Use AD FS as the Identity Provider for VMware Cloud Foundation

You can configure VMware Cloud Foundation to use Active Directory Federation Services (AD FS) as an external identity provider, instead of using vCenter Single Sign-On. In this configuration, the external identity provider interacts with the identity source on behalf of vCenter Server.
Active Directory Federation Services requirements:
  • AD FS for Windows Server 2016 or later must already be deployed.
  • AD FS must be connected to Active Directory.
  • You have created, in the Active Directory that AD FS is connected to, a vCenter Server administrators group that contains the users to whom you want to grant vCenter Server administrator privileges.
For more information about configuring AD FS, see the Microsoft documentation.
vCenter Server and other requirements:
  • vSphere 7.0 or later
  • vCenter Server must be able to connect to the AD FS discovery endpoint, and the authorization, token, logout, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
  • You need the VcIdentityProviders.Manage privilege to create, update, or delete the vCenter Server Identity Provider that federated authentication requires. To limit a user to viewing the Identity Provider configuration only, assign the VcIdentityProviders.Read privilege.
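Before you start the wizard, it is worth verifying the connectivity requirement above from the vCenter side: every endpoint advertised in the AD FS discovery metadata must be reachable, and the AD FS TLS chain must validate. The PowerShell below is an added pre-flight check, not code from the VMware documentation. It assumes a placeholder AD FS farm name (adfs.example.com) and that it runs on a Windows host that shares vCenter Server's network path to AD FS; the vCenter Server appliance has no PowerShell, so repeat the TCP checks there with curl if the paths differ.

```powershell
# Added pre-flight check (not VMware code). Placeholder: adfs.example.com.
$adfsHost     = 'adfs.example.com'   # replace with your AD FS farm name
$discoveryUrl = "https://$adfsHost/adfs/.well-known/openid-configuration"

# 1. Fetch the discovery document. On a host that does not trust the AD FS TLS chain this
#    already fails, which is the same failure vCenter Server hits with a private CA.
try {
    $meta = Invoke-RestMethod -Uri $discoveryUrl -Method Get -ErrorAction Stop
} catch {
    throw "Cannot read $discoveryUrl : $($_.Exception.Message)"
}

# 2. Endpoints vCenter Server must reach, by their names in the discovery metadata.
$needed = 'issuer', 'authorization_endpoint', 'token_endpoint', 'end_session_endpoint', 'jwks_uri'
$report = foreach ($name in $needed) {
    $value = $meta.$name
    if (-not $value) {
        [pscustomobject]@{ Endpoint = $name; Url = '(missing)'; Reachable = $false }
        continue
    }
    $uri = [uri]$value
    $ok  = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
               -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = $name; Url = $value; Reachable = [bool]$ok }
}
$report | Format-Table -AutoSize

# 3. Does the AD FS certificate chain validate on this host? If not, the issuing root CA
#    is the certificate that step 6 of the wizard asks you to add.
$tcp = New-Object System.Net.Sockets.TcpClient($adfsHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($adfsHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "TLS chain validates. Subject: $($cert.Subject); Issuer: $($cert.Issuer); NotAfter: $($cert.NotAfter)"
} catch [System.Security.Authentication.AuthenticationException] {
    "TLS chain does NOT validate here: $($_.Exception.Message). Add the AD FS root CA in step 6."
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# Fail loudly on any unreachable endpoint; a federated login would break at that stage.
if ($report | Where-Object { -not $_.Reachable }) {
    throw 'One or more AD FS endpoints advertised in the discovery metadata are unreachable.'
}
```

The issuer value is included in the list because vCenter Server validates the iss claim of every token it receives against it; an issuer whose host name differs from the farm name you type into the wizard is a common misconfiguration.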
You can add only one external identity provider to VMware Cloud Foundation. Changing the identity provider from vCenter Single Sign-On to AD FS removes any users and groups that you added to VMware Cloud Foundation from Active Directory over LDAP or OpenLDAP identity sources. Users and groups from the system domain (for example, vsphere.local) are not affected.
  1. In the navigation pane, click Administration > Single Sign On.
  2. Click Identity Provider.
  3. Click Change Identity Provider and select AD FS.
    The Connect Identity Provider wizard opens.
  4. Click Next.
  5. Select the checkbox to confirm the prerequisites and click Next.
  6. If your AD FS server certificate is signed by a publicly trusted Certificate Authority, click Next. If the certificate is self-signed or issued by a private CA, add the AD FS root CA certificate to the Trusted Root Certificates Store so that vCenter Server can validate the AD FS TLS chain:
    1. Click Browse.
    2. Navigate to the certificate and click Open.
    3. Click Next.
  7. Copy the redirect URIs. You will need them when you create the AD FS Application Group in the next step.
  8. Create an OpenID Connect configuration in AD FS.
    To establish a relying party trust between vCenter Server and an identity provider, you must establish the identifying information and a shared secret between them. In AD FS, you do so by creating an OpenID Connect configuration known as an Application Group, which consists of a Server application and a Web API. The two components specify the information that vCenter Server uses to trust and communicate with the AD FS server. To enable OpenID Connect in AD FS, see the VMware knowledge base article at https://kb.vmware.com/s/article/78029.
    Note the following when you create the AD FS Application Group.
    • You need the two Redirect URIs from the previous step.
    • Record the following for use when configuring the identity provider in the next step. Treat the shared secret as a credential: keep it in a password manager or other secret store, not in a plain text file.
      • Client Identifier
      • Shared Secret
      • OpenID address of the AD FS server
  9. Enter the Application Group information and click Next.
    Use the information you gathered in the previous step and enter the:
    • Client Identifier
    • Shared Secret
    • OpenID address of the AD FS server
  10. Enter user and group information for the Active Directory over LDAP connection that vCenter Server uses to search for users and groups.
    vCenter Server derives the AD domain to use for authorization and permissions from the Base Distinguished Name for users. You can add permissions on vSphere objects only for users and groups from this AD domain. Users or groups from AD child domains or other domains in the AD forest are not supported by vCenter Server Identity Provider Federation.
    • Base Distinguished Name for Users: The base DN under which vCenter Server searches for users.
    • Base Distinguished Name for Groups: The base DN under which vCenter Server searches for groups.
    • User Name: ID of a user in the domain who has at least read-only access to the Base DN for users and groups. Use a dedicated, least-privilege service account for this bind rather than an administrator account.
    • Password: Password of that user.
    • Primary Server URL: Primary domain controller LDAP server for the domain. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for LDAP and 636 for LDAPS. For queries against the Active Directory global catalog (multi-domain forests), the port is typically 3268 for LDAP and 3269 for LDAPS. A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps:// in the primary or secondary URL. Prefer ldaps:// so that the bind password and directory data are not sent in clear text.
    • Secondary Server URL: Address of a secondary domain controller LDAP server that is used for failover.
    • Certificates (for LDAPS): If you use LDAPS, click Browse to select the certificate.
  11. Review the information and click Submit.
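The AD FS side of step 8 is a click-through in the AD FS Management console in the knowledge base article; the same Application Group can be created with the AD FS PowerShell module, which makes the Client Identifier, Shared Secret and OpenID address of step 9 reproducible. The script below is an added example, not VMware's or Microsoft's code, and it also runs the LDAPS pre-check a practitioner wants before filling in step 10. Assumptions: it runs on the AD FS server as an AD FS administrator; the two redirect URIs are the values copied in step 7; the application group name, host names, Base DNs, service account and group name are placeholders; and the issuance rule is an illustrative UPN-plus-groups mapping whose exact claim types must be confirmed against KB article 78029 before use.

```powershell
# Added example (not VMware/Microsoft code). All names below are placeholders.
Import-Module ADFS

$groupName    = 'vCenter Server OIDC'   # placeholder Application Group name
$redirectUris = @('<redirect URI 1 from step 7>', '<redirect URI 2 from step 7>')
if ($redirectUris -match '^<') { throw 'Paste the two redirect URIs copied from the vCenter wizard.' }

# Client Identifier and Shared Secret: the values you enter in the wizard in step 9.
$clientId     = [guid]::NewGuid().ToString()
$secretBytes  = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$clientSecret = [Convert]::ToBase64String($secretBytes)

# Illustrative issuance rule (assumption): emit the user's UPN and long-domain-qualified
# group names from Active Directory. Confirm the mapping vCenter expects in KB 78029.
$rules = @'
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";userPrincipalName,tokenGroups(longDomainQualifiedName);{0}", param = c.Value);
'@

New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName `
    -Description 'vCenter Server Identity Provider Federation'

# Server application: carries the client id, the shared secret and the redirect URIs
# that vCenter Server presents during the authorization code flow.
Add-AdfsServerApplication -ApplicationGroupIdentifier $groupName -Name "$groupName - Server application" `
    -Identifier $clientId -RedirectUri $redirectUris -ClientSecret $clientSecret

# Web API: identified by the same client id and issuing the claims vCenter consumes.
# 'Permit everyone' is acceptable here because authorization is enforced by vCenter
# permissions on the administrators group, not by AD FS.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName -Name "$groupName - Web API" `
    -Identifier $clientId -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $rules

# Allow the server application to request the scopes vCenter needs from the Web API.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $clientId `
    -ScopeNames @('openid', 'allatclaims')

$discovery = "https://$((Get-AdfsProperties).HostName)/adfs/.well-known/openid-configuration"
"Client Identifier : $clientId"
"Shared Secret     : $clientSecret   (store in a secret manager; enter once in step 9)"
"OpenID address    : $discovery"

# Step 10 pre-check: bind over LDAPS with the read-only account and confirm the vCenter
# administrators group exists under the Base DN for groups. Port 636 is a single domain
# controller, 3269 the global catalog; the DC certificate chain must also validate on
# vCenter Server, which is what the wizard's LDAPS certificate field is for.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ldapHost   = 'dc01.example.com'              # placeholder primary domain controller
$usersDn    = 'OU=Users,DC=example,DC=com'    # placeholder Base DN for users
$groupsDn   = 'OU=Groups,DC=example,DC=com'   # placeholder Base DN for groups
$bindUser   = 'svc-vcenter-ldap@example.com'  # placeholder read-only service account
$bindPass   = Read-Host -Prompt "Password for $bindUser" -AsSecureString
$adminGroup = 'vCenter-Admins'                # placeholder group from the prerequisites

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldapHost, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true    # LDAPS; an untrusted chain fails here
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($bindUser, $bindPass)
$conn.Bind()                                      # throws on bad credentials or TLS failure

# The users Base DN must be readable by the bind account (base-scope read of the entry).
$null = $conn.SendRequest((New-Object System.DirectoryServices.Protocols.SearchRequest(
    $usersDn, '(objectClass=*)', 'Base', 'distinguishedName')))

$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $groupsDn, "(&(objectClass=group)(cn=$adminGroup))", 'Subtree', 'member')
$resp = $conn.SendRequest($req)
if ($resp.Entries.Count -ne 1) { throw "Group $adminGroup not found under $groupsDn" }
"Found $adminGroup with $($resp.Entries[0].Attributes['member'].Count) direct members"
```

Generating the shared secret locally and passing it with -ClientSecret, instead of letting AD FS generate one, means the value is known once at creation time and can be placed in a secret store before it is typed into the wizard; rotating it later is a matter of running Set-AdfsServerApplication with a new -ClientSecret and updating the identity provider in vCenter Server.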
After you successfully add AD FS as an external identity provider, you can add users and groups to VMware Cloud Foundation. See Add a User or Group to VMware Cloud Foundation.