If you want to import users and groups from an OpenID Connect (OIDC) identity provider to your VMware Cloud Director system organization, you must configure your system organization with this OIDC identity provider. Imported users can log in to the system organization with the credentials established in the OIDC identity provider.
OAuth is an open federation standard that delegates user access. OpenID Connect is an authentication layer on top of the OAuth 2.0 protocol. By using OpenID Connect, clients can receive information about authenticated sessions and end users. The OAuth authentication endpoint must be reachable from the VMware Cloud Director cells, which makes OIDC more suitable when you use public identity providers or provider-managed ones.
You can allow tenants to generate and issue API access tokens that applications can use on their behalf.
You can configure VMware Cloud Director to automatically refresh your OIDC key configuration from the JWKS endpoint you provide. You can configure the frequency of the key refresh process and the rotation strategy, which determines whether VMware Cloud Director adds the new keys alongside the old ones, replaces the old keys with the new ones, or lets the old keys expire after a certain period.
VMware Cloud Director generates audit events for both successful and failed key refreshes under the event topic com/vmware/vcloud/event/oidcSettings/keys/modify. The audit events for failed key refreshes include additional information about the failure.
For version 10.4.2 and later, if an organization in VMware Cloud Director has SAML or OIDC configured, the UI displays only the Sign in with Single Sign-On option. To log in as a local user, navigate to https://vcloud.example.com/tenant/tenant_name/login or https://vcloud.example.com/provider/login.
For versions 10.3.3 through 10.4.1, if an organization in VMware Cloud Director has SAML or OIDC configured, to log in with your identity provider, select the Sign in with Single Sign-On option.
Procedure
What to do next
- Subscribe to the com/vmware/vcloud/event/oidcSettings/keys/modify event topic.
- Verify that the Last Run and the Last Successful Run time stamps are identical. The runs start at the beginning of the hour. The Last Run is the time stamp of the last key refresh attempt. The Last Successful Run is the time stamp of the last successful key refresh. If the time stamps differ, the automatic key refresh is failing, and you can diagnose the problem by reviewing the audit events.
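The following is an added example, not VMware Cloud Director code, that models the three key-rotation strategies described above and the Last Run / Last Successful Run check from this list. The JWKS documents, `kid` values and time stamps are constructed samples, and the semantics of the expiry strategy (a stored key is dropped once it has been absent from the fetched set for longer than the expiry period) is an assumption about how the product behaves.

```python
"""Model of the JWKS key-rotation strategies and the Last Run / Last Successful
Run check described above. Constructed example, not VMware Cloud Director code;
the key sets and time stamps are made-up samples and times are Unix seconds."""

# Constructed JWKS material: the keys the cell currently holds and the document
# the provider's JWKS endpoint returns on the next refresh (n values shortened).
CURRENT_KEYS = {"kid-old": {"kty": "RSA", "kid": "kid-old", "n": "vZx...", "e": "AQAB"}}
FETCHED_JWKS = {"keys": [{"kty": "RSA", "kid": "kid-new", "n": "qT8...", "e": "AQAB"}]}
DAY = 86400


def rotate(current, jwks, strategy, now, expiry=None, last_seen=None):
    """Return the key set after one refresh, keyed by 'kid'.

    'replace': the fetched set replaces the stored keys outright.
    'add':     fetched keys are added; stored keys are never removed.
    'expire':  fetched keys are added; a stored key that no longer appears in
               the fetched set is kept until `expiry` seconds have passed since
               `last_seen[kid]` (assumed model of the expiry strategy).
    """
    fetched = {key["kid"]: key for key in jwks["keys"]}
    if strategy == "replace":
        return fetched
    if strategy == "add":
        return {**current, **fetched}
    if strategy == "expire":
        if expiry is None:
            raise ValueError("expire strategy needs an expiry period")
        # Every kid present in this fetch counts as seen now.
        last_seen = {**(last_seen or {}), **{kid: now for kid in fetched}}
        kept = {kid: key for kid, key in current.items()
                if now - last_seen.get(kid, now) < expiry}
        return {**kept, **fetched}
    raise ValueError(f"unknown rotation strategy: {strategy}")


def refresh_healthy(last_run, last_successful_run):
    """True when the two time stamps match. A Last Run newer than Last Successful
    Run means the latest hourly refresh failed; check the audit events under
    com/vmware/vcloud/event/oidcSettings/keys/modify for the failure details."""
    return last_run == last_successful_run


if __name__ == "__main__":
    now = 1_717_200_000
    for strategy in ("replace", "add"):
        print(strategy, sorted(rotate(CURRENT_KEYS, FETCHED_JWKS, strategy, now)))
    print("expire", sorted(rotate(CURRENT_KEYS, FETCHED_JWKS, "expire", now,
                                  expiry=30 * DAY, last_seen={"kid-old": now - 40 * DAY})))
    print("healthy:", refresh_healthy(now, now), refresh_healthy(now, now - 3600))
```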