Federate vCenter Server to Microsoft Active Directory Federation Services (AD FS)

You can federate vCenter Server to Microsoft Active Directory Federation Services (AD FS) as an external identity provider by using the vCenter Server Identity Providers service.

This process of configuring an AD FS identity provider requires that you have administrative access to both your vCenter Server and your AD FS server. During the configuration process, you enter information first in your vCenter Server, then in your AD FS server, then in your vCenter Server.

Active Directory Federation Services requirements:
- AD FS for Windows Server 2016 or later must already be deployed.
- AD FS must be connected to Active Directory.
- An Application Group for vCenter Server must be created in AD FS as part of the configuration process. See the VMware knowledge base article at https://kb.vmware.com/s/article/78029.
- An AD FS server certificate (or a CA or intermediate certificate that signed the AD FS server certificate) that you add to the Trusted Root Certificates Store.
- You have created a vCenter Server administrators group in AD FS that contains the users you want to grant vCenter Server administrator privileges to.
For more information about configuring AD FS, see the Microsoft documentation.

vCenter Server and other requirements:
- vSphere 7.0 or later
- vCenter Server must be able to connect to the AD FS discovery endpoint, and the authorization, token, logout, JWKS, and any other endpoints advertised in the discovery endpoint metadata.
- You need the privilege to create, update, or delete a vCenter Server Identity Provider that is required for federated authentication. To limit a user to view the Identity Provider configuration information only, assign the privilege.

Procedure:
- Authenticate to the vSphere Automation API endpoint and establish a session.
- Add your AD FS root CA certificate to the Trusted Root Certificates Store.
- Create a ProvidersTypes.OidcCreateSpec object by using the Application Group configuration from AD FS.

  | Method | Description |
  |---|---|
  | setDiscoveryEndpoint | The OpenID address of the AD FS server. |
  | setClientId | The client identifier of the AD FS Application Group. |
  | setClientSecret | The secret shared between the client and the provider. |
  | setClaimMap | This parameter is required but not applicable to AD FS. Use an empty array []. |
- Create an object of type ProvidersTypes.ActiveDirectoryOverLdap.

  | Method | Description |
  |---|---|
  | setUserName | The user name of a user in the domain who has a minimum of read-only access to the base Distinguished Name (DN) for users and groups. |
  | setPassword | The password of a user in the domain who has a minimum of read-only access to the base DN for users and groups. |
  | setUsersBaseDn | The base DN for users in the Active Directory environment connected to AD FS that you want to be able to federate with vCenter Server. |
  | setGroupsBaseDn | The base DN for groups in the Active Directory environment connected to AD FS that you want to be able to federate with vCenter Server. |
  | setServerEndpoints | Active Directory server endpoints. At least one Active Directory server endpoint must be set. Use the format ldap://<hostname>:<port> or ldaps://<hostname>:<port>. The port is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS. |
  | setCertChain | The SSL certificate chain in base64 encoding. You can skip this parameter only if all the Active Directory server endpoints use the LDAP (and not the LDAPS) protocol. |
- Add the identity provider by using the Identity Providers service.
  - Create an object of type ProvidersTypes.CreateSpec.

    | Method | Description |
    |---|---|
    | setConfigTag | The configuration type of the identity provider. The possible values are Oauth2 and Oidc. For AD FS federation, use Oidc. |
    | setName | The user-friendly name for the identity provider. You must use the exact string Microsoft ADFS for proper configuration. |
    | setUpnClaim | The name of the claim in the AD FS JWT token that contains the user principal name of the user that is logging in. You must use the same value that you used when you set up the AD FS Application Group. The procedure from the article in the prerequisites uses upn. If unset, the default value is acct. |
    | setGroupsClaim | The name of the claim in the AD FS JWT token that contains the group membership of the user that is logging in. You must use the same value that you used when you set up the AD FS Application Group. The procedure from the article in the prerequisites uses group. If unset, the groups for the subject consist of the groups in the group_names and group_ids claims. |
    | setIsDefault | Set to true. Specifies whether the provider is the default provider. Setting to true makes all other providers non-default. If unset: in case it is the first created provider, it is set as the default provider; in case it is not the first created provider, it is not set as the default provider. |
    | setOidc | Use the ProvidersTypes.OidcCreateSpec object. |
    | setIdmProtocol | The communication protocol used to connect to AD FS to search for users and groups when assigning permissions in vCenter Server. You must use LDAP. If unset, no communication protocol is configured for the users and groups search. |
    | setActiveDirectoryOverLdap | Use the ProvidersTypes.ActiveDirectoryOverLdap object. |

  - To add the provider, call the create(ProvidersTypes.CreateSpec) method. The operation returns the ID of the provider you added.
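As an added example that is not part of this page or the vSphere Automation SDK, the following Python models the three spec objects from the steps above as plain dicts (keys mirror the setter names) and runs a preflight check against the requirements stated in the tables before anything is sent to the Identity Providers service. The example.test hostnames, client credentials and certificate chain are constructed placeholders.

```python
import re

# Added example, not the vSphere Automation SDK: a plain-dict model of the three spec
# objects from the procedure above (keys mirror the SDK setter names) plus a preflight
# check of the requirements the page states. No create() call is made here.

ENDPOINT_RE = re.compile(r"^(ldap|ldaps)://([A-Za-z0-9.-]+):(\d{1,5})$")
def oidc_spec(discovery_endpoint, client_id, client_secret):
    # claimMap is required by the API but not applicable to AD FS: keep it empty.
    return {"discoveryEndpoint": discovery_endpoint, "clientId": client_id,
            "clientSecret": client_secret, "claimMap": []}

def ad_over_ldap_spec(user, password, users_dn, groups_dn, endpoints, cert_chain=None):
    # cert_chain (base64) may be omitted only if every endpoint is ldap://, not ldaps://.
    return {"userName": user, "password": password, "usersBaseDn": users_dn,
            "groupsBaseDn": groups_dn, "serverEndpoints": list(endpoints),
            "certChain": cert_chain}

def create_spec(oidc, ldap, upn_claim="upn", groups_claim="group"):
    # Claim names must match the AD FS Application Group; defaults follow the KB 78029 procedure.
    return {"configTag": "Oidc", "name": "Microsoft ADFS", "upnClaim": upn_claim,
            "groupsClaim": groups_claim, "isDefault": True, "oidc": oidc,
            "idmProtocol": "LDAP", "activeDirectoryOverLdap": ldap}

def check_spec(spec):
    # Returns the requirement violations; an empty list means the spec is acceptable.
    problems = []
    fixed = {"configTag": "Oidc", "name": "Microsoft ADFS", "idmProtocol": "LDAP", "isDefault": True}
    for key, want in fixed.items():
        if spec.get(key) != want:
            problems.append(f"{key} must be {want!r}, got {spec.get(key)!r}")
    if (spec.get("oidc") or {}).get("claimMap") != []:
        problems.append("claimMap must be an empty array for AD FS")
    ldap = spec.get("activeDirectoryOverLdap") or {}
    endpoints = ldap.get("serverEndpoints") or []
    if not endpoints:
        problems.append("at least one Active Directory server endpoint is required")
    for ep in endpoints:
        m = ENDPOINT_RE.match(ep)
        if m is None:
            problems.append(f"endpoint {ep!r} must be ldap://<hostname>:<port> or ldaps://<hostname>:<port>")
        elif m.group(1) == "ldaps" and not ldap.get("certChain"):
            problems.append(f"certChain is required because {ep!r} uses ldaps://")
    return problems

def sample_spec(cert_chain="<base64 certificate chain placeholder>"):
    # Constructed sample values (example.test hostnames, placeholder secrets).
    oidc = oidc_spec("https://adfs.example.test/adfs/.well-known/openid-configuration", "client-id", "client-secret")
    ldap = ad_over_ldap_spec("svc-vcenter", "password", "dc=example,dc=test", "dc=example,dc=test", ["ldaps://dc1.example.test:636"], cert_chain)
    return create_spec(oidc, ldap)
```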
- Configure vCenter Server permissions for Active Directory users or groups in your AD FS environment. You can do this in two ways:
  - Add a user from your AD FS environment to a group in vCenter Server.
  - Configure Global Permissions for an AD FS user.

  In vSphere 8.0 and later, you cannot configure permissions through the vSphere Automation API. Instead, you use either the vSphere Client or the vSphere Web Services API. For more information, see the vSphere Authentication Guide or the vSphere Web Services SDK Programming Guide.
- Copy the two redirect URIs from the Identity Provider Configuration page in the vSphere Client and add them to your AD FS Application Group. You must do this step to enable logging in to vCenter Server through AD FS by using the vSphere Client.

You configured vCenter Server to use AD FS as the identity provider.