Overview
VAST VMS supports Single Sign-On (SSO) authentication using SAML-based Identity Providers (IdPs). This allows VMS managers to sign in to a VAST Cluster using their credentials from an IdP such as Okta.
This guide describes how to configure this using Okta as the IdP.
When configured for SSO with an IdP, VMS acts as the SAML Service Provider (SP).
In the IdP, you must define roles (also referred to as groups in some IdPs) that map to roles in VMS. Users who use the IdP to sign on to VMS use one of these roles. When a user signs into VMS from the IdP using SSO, they receive permissions in VMS associated with the role in VMS that is mapped to the role in the IdP. If a role does not exist in VMS for the user, the user has only read-only permissions after signing in.
For example, consider a user who has the role VMS Administrators in the IdP, which is mapped to the role VMS Administrators in VMS, with Admin permissions. When the user signs on to VMS from the IdP, they will have Admin permissions in VMS.
Permissions are not stored in VMS for users who sign on using SSO; the role mapping is evaluated at every sign-on. This means that if the role for a user on the IdP is changed to a different role, the user has the permissions of the new role in VMS the next time they sign on.
VMS supports both SP-initiated and IdP-initiated authentication. In SP-initiated authentication, the user selects the SSO sign-on option on VMS and is redirected from there to the IdP (for example, Okta) to complete the authentication. In IdP-initiated authentication, the user starts in the IdP portal and selects VMS from there (for example, JumpCloud).
SAML Attributes Required by VMS for SSO
IdPs must return these attributes in the SAML assertion response for VMS user creation:
email. A unique identifier used to create or update the user.
username. The name of the user.
roles. The roles of the user, with names exactly as they appear in VMS. If this attribute is missing from the assertion, the user only receives read_only permission. For example, if you define a role in VMS called SamlUser with specific permissions, and your IdP returns roles = SamlUser, all users that the IdP assigns to this role receive this role in VMS with all the permissions you granted to it.
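The following is an added troubleshooting example, not VMS code, that shows what the attribute requirements above look like in a real assertion. It parses a SAML response captured from the browser (for example with a SAML tracer), lists the email/username/roles attributes, and models the role mapping the page describes: only roles that exist in VMS are granted, and a missing roles attribute or a role VMS does not know yields read_only. The sample response, its issuer, IDs and the set of VMS-side roles are constructed placeholders. The script does not validate the XML signature, so it must never be used to make an access decision; VMS validates the signed assertion itself.

```python
"""Added example: inspect a captured SAML response for the attributes VMS needs.

Offline troubleshooting aid, not VMS code. It does not validate the XML
signature, so never use it to make an access decision; VMS validates the
signed assertion itself.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names VMS reads from the assertion (from the page).
REQUIRED = ("email", "username")
ROLES_ATTR = "roles"
READ_ONLY = "read_only"  # what VMS grants when no mapped role is present

# Constructed sample response: issuer, IDs and user are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/placeholder-entity-id</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/placeholder-entity-id</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="username">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="roles">
        <saml:AttributeValue>SamlUser</saml:AttributeValue>
        <saml:AttributeValue>Everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def parse_attributes(response_xml: str) -> dict[str, list[str]]:
    """Collect {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(v for v in values if v)
    return attrs


def missing_required(attrs: dict[str, list[str]]) -> list[str]:
    """Names of the attributes VMS needs for user creation that are absent or empty."""
    return [name for name in REQUIRED if not attrs.get(name)]


def effective_roles(attrs: dict[str, list[str]], vms_roles: set[str]) -> list[str]:
    """Model of the mapping the page describes: only roles that exist in VMS are
    granted; a missing roles attribute, or no matching role, yields read_only."""
    granted = [r for r in attrs.get(ROLES_ATTR, []) if r in vms_roles]
    return granted or [READ_ONLY]


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_RESPONSE)
    print("attributes:", attrs)
    print("missing:", missing_required(attrs))
    # The roles defined on the VMS side are an assumption for this demo.
    print("effective roles:", effective_roles(attrs, {"SamlUser", "VMS Administrators"}))
```

Run it against a captured response to confirm that the IdP actually emits attributes named email, username and roles (names are case-sensitive) and that at least one value of roles matches a role defined in VMS; in the sample, Everyone is ignored and SamlUser is granted.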
Configuring SSO on a VAST Cluster
Configuring SSO using the VAST Web UI
On the VAST Web UI, navigate to the Administrators page, then select the SSO tab.
Click Add new identity.
In the General section, add these details for the Identity Provider:
IdP name
The name of the Identity Provider (e.g. Okta)
IdP Entity ID
The Entity ID for the Identity Provider, typically obtained from the metadata.
Force authenticate
Forces the IdP to re-authenticate the user at each sign-on instead of reusing an existing IdP session (the SAML ForceAuthn request flag).
In the Metadata section, enter these details:
Metadata URL
The URL of the metadata on the IdP, usually in the form
https://<idp-url>/sso/saml/metadata, where <idp-url> is the URL of the IdP.
Local metadata
Use metadata stored locally on VMS. This is an alternative to including a Metadata URL.
Paste metadata text in the box.
In the Assertions and Certificates section you can optionally enable and configure encryption for SAML assertions and responses. If enabled, you must also provide or upload certificates.
To enable encryption of SAML assertions, toggle Enable assertion encryption. If enabled, follow these steps to configure a certificate and key.
Click Add certificate.
Paste an X.509 certificate in the box or click Upload, and upload an X.509 certificate file.
Click Save to save the certificate.
Click Add key.
Paste the private key that matches the certificate in the box, or click Upload and upload the key file.
Click Save.
To enable signatures on SAML assertion responses, toggle Enable assertion response signing. If enabled, follow these steps to configure a certificate and key.
This is enabled independently of the Enable assertion encryption option. The certificate and key used for this option can be different from the ones used for Assertion Encryption.
Click Add certificate.
Paste an X.509 certificate in the box or click Upload, and upload an X.509 certificate file.
Click Save to save the certificate.
Click Add key.
Paste the private key that matches the certificate in the box, or click Upload and upload the key file.
Click Save.
Note
The selections here for encryption and signing must match the corresponding selections on the IdP. For example, if assertion encryption is set on the VMS, it must also be set on the IdP.
Click Save.
Configure an Identity Provider for SSO using the VAST CLI
On the VAST CLI, use the modify_saml command in the vms section to create or modify the configuration for an Identity Provider for Single Sign-On.
On the VAST CLI, run this command:
vms modify_saml --idp-entityid <IDP_ENTITYID> --idp-metadata-url <IDP_METADATA_URL> --idp-name <idp-name>
where IDP_ENTITYID and IDP_METADATA_URL are obtained from your IdP instance (the Entity ID is typically taken from the metadata published at IDP_METADATA_URL), and idp-name is the display name for the IdP (for example, Okta).
See vms modify_saml for more details about the modify_saml command.
To also enable assertion encryption from the VAST CLI, run this command and paste the certificate and key when prompted:
vms modify_saml --idp-entityid <IDP_ENTITYID> --idp-metadata-url <IDP_METADATA_URL> --idp-name Okta --encrypt_assertion
This action will impact your saml login with Okta. Are you sure you want to continue? [y/N] y
Please enter idp signing certificate (ALT+ENTER/option+ENTER to finish): PUT_CERTIFICATE_FILE_CONTENT
Please enter idp signing certificate key (ALT+ENTER/option+ENTER to finish): PUT_KEY_FILE_CONTENT
For other options, see vms modify_saml.
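Before running the command above, it is worth checking that the two values you pass are consistent with each other, because a mismatch only shows up later as a failed login. The following added example (not VMS code) parses the IdP metadata document that --idp-metadata-url points at and reports the things that most often break a SAML login: the entityID in the metadata must equal the value you pass as --idp-entityid (it is what the IdP places in the assertion's Issuer), the metadata must carry a signing certificate, and the SSO endpoints should be https. The sample metadata, its entity ID, hostnames and certificate body are constructed placeholders; the command-line usage is an assumption for the demo.

```python
"""Added example: pre-flight the IdP metadata before running vms modify_saml.

Not VMS code. Checks that the metadata at --idp-metadata-url agrees with the
--idp-entityid you intend to configure and carries what VMS needs to verify
assertions. The sample metadata below is constructed.
"""
from __future__ import annotations

import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample; entityID, host and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/placeholder-entity-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder-base64...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(url: str, timeout: float = 10.0) -> str:
    """Download the metadata document (the value you would give --idp-metadata-url)."""
    if not url.startswith("https://"):
        # The metadata carries the IdP signing certificate; never fetch it over plain http.
        raise ValueError("metadata URL must be https")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, signing certificates, SSO endpoints and NameID formats."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs: list[str] = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    sso = {s.get("Binding"): s.get("Location") for s in idp.iterfind("md:SingleSignOnService", NS)}
    formats = [(f.text or "").strip() for f in idp.iterfind("md:NameIDFormat", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso, "nameid_formats": formats}


def preflight(md: dict, configured_entity_id: str) -> list[str]:
    """Return the list of problems found; an empty list means the values are consistent."""
    problems: list[str] = []
    if md["entity_id"] != configured_entity_id:
        problems.append(f"entityID mismatch: metadata has {md['entity_id']!r}, --idp-entityid is {configured_entity_id!r}")
    if not md["signing_certs"]:
        problems.append("no signing certificate in metadata; signed assertions cannot be verified")
    if not md["sso"]:
        problems.append("no SingleSignOnService endpoint advertised")
    for binding, location in md["sso"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {location!r}")
    if md["nameid_formats"] and EMAIL_FORMAT not in md["nameid_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format used in the Okta steps")
    return problems


if __name__ == "__main__":
    # Usage (assumed for the demo): python preflight.py <metadata-url> <entity-id>
    # With no arguments the constructed sample is checked against its own entityID.
    if len(sys.argv) == 3:
        md, entity_id = parse_idp_metadata(fetch_metadata(sys.argv[1])), sys.argv[2]
    else:
        md, entity_id = parse_idp_metadata(SAMPLE_METADATA), "https://idp.example.com/placeholder-entity-id"
    for line in preflight(md, entity_id) or ["OK: metadata is consistent with the configuration"]:
        print(line)
```

If the script reports an entityID mismatch, use the value from the metadata as --idp-entityid rather than the IdP's hostname or sign-in URL; the two are frequently confused.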
Commands for Configuring IdPs for SSO in the VAST CLI
Use the following VAST CLI commands to configure IdPs for SSO.
vms modify_saml. Add or modify an IdP in VMS. If encryption options are selected, you will be prompted to enter a certificate and key.
vms remove_saml_signed_cert. Remove all signed certificates from an IdP configuration.
vms delete_saml_idp_configuration. Remove a SAML IdP configuration from VMS.
vms show_saml_config. Show details for a SAML configuration for a specific IdP.
vms show_saml_configured_idps. List all IdPs configured in VMS.
Logging in to a VAST Cluster using SSO
Once you have configured VMS for SSO with your chosen IdP, you can log in to VMS using that IdP.
On the VMS login page, click the SSO login option.
You are redirected to the IdP to authenticate there, and then back to VMS. Your permissions on the VAST Cluster are determined by the role assigned to you in the IdP and the VMS role it maps to.
If you configured more than one IdP, the SSO Login With control shows a drop-down list. Select the provider to use for the login. Your permissions on the VAST Cluster are determined by the role assigned to you in the selected IdP.
Note
SSO cannot be configured for access to the VAST CLI or REST API; it applies to the VAST Web UI only.
Configuring the Okta IdP for SSO login to VMS
Okta uses a SAML application to mediate SAML-based SSO. This is configured in Okta.
Sign in to Okta.
Select Applications > Create App Integration > SAML 2.0 to create a new SAML application.
Configure your application:
Enter a name for your application and click Next.
Configure the SSO URL for the VAST Cluster (as the SAML SP) in the format
https://<mgmt-vip>/api/saml2/metadata/, where <mgmt-vip> is the management Virtual IP address of the VAST Cluster.
Note
You can also obtain the SSO URL from VMS by running vms show_saml_config from the VAST CLI; the URL is included in the response.
For the Audience URI (SP Entity ID), enter
https://<mgmt-vip>/api/saml2/metadata/, where <mgmt-vip> is the same VMS management VIP.
Change the Name ID format to EmailAddress and Application username to Email.
If you enabled assertion response signing or assertion encryption on VMS, select Show Advanced Settings and configure the matching options here, using the certificate from the VMS SP configuration. The signing and encryption settings on the two sides must agree or the login fails.
In the Attribute Statements pane, add attributes named username and email (the names must match exactly what VMS expects). In the Group Attribute Statements pane, add an attribute named roles, with its Name Format, so that the assertion carries the user's Okta group names. With the roles attribute present, the IdP returns the values VMS needs to create the user and to map the user's groups to VMS roles.
Click Next and select I'm an Okta customer adding an internal app, then click Finish.
To create a user, select Directory > People > Add person.
To create a group, select Directory > Groups > Add group. After creating a group you can select the group name and assign users to it.
Open the Applications tab, select the application and click Assign Users to App to assign users to the application. Select the required users and click Assign.
Editing your Okta Application Settings
To edit the application settings in Okta, open the Applications tab and choose your application. You can then edit the application in its General tab.
To change the SAML settings, click Edit next to SAML Settings.