita Gautam, Kalyaan Krushna Codadu In this blog, we are covering how customers can leverage the integration between VMware Tanzu Kubernetes Grid clusters on vSphere and VMware Workspace ONE as an external identity provider. Workspace ONE is designed to provide a management platform that allows IT administrators to centrally control end user\u2019s mobile devices, cloud-hosted virtual desktops, and applications from the cloud or from an on-premises deployment. In this documentation, Workspace ONE is the identity provider and integrated in it is VMware Tanzu as the pinniped supervisor. 
Workspace ONE configuration Requirements Deploy and configure VMware Workspace ONE Access. If needed, refer to the documentation for more information on Workspace ONE Access. Install and configure Workspace ONE Access connector on a Windows server joined to the domain (for integrating with Active Directory and making use of features such as Directory Sync, User Auth, Kerberos Auth, or Virtual App services). Click on the Access Connector installer file. Accept the EULA. Select all the components listed and click Next. Browse to the json file generated from Workspace ONE Access, and add the connector screen. Select the Custom Installation option. If connection between the connector virtual machine (VM) and Workspace ONE Access occurs via proxy servers, select the proxy box and provide the details. Otherwise, click Next, with Enable Proxy unchecked. Configure syslog, if available. If using Citrix multi-site aggregation, provide the required cofiguration details. Provide the root certificate authority (CA) of the Workspace ONE Access appliance. Select the default ports and click Next. If you have certificate for Kerberos Auth services, select the certificate. Otherwise, leave the box unchecked and click Next to use the self-signed certificate. Select any domain user\/service account part of the domain that is being integrated with Workspace ONE Access using the following connector instance. Click Install to complete the connector installation. Once the installation is complete, you should see the connector displayed in Workspace ONE Access UI console. Once the connector is updated in the Workspace ONE Access UI, create the directory. If needed, refer to this documentation for details on installing Workspace ONE Access Connector. Perform the following configurations on Workspace ONE Access to create the OpenID Connect (OIDC) Client to be able to integrate with the Tanzu Kubernetes Grid cluster on vSphere. 
Log in to the Workspace ONE Access admin console and navigate to Resources. Select Web Apps from the righthand menu and click NEW. Specify a Name to the new web app and click NEXT. From the configuration screen Specify the Authentication type \u2013 OpenID Connect Specify the Target URL \u2013 This should be the NSX Load Balancer (LB) URL\/IP for the pinniped supervisor service running in the Tanzu Kubernetes Grid cluster on vSphere. Syntax: https:\/\/[lb Ip address]\/callback Note: If the Tanzu Kubernetes Grid cluster is not yet created, any IP address could be specified here and updated later, once the cluster is deployed and a LB IP is assigned to the pinniped service. Redirect URL \u2013 List the same URL mentioned for the Target URL Enter a Name for ClientID Note: This ClientID will be used in the pinniped configured in the Tanzu Kubernetes Grid cluster on vSphere. The client secret can be created as specified below on any machine. Make sure the toggle buttons for Open in Workspace ONE Web and Show in User Portal are disabled. Click Next. Assign an access policy from the drop-down menu or select the default policy. Click Save, then Assign. Assign the web app now created to the users\/groups synced in Workspace ONE Access using the connector installed previously. Note: Make sure to select Deployment Type as Automatic, when the web app is assigned to users. Configure Remote App Access in the Workspace ONE Access console with the following steps. In the Workspace ONE Access console navigate to Settings > Remote App Access, then click the newly created web app. On the screen that has opened, click Edit next to Scope in the OAuth 2 Client section. Select the following scope option check boxes. Email Profile User NAPPS OpenID Group Click Save. Click Next to navigate to Client Configuration. On this screen, uncheck the box for Prompt users for access. 
Ensure the token type is set to Bearer and update\/redirect the URL with the correct IP LB for the pinniped supervisor. Click Save. Assign the web app to Users Synced. Click Accounts, then navigate to Users. Double-click on the username and select the Application Tab. Click Assign and select the web app you created in the previous step. Ensure you have the Deployment Type set to Automatic. The same is applicable for User Groups. Next, we\u2019ll need the root CA of Workspace ONE. Log in to the Workspace ONE Access virtual appliance management UI (https:\/\/:8443). Navigate to Install SSL Certificates. Under Server Certificate select Auto Generate Certificate (self-signed). You should now see the location from which you can download the root CA. For an alternate way to obtain the root CA for the VIDM appliance, follow the next steps. Otherwise, skip ahead to Tanzu Kubernetes Grid cluster configuration. From any machines with OpenSSL installed, run the following command: openssl s_client -connect [Ip\/fqdn of ws1 appliance]:443 Copy the root CA from the output of the above command and save it in a notepad file. You will need to convert this certificate from a base64-encoded format to use for OIDC integration. To convert to base64-encoded format: cat [name to root ca file] | base64 | tr -d \u2018\\n\u2019 > [output file name] \uf0b7 Tanzu Kubernetes Grid cluster configuration For new management of Tanzu Kubernetes Grid clusters follow these steps: If management of the Tanzu Kubernetes Grid cluster is to be created using the cluster YAML file, then refer to this documentation. 
Update the values related to OIDC in the YAML file as specified below:

    IDENTITY_MANAGEMENT_TYPE: oidc
    OIDC_IDENTITY_PROVIDER_CLIENT_ID:
    OIDC_IDENTITY_PROVIDER_CLIENT_SECRET:
    OIDC_IDENTITY_PROVIDER_GROUPS_CLAIM: group_names
    OIDC_IDENTITY_PROVIDER_ISSUER_URL: https:///SAAS/auth
    OIDC_IDENTITY_PROVIDER_SCOPES: openId,email,user,profile,group
    OIDC_IDENTITY_PROVIDER_USERNAME_CLAIM: email

Use "tanzu management-cluster create -f " to create the management cluster.

Use "tanzu cluster create -f " to create workload clusters.

If the management Tanzu Kubernetes Grid cluster is to be created using the Tanzu installer, then review this documentation. In the cluster creation wizard under the Identity Management section, select OIDC and provide the required details as shared.

After creating the management Tanzu Kubernetes Grid cluster, follow the steps in the Enable and Configure Identity Management in an Existing Deployment section of this documentation. Update the pinniped secret file to add the CA of the Workspace ONE Access appliance for the key "upstream_oidc_tls_ca_data" under the pinniped section. To get the CA of Workspace ONE, refer to the Workspace ONE configuration section above.

For existing management Tanzu Kubernetes Grid clusters, the same secret file can be updated with the OIDC details. If needed, refer to the Enable and Configure Identity Management in an Existing Deployment section of this documentation.

Workload Tanzu Kubernetes Grid clusters

Any workload clusters that you create when you enable identity management in the management cluster are automatically configured to use the same identity management service.

Before you create a workload cluster, remember to unset the variables (e.g., "_TKG_CLUSTER_FORCE_ROLE") you might have set while updating the management cluster with identity management.

How to test

Workspace ONE will have two domains named vmware.com (ActiveDirectory1) and tlglab.net (ActiveDirectory2).

The following Linux VMs must be created for testing:

- Bootstrap: for creating Tanzu clusters, and where the kubeconfig file resides
- Jumpbox: a VM that will log a user into the Tanzu clusters

For the management Tanzu Kubernetes Grid cluster

1. Log in to the bootstrap machine and create clusterrolebinding for the user.

    kubectl create clusterrolebinding --clusterrole cluster-admin --user

2. Create the management kubeconfig file.

    tanzu management-cluster kubeconfig get --export-file

3. SCP this kubeconfig file to the Jumpbox.
4. Log in to the Jumpbox machine and clear the contexts and current-context sections from .config/tanzu/config-ng.yaml. Clear the server and current sections from .config/tanzu/config.yaml. Also, delete everything under the .config/tanzu/pinniped directory.
5. Clear the cache from the browser to be used.
6. Log in to the management cluster from the Jumpbox machine.

    tanzu login --endpoint https://:6443 --name

7. Copy the link and paste it into the browser to get the authentication code.
8. Try accessing the cluster as per the role-based access control (RBAC) created and it should be successful.

For the workload Tanzu Kubernetes Grid cluster

1. Log in to the bootstrap machine and create clusterrolebinding for the user.

    kubectl create clusterrolebinding --clusterrole cluster-admin --user

2. Create the workload kubeconfig file.

    tanzu cluster kubeconfig get --export-file

3. SCP this kubeconfig file to the Jumpbox.
4. Log in to the Jumpbox machine and clear the contexts and current-context sections from .config/tanzu/config-ng.yaml. Clear the server and current sections from .config/tanzu/config.yaml. Also, delete everything under the .config/tanzu/pinniped directory.
5. Clear the cache from the browser to be used.
6. Log in to the management cluster from the Jumpbox machine.

    tanzu login --endpoint https://:6443 --name

7. Copy the link and paste it into the browser to get the authentication code.
8. Change the context to a workload cluster.

    kubectl config use-context --kubeconfig=

   Context-name can be retrieved from the workload-kubeconfig file that was copied over with SCP.
9. Try accessing the cluster as per the RBAC created and it should be successful.

Note: If you also have groups in Workspace ONE and you want to give access to a group, then create clusterrolebinding with the group email ID and follow the same steps.

Multiple ADs

In this documentation, we have completed an integration of Tanzu with Workspace ONE; however, we must point out that this is for the use of multiple ADs in Workspace ONE. Therefore, we can say that we have tested not only the integration of Tanzu with Workspace ONE, but also the access of clusters by users present in multiple ADs in Workspace ONE.

LAB Details

Product specifications:

- VMware NSX-T: 3.2.1.2
- Tanzu Kubernetes Grid on vSphere: 2.1.0
- AVI Load Balancer: 21.1.4
- VMware vCenter Server: 7.0 Update 3h
- VMware ESXi: 7.0 Update 3g
- Workspace ONE Access: 22.0.9.2
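A pre-flight check for the OIDC values in the cluster configuration step above, to run before creating the management cluster: it flags blank client credentials, an issuer URL with no host, and a scope list that omits openid. This is an added example, not code from the original post; the function names and the filled-in values (access.example.test, the client ID and secret) are constructed, and the /SAAS/auth path check simply follows the issuer URL form shown in the post.

```python
import re
from urllib.parse import urlsplit

PREFIX = "OIDC_IDENTITY_PROVIDER_"
REQUIRED = ("CLIENT_ID", "CLIENT_SECRET", "GROUPS_CLAIM",
            "ISSUER_URL", "SCOPES", "USERNAME_CLAIM")

# The OIDC block as listed in the post: credentials blank, issuer host missing.
PAGE_AS_LISTED = """\
IDENTITY_MANAGEMENT_TYPE: oidc
OIDC_IDENTITY_PROVIDER_CLIENT_ID:
OIDC_IDENTITY_PROVIDER_CLIENT_SECRET:
OIDC_IDENTITY_PROVIDER_GROUPS_CLAIM: group_names
OIDC_IDENTITY_PROVIDER_ISSUER_URL: https:///SAAS/auth
OIDC_IDENTITY_PROVIDER_SCOPES: openId,email,user,profile,group
OIDC_IDENTITY_PROVIDER_USERNAME_CLAIM: email
"""

# Constructed values, for illustration only (assumptions, not from the post).
FILLED_IN = (PAGE_AS_LISTED
             .replace("CLIENT_ID:", "CLIENT_ID: tkg-constructed-id")
             .replace("CLIENT_SECRET:", "CLIENT_SECRET: constructed-secret")
             .replace("https:///", "https://access.example.test/"))


def parse_flat_config(text):
    """Read the flat 'KEY: value' lines of a cluster configuration file."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z_][A-Z0-9_]*):\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip("\"'")
    return cfg


def check_oidc(cfg):
    """Return a list of problems; an empty list means the block looks usable."""
    problems = []
    if cfg.get("IDENTITY_MANAGEMENT_TYPE") != "oidc":
        problems.append("IDENTITY_MANAGEMENT_TYPE is not oidc")
    for name in REQUIRED:
        if not cfg.get(PREFIX + name):
            problems.append(f"{PREFIX}{name} is empty or missing")
    url = urlsplit(cfg.get(PREFIX + "ISSUER_URL", ""))
    if url.scheme != "https" or not url.hostname:
        problems.append("issuer URL must be https:// with a host name")
    elif url.path.rstrip("/") != "/SAAS/auth":
        problems.append("issuer URL path is not /SAAS/auth")
    # Compared case-insensitively so the post's "openId" spelling is accepted.
    scopes = {s.strip().lower() for s in cfg.get(PREFIX + "SCOPES", "").split(",")}
    if "openid" not in scopes:
        problems.append("scopes do not request openid")
    return problems


if __name__ == "__main__":
    for label, text in (("as listed", PAGE_AS_LISTED), ("filled in", FILLED_IN)):
        print(label, check_oidc(parse_flat_config(text)) or "OK")
```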
Tanzu Kubernetes Grid Clusters on VMware vSphere and Workspace ONE Integration

October 11, 2023

Author: Pramita Gautam, Kalyaan Krushna Codadu
