If we look at the corporate environment, we can see that there are users and external workers using mobile devices that are present within the corporate workspace. Secure authentication must be available for these devices. It is important both that users can authenticate themselves and that the organization can trust that a particular user is authenticated and can be granted access to secure documents and corporate emails.
Identity management is one of the key elements needed for each organization to remain secure. Organizations are looking to consolidate their authentication into dedicated identity providers with flexible options, such as Multi-Factor Authentication (MFA). Another consideration is the reduction of risk via federated solutions, in which the applications do not have to handle credentials directly.
vSphere Identity Federation (VIF) uses industry-standard protocols such as OIDC and OAuth 2.0 to connect to these systems and to participate in the corporate identity solution. OpenID Connect (OIDC) is an authentication protocol layered on the OAuth 2.0 specifications; it carries identity claims in JSON Web Tokens (JWT). OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site to a different site without ever exposing their credentials.
The traditional link between vCenter Server and Microsoft Active Directory (AD) is no longer used if you use vCenter Identity Federation.
When Active Directory Federation Services (ADFS) are configured and users try to connect to vCenter, they are redirected to ADFS, which prompts the users for login credentials. After successful authentication, the users receive a token that enables them to do their work as before. The token-based service is an industry standard now, so vCenter will be able to use the same system as other applications and systems.
The process looks like this:
vSphere Identity Federation allows you to connect your vCenter Server to an external identity provider that supports OAuth 2.0, so you can log in to vCenter Server with your corporate identity using this enhanced single sign-on (SSO) and multi-factor authentication (MFA) method.
Beyond ADFS in this initial release, vSphere will support additional providers, such as Azure AD, PingID, Okta, vIDM, and others.
How to configure vCenter with ADFS
The configuration of vCenter Identity Federation has three principal phases:
- Creating an application group on the Microsoft ADFS server and configuring it for vCenter Server
- Creating an identity provider via the vCenter SSO Administration configuration page
- Configuring group membership in vCenter to provide authorization for users within the ADFS domain
After all this is done, users will be able to log in to vCenter and be redirected for authentication via ADFS and the corporate portal.
There will be a new wizard that will allow you to configure identity federation with Microsoft ADFS. To configure vCenter identity federation, you must go to the Single Sign-On configuration page and add a new identity source in the Identity Sources pane.
In order to make the configuration work, you'll need to configure the ADFS server before you start the wizard in your vCenter.
You'll need to create an OpenID Connect configuration, which is known as an application group. This group comprises a server application and API components, which together specify the connection details for vCenter Server. vCenter Server then uses those details as a trust and can communicate with the ADFS server.
After you create the application group on the ADFS server, you can return to the vCenter Server and launch the wizard. Note that the detailed configuration of the vCenter identity federation and ADFS is outside the scope of this post.
Other configurations are also needed, such as users and group configuration, as well as permission configuration within the vCenter SSO Administration section.
Conclusion
vCenter Identity Federation allows better, more secure authentication with the possibility of leveraging MFA. Organizations will have a more robust way to protect access to resources and allow external workers on mobile devices to authenticate more securely. Enterprise admins will be able to configure vCenter Identity Federation as a standards-based federated authentication method with enterprise identity providers. vCenter Server will delegate user and password management to the enterprise identity provider used by the specific organization or enterprise.
Great article, thanks.
I have couple of questions,
1. Does redirection to ADFS (MFA) happen as soon as we enter the vCenter FQDN in the web browser? Or do we still need to enter credentials on the vCenter Server login page and then get redirected to ADFS?
2. Can we still use the administrator@vsphere.local account to log in? How is MFA leveraged to log in as the SSO admin?
1. You still need to enter the user ID/account portion. Depending on the suffix, authentication proceeds locally (for "vsphere.local", or whatever was chosen during installation) or is redirected to the ADFS login page.
2. Yes
Is there a way to exclude AD based service accounts? Just trying to understand how you handle service accounts used for monitoring and backup applications, for example. Also, how does this work with PowerCLI?
We don't use ADFS, but we do use Azure AD. Can vCenter 7.0 directly use Azure AD as an IdP, or does it require ADFS as an intermediary?
Same situation – Any luck